Scenario: Writing to the event log on Windows Server 2008 through my C# code. However I’m getting access denied errors when attempting to write events…
It’s an ASP.NET application written in C#. The application pool user is not the Network Service.
Create an event source. This event source is what my application will write errors to. It means I can filter errors in the event log that are caused by my application alone.
Change the permissions allowing the domain user (who is not the Network Service) to write to the event log.
Create an Event Source
There are lots of tools that can create an event source; the following is some VBScript that creates one…
Const EVENT_TYPE_SUCCESS = 0
Const EVENT_TYPE_ERROR = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4
Const EVENT_TYPE_AUDITSUCCESS = 8
Const EVENT_TYPE_AUDITFAILURE = 16

Function MakeEvent()
    Dim objEvent
    Set objEvent = ScriptContext.CreateEvent()
    objEvent.EventSource = "MyApplication"
    objEvent.EventNumber = 4444
    objEvent.EventType = EVENT_TYPE_WARNING
    objEvent.LoggingDomain = "DOMAIN1"
    objEvent.SourceDomain = "DOMAIN1"
    Set MakeEvent = objEvent
End Function
Here's the C# equivalent:
public static void Main ()
Access to Write to Event log
Open Cmd prompt as admin.
Type: C:\>wevtutil gl application > C:\temp\out.txt
This writes the Application event log's configuration, including its security descriptor, to the given text file.
Open the generated C:\temp\out.txt file in Notepad
It looks a little bit like this:
The line you’re interested in is the “channelAccess”. (The wonderful Windows SDDL – Security Descriptor Definition Language).
You need to add (append) the following to the end of the line: (A;;0x3;;;AU)
– This gives write/read access (the “0x3” bit) to Authenticated Users (AU).
You then need to apply the updated setting…
C:\>wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;AU)
You can check the change by:
C:\>wevtutil gl application > C:\temp\updatedout.txt
And you’ll see the change in the channelAccess line.
The more eagle eyed amongst you (and you’d need to be eagle eyed to spot this) will notice that the registry location:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application now has an additional entry, CustomSD, holding the updated channelAccess string. This entry only appears if the default configuration is changed, i.e. as I have done by granting Authenticated Users write access.
Important Info: This only applies because the application user is not the NetworkService, but a domain user. The NetworkService user is already part of the approved list, so you won’t need to apply these steps.
If you would like to prevent authenticated users from writing to the event log, and would prefer to lock down security further, you can follow the process above, but rather than giving access to all authenticated users, you can grant access to specific users by adding their SID (security ID) to the channel access list instead. VBScript to find SID for a user.
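The following is an added example, not code from the original post: a Python helper that parses a channelAccess string, reports broad groups that hold write access, and builds the string for the per-SID grant described above. The SID is a constructed placeholder, the function names are hypothetical, and only hex access masks (as in the post's string) are handled.

```python
import re

WRITE = 0x2  # event log access bits: 0x1 read, 0x2 write, 0x4 clear
# Well-known SDDL aliases that cover very large groups of accounts.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone",
         "BU": "Built-in Users", "AN": "Anonymous"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# channelAccess from the post's wevtutil command, without and with the
# appended Authenticated Users ACE.
DEFAULT = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)"
           "(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
           "(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)")
WITH_AU = DEFAULT + "(A;;0x3;;;AU)"
# Constructed placeholder SID, not a real account.
EXAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

def parse_aces(sddl):
    """Return [(ace_type, mask, trustee)] from the DACL; hex masks only."""
    start = sddl.find("(")
    if start < 0 or "D:" not in sddl[:start]:
        raise ValueError("no DACL found in SDDL string")
    bodies = re.findall(r"\(([^()]*)\)", sddl[start:])
    if "".join("(%s)" % b for b in bodies) != sddl[start:]:
        raise ValueError("unexpected text between ACEs")
    aces = []
    for body in bodies:
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces

def broad_writers(sddl):
    """Broad aliases that an allow ACE lets write to the log."""
    return [t for kind, mask, t in parse_aces(sddl)
            if kind == "A" and mask & WRITE and t in BROAD]

def grant_to_sid(sddl, sid, mask=0x3):
    """Append an allow ACE for one SID, unless it already has the rights."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    for kind, have, trustee in parse_aces(sddl):
        if kind == "A" and trustee == sid and (have & mask) == mask:
            return sddl
    return "%s(A;;%s;;;%s)" % (sddl, hex(mask), sid)
```

The string returned by grant_to_sid is what would be passed to wevtutil sl Application /ca: in place of the version ending in (A;;0x3;;;AU).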