Invalid Data with queries.
I for the life of me cannot figure out why this config does not work:
xWEFSubscription "WEFSubscription" {
    SubscriptionID    = "AppLocker"
    SubscriptionType  = "SourceInitiated"
    Enabled           = $true
    Ensure            = "Present"
    Description       = "Collects forwarded AppLocker events."
    HeartBeatInterval = 900000
    MaxLatencyTime    = 900000
    Query             = @(
        'Microsoft-Windows-AppLocker/EXE and DLL:*[System[(Level=2)]]',
        'Microsoft-Windows-AppLocker/MSI and Script:*[System[(Level=2)]]',
        'Microsoft-Windows-AppLocker/Packaged app-Deployment:*[System[(Level=2)]]',
        'Microsoft-Windows-AppLocker/Packaged app-Execution:*[System[(Level=2)]]'
    )
}
here is the output:
VERBOSE: [WIN2016-DSC]: LCM: [ Start Resource ] [[xWEFSubscription]WEFSubscription]
VERBOSE: [WIN2016-DSC]: LCM: [ Start Test ] [[xWEFSubscription]WEFSubscription]
VERBOSE: [WIN2016-DSC]: LCM: [ End Test ] [[xWEFSubscription]WEFSubscription] in 0.1400 seconds.
VERBOSE: [WIN2016-DSC]: LCM: [ Start Set ] [[xWEFSubscription]WEFSubscription]
VERBOSE: [WIN2016-DSC]: [[xWEFSubscription]WEFSubscription] SubscriptionID: AppLocker
Failed to save subscription. Error = 0xd.
+ CategoryInfo : NotSpecified: (Failed to save ...n. Error = 0xd.:) [], CimException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : win2016-dsc
The data is invalid.
VERBOSE: [WIN2016-DSC]: LCM: [ End Set ] [[xWEFSubscription]WEFSubscription] in 0.3530 seconds.
The PowerShell DSC resource '[xWEFSubscription]WEFSubscription' with SourceInfo '::18::9::xWEFSubscription' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged
to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : win2016-dsc
I'm really not sure what the problem is. The ETW channel just says the same errors. I have tried removing the Microsoft-Windows-AppLocker from the path. I have tried wildcarding the log Microsoft-Windows-AppLocker*:*... I have tried replacing the / with %4 as what the log is actually named in the file system.
I am using WMF 5.1 on server 2016 core, x64.
And just to add, I built this from an existing subscriptions XML, so the queries do work when imported in with wecutil.
Turns out this was due to the XML being generated with the tag <CredentialsType>, which is not correct. As soon as I change the XML tag to <CredentialType> it corrects the issue. I have submitted the correction in Pull Request #11.
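An offline pre-check for a generated subscription manifest, added here as an example and not code from the xWindowsEventForwarding resource: it renders the DSC-style 'Channel:XPath' Query entries into the QueryList that wecutil reads from the Query element, and scans the manifest for the misspelled <CredentialsType> element the post identified, so the typo is caught before wecutil rejects the file with "The data is invalid" (0xd). The sample manifest and the "Default" value are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SUBSCRIPTION_NS = "http://schemas.microsoft.com/2006/03/windows/events/subscription"

# Misspelled -> correct element name, per the post's finding (fixed in PR #11).
ELEMENT_TYPOS = {"CredentialsType": "CredentialType"}

def build_query_list(queries):
    """Render DSC-style 'Channel:XPath' entries as the <QueryList> wecutil expects.

    Splitting on the first ':' keeps channel names containing spaces or
    slashes intact, e.g. 'Microsoft-Windows-AppLocker/EXE and DLL'.
    """
    query_list = ET.Element("QueryList")
    for idx, entry in enumerate(queries):
        channel, xpath = entry.split(":", 1)
        query = ET.SubElement(query_list, "Query", Id=str(idx), Path=channel)
        ET.SubElement(query, "Select", Path=channel).text = xpath
    return ET.tostring(query_list, encoding="unicode")

def find_element_typos(manifest_xml):
    """Return (found_name, expected_name) pairs for misspelled manifest elements."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        if local_name in ELEMENT_TYPOS:
            hits.append((local_name, ELEMENT_TYPOS[local_name]))
    return hits

# Constructed sample: the four AppLocker queries from the post and a minimal
# manifest carrying the misspelled element that made wecutil return 0xd.
APPLOCKER_QUERIES = [
    "Microsoft-Windows-AppLocker/EXE and DLL:*[System[(Level=2)]]",
    "Microsoft-Windows-AppLocker/MSI and Script:*[System[(Level=2)]]",
    "Microsoft-Windows-AppLocker/Packaged app-Deployment:*[System[(Level=2)]]",
    "Microsoft-Windows-AppLocker/Packaged app-Execution:*[System[(Level=2)]]",
]
SAMPLE_MANIFEST = f"""<Subscription xmlns="{SUBSCRIPTION_NS}">
  <SubscriptionId>AppLocker</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <CredentialsType>Default</CredentialsType>
  <Query><![CDATA[{build_query_list(APPLOCKER_QUERIES)}]]></Query>
</Subscription>"""

if __name__ == "__main__":
    for found, expected in find_element_typos(SAMPLE_MANIFEST):
        print(f"replace <{found}> with <{expected}> before running wecutil cs")
```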