开发者

Cannot open log for source {0} on Windows 2003 Server

I am having a huge problem with the eventlog on my server. Right let me first of all explain the setup.

  • I have a domain setup with 2 computers
  • One computer is running IIS the other is a workstation. The IIS is running Win2k3 the workstation Win XP.
  • The IIS computer is hosting a website which uses Windows Impersonation and tries to log an entry to the eventlog for a custom log file called MyApp and a custom event source MySource
  • I have a domain user called MyUser who is just a member of Domain Users.
  • Single Sign On is working 100% because I can write out the logged in user to the page fine.

When I visit the IIS page from the workstation I get one of the following messages (sometimes I get the first sometimes the second)

1) The handle is invalid
2) Cannot open log for source 'MySource'. You may not have write access.

So to try and fix this I have tried all of the following:

Granted the Everyone user FullControl to C:\windows\system32\config\MyApp.evt file

Granted the everyone user FullControl to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog

In the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp\CustomSD I appended the following string (A;;0x0002;;;AU), (the reason for this can be read here http://fgheysels.blogspot.com/2008/01/cannot-open-log-for-source-0-on-windows.html)

I am now totally out of ideas of how to fix this. Has anyone else come across this and have you t开发者_JAVA技巧ried anything else.


The error, as you seem to have found already, relates to writing to event sources or creating them. I would suggest you try the following.

You did not indicate if the event source exists in the registry or weather the .evt files ware created by the system or if you put them on the machine, so it is hard to determine at which point you are stuck.

You also did not mention if this works on some developer's machine, in which case you can compare the registries and even create the keys manually if you have to.

  1. Have a look under ...\Eventlog if a key for your log has been created (MyApp?).
  2. Have a look in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp. There should be a key called Sources. Does your source appear in here?

If these entries do not exist the error is that your user does not have permissions to create the custom log and source.

In the error message it should indicate a ThreadIdentity parameter, which should indicate which user account it is attempting to use to do this. You can also open the permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog and query the "Effective Permissions" for this particular user to ensure it effectively really has full control.

Try granting full control to the entire directory C:\windows\system32\config\ and not just the .evt file as the system needs to create some additional files here as well.

Lastly you can try and enable anonymous access to the website and run it as the machine/Domain administrator user once so all the keys get created before setting it back to the way you like it. You could also try enabling impersonation in the web.config file to ensure that it is not running without a windows identity. These ones you should all be able to undo once the correct keys and files have been created.

Let us know what you find after this and we can take it further.


Well after many hrs of trying to solve this I appear to have a solution which works.

First of all I had to allow the Authenticated Users group write access to the event log. I advice you backup your registry before continuing.

  1. Run regedit
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
  3. Open the subkey which matches the EventLog you are writing to (so I will pick Application)
  4. On the right you will see the registry strings, locate one called CustomSD
  5. Right click and modify it.
  6. Append to the end (A;;0x2;;;AU) (I will explain this later)
  7. Save the changes (I don't know if you need to reboot or not)

So that will mean Authenticated Users can write to the Application event log. I needed to apply one more change.

  1. Open the Domain GPO or local computer GPO
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights > Assignments > Manage auditing and security log
  3. Go to its Properties window
  4. Select Define these policy settings
  5. Add the Administrator group
  6. Add the Authenticated Users group
  7. Save and do a gpupdate /force for the affected computer.

That is the only way I could get it to allow my website users to write to the event log.

I mentioned in part 1 step 6 I would explain the string we added. Please see this page for more details http://support.microsoft.com/kb/323076

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜