PowerShell - Query Event Log Remotely

  • Question

  • Hi,

    We have a basic script which queries the event log on the DCs and on the local Exchange server.

    These are the commands:

    1) Exchange

    Get-EventLog -ComputerName Exchange_Server -LogName "MSExchange Management" -EntryType Information -InstanceId 1073741825 -After $BeginDate -Before $EndDate

    2) DCs

    Get-WinEvent -ComputerName DC_Server -FilterHashtable @{LogName="security"; startTime=$BeginDate; id=4720}

    When running the script manually, everything works as expected.

    When I tried running the script as a scheduled task, with the 'nt authority\system' user, the event log part fails.

    I tried setting up the scheduled task with my account: if I store a password it works, otherwise not.

    So I opened a PowerShell session as 'nt authority\system' and tried running the commands manually; I'm getting the following error:

    get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation 

    (Get-EventLog is failing too, with a similar error)

    The goal is to run this script as a scheduled task. 'nt authority\system' is the user I use for such tasks, but I can't understand what the issue is...

    The servers are Windows Server 2012 R2, 2016 and 2019.

    Appreciate your assistance here.

    Thanks.

    Thursday, October 31, 2019 3:54 PM

Answers

  • The account must run elevated to access the security log.  That is what the error message is telling you.

    When running remotely the task must store the password.  A local machine account cannot access protected resources on a remote PC.


    \_(ツ)_/

    • Marked as answer by Ranr Thursday, October 31, 2019 4:29 PM
    Thursday, October 31, 2019 4:17 PM

All replies

  • Understood.

    So I would like to use a user dedicated for this task. I will need to create a new AD user, but I want to give it the minimal permissions it needs for this task. How can I achieve this? 

    Thanks.

    Thursday, October 31, 2019 4:29 PM
    Only admins can access the security log, or a user with permissions on the security log on that machine.  Make the user a member of the "Event Log Readers" local group.

    Also do not use Get-EventLog on Windows.  It is deprecated and does not provide output compatible with Get-WinEvent.

    # One hashtable reused for both queries; only the log name changes between them.
    $filter = @{
        LogName ='MSExchange Management'
        StartTime = [datetime]::Today.AddDays(-1)   # yesterday 00:00
        EndTime = [datetime]::Today                 # today 00:00
        id = 4720
    }
    Get-WinEvent -FilterHashtable $filter -ComputerName Exchange_Server 
    $filter.LogName = 'Security'
    Get-WinEvent -FilterHashtable $filter -ComputerName DC_Server


    \_(ツ)_/

    Thursday, October 31, 2019 4:49 PM
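    The same approach as a self-contained script meant to run under the dedicated non-admin account, added here as an example (not code from the thread). It keeps one filter per log because the two logs need different event IDs, and it turns the "unauthorized operation" failure from the question into a message that names the missing group membership. Server names are placeholders, and the MSExchange Management event ID 1 is assumed from the InstanceId 1073741825 in the original question (its low 16 bits are 1).

```powershell
# Added example, not from the original thread. Placeholders: server names,
# event IDs other than 4720. Runs as the scheduled task's dedicated account,
# which must be a member of "Event Log Readers" on each target host (on a DC
# that is the Builtin\Event Log Readers domain group; DCs have no local groups).

$exchangeServer   = 'Exchange_Server'   # placeholder
$domainController = 'DC_Server'         # placeholder

$begin = [datetime]::Today.AddDays(-1)  # yesterday 00:00
$end   = [datetime]::Today              # today 00:00

# One filter per log; the IDs differ, so a single shared hashtable is a trap.
# 4720 = "A user account was created" (Security log).
# Id 1 in "MSExchange Management" is assumed from the question's InstanceId
# 1073741825 (0x40000001): Get-EventLog InstanceId low 16 bits = event ID 1.
$queries = @(
    @{ Computer = $exchangeServer;   Filter = @{ LogName = 'MSExchange Management'; Id = 1;    StartTime = $begin; EndTime = $end } }
    @{ Computer = $domainController; Filter = @{ LogName = 'Security';              Id = 4720; StartTime = $begin; EndTime = $end } }
)

function Get-RemoteEvents {
    param([string]$Computer, [hashtable]$Filter)
    try {
        # -ErrorAction Stop makes "no events found" and access failures catchable.
        Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop
    }
    catch {
        $msg = $_.Exception.Message
        if ($msg -like '*unauthorized*') {
            # The case from the thread: this account cannot read that channel on $Computer.
            $who = "$env:USERDOMAIN\$env:USERNAME"
            Write-Warning ("{0}: no read access to the '{1}' log as {2}. " -f $Computer, $Filter.LogName, $who)
            Write-Warning "Add the account to 'Event Log Readers' on $Computer (Builtin domain group on a DC) and log it on again so the new group is in its token."
        }
        elseif ($msg -like 'No events were found*') {
            Write-Verbose "$Computer : no matching events between $begin and $end."
        }
        else {
            throw   # anything else (RPC unavailable, bad log name) is a real error
        }
    }
}

foreach ($q in $queries) {
    Get-RemoteEvents -Computer $q.Computer -Filter $q.Filter |
        Select-Object MachineName, TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}
```

    The membership reminder matters because group membership is read into the logon token at logon time; a scheduled task started after the change gets a fresh token, but an interactive test session opened earlier does not.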
    OK - I created a user and added it to the "Event Log Readers" AD group, and locally on the Exchange server.

    The Exchange logs are available now.

    DCs still give the same error:

    Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized
    operation..

    Thursday, October 31, 2019 5:37 PM
  • The security log requires the user to be an administrator or have the security log privilege.


    \_(ツ)_/

    Thursday, October 31, 2019 5:58 PM
    You can ensure the user has the required permissions by connecting to the remote PC's event log from the Event Viewer console. Refer to the image below.

    [Image: Connect Remote PC Event Log]

    Monday, November 4, 2019 12:05 PM
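    The same permission check from PowerShell, plus registering the task under the dedicated account with a stored password as the accepted answer recommends; this is an added example, not code from the thread. Get-WinEvent's -Credential parameter reads the remote log as the service account, so it fails with the same error the task would. Task name, script path, server names and the account are placeholders; the ActiveDirectory module is assumed to be installed on the admin workstation for the DC membership check.

```powershell
# Added example, not from the original thread. Run from an admin workstation.
# Placeholders: task name, script path, server names, service account.

$taskName   = 'Collect-AccountEvents'              # placeholder
$scriptPath = 'C:\Scripts\Get-AccountEvents.ps1'   # placeholder
$logByHost  = @{ 'Exchange_Server' = 'MSExchange Management'; 'DC_Server' = 'Security' }  # placeholders
$cred       = Get-Credential -Message 'Dedicated event log reader account (e.g. DOMAIN\svc-eventreader)'

# 1) Pre-flight: read one event from each log as the service account.
#    A failure here reproduces exactly what the scheduled task would see.
foreach ($server in $logByHost.Keys) {
    try {
        $null = Get-WinEvent -ComputerName $server -LogName $logByHost[$server] -MaxEvents 1 -Credential $cred -ErrorAction Stop
        Write-Host "$server : read access to '$($logByHost[$server])' OK"
    }
    catch {
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

# 2) Confirm the membership the thread relies on.
#    Member server: the local "Event Log Readers" group (needs PS remoting + admin rights there).
Invoke-Command -ComputerName 'Exchange_Server' -ScriptBlock { Get-LocalGroupMember -Group 'Event Log Readers' } |
    Select-Object PSComputerName, Name, ObjectClass
#    Domain controllers have no local SAM; the group is Builtin\Event Log Readers in AD.
Get-ADGroupMember -Identity 'Event Log Readers' | Select-Object SamAccountName, objectClass

# 3) Register the task with a stored password (LogonType Password), RunLevel Limited:
#    the account is deliberately not an admin, so do not request an elevation it cannot get.
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At 01:00
$settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited
```

    Storing the password is what lets the task present a domain identity to the remote hosts; a task running as SYSTEM or with "do not store password" authenticates as the machine account or as a restricted token, which is why the original SYSTEM-based task failed on remote logs.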