Sunday, March 26, 2006

Allowing impersonated accounts to write to your custom event log

Here's a little tidbit of information that I've had lying around for a while that I thought I'd share. .NET lets us easily create our own custom event logs with:
EventLog.CreateEventSource(source, logname)
As long as you're an administrator running this code, it will create a custom event log. On a Windows 2003 machine only interactive users, services, batch accounts, admins, and server operators can read and write to this log. If you have components impersonating a least-privileged user account, then you will not be able to write to your event log. There are a couple of ways I know of to fix this: you can allow any authenticated user write access to your log, or you can allow the specific user SID write access. Open up the registry editor to your event log CustomSD key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\MyLogName\CustomSD
To allow all authenticated users write access add the following security permission:
(A;;0x0002;;;AU)
To allow a specific user write access you would specify their SID:
(A;;0x0002;;;SID-OF-USER-ACCOUNT)
For more information see Development Impacts of Security Changes in Windows Server 2003.
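Editing CustomSD by hand works, but a script makes it repeatable and lets you validate the descriptor before it is written. The following PowerShell is an added example, not code from the original post: it resolves an account name to its SID (or accepts a well-known SDDL abbreviation such as AU or a raw S-1-... string), appends a write-only ACE (0x0002) to the existing CustomSD of the named log, refuses to touch a log that has no CustomSD at all (appending to nothing would replace the default ACL with a single ACE), and parses the result with the .NET SDDL parser before saving it. The log name and account are placeholders you supply.

```powershell
# Added example (not from the original post): grant one account write-only
# access to a custom event log by appending an SDDL ACE to its CustomSD value.
param(
    [Parameter(Mandatory)][string]$LogName,   # e.g. 'MyLogName' (placeholder)
    [Parameter(Mandatory)][string]$Account    # 'DOMAIN\svc_app', 'AU' or 'S-1-5-...' (placeholder)
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
if (-not (Test-Path $key)) { throw "Event log '$LogName' is not registered" }

# Accept a well-known two-letter SDDL alias (AU, BA, SY, ...) or a literal SID;
# otherwise resolve the account name to a SID so the ACE survives renames.
if ($Account -match '^[A-Z]{2}$' -or $Account -like 'S-1-*') {
    $sid = $Account
} else {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
}

# 0x0002 = ELF_LOGFILE_WRITE only: no read (0x0001) and no clear (0x0004),
# which is all an impersonated, least-privileged writer needs.
$ace = "(A;;0x0002;;;$sid)"

$current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ([string]::IsNullOrEmpty($current)) {
    # Writing a lone ACE here would drop every default permission on the log,
    # so start from the documented default descriptor instead of appending.
    throw "'$LogName' has no CustomSD value; set the full default descriptor first"
}
if ($current.Contains($ace)) {
    Write-Host "ACE $ace already present on '$LogName'; nothing to do"
    return
}

# Parse the candidate descriptor before touching the registry: a malformed
# SDDL string would otherwise leave the log with an unusable ACL.
$candidate = $current + $ace
$parsed = New-Object System.Security.AccessControl.RawSecurityDescriptor($candidate)

Set-ItemProperty -Path $key -Name CustomSD -Value $candidate

# Show the ACEs that now apply to this SID, read back from the registry.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(
          (Get-ItemProperty -Path $key -Name CustomSD).CustomSD)
$sd.DiscretionaryAcl |
    Where-Object { $_.SecurityIdentifier.Value -eq $sid } |
    Format-Table AceType, @{n='AccessMask';e={ '0x{0:X4}' -f $_.AccessMask }}, SecurityIdentifier
```

Run it from an elevated prompt, since only administrators can change the Eventlog registry key. The Event Log service reads CustomSD when it starts, so if the new permission does not take effect right away the service (or, on Windows Server 2003, the machine) needs a restart. Keeping the mask at 0x0002 is the point of the exercise: the impersonated account can append entries but cannot read other entries or clear the log, which is what you want when the writer is a low-privilege component.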

2 comments:

Anonymous said...

damn you're beautiful for a pc nerd.

I'll be back...don't worry!

Craig said...

Beth,

Good to know. However, many of the log reporting tools used by IT shops are not set up to report on custom logs, only the standard Application, Security, and System.