Eventlog to Syslog v4.4
Release 4.4.1
Last revised March 8, 2011
This product includes software developed by Purdue University.
The Eventlog to Syslog utility is a Windows service originally created by Curtis Smith at Purdue University. The original utility and source code can be found at the following website:
engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
Version 4 was modified by Sherwin Faria in July 2009 to meet the needs of the Rochester Institute of Technology.
This update of the Eventlog to Syslog client builds upon the original code by offering several bug fixes and some additional features.
Changes in v4.4.1:
•Fixed a bug in the check for whether the Windows Events engine is installed
Changes in v4.4:
•Finally added the ability to send only specified events
•Set Audit Failures to show as Error instead of Notice on Vista/2k8+
•Allow user to specify the minimum severity to process
•Added registry keys to configure the minimum severity and mode
•The keys are LogLevel and IncludeOnly. Both are DWORD values, where 0 means disabled. See this readme for additional details.
Send all comments, questions, bug reports, and requests to:
Sherwin Faria
Rochester Institute of Technology
Information & Technology Services, Bldg. 10
1 Lomb Memorial Drive
Rochester, NY 14623, U.S.A.
sherwin.faria@gmail
TABLE OF CONTENTS
1) Usage
2) Installing the Service
3) Uninstalling the Service
4) Debug Mode
5) Specifying Log Hosts
6) Specifying Syslog Facility
7) Appendix (Includes Changelog)
1. Usage:
Version: 4.4 (32-bit)
Usage: -i|-u|-d [-h host] [-b host] [-f facility] [-p port] [-s minutes] [-l level] [-n]
-i           Install service
-u           Uninstall service
-d           Debug: run as console program
-h host      Name of log host
-b host      Name of secondary log host (optional)
-f facility  Facility level of syslog message
-l level     Minimum level to send to syslog.
             0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info
-n           Include only those events specified in the config file.
-p port      Port number of syslogd
-q bool      Query the DHCP server to obtain the syslog host/port to log to
             (0/1 = disable/enable)
-s minutes   Optional interval between status messages. 0 = Disabled
Default port: 514
Default facility: daemon
Default status interval: 0
Host (-h) required if installing.
2. Installing the Service
The service installs eight registry values in HKLM\SOFTWARE\ECN\EvtSys\3.0:
Facility (DWORD) Default: 3
IncludeOnly (DWORD) Default: 0
LogHost (String) Default: N/A
LogHost2 (String) Default: <empty>
LogLevel (DWORD) Default: 0
Port (DWORD) Default: 514
QueryDhcp (DWORD) Default: 0
StatusInterval (DWORD) Default: 0
If no secondary host is specified LogHost2 is blank.
It also registers itself as a service under the name evtsys and displays in services.msc as "Eventlog to Syslog".
The program must be installed from the command line and must be located in C:\Windows\System32
After you have installed it with the -i switch and specified a log host, you can type net start evtsys to start the service.
To start or stop the service from the command line type: net start evtsys or net stop evtsys
Alternatively you can start the service from the Services control panel in Administrative Tools. Look for "Eventlog to Syslog".
2.1. Using a DHCP Option
The DHCP option is called EventToSyslogDhcpOption. It is in the format
<
Notes: (Courtesy of Damien)
Microsoft Windows has a big problem with non-standard DHCP options,
which need us to "install" a "persistent DHCP request" in order to be able to
I have seen some Windows still not being able to get us the standard
options without using a persistent request, so activating this branch of
code will do the trick; just notice that in order to work, the system will only work after the second boot, because, as said in the MSDN docs, the persistent request is only done at boot time, so the first boot registers the request and the
second boot does it.
For the sake of being completely documented, knowing where to look in
case things go wrong:
HKLM\System\CurrentControlSet\Services\Dhcp\Parameters:
the GUID keys are the GUIDs of the network adapters, and the values are simply the DHCP packets, so look into those values, and you will read the options as passed by the DHCP server (you will recognize the options
Windows says it knows nothing about.. but here they are).
HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\Options:
lists the "options" Windows knows about, kind of factory defaults. Unusable for us, but it is here that you will see new keys appear when you activate
the "persistent request" mechanism.
3. Uninstalling
Uninstalling the service will delete the registry keys created during installation and unregister the Eventlog to Syslog service. All files will remain in their current location.
4. Debug Mode
Debug mode provides additional information on the operation of the service. The following information is displayed while in debug mode:
•The source and ID of an ignored event
•All error messages
5. Specifying Log Hosts
Use command line switches -h and -b to specify your primary and secondary Syslog servers. The -b switch is optional, but -h is required when installing the agent.
You may specify either the hostname or IP address of a host. The utility will convert the hostname into an IP address and store that address into the registry.
6. Specifying Facility
The Syslog protocol specifies 24 facilities:
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
By default the "Eventlog to Syslog" service logs to facility 3, system daemons, but it can be configured to log to whatever facility you specify using the -f switch.
7. Appendix
7.1 The Configuration File
If no configuration file is found a default configuration file is generated with the following contents:
'!!!!THIS FILE IS REQUIRED FOR THE SERVICE TO FUNCTION!!!!
'
'Comments must start with an apostrophe and
'must be the only thing on that line.
'
'Do not combine comments and definitions on the same line!
'
'Format is as follows - EventSource:EventID
'Use * as a wildcard to ignore all ID's from a given source
'E.g. Security-Auditing:*
'
'In Vista/2k8 and upwards remove the 'Microsoft-Windows-' prefix
'**********************:**************************
Note:
In Vista/Server 2008 and onward certain Microsoft-specific publishers have a Microsoft-Windows- prefix attached to them. The "Eventlog to Syslog" utility strips this prefix in order to save space in the sent message. If you want to ignore one of these events then be sure to remove the prefix when you specify it in the configuration file.
7.2 The Status File (Obsolete)
The status file is updated by the agent approximately every two minutes. The agent places a single line in the file in the following format:
Mmm dd hh:mm:ss - Eventlog to Syslog Service Running
You may delete this file at any time and the agent will recreate it at the next interval.
7.3 Minimum Log Level/Severity
The LogLevel registry key limits the events that are processed by the utility. Only logs with a severity less than or equal to the set level will be processed.
The severity ratings are as follows:
Type         Pre-2k8   Vista/2k8+
CRITICAL     N/A       1
ERROR        1 or 2    2
WARNING      3         3
INFORMATION  4         4
AUDIT/ALL    0         0
Note: Since a CRITICAL severity is not available on systems prior to Vista/2k8, Level 1 is mapped to error, which is 2.
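The following is an added illustration (written for this readme, not evtsys source code) of how the config-file rules from section 7.1 and the LogLevel/IncludeOnly rules from section 7.3 combine to decide whether one event is forwarded. The sample config, the function names and the assumption that AUDIT events (level 0) pass any LogLevel are mine.

```python
# Added example, not evtsys source. Rule format, Microsoft-Windows- prefix
# stripping, the LogLevel rule and the pre-2k8 Critical->Error mapping follow
# the readme; function names, sample config and audit handling are assumptions.

PREFIX = "Microsoft-Windows-"

# Severity numbers from the table in section 7.3 (Vista/2k8+ column).
SEVERITY = {"CRITICAL": 1, "ERROR": 2, "WARNING": 3, "INFORMATION": 4, "AUDIT": 0}

# Constructed sample config in the readme's EventSource:EventID format.
SAMPLE_CONFIG = """\
'Comments start with an apostrophe and must be alone on their line.
Security-Auditing:*
Service Control Manager:7036
"""


def parse_config(text):
    """Return (source, event_id) rules; event_id is '*' or a decimal string."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):
            continue                      # blank line or comment
        source, sep, event_id = line.rpartition(":")
        if not sep or not (event_id == "*" or event_id.isdigit()):
            raise ValueError("bad rule: %r" % line)
        rules.append((source.strip(), event_id))
    return rules


def rule_matches(rules, source, event_id):
    """Match one event against the rules, stripping the prefix as the service does."""
    if source.startswith(PREFIX):
        source = source[len(PREFIX):]
    return any(s == source and i in ("*", str(event_id)) for s, i in rules)


def should_forward(rules, source, event_id, event_type, log_level=0,
                   include_only=False, pre_2k8=False):
    """Apply LogLevel first, then IncludeOnly (-n) or ignore mode."""
    if pre_2k8 and log_level == 1:
        log_level = 2                     # no CRITICAL before Vista/2k8: 1 -> 2
    # LogLevel 0 is disabled; otherwise only severity <= LogLevel is processed.
    if log_level and SEVERITY[event_type] > log_level:
        return False
    hit = rule_matches(rules, source, event_id)
    return hit if include_only else not hit
```

With IncludeOnly set, only the listed events are sent; in the default mode the same list is the ignore list, so a wildcard rule such as Security-Auditing:* silently drops every audit record.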