
Event Log Providers

Posted: August 29, 2014

An event log provider is a component that writes to an event log. I've used WMI in the past to enumerate these, but while looking for something else I discovered that Get-WinEvent can also find this information:

Get-WinEvent -ListProvider * | ft Name, LogLinks -AutoSize -Wrap


This produces a long list of all the providers and the event logs they write to.


Usually I’m only interested in what’s writing to a particular event log. And that’s where things get a bit more messy.


The LogLinks property is supplied as a System.Collections.Generic.IList[System.Diagnostics.Eventing.Reader.EventLogLink] object, which doesn't play nicely with -in or -contains.


So we need a bit of PowerShell manipulation to get what we want:


$log = 'System'

Get-WinEvent -ListProvider * |
foreach {
  # LogLinks is a collection of EventLogLink objects; expand it to the log names
  # before testing whether the log we care about is among them
  if ($log -in ($psitem | select -ExpandProperty LogLinks | select -ExpandProperty LogName)) {
    New-Object -TypeName psobject -Property @{
      Name = $psitem.Name
      Log  = $log
    }
  }
}


The trick here is that LogLinks is a collection of objects, so you need to expand it twice to get to the name. Not pretty, but it works.
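The same approach wrapped in a reusable function, as an added example that is not part of the original post. It generalises the snippet above to several log names at once and tolerates providers whose metadata cannot be read; the function name Get-EventLogProvider is an assumption, not a built-in cmdlet.

```powershell
# Added example (not the original post's code): list the providers registered
# to write to one or more event logs, using Get-WinEvent -ListProvider.
# Get-EventLogProvider is a name chosen here, not a built-in cmdlet.
function Get-EventLogProvider {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$LogName
    )
    # -ListProvider * enumerates every registered provider. Some providers
    # raise non-terminating errors when their metadata cannot be read, so
    # suppress those rather than letting them clutter the output.
    Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue |
    ForEach-Object {
        $provider = $_
        # LogLinks is an IList[EventLogLink]; expand it to a plain string array
        # of log names so that -contains works as expected. @() guards against
        # providers with no links at all.
        $links = @($provider.LogLinks | Select-Object -ExpandProperty LogName)
        foreach ($name in $LogName) {
            # -contains on strings is case-insensitive, matching Windows log names
            if ($links -contains $name) {
                [pscustomobject]@{
                    Provider = $provider.Name
                    Log      = $name
                }
            }
        }
    }
}

# Which providers feed the Security and System logs? Handy when checking that
# the expected audit source (Microsoft-Windows-Security-Auditing) is registered.
Get-EventLogProvider -LogName 'Security', 'System' |
    Sort-Object Log, Provider |
    Format-Table -AutoSize
```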

under: PowerShell Basics