Event log write permissions

Scenario: writing to the event log on Windows Server 2008 from my C# code. However, I'm getting access denied errors when attempting to write events…

It's an ASP.NET application written in C#. The IIS application pool user is not the Network Service.

Plan:

Create an event source. This event source is what my application will write errors to, which means I can filter the event log down to errors caused by my application alone.

Change the permissions allowing the domain user (who is not the Network Service) to write to the event log.

Create an Event Source

There are lots of tools that can create an event source; the following is some VBScript that creates one…

' Event type constants used by the event object below.
Const EVENT_TYPE_SUCCESS = 0
Const EVENT_TYPE_ERROR   = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4
Const EVENT_TYPE_AUDITSUCCESS = 8
Const EVENT_TYPE_AUDITFAILURE = 16

' Builds an event tagged with the "MyApplication" source.
' ScriptContext is supplied by the hosting script environment
' (it is not a global object in a plain cscript.exe run).
Function MakeEvent()
    Dim objEvent

    Set objEvent = ScriptContext.CreateEvent()

    objEvent.EventSource = "MyApplication"   ' the source name to filter on
    objEvent.EventNumber = 4444              ' application-specific event ID
    objEvent.EventType = EVENT_TYPE_WARNING
    objEvent.LoggingDomain = "DOMAIN1"
    objEvent.SourceDomain = "DOMAIN1"

    Set MakeEvent = objEvent
End Function

Here is the C# equivalent:

using System;
using System.Diagnostics;

class MainClass
{
  public static void Main ()
  {
    // Registering a source writes under
    // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog,
    // so run this once with administrative rights rather than from the
    // application pool identity.
    if (!EventLog.SourceExists("MyApplication"))
    {
      // Register "MyApplication" as a source in the Application log.
      EventLog.CreateEventSource("MyApplication", "Application");
    }
  }
}

Access to Write to Event log

Open a command prompt as admin and type:

C:\>wevtutil gl application > C:\temp\out.txt

This writes the configuration of the Application event log, including its security descriptor, to the given text file.

Open the generated C:\temp\out.txt file in Notepad

It looks a little bit like this:

name: application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\application.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:

The line you're interested in is "channelAccess", which is written in the wonderful Windows SDDL (Security Descriptor Definition Language).

You need to append the following to the end of that line: (A;;0x3;;;AU)

This gives read and write access (the 0x3 mask, i.e. 0x1 read plus 0x2 write) to Authenticated Users (AU).

You then need to apply the updated setting…

C:\>wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;AU)

Done.


You can check the change by:

C:\>wevtutil gl application > C:\temp\updatedout.txt

And you’ll see the change in the channelAccess line.
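As an added example (my code, not the post's), here is a small Python helper that parses the channelAccess SDDL shown above, lists which principals can write to or clear the log, and appends the Authenticated Users grant without duplicating it. It assumes rights are hex masks as wevtutil prints them and ignores ACE flags, which is all this descriptor uses.

```python
import re

# Access-mask bits for an event log channel: read, write, clear.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# ACE grammar: (type;flags;rights;object_guid;inherit_guid;sid).
# Assumption: rights are hex masks, as wevtutil prints them in this post.
ACE_RE = re.compile(r"\(([AD]);([^;]*);0x([0-9a-fA-F]+);([^;]*);([^;]*);([^)]+)\)")

def parse_dacl(sddl):
    """Return (type, mask, sid) for every ACE in the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in descriptor")
    return [(t, int(mask, 16), sid)
            for t, _flags, mask, _obj, _inh, sid in ACE_RE.findall(m.group(1))]

def principals_with(sddl, right):
    """SIDs that an allow ACE grants `right` to and no deny ACE takes it from."""
    allowed, denied = set(), set()
    for ace_type, mask, sid in parse_dacl(sddl):
        if mask & right:
            (allowed if ace_type == "A" else denied).add(sid)
    return sorted(allowed - denied)

def grant(sddl, sid, mask):
    """Append an allow ACE for `sid`, unless one already covers `mask` (idempotent)."""
    for ace_type, m, s in parse_dacl(sddl):
        if ace_type == "A" and s == sid and m & mask == mask:
            return sddl
    return sddl + "(A;;0x%x;;;%s)" % (mask, sid)

def channel_access(wevtutil_text):
    """Extract the channelAccess descriptor from `wevtutil gl <log>` output."""
    for line in wevtutil_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "channelAccess":
            return value.strip()
    raise ValueError("channelAccess line not found")

# Constructed sample: the Application log descriptor quoted in this post.
WEVTUTIL_OUTPUT = """name: application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
"""

if __name__ == "__main__":
    before = channel_access(WEVTUTIL_OUTPUT)
    after = grant(before, "AU", READ | WRITE)
    print("can write:", principals_with(before, WRITE), "->", principals_with(after, WRITE))
    print("wevtutil sl Application /ca:" + after)
```

Feed it the out.txt and updatedout.txt captures to confirm that the only difference between the two descriptors is the AU entry.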


The more eagle-eyed amongst you (and you'd need to be eagle-eyed to spot this) will notice that the registry location:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application

now has an additional CustomSD entry holding the updated channelAccess descriptor. This entry only appears once the default configuration has been changed, as I have done here by granting Authenticated Users write access.

Important: this only applies because the application pool user is a domain user rather than NetworkService. NetworkService is already on the approved list, so in that case you won't need to apply these steps.

Further Reading:
If you would rather not let all authenticated users write to the event log and prefer to lock security down further, you can follow the process above but, instead of granting access to all authenticated users, grant it to specific users by adding their SID (security identifier) to the channel access list. VBScript to find SID for a user.

Ta

Padda

About jpadda

Technical Consultant specialising in Microsoft Azure technologies and DevOps.
This entry was posted in Windows Administration.

8 Responses to Event log write permissions

  1. Pingback: Granting a (domain) user write permission to the event log - PITS-online

  2. Wladimir Mutel says:

    In 0x3, you have a non-ASCII letter 'x'. So it needs to be corrected after copying and pasting into the command line.

    • Sam says:

      That's just stupid WordPress that "thinks it knows better" and converts characters so they look better, including but not limited to ' " x – and more.

  3. Jedaba says:

    Yup, missing three zeros between x and 3; it should be: (A;;0x0003;;;AU)
    Great helpful info, thanks for this post.

  4. Jedaba says:

    More info about entry meanings on MSDN: http://support.microsoft.com/kb/2028427

  5. Pingback: How to trigger a Scheduled Task on a remote computer using VB | Desmond Oshiwambo

  6. Pingback: Run a Rule On-Demand | Practice to Perfect

  7. baskiDevOPS says:

    Cool. Worked like a charm. I had manually provided the permission to the registry entry, but that did not help. However, using wevtutil has done the job!
