Home > Administration, Event Logging, Share Point, SharePoint 2010 > SharePoint: Cannot open log for source. You may not have write access.

SharePoint: Cannot open log for source. You may not have write access.

    In our SharePoint applications we actively use writing into Application Event Log. After adding a new Windows 2008 Server R2 machine to our SP 2010 farm, we was getting the exception “System.ComponentModel.Win32Exception: Access is denied” with the description “Cannot open log for source {*}. You may not have write access.” Apparently, the given error is caused by writing to log when it’s called under an ordinary user with limited rights, who, however, can view web pages. I tried to provide Authenticated Users group with Full Control to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog] registry key, with no success though.

The workaround is add or modify the magic CustomSD value under the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application]. So,

  1. Open Registry Editor (click Start, then Run, then type regedit and click Ok);
  2. Locate the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application] key in the registry tree;
  3. If the CustomSD value doesn’t exist, create it (right click on Application key, then click New -> String Value and set CustomSD name). Then set value data to O:BAG:SYD:(A;;0×3;;;AU) (right click on CustomSD, then click Modify, type the O:BAG:SYD:(A;;0×3;;;AU) and click Ok). The result should look as shown on the picture below:
    Create CustomSD Value
  4. If the CustomSD value already exists, append (A;;0×3;;;AU) to the value data (right click on CustomSD, then click Modify, type the (A;;0×3;;;AU) at the end of value data and click Ok). After appending, the resultant value data would be similar to:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0x f0007;;;SY)(A;;0×7;;;BA)(A;;0×7;;;SO)(A;;0×3;;;IU)(A;;0×3;;;SU)(A;;0×3;;;S-1-5-3)(A;;0×3;;;AU)

The CustomSD registry value describes which accounts have the read/write/clear permissions to Application Event Log. The format of the value data corresponds to Security Descriptor Definition Language (SDDL), so (A;;0×3;;;AU) consists of

  • 0×3 – ELF_LOGFILE_WRITE (0×2) & ELF_LOGFILE_READ (0×1), the access rights to the EventLog;
  • AU – Authenticated Users group;

It looks funny that direct giving permissions for Authenticated Users group haven’t had effect, while the EventLog‘s security is controlled by the CustomSD registry value.

Update: If a web application supports anonymous access, you’d better replace AU in (A;;0×3;;;AU) with WD, where WD is Everyone or a group that includes all users. So, the final version in this case is (A;;0×3;;;WD).

Related posts:
  1. johnz
    November 12th, 2015 at 14:32 | #1

    Thanks a lot for the detailed explanation!!
    In 2015 you are saving lifes!! :)

  1. No trackbacks yet.