
I have two ASP.NET web applications and in both I use EventLog.WriteEntry with a custom source name to write custom events to the application log.

Both on my programming machine and on the webserver this works in one of the applications; in the other it doesn't, and I get a security exception:

[SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.]

I am wondering why this happens; both web applications are identical (as far as I can see). The only difference from a security point of view is the authentication mode: one uses Forms (there EventLog.WriteEntry works) and one uses Windows (here it doesn't work). Can this be the reason?

Giving "everyone" read access to the application log doesn't change this behavior.

  • Do both web apps run under the same app pool? If not, then do both app pool accounts have the same level of access to the machine/logs? – Stinky Towel Oct 11 '16 at 16:56
  • Yes, both use the same app pool, that was what confused me. The reason it worked for one was that I chose an existing source name - see my comment below... – Jan Kniffka Oct 12 '16 at 07:58

1 Answer

Your problem in Windows authentication mode is essentially similar to these problems:

System.Security.SecurityException when writing to Event Log

System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.

The exception means that your web app tried to write to the event log using a value given as "source" which has not been registered, due to insufficient privileges on the corresponding account.

When using Windows authentication mode to perform event log tasks, you need to give read permission to the NETWORK SERVICE account on the eventlog\Security key. Below are the steps to do this:

  1. Open Regedit (Registry Editor).
  2. Go to HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security
  3. Right click the branch, select "Permissions".
  4. Click "Add", find RDN named NETWORK SERVICE or type it directly, then add the account.
  5. Under "Permissions for Network Service", check "Read" or "Full Control" to give the read permission, then apply the change.
  6. Restart your application pool on IIS host.

If it is still not enough, do the actions below:

  1. Open IIS Manager. Check the Identity column in the Application Pools section; it should show LocalSystem or NetworkService.

  2. When you need to change Identity, right click the application pool with Windows authentication, choose Advanced Settings.

  3. Under Process Model, change ApplicationPoolIdentity to LocalSystem or NetworkService, apply your edit and restart the application pool.

NB: The NetworkService identity is preferred over LocalSystem for security reasons.

Also you may try setting <trust level="Full" /> in the web.config file, depending on security considerations.

If all solutions above still don't work, set Visual Studio on the development machine or the deployed app on the web server to run with administrator privileges, gaining full access to the Windows authentication event log. After all, it is up to you to ensure that proper security measures are applied.

Tetsuya Yamamoto
  • Lol, I just realized that I accidentally chose an existing source name for my custom source. So that’s why it worked for one application and not for the other. In the end I just created both custom source names as sub keys under HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application and it works without changing the App pool identity or the permissions on the registry keys. Thanks for your help though! – Jan Kniffka Oct 12 '16 at 07:52
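The root cause discussed above is an unregistered event source: EventLog.WriteEntry tries to register the source on the fly, and that registration needs to scan all logs, including Security, which the app pool account cannot read. The following is an added example (not code from the question or the answer) showing the split a practitioner would want: register the source once at deployment time with elevated rights, and have the web app only write to an already registered source, so the app pool never needs registry permissions or a LocalSystem identity. The class and method names EventSourceInstaller, EnsureSource, SafeEventLog and TryWrite are assumptions of this example.

```csharp
using System;
using System.Diagnostics;
using System.Security;

// Deployment-time step, run once with elevated rights (for example from an installer
// or deployment script). This is what creates the sub key under
// HKLM\SYSTEM\CurrentControlSet\services\eventlog\<log> that the comment above
// describes adding by hand.
public static class EventSourceInstaller
{
    public static void EnsureSource(string source, string log = "Application")
    {
        // SourceExists searches every log, including Security, and throws
        // SecurityException when the caller cannot read one of them; that is the
        // exception reported in the question when this runs inside the worker process.
        if (!EventLog.SourceExists(source))
        {
            EventLog.CreateEventSource(new EventSourceCreationData(source, log));
        }
    }
}

// Runtime helper for the web application: write only if the source is registered,
// never try to create it from the worker process, and degrade gracefully instead
// of failing the request when the account lacks permission.
public static class SafeEventLog
{
    public static bool TryWrite(string source, string message, EventLogEntryType type)
    {
        try
        {
            // An unregistered source would make WriteEntry attempt registration,
            // which is the path that produces the SecurityException in the question.
            if (!EventLog.SourceExists(source))
            {
                return false;
            }
            EventLog.WriteEntry(source, message, type);
            return true;
        }
        catch (SecurityException)
        {
            // Account cannot search or write the log; report failure to the caller
            // so it can fall back to another log sink rather than crashing.
            return false;
        }
    }
}
```

A source created by EnsureSource may not be usable until the Event Log service has picked up the new registry key, so register it before the application pool is started rather than during the first request.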