Reading event log remotely with Get-EventLog in Powershell

Question

I've a powershell script which runs on server(test-server) and reads the log file of his client(DC1).

Both sides can ping to each other.
On both sides, firewalls are disabled.

Remote Desktop and Remote Assistance are enabled on DC1.

Get-EventLog System -ComputerName test-server -Source Microsoft-Windows-Winlogon # WORKS
Get-EventLog System -ComputerName DC1 -Source Microsoft-Windows-Winlogon # DOESN'T WORK

I run this script on test-server. As you see when I read the local log file on test-server it works fine but if I try to read the log file of DC1 remotely I get the error "Get-EventLog : The network path was not found.".

Screenshot of the error: enter image description here

How can I avoid this error and read the log file of DC1 from test-server with using Get-EventLog?

Lack of permissions?Can you execute 'dir \\dc1\c$' from test server? — Shay Levy, May 28 '13 at 11:30
@Shay Levy I just tried it. I get the directory list, so I can. — Korki Korkig, May 28 '13 at 11:32
@Shay Levy It's getting strange. `Get-Service -ComputerName DC1` gave me a long list without any error, so this works too I assume. — Korki Korkig, May 28 '13 at 12:00
What do you get for: Get-EventLog System -ComputerName DC1 ? — Shay Levy, May 28 '13 at 12:56
Is DC1 a Windows XP machine? http://tediousscripts.blogspot.nl/2009/01/powershell-geteventlog-on-windows-xp.html — Lars Truijens, May 28 '13 at 18:33
Is the remote registry service enabled on DC1? http://paragonwindows.wordpress.com/2012/03/01/how-to-open-event-log-of-remote-computer-using-powershell/ — Lars Truijens, May 28 '13 at 18:34
@Lars Truijens, Yes that did the trick, it works now! I've set this service 'Automatic'. Thank you! — Korki Korkig, May 29 '13 at 07:31

score 14 · Accepted Answer · edited Sep 23 '16 at 14:12

14

@Lars Truijens's suggestion solved my issue. But other suggestions are also important to check.

So, here is the checklist if you get this kind of error when you try to get log files remotely:

Disable or set firewall settings on both sides.
Enable Remote Desktop and Remote Assistance on client machine.
Can you ping to the client machine?
Run dir \\dc1\c$ to see that you are allowed to reach to the harddisk. (@Shay Levy's suggestion)
Run Get-Service -ComputerName YOURCOMPUTERNAME to see that you are allowed to reach to the services. (@Shay Levy's suggestion)
Start the Remote Registry service. (@Lars Truijens's suggestion and this made it work for me)

Here is the screenshot of this solution: SolutionScreenshot

edited Sep 23 '16 at 14:12

Yannick Meeus

5,643
1
35
34

answered May 29 '13 at 07:28

Korki Korkig

2,736
9
34
51

1

The firewall is perhaps necessary, but the remote registry was the key. sc \\ config remoteregistry start=demand sc \\ start remoteregistry Those two commands will get you going – Takophiliac Nov 19 '19 at 17:14
For Powershell: `Get-Service -Name RemoteRegistry -ComputerName | Set-Service -StartupType Automatic` (because it's probably disabled) and then `Get-Service -Name RemoteRegistry -ComputerName | Start-Service` to start it – duct_tape_coder Dec 31 '20 at 19:15

score 11 · Answer 2 · edited Jun 20 '20 at 09:12

Starting the RemoteRegistry service did not help in my case.

Apparently, there is a difference between the remoting that is accessed via the ComputerName parameter in some cmdlets such as Get-Service and the newer form of remoting accessed with cmdlets such as Invoke-Command.

Since traditional remote access is implemented by individual cmdlets, it is inconsistent (uses different techniques and demands different requirements) and available only in selected cmdlets. The technology used for remote access can vary from cmdlet to cmdlet and is not readily known to you. Each cmdlet uses whatever remoting technology its author chose. Most cmdlets use Remote Procedure Call (RPC), but might also require additional services and settings on the target system.

Beginning in Windows PowerShell 2.0, there is an alternate and more universal way of accessing remote systems: Windows PowerShell Remoting. With this type of remoting, Windows PowerShell handles remote access for all commands. It transfers your commands to the remote system using the relatively new and highly configurable WinRM service, executes the code in a separate session that runs on the remote system, and returns the results to the calling system.

http://powershell.com/cs/media/p/7257.aspx

When I swapped from this command

get-eventlog -LogName System -computername <ServerName>

to this

invoke-command {get-eventlog -LogName System} -ComputerName <ServerName>

I no longer got the following error

get-eventlog : The network path was not found.

(oops: I downvoted this totally by mistake - and now my vote is locked - I was actually trying to upvote it) :-/ — monojohnny, Apr 11 '16 at 14:32
@monojohnny I edited the question - you should be able to change your vote now. — default, Apr 13 '16 at 13:32
Invoke-Command is executed with WinRM while Get-Eventlog does not (I think maybe uses the Remote Registry service given the above answers?) — duct_tape_coder, Dec 31 '20 at 19:20

Reading event log remotely with Get-EventLog in Powershell

2 Answers2

Linked