Writing ASP.NET errors to the NT Applicaion Event Log

[Graham Harris]

I have some code that presents the user with an error if my web
application errors. I would like to write the same information to the
NT Application Event log. The problem is that Windows 2003 Server does
not allow IIS ASP.NET to write to the event log. What do I need to do
to allow this?

TIA

Graham Harris

 

[Dominick Baier [DevelopMentor]]

Hello Graham,


in w2k3 you can set ACLs on Event Logs - this is done by using an SDDL (Security
Descriptor Description Language).

The default for the Application Log is

O:BAG:SYDD;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)
(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

(nice, eh?)

found under : HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services\Eventlog\Application\CustomSD


this basically means service accounts/admins have read/write - no one else

you can find more info on SDDL via
http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp

and more info on how to change that settings:
http://msdn.microsoft.com/library/en-us/dncode/html/secure06122003.asp

 

[Brad]

Our aspx apps write to the Application event log on w2k3 server and we
didn't have to change anything. Are you by chance trying to specify the
Source property of the event? If so, you basically want to create the
Source value as a valid event source in advance. Once you do that it should
work without any permission changes.

 

[Dominick Baier [DevelopMentor]]

Hello Brad,

it all depends under which account your app is running - as you can see,
Service Accounts are allowed to write to the Application Log - but not custom
accounts, by default.

But it is true - you cannot create an Event Source as non admin.

Write a little console app the pre-creates it and run it as admin.