Menu
We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.
This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?
We running an ASP.NET MVC app on IIS 6.
924
Description. ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment.
Build the application, run it in the browser, and navigate to http://www.yoursite.com/elmah.axd. You are prompted to log in before you see the content. After a successful authentication, you see a web page to remotely view the entire log of recorded exceptions.
ELMAH doesn't support ASP.NET Core.
The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.
Here's what I would recommend you:
elmah.axd handler on your main siteelmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.
92
I found this is most acceptable for MVC applications:
http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
