ApplicationPoolIdentity ran web service cannot write to the Event log

http://support.thycotic.com/KB/a220/giving-application-pool-access-to-event-log.aspx

(From Article) states giving NETWORK SERVICE permission to eventLog

1. Determine the account that is running Secret Server. This can be done by logging in to Secret Server, clicking on "Administration", and then on "Diagnostics". Look for any of the "Thread Identity" labels. These will contain the identity of Secret Server (often NT AUTHORITY\NETWORK SERVICE).

You can also determine the identity by logging in and navigating to http://yoursecretserverurl/Installer.aspx

The first step of this installer/updater page will tell you the application pool identity.

2. Open the Registry Editor on the machine running Secret Server (start->run-regedit)

3. On the left, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

4. Right click on the "eventlog" folder in your registry editor and select "Permissions"

5. Give the account running Secret Server Full Control to this folder