Event Logging Security

Event Logging Security

The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the "manage auditing and security log" user right). For more information, see Privileges.

Only the Local Security Authority (Lsass.exe) has write permission for the Security log. No other account can request this privilege. To write an event to the Security log, use the AuthzReportSecurityEvent function.

Access to the Application log, the System log, and custom logs is restricted. The system grants access based on the access rights granted to the account under which the thread is running. The following table shows which types of access are required by the event logging functions.

Access rightDescription
ELF_LOGFILE_CLEAR (0x0004)Required by ClearEventLog.
ELF_LOGFILE_READ (0x0001)Required by OpenBackupEventLog and OpenEventLog.
ELF_LOGFILE_WRITE (0x0002)Required by RegisterEventSource.


Use the CustomSD registry value to configure the security of the Application log, the System log, and custom logs. For more information, see Eventlog Key.

Windows XP/2000:  The following table describes the access rights granted for each account on each log.

ApplicationAdministrators (system)XXX
Administrators (domain)XXX
LocalSystem XXX
Interactive userXX
SystemAdministrators (system)XXX
Administrators (domain)XX
Interactive userX
CustomAdministrators (system)XXX
Administrators (domain)XXX
Interactive userXX


To grant access to the members of the Guest account, change the following registry value:




Community Additions

© 2015 Microsoft