Author Posts

December 10, 2017 at 3:35 am

I've been attempting to use the xWinEventLog DSC resource and got stuck on an error. I've nailed it down to the part of the resource that sets the logging mode, i.e. how the logs are retained.

I've run the following test using just Get-WinEvent, outside of DSC. I can see the property changes, but I cannot get it to save the change:

PS C:\> Write-Host "Get log: `n"
$log = Get-WinEvent -ListLog Microsoft-Windows-DeviceSetupManager/Analytic
$log

Write-host "`nChange log mode`n"
$log.LogMode = "Retain"

Write-Host "Check property has changed:`n"
$log

Write-Host "`nSave change:`n"
$log.SaveChanges()


#Output:

Get log: 

LogMode   MaximumSizeInBytes RecordCount LogName                                                                                                                                                                                    
-------   ------------------ ----------- -------                                                                                                                                                                                    
Circular             1052672             Microsoft-Windows-DeviceSetupManager/Analytic                                                                                                                                              

Change log mode

Check property has changed:

Retain               1052672             Microsoft-Windows-DeviceSetupManager/Analytic                                                                                                                                              

Save change:

Exception calling "SaveChanges" with "0" argument(s): "The parameter is incorrect"
At line:12 char:1
+ $log.SaveChanges()
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : EventLogException

I've tried on a couple of boxes, including Win10 and Server 2012 R2, PS. 5.1, with the same results.
I've also tried on the Microsoft-Windows-DSC/Admin log and I don't get the error.

I note that there is an anomaly between the way the GUI works. In Admin, if the event is enabled, "When maximum event log size is reached" options are selectable but when it is disabled, they are grayed out. In Analytic and Debug, this opposite is true.

If I try to save the changes whilst it is enabled, I get:

Exception calling "SaveChanges" with "0" argument(s): "The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation"
At line:1 char:1
+ $log.SaveChanges()
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : EventLogException

So I make sure it is disabled but then I get the error:

Exception calling "SaveChanges" with "0" argument(s): "The parameter is incorrect"
At line:1 char:1
+ $log.SaveChanges()
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : EventLogException
 

I also note the Analysis and Debug logs are those that one has to select View -> "Show analytical and debug logs" option to be able to see them. I wonder if this has something to do with it. Either there's a bug or they behave in a different way and I can't use Get-WinEvent.

As always, if anyone has any ideas, I'd be most grateful if you would share.

TIA.

W.

December 12, 2017 at 3:23 pm

It seems like a bug or bad implementation in Get-WinEvent. Honestly, now that that's open source, I'd suggest opening a bug against it in the GitHub repo. You've provided plenty of information to reproduce the problem.