IIS7: Web Application writing to Event Log generates Security Exception

Ever tried to write to the Application Event Log from a web application running on Windows Server 2008 / IIS7? Well, I just tried that and spent about an hour figuring out how to ‘allow’ the web application to write to the Event Log.

Using the following snippet in my code:

EventLog evtLog = new EventLog();
evtLog.Source = "DEMO.Web";
evtLog.WriteEntry("TEST");

(in an ASP handler class with the .ashx extension) resulted in:

Server Error in ‘/DEMO/test’ Application.

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.
Exception Details: System.Security.SecurityException: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

Stack Trace:
[SecurityException: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.]
System.Diagnostics.EventLog.FindSourceRegistration(String source, String machineName, Boolean readOnly) +563
System.Diagnostics.EventLog.SourceExists(String source, String machineName) +264
System.Diagnostics.EventLog.VerifyAndCreateSource(String sourceName, String currentMachineName) +84
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +377
System.Diagnostics.EventLog.WriteEntry(String message) +36
DEMOProject.Web.DEMO.ProcessRequest(HttpContext context) in D:\Development\DEMO.ashx.cs:25
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +599
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

I searched for a while until I found this one here:

Network Service is allowed to write to the Event Log, but not create an event source. You could give permissions to HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\ to allow it to create – but if you’ve already created it at install time, there’s no need.

It’s possible that it’s failing on the SourceExists as well – since that requires enumerating the same registry key. I’d probably just remove the SourceExists/Create check and trust that it’s there – if you’re anonymous, you can’t create it anyway.

So I just added the Network Service account to the EventLog key, granting Full Control for the key and all of its subkeys.

Path is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

Now we’re almost done. Don’t forget to create the corresponding Application-Event-Source-Whatever-Key! The key is named after the event source and goes under the EventLog\Application subkey; in this example it is named: DEMO.Web

Now try it again; logging to Event Manager should work fine.
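
The advice quoted above (register the source at install time so the web application never has to create it) can be scripted. The following is an added example, not part of the original post: it assumes Windows PowerShell 2.0 or later (where New-EventLog and Write-EventLog are available), an elevated prompt, and this post's source name DEMO.Web; the event ID 1000 and the message text are constructed. It also lists any explicit Network Service entries on the EventLog key so the grant can be reviewed.

```powershell
# Added example (not from the original post). Run elevated, at install time.
$Source    = 'DEMO.Web'       # event source name used in this post
$LogName   = 'Application'
$LogRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$SourceKey = Join-Path (Join-Path $LogRoot $LogName) $Source

# Registering a source writes under HKLM, so stop early when not elevated.
$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Test the one key we care about instead of calling SourceExists(), which
# searches every log (including Security) and is the call that failed in
# the stack trace above.
if (Test-Path -Path $SourceKey) {
    Write-Host "Source '$Source' is already registered under $LogName."
} else {
    New-EventLog -LogName $LogName -Source $Source
    Write-Host "Registered source '$Source' under $LogName."
}

# Smoke test: write one entry with the new source (constructed ID and text).
Write-EventLog -LogName $LogName -Source $Source -EntryType Information `
    -EventId 1000 -Message 'DEMO.Web event source registered.'

# Review: list explicit (non-inherited) ACL entries for Network Service
# (well-known SID S-1-5-20) on the EventLog key and on each log below it.
$sidType = [Security.Principal.SecurityIdentifier]
$keys = @(Get-Item -Path $LogRoot) + @(Get-ChildItem -Path $LogRoot)
foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath
    $acl.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-20' } |
        Select-Object @{n='Key';e={$key.Name}}, RegistryRights, AccessControlType
}
```

An empty result from the last loop means Network Service has no explicit rights on those keys.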

18 thoughts on “IIS7: Web Application writing to Event Log generates Security Exception”

  1. Thanks a lot. That helped! Hmm Windows environment becomes more and more complicated

  2. Can we do this with a C# program? I guess adding a new key shouldn’t be a problem,
    e.g.
    Registry.LocalMachine.CreateSubKey(@"SYSTEM\CurrentControlSet\Services\eventlog\Application\your website");

    But how to grant full access to Network Service for the eventlog folder?

  3. Referred to the link below to add the source key to the registry.
    http://www.codeproject.com/Articles/18072/Allow-your-ASP-NET-to-Access-your-Resources
    Added it as a self-installing program.

    using System.Configuration.Install;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Reflection;

    [RunInstaller(true)]
    public class YourEventLogInstaller : Installer
    {
        private EventLogInstaller YourEventLogInstallerlog;

        public YourEventLogInstaller()
        {
            // Create an instance of 'EventLogInstaller'.
            YourEventLogInstallerlog = new EventLogInstaller();
            // Set the 'Source' of the event log to be created.
            YourEventLogInstallerlog.Source = "Your Website";
            // Set the 'Event Log' that the source is created in.
            YourEventLogInstallerlog.Log = "Application";
            // Add YourEventLogInstallerlog to the 'InstallerCollection'.
            Installers.Add(YourEventLogInstallerlog);
        }

        public static void Main()
        {
            // Run the installers in this assembly ("/i" = install).
            ManagedInstallerClass.InstallHelper(new string[] { "/i", Assembly.GetExecutingAssembly().Location });
        }
    }

    Once the key is added as part of the install activity, we wouldn’t have an issue writing to the registry.

  4. This finally got it to work for me, but one part could have been a little clearer. At the end of the article, you say not to forget the “Application-Event-Source-Whatever-Key”. I didn’t quite understand that.
    In the eventlog\Application area, add a key with the name of the “source” in your call to EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234);
    Still, it was this article that got it to work for me. Thanks much. Miguelito

  5. Thanks for putting this information out there…it works like a charm. I was able to get it to work for Network Service acct, but not for the authenticated user acct. I made the same changes that you suggested above, except I made them on the authenticated user acct, but it’s not working. Any thoughts on how I can get this to work on authenticated users?

  6. I’d like to thank you for the efforts you have put in writing this blog. I really hope to see the same high-grade content from you in the future as well. In truth, your creative writing abilities have motivated me to get my own site now 😉
