Remove From My Forums

PowerShell - Query Event log Remotly

Question
0

Sign in to vote

Hi,

We have a basic script which query the event log in the DCs and in the local exchange server.

These are the commands:

1) Exchange

Get-EventLog -ComputerName Exchange_Server -LogName "MSExchange Management" -EntryType Information -InstanceId 1073741825 -After $BeginDate -Before $EndDate

2) DCs

Get-WinEvent -ComputerName DC_Sevrer -FilterHashtable @{LogName="security"; startTime=$BeginDate; id=4720}

When running the script manually - everything work as expected.

When I tried running the script as a scheduale task, with 'nt authority\system' user, the event log part is failing.

I tried setting the scheduale task with my account - if storing a password it is working, otherwise not.

So I opened PowerShell session with 'nt authority\system' and try run the commands manualy - im getting the following error:

get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation

(Get-EventLog is failing to with a similar error)

The goal is to run this script as scheduale task - 'nt authority\system' is the user that I use for such tasks, but I cant understand what is the issue...

The servers are 2012R2,2016 and 2019 Win Server.

Appriciate your assitance here.

Thanks.

Thursday, October 31, 2019 3:54 PM

Answers

0

Sign in to vote
The account must run elevated to access the security log. That is what the error message is telling you.

When running remotely the task must store the password. A local machine account cannot access protected resources on a remote PC.

\_(ツ)_/
- Marked as answer by Ranr Thursday, October 31, 2019 4:29 PM
Thursday, October 31, 2019 4:17 PM

All replies

0

Sign in to vote
The account must run elevated to access the security log. That is what the error message is telling you.

When running remotely the task must store the password. A local machine account cannot access protected resources on a remote PC.

\_(ツ)_/
- Marked as answer by Ranr Thursday, October 31, 2019 4:29 PM
Thursday, October 31, 2019 4:17 PM
0

Sign in to vote

Understood.

So I would like to use a user dedicated for this task - I will need to create new AD user, but I want to give it the minimal permissions it need for this task. how can I achive this?

Thanks.

Thursday, October 31, 2019 4:29 PM
0

Sign in to vote
Only admins can access the security log or a user with permissions on the security log on that machine. Make the user a member of the "event log readers" local group.

Also do not use Get-Eventlog on Windows. It is deprecated and does not provide output compatible with Get-WinEvent.

$filter = @{ LogName ='MSExchange Management' StartTime = [datetime]::Today.AdDays(-1) EndTime = [datetime]::Today id = 4720 } Get-WinEvent -FilterHashtable $filter -ComputerName Exchange_Server $filter.LogName = 'Security' Get-WinEvent -FilterHashtable $filter -ComputerName DC_Sevrer

\_(ツ)_/
Thursday, October 31, 2019 4:49 PM
0

Sign in to vote

OK - I created a user and added it to the "event log readers" AD group and localy in the Exchange server.

The Exchnage logs are available now.

DCs still same error
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized
operation..

Thursday, October 31, 2019 5:37 PM
0

Sign in to vote

The security log requires the user to be an administrator or have the security log privilege.

\_(ツ)_/

Thursday, October 31, 2019 5:58 PM
0

Sign in to vote

You can ensure the user has required permissions by connecting the remote pc event log from Event Viewer console. Refer the below image.

Monday, November 4, 2019 12:05 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

PowerShell - Query Event log Remotly

Question

Answers

All replies