Adding ELMAH to your ASP.NET Web Site

There’s already a lot of posts out there on how to set up ELMAH (see References below). Still, as I went through the process of adding ELMAH to my own site, I found myself pulling information from multiple posts and even ran into a couple of surprises during deployment. So, in an effort to consolidate the information I needed and post solutions to the issues I had, I give you this post on the unhandled exception and error handling utility that is ELMAH.

In short, ELMAH is a utility that reports unhandled errors and exceptions. Looked at another way, ELMAH will display problems with your site that you might not otherwise see.

Adding ELMAH to an ASP.NET Web Site

1.) Get ELMAH

The first step is to actually get ELMAH. You can download from the Google Code page. Once you’ve got it, copy the file “Elmah.dll” into your site’s bin folder.

2.) Modifying your web.config

There are a couple of initial modifications you’ll have to make to your web.config:

a.) Add the following to the <httpModules> section:

<add name=”ErrorLog” type=”Elmah.ErrorLogModule, Elmah”/>

b.) Add the following to the <httpHandlers> section:

<add verb=”POST,GET,HEAD” path=”elmah.axd” type=”Elmah.ErrorLogPageFactory, Elmah” />

3.) Deployment and dealing with initial issues

For the most basic ELMAH setup, that’s it. You should be able to access your site’s ELMAH logs by accessing http://yoursite/elmah.axd.

However, once you’ve deployed you might run into this error:

You are attempting to access ELMAH from a remote machine whereas it is currently configured not to allow remote access.


Fortunately, getting around this is pretty easy.

a.) Like it says, add a new <sectionGroup>:

<sectionGroup name=”elmah”>
<section name=”security” type=”Elmah.SecuritySectionHandler, Elmah” />

b.) Also, add the <elmah> section. I added it right underneath my <configSection> closing tag.

<security allowRemoteAccess=”yes” />

Again, redeploy the web.config file and we’re done.

Except that, now, everyone in the world can view your ELMAH logs. Not good.

Securing ELMAH against unwanted eyes

Allowing everyone to view your ELMAH logs is generally not a good thing because an astute hacker could easily glean information from those logs and potentially exploit your site. So, we’ll add some basic security.

1.) Include the admin path

Include the admin path in the httpHandler “add” so it looks like:

<add verb=”POST,GET,HEAD” path=”/admin/elmah.axd” type=”Elmah.ErrorLogPageFactory, Elmah” />

2.) Add a <location> section

This stands as it’s own sub-section beneath the main <configuration> tag:

<location path=”admin”>
<deny users=”?”/>

Now, we’re done. When you access http://yoursite/admin/elmah.axd, you should be prompted for your credentials (assuming you’re using ASP.NET’s built-in security; see Phil Haack’s postfor more info).

This is just an ease-of-access thing. If you add ELMAH to your web.sitemap, BlogEngine.NET will automatically pick it up and display in your admin menu.

Just add this to your sitemap file:

<siteMapNode url=”~/admin/elmah.axd” title=”ELMAH” description=”” roles=”administrators”/>