Top 10 PowerShell DSC Node Events to Monitor

01_blivitIn a previous blog post I demonstrated how to get a list of all possible PowerShell Desired State Configuration (DSC) events for monitoring. Admittedly, that was an overwhelming list. Today I want to narrow that down to the essentials of DSC monitoring events.

These are the events you’re looking for.

Recently I was working with a customer who wanted specific events for DSC monitoring. I did my testing with a Windows Server 2012 R2 node running WMF 5.1. The pull server was on the same versions. I fired up a node connected to the pull server and labbed a number of common scenarios you would want to monitor.

DSC node events are recorded in the Microsoft-Windows-DSC/Operational log. Here are the main events you want to capture. I have assigned a simple category to each of these.

Category Event ID Level Status
Desired State 4115 / 4343 Information Consistency scan completed (ie. in desired state if 4249 is not also present)
Desired State 4249 Warning Failed consistency scan (ie. not in desired state). Only appears in ApplyAndMonitor mode.
Configuration Apply 4097 Error Configuration failed to apply
Configuration Apply 4332 Information Listing of resources applied in the configuration
Configuration Apply 4257 Information LCM settings during the configuration
Node Pull 4252 Error Node failed to download from pull server, only event 4252 with Error Category 8 in the message
Node Report 4264 / 4266 Information Node successfully reported to report server
Node Report 4260 Error Node failed reporting to report server


In some cases there may be other events to indicate similar status. These IDs are the least chatty. Of these ten events I have highlighted the three essential error conditions for monitoring.

Note the following points:

  • Event 4249 only shows up in ApplyAndMonitor configuration mode to indicate configuration drift. In my testing I could not find an event indicating configuration drift when ApplyAndAutocorrect actually makes a correction to the configuration.
  • In the message body of some events you will see PerformRequiredConfigurationChecks. These bit flag values are documented here.
  • Event 4252 appears for all kinds of conditions. Differentiate the events by the message body and the Error Category data inside the event.

Scripting to Capture Logs

Here is some quick syntax to remotely query the events. Note that I limit the total number of events returned for performance reasons. Tweak MaxEvents as needed.

Invoke-Command -ComputerName server1,server2,server3 -ScriptBlock {            
  Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 50} |            
  Select-Object PSComputerName,TimeCreated,LevelDisplayName,Id,Message |            

Here is some quick syntax to export all of the DSC event logs, optional pull server details, and zip them up for analysis off-box. I use this when troubleshooting DSC.

New-Item -ItemType Directory -Path C:\logs -ErrorAction SilentlyContinue            
(Get-WinEvent -ListLog *desired*,*dsc*).LogName |             
Where-Object {$_ -notlike "*admin*"} |             
ForEach-Object {            
    wevtutil export-log /overwrite:true $_ "C:\logs\$($env:COMPUTERNAME)_$($_.Replace('/','-')).evtx"            
'System','Application' | ForEach-Object {            
    wevtutil export-log /overwrite:true $_ "C:\logs\$($env:COMPUTERNAME)_$($_).evtx"            
If ((Get-WindowsFeature DSC-Service).Installed) {            
    Get-ChildItem 'C:\Program Files\WindowsPowerShell\DscService' > C:\logs\DscService.txt            
    Copy-Item -Path 'C:\inetpub\wwwroot\PSDSCPullServer\web.config' -Destination C:\logs            
$PSVersionTable > C:\logs\PSVersionTable.txt            
Compress-Archive -Path C:\logs\*.evtx,C:\logs\*.config,C:\logs\*.txt `
    -DestinationPath "C:\logs\$($env:COMPUTERNAME)" -Update

The xDscDiagnostics module has a function New-xDscDiagnosticsZip which will get most of these things and a few other items. This code above is tailored for my own DSC troubleshooting needs. Note that my version will attempt to collect additional details from a pull server, assuming the default install paths.

Additional Resources

For more info on troubleshooting DSC and logs see the documentation here:

Don’t forget to check out my previous blog post for more on working with DSC event logs.


What do you monitor for DSC events? Did I miss any? If so, let me know in the comments area below.

Comments (0)

Skip to main content