Hello,
I’m using the following test configuration in order to set up windows event forwarders in our environment.
configuration WEF_SEC { Install-Module xWindowsEventForwarding Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName xWindowsEventForwarding xWEFCollector Enabled { Ensure = "Present" Name = "Enabled" } xWEFSubscription Windows_Security { SubscriptionID = "Windows_Security" Ensure = "Present" LogFile = "ForwardedEvents" SubscriptionType = 'SourceInitiated' DependsOn = "[xWEFCollector]Enabled" Description = "All Security event logs" Query = @('Security:*') } } WEF_SEC
But the configuration for the subscriptions is failing, and I’m not sure why. The following error message is found in the event logs
Job {69D9AD28-C4BB-11E7-AFBA-005056852032} : This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_xWEFSubscription DSC resource. FullyQualifiedErrorId is NativeCommandErrorMessage. Error Message is The data is invalid.
I’m not sure what data specifically is invalid, I looked at the page github page for xWindowsEventForwarding and I didn’t see anything missing in my config.
Here is also a resource instance error
{ Resource instance error "Exception": { "Message": "The PowerShell DSC resource \u0027[xWEFSubscription]Windows_Security\u0027 with SourceInfo \u0027C:\\Users\\user\\Documents\\Folder\\Config.ps1::15::7::xWEFSubscription\u0027 threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.", "Data": { }, "InnerException": null, "TargetSite": null, "StackTrace": null, "HelpLink": null, "Source": null, "HResult": -2146233079 }, "TargetObject": null, "CategoryInfo": { "Category": 7, "Activity": "", "Reason": "InvalidOperationException", "TargetName": "", "TargetType": "" }, "FullyQualifiedErrorId": "NonTerminatingErrorFromProvider", "ErrorDetails": null, "InvocationInfo": null, "ScriptStackTrace": null, "PipelineIterationInfo": [ ] }
Any ideas?