xWEFSubscription configuration failure

yamfiddler · February 19, 2021, 11:26am

Hello,

I’m using the following test configuration in order to set up windows event forwarders in our environment.

configuration WEF_SEC
{

    Install-Module xWindowsEventForwarding
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xWindowsEventForwarding

    
    xWEFCollector Enabled 
    {
        Ensure = "Present"
        Name = "Enabled"
    }

      xWEFSubscription Windows_Security
    {
        SubscriptionID = "Windows_Security"
        Ensure = "Present"
        LogFile = "ForwardedEvents"
        SubscriptionType = 'SourceInitiated'
        DependsOn = "[xWEFCollector]Enabled"
        Description = "All Security event logs"
        Query = @('Security:*')
               
    }

}

WEF_SEC

But the configuration for the subscriptions is failing, and I’m not sure why. The following error message is found in the event logs

Job {69D9AD28-C4BB-11E7-AFBA-005056852032} : 
This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_xWEFSubscription DSC resource. FullyQualifiedErrorId is NativeCommandErrorMessage. Error Message is The data is invalid.

I’m not sure what data specifically is invalid, I looked at the page github page for xWindowsEventForwarding and I didn’t see anything missing in my config.

Here is also a resource instance error

{
Resource instance error
    "Exception":  {
                      "Message":  "The PowerShell DSC resource \u0027[xWEFSubscription]Windows_Security\u0027 with SourceInfo \u0027C:\\Users\\user\\Documents\\Folder\\Config.ps1::15::7::xWEFSubscription\u0027 threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.",
                      "Data":  {

                               },
                      "InnerException":  null,
                      "TargetSite":  null,
                      "StackTrace":  null,
                      "HelpLink":  null,
                      "Source":  null,
                      "HResult":  -2146233079
                  },
    "TargetObject":  null,
    "CategoryInfo":  {
                         "Category":  7,
                         "Activity":  "",
                         "Reason":  "InvalidOperationException",
                         "TargetName":  "",
                         "TargetType":  ""
                     },
    "FullyQualifiedErrorId":  "NonTerminatingErrorFromProvider",
    "ErrorDetails":  null,
    "InvocationInfo":  null,
    "ScriptStackTrace":  null,
    "PipelineIterationInfo":  [

                              ]
}

Any ideas?

alex-aymonier · February 19, 2021, 11:26am

Hi Yamfiddler,

Have you checked out the examples under C:\Program Files\WindowsPowerShell\Modules\xWindowsEventForwarding\1.0.0.0\Resources and got that working 1st to see if the resources is behaving itself?

yamfiddler · February 19, 2021, 11:26am

Hello Alex,

I have not tested a collector initiated configuration since source initiated was preferable in my case. But I will test the Collector initated configuration.

p0w3rs · February 19, 2021, 11:29am

Hi

I am also facing the same issue with trying to setup a windows event collector. Did you manage to find a solution to this?