views:

905

answers:

4

I'm writing to the windows event log using C#. I can set every field visible in the mmc.exe "Computer Management" tool, except for the User field.

The client application is ASP.NET and uses forms authentication.

public static void WriteOnce()
{
    EventLog log = new EventLog("MyApp");
    if (!EventLog.SourceExists("MySource"))
    {
        EventSourceCreationData data = new EventSourceCreationData("MySource", "MyApp");
        EventLog.CreateEventSource(data);
    }
    log.Source = "MySource";
    log.WriteEntry("Hello World", EventLogEntryType.Information,123,456,new byte[]{1,2,3});
}

UPDATE: I checked, in ASP.NET even if set identity impersonation=true & authentication=windows and still no user.

I also checked, in a console app, no user.

+2  A: 

Well the user is the current user your AppDomain is running as. This cannot be set and Windows won't allow you to "spoof" another user.

Andrew Hare
But it doesn't event log any user, spoofed or otherwise.
MatthewMartin
+2  A: 

The user name in the Event Log is based on the context in which your application is running. It cannot be explicitly set. If this is an ASP.NET application, it may be using the service account.

EDIT: I found a similar question. It proposes using the Win32 Api ReportEvent function in order to set the user information.

Jose Basilio
I think the context gets ignored all together for my sample code. If I could get the logger to use the context, I'd be happy.
MatthewMartin
Check out this similar question: http://stackoverflow.com/questions/147307/-net-how-to-set-user-information-in-an-eventlog-entry
Jose Basilio
+1  A: 

System.Diagnostics allows your ASP.NET application direct access to the Windows Event log. Since your application is an ASP.NET app, you can use

HttpContext.Current.User.Identity.Name

to get the current username (in this case will be Form Auth token since you're using Forms Authentication).

Jonathan
A: 

I found a blog entry that explains how to do it, although there doesn't seem to be a completely managed way to do it. To capture the user Id, you have to use pinvoke/native method calls.

http://www.infosysblogs.com/microsoft/2007/09/logging_events_with_user_detai_1.html

For the above, it logs the user as ASPNET or NETWORK SERVICES, or the logged in user for console apps. The api call itself takes a pointer parameter to a SID. I didn't try to see if spoofing was possible.

JPucket may be right, that the only way to get the ID of a forms authenticated user in the System Event Log is via the message field.

MatthewMartin