>Is the .NET EventLog component the tool I should be using to go about this?

You could, Mindy, though I understand you need to employ impersonation and establish permissions for the account you're impersonating as the ASPNET account cannot modify the event log. Some examples I've seen actually create a new log - in addition to the "Application", "Security" and "System" logs that already exist, and this requires an even higher level of permissions, and some who are more security-savvy than I am may advise that granting these kinds of permissions to your web app compromises your system's security.

What I did was create an XML error log file in a folder outside of the web server's directory tree, then I just open it with a browser. This way the app account only needs permission to write a file to a folder - no execute, read or other permissions.

You can find more information here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbconsecurityramificationsofeventlogs.asp

I'd be interested to know what the opinion of older and wiser heads is on this. It would seem maintaining an error log "file" would be "safer" than using the EventLog.