Event Logging Security

Access to the event logs is determined by the account under which the application is running. The LocalSystem account is a special account that Windows NT services can use. The Administrator account consists of the administrators for the system. The Server Operator account (ServerOp) consists of the administrators of the domain server. The World account includes all users on all systems.

The following table shows which accounts are granted read, write, and clear access to each log.

Log           Account         Access
Application   LocalSystem     Read, Write, Clear
Application   Administrator   Read, Write, Clear
Application   ServerOp        Read, Write, Clear
Application   World           Read, Write
Security      LocalSystem     Read, Write, Clear
Security      Administrator   Read, Clear
Security      World           Read, Clear
System        LocalSystem     Read, Write, Clear
System        Administrator   Read, Write, Clear
System        ServerOp        Read, Clear
System        World           Read

In addition, users can read and clear the Security log if they have been granted one of the following:

The following table shows which types of access are required for each event logging function:

Function             Access Required
OpenEventLog         Read
OpenBackupEventLog   Read
RegisterEventSource  Write
ClearEventLog        Clear

As an example, OpenEventLog requires read access. A member of the ServerOp account can call OpenEventLog for the Application event log and the System event log, because ServerOp has read access for both of these logs. However, a member of the ServerOp account cannot call OpenEventLog for the Security log, because it does not have read access for this log.
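
To check the effective read access of the account a service or script runs under, the following added example (not part of the original page) calls OpenEventLog for each of the three logs and reports the Win32 error when the open is refused. The class name EventLogProbe and the method TryOpenForRead are hypothetical names chosen for this example; it assumes a Windows host with PowerShell.

```powershell
# Added example: probe which event logs the current account can open for read.
# EventLogProbe / TryOpenForRead are hypothetical names, not part of any Windows API.
$source = @'
using System;
using System.Runtime.InteropServices;

public static class EventLogProbe
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenEventLogW(string lpUNCServerName, string lpSourceName);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CloseEventLog(IntPtr hEventLog);

    // Returns 0 when the log opened, otherwise the Win32 error code.
    // The error is captured here, inside the wrapper, so that nothing
    // PowerShell does between calls can overwrite the thread's last error.
    public static int TryOpenForRead(string logName)
    {
        IntPtr handle = OpenEventLogW(null, logName);   // null = local computer
        if (handle == IntPtr.Zero)
        {
            return Marshal.GetLastWin32Error();
        }
        CloseEventLog(handle);
        return 0;
    }
}
'@
Add-Type -TypeDefinition $source

$account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($log in 'Application', 'Security', 'System') {
    $code = [EventLogProbe]::TryOpenForRead($log)
    $result = switch ($code) {
        0       { 'read access granted' }
        5       { 'denied (ERROR_ACCESS_DENIED)' }
        1314    { 'denied (ERROR_PRIVILEGE_NOT_HELD)' }
        default { "failed, Win32 error $code" }
    }
    [pscustomobject]@{ Account = $account; Log = $log; OpenEventLog = $result }
}
```

Running it under each service account of interest and comparing the output with the table above shows whether the deployed configuration matches the documented defaults.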