Event Logging Security

The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the "manage auditing and security log" user right). For more information, see Privileges.

Only the Local Security Authority (Lsass.exe) has write permission for the Security log. No other account can request this privilege. To write an event to the Security log, use the AuthzReportSecurityEvent function.

Access to the Application log, the System log, and custom logs is restricted. The system grants access based on the access rights granted to the account under which the thread is running. The following table shows which types of access are required by the event logging functions.

Access right Description
ELF_LOGFILE_CLEAR (0x0004) Required by ClearEventLog.
ELF_LOGFILE_READ (0x0001) Required by OpenBackupEventLog and OpenEventLog.
ELF_LOGFILE_WRITE (0x0002) Required by RegisterEventSource.

 

Use the CustomSD registry value to configure the security of the Application log, the System log, and custom logs. For more information, see Eventlog Key.

Windows XP/2000: The following table describes the access rights granted for each account on each log.

Log Account Read Write Clear
Application Administrators (system) X X X
Administrators (domain) X X X
LocalSystem X X X
Interactive user X X
System Administrators (system) X X X
Administrators (domain) X X
LocalSystem X X X
Interactive user X
Custom Administrators (system) X X X
Administrators (domain) X X X
LocalSystem X X X
Interactive user X X

 

To grant access to the members of the Guest account, change the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Log\RestrictGuestAccess