Bassie Bassie - 2 months ago 30
C# Question

Unauthorized Operation When Querying Event Logs

I have the following code for querying some events on a remote computer:

// Requires: using System.Diagnostics.Eventing.Reader;
var filter = $"*[System[(EventID='5061' or EventID='5058') and TimeCreated[timediff(@SystemTime) <= {Timespan}]]]";
EventLogSession session;

// GetPassword() is expected to return a SecureString
using (var pw = GetPassword())
{
    session = new EventLogSession(
        "PCNAME",
        "DOMAIN",
        "USERNAME",
        pw,
        SessionAuthentication.Default);
}

var query = new EventLogQuery("Security", PathType.LogName, filter)
    { Session = session };

var reader = new EventLogReader(query);


When we reach the last line, EventLogReader(query) throws an error:


Attempted to perform an unauthorized operation.


Where user USERNAME is a member of the Event Log Readers group on AD in the same domain. Is there some other group that he needs to be a member of? Or is there some way of configuring the Event Log Readers group to allow certain types of access?

Answer

This was happening because the user specified in EventLogSession did not have local admin rights on the PC being queried.

After adding "USER" as a local admin on "PCNAME", I was able to query the logs successfully.


I thought this had already been set up, but because "USER" was added as an admin to all PCs via a script, the list of computers that it applied to must have been incomplete due to a bug in that script.
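
Related to the question about the Event Log Readers group, here is an added example (not part of the original post or answer) that checks whether a channel's SDDL grants read access to BUILTIN\Event Log Readers. The class and method names are hypothetical, the sample SDDL strings are constructed, and ChannelSddl assumes the session's account is allowed to read the channel configuration on the target.

```csharp
// Added example, not from the original post. Windows only.
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security.AccessControl;
using System.Security.Principal;

static class ChannelAclCheck
{
    const int LogRead = 0x1; // read right in an event log channel ACE

    // Well-known SID of BUILTIN\Event Log Readers.
    static readonly SecurityIdentifier EventLogReaders = new SecurityIdentifier("S-1-5-32-573");

    // True if the SDDL has an allow ACE (and no deny ACE) granting read to
    // exactly this SID. A user's other group memberships are not evaluated.
    public static bool GrantsRead(string sddl, SecurityIdentifier sid)
    {
        var sd = new RawSecurityDescriptor(sddl);
        if (sd.DiscretionaryAcl == null) return true; // null DACL: no restriction
        bool allowed = false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var c = ace as CommonAce;
            if (c == null || c.SecurityIdentifier != sid) continue;
            if ((c.AccessMask & LogRead) == 0) continue;
            if (c.AceType == AceType.AccessDenied) return false;
            if (c.AceType == AceType.AccessAllowed) allowed = true;
        }
        return allowed;
    }

    // Reads the channel's SDDL from the machine the session points at.
    public static string ChannelSddl(string channel, EventLogSession session)
    {
        using (var cfg = new EventLogConfiguration(channel, session))
            return cfg.SecurityDescriptor;
    }

    static void Main()
    {
        // Constructed sample SDDL: SYSTEM, Administrators, Event Log Readers.
        const string sample =
            "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)";
        Console.WriteLine(GrantsRead(sample, EventLogReaders));

        // Same check with the Event Log Readers ACE removed.
        Console.WriteLine(GrantsRead("O:BAG:SYD:(A;;0x5;;;BA)", EventLogReaders));
    }
}
```

Passing the session built in the question to ChannelSddl("Security", session) and feeding the result to GrantsRead tests the real descriptor on PCNAME.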
