Get-WinEvent cannot save changes to .LogMode

This topic contains 1 reply, has 2 voices, and was last updated by Keymaster 1 year ago.

  • #88366
    Tex

    I've been attempting to use the xWinEventLog DSC resource and got stuck on an error. I've nailed it down to the part of the resource that sets the logging mode, i.e. how the logs are retained.

    I've run the following test using just Get-WinEvent, outside of DSC. I can see the property changes, but I cannot get it to save the change:

    PS C:\> Write-Host "Get log: `n"
    $log = Get-WinEvent -ListLog Microsoft-Windows-DeviceSetupManager/Analytic
    $log
    
    Write-host "`nChange log mode`n"
    $log.LogMode = "Retain"
    
    Write-Host "Check property has changed:`n"
    $log
    
    Write-Host "`nSave change:`n"
    $log.SaveChanges()
    
    
    #Output:
    
    Get log: 
    
    LogMode   MaximumSizeInBytes RecordCount LogName
    -------   ------------------ ----------- -------
    Circular             1052672             Microsoft-Windows-DeviceSetupManager/Analytic
    
    Change log mode
    
    Check property has changed:
    
    Retain               1052672             Microsoft-Windows-DeviceSetupManager/Analytic
    
    Save change:
    
    Exception calling "SaveChanges" with "0" argument(s): "The parameter is incorrect"
    At line:12 char:1
    + $log.SaveChanges()
    + ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : EventLogException
    

    I've tried on a couple of boxes, including Win10 and Server 2012 R2, PS 5.1, with the same results.
    I've also tried on the Microsoft-Windows-DSC/Admin log and I don't get the error.

    I note that there is an anomaly in the way the GUI works. In Admin, if the event is enabled, "When maximum event log size is reached" options are selectable but when it is disabled, they are grayed out. In Analytic and Debug, the opposite is true.

    If I try to save the changes whilst it is enabled, I get:

    Exception calling "SaveChanges" with "0" argument(s): "The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation"
    At line:1 char:1
    + $log.SaveChanges()
    + ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : EventLogException
    

    So I make sure it is disabled but then I get the error:

    Exception calling "SaveChanges" with "0" argument(s): "The parameter is incorrect"
    At line:1 char:1
    + $log.SaveChanges()
    + ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : EventLogException
     

    I also note the Analysis and Debug logs are those that one has to select View -> "Show analytical and debug logs" option to be able to see them. I wonder if this has something to do with it. Either there's a bug or they behave in a different way and I can't use Get-WinEvent.

    As always, if anyone has any ideas, I'd be most grateful if you would share.

    TIA.

    W.

  • #88865

    Keymaster

    It seems like a bug or bad implementation in Get-WinEvent. Honestly, now that that's open source, I'd suggest opening a bug against it in the GitHub repo. You've provided plenty of information to reproduce the problem.
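
The disable-then-save sequence described in the question, wrapped so that the failure is captured and the channel's enabled state is restored, as an added example that is not part of the thread or of xWinEventLog. `Set-ChannelLogMode` is a hypothetical name; it assumes an elevated session and does not fix the "The parameter is incorrect" failure, it only records it and reports the mode the system actually stored.

```powershell
# Added example: hypothetical helper, not code from the thread or from xWinEventLog.
function Set-ChannelLogMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventLogMode] $LogMode
    )

    $log        = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $wasEnabled = $log.IsEnabled
    # Analytic and Debug channels are the "direct" channels named in the error text.
    $isDirect   = $log.LogType -in 'Analytical', 'Debug'
    $result     = [ordered]@{
        LogName = $log.LogName; LogType = $log.LogType
        Before  = $log.LogMode; After   = $null; Error = $null
    }
    try {
        if ($isDirect -and $wasEnabled) {
            # Direct channels reject configuration changes while enabled.
            # Toggling such a channel may lose events already in it.
            $log.IsEnabled = $false
            $log.SaveChanges()
        }
        $log.LogMode = $LogMode
        $log.SaveChanges()
    }
    catch {
        # Keep the underlying EventLogException message for the report.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        # Re-read from the system: the in-memory object shows the new
        # LogMode even when SaveChanges() failed, as the post demonstrates.
        $current = Get-WinEvent -ListLog $LogName
        if ($wasEnabled -and -not $current.IsEnabled) {
            $current.IsEnabled = $true
            $current.SaveChanges()
        }
        $result.After = (Get-WinEvent -ListLog $LogName).LogMode
    }
    [pscustomobject]$result
}

Set-ChannelLogMode -LogName 'Microsoft-Windows-DeviceSetupManager/Analytic' -LogMode Retain
```

Comparing `Before`, `After` and `Error` in the returned object shows whether a retention setting was really persisted, which the in-memory `$log` object alone does not.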
