Bassie Bassie - 1 year ago 196
C# Question

Unauthorized Operation When Querying Event Logs

I have the following code for querying some events on a remote computer:

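using System.Diagnostics.Eventing.Reader;

// XPath filter: events 5061 and 5058 newer than {Timespan} milliseconds
filter = $"*[System[(EventID='5061' or EventID='5058') and TimeCreated[timediff(@SystemTime) <= {Timespan}]]]";
EventLogSession session;

// "PCNAME", "DOMAIN" and "USER" are placeholders for the remote machine, domain and account
using (var pw = GetPassword())
    session = new EventLogSession("PCNAME", "DOMAIN", "USER", pw, SessionAuthentication.Default);

var query = new EventLogQuery("Security", PathType.LogName, filter)
{ Session = session };

// Opening the reader issues the query against the remote Security log
var reader = new EventLogReader(query);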

When we reach the last line, throws an error:

Attempted to perform an unauthorized operation.

Where user is a member of the Event Log Readers group on AD in the same domain. Is there some other group that he needs to be a member of? Or is there some way of configuring the Event Log Readers group to allow certain types of access?

Answer Source

This was happening because the user specified in EventLogSession did not have local admin rights on the PC being queried.

After adding "USER" as a local admin on "PCNAME", I was able to query the logs successfully.

I thought this had already been set up, but because "USER" was added as an admin to all PCs via a script, the list of computers that it applied to must have been incomplete due to a bug in that script.
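The answer traces the failure to a rollout script that missed some machines. The following is an added example, not code from the original post: it probes each host with the same kind of Security log query and reports where the account is refused. The class and method names, the host names, "DOMAIN" and "USER" are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Security;

static class SecurityLogAccessCheck
{
    const string Filter = "*[System[(EventID='5061' or EventID='5058')]]";

    // Tries to read one matching event from the Security log on each host
    // and records whether the account was allowed to do so.
    public static Dictionary<string, string> Probe(
        IEnumerable<string> hosts, string domain, string user, SecureString password)
    {
        var results = new Dictionary<string, string>();
        foreach (var host in hosts)
        {
            try
            {
                using (var session = new EventLogSession(
                    host, domain, user, password, SessionAuthentication.Default))
                {
                    var query = new EventLogQuery("Security", PathType.LogName, Filter)
                    { Session = session };
                    using (var reader = new EventLogReader(query))
                    using (var record = reader.ReadEvent())   // null when nothing matches
                        results[host] = "OK";
                }
            }
            // The failure from the question: "Attempted to perform an unauthorized operation."
            catch (UnauthorizedAccessException) { results[host] = "DENIED"; }
            // Unreachable host, missing log and similar errors
            catch (EventLogException ex) { results[host] = "ERROR: " + ex.Message; }
        }
        return results;
    }

    static void Main()
    {
        var pw = new SecureString();
        Console.Write("Password: ");
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            pw.AppendChar(k.KeyChar);
        var hosts = new[] { "PCNAME", "PCNAME2" };   // placeholder host names
        foreach (var r in Probe(hosts, "DOMAIN", "USER", pw))
            Console.WriteLine($"{r.Key}: {r.Value}");
    }
}
```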
