NTsyslog

Windows NT/2000/XP syslog service

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307

Description:

This program runs as a service under Windows NT based operating systems. It formats all System, Security, and Application events into a single line and sends them to a syslog(3) host.

Example:

Oct 18 21:37:34 test1.sabernet.net security[success] Successful Logon:  User
Name:Administrator  Domain:TEST1  Logon ID:(0x0,0x36D166)  Logon Type:7  Logon Process
:User32    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Work
station Name:TEST1

The package is available for download at:

http://sourceforge.net/projects/ntsyslog/

Synopsis:

    NTsyslog [ -install ] [ -remove ]

Options:

    -install       Installs the service

    -remove        Removes the service

Installation:

Install the service by executing the following command:

	NTsyslog -install

The service will be started automatically by the service control manager during system startup. You can start and stop the service manually from the Services Control Panel.

By default the service runs under the LocalSystem account. The service can be configured to run as a local user with the following rights:

Log on as a service
Manage auditing and security log

The user the service runs as can be configured in the NTsyslog Properties page which can be accessed through the Services Control Panel.

A GUI tool, NTSyslogCtrl is provided to configure what types of messages are monitored and what priority to use for each type.

The priority for each event log type controls the service and facility that the syslog message is sent to. Each log type has a seperate priority. If the priority for a particular key does not exist, as if you were upgrading, or using an old NTSyslogCtrl app, the default is 9, user.alert.

Usually, syslog refers to a "facility" and "severity". These are combined in to a single value called "priority".

To calculate the priorities from normal facility and severity codes:

Take the numeric value for the facility, multiply by 8, and add the numeric value for the severity.

Standard facility and severity values are:

Facility:

(0) kernel			(12) ntp
(1) user			(13) log audit
(2) mail			(14) log alert
(3) system			(15) clock 2
(4) security/auth 1		(16) local 0
(5) syslog			(17) local 1
(6) line printer		(18) local 2
(7) news			(19) local 3
(8) uucp			(20) local 4
(9) clock 1			(21) local 5
(10) security/auth 2		(22) local 6
(11) ftp			(23) local 7

Severity:

(0) emergency			(4) warning
(1) alert			(5) notice
(2) critical			(6) information
(3) error			(7) debug

Note that facility 4, 9, 10, and 15 have different meaning on various systems. Please consult your system manual pages or syslogd documentation.
Complete details are available in RFC 3164. See: http://www.ietf.org/rfc/rfc3164.txt

The NTSyslog service must be stopped and restarted for the Registry settings to take effect. By default all messages are sent using the user.alert priority.

Registry Settings:

The NTSyslogCtrl program is the preferred method of configuring the registry. Editing the registry manually is not required when using the configuration tool.

The syslog host is configured by creating the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog"="loghost.example.com"

An additional syslog host may be configured for redundancy:

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog1"="logbackup.example.com"

The syslog host can be specified by domain name (loghost.example.com) or by IP address (10.123.112.1).

The types of event log messages sent to the syslog host can be configured by setting the dword value for each of the types of messages. All types with a non-zero value will be processed. The included registry file enables all event types for each event log:

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

Version 1.11 and later supports user defined event logs. Simply add the appropriate sub-key and settings to the registry in the same format as the three standard event logs:

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Directory Service]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009