I'm writing to the Windows event log using C#. I can set every field visible in the mmc.exe "Computer Management" tool, except for the User field.
The client application is ASP.NET and uses forms authentication.
    using System.Diagnostics;

    public static void WriteOnce()
    {
        EventLog log = new EventLog("MyApp");
        // Register the source under the custom "MyApp" log on first use
        if (!EventLog.SourceExists("MySource"))
        {
            EventSourceCreationData data = new EventSourceCreationData("MySource", "MyApp");
            EventLog.CreateEventSource(data);
        }
        log.Source = "MySource";
        // Arguments: message, type, event ID, category, raw data
        log.WriteEntry("Hello World", EventLogEntryType.Information, 123, 456, new byte[] { 1, 2, 3 });
    }
UPDATE: I checked in ASP.NET: even with identity impersonation=true and authentication=windows set, there is still no user.
I also checked in a console app: no user.
Well, the user is the current user your AppDomain is running as. This cannot be set and Windows won't allow you to "spoof" another user.
The user name in the Event Log is based on the context in which your application is running. It cannot be explicitly set. If this is an ASP.NET application, it may be using the service account.
EDIT: I found a similar question. It proposes using the Win32 API ReportEvent function in order to set the user information.
System.Diagnostics allows your ASP.NET application direct access to the Windows Event log. Since your application is an ASP.NET app, you can use HttpContext.Current.User.Identity.Name to get the current username (in this case it will be the Forms Auth token since you're using Forms Authentication).
I found a blog entry that explains how to do it, although there doesn't seem to be a completely managed way to do it. To capture the user ID, you have to use P/Invoke/native method calls.
http://www.infosysblogs.com/microsoft/2007/09/logging_events_with_user_detai_1.html
For the above, it logs the user as ASPNET or NETWORK SERVICES, or the logged-in user for console apps. The API call itself takes a pointer parameter to a SID. I didn't try to see if spoofing was possible.
JPucket may be right, that the only way to get the ID of a forms authenticated user in the System Event Log is via the message field.
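The approach the answers describe, as an added example that is not code from the original posts or the linked blog: a P/Invoke call to the Win32 ReportEvent function that passes the SID of the Windows account the code is running as, with the forms-authentication name carried in the message text. It assumes the source "MySource" is already registered as in the question; the class name UserEventLog, its Write method and the sample name "alice" are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class UserEventLog   // hypothetical helper, not part of any library
{
    private const ushort EVENTLOG_INFORMATION_TYPE = 0x0004;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern IntPtr RegisterEventSource(string lpUNCServerName, string lpSourceName);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool ReportEvent(IntPtr hEventLog, ushort wType, ushort wCategory,
        uint dwEventID, byte[] lpUserSid, ushort wNumStrings, uint dwDataSize,
        string[] lpStrings, byte[] lpRawData);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool DeregisterEventSource(IntPtr hEventLog);

    // appUser: application-level name, e.g. HttpContext.Current.User.Identity.Name; may be null.
    public static void Write(string source, uint eventId, string message, string appUser)
    {
        // SID of the Windows account this code runs as (the service account, or the
        // impersonated caller when impersonation is active on this thread).
        SecurityIdentifier sid = WindowsIdentity.GetCurrent().User;
        byte[] sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);

        // A forms-authentication name has no SID, so it is recorded in the message text.
        string text = string.Format("{0} [app user: {1}]", message, appUser ?? "(anonymous)");

        IntPtr handle = RegisterEventSource(null, source);
        if (handle == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            if (!ReportEvent(handle, EVENTLOG_INFORMATION_TYPE, 0, eventId, sidBytes,
                             1, 0, new[] { text }, null))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        finally { DeregisterEventSource(handle); }
    }

    public static void Main()
    {
        // "alice" is a constructed sample value standing in for the forms-auth user name.
        Write("MySource", 123, "Hello World", "alice");
    }
}
```

When reviewing such entries, treat the User column as the process or impersonated Windows account and the name in the message as an application-supplied value.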