xWEFSubscription configuration failure

This topic contains 2 replies, has 2 voices, and was last updated by yamfiddler 1 week, 3 days ago.

  • #83839

    yamfiddler
    Participant

    Hello,

    I'm using the following test configuration in order to set up Windows event forwarders in our environment.

    configuration WEF_SEC
    {
    
        Install-Module xWindowsEventForwarding
        Import-DscResource -ModuleName PSDesiredStateConfiguration
        Import-DscResource -ModuleName xWindowsEventForwarding
    
        
        xWEFCollector Enabled 
        {
            Ensure = "Present"
            Name = "Enabled"
        }
    
          xWEFSubscription Windows_Security
        {
            SubscriptionID = "Windows_Security"
            Ensure = "Present"
            LogFile = "ForwardedEvents"
            SubscriptionType = 'SourceInitiated'
            DependsOn = "[xWEFCollector]Enabled"
            Description = "All Security event logs"
            Query = @('Security:*')
                   
        }
    
    }
    
    WEF_SEC
    
    

    But the configuration for the subscriptions is failing, and I'm not sure why. The following error message is found in the event logs:

    Job {69D9AD28-C4BB-11E7-AFBA-005056852032} : 
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_xWEFSubscription DSC resource. FullyQualifiedErrorId is NativeCommandErrorMessage. Error Message is The data is invalid.
    

    I'm not sure what data specifically is invalid. I looked at the GitHub page for xWindowsEventForwarding and I didn't see anything missing in my config.

    Here is also a resource instance error:

    Resource instance error
    {
        "Exception":  {
                          "Message":  "The PowerShell DSC resource \u0027[xWEFSubscription]Windows_Security\u0027 with SourceInfo \u0027C:\\Users\\user\\Documents\\Folder\\Config.ps1::15::7::xWEFSubscription\u0027 threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.",
                          "Data":  {
    
                                   },
                          "InnerException":  null,
                          "TargetSite":  null,
                          "StackTrace":  null,
                          "HelpLink":  null,
                          "Source":  null,
                          "HResult":  -2146233079
                      },
        "TargetObject":  null,
        "CategoryInfo":  {
                             "Category":  7,
                             "Activity":  "",
                             "Reason":  "InvalidOperationException",
                             "TargetName":  "",
                             "TargetType":  ""
                         },
        "FullyQualifiedErrorId":  "NonTerminatingErrorFromProvider",
        "ErrorDetails":  null,
        "InvocationInfo":  null,
        "ScriptStackTrace":  null,
        "PipelineIterationInfo":  [
    
                                  ]
    }
    

    Any ideas?

  • #83899

    Alex Aymonier
    Participant

    Hi Yamfiddler,

    Have you checked out the examples under C:\Program Files\WindowsPowerShell\Modules\xWindowsEventForwarding\1.0.0.0\Resources and got that working first to see if the resource is behaving itself?

  • #83947

    yamfiddler
    Participant

    Hello Alex,

    I have not tested a collector-initiated configuration since source-initiated was preferable in my case. But I will test the collector-initiated configuration.
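
Added example, not part of the thread or of the xWindowsEventForwarding project: the resource instance error above points to the Microsoft-Windows-DSC/Operational channel, and this sketch pulls the error and warning events for the failing job from that channel in the order they were written, then asks the collector service what it holds for the subscription. It assumes it is run elevated on the collector node; the job ID and subscription ID are the ones quoted in the first post.

```powershell
# Job ID copied from the event quoted in the first post.
$jobId = '{69D9AD28-C4BB-11E7-AFBA-005056852032}'

# Channel named in the resource instance error.
$filter = @{
    LogName = 'Microsoft-Windows-DSC/Operational'
    Level   = 2, 3          # 2 = Error, 3 = Warning
}

# -Oldest returns events in the order they were written, so the first
# failure of the run is listed before the summary errors that follow it.
$events = Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$jobId*" }

if (-not $events) {
    Write-Warning "No error or warning events found for job $jobId."
    return
}

$events |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message.Trim() } } |
    Format-List

# The collector service's own view of the subscription, if it was created.
# 'Windows_Security' is the SubscriptionID from the configuration above.
& wecutil.exe get-subscription Windows_Security /format:xml
```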
