I am using powershell cmdlets to create a new event-log, register a source and log events.
I experience some unexpected behavior. I created a new log with an arbitrary name by issuing the command:
New-EventLog -LogName SchedulerWakeUpTask -Source devops
I have verified in Event Viewer that it has appeared in "Applications and services logs" directory. I then created an event with
Write-EventLog -LogName SchedulerWakeUpTask -Source devops -EventId 1000 -Message "All good."
but the event didn't get logged in the correct log, but in the Application log instead. It resembles the behavior described in this question.
In log properties I have verified that my custom log has been assigned a specific separate log file with path %SystemRoot%\System32\Winevt\Logs\SchedulerWakeUpTask.evtx. Having checked that, I then removed the log by issuing command
Remove-EventLog -LogName SchedulerWakeUpTask
After that, the empty log has disappeared from the event viewer, but also the whole Application log has been wiped out clean. Why?
Seeing the havoc already present I decided to test this a little more. The test concludes that:
- source name doesn't matter
- application event log consistently gets cleared every time I create and remove custom log with this particular name again
- application event log does not get cleared when I attempt to remove this custom log if it doesn't exist
- application event log does not get cleared when I create another custom event log with an arbitrary name of SchedulerWakeUpTask2, or SchedulerWakeUpTas, or SchedulerWakes, or kapusta, or whatever;
- application event log does not get cleared when I remove only the source associated with the custom log
- when custom log is created again and an event is emitted with
Write-EventLog it's again only visible in Application event log
- it's not a visual glitch with Event Viewer,
Get-EventLog -LogName Application says No match and the assigned event file has been truncated (used to be over 100MB IIRC, but it's size is a negligent 70kB now)
