Permission denied writing to event log from global.asa after night

• Previous message: ripp: "RE: only access to ftp for administrator's group"
• Next in thread: WenJun Zhang[msft]: "RE: Permission denied writing to event log from global.asa after night"
• Reply: WenJun Zhang[msft]: "RE: Permission denied writing to event log from global.asa after night"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 30 Aug 2005 07:41:06 -0700

As a reference to the post "Permission denied when writing to eventlog from
global.asa" posted on 6/27/2005. Nobody seems to monitor that post anymore so
I post a new one.

We have an .asp-application running on a Win2003 SP1 with IIS that the user
access using their IE-browser on their XP-clients member of our AD-domain.
The applcation logs to the Event Log when the user performs specific actions
using the following code:
    var WshShell = Server.CreateObject("WScript.Shell");
    WshShell.LogEvent(strMsgLvl, strLogMsg);

It seems like it uses the actual user accessing the .asp-pages to write to
the event log. At first we just got an errormessage in the Application log:
Event Type: Warning
Event Source: Active Server Pages
Event Category: None
Event ID: 9
Date: 2005-06-27
Time: 08:34:02
User: N/A
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/18856186/Root/global.asa Line 52 Permission denied. .

What we did then was to change the Security Identifier of the Event Log
(HKLM/System/CurrentControlSet/Services/EventLog/Application) to allow
Built-In Guests and the SID for Domain Users to write to the event
logApplication Log. So the total key is:
O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0002;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;;S-1-5-21-1235689106-1791386253-4322286387-513)

And that works and it logs whatever we want but only until the night and the
next morning it has stop working and we get the Permission Denied error in
the Application log instead.

But if I check the registry key, it's intact and nothing has changed. If I
just reboot the server, logging starts working again until the next night and
so on. We don't have any changes made to the OS during the night but we do
manage security settings using GPOs and if I check the event log what have
happened during the night I can see a message "Security policy in the Group
policy objects has been applied successfully." But I've tried, after reboot
when logging works again, to do a gpupdate /force but logging continues to
work properly, again until the night when it stops working again. I can't
find any other messages in the event log that has anything to do with this.

Any ideas?

• Previous message: ripp: "RE: only access to ftp for administrator's group"
• Next in thread: WenJun Zhang[msft]: "RE: Permission denied writing to event log from global.asa after night"
• Reply: WenJun Zhang[msft]: "RE: Permission denied writing to event log from global.asa after night"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]