eventlog-to-syslog's Issues

Config File Wildcards

Is there any way to use wildcards in the config file?  Or is there a better 
recommended way to exclude a few hundred different entries without creating 
a line for each one?

Original issue reported on code.google.com by [email protected] on 19 May 2010 at 10:07

Missing Microsoft-Windows-Security-Auditing registry key on Windows 2008 (not R2)

What steps will reproduce the problem?
1. Run on cleanly installed Windows 2008 host.
2. See that registry keys are clearly missing on Windows 2008.

What is the expected output? 
$thedate $host Microsoft-Windows-Security-Auditing: xxxx: An account was 
successfully logged on. Subject: Security ID: S-x-x-x Account Name: - Account 
Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security etc etc.

What do you see instead?
 "Cannot find message file key for "SYSTEM\CurrentControlSet\Services\Eventlog\Security\Microsoft-Windows-Security-Auditing""

What version of the product are you using? On what operating system?
v4.4: 64bit on Windows 2008 (not R2)

Please provide any additional information below.
This is only an issue on Windows 2008. Windows 2008 R2 doesn't have this 
problem.

Original issue reported on code.google.com by [email protected] on 13 Dec 2010 at 9:59

not sending eventlogs other than security...

I've been running this on a multitude of servers here and installed the
service the same way on each.

However, after checking my syslog server, I'm not getting anything except
for security logs from my windows servers... is there a reason for that?

Original issue reported on code.google.com by [email protected] on 27 May 2010 at 8:18

RFC3195 compliant?

Is eventlog-to-syslog RFC3195 compliant? Meaning - can the service be 
configured to forward the events with TCP instead of UDP? 

Thanks in advance


Regards 
Claus


Original issue reported on code.google.com by [email protected] on 8 Jul 2010 at 1:07

I don't get application event..

When I run evtsys.exe in debug mode I create events in separate console window.

When I create an event like this: eventcreate /t error /l system /id 100 /d 
"desc", I get the message: "error getting message string for RecordID ... the 
message resource is present but the message is not found in string/message 
table."

For some reason it cannot read the event message.

Another issue is that program cannot recognize event when I create it like 
this:  eventcreate /t error /l application /id 100 /d "desc", (application 
event) then I get no output.

I am running program on win 7, 32 bit.. 

Original issue reported on code.google.com by [email protected] on 6 May 2011 at 12:38

Split up messages

Hi,

I would like to receive 1 syslog message per event log message.

Currently I'm getting:

2011-07-27T14:52:42.041701+02:00 192.168.20.55 [...] ▒#010#022▒#036L<29>Jul 
27 14:52:59 xxx xxx: Security-Auditing: 4673: [...]<29>Jul 27 14:52:59 xxx xxx: 
[...]<29>Jul 27 14:52:59 xxx xxx: Security-Auditing: 4648: [...]

I would like to receive one line per Event.

Thanks!

morphium

PS: I'm using TCP

Original issue reported on code.google.com by [email protected] on 27 Jul 2011 at 12:56
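
The framing problem in the report above can be worked around on the receiving side. This is an added example, not code from evtsys or from the reporter: it assumes every message starts with "<PRI>" followed by an RFC 3164 timestamp, as in the quoted output, and it runs over a constructed byte stream. The function names are hypothetical.

```python
import re

MONTHS = rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
# A record starts at "<PRI>" directly followed by an RFC 3164 timestamp such as
# "Jul 27 14:52:59 " (day of month is space-padded). Requiring the timestamp
# stops a "<29>" that appears inside event text from being read as a boundary.
RECORD_START = re.compile(
    rb"<(\d{1,3})>(?=" + MONTHS + rb" [ 0-3]\d \d{2}:\d{2}:\d{2} )"
)
TAIL = 24  # longer than any incomplete "<PRI>timestamp " prefix (at most 20 bytes)


def parse_record(chunk):
    """Turn one '<PRI>...' chunk into facility, severity and message text."""
    m = RECORD_START.match(chunk)
    pri = int(m.group(1))
    return {
        "facility": pri >> 3,   # 29 >> 3 == 3 (daemon)
        "severity": pri & 7,    # 29 & 7 == 5 (notice)
        "text": chunk[m.end():].rstrip(b"\r\n").decode("utf-8", "replace"),
    }


def split_stream(buf, eof=False):
    """Return (complete records, bytes to keep for the next read).

    Without a delimiter the last record is only known to be complete when the
    next one starts or the connection closes, so it is held back until then.
    Bytes in front of the first record start are dropped as noise.
    """
    starts = [m.start() for m in RECORD_START.finditer(buf)
              if int(m.group(1)) <= 191]          # highest valid PRI value
    if not starts:
        return [], (b"" if eof else buf[-TAIL:])
    bounds = starts + [len(buf)]
    chunks = [buf[a:b] for a, b in zip(bounds, bounds[1:])]
    pending = b"" if eof else chunks.pop()
    return [parse_record(c) for c in chunks], pending


def reassemble(reads):
    """Feed successive TCP reads through split_stream and flush at close."""
    records, pending = [], b""
    for data in reads:
        done, pending = split_stream(pending + data)
        records.extend(done)
    done, _ = split_stream(pending, eof=True)
    return records + done


# Constructed sample: leading noise, then three messages sent back to back.
STREAM = (
    b"\x10\x12\x1eL"
    b"<29>Jul 27 14:52:59 HOSTA Security-Auditing: 4673: constructed event one"
    b"<29>Jul 27 14:52:59 HOSTA Security-Auditing: 4648: text quoting <29> itself"
    b"<27>Jul 27 14:53:00 HOSTA Service_Control_Manager: 7036: constructed event three"
)

if __name__ == "__main__":
    for rec in reassemble([STREAM[:50], STREAM[50:120], STREAM[120:]]):
        print(rec["facility"], rec["severity"], rec["text"])
```
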

No events logged to syslog

What steps will reproduce the problem?
1. Installed the 64 bit version on Windows 2008 R2 Server into the 
\Windows\System32 directory

2. Installed the service via:
  evtsys -i -h 172.18.1.59

3.  From the command line 
  net start evtsys

What is the expected output? What do you see instead?

Logs to be sent to the Fedora 14 syslog-ng server.  No logs are sent.

What version of the product are you using? On what operating system?

Windows 2008 R2 64 bit
Fedora 14 Syslog-ng server 64 bit
EvtSys 4.4 64 bit

Please provide any additional information below.

HKLM\Software\ECN\EvtSys\3.0
Default = not set
Facility = 3
IncludeOnly = 0
LogHost = 172.18.1.59
LogHost2 = 
LogLevel = 0
Port = 514
QueryDhcp = 0
StatusInterval = 1

Running via evtsys -d -h 172.18.1.59 I get the following every minute:
Feb  1 14:50:00 SHAREPOINT2010 Eventlog to Syslog Service Started: Version 4.4 
(64-bit)
Feb  1 14:50:00 SHAREPOINT2010 Flags: LogLevel=0, IncludeOnly=False, 
StatusInterval=1
Feb  1 14:50:55 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:51:56 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:52:57 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:53:59 SHAREPOINT2010 Eventlog to Syslog Service Running
Feb  1 14:55:02 SHAREPOINT2010 Eventlog to Syslog Service Running

Original issue reported on code.google.com by [email protected] on 1 Feb 2011 at 4:09

Request to support 4 loghosts

Hi Sherwin,
Would it be possible to enhance eventlog-to-syslog to support an additional 2 
LogHosts, total of 4? 
I understand that currently only two loghosts are supported.

Would you have a workaround for this? Will you add this to your next update?

Why the need to support 4 loghosts?
One set is for operational use, the other set is for auditing purposes. Both 
are redundant.

Best regards,
Mark

Original issue reported on code.google.com by [email protected] on 9 Mar 2011 at 12:26

Distribute files in an MSI package

It would be great to have evtsys packaged as an MSI file instead of .zip files, 
so that it could more easily be distributed via standard Windows software 
deployment tools (such as SCCM).

Original issue reported on code.google.com by [email protected] on 12 Apr 2011 at 12:59

Ping before

An enhancement would be to have a "Ping before send" option in case the syslog 
server is temporarily down or otherwise unavailable. This means that the 
evtsys.exe sets a pointer in the evt/evtx logfile and starts reading from that 
position as soon the syslog server comes back up.


Original issue reported on code.google.com by [email protected] on 16 Nov 2010 at 11:12

Use FQDN in message instead of 'windows computer name' [patch]

We'd like to feed the event logs into a SIEM. In order to do correlation, the 
SIEM needs the IP address (or a resolvable hostname) and using %COMPUTERNAME% 
doesn't get us there. The attached patch will find the first IP address on the 
system and use that in the syslog message. If the IP is resolvable to a FQDN, 
then that will be used. This feature is optional by specifying the command line 
option "-a" when installing the service. 

Original issue reported on code.google.com by jeff.murphy on 20 Jul 2011 at 5:53

Attachments:

Debug mode traps all events, not in Service mode.


What steps will reproduce the problem?
1. Running "evtsys.exe -d" on windows 2008 machine. Ignore file is default 
(nothing is ignored)
(32-bit)

Jun  1 05:35:32 WIN2K8VMSGREGOI Flags: LogLevel=0, IncludeOnly=False, EnableTcp=False, IncludeTag=False, StatusInterval=0


2. Generating events using

logevent -s E -c 3 -r "Hi this is a test" -e 42 "This is a message"

3. Events gets successfully sent to syslogd, as expected. 

4. Stopping "evtsys -d" and then "net start evtsys". 

5. Re-generating same logevent commands. Problem is that the same events are 
not trapped in service mode.

What is the expected output? What do you see instead?

Whatever is trapped in the debug mode should be trapped when run as a service? 
Using the same ignore file and same settings in the registry?

What version of the product are you using? On what operating system?

Latest (4.4.1)

Please provide any additional information below.

Tried setting a service account on the service, still does not work. 

Original issue reported on code.google.com by stephanegregoire on 1 Jun 2011 at 12:37

MS SQL Logs

What steps will reproduce the problem?
1.Export all application logs to syslog-ng
2.Export all System logs to syslog-ng
3.

What is the expected output? What do you see instead?
I have MS SQL logs in application which are not being logged to Syslog-ng. I 
would like to have these logs in syslog including failed, Error and success 
logs. This will enable me to filter the logs and send e-mail Alerts. Sorry 
if there is a solution for this already but I don't know how to configure it. 
By the way where is the configuration file? This is the only thing I could find.

'!!!!THIS FILE IS REQUIRED FOR THE SERVICE TO FUNCTION!!!!
'
'Comments must start with an apostrophe and
'must be the only thing on that line.
'
'Do not combine comments and definitions on the same line!
'
'Format is as follows - EventSource:EventID
'Use * as a wildcard to ignore all ID's from a given source
'E.g. Security-Auditing:*
'
'In Vista/2k8 and upwards remove the 'Microsoft-Windows-' prefix
'**********************:************************** 



What version of the product are you using? On what operating system?
4.4.1 (64-bit) on Windows Server 2008.

Please provide any additional information below.
I want to use this for PCI DSS project. I want to get logs for Security, 
Application and System. I want to pass all the logs from those locations to  
syslog-ng.

Original issue reported on code.google.com by [email protected] on 13 Apr 2011 at 4:32

Problem with cyrillic (russian) messages in log

What steps will reproduce the problem?
Need any Russian version of Windows

What is the expected output?
in UTF-8 (russian message):
Sep 20 11:05:38 gaidukav.******* GAIDUKAV Service_Control_Manager: 7036: 
Служба "Планировщик классов мультимедиа" 
перешла в состояние Остановлена.

What do you see instead?
in 437 codepage:
Sep 20 11:05:38 gaidukav.******* GAIDUKAV Service_Control_Manager: 7036: 
Сл�\203жба 
"∩┐╜\237╨╗╨░╨╜╨╕∩┐╜\200╨╛╨▓∩┐╜\211╨�
��╨║ ╨║╨╗╨░∩┐╜\201∩┐╜\201╨╛╨▓ 
╨╝∩┐╜\203╨╗∩┐╜\214∩┐╜\202╨╕╨╝╨╡╨┤╨��
�╨░" ╨┐╨╡∩┐╜\200╨╡∩┐╜\210╨╗╨░ ╨▓ 
∩┐╜\201╨╛∩┐╜\201∩┐╜\202╨╛∩┐╜\217╨╜╨╕╨�
�� 
∩┐╜\236∩┐╜\201∩┐╜\202╨░╨╜╨╛╨▓╨╗╨╡╨��
�╨░.

Some chars in Russian UTF-8 strings are converted to \200, \201, \202... codes.
Result - UTF-8 string not readable.

Applying this Perl code (regexp) to each string of the log
  $log_string =~ s/\\(\d{3})/chr(oct("0$1"))/egx;
solves the problem.

What version of the product are you using?
Eventlog to Syslog 4.4.2 (64-Bit)

On what operating system?
Windows 7 x64 Russian

Original issue reported on code.google.com by [email protected] on 20 Sep 2011 at 7:37
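
A server-side repair along the lines of the Perl one-liner in the report above, as an added example that is not code from evtsys or from the reporter. It assumes only bytes 0x80-0x9F were escaped (every code quoted in the report, \200 to \237, falls in that range), so it is narrower than the Perl regexp, and it leaves a line untouched when the result is not valid UTF-8. The sample text is constructed and the function names are hypothetical.

```python
import re

# Backslash plus three octal digits in the range 200-237 (bytes 0x80-0x9F).
# Other backslash-digit sequences, e.g. in Windows paths, are not touched.
C1_ESCAPE = re.compile(rb"\\(2[0-3][0-7])")


def escape_c1(data: bytes) -> bytes:
    """Reproduce the damage: write each byte in 0x80-0x9F as \\ooo."""
    return b"".join(
        b"\\%03o" % b if 0x80 <= b <= 0x9F else bytes([b]) for b in data
    )


def unescape_c1(raw: bytes) -> bytes:
    """Turn each \\200..\\237 escape back into the single byte it stands for."""
    return C1_ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def repair_line(raw: bytes):
    """Return (text, repaired).

    The line is only rewritten when undoing the escapes yields valid UTF-8;
    otherwise the original bytes are kept so the stored log is not altered
    on a guess.
    """
    restored = unescape_c1(raw)
    try:
        return restored.decode("utf-8"), True
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace"), False


# Constructed sample in the shape of the report's expected output.
SAMPLE = 'HOST Service_Control_Manager: 7036: Служба "Планировщик"'

if __name__ == "__main__":
    damaged = escape_c1(SAMPLE.encode("utf-8"))
    print(damaged)
    print(repair_line(damaged))
```
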

allow install outside system path

I'd like to be able to install this app in a path other than in the system32 
directory.  (I'm always wary of sticking executables in that dir).  When I had it 
in a separate directory and installed it, the path was hard coded to the 
system32 directory and not the path where it was executed from.

Original issue reported on code.google.com by [email protected] on 15 Apr 2011 at 11:34

Success/Failure status

What steps will reproduce the problem?
Some events like Security 560 
(http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=560) 
have success/failure status. It is not reported by evtsys.

What is the expected output? What do you see instead?
A new field indicating the status.

What version of the product are you using? On what operating system?
4.4 on windows 2003, 2008

Please provide any additional information below.
Mainly occurs on Audit Events, where you can check if an event has succeeded or 
not.

Original issue reported on code.google.com by [email protected] on 8 Mar 2011 at 4:01

Character set issue

What steps will reproduce the problem?
1. We want to use Korean syslog file to syslog server(Kiwi syslog)
2. English is OK. But Korean is not OK.(Not readable)

What is the expected output? What do you see instead?
 - If I use UTF-8, it should be OK.

What version of the product are you using? On what operating system?
 - Windows 2008 server and evtsys 4.1.0 - 32bit. 

Please provide any additional information below.
 - Windows 2003 server and Windows 7 and evtsys 4.1.0 go well. 

Original issue reported on code.google.com by [email protected] on 8 Feb 2010 at 5:18

Why does evtsys.exe listen to a network port?

I'm testing eventlog-to-syslog, and it looks very interesting - thanks.

However, the evtsys.exe seems to be listening on a UDP port. Why is that? Maybe 
the documentation should mention it.

Original issue reported on code.google.com by [email protected] on 12 Apr 2011 at 11:50

Evtsys cache

Is it possible to add the ability to keep the logs stored in cache in case of 
failure of the centralized syslog server?

Many thanks 

Roberto 

Original issue reported on code.google.com by [email protected] on 31 Aug 2010 at 5:37

Message size limitation in evtsys


I'm running Version 4.4. Although it is possible to increase the message size 
limit with rsyslog and syslog-ng, it seems that evtsys is truncating messages 
that are larger than 1024k.

Is there a possibility to get rid of this limitation?



Original issue reported on code.google.com by [email protected] on 1 Feb 2011 at 4:56

  • Merged into: #21

Service stop after standby

What steps will reproduce the problem?
1. Standby the computer
2. Turn on the computer
3. Show service.msc, "Eventlog to syslog" service is not running

What version of the product are you using? On what operating system?

I tested the last version 4.4.2 on Windows Seven Pro 64 bits.


Original issue reported on code.google.com by [email protected] on 15 Oct 2011 at 10:56

Not RFC 3164 Compliant

This is a great utility, but I'd LOVE to see it be RFC 3164 compliant. It's 
almost there, really; the biggest issue is spaces in the TAG field, and the 
lack of a hostname.

Original issue reported on code.google.com by [email protected] on 4 Feb 2010 at 10:59

Message from type information came as err when the message file was not found.

What steps will reproduce the problem?
1.Event log entries like this:

Event Type: Information
Event Source:   sshd
Event Category: None
Event ID:   0
Date:       21.02.2011
Time:       13:33:09
User:       PEXXXX\cyXXXXXXX
Computer:   PEXXXXXX  Description:
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The 
local computer may not have the necessary registry information or message DLL 
files to display messages from a remote computer. You may be able to use the 
/AUXSOURCE= flag to retrieve this description; see Help and Support for 
details. The following information is part of the event: sshd: PID 260: 
Accepted publickey for cyXXXXXXXX from XXXXXXXXXX port 56861 ssh2.

came in the syslog

syslog PEXXXXX daemon err 2011-02-21 13:33:13 find message file key for 
"SYSTEM\CurrentControlSet\Services\Eventlog\Application\sshd" 

What is the expected output? What do you see instead?

The Priority as information and the option -l=3 (level) should not show this 
message.

What version of the product are you using? On what operating system?

Product Version 4.4.0
Operating System is Windows Server 2003 R2 64Bit standard.
Application in this eventlog message is cygwin ssh daemon.



Original issue reported on code.google.com by [email protected] on 21 Feb 2011 at 1:18

Add Custom Field

Hello
Is it possible to add an additional field in the record log that I send to DB?
The field must be of type string, and customizable for each client.

Thanks in advance 


Original issue reported on code.google.com by [email protected] on 27 Aug 2010 at 4:01

Character set issue 2 in Chinese Traditional (zh-tw)

What steps will reproduce the problem?
1. We want to use Chinese Traditional syslog file to syslog server(Kiwi syslog)
2. English is OK. But Chinese Traditional is not OK.(Not readable)

What is the expected output? What do you see instead?
I can't read the syslog and have no idea how to solve this problem

What version of the product are you using? On what operating system?
Windows 2008 server、evtsys 4.2.0 - 32bit、kiwi Syslog v9.1

Please provide any additional information below.
Windows 2003 server evtsys 4.2.0 is still not readable

Original issue reported on code.google.com by [email protected] on 9 Jun 2010 at 11:11

Windows 7 Events Sent Twice

Hi Sherwin

I tried to install the program (evtsys) in Windows 7 and I saw that there are 
two errors (maybe bug):

1 - If you enable the option -n (-n Include only Those events specified in the 
config file) and add in evtsys.cfg:
*************
Security-Auditing: 4624
Security-Auditing: 4634

Do not send anything to syslog server!!!!

2 If the option -n is not active (-n Include only Those events specified in the 
config file)

evtsys send twice the same record to syslog server

4624 event ....
4624 event ....

Please help me

Thank you so much
Roberto

Original issue reported on code.google.com by [email protected] on 8 Jan 2011 at 12:04

month old events sent every time service restarts

What steps will reproduce the problem?
1. Restart Eventlog to Syslog service


What is the expected output? What do you see instead?

Syslog should only receive new events, instead over 2000 events from the past 
month up to today are sent every time the service restarts.  


What version of the product are you using? On what operating system?

Version 4.4 (64-bit) on Windows Server 2008 R2 Enterprise


Please provide any additional information below.

Uninstalling/reinstalling the service and rebooting the server does not affect 
the behavior.  The same 2000 events are sent each time I restart the service or 
the server.

Events are thrown beginning 05/19 through 06/16 (today).  We have this software 
on several identical servers that do not exhibit this behavior.  This started 
last night after the latest round of windows updates, but again, only on this 
one machine.

Original issue reported on code.google.com by [email protected] on 16 Jun 2011 at 7:00

Feature Request: Comma delimited list of log hosts

Rather than having two flags for two different logservers, please have a single 
flag that takes a comma delimited list of logservers. This would allow for more 
flexibility in wide deployments.

Thanks,
Ben

Original issue reported on code.google.com by [email protected] on 25 Oct 2011 at 7:21

Multiple facilities

What steps will reproduce the problem?
1.evtsys.exe -i -h hostname.domain -l 0
2.
3.

What is the expected output? What do you see instead?
Server receive all logs (Application, System, Security) to same facility 
(daemon).

What version of the product are you using? On what operating system?
version 4.4.2 , Windows XP 32-bit

Please provide any additional information below.

I could not install more than one facility through the key "-f". So I left the 
default value (3).
Is it possible to split logs, for example System log to daemon facility; 
Security to security/authorization facility; application log to user-level 
facility; etc?

Original issue reported on code.google.com by [email protected] on 7 Jul 2011 at 4:35

  • Merged into: #15

Installation of evtsys 4.4 on Windows Server 2008 R2 64bit fails

What steps will reproduce the problem?
1. Using 64bit Version of evtsys
2. Copying evtsys.exe and evtsys.dll to C:\Windows\System32
3. executing command "evtsys -i -h <IP-address>"

What is the expected output? What do you see instead?
Instead of installing, I get the following:
C:\Windows\System32>evtsys -i -h <IP>
Checking ignore file...
Jan 14 17:51:45 ATVIESV051 Error opening file: evtsys.cfg: The system cannot 
find the file specified.

Jan 14 17:51:45 ATVIESV051 Creating file with filename: evtsys.cfg
Jan 14 17:51:45 ATVIESV051 File could not be created: evtsys.cfg: Access is 
denied.

Jan 14 17:51:45 ATVIESV051 File Check Failed!!!
Command did not complete due to a failure

I tried to manually create the evtsys.cfg file, but also did not help:
C:\Windows\System32>evtsys -i -h <IP>
Checking ignore file...
Jan 14 17:54:35 ATVIESV051 Cannot initialize access to registry: 
"Software\ECN\EvtSys\3.0": The operation completed successfully.

Command did not complete due to a failure

What version of the product are you using? On what operating system?
evtsys 4.4 64bit on Windows Server 2008 R2 64bit

Please provide any additional information below.

Any help would be appreciated...

Greetz,
G.

Original issue reported on code.google.com by [email protected] on 14 Jan 2011 at 4:57

Access Violation in support.c:GetTimeStamp():strncpy_s() when built with VS2010++ Express

What steps will reproduce the problem?
1. Build with VS2010++ Express
2. Debug

What is the expected output?

Application starts normally.

What do you see instead?

AccessViolation occurs.

What version of the product are you using? On what operating system?

Latest 4.0 on Windows XP

Please provide any additional information below.

It seems to be a problem with the timestamp variable. Removing the declaration 
and replacing it in Global Space with:

  char timestamp[16];

Allows the application to start.

Original issue reported on code.google.com by [email protected] on 7 Dec 2010 at 3:47

Possibility to filter users client side

It would be great to have the ability to filter client side which messages to 
send and which to ignore.
I'd really hope to ignore specific events with regexed tags on client side 
already. 
Like:
Ignoring all users with '%$' that come from events 4624, 4634, 538, 540.

I'm looking at horrendous network traffic and SQL operations right now - all 
for events that are essentially of no value to anyone.

regards

Original issue reported on code.google.com by [email protected] on 19 May 2011 at 9:20

Priority

Is it possible to set the priority as "ETC" "WARNING" "NOTICE" etc when I start 
evtsys?

Original issue reported on code.google.com by [email protected] on 6 Jul 2010 at 10:19

Security Event ID 529 Ignored

What steps will reproduce the problem?
1. Run evtsys IncludeOnly=False
2. LogLevel=0
3. Run debug to view ignored events

What is the expected output? What do you see instead?
Login failures should be sent to syslog. Instead they're dropped.

IGNORING_EVENT: SOURCE=Security & ID=529

What version of the product are you using? On what operating system?
v4.4 on XPsp3

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 12 Feb 2011 at 1:34

Option to use "Applications and Service logs" in Win2008

What steps will reproduce the problem?

1. Run ex. gpupdate in cmd


What is the expected output? 

EVTsys sends the log entries to the syslog-server.

I can see that when running this GPupdate-command, the GroupPolicy\Operational 
evt-log gets written to, but EVTsys does not record/send these messages.

What do you see instead?

EVTsys should send the events to the syslog server.
I would like an option to specify which "Applications and Service logs" I would 
like EVTsys to monitor, eg in the evtsys.cfg file?! (EVTsys should not by 
default monitor all logs, because there is so much logging going on in these 
logs)


What version of the product are you using? On what operating system?

4.4.0.0

Windows server 2008 R2


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 6 Oct 2011 at 8:38

Log level 4 (Information) not available

What steps will reproduce the problem?
1. Copy the 4.4.1 executables to the system32 directory
2. Run evtlog.exe -i -h [host] -l 4

What is the expected output? What do you see instead?
Expected: Service created.
Result: Bad level: 4 Must be between 0 and 3

What version of the product are you using? On what operating system?
4.4.1 on Windows 7

Please provide any additional information below.
Just now looking at using the program.  Assuming 4 is less verbose than 0, this 
is what my organization is looking at using.

Thank you
-Brian

Original issue reported on code.google.com by [email protected] on 7 Apr 2011 at 8:49

Incorrect hostname formatting

What steps will reproduce the problem?
1. Not sure, seems to be somewhat random
2. But, currently have several Windows 2003 servers exhibiting problem
3. And several, using the same exact install, that don't exhibit the problem

What is the expected output? What do you see instead?
   The expected hostname is "HOSTNAME", in the log message.  Instead, there seems to be an extra space, and the log message displays " HOSTNAME" in its place, and I can't seem to get rsyslog to match the hostname correctly.  Sometimes the hostname appears correctly, such as in the service startup messages, like 'Eventlog to Syslog Service Started: ...', but most of the time, for example, when it's a 'Security:' message, the extra space/non-printing character appears in the message.


What version of the product are you using? On what operating system?
Evtsys version: 4.3, both 32-bit and 64-bit
OS: MS Win Server 2003 Enterprise Ed, SP2 (32-bit); MS Win Svr 2003 R2, 64-bit 
Std Ed, SP2;

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 29 Jul 2010 at 6:43

Feature Request: Set different syslog target facilities based on the source of the event.

http://ntsyslog.sourceforge.net/

The above tool, which no longer seems to be being developed, is capable of 
mapping various event types to different syslog facilities.  For instance, 
Security events go to the auth facility, rather than mapping everything to 
daemon or whatever.  Could something like this be added to this software?  It 
would make further processing by something like syslog-ng, logwatch, etc. much 
nicer.

Thanks,
Brian

Original issue reported on code.google.com by [email protected] on 10 Nov 2010 at 10:17

IP-Address or DNS-Hostname

Hi!
Is there a possibility to use the local hostname instead of the IP address in 
the sent syslog message? 

josef


Original issue reported on code.google.com by [email protected] on 18 Nov 2010 at 8:13

Security Event ID 566

What steps will reproduce the problem?
1.Installed on a Win 2003 Domain Controller
2.Facility set to "User"
3.No exclusions

What is the expected output? What do you see instead?
To see Security Event ID 566 on the syslog server.  This event is what 
registers all Active Directory object creation: Users, computers, OU's, etc.  
On my syslog server, I don't see this event pop up at all.

What version of the product are you using? On what operating system?
442 32bit

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 8 Jul 2011 at 1:27

Ability to specify the Maximum message size.

The maximum message size for a syslog message is normally 1024 bytes.
Some syslog implementations like rsyslogd will accept larger message sizes if 
told to even though it's not according the standard.

Request: A way to change the max message size without recompiling the program.


Original issue reported on code.google.com by [email protected] on 13 Dec 2010 at 10:03

Priority is not set right on German servers, all messages have notice

What steps will reproduce the problem?
1. All messages from German servers have priority notice.
2. On English servers the priority depends on the eventlog.

What is the expected output? What do you see instead?
If logons fail on German DCs, I need a priority err.
Instead all messages have priority notice.

What version of the product are you using? On what operating system?
Evtsys_4.3.1_64-Bit


Original issue reported on code.google.com by [email protected] on 11 Oct 2010 at 3:59

SharpDevelop

Is it possible to convert your code to SharpDevelop C#?
Many thanks
Roberto

Original issue reported on code.google.com by [email protected] on 9 Feb 2011 at 11:34

Disk buffer

Hello,

I am currently testing evtsys and it seems to work fine.
As an enhancement, are you planning to add a disk buffer feature, to preserve 
data in case of TCP connection problems?

Thank you,
Pierluigi


Original issue reported on code.google.com by [email protected] on 6 May 2011 at 9:02

does it work on UNICODE?

Aug  2 10:44:00 P Security: 593: P\Administrator: 
宸茬粡閫€鍑烘煇杩囩▼: 杩囩▼ ID: 980 鍥惧儚鏂囦欢鍚? 
C:\mrtg-2.16.2\bin\rateup.exe 鐢ㄦ埛鍚? Administrator 鍩? P 鐧诲綍 ID: 
(0x0,0x10D07)

Original issue reported on code.google.com by [email protected] on 2 Aug 2010 at 2:54

Cannot send application logs

What steps will reproduce the problem?
1. A Windows 2008 server has print service started
2.
3.

What is the expected output? What do you see instead?
The Admin/Operational logs under "Application and Services 
Log"->"Microsoft"->"Windows"->"PrintService" didn't send to the syslog server.

What version of the product are you using? On what operating system?
Windows 2008 R2 64bit. Syslog server: Centos 5.5

Please provide any additional information below.
Many thanks for your time!

Original issue reported on code.google.com by [email protected] on 15 Apr 2011 at 7:25

Performance issues in Windows Server 2008

What steps will reproduce the problem?
1. Install on 2k8 
2. Observe performance when size goes above 50 megabytes

What is the expected output? What do you see instead?
Evtsys uses the EvtQuery API call in 2008, which means that it searches the 
entire log file every five seconds based on the query.  This causes massive 
performance problems.  A better solution is to use the EvtSubscribe API call to 
be notified about new events as they come in.

What version of the product are you using? On what operating system?
Latest from SVN on Windows Server 2008 R2.

Please provide any additional information below.
Here's the API doc for EvtSubscribe:
http://msdn.microsoft.com/en-us/library/aa385487%28v=vs.85%29.aspx

Original issue reported on code.google.com by [email protected] on 13 May 2011 at 7:20

TCP support

An enhancement would be to support TCP delivery to avoid syslog messages 
getting lost in transit, or sending to an offline syslog server.



Original issue reported on code.google.com by [email protected] on 16 Nov 2010 at 11:13

  • Merged into: #9

Cannot initialize access to registry: "Software\ECN\ EvtSys\3.0": The operation completed successfully.

Attempting to run the program results in the following error:


C:\eventlog-to-syslog>evtsys.exe -d -h syslogserver
Checking ignore file...
Jun 28 12:12:08 myserver1 Cannot initialize access to registry: "Software\ECN\
EvtSys\3.0": The operation completed successfully.

Command did not complete due to a failure


This was tested on windows 2000 and 2003 32bit using the contents of 
Evtsys_4.3.0_32-Bit.zip

Original issue reported on code.google.com by [email protected] on 28 Jun 2010 at 4:15
