EvtSYS
Eventlog to Syslog Service for Windows
This project is a fork of the eventlog-to-syslog project. It started life as part of an internal project to monitor who was logged in where and when, and I wasn't actually planning on releasing it - but here it is.
The main difference is that it treats Windows auth events differently. If you are a Windows admin you know how many auth events happen on a Windows server. This version of EvtSys condenses these auth messages so they include only the username, workstation and IP address of the auth event. It also makes an attempt (a lazy one) to filter out service-type logins to further reduce spam.
The second big difference is that there is an installer; the NSIS script is included in the source. You can use the installer to install and configure the service, or you can modify the NSIS script with your settings and build a silent installer.
Config Changes (evtsys.cfg)
While the format remains largely unchanged, there are two key differences:
- Include and exclude supported in the same file
- Additional field on XPath lines to define behavior
There are two line formats in the evtsys.cfg file: Include and Exclude.
Include lines start with "XPath" and have the form
XPath:[default|login]:<Application>:<XPath statement>
Note that the XPath has the same limitations that apply when filtering the event log in Event Viewer.
You may find it helpful to use Create Custom View within Event Viewer to build the XPath expression.
Exclude lines simply have an application and an event ID:
<Application>:<EventID>
Example Config - Ignores some common/frequent SQL events
MSSQL$MICROSOFT##SSEE:17137
MSSQL$MICROSOFT##SSEE:2803
MSSQL$MICROSOFT##SSEE:18264
MSSQL$MICROSOFT##SSEE:3197
MSSQL$MICROSOFT##SSEE:3198
XPath:default:Application:<Select Path="Application">*</Select>
XPath:login:Security:<Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
XPath:default:Setup:<Select Path="Setup">*</Select>
XPath:default:System:<Select Path="System">*</Select>
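The following is an added example, not code from EvtSYS itself: a small Python parser and linter for the two evtsys.cfg line formats described above. It is useful for checking a config before deploying it to many hosts, since a typo in the mode field or a non-numeric event ID would otherwise only show up as missing or unfiltered syslog traffic. The sample config is constructed from the example above. Blank-line skipping, the comparison of the Select Path attribute against the application field, and the error messages are assumptions of this example and not documented behavior of the service.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed sample in the evtsys.cfg format (mirrors the README example; not the project's own file)
SAMPLE_CFG = """\
MSSQL$MICROSOFT##SSEE:17137
MSSQL$MICROSOFT##SSEE:2803
XPath:default:Application:<Select Path="Application">*</Select>
XPath:login:Security:<Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
XPath:default:System:<Select Path="System">*</Select>
"""

VALID_MODES = ("default", "login")
PATH_ATTR = re.compile(r'<Select\s+Path="([^"]+)"')


@dataclass
class IncludeRule:
    mode: str          # "default" or "login" (login = condensed auth-event handling)
    application: str   # event log / channel name, e.g. "Security"
    xpath: str         # XPath statement, same limits as an Event Viewer custom view


@dataclass
class ExcludeRule:
    application: str   # event source, e.g. "MSSQL$MICROSOFT##SSEE"
    event_id: int


Rule = Union[IncludeRule, ExcludeRule]


def parse_line(line: str) -> Rule:
    """Parse one non-blank config line into a rule, or raise ValueError."""
    if line.startswith("XPath:"):
        # maxsplit=3 keeps any ':' inside the XPath statement intact
        parts = line.split(":", 3)
        if len(parts) != 4 or not parts[2] or not parts[3]:
            raise ValueError(f"malformed include line: {line!r}")
        _, mode, app, xpath = parts
        if mode not in VALID_MODES:
            raise ValueError(f"unknown mode {mode!r}; expected default or login")
        return IncludeRule(mode, app, xpath)
    # Exclude line: <Application>:<EventID>. Split on the LAST ':' so source
    # names containing '$' or '#' are kept whole and the ID is always the tail.
    app, sep, event_id = line.rpartition(":")
    if not sep or not app or not event_id.isdigit():
        raise ValueError(f"malformed exclude line: {line!r}")
    return ExcludeRule(app, int(event_id))


def parse_config(text: str) -> Tuple[List[IncludeRule], List[ExcludeRule]]:
    """Parse a whole config, reporting the line number of the first bad line."""
    includes: List[IncludeRule] = []
    excludes: List[ExcludeRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines skipped (assumption of this example)
        try:
            rule = parse_line(line)
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None
        if isinstance(rule, IncludeRule):
            includes.append(rule)
        else:
            excludes.append(rule)
    return includes, excludes


def lint(includes: List[IncludeRule]) -> List[str]:
    """Warn when the Select Path does not match the application field (assumed convention)."""
    warnings = []
    for rule in includes:
        match = PATH_ATTR.search(rule.xpath)
        if not match:
            warnings.append(f"{rule.application}: no <Select Path=...> element found")
        elif match.group(1) != rule.application:
            warnings.append(f"{rule.application}: Select Path is {match.group(1)!r}")
    return warnings


def is_excluded(excludes: List[ExcludeRule], application: str, event_id: int) -> bool:
    """True if an event from this source with this ID would be dropped by an exclude line."""
    return any(r.application == application and r.event_id == event_id for r in excludes)


if __name__ == "__main__":
    inc, exc = parse_config(SAMPLE_CFG)
    print(f"{len(inc)} include rules, {len(exc)} exclude rules")
    for warning in lint(inc):
        print("warning:", warning)
```

Run it against your own evtsys.cfg by replacing SAMPLE_CFG with the file contents; a ValueError names the offending line, and lint warnings point at include lines whose Select Path disagrees with the application field.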