I am trying to implement a logging interface into my C# application that will log the events to "Windows Event Logging" locally or remotely. Locally there is no problem, as System.Diagnostics is an easy-to-use namespace.
However, doing it on a remote machine (logging to another machine's Windows logs) brings authentication and authorization issues, namely "Access is denied", which is pretty understandable, since it would be illogical to let everybody add logs.
I know that creating a new event folder and source can only be accomplished locally, which I have already done (let's call it "My Application"). I have also started the "Remote Registry" service.
For convenience, I've been testing the logging feature with the 'eventcreate' tool in order to deduce what is allowed and what is not, in a "Run as Administrator" cmd:
eventcreate /s myLogServer /id 999 /T Error /L "My Application" /so "My Application" /d "Log Test"
This naturally fails with "Error: Access is Denied". When I add
/u mydomain\myLogServer /p myPassword
then it works fine. However, naturally I don't want to give out myLogServer's admin credentials. I'd prefer to create a restricted user or, even better, use Windows authentication via the client machine (which is hopefully what happens when I don't enter any /u /p).
Question: How can I set it up so that only specified users can write logs to a specified log folder? I tried setting permissions on registry keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog..). I also tried setting permissions on the event log files (*.evtx).
Sub-question: Will I need to impersonate the specified user in C# code in order to get authorized, or is there a way to add authentication details to an EventLog object?
According to TechNet here:
In Windows Server® 2003, Windows Vista, and Windows Server® 2008, it is possible to customize the permissions on each event log on a computer. This capability was not available in previous versions of Windows. The access control list (ACL) is stored as a Security Descriptor Definition Language (SDDL) string, in a REG_SZ value called "CustomSD" for each event log in the registry.
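As an added example (not from the question or the TechNet article), the following PowerShell script shows how the CustomSD mechanism described above can be used to answer the question with least privilege: it appends a single write-only ACE for one group to the CustomSD string of the custom "My Application" log, instead of handing out the server's admin credentials. It assumes it is run elevated on the machine hosting the log, that the log name matches the registry key under Services\EventLog, and that the group SID shown is a placeholder to be replaced with the real one. The access-mask bits used (0x1 read, 0x2 write, 0x4 clear) are the ones documented for event log SDDL; the fallback base descriptor for a log that has no CustomSD yet is constructed here and should be reviewed before use.

```powershell
# Added example: grant one group write-only access to the "My Application"
# event log by appending an ACE to the log's CustomSD registry value.
# Run in an elevated PowerShell session on the log host (e.g. myLogServer).

$LogName  = 'My Application'
$GroupSid = 'S-1-5-21-0-0-0-1234'   # placeholder: SID of the group allowed to write
$RegPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Event log SDDL access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
# Only write is granted, so members cannot read or clear the log.
$NewAce = "(A;;0x2;;;$GroupSid)"

$current = (Get-ItemProperty -Path $RegPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) {
    # No CustomSD yet: start from a minimal constructed descriptor that keeps
    # SYSTEM (full control) and local Administrators (read/write/clear) in charge.
    $current = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
}

if ($current -like "*;;;$GroupSid)*") {
    Write-Host "An ACE for $GroupSid already exists in CustomSD; nothing changed."
} else {
    $updated = $current + $NewAce
    # Reject a malformed string before it reaches the registry: the constructor
    # throws if the SDDL does not parse as a security descriptor.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($updated)
    Set-ItemProperty -Path $RegPath -Name CustomSD -Value $updated -Type String
    Write-Host "CustomSD for '$LogName' is now: $updated"
}
```

Because the ACE is keyed on a group SID rather than a password, the remote client can keep authenticating as its own domain identity (no /u /p), and membership of that group is what decides who may write to the log. Keep the descriptor as narrow as the script does: granting 0x7 to the group would also let its members clear the log, which defeats the point of centralising it.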