How to fetch Windows Event logs Remotely


Windows Event logs on Windows Servers are an integral part of the day-to-day tasks of Information Technology (IT) staff and security professionals. They mostly help in looking for suspicious activity and security violations. Getting access to Event logs on a local PC is easy. However, we will also need access to these logs on remote computers (servers and workstations). In those cases, we can use the Event Viewer tool to connect to Event logs remotely.
Note: As long as the necessary permissions are granted on both the native (local) and target machines, the logs will be fetched without any issues. These permissions depend on how the two machines are related to each other (e.g. part of a domain) and how we prefer to grant them (e.g. manually, via Group Policy, etc.).

How to connect to Remote Machine:

– Log in to the native computer as Administrator.
– Open either the Run dialog or a Command Prompt, enter eventvwr, and hit OK.
– In the Event Viewer console, click Action and select “Connect to Another Computer”.
– We can simply paste the IP of the machine or, if our machine is part of a domain, click Browse and search for the machine by name.
– Now we should check the option “Connect as another user” and pass in the AD credentials, if any are present for the target machine, for authentication.

Once we are connected, we can use native PowerShell commands like “Get-EventLog” with various parameters to fetch the kind of logs we need. Microsoft has a very nice reference for these command parameters at https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1. If you are automating this process or running a ps1 file with the help of Task Scheduler, passing the full PC name with the domain address (personal advice) makes it easier to connect in a multi-tiered network architecture.

Invoke-Command -ComputerName DC-1-test.myadtest.example.com -ScriptBlock { Get-EventLog -LogName System -Newest 100 }

Troubleshooting: It’s not always a sunny day when we are dealing with remote computers and fetching event viewer logs. Below is an example:

This error generally comes up when the proper firewall rules are missing and the required services are not enabled or running. As a remedy, we should enable “COM+ Network Access (DCOM-In)” in Windows Firewall and enable/start the services related to the Remote Event Log Management group.

For Firewall -> Run command control firewall.cpl > Advanced Settings > Inbound Rules > Enable COM+ Network Access (DCOM-In)

Enable the below 3 rules as well:
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)

For Services -> We should make sure the below ones are running on the target machine.
Run command services.msc -> Enable the below services:

Remote Registry service
Remote Desktop and Remote Assistance
Routing and Remote Access
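
To see which of these prerequisites are actually missing before enabling anything, the read-only check below can be run in an elevated PowerShell session on the target machine. It is an added example, not part of the original post; matching “Remote Desktop and Remote Assistance” with the display-name pattern 'Remote Desktop*' is an assumption.

```powershell
# Added example: read-only readiness check for remote Event Log access.
# Run elevated ON THE TARGET machine. Nothing is enabled or started here.

# Inbound firewall rules named in the troubleshooting steps above.
$ruleNames = @(
    'COM+ Network Access (DCOM-In)',
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)'
)

# Services named above, matched by display name.
# Assumption: "Remote Desktop and Remote Assistance" is matched as 'Remote Desktop*'.
$servicePatterns = @('Remote Registry', 'Routing and Remote Access', 'Remote Desktop*')

$report = @(
    foreach ($name in $ruleNames) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Kind = 'FirewallRule'; Name = $name; State = 'NotFound'; Ready = $false }
        }
        foreach ($r in $rules) {
            # One display name can map to several rules (one per firewall profile).
            [pscustomobject]@{
                Kind  = 'FirewallRule'
                Name  = "$($r.DisplayName) [$($r.Profile)]"
                State = "Enabled=$($r.Enabled)"
                Ready = ($r.Enabled -eq 'True')
            }
        }
    }
    foreach ($svc in Get-Service -DisplayName $servicePatterns -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Kind  = 'Service'
            Name  = $svc.DisplayName
            State = "$($svc.Status) / $($svc.StartType)"
            Ready = ($svc.Status -eq 'Running')
        }
    }
)

# Show everything, then list only the items that still need attention.
$report | Sort-Object Kind, Name | Format-Table -AutoSize
$report | Where-Object { -not $_.Ready } | Select-Object Kind, Name, State
```

Rows with Ready = False are the only items that need changing; everything else can be left as it is.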


Further advanced troubleshooting involving Regedit should only be attempted with a proper registry backup. Link: https://www.wintips.org/fix-computer-cannot-be-connected-you-must-enable-com-network-access-in-windows-firewall/

Reference Links:
https://social.microsoft.com/Forums/en-US/2b4c84b1-e653-4a9f-b7bb-7f0d85e4920d/event-viewer-cannot-connect-to-computer-computer-namethe-rpc-server-is-unavailable?forum=writergeneral
https://www.zubairalexander.com/blog/unable-to-access-event-viewer-on-a-remote-computer/#:~:text=Go%20to%20Control%20Panel%20%2D%3E%20System,Remote%20Event%20Log%20Management%20group.
