Re: How to enable event logging IIS 5.1

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 07/26/05


Date: Tue, 26 Jul 2005 23:00:30 +1000

Hi Jeffrey,

Please just answer the question - *how* are you writing these events to the
Application log? Are you using some ASP.NET code? A COM object? etc. *IIS*
does not natively do this logging for you. You need to have some code that
does it. And, depending on what the code is, you may need to tweak
permissions so that the user context that the code is running under has
permissions to write to the relevant log. For example, in Windows 2003
Server, ASP.NET runs as NT AUTHORITY\Network Service (by default) but on
Windows XP/IIS5.1 ASP.NET runs as Machine\ASPNET by default.

Cheers
Ken

-- 
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Jeffrey Exconde" <j.exconde@fincad.com> wrote in message 
news:%23A$ZF9SkFHA.3960@TK2MSFTNGP12.phx.gbl...
: Here is what I meant in Windows 2003 event logging. But it is not working in
: IIS 5.1 Windows XP
:
:
: Here is the link
: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure06122003.asp
:
: Tighter ACLs on Event Logs
: We also tightened up the ACLs on the event logs to restrict what accounts
: can read and write to the logs. Better still, the security of each log is
: configured locally through the values in the following registry key:
:
: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
: For example, the Application log Security Descriptor is configured through
: the following registry value:
:
: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
: And the System log Security Descriptor is configured through the following:
:
: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD
: The Security Descriptor for each log is specified by using Security
: Descriptor Definition Language (SDDL) syntax. The following is an example
: from the Application event log:
:
: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)
: (A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
: Quick, what is this ACL in English? You can read about SDDL at
: http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp.
: This string means:
:
:      Entry Meaning
:      O:BA Object owner is Built-in Admin (BA).
:      G:SY Primary group is System (SY).
:      D: This is a DACL, rather than an audit entry or SACL.
:      (D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
:      (D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
:      (A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE,
: READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
:      (A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
:      (A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
:      (A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
:      (A;;0x3;;;SU) Allow Service accounts READ and WRITE.
:      (A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.
:
: The specific event log access mask bits are:
:
:      0x0001 ELF_LOGFILE_READ Permission to read log files.
:      0x0002 ELF_LOGFILE_WRITE Permission to write log files.
:      0x0004 ELF_LOGFILE_CLEAR Permission to clear log files.
:
: The only time you should see a failure in your application when writing to
: the event log is because of an ACL issue. Please do not relax the ACL too
: much. Add your own ACE to the SDDL string and then restart the Event Log
: service. For example, if your process runs under an account MyAccount, that
: has the SID S-1-5-21-853885456-2109860151-3743179773-1190, and you want the
: process to write to the Application log, simply add this string to the SDDL
: string in the registry:
:
: (A;;0x2;;; S-1-5-21-853885456-2109860151-3743179773-1190)
:
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:ulp1wj4jFHA.3692@TK2MSFTNGP09.phx.gbl...
: > IIS does not natively log logons to the Application Log.
: >
: > If you change the local security policy (Start -> Run -> secpol.msc) you can
: > change the options for Windows Logon/Logoff event auditing. This will log
: > events to the Security log.
: >
: > However, if you are doing some custom logging to the Application event log
: > (e.g. through your own custom COM object), then you need to enable this.
: >
: > Cheers
: > Ken
: >
: > -- 
: > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > Web: www.adopenstatic.com
: >
: >
: > "Jeffrey Exconde" <j.exconde@fincad.com> wrote in message
: > news:uz%238ZVyjFHA.4000@TK2MSFTNGP12.phx.gbl...
: > : We have an application that used IIS. And when someone logs in to our website
: > : it writes something to the application log and we used it for debugging.
: > :
: > : Sorry, I am not talking about iis log.
: > :
: > : Thanks
: > :
: > :
: > : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: > : news:%23TFVRbnjFHA.3784@tk2msftngp13.phx.gbl...
: > : > Can you explain what you mean by "event logging"? What do you want to log?
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > -- 
: > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > : > Web: www.adopenstatic.com
: > : >
: > : >
: > : > "Jeffrey Exconde" <j.exconde@fincad.com> wrote in message
: > : > news:ejpT2VkjFHA.3540@TK2MSFTNGP14.phx.gbl...
: > : > : Hi,
: > : > :
: > : > : How do you enable event logging in IIS 5.1
: > : > :
: > : > : Thanks
: > : > :
: > : > :
: > : >
: > : >
: > :
: > :
: >
: >
:
: 
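
Added example (not part of the original thread or the quoted MSDN article): a small Python parser for the Application log CustomSD string quoted above. It decodes each ACE into named rights and appends the write-only ACE the article describes; the function names are illustrative, and only the simple `(type;;mask;;;trustee)` ACE form shown in the thread is handled.

```python
import re

# Event-log access bits from the quoted article, plus the standard rights in 0xf0000.
RIGHTS = {0x1: "READ", 0x2: "WRITE", 0x4: "CLEAR", 0x10000: "DELETE",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
ACE_RE = re.compile(r"\(([AD]);;(0x[0-9a-fA-F]+);;;([^)]+)\)")
SID_RE = re.compile(r"S-1-\d+(-\d+)+$")

# The Application log example from the quoted article (wrapped over two lines there).
EXAMPLE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
              "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")

def parse_custom_sd(sddl):
    """Split a CustomSD string into owner, group and (type, mask, trustee) ACEs."""
    sddl = "".join(sddl.split())          # drop line wraps and stray spaces
    m = re.match(r"O:(.+?)G:(.+?)D:((?:\([^)]*\))+)$", sddl)
    if not m:
        raise ValueError("not an O:..G:..D:(ace)... string")
    aces = [(t, int(mask, 16), who) for t, mask, who in ACE_RE.findall(m.group(3))]
    if len(aces) != m.group(3).count("("):
        raise ValueError("unsupported ACE form in DACL")
    return {"owner": m.group(1), "group": m.group(2), "aces": aces}

def rights(mask):
    """Names of the bits set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def can_write(sddl, trustee):
    """True if an allow ACE for this exact trustee includes ELF_LOGFILE_WRITE."""
    return any(t == "A" and who == trustee and mask & 0x2
               for t, mask, who in parse_custom_sd(sddl)["aces"])

def add_write_ace(sddl, sid):
    """Append a write-only allow ACE for one SID string, if not already present."""
    if not SID_RE.match(sid):
        raise ValueError("expected a SID string (S-1-...), not an alias or name")
    clean = "".join(sddl.split())
    parse_custom_sd(clean)                # refuse to edit a string we cannot parse
    return clean if can_write(clean, sid) else clean + "(A;;0x2;;;%s)" % sid

if __name__ == "__main__":
    for t, mask, who in parse_custom_sd(EXAMPLE_SD)["aces"]:
        print("Allow" if t == "A" else "Deny ", who.ljust(8), ", ".join(rights(mask)))
    print(add_write_ace(EXAMPLE_SD, "S-1-5-21-853885456-2109860151-3743179773-1190"))
```

`can_write` only reports explicit allow ACEs for the exact trustee string; it does not resolve group membership or evaluate deny ACEs.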

