palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response

wecutil ss error x057 #26

Open adrwh opened 6 years ago

adrwh commented 6 years ago

Hello, thank you for your base files, excellent.

After I update a subscription XML file and try to update the subscription using wecutil ss .\filename.xml, I receive the following error.

Failed to open subscription. Error = 0x57.

Any clues?

patrickg2525 commented 5 years ago

I think this is a wecutil issue - not specific to any of the subscription xml files here; I ran into the same problems even when copying the examples verbatim from the MS docs (!). My work around was to do a delete subscription (ds) followed by a create subscription (cs).

mdecrevoisier commented 5 years ago

This is a known behavior when pushing for a subscription. The solution is just to remove or comment the line "SourceInitiated" in the XML file. Afterwards, pushing will work.

Source: https://support.microsoft.com/en-za/help/4491324/0x57-error-wecutil-command-update-event-forwarding-subscription

JPvRiel commented 4 years ago

In case someone else runs into the problem and wants to automate a fix, assuming you set $subscription as the subscription name and $subscriptionConfigFile as the config file, then here's an excerpt of a script I wrote that should help:

```powershell
# KNOWN ISSUE: https://support.microsoft.com/en-za/help/4491324/0x57-error-wecutil-command-update-event-forwarding-subscription
# Hack in extra logic to first read the config file as XML, then delete the SubscriptionType element/node, write a new temp file, and then apply a version of that file without the element.
[xml]$x = Get-Content -Path $subscriptionConfigFile -ErrorAction Stop
# For whatever lack of care for usability, Microsoft C# / PowerShell seems to require explicit namespace definitions and won't apply XPath on the default namespace defined...
$ns = @{ns = 'http://schemas.microsoft.com/2006/03/windows/events/subscription'}
$nodeSubscriptionType = (Select-Xml -Xml $x -Namespace $ns -XPath '/ns:Subscription/ns:SubscriptionType' -ErrorAction Stop).Node
$x.SubscriptionType.RemoveChild($nodeSubscriptionType)
$subscriptionConfigFileNameProp = Get-Item $subscriptionConfigFile | Select-Object -Property FullName, DirectoryName, BaseName
$ssSubscriptionConfigFile = "$($subscriptionConfigFileNameProp.DirectoryName)/$($subscriptionConfigFileNameProp.BaseName).ss.xml"
$x.Save($ssSubscriptionConfigFile)
wecutil.exe set-subscription /c:$ssSubscriptionConfigFile
Remove-Item -Path $ssSubscriptionConfigFile
Write-Output "`"$subscription`" subscription overwritten"
```

For me, I found the way C# / PowerShell deals with XML quite painful when it comes to handling the namespace....

hkelley commented 1 year ago

@JPvRiel's script is very helpful. I found that a small (and ignorable) exception is thrown when the Configuration mode for the subscription is not Custom (mine is MinLatency), even if the node is removed.

I also had to change $x.SubscriptionType.RemoveChild to $x.Subscription.RemoveChild

This is the exception I'm choosing to ignore (actually multiple exceptions thrown, one per line?)

```text
wecutil.exe set-subscription /c:$scratchSubscriptionConfigFile
wecutil.exe : Warning: Configuration mode for the subscription is not Custom. Delivery properties are not
At line:1 char:1
+ wecutil.exe set-subscription /c:$scratchSubscriptionConfigFile
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Warning: Config...perties are not:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

customizable for such mode. As a result, Delivery node from the provided configuration file
will be ignored.
```

This is the script I used:

```powershell
# KNOWN ISSUE: https://support.microsoft.com/en-za/help/4491324/0x57-error-wecutil-command-update-event-forwarding-subscription
# Hack in extra logic to first read the config file XML doc, then delete the SubscriptionType element/node, write a new temp file, and then apply a version of that file without the element.

param
(
    [System.IO.FileInfo] $subscriptionConfigFile
)

# For whatever lack of care for usability, Microsoft C# / PowerShell seems to require explicit namespace definitions and won't apply XPath on the default namespace defined...
$ns = @{ns = 'http://schemas.microsoft.com/2006/03/windows/events/subscription'}

[xml] $subscriptionConfig = Get-Content -Path $subscriptionConfigFile -ErrorAction Stop

$subscriptionName = $subscriptionConfig.Subscription.SubscriptionId

$nodeSubscriptionType = (Select-Xml -Xml $subscriptionConfig -Namespace $ns -XPath '/ns:Subscription/ns:SubscriptionType' -ErrorAction Stop).Node
$subscriptionConfig.Subscription.RemoveChild($nodeSubscriptionType)

$scratchSubscriptionConfigFile = "$($subscriptionConfigFile.DirectoryName)\$($subscriptionConfigFile.BaseName).scratch.xml"

$subscriptionConfig.Save($scratchSubscriptionConfigFile)

Write-Warning " Ignore the Configuration Mode exception, if reported"
wecutil.exe set-subscription /c:$scratchSubscriptionConfigFile

Remove-Item -Path $scratchSubscriptionConfigFile
Write-Output " `"$subscriptionName`" subscription overwritten"
```
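As an added example that is not part of the original thread or of the palantir/windows-event-forwarding repository: the workaround the comments above converge on (strip SubscriptionType from the file handed to wecutil ss because of the 0x57 error, deal with the schema's default namespace, and tolerate wecutil's non-fatal "Configuration mode ... is not Custom" warning instead of letting it surface as NativeCommandError), written as one function that also checks the wecutil exit code and can fall back to the delete/create workaround from patrickg2525's comment. The function name Set-WecSubscriptionFromFile, the -Recreate switch, the nested Invoke-Wecutil helper and the use of the caller's temp directory for the scratch copy are this example's own choices; it uses System.Xml.XmlNamespaceManager with SelectSingleNode rather than Select-Xml, and it must run from an elevated prompt on the collector, as wecutil itself requires.

```powershell
# Added example, not code from the repository or from the commenters in this thread.
# Applies a subscription XML with "wecutil ss" while working around error 0x57:
#   - removes the SubscriptionType element from a temporary copy (the original file is left intact)
#   - registers the schema's default namespace with an XmlNamespaceManager so the XPath matches
#   - captures wecutil's stderr so its non-fatal warnings become Write-Warning lines, not exceptions
#   - checks $LASTEXITCODE and, with -Recreate, falls back to "wecutil ds" + "wecutil cs"
# Function name, parameter names, the -Recreate switch and the temp-file location are assumptions
# made for this example. Run elevated on the collector, as wecutil itself requires.
function Set-WecSubscriptionFromFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recreate
    )

    $nsUri = 'http://schemas.microsoft.com/2006/03/windows/events/subscription'
    $fullPath = (Resolve-Path -Path $Path).ProviderPath

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($fullPath)

    # The subscription schema declares a default namespace; SelectSingleNode only matches
    # its elements when the XPath uses a prefix registered with a namespace manager.
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('es', $nsUri)

    $idNode = $doc.SelectSingleNode('/es:Subscription/es:SubscriptionId', $nsm)
    if (-not $idNode) { throw "No SubscriptionId element found in '$fullPath'" }
    $subscriptionId = $idNode.InnerText.Trim()

    # "ss" rejects a file that still carries SubscriptionType (error 0x57), so drop it from the
    # in-memory copy only. "cs" still needs it, which is why the original file stays untouched.
    $typeNode = $doc.SelectSingleNode('/es:Subscription/es:SubscriptionType', $nsm)
    if ($typeNode) { [void]$typeNode.ParentNode.RemoveChild($typeNode) }

    $tmp = Join-Path ([System.IO.Path]::GetTempPath()) "$subscriptionId.ss.xml"
    $doc.Save($tmp)

    # Helper: run wecutil with stderr merged into the output stream, report stderr lines as
    # warnings (wecutil prints non-fatal notices there) and return the process exit code.
    function Invoke-Wecutil {
        param([string[]] $Arguments)
        $ErrorActionPreference = 'Continue'   # keep redirected stderr from becoming a terminating error
        $output = & wecutil.exe @Arguments 2>&1
        foreach ($line in $output) {
            if ($line -is [System.Management.Automation.ErrorRecord]) { Write-Warning $line.ToString() }
            else { Write-Verbose $line }
        }
        return $LASTEXITCODE
    }

    try {
        $method = 'set-subscription'
        $code = Invoke-Wecutil -Arguments @('ss', "/c:$tmp")

        if ($code -ne 0 -and $Recreate) {
            # patrickg2525's workaround: replace the subscription instead of updating it in place.
            # "cs" takes the original file, SubscriptionType included.
            $method = 'delete+create'
            $code = Invoke-Wecutil -Arguments @('ds', $subscriptionId)
            if ($code -eq 0) { $code = Invoke-Wecutil -Arguments @('cs', $fullPath) }
        }

        if ($code -ne 0) { throw "wecutil $method failed for '$subscriptionId' with exit code $code" }
        [pscustomobject]@{ SubscriptionId = $subscriptionId; Method = $method; ExitCode = $code }
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Usage, from an elevated prompt on the collector (path is a placeholder):
# Set-WecSubscriptionFromFile -Path .\wef-subscriptions\Security.xml -Recreate -Verbose
```

The original file is never modified, so it stays valid for a later wecutil cs, and the exit-code check means a silent failure of ss (which the bare wecutil.exe call in the scripts above does not detect) either triggers the fallback or throws. Use -Recreate deliberately: delete plus create replaces the subscription rather than editing it, so it is the option to reach for only when ss keeps failing.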