SqlSpnManager

1.4.1

Private/Write-SqlSpnEventLog.ps1

                                # =============================================================================

# Script  : Write-SqlSpnEventLog.ps1

# Author  : Keith Ramsey

# =============================================================================

# Change Log

# -----------------------------------------------------------------------------

# 2026-05-09  Keith Ramsey  Phase 2 release polish - DR-202 standard header applied.

# =============================================================================

function Write-SqlSpnEventLog {

    <#

    .SYNOPSIS

        Best-effort write to the Windows Application Event Log under source 'SqlSpnManager'.

    .DESCRIPTION

        Registers the source on first call if missing and the current process is elevated;

        otherwise silently skips for the rest of the session. Event ID conventions:

            INFO    -> 1000 (Information)

            SUCCESS -> 1001 (SuccessAudit)

            WARN    -> 2000 (Warning)

            ERROR   -> 3000 (Error)

        Per BTRD TR-202; complements the per-invocation file log written by Write-SqlSpnLog.

    .NOTES

        Failures here never propagate. The file log is the authoritative audit record;

        Event Log emission is the SIEM-readiness convenience.

    #>

    [CmdletBinding()]

    param(

        [Parameter(Mandatory=$true)][string]$Message,

        [ValidateSet('INFO','WARN','ERROR','SUCCESS')][string]$Level = 'INFO'

    )

    if ($script:SqlSpnEventLogDisabled) { return }

    $source = 'SqlSpnManager'

    $logName = 'Application'

    try {

        $exists = [System.Diagnostics.EventLog]::SourceExists($source)

    }

    catch {

        $script:SqlSpnEventLogDisabled = $true

        return

    }

    if (-not $exists) {

        try {

            [System.Diagnostics.EventLog]::CreateEventSource($source, $logName)

        }

        catch {

            $script:SqlSpnEventLogDisabled = $true

            return

        }

    }

    $entryType = switch ($Level) {

        'INFO'    { [System.Diagnostics.EventLogEntryType]::Information }

        'SUCCESS' { [System.Diagnostics.EventLogEntryType]::SuccessAudit }

        'WARN'    { [System.Diagnostics.EventLogEntryType]::Warning }

        'ERROR'   { [System.Diagnostics.EventLogEntryType]::Error }

    }

    $eventId = switch ($Level) {

        'INFO'    { 1000 }

        'SUCCESS' { 1001 }

        'WARN'    { 2000 }

        'ERROR'   { 3000 }

    }

    try {

        [System.Diagnostics.EventLog]::WriteEntry($source, $Message, $entryType, $eventId)

    }

    catch {

        $script:SqlSpnEventLogDisabled = $true

    }

}