Can't access remote EVT Log file: "Access Denied"
Last post Jun 14, 2005 12:38 PM by Anonymous
Oct 20, 2004 12:42 PM|anonymous|LINK
I managed to write a query to parse Event Logs on my local machine, and my query looks like:
"SELECT * FROM
\\<LOCAL_MACHINE_NAME>\Application WHERE TimeGenerated >= '10/20/2004 9:44:00' AND TimeGenerated <= '10/20/2004 11:44:00'"
When instead of LOCAL_MACHINE_NAME I plug REMOTE_MACHINE_NAME I keep receiveing error message:
CLogQueryClass: Error 80070005: Execute: error executing query: Cannot open : Error opening event log "REMOTE_MACHINE_NAME\Application": Access is denied. [ Access is denied. ]
Is there anything wrong with my query?
EVT input format
Oct 21, 2004 12:36 PM|anonymous|LINK
The query is totally fine, the problem is with authentication.
1. What user are you running as on the Log Parser box?
2. Is this user recognized on the remote box? Are you in a domain?
3. Are you running this in a script or in an asp page?
Jun 07, 2005 02:02 PM|anonymous|LINK
I am having the same issue...
I am running the query from the aspx page and use whatever the default user. I think is iuser or aspnet.
what authentication should I set.. I am on a domain..
Jun 08, 2005 01:40 PM|anonymous|LINK
If what you need to do it parse the local event logs, you need to enable NTLM authentication.
What event logs do you need to parse from the asp page? System/Security/Application?
Jun 13, 2005 02:21 PM|anonymous|LINK
I would like to parse all logs (System, Application, Security)... also IIS logs on the same server... I would like to run the aspx application on a saparate IIS server ( for example, my local server) but access and monitor all the other logs on the other
production servers ( Currently I have about a dozen of other servers, some have IIS and some don't) Is this possiple?.. and what is NTLM authentication?.. Do you have any further suggestions
I need this really bad...
Thank for your help...
Jun 14, 2005 12:38 PM|anonymous|LINK
Well, if you want an IIS box to access logs (Event Logs or IIS logs) on a remote box, the thing gets hairy.
What you need to work on is called delegation. When a user makes a request to IIS and provides credentials, the IIS server
impersonates that user in everything it does. However, by default, that impersonation is not "good enough" to hop onto another box - in other words, if the aspx page is impersonating "TestUser1", when the aspx page tries to access another box, the
other box does not see the aspx page a "TestUser1" but rather as the IIS app pool account (usually the NETWORK SERVICE account of the IIS box). 'Delegation' is a Windows mechanism that allows the aspx page to be seen as "TestUser1" by other boxes.
So, you either have to set the IIS apppool to run with a domain account, or you need to enable delegation. There's a whitepaper about delegation somewhere on microsoft.com.
Sorry I can't help more than this, this topic is mostly an IIS-admin issue :-)