
I am trying to read an exported evtx event log file in an Azure Function. I receive the file content as a byte array and then write to a temporary file. I then try to create an instance of EventLogReader from the Microsoft.Extensions.Logging.EventLog package as follows:

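    using System.Diagnostics.Eventing.Reader;
    using System.IO;
    // Write the received bytes to a temporary .evtx file, then open it by path.
    string tempfile = Path.GetTempFileName();
    string fileout = Path.ChangeExtension(tempfile, ".evtx");
    File.WriteAllBytes(fileout, eventLogData);
    var eventLog = new EventLogReader(fileout, PathType.FilePath);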

The EventLogReader fails with the exception:

    System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
       at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
       at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
       at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)

Is there any way to get around this? I assume it should not need additional user privileges to read an event log from a file, and so it can be used from an Azure Function. If not, is there a way to read the evtx file directly from a stream instead of a file path?

robhurry
  • What is the file path? I suspect your function app may not have permission to the file path. – Cindy Pau Feb 16 '21 at 03:09
  • @BowmanZhu The file path is d:\local\Temp\{somecharacters}.evtx. The WriteAllBytes succeeds so I assumed that reading it would be ok as well and I don't know of another way to initialize the EventLogReader without a filepath. – robhurry Feb 16 '21 at 08:36

0 Answers