Monday, March 19, 2012

ELMAH - Error Logging Modules and Handlers - (Security)


Securing the logs should be one of the important aspects to consider when using ELMAH. If the logs are not secured, they can expose the inner workings of the application to unauthorized personnel.

By default, ELMAH is configured to deny access to the error log it produces unless we are accessing it from the server the site is hosted on. To secure the logs, we need to configure the following:

  • Enabling or disabling remote access to the logs
  • Granting or denying permissions via ASP.NET authorization

Here is what can happen if the logs are not secured: "ASP.NET session hijacking with Google and ELMAH".

Enabling or disabling remote access to the logs
ELMAH provides a configuration section and a setting to enable or disable remote access to the error log display and feeds. Here is the snippet that needs to be added to the configuration file.

    
Remote access is enabled when the value of the allowRemoteAccess attribute is either 1, yes, true or on. Otherwise it is disabled. Local access is always available.

Granting or denying permissions via ASP.NET authorization
Using ASP.NET’s Membership Provider and in-built authorization system we can deny anonymous access by adding the following definition to our web.config file. It can go anywhere inside the root configuration element.

    
      
        
      
    

This will allow any authenticated user to view the error log. If you only want a select group of people to be able to view the log, you could put those users into a ‘Support’ role and use something like:
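A web.config fragment that combines both controls described in this post, written here as an added example and not the original post's snippets. It assumes the `elmah.axd` handler path and the 'Support' role named on this page, and that the `security` section handler is registered under `configSections`.

```xml
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <!-- Registers the <security> section used below -->
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- Weak combination: allowRemoteAccess="1" with no authorization
         rule on elmah.axd lets any remote visitor read the error log.
         Set it to "0" (or omit it) if the log is only read on the server.
         "1" is used here because support staff read the log remotely,
         so the <location> rule below is what protects it. -->
    <security allowRemoteAccess="1" />
  </elmah>

  <!-- Authorization applied only to the ELMAH handler path -->
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <!-- Variant 1 (any authenticated user): replace the two rules
             below with a single <deny users="?" /> -->
        <!-- Variant 2 (selected group): rules are evaluated top-down,
             so the role is allowed first and everyone else is denied -->
        <allow roles="Support" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, request `elmah.axd` once anonymously and once as a user outside the role to confirm both are refused.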

    
    

Happy Coding!!!

Tuesday, March 6, 2012

ELMAH - Error Logging Modules and Handlers - (Basic)


Creating custom classes or using an existing class for exception handling and logging should be included as part of the design. Sometimes I've noticed that exception handling takes a lower priority, and this shouldn't be the case. Anything that is coded is error-prone, and errors happen unexpectedly due to the environment, data, etc. All of these can cause a YSOD, and to debug it we need as much information as possible to lead us to the root cause.

After working with multiple logging frameworks, I found ELMAH to be one of the best in many aspects. Here are a few:

  • Easy to configure and use
  • Can be configured dynamically without re-building or re-deploying the app
  • Logs almost all the exceptions
  • Affable UI to view the entire logs

Here are the basic steps to get started.


1. Add reference - elmah.dll



2. Add the below configuration to web.config
<configuration>
 <!-- Element and attribute names in web.config are case-sensitive -->
 <configSections>
  <sectionGroup name="elmah">
   <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah"></section>
   <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah"></section>
   <section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah"></section>
   <section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah"></section>
  </sectionGroup>
 </configSections>
 <elmah>
  <!-- Store each error as an XML file under logPath -->
  <errorLog logPath="c:\logs\elmah" type="Elmah.XmlFileErrorLog, Elmah"></errorLog>
 </elmah>
 <system.web>
  <httpHandlers>
   <!-- Handler that serves the log UI at elmah.axd -->
   <add path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" verb="POST,GET,HEAD"></add>
  </httpHandlers>
  <httpModules>
   <!-- Module that captures unhandled exceptions and logs them -->
   <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah"></add>
  </httpModules>
 </system.web>
</configuration>
Just these two steps configure ELMAH. Note that we have specified the location to store the log files in the config file. The logs are stored in .xml format.

To get to the UI, navigate to the handler that is configured in web.config. In this case, it would be http://localhost:*****/elmah.axd

Here is what the log UI looks like.
Here is how the UI looks when there are logged exceptions.
To view more details on an exception, click on the "details" link in the error section.

We can even use NuGet to configure ELMAH.
Package Manager does all the config changes. Now the application is configured to use ELMAH. Isn't that neat and clean?

Here is the link to ELMAH. The above is just a basic config of ELMAH, and it has many more features to be explored. Go ahead, explore and have fun.


Happy Coding!!!