Question

My Windows Azure web role ASP.NET MVC application serves REST API requests on some of the routes and those routes require "basic" authentication. Client programs often fail to authenticate - most of them are in the middle of being debugged - and so authentication failures are quite common. For every event I get a record like this in the Application log (accessible via Event Viewer or the System.Diagnostics.EventLog class):

Date and Time Here (ASP.NET 4.0.30319.0): Event code: 100001
Event message: Authentication failure
Event time: Date and time
Event time (UTC): UTC date and time
// lots of information follows

I'm sure I'll never read those messages and writing them consumes some CPU time and IO bandwidth on the service VMs.

How do I get those failures not logged?


Solution 2

This behavior is configured using the <system.web><healthMonitoring> element in web.config. The default behavior is logging all unhandled exceptions and authentication failures to the Application event log. There are two "rules" - one for the former and one for the latter.

So I just added this:

<healthMonitoring>
  <rules>
    <clear />
  </rules>
</healthMonitoring>

which made those default rules disappear and the problem is solved for me. Note that this also removes the rule for logging unhandled exceptions which I don't need either.

OTHER TIPS

For anyone reading the accepted answer today: please note that this is not a recommended security best practice. Logging authentication errors is critical to identify application attacks. This logging should never be disabled in production systems and/or internet-facing systems. Password attacks include brute force, dictionary attacks, password spraying, credential stuffing, etc. These can be detected by logging and monitoring for authentication failures.

Whilst the author explains that this is a development environment, the mere fact that an application is being debugged does not imply that we should accept authentication failures. If the application is internet-facing, then it is most ideal to detect any intrusions and attacks against the system so that appropriate security measures can be taken.
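The monitoring described above, as an added example that is not part of the original answers: Python detection logic that parses authentication-failure records and separates one source trying many accounts from repeated failures against one account, while leaving a debugging client's occasional failures alone. The two detail fields ("User host address", "Name to authenticate"), the sample records, the alert names and the threshold and window values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Record layout: header lines as in the question, plus two detail fields
# ("User host address", "Name to authenticate") that are assumed here.
TEMPLATE = ("Event code: 100001\nEvent message: Authentication failure\n"
            "Event time (UTC): {t}\nUser host address: {ip}\n"
            "Name to authenticate: {user}\n")
BASE = datetime(2024, 1, 1, 10, 0)
# Constructed sample: (minute offset, source address, account name).
CONSTRUCTED = ([(m, "203.0.113.7", f"user{m}") for m in range(6)]       # one source, many accounts
               + [(20 + m, "198.51.100.9", "admin") for m in range(6)]  # one account, repeated
               + [(40, "192.0.2.10", "dev-client"), (55, "192.0.2.10", "dev-client")])
SAMPLE_LOG = "".join(
    TEMPLATE.format(t=(BASE + timedelta(minutes=m)).isoformat(sep=" "), ip=ip, user=u)
    for m, ip, u in CONSTRUCTED)

FIELD = re.compile(r"^(Event time \(UTC\)|User host address|Name to authenticate): (.*)$", re.M)

def parse(log_text):
    """Yield (time, source, account) for each authentication-failure record."""
    for block in log_text.split("Event code: ")[1:]:
        if "Event message: Authentication failure" not in block:
            continue
        fields = dict(FIELD.findall(block))
        yield (datetime.fromisoformat(fields["Event time (UTC)"]),
               fields["User host address"], fields["Name to authenticate"])

def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return sorted (kind, key) alerts for failures clustered inside one window."""
    events = sorted(events)
    alerts = set()
    for i, (start, _, _) in enumerate(events):
        accounts_by_source, hits_by_account = defaultdict(set), defaultdict(int)
        for when, source, account in events[i:]:
            if when - start > window:
                break
            accounts_by_source[source].add(account)
            hits_by_account[account] += 1
        # Many distinct accounts from one source: spraying or credential stuffing.
        alerts |= {("spraying", s) for s, a in accounts_by_source.items() if len(a) >= threshold}
        # Many failures against one account: brute force or dictionary attack.
        alerts |= {("brute-force", a) for a, n in hits_by_account.items() if n >= threshold}
    return sorted(alerts)

if __name__ == "__main__":
    for kind, key in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {kind}: {key}")
```

None of this works once the failure-audit rule is cleared, because the records it reads are never written.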

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow