I have been trying to get the Event Viewer logs of Application, Security and System and store the output in an XML file. While Application and System work just fine, I have been having problems with Security. I am using credentials which are read from an XML file. This is what my code looks like:
$main = (Get-Item .).FullName
Import-Module C:\repos\IPA\Tests\separate\GetCredsFromFile.psm1
Import-Module C:\repos\IPA\Tests\separate\SaveCredsToFile.psm1

function Get-EV {
    param(
        [Parameter(Mandatory)] [string] $logName,
        [Parameter(Mandatory)] [string] $ServerIP,
        [Parameter()] [datetime] $DateLimit = (Get-Date).AddDays(-7),
        [Parameter()] [string] $copyto = "$main\logdir\"
    )
    try {
        if (-not (Test-Path "$main\creds.xml")) {
            SaveCredsToFile -File "$main\creds.xml"
        }
        $creds = GetCredsFromFile -File "$main\creds.xml"
        # -MaxEvents returns the newest 10 events; the date limit is then applied to those
        $logs = Get-WinEvent -LogName $logName -ComputerName $ServerIP -Credential $creds -MaxEvents 10 |
            Where-Object { $_.TimeCreated -ge $DateLimit }
        # create the output directory if it does not exist yet
        New-Item -ItemType Directory -Path $copyto -Force | Out-Null
        $logs | Export-Clixml -Path (Join-Path $copyto "$ServerIP - $logName.xml")
    } catch { Write-Error $_.Exception.Message }
}

function Get-SELogs {
    param(
        [Parameter(Mandatory)] [string] $ServerIP,
        [Parameter()] [string] $LogName,
        [Parameter()] [string] $copyto = "$main\logdir\",
        [Parameter()] [datetime] $OldDate
    )
    try {
        # common arguments for every Get-EV call; OldDate is only passed on when given
        $evArgs = @{ ServerIP = $ServerIP; copyto = $copyto }
        if ($PSBoundParameters.ContainsKey('OldDate')) { $evArgs.DateLimit = $OldDate }
        switch ($LogName) {
            "app" { Get-EV -logName "Application" @evArgs }
            "sys" { Get-EV -logName "System" @evArgs }
            "sec" { Get-EV -logName "Security" @evArgs }
            Default {
                # Default gets all
                foreach ($name in @("Application", "System", "Security")) {
                    Get-EV -logName $name @evArgs
                }
            }
        }
    } catch {
        Write-Error $_.Exception.Message
    }
}

Get-SELogs -ServerIP 192.168.1.176 -LogName sec
When I run this code I get the following error:
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation..
At C:\repos\IPA\Tests\separate\Get-SELogs.ps1:20 char:17
... $logs = Get-WinEvent -LogName $logname -ComputerName $ServerIP -C ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception
FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
Get-WinEvent : There is not an event log on the 192.168.1.176 computer that matches "Security".
At C:\repos\IPA\Tests\separate\Get-SELogs.ps1:20 char:17
... $logs = Get-WinEvent -LogName $logname -ComputerName $ServerIP -C ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : ObjectNotFound: (Security:String) [Get-WinEvent], Exception
FullyQualifiedErrorId : NoMatchingLogsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
Does the user I authenticate with have to be in a specific group, or an administrator? Currently the user is in the "Event Log Readers" group. I have been searching on the internet, but I haven't been able to find the answer.
CodePudding user response:
The Security event log is secured to machine administrators only.
As you've added your account to the "Event Log Readers" group, you need to add the "BUILTIN\Event Log Readers" group to the following registry key permissions:
HKLM\System\CurrentControlSet\Services\Eventlog\Security
This key only
Query Value, Enumerate Subkeys, Notify, Read Control
On a domain you can do this using group policy to cover all machines:
Group Policy Object Editor: Computer Configuration > Policies > Windows Settings > Security Settings
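The registry permission change described in the answer, as a scripted, added example (not code from the question or the answer): it grants BUILTIN\Event Log Readers the four listed rights on the Security log's registry key, on that key only, and then lets you check the result. The function names, the idempotency check and the remote read test are my own additions; the script assumes it is run in an elevated PowerShell session on the machine whose Security log is being read (192.168.1.176 in the question), not on the collector.

```powershell
# Added example: grant BUILTIN\Event Log Readers read access to the Security
# log's registry key, "This key only", as the answer above describes.
# Run elevated on the target host. Function names are this example's own.

$KeyPath   = 'SYSTEM\CurrentControlSet\Services\EventLog\Security'
$Principal = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Event Log Readers')
# Query Value, Enumerate Subkeys, Notify, Read Control
# (ReadPermissions is the .NET name for the "Read Control" right)
$Rights    = [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys, Notify, ReadPermissions'

function Get-SecurityLogKeyRule {
    # Returns the explicit (non-inherited) Allow ACEs for the principal on the key, if any
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath)
    if (-not $key) { throw "Registry key HKLM\$KeyPath not found" }
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.IdentityReference.Value -eq $Principal.Value -and
                $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
            }
    } finally { $key.Close() }
}

function Grant-SecurityLogKeyRead {
    # Skip the write if an existing ACE already covers all four rights
    $existing = Get-SecurityLogKeyRule |
        Where-Object { ($_.RegistryRights -band $Rights) -eq $Rights }
    if ($existing) { Write-Verbose 'Event Log Readers already has the required rights'; return }

    # Open the key with only the access needed to read and rewrite its DACL
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $KeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if (-not $key) { throw "Registry key HKLM\$KeyPath not found" }
    try {
        # Only the DACL is fetched and written back; owner and SACL are left untouched
        $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        # InheritanceFlags None / PropagationFlags None = "This key only" in the dialog
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $Principal, $Rights,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

function Test-SecurityLogRemoteRead {
    # Run this from the collector host with the Event Log Readers account's credential.
    # -ErrorAction Stop turns Get-WinEvent's non-terminating errors into a catchable failure.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    try {
        $ev = Get-WinEvent -LogName Security -ComputerName $ComputerName -Credential $Credential `
                           -MaxEvents 1 -ErrorAction Stop
        return [bool]$ev
    } catch {
        Write-Warning $_.Exception.Message
        return $false
    }
}

# On the target host (elevated):
Grant-SecurityLogKeyRead -Verbose
Get-SecurityLogKeyRule | Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# Then from the collector, as the Event Log Readers user (hypothetical usage):
# Test-SecurityLogRemoteRead -ComputerName 192.168.1.176 -Credential (Get-Credential)
```

Two points worth checking before relying on this: the grant adds read-only rights (no SetValue, no WriteKey), so the group cannot alter log configuration through the key; and the check in Test-SecurityLogRemoteRead is the same Get-WinEvent call the question uses, so if it still fails with "Attempted to perform an unauthorized operation", the problem lies elsewhere than this key.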