Re: Cannot open log for source {0} -- again
From: Nicole Calinoiu (calinoiu)
Date: 04/07/05
- Next message: Shaun Wilde: "Re: client certificates"
- Previous message: Joseph MCAD: "Re: Declaration of myPrincipal"
- In reply to: Craig Wagner: "Re: Cannot open log for source {0} -- again"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Apr 2005 14:57:03 -0400
"Craig Wagner" <craig_d_wagner@hotmail.com> wrote in message
news:ukfa51dvep3bfd5cmfrk0547rvo3p9j1ii@4ax.com...
> "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote:
<snip>
> So when you said that writing to the event log from a web app wasn't a
> good idea, what you really meant was writing to the default application
> event log wasn't a good idea.
Writing to a custom event log incurs less overall risk than writing to the
default application log, but I still wouldn't consider it to be a
particularly wonderful approach for many situations.
> Now what if there are no other apps running on the server? This is the
> only application.
I suspect that you might have other applications (e.g.: IIS) writing to the
application event log on your server.
>>That's fine if only your application (and/or others that also require the
>>same logging permissions) are run under this account. However,
>>applications
>>that cannot be trusted to write to the log should not run under an account
>>with logging permissions.
>
> Agreed. But every application running on the server is an in-house
> developed application, so they can all be trusted to write to the log and,
> in fact, we want them logging a subset of their activities and unhandled
> exceptions should they occur for troubleshooting and debugging purposes.
Today, every application meets these criteria. Tomorrow, something new may
be installed.
> We could mitigate some of the potential for abuse by having each
> application (assuming there was more than one at some point) write to a
> different custom event log I suppose. But it seems to me the bottom line
> from this thread is that we just keep moving or mitigating the potential
> for trouble.
Yup. Personally, I would probably choose an alternate mechanism for
tracking application events. However, it's really a risk-management issue
more than anything else, and nobody else can specify your level of risk
tolerance for you....
> And I purposely used the term "potential" twice, because we're a very
> targeted site used by our clients only. Yes, someone could stumble on it
> and try to be a *** and bring it down, but we're hardly worth the effort.
> We've had no incidents in the past five years. Sure, ignorance is no
> defense, and it isn't the only thing we do to take steps to protect
> ourselves, but we also need to weigh potential against complexity.
As a trade-off between complexity and security, why not at least have all
your in-house apps write to a single custom log rather than the main
application event log? Besides avoiding the possibility of filling the main
log, you'll also gain the advantage of having all your applications' events
isolated in a single file that doesn't need to be filtered to eliminate
"noise" from other applications.
>
> --
> Craig Wagner, craig.wagner(at)comcast.net
> Portland, OR
>
> "Don't ban high-performance vehicles, ban low-performance drivers!"
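As an added illustration of the single-custom-log approach suggested above (example code, not from either poster; the log name "InHouseApps" and the source name "OrdersWeb" are assumed), this separates the one-time, privileged registration of the event source from the unprivileged run-time write:

```csharp
using System;
using System.Diagnostics;

// Added example, not code from the thread. Log and source names are assumed.
public static class AppEventLog
{
    const string LogName = "InHouseApps"; // assumed custom log shared by in-house apps
    const string Source = "OrdersWeb";    // assumed per-application source name

    // Run once under an administrative account (e.g. from an installer).
    // CreateEventSource registers the source under the EventLog service key in
    // HKLM, which the web application's own account should not be allowed to do.
    // Note: SourceExists can throw SecurityException for non-admin callers
    // because it has to scan every log's registry key, including Security.
    public static void Install()
    {
        if (!EventLog.SourceExists(Source))
        {
            EventLog.CreateEventSource(new EventSourceCreationData(Source, LogName));
        }
    }

    // Called by the application at run time. With the source already registered,
    // the account only needs write access to the custom log, not to the default
    // Application log. If the source were NOT registered, WriteEntry would try to
    // register it on the fly and fail with "Cannot open log for source" when the
    // account lacks the registry rights.
    public static void WriteError(string message, Exception ex)
    {
        using (var log = new EventLog(LogName) { Source = Source })
        {
            log.WriteEntry(message + Environment.NewLine + ex,
                           EventLogEntryType.Error, 1000);
        }
    }
}
```

Keeping registration in the installer rather than in application code is what lets the run-time account stay restricted to writing the custom log.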