We're currently trying to integrate existing classic ASP pages into our new method of logging to the event log. We're achieving this by calling a .NET assembly exposed as a COM object which does the actual logging to the event log. This all works correctly, however when we try to write to the event log we get an error "Cannot open log for source 'SourceName'. You may not have write access.". The logging code itself works when calling from an aspx page. This obviously appears to be a permissions problem with the IUSR_machinename account, however, from looking into a number of other related posts we've tried a number of solutions without any success.
- Editing HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/EventLog/Application/RestrictGuestAccess - setting this to 0
- Adding IUSR_machinename to local admin groups and removing the guest group
- Editing CustomSD and appending (A;;0x0002;;;AU) to the value here
The only success we have had is when using ASP.NET impersonation to use a newly created local admin account on the server. With this user it works, however, this is a workaround rather than solving the initial permissions problem. Is there anything else that we can try to get the permissions working with the IUSR_machinename account?
We managed to solve this problem in the end by giving guest users access to the event log. You can carry this out by adding (A;;0xf0002;;;BG) to the CustomSD or replacing (D;;0xf0007;;;BG) if it is present, and then setting RestrictGuestAccess to 0.
If you have impersonation set to true in the web config, the impersonated user will be the one trying to access the event logs. In this case you will need to grant access to authenticated users.
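The ACE strings quoted in the question and in the answer above can be decoded to see what each one grants. This is an added example, not code from any of the posts. The two descriptors are constructed samples built from the ACEs on this page, and it is an assumption that the anonymous IIS account's token carries the Built-in Guests (BG) SID.

```python
import re

# Event log access bits (read/write/clear) plus the standard rights in 0xf0000.
RIGHTS = {
    0x0001: "read", 0x0002: "write", 0x0004: "clear",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
WRITE = 0x0002
# Matches (type;flags;rights;object_guid;inherit_guid;trustee) with a hex mask.
ACE_RE = re.compile(r"\(([AD]);[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;([^;)]+)\)")

def parse_aces(sddl):
    """Return (is_allow, mask, trustee) for each ACE, in DACL order."""
    return [(t == "A", int(m, 16), sid) for t, m, sid in ACE_RE.findall(sddl)]

def granted(sddl, token_sids):
    """Walk the DACL in order: a bit already denied can no longer be allowed,
    and a bit already allowed can no longer be denied."""
    allowed = denied = 0
    for is_allow, mask, sid in parse_aces(sddl):
        if sid not in token_sids:
            continue
        if is_allow:
            allowed |= mask & ~denied
        else:
            denied |= mask & ~allowed
    return allowed

def names(mask):
    return [name for bit, name in RIGHTS.items() if mask & bit]

# Constructed sample: a guest deny ACE first, with the question's
# (A;;0x0002;;;AU) appended at the end.
APPENDED = "O:BAG:SYD:(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x0002;;;AU)"
# Constructed sample: the deny ACE replaced as the answer describes.
REPLACED = "O:BAG:SYD:(A;;0xf0002;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"

if __name__ == "__main__":
    anon = {"BG", "AU"}  # assumed group SIDs in the anonymous account's token
    print("appended AU ACE:", names(granted(APPENDED, anon)) or "no access")
    print("replaced BG ACE:", names(granted(REPLACED, anon)))
    extra = granted(REPLACED, anon) & ~WRITE
    print("rights beyond write granted to guests:", names(extra))
```

The walk shows that an allow ACE appended after an earlier deny ACE for a group in the same token has no effect, and that 0xf0002 gives guests DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER on the log in addition to the 0x0002 write bit.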
Got this solved by setting the impersonate tag in web.config to false: