I am trying to read an exported evtx event log file in an Azure Function. I receive the file content as a byte array and then write it to a temporary file. I then try to create an instance of EventLogReader from the Microsoft.Extensions.Logging.EventLog package as follows:
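using System.Diagnostics.Eventing.Reader;
using System.IO;
// Write the received bytes to a temporary file with an .evtx extension.
string tempfile = Path.GetTempFileName();
string fileout = Path.ChangeExtension(tempfile, ".evtx");
File.WriteAllBytes(fileout, eventLogData);
// Open the exported log by file path; this constructor call throws the exception below.
var eventLog = new EventLogReader(fileout, PathType.FilePath);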
The EventLogReader fails with the exception:
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
Is there any way to get around this? I assume it should not need additional user privileges to read an event log from a file, and so it can be used from an Azure Function. If not, is there a way to read the evtx file directly from a stream instead of a file path?