Monthly Archives: November 2021

Setting up Windows to read events from remote computers over a local network.

Reading event logs from remote computers is crucial for network audit. Both Event Log Explorer and Windows Event Viewer applications allow the system administrators to read event logs remotely. However sometimes (mainly in no Active Directory environment) sysadmins have problems with accessing remote event logs. In this article, I’ll explain how to setup Windows to make event logs accessible over a network.

As a rule, you don’t need to change anything on your client computer (the computer on which you run Event Log Explorer or Windows Event Viewer). All the changes should be done on the audited computer.

First, you need to set up the firewall.

Run Windows application: Windows Defender Firewall with Advanced Security.

Select Inbound rules for your profile

Enable the following inbound rules:

  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)
  • Remove Event Monitor (RPC)
  • Remote Event Monitor (RPC-EPMAP)

Note that these settings are applied locally. If you run Active Directory and want to change these settings globally, you can do it in a similar way using Group Policy Management Editor.

Next, if you have a serverless network, you should check sharing and security model for local accounts.  Open Local Security Policy, select Local Policies->Security Options in the left pane and make sure that the policy “Network access: Sharing and security model for local accounts” is set to Classic – local users authenticate as themselves.

Finally, you should grant permission to read event logs to your users. In no Active Directory environment, you can use Computer Management. In AD use Active Directory Users and Computers console.

Select the user under Local Users and Groups (or under your domain users). Double click on it to display Properties and select Member Of. Click Add and type Event Log Readers.

That’s all. If you modified Group Policy settings, you should apply your changes (e.g. by using gpupdate command).

Now you can start Event Log Explorer or Windows Event Viewer and open remote event logs.

Download Event Log Explorer right now and check the benefits it brings compared to Windows Event Viewer.

Facebooktwitterredditpinterestlinkedinmail