Readme_4.3

Eventlog to Syslog v4.3

Release 4.3

Last revised June 16, 2010

This product includes software developed by Purdue University.

The Eventlog to Syslog utility is a Windows service originally created by Curtis Smith at Purdue University. The original utility and source code can be found at the following website: https://https://www.wendangku.net/doc/ef17336598.html,/ECN/Resources/Documents/UNIX/evtsys/

Version 4 was modified by Sherwin Faria in July, 2009, in order to meet the needs of Rochester Institute of Technology.

This update of the Eventlog to Syslog client builds upon the original code by offering several bug fixes and some additional features.

Changes in v4.3:

- Fixed a crash dealing with ignored events (Thanks to Pavel)
- Got rid of the evtsys.stat file; the status message is sent to the Syslog server instead.
- Added a registry key to control if and when the status message is sent. The key is called StatusInterval, of type DWORD, and holds a time in minutes. 0 means disabled.
- Wildcards now work in the config file for event IDs. To ignore all events from a given source, the format is: SourceName:*

Send all comments, questions, bug reports, and requests to:

Sherwin Faria

Rochester Institute of Technology

Information & Technology Services, Bldg. 10

1 Lomb Memorial Drive

Rochester, NY 14623, U.S.A.

sherwin.faria@https://www.wendangku.net/doc/ef17336598.html,

TABLE OF CONTENTS

1) Usage

2) Installing the Service

3) Uninstalling the Service

4) Debug Mode

5) Specifying Log Hosts

6) Specifying Syslog Facility

7) Appendix (Includes Changelog)

1. Usage:

Version: 4.2 (32-bit)

Usage: evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]

  -i           Install service
  -u           Uninstall service
  -d           Debug: run as console program
  -h host      Name of log host
  -b host      Name of secondary log host (optional)
  -f facility  Facility level of syslog message
  -p port      Port number of syslogd
  -q bool      Query the DHCP server to obtain the syslog host/port to log to (0/1 = disable/enable)
  -s minutes   Optional interval between status messages. 0 = Disabled

Default port: 514
Default facility: daemon
Default status interval: 0

Host (-h) required if installing.

2. Installing the Service

The Service installs four registry values under HKLM\SOFTWARE\ECN\EvtSys\3.0:

  Facility (DWORD)
  LogHost (String)
  LogHost2 (String)
  Port (DWORD)

If no secondary host is specified, LogHost2 is blank.

It also registers itself as a service under the name evtsys and displays in services.msc as “Eventlog to Syslog”.

The program must be installed from the command line and must be located in C:\Windows\System32.

After you have run evtsys.exe with the -i switch and specified a loghost, you can type net start evtsys to start the service.

To start or stop the service from the command line type: net start evtsys or net stop evtsys

Alternatively you can start the service from the Services control panel in Administrative Tools. Look for "Eventlog to Syslog".

2.1. Using a DHCP Option

The DHCP option is called EventToSyslogDhcpOption. It is in the format x.x.x.x.

Notes (Courtesy of Damien):

Microsoft Windows has a big problem with non-standard DHCP options, which need us to "install" a "persistent DHCP request" in order to be able to retrieve them...

I have seen some Windows systems still not being able to get us the standard options without using a persistent request, so activating this branch of code will do the trick. Just notice that in order to work, the system will only work after the second boot, because, as said in the MSDN docs, the persistent request is only done at boot time, so the first boot registers the request and the second boot does it.

For the sake of being completely documented, knowing where to look in case things go wrong:

HKLM\System\CurrentControlSet\Services\Dhcp\Parameters:
the GUID keys are the GUIDs of the network adapters, and the values are simply the DHCP packets, so look into those values and you will read the options as passed by the DHCP server (you will recognize the options Windows says it knows nothing about... but here they are).

HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\Options:
lists the "options" Windows knows about, kind of factory defaults. Unusable for us, but it is here that you will see new keys appear when you activate the "persistent request" mechanism.

3. Uninstalling

Uninstalling the service will delete the registry keys created during installation and unregister the Eventlog to Syslog service. All files will remain in their current location.

4. Debug Mode

Debug mode provides additional information on the operation of the service.

The following information is displayed while in debug mode:

- The source and ID of an ignored event
- All error messages

5. Specifying Log Hosts

Use command line switches -h and -b to specify your primary and secondary Syslog servers. The -b switch is optional, but -h is required when installing the agent.

You may specify either the hostname or IP address of a host. The utility will convert the hostname into an IP address and store that address into the registry.

6. Specifying Facility

The Syslog protocol specifies 24 facilities:

   0  kernel messages
   1  user-level messages
   2  mail system
   3  system daemons
   4  security/authorization messages
   5  messages generated internally by syslogd
   6  line printer subsystem
   7  network news subsystem
   8  UUCP subsystem
   9  clock daemon
  10  security/authorization messages
  11  FTP daemon
  12  NTP subsystem
  13  log audit
  14  log alert
  15  clock daemon
  16  local use 0 (local0)
  17  local use 1 (local1)
  18  local use 2 (local2)
  19  local use 3 (local3)
  20  local use 4 (local4)
  21  local use 5 (local5)
  22  local use 6 (local6)
  23  local use 7 (local7)

By default the "Eventlog to Syslog" service logs to facility 3, system daemons, but it can be configured to log to whatever facility you specify using the -f switch.

7. Appendix

7.1 The Configuration File

If no configuration file is found, a default configuration file is generated with the following contents:

'!!!!THIS FILE IS REQUIRED FOR THE SERVICE TO FUNCTION!!!!
'
'Comments must start with an apostrophe and
'must be the only thing on that line.
'
'Do not combine comments and definitions on the same line!
'
'Format is as follows - EventSource:EventID
'Use * as a wildcard to ignore all ID's from a given source
'E.g. Security-Auditing:*
'
'In Vista/2k8 and upwards remove the 'Microsoft-Windows-' prefix
'**********************:**************************

Note:

In Vista/Server 2008 and onward, certain Microsoft-specific publishers have a Microsoft-Windows- prefix attached to them. The "Eventlog to Syslog" utility strips this prefix in order to save space in the sent message. If you want to ignore one of these events, be sure to remove the prefix when you specify it in the configuration file.
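As an added example (not code from the evtsys project), the Python below parses an ignore list in the format described above and applies the matching rule from the note: the Microsoft-Windows- prefix is stripped from the event's publisher before comparing, and a '*' rule matches every ID from that source. The sample configuration is constructed for the example.

```python
# Added example, not part of the evtsys project: parse the ignore-list file
# described in section 7.1 and decide whether an event should be dropped.

PREFIX = "Microsoft-Windows-"   # publisher prefix the agent strips (section 7.1 note)

# Constructed sample configuration in the README's format: comment lines start
# with an apostrophe, definitions are EventSource:EventID, '*' means all IDs.
SAMPLE_CONFIG = """'Logon and logoff events from this source are too noisy
Security-Auditing:4624
Security-Auditing:4634
'Drop everything from this source
Service Control Manager:*
"""


def parse_ignore_config(text):
    """Return a list of (source, event_id) rules; event_id is an int or '*'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue                      # blank or comment-only line
        if ":" not in line:
            raise ValueError("line %d: expected EventSource:EventID" % lineno)
        source, _, event_id = line.rpartition(":")   # the ID follows the last colon
        source, event_id = source.strip(), event_id.strip()
        if event_id == "*":
            rules.append((source, "*"))
        elif event_id.isdigit():
            rules.append((source, int(event_id)))
        else:
            raise ValueError("line %d: bad event ID %r" % (lineno, event_id))
    return rules


def strip_prefix(source):
    """Mirror the agent: drop the Microsoft-Windows- prefix from the publisher name."""
    return source[len(PREFIX):] if source.startswith(PREFIX) else source


def is_ignored(rules, source, event_id):
    """True if an event from `source` with `event_id` matches any rule."""
    src = strip_prefix(source)
    return any(rule_src == src and rule_id in ("*", event_id)
               for rule_src, rule_id in rules)


if __name__ == "__main__":
    rules = parse_ignore_config(SAMPLE_CONFIG)
    print(is_ignored(rules, "Microsoft-Windows-Security-Auditing", 4624))  # True
    print(is_ignored(rules, "Microsoft-Windows-Security-Auditing", 4625))  # False
```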

7.2 The Status File (Obsolete)

The status file is updated by the agent approximately every two minutes. The agent places a single line in the file in the following format:

Mmm dd hh:mm:ss - Eventlog to Syslog Service Running

You may delete this file at any time and the agent will recreate it at the next interval.

7.3 Miscellaneous

7.3.1 Maximum message size

The maximum size of a Syslog message is defined as 1024 bytes. Anything beyond this threshold is truncated.
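As an added example covering section 6 and this section (not code from the evtsys project), the Python below computes the RFC 3164 PRI from a facility and severity, lays out a BSD-syslog line with the hostname after the timestamp and the source as a space-free TAG (as the v4.2 changelog describes), and truncates the encoded line to 1024 bytes without splitting a UTF-8 character. The severity value and the exact field layout are assumptions for the example; the README does not state them.

```python
# Added example, not part of the evtsys project: build a BSD-syslog
# (RFC 3164) line in the layout the README describes, and enforce the
# 1024-byte limit without cutting a UTF-8 character in half.
import datetime

MAX_SYSLOG_BYTES = 1024
FACILITY_DAEMON = 3            # the service's default facility (section 6)
SEVERITY_INFO = 6              # assumed severity; the README does not name one
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity, e.g. daemon.info = 30."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def bsd_timestamp(when):
    """'Mmm dd hh:mm:ss' with the day space-padded, as RFC 3164 requires."""
    return "%s %2d %02d:%02d:%02d" % (MONTHS[when.month - 1], when.day,
                                      when.hour, when.minute, when.second)


def truncate_utf8(data, limit):
    """Cut `data` to at most `limit` bytes, dropping any split trailing character."""
    if len(data) <= limit:
        return data
    cut = data[:limit]
    i = len(cut) - 1
    while i >= 0 and (cut[i] & 0xC0) == 0x80:   # walk back over continuation bytes
        i -= 1
    if i < 0:
        return b""
    lead = cut[i]
    need = 1 if lead < 0x80 else 2 if lead < 0xE0 else 3 if lead < 0xF0 else 4
    return cut[:i] if len(cut) - i < need else cut   # incomplete sequence: drop it


def build_message(facility, severity, when, hostname, source, text):
    """Hostname follows the timestamp (v4.2); the TAG is the source with spaces removed."""
    tag = source.replace(" ", "")
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), bsd_timestamp(when),
                                   hostname, tag, text)
    return truncate_utf8(line.encode("utf-8"), MAX_SYSLOG_BYTES)


if __name__ == "__main__":
    when = datetime.datetime(2010, 6, 16, 12, 0, 0)     # constructed timestamp
    print(build_message(FACILITY_DAEMON, SEVERITY_INFO, when, "host1",
                        "Service Control Manager", "constructed sample text"))
```

A message that is exactly at the limit is left intact; only a message that overflows loses its tail, and never a partial multi-byte character.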

7.3.2 Polling interval

The “Eventlog to Syslog” service polls for messages every 5 seconds.

7.3.3 Timestamps

Event timestamps are captured from the event itself.

The agent generates its own timestamps for error and informational messages.

7.4 Compiling

Compiling the service requires Microsoft Visual Studio. I use 2008, but earlier versions should also work.

You can change the type of compile you are doing using the vcvarsall.bat script. Details can be found at this site:

https://www.wendangku.net/doc/ef17336598.html,/en-us/library/x4d2c09s%28VS.80%29.aspx

1. Open the appropriate Visual Studio Command Prompt (there may be 32-bit and 64-bit shortcuts): Start > Programs > Visual Studio 200x > Visual Studio Tools
2. Navigate to the directory containing the source files.
3. Type nmake.
4. Wait for the task to complete. All you will need is evtsys.exe and evtsys.dll. An evtsys.pdb file is also created for debugging, if you choose to keep it.
5. Once completed you can type nmake clean to delete all created files, but be sure to move evtsys.exe and evtsys.dll first, as those will also be deleted.

7.5 Changelog

Changes in v4.3:

- Fixed a crash dealing with ignored events (Thanks to Pavel)
- Wildcards now work in the config file for event IDs. To ignore all events from a given source, the format is: SourceName:*
- Got rid of the evtsys.stat file; the status message is sent to the Syslog server instead.
- Added a registry key to control if and when the status message is sent. The key is called StatusInterval, of type DWORD, and holds a time in minutes. 0 means disabled.

Changes in v4.2:

- Thanks to Damien Mascre for his help with this update (UTF-8 and DHCP)
- Added UTF-8 support, so messages are now sent using UTF-8 encoding. Note: Tested using Syslog Watch Personal. Had to force UTF-8 codepage.
- Added hostname immediately after timestamp to comply with RFC-3164
- Added ability to use a DHCP option to set syslog server (by Damien)
- Removed spaces from event source (tag) field in sent message

Changes in v4.0:

- Added ability to ignore specific events
- Added a status file for monitoring service operation
- Added event's timestamp to outgoing messages
- Added compatibility with the Vista/Server 2008 Windows Events service
- Added ability to send to two Syslog servers simultaneously
- Fixed a possible memory exception with bad message definitions
- Fixed a bug where utility would not search all message files
