Top 10 PowerShell DSC Node Events to Monitor

In a previous blog post I demonstrated how to get a list of all possible PowerShell Desired State Configuration (DSC) events for monitoring. Admittedly, that was an overwhelming list. Today I want to narrow that down to the essentials of DSC monitoring events.

These are the events you’re looking for.

Recently I was working with a customer who wanted specific events for DSC monitoring. I did my testing with a Windows Server 2012 R2 node running WMF 5.1. The pull server was on the same versions. I fired up a node connected to the pull server and labbed a number of common scenarios you would want to monitor.

DSC node events are recorded in the Microsoft-Windows-DSC/Operational log. Here are the main events you want to capture. I have assigned a simple category to each of these.

In some cases there may be other events to indicate similar status. These IDs are the least chatty. Of these ten events I have highlighted the three essential error conditions for monitoring.

Note the following points:

• Event 4249 only shows up in ApplyAndMonitor configuration mode to indicate configuration drift. In my testing I could not find an event indicating configuration drift when ApplyAndAutocorrect actually makes a correction to the configuration.
• In the message body of some events you will see PerformRequiredConfigurationChecks. These bit flag values are documented here.
• Event 4252 appears for all kinds of conditions. Differentiate the events by the message body and the Error Category data inside the event.

Scripting to Capture Logs

Here is some quick syntax to remotely query the events. Note that I limit the total number of events returned for performance reasons. Tweak MaxEvents as needed.

Invoke-Command -ComputerName server1,server2,server3 -ScriptBlock {
  Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 50} |
  Select-Object PSComputerName,TimeCreated,LevelDisplayName,Id,Message |
  Out-Gridview

Here is some quick syntax to export all of the DSC event logs, optional pull server details, and zip them up for analysis off-box. I use this when troubleshooting DSC.

New-Item -ItemType Directory -Path C:\logs -ErrorAction SilentlyContinue
(Get-WinEvent -ListLog *desired*,*dsc*).LogName |
Where-Object {$_ -notlike "*admin*"} |
ForEach-Object {
    wevtutil export-log /overwrite:true $_ "C:\logs\$($env:COMPUTERNAME)_$($_.Replace('/','-')).evtx"
}
'System','Application' | ForEach-Object {
    wevtutil export-log /overwrite:true $_ "C:\logs\$($env:COMPUTERNAME)_$($_).evtx"
}
If ((Get-WindowsFeature DSC-Service).Installed) {
    Get-ChildItem 'C:\Program Files\WindowsPowerShell\DscService' > C:\logs\DscService.txt
    Copy-Item -Path 'C:\inetpub\wwwroot\PSDSCPullServer\web.config' -Destination C:\logs
}
$PSVersionTable > C:\logs\PSVersionTable.txt
Compress-Archive -Path C:\logs\*.evtx,C:\logs\*.config,C:\logs\*.txt `
    -DestinationPath "C:\logs\$($env:COMPUTERNAME)_DSC_Logs.zip" -Update

The xDscDiagnostics module has a function New-xDscDiagnosticsZip which will get most of these things and a few other items. This code above is tailored for my own DSC troubleshooting needs. Note that my version will attempt to collect additional details from a pull server, assuming the default install paths.

Additional Resources

For more info on troubleshooting DSC and logs see the documentation here: https://msdn.microsoft.com/en-us/powershell/dsc/troubleshooting

Don’t forget to check out my previous blog post for more on working with DSC event logs.

Comments

What do you monitor for DSC events? Did I miss any? If so, let me know in the comments area below.