In the end I went with setting the permissions on the logs folder at deploy time. It's actually pretty straightforward with icacls
, only a couple of lines in rake for instance, assuming you know where your logs folder is going to be:
sh %{icacls "#{logs_dir}" /grant "#{username}":(OI)(W)}
Not calling UseNLog()
in the service config would also be a simple option, any install-time errors would go in the Windows event log in that case.