EvtSYS

Eventlog to Syslog Service for Windows

This project is a fork of the eventlog-to-syslog project. It started life as part of an internal project to monitor who was logged in where and when, and I wasn't actually planning on releasing it - but here it is.

The main difference is that it treats Windows auth events differently. If you are a Windows admin you know how many auth events happen on a Windows server. This version of EvtSys condenses these auth messages so they only include the username, workstation and IP address of the auth event. It also makes an attempt (a lazy one) to filter out service-type logins to further reduce spam.

The second big difference is that there is an installer - the NSIS script is included in the source. You can use the installer to install and configure the service, or you can modify the NSIS script with your settings and build a silent installer.

Config Changes (evtsys.cfg)

While the format remains largely unchanged, there are two key differences:
  • Include and exclude supported in the same file
  • Additional field on xpath lines to define behavior

There are two line formats in the evtsys.cfg file - Include and Exclude.

Include lines start with "XPath" and are in the form:

XPath:[default|login]:<Application>:<XPath statement>

Note that the XPath has the same limitations that apply when filtering the event log using the Event Viewer.

You may find it helpful to use Create Custom View within Event Viewer to build the XPath expression.

Exclude lines simply have an application and the event ID:

<Application>:<EventID>

Example Config - Ignores some common/frequent SQL events

MSSQL$MICROSOFT##SSEE:17137
MSSQL$MICROSOFT##SSEE:2803
MSSQL$MICROSOFT##SSEE:18264
MSSQL$MICROSOFT##SSEE:3197
MSSQL$MICROSOFT##SSEE:3198
XPath:default:Application:<Select Path="Application">*</Select>
XPath:login:Security:<Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
XPath:default:Setup:<Select Path="Setup">*</Select>
XPath:default:System:<Select Path="System">*</Select>
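The following parser/validator for the two evtsys.cfg line formats above is an added example, not code from the EvtSys project. The sample config it parses is constructed (the example config from this README plus two deliberately broken lines), and the check that the Select Path names the same log as the application field is an assumption added here, not something the project documents.

```python
MODES = {"default", "login"}  # second field of an XPath (include) line

def parse_cfg(text):
    """Parse evtsys.cfg text into a dict of exclude rules, include rules and errors."""
    cfg = {"excludes": set(), "includes": [], "errors": []}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are tolerated
        if line.startswith("XPath:"):
            # Include line: XPath:[default|login]:<Application>:<XPath statement>
            parts = line.split(":", 3)
            if len(parts) != 4 or parts[1] not in MODES or not parts[2]:
                cfg["errors"].append(f"line {n}: malformed include line")
                continue
            _, mode, app, xpath = parts
            # Sanity check added here (not from evtsys): Select Path should name the <Application> log.
            if not xpath.startswith(f'<Select Path="{app}">'):
                cfg["errors"].append(f"line {n}: Select Path does not match {app!r}")
                continue
            cfg["includes"].append((mode, app, xpath))
        else:
            # Exclude line: <Application>:<EventID>. Split on the last colon since
            # application names like MSSQL$MICROSOFT##SSEE hold unusual characters.
            app, sep, event_id = line.rpartition(":")
            if not sep or not app or not event_id.isdigit():
                cfg["errors"].append(f"line {n}: malformed exclude line")
                continue
            cfg["excludes"].add((app, int(event_id)))
    return cfg

def is_excluded(cfg, app, event_id):
    """True if an event with this application and ID is dropped by an exclude line."""
    return (app, event_id) in cfg["excludes"]

def include_mode(cfg, app):
    """'default' or 'login' for a log covered by an include line, else None."""
    return next((m for m, a, _ in cfg["includes"] if a == app), None)

# Constructed sample: the README's example config plus two deliberately bad lines.
SAMPLE_CFG = """\
MSSQL$MICROSOFT##SSEE:17137
MSSQL$MICROSOFT##SSEE:2803
MSSQL$MICROSOFT##SSEE:18264
XPath:default:Application:<Select Path="Application">*</Select>
XPath:login:Security:<Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
XPath:default:System:<Select Path="System">*</Select>
XPath:verbose:System:<Select Path="System">*</Select>
XPath:default:System:<Select Path="Security">*</Select>
"""
```

Running parse_cfg over SAMPLE_CFG accepts the three excludes and the first three includes and reports the last two lines as errors, which is the kind of check worth running before deploying a modified config to a fleet of servers.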

Downloads (github)

Documentation

  • Central Logging guide
    Build a logging server where the messages generated by evtsys can be stored.
  • Work In Progress