From the standpoint of application that generates the events to be written to the event log, i.e. Application, System, Security, InTrust for AD and from the InTrust application that reads these events from the log that is being gathered against, the location of the event log file makes no difference. InTrust does not work directly with the log file, as we don't use conventional methods like Event Viewer to manipulate the event log. Applications use Microsoft Windows Event Log service to write their events to the event log file and InTrust also uses this service to read those events.
For example, an application that logs an event gives it to the operating system for further processing, whatever the event is. An application that reads events just requests them from the OS and it is the OS that knows where the event log files reside. The Event Log service (i.e. operating system) is always aware of where the log resides, and an application just needs to know how to communicate with this service. This is achieved by using standard Microsoft APIs, which InTrust uses to gather event logs.
