xWindowsEventForwarding

Enable support for log suppression in xWEFSubscription Query.

Coleeb opened this issue 7 years ago • 2 comments

Thanks for building out this DSC resource, it's been really helpful.

The hash table is intuitive for specifying which logs to include in the query, but I haven't been able to replicate the XML syntax for excluding certain event IDs through experimentation. That functionality is available when manually creating a subscription.

Here's an example of an XML with some logs suppressed:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
    <Suppress Path="Security">*[System[(EventID=5152 or EventID=5157)]]</Suppress>
  </Query>
</QueryList>

In the filter menu, you would use -[Event ID] to generate this output, but it doesn't exactly match when specified in the config, e.g.:

xWEFSubscription HostsToGather {
  SubscriptionID = "testsub1"
  Ensure = "Present"
  SubscriptionType = 'CollectorInitiated'
  DependsOn = "[xWEFCollector]Enabled"
  Query = @('Application:*', 'System:*', 'Security:*', 'Security:-5152, -5157')
  Address = $someboxes
}

which generates something like:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="System">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Security">-5152, -5157</Select>
  </Query>
</QueryList>

Totally possible that I'm just missing something about the syntax... Thanks for having a look at this!

Coleeb, Apr 09 '18 23:04

I can't find any method of suppressing in the current code. Adding this as an enhancement and labeled as help wanted so that anyone in the community can run with this.

johlju, May 16 '18 12:05

Hey man, I made some tests, and I believe it can work if you alter the syntax of the query that you want to suppress like this:

xWEFSubscription HostsToGather {
  SubscriptionID = "testsub1"
  Ensure = "Present"
  SubscriptionType = 'CollectorInitiated'
  DependsOn = "[xWEFCollector]Enabled"
  Query = @('Application:*', 'Suppress System:*', 'Security:*')
  Address = $someboxes
}

And for the module's Set-TargetResource you can make the following modification in the loop over the queries:

foreach ($q in $Query) {
    $h = Convert-QueryString $q
    if ($h.Path -match "Suppress") {
        # Path was given as 'Suppress <Log>': strip the marker and emit a Suppress element
        $Create += @"
<Suppress Path="$($h.Path.Replace('Suppress ',''))">$($h.Select)</Suppress>
"@
    }
    else {
        # Ordinary 'Log:Selector' entry: emit a Select element as before
        $Create += @"
<Select Path="$($h.Path)">$($h.Select)</Select>
"@
    }
}

I hope that change enhances this DSC resource, because it'll be a massive help in a project I'm working on right now.

tecnojp, Jul 31 '19 14:07
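Putting both conventions from this thread together as an added example (my own code, not part of xWindowsEventForwarding): a helper, hypothetically named ConvertTo-WefQueryXml, that turns the resource's Query strings into the QueryList XML, emitting Suppress elements both for negated-ID lists like 'Security:-5152, -5157' (expanded into the XPath the Event Viewer filter produces) and for paths prefixed with 'Suppress '. The input at the bottom is constructed to mirror the first post.

```powershell
# Added example (not xWindowsEventForwarding code): build the <QueryList> XML
# from 'Path:Selector' strings, emitting <Suppress> for the two conventions
# in this thread: negated IDs ('Security:-5152, -5157') and a 'Suppress ' prefix.
function ConvertTo-WefQueryXml {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Query)

    $select    = New-Object System.Collections.Generic.List[string]
    $suppress  = New-Object System.Collections.Generic.List[string]
    $queryPath = $null

    foreach ($q in $Query) {
        # Split on the first colon only; an XPath selector may itself contain colons.
        $path, $selector = $q -split ':', 2
        if (-not $path -or -not $selector) {
            throw "Query entry '$q' is not in 'Path:Selector' form."
        }
        $path = $path.Trim(); $selector = $selector.Trim()

        # 'Suppress System:*' convention: strip the marker, keep the selector verbatim.
        $forceSuppress = $false
        if ($path -match '^suppress\s+(.+)$') { $path = $Matches[1]; $forceSuppress = $true }
        if (-not $queryPath) { $queryPath = $path }

        # Escape so a stray '<' or '&' in a value cannot break or alter the subscription XML.
        $xmlPath = [System.Security.SecurityElement]::Escape($path)
        $xmlBody = [System.Security.SecurityElement]::Escape($selector)

        # '-5152, -5157' convention: every item is a negated event ID, so build the
        # XPath clause the Event Viewer filter dialog would generate for it.
        $ids = @($selector -split ',' | ForEach-Object { $_.Trim() })
        $allNegatedIds = @($ids | Where-Object { $_ -notmatch '^-\d+$' }).Count -eq 0

        if ($forceSuppress) {
            $suppress.Add("    <Suppress Path=`"$xmlPath`">$xmlBody</Suppress>")
        } elseif ($allNegatedIds) {
            $clause = ($ids | ForEach-Object { 'EventID=' + $_.TrimStart('-') }) -join ' or '
            $suppress.Add("    <Suppress Path=`"$xmlPath`">*[System[($clause)]]</Suppress>")
        } else {
            $select.Add("    <Select Path=`"$xmlPath`">$xmlBody</Select>")
        }
    }

    $xml = (@('<QueryList>', "  <Query Id=`"0`" Path=`"$queryPath`">") +
            $select.ToArray() + $suppress.ToArray() + @('  </Query>', '</QueryList>')) -join "`n"
    $null = [xml]$xml   # parse once so malformed output fails here, not when the subscription is created
    return $xml
}

ConvertTo-WefQueryXml -Query @('Application:*', 'System:*', 'Security:*', 'Security:-5152, -5157')
```

The last call returns the same QueryList as the first post's hand-written XML, with the Security entry rendered as `<Suppress Path="Security">*[System[(EventID=5152 or EventID=5157)]]</Suppress>` instead of a literal `<Select>` containing "-5152, -5157".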