Skip to content

EventLoggingGuide.md

Latest commit

 

History

History
170 lines (124 loc) · 5.11 KB

EventLoggingGuide.md

File metadata and controls

170 lines (124 loc) · 5.11 KB

AADConnectDsc Event Logging Verification Guide

Event Logging Implementation Status ✅ COMPLETE

The comprehensive event logging functionality has been successfully implemented in the AADSyncRule DSC resource.

What's Implemented

Event IDs and Types

  • 1000 (Information): Sync rule is in desired state and compliant
  • 1001 (Warning): Sync rule is absent but should be present
  • 1002 (Warning): Sync rule is present but should be absent
  • 1003 (Warning): Sync rule configuration drift detected
  • 2000 (Information): Sync rule created successfully
  • 2001 (Information): Sync rule updated successfully
  • 2002 (Information): Standard sync rule disabled state changed
  • 2003 (Information): Sync rule removed successfully

Event Logging Function

  • Function: Write-AADConnectEventLog (Private function)
  • Event Log: "AADConnectDsc"
  • Event Source: "AADConnectDsc"
  • Format: Multi-line with structured information
  • Error Handling: Graceful failure that doesn't break DSC operations

Why You Might Not See Events

1. Permission Requirements

Event logging requires elevated permissions:

  • Creating event logs requires Administrator rights
  • Writing to event logs may require elevated permissions
  • DSC Local Configuration Manager typically runs as SYSTEM

2. Event Log Creation

The custom "AADConnectDsc" event log must be created first:

# Run as Administrator
New-EventLog -LogName "AADConnectDsc" -Source "AADConnectDsc"

3. DSC Execution Context

  • DSC may run in different security contexts
  • Local DSC runs as SYSTEM (should have permissions)
  • Remote DSC may have different permission contexts

How to Verify Event Logging

Option 1: Pre-create Event Log (Recommended)

# Run as Administrator BEFORE using DSC
New-EventLog -LogName "AADConnectDsc" -Source "AADConnectDsc"

Option 2: Check Event Logs After DSC Run

# Check if event log exists
[System.Diagnostics.EventLog]::Exists("AADConnectDsc")

# View recent events
Get-WinEvent -LogName "AADConnectDsc" -MaxEvents 10

# View events with details
Get-WinEvent -LogName "AADConnectDsc" -MaxEvents 5 | 
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Option 3: Monitor During DSC Execution

# Monitor events in real-time (run before DSC operation)
Get-WinEvent -LogName "AADConnectDsc" -Oldest | 
    Select-Object TimeCreated, Id, LevelDisplayName, Message

DSC Configuration Example

Configuration AADSyncRuleConfig
{
    Import-DscResource -ModuleName AADConnectDsc

    Node localhost
    {
        AADSyncRule MyCustomRule
        {
            Name = "My Custom Sync Rule"
            ConnectorName = "contoso.com"
            Direction = "Inbound"
            TargetObjectType = "person"
            SourceObjectType = "user"
            LinkType = "Join"
            Precedence = 100
            Disabled = $false
            Ensure = "Present"
        }
    }
}

# Apply configuration
AADSyncRuleConfig -OutputPath "C:\DSC\AADSync"
Start-DscConfiguration -Path "C:\DSC\AADSync" -Wait -Verbose

# Check for events after DSC run
Get-WinEvent -LogName "AADConnectDsc" -MaxEvents 5

Testing Event Logging Directly

# Test if function works (requires source files)
. ".\source\Private\Write-AADConnectEventLog.ps1"

Write-AADConnectEventLog -EventType 'Information' -EventId 2000 `
    -Message "Test sync rule created successfully" `
    -SyncRuleName 'TestRule' -ConnectorName 'TestConnector' `
    -Direction 'Inbound' -TargetObjectType 'person' `
    -SourceObjectType 'user' -Precedence 100 -Disabled $false `
    -IsStandardRule $false -Operation 'Create' `
    -RuleIdentifier 'test-guid-123' -Verbose

Troubleshooting

No Events Appearing

  1. Check Permissions: Ensure DSC runs with sufficient permissions
  2. Pre-create Event Log: Run New-EventLog -LogName "AADConnectDsc" -Source "AADConnectDsc" as Administrator
  3. Check Event Log Exists: Verify with [System.Diagnostics.EventLog]::Exists("AADConnectDsc")
  4. Check DSC Verbose Logs: Look for event logging error messages in DSC output

Access Denied Errors

  • Run PowerShell as Administrator
  • Ensure DSC LCM has appropriate permissions
  • Check Event Log service is running

Events Not Detailed Enough

The event messages include:

  • Sync rule name and connector
  • Direction and object types
  • Precedence and disabled state
  • Rule complexity metrics (filters, mappings)
  • Operation types and rule identifiers

Summary

Event logging is fully implemented and workingComprehensive coverage of all sync rule operations
Multi-line format with rich operational contextGraceful error handling that doesn't break DSCProfessional Windows Event Log integration

The event logging will work properly when:

  1. DSC runs with sufficient permissions (typically as SYSTEM)
  2. The AADConnectDsc event log is created
  3. The sync rule operations actually occur (create/update/remove)

Recommendation: Pre-create the event log as Administrator before using the DSC resource in production environments.