PowerShell - Query Event Log Remotely

Question
-
Hi,
We have a basic script which queries the event log on the DCs and on the local Exchange server.
These are the commands:
1) Exchange
Get-EventLog -ComputerName Exchange_Server -LogName "MSExchange Management" -EntryType Information -InstanceId 1073741825 -After $BeginDate -Before $EndDate
2) DCs
Get-WinEvent -ComputerName DC_Sevrer -FilterHashtable @{LogName="security"; startTime=$BeginDate; id=4720}
When running the script manually, everything works as expected.
When I tried running the script as a scheduled task, with the 'nt authority\system' user, the event log part is failing.
I tried setting up the scheduled task with my account: if the password is stored it is working, otherwise not.
So I opened a PowerShell session as 'nt authority\system' and tried to run the commands manually. I'm getting the following error:
get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation
(Get-EventLog is failing too, with a similar error)
The goal is to run this script as a scheduled task. 'nt authority\system' is the user that I use for such tasks, but I can't understand what the issue is...
The servers are Windows Server 2012 R2, 2016 and 2019.
Appreciate your assistance here.
Thanks.
Thursday, October 31, 2019 3:54 PM
Answers
-
The account must run elevated to access the security log. That is what the error message is telling you.
When running remotely the task must store the password. A local machine account cannot access protected resources on a remote PC.
\_(ツ)_/
- Marked as answer by Ranr Thursday, October 31, 2019 4:29 PM
Thursday, October 31, 2019 4:17 PM
All replies
-
Understood.
So I would like to use a user dedicated to this task. I will need to create a new AD user, but I want to give it the minimal permissions it needs for this task. How can I achieve this?
Thanks.
Thursday, October 31, 2019 4:29 PM
-
Only admins can access the security log, or a user with permissions on the security log on that machine. Make the user a member of the "Event Log Readers" local group.
Also, do not use Get-EventLog on Windows. It is deprecated and does not provide output compatible with Get-WinEvent.
$filter = @{
    LogName   = 'MSExchange Management'
    StartTime = [datetime]::Today.AddDays(-1)
    EndTime   = [datetime]::Today
    Id        = 4720
}
Get-WinEvent -FilterHashtable $filter -ComputerName Exchange_Server
$filter.LogName = 'Security'
Get-WinEvent -FilterHashtable $filter -ComputerName DC_Sevrer
\_(ツ)_/
Thursday, October 31, 2019 4:49 PM
-
OK. I created a user and added it to the "Event Log Readers" AD group and locally on the Exchange server.
The Exchange logs are available now.
DCs: still the same error:
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.
Thursday, October 31, 2019 5:37 PM
-
The security log requires the user to be an administrator or have the security log privilege.
\_(ツ)_/
Thursday, October 31, 2019 5:58 PM
-
You can check that the user has the required permissions by connecting to the remote PC's event log from the Event Viewer console. Refer to the image below.
Monday, November 4, 2019 12:05 PM
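Added example (not code from the thread or from Microsoft): one script that pulls the thread's two queries together, surfaces the per-server "unauthorized operation" error instead of aborting, reports which identity the task really runs under, and registers the job as a scheduled task under a dedicated account with a stored password, as the accepted answer requires. The server names DC01/DC02/EXCH01, the account CONTOSO\svc-eventlog, the script path and the task name are placeholders; the mapping of Get-EventLog's InstanceId 1073741825 to Get-WinEvent Id 1 for the Exchange log is an assumption noted in the code.

```powershell
# Added example, not code from the thread. Placeholders: DC01/DC02/EXCH01, CONTOSO\svc-eventlog,
# C:\Scripts\Get-AuditEvents.ps1 and the task name Collect-AccountAuditEvents.

# Hypothetical target list. 4720 = "A user account was created" (Security log on the DCs).
# For the MSExchange Management log, Get-EventLog's InstanceId 1073741825 (0x40000001) is assumed
# to map to Get-WinEvent Id 1 (the low 16 bits; the high bits are severity flags).
$Servers = @{
    'DC01'   = @{ LogName = 'Security';              Id = 4720 }
    'DC02'   = @{ LogName = 'Security';              Id = 4720 }
    'EXCH01' = @{ LogName = 'MSExchange Management'; Id = 1    }
}

function Test-RunContext {
    # Report which identity the script really runs under and whether it holds either
    # membership that grants Security-log reads on this host: Administrators or
    # Event Log Readers (well-known SID S-1-5-32-573). Remote servers check their own groups.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        RunningAs      = $id.Name
        IsLocalSystem  = $id.IsSystem
        LocalAdmin     = $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        EventLogReader = $p.IsInRole([System.Security.Principal.SecurityIdentifier]'S-1-5-32-573')
    }
}

function Get-AuditEvents {
    param(
        [Parameter(Mandatory)] [hashtable] $Targets,
        [datetime] $Start = [datetime]::Today.AddDays(-1),
        [datetime] $End   = [datetime]::Today
    )
    foreach ($server in $Targets.Keys) {
        $filter = @{
            LogName   = $Targets[$server].LogName
            Id        = $Targets[$server].Id
            StartTime = $Start
            EndTime   = $End
        }
        try {
            # -ErrorAction Stop makes the access-denied error catchable per server instead of
            # aborting the run or silently skipping the remaining servers.
            Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
                Select-Object MachineName, TimeCreated, Id,
                    @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
        }
        catch {
            if ($_.Exception.Message -like 'No events were found*') {
                # Get-WinEvent reports an empty result as an error; that is not a permissions problem.
                Write-Verbose "$server : no matching events between $Start and $End"
            }
            else {
                # Typical cause on the Security log: the account is neither a local Administrator on
                # $server nor in its Event Log Readers group, or it was added after its logon token was built.
                Write-Warning "$server : $($_.Exception.Message)"
            }
        }
    }
}

function Register-AuditTask {
    param(
        [Parameter(Mandatory)] [string]       $ScriptPath,
        [Parameter(Mandatory)] [pscredential] $RunAs      # dedicated account, e.g. CONTOSO\svc-eventlog
    )
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At '06:00'
    # Storing the password gives the task a logon that carries network credentials, which the
    # remote event log service needs; a "do not store password" (S4U) logon reaches local resources only.
    # -RunLevel Limited: the account is deliberately not an admin, so no elevation is requested.
    Register-ScheduledTask -TaskName 'Collect-AccountAuditEvents' -Action $action -Trigger $trigger `
        -User $RunAs.UserName -Password $RunAs.GetNetworkCredential().Password -RunLevel Limited
}

# Usage: validate interactively under the dedicated account before scheduling it.
Test-RunContext
Get-AuditEvents -Targets $Servers -Verbose | Format-Table -AutoSize
# Register-AuditTask -ScriptPath 'C:\Scripts\Get-AuditEvents.ps1' -RunAs (Get-Credential 'CONTOSO\svc-eventlog')
```

When the scheduled task fails but the same commands work at the console, run Test-RunContext from within the task first: it shows whether the job is really running as the dedicated account and whether that account's token carries the Event Log Readers membership. Group membership is evaluated at logon, so a token created before the account was added to the group will still be refused the Security log until the account logs on again.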