NTsyslog

Windows NT syslog service

Copyright © 1998-1999, Jason R. Rhoads All rights reserved.

This software may be freely copied, modified and redistributed without fee for non-commercial purposes provided that this copyright notice is preserved intact on all copies.

There is no warranty or other guarantee of fitness of this software. It is provided solely "as is". The author disclaims all responsibility and liability with respect to this software's usage or its effect upon hardware or computer systems.
Revisions:

09-May-1999 Version 1.1
18-Oct-1998 Version 1.0

Description:

This program runs as a service under Windows NT 4.0. It formats all System, Security, and Application events into a single line and sends them to a syslog(3) host.

Example:

Oct 18 21:37:34 test1.sabernet.net security[success] Successful Logon:  User Name:jason  Domain:TEST1  Logon ID:(0x0,0x36D166)  Logon Type:7  Logon Process:User32    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Workstation Name:TEST1
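Because every message carries the same user.alert priority, a receiving syslog host cannot separate audit failures from routine events by priority and has to parse the line itself. The following Python parser is an added example, not part of NTsyslog: it splits a line in the format shown above into header fields and the event's key:value pairs and picks out Security-log failures; the "[failure]" tag and the second sample line are assumptions about how Audit Failure events are rendered.

```python
import re

# NTsyslog sends every event as user.alert: facility user (1) * 8 + severity alert (1).
SYSLOG_PRI_USER_ALERT = 1 * 8 + 1  # 9

# Constructed sample lines in the NTsyslog format (one line per event on the wire;
# the README example is merely wrapped). The "[failure]" tag and the whole second
# line are assumptions about how Audit Failure events are rendered.
SAMPLE_LINES = [
    "Oct 18 21:37:34 test1.sabernet.net security[success] Successful Logon:  "
    "User Name:jason  Domain:TEST1  Logon ID:(0x0,0x36D166)  Logon Type:7  "
    "Logon Process:User32    Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Workstation Name:TEST1",
    "Oct 18 21:40:02 test1.sabernet.net security[failure] Logon Failure:  "
    "Reason:Unknown user name or bad password  User Name:guest  Domain:TEST1  "
    "Logon Type:2",
]

# <timestamp> <host> <log>[<type>] <body>, where <log> is one of the three NT event logs.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<log>system|security|application)\[(?P<type>[^\]]+)\] (?P<body>.*)$"
)

def parse_line(line):
    """Split one NTsyslog line into its header and the event's key:value fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None  # not an NTsyslog line (e.g. a fragment wrapped by a viewer)
    # NT separates the event title and its fields with runs of two or more spaces;
    # values themselves may contain single spaces ("Unknown user name ...").
    parts = re.split(r" {2,}", m.group("body"))
    fields = {}
    for chunk in parts[1:]:
        key, sep, value = chunk.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "log": m.group("log"), "type": m.group("type"),
            "event": parts[0].rstrip(":"), "fields": fields}

def failed_logons(lines):
    """Return (user, reason) for Security-log audit failures, ignoring other events."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["log"] == "security" and rec["type"] == "failure":
            hits.append((rec["fields"].get("User Name", "?"),
                         rec["fields"].get("Reason", "?")))
    return hits
```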

The NTsyslog package is available for download at:

http://www.sabernet.net/software/ntsyslog.exe
Installation:

The syslog host is set by creating the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog"="loghost.some.com"

The syslog host can be specified by domain name (loghost.some.com) or by IP address (10.123.112.1).

The types of event log messages sent to the syslog host are configured by setting a DWORD value for each message type under the key for that event log. Every type with a non-zero value is processed. The following Registry file enables all event types for each event log:


[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System]
"Information"=dword:00000001
"Warning"=dword:00000001
"Error"=dword:00000001
"Audit Success"=dword:00000001
"Audit Failure"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security]
"Information"=dword:00000001
"Warning"=dword:00000001
"Error"=dword:00000001
"Audit Success"=dword:00000001
"Audit Failure"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application]
"Information"=dword:00000001
"Warning"=dword:00000001
"Error"=dword:00000001
"Audit Success"=dword:00000001
"Audit Failure"=dword:00000001

The NTSyslog service must be stopped and restarted for the Registry settings to take effect. All messages are sent using the user.alert priority.

Install the service by executing the following command:

    NTsyslog -install

The service will be started automatically by the service control manager during system startup. You can start and stop the service manually from the Services Control Panel.

Synopsis:

    NTsyslog [ -install ] [ -remove ]

Options:

    -install       Installs the service
    -remove        Removes the service

Bug Reports:

Please send bug reports to bugs@sabernet.net.