
I am running an ASP.NET Core web server as a Windows service and am using Serilog to log to a file in %PROGRAMDATA%. When I run the service as Local System, nothing is logged.

I am using .Net Core 2.2 on Windows 10. I am testing by triggering an error in my service that writes a log event at the error level. I've tried running the service as my own administrative account and the logging works fine; the issue only occurs when running as Local System.

I have other Windows Services using .Net Framework that run as Local System and have no problem logging to %PROGRAMDATA% with Serilog, but this is the first time I have tried it on .Net Core. I can manually create and write to the log file within the service with Directory.CreateDirectory and File.AppendText and that works while running as Local System, but the Serilog logging does not.

Here is my Program.Main:

using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Hosting.WindowsServices;
using Serilog;

public class Program
{
    public static async Task Main(string[] args)
    {
        // Run as a Windows service unless a debugger is attached or --console is passed.
        var isService = !(Debugger.IsAttached || args.Contains("--console"));
        if (isService)
        {
            // The service control manager starts services with System32 as the working
            // directory, so point the content root at the executable's folder first.
            var pathToExe = Process.GetCurrentProcess().MainModule.FileName;
            var pathToContentRoot = Path.GetDirectoryName(pathToExe);
            Directory.SetCurrentDirectory(pathToContentRoot);
        }

        var host = WebHost.CreateDefaultBuilder(args.Where(arg => arg != "--console").ToArray())
            .UseStartup<Startup>()
            // Sinks, levels and file paths come from the "Serilog" section of appsettings.json.
            .UseSerilog((hostingContext, loggerConfiguration) => loggerConfiguration
                .ReadFrom.Configuration(hostingContext.Configuration)
                .Enrich.FromLogContext())
            .Build();

        // additional async initialization omitted

        if (isService)
        {
            host.RunAsService();
        }
        else
        {
            host.Run();
        }
    }
}

And here is the Serilog section of my appsettings.json:

"Serilog": {
  "MinimumLevel": {
    "Default": "Verbose",
    "Override": {
      "Microsoft": "Warning",
      "System": "Warning"
    }
  },
  "WriteTo": [
    {
      "Name": "File",
      "Args": {
        "path": "%PROGRAMDATA%/foo/bar baz/logs/qux.log",
        "fileSizeLimitBytes": 1048576,
        "rollOnFileSizeLimit": "true",
        "retainedFileCountLimit": 99,
        "flushToDiskInterval": "00:00:01",
        "outputTemplate": "[{Timestamp:yyyy-MM-dd HH:mm:ss.fff} {Level:u3}] {Message:lj} [{SourceContext}]{NewLine}{Exception}"
      }
    },
    {
      "Name": "Console",
      "Args": {
        "outputTemplate": "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj} [{SourceContext}]{NewLine}{Exception}"
      }
    }
  ]
}

I expected logging to be written to the file in %PROGRAMDATA% when the service is running as Local System, but nothing happens. Logging is written without issue when the service is run as any other administrative account.

Allen Aston
  • Not a direct answer to your question, but there are few scenarios where it's appropriate to run a third-party service under administrative credentials, especially `LocalSystem`. You can use any other account, including a [virtual service account](https://learn.microsoft.com/windows/security/identity-protection/access-control/service-accounts), and assign it the privileges it needs to run properly. This is much better than leaving your service open as an attack vector in case there's anything exploitable in it. – Jeroen Mostert Jun 06 '19 at 10:44
  • Serilog has a [self log](https://github.com/serilog/serilog/wiki/Debugging-and-Diagnostics#selflog) option. Have you tried that? – mason Jun 07 '19 at 20:22
  • Check "Create and manage the Windows Service" (https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/windows-service?view=aspnetcore-2.2&tabs=visual-studio#create-and-manage-the-windows-service). I think you need to set a `FileSystemAccessRule` for this local user. – ElasticCode Jun 09 '19 at 10:44
  • We have other services being installed at the same time as this one, running as the same user account, and they don't have any issues with logging. The difference is that the other services are full .NET framework and don't use Serilog. – Matt Casto Jun 10 '19 at 12:30
  • @Matt Casto Can you share where you try to log, and the NuGet packages used? – ElasticCode Jun 11 '19 at 11:29
  • Do you run the service with the LocalSystem-Account or LocalService-Account? LocalService-Account has minimum privileges on the system. – swissben Jun 14 '19 at 20:06

1 Answer


If I have not misunderstood, it is interesting with account system permissions:

A local system account of "local admin" is the same as an admin account.

If you have a Domain admin and you have a local admin, both pretty much have the same function.

If you are part of a domain you typically do not want to log into your computer as the domain admin.

You always want to use the local admin account if you can. The reason behind this is that your computer may have a virus on it, and if you log in as domain admin you have just opened the door for the virus across your entire network.

If you need to write to %PROGRAMDATA% then you should grant the permission and use it like this: https://stackoverflow.com/a/30792263/914284

Hamit YILDIRIM
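Pulling together mason's SelfLog suggestion and the FileSystemAccessRule approach from ElasticCode's comment and the link in the answer, here is an added example; it is not code from the question, the answer or the Serilog project. It assumes the System.IO.FileSystem.AccessControl package (which supplies GetAccessControl/SetAccessControl on .NET Core), a placeholder service account name, and that %VAR% tokens in the configured path are expanded the way Serilog.Settings.Configuration expands string arguments.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using Serilog.Debugging;

// Hypothetical setup helper for the log directory; run it once from the installer
// (as an administrator) rather than from the service itself.
public static class LogDirectorySetup
{
    // Serilog swallows sink exceptions so that logging never crashes the app; a File
    // sink that cannot open its path fails silently unless SelfLog is enabled.
    // Route SelfLog somewhere the service account can always write: stderr for a
    // console run, or a second file in the service's working directory when installed.
    public static void EnableSelfLog(TextWriter target)
    {
        SelfLog.Enable(message => target.WriteLine(message));
    }

    // Grant one service identity Modify on the log directory instead of running the
    // whole service as LocalSystem. accountName is a placeholder such as
    // "NT SERVICE\\MyService" (a virtual service account) or a gMSA; either receives
    // only the rights it needs on this one directory tree.
    public static string GrantModifyOnLogDirectory(string configuredPath, string accountName)
    {
        // Assumption: %VAR% tokens in the configured path are expanded the same way
        // Serilog.Settings.Configuration expands string sink arguments.
        var logFile = Environment.ExpandEnvironmentVariables(configuredPath);
        var logDir = Path.GetDirectoryName(logFile);
        var dirInfo = Directory.CreateDirectory(logDir);

        // GetAccessControl/SetAccessControl need System.IO.FileSystem.AccessControl on .NET Core.
        var security = dirInfo.GetAccessControl();
        security.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(accountName),
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dirInfo.SetAccessControl(security);
        return logDir;
    }
}
```

Call GrantModifyOnLogDirectory with the same string as the "path" argument in appsettings.json, then install the service under that account instead of LocalSystem; with EnableSelfLog active, any remaining File sink failure is reported on the SelfLog target instead of disappearing.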