breakstorm / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog

Windows Server 2003 config file problem #99

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I need to send the logins/logouts of my Windows servers.

Evtsys is working with 64-bit servers (Windows 2008 and later).

My install.bat is:
"c:\windows\system32\xcopy.exe" "64bits\evtsys.exe" "c:\windows\system32" /y
"c:\windows\system32\xcopy.exe" evtsys.cfg "c:\windows\system32" /y
c:\windows\system32\evtsys.exe -i -h 10.140.220.178 -p 5000 -l 0 
sc start evtsys

My config file is:
XPath:Security:<Select Path="Security">*[EventData[Data[@Name='LogonType']='10'] and (System[(EventID='4624')] or System[(EventID='4634')])]</Select>

The problem is with Windows Server 2003. I can't make it work.

My install.bat is:
"c:\windows\system32\xcopy.exe" "32bits\evtsys.exe" "c:\windows\system32" /y
"c:\windows\system32\xcopy.exe" evtsys.cfg "c:\windows\system32" /y
c:\windows\system32\evtsys.exe -i -h 10.140.220.178 -p 5000 -l 0 -n
sc start evtsys

The only config file that works is one with only 1 event ID:
Security:528

How can I send the 528/538 events (with type 10)?
I have tested all of these, and none of them works:
XPath:Security: <Select Path="Security">*[(EventID=528 or EventID=538)]</Select>
XPath:Security: <Select Path="Security">*[EventID=528 or EventID=538]</Select>
XPath:Security: <Select Path="Security">*[EventID="528" or EventID="538"]</Select>
XPath:Security: <Select Path="Security">*(EventID=528 or EventID=538)</Select>
XPath:Security: <Select Path="Security">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:Application:<Select Path="Application">*</Select>
XPath:Setup:<Select Path="Setup">*</Select>
Path:Setup:<Select Path="Setup">*</Select>
XPath:Security:<Select Path="Security">*[EventData[Data[@Name='LogonType']='10'] and (System[(EventID='4624')] or System[(EventID='4634')])]</Select>
Path:Setup:<Select Path="Security">*</Select>
Path:Setup:<Select Path="Setup">*</Select>
Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or @Name='EvtSys'] and (EventID=528 or EventID=538)]]</Select>
XPath:Security: <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or @Name='EvtSys'] and (EventID=1301 or EventID=1302)]]</Select>
Path:Security: <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or @Name='EvtSys'] and (EventID=1301 or EventID=1302)]]</Select>
Path:Security: <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or @Name='EvtSys'] and (EventID=528 or EventID=538)]]</Select>
Path:Security: <Select Path="Security">*[System[(EventID=528 or EventID=538)]]</Select>
Path:Security:<Select Path="Security">*[System[(EventID=528 or EventID=538)]]</Select>
XPath:Security:<Select Path="Security">*[System[(EventID=528 or EventID=538)]]</Select>
Security:<Select Path="Security">*[System[(EventID=528 or EventID=538)]]</Select>
Security:[XPath:Security:<Select Path="Security">*[EventData[Data[@Name='LogonType']='10'] and (System[(EventID='4624')] or System[(EventID='4634')])]</Select>]
XPath:Security:<Select Path=”Security”>*[System[(EventID=528 or EventID=538)]]</Select>
Path:Security:<Select Path=”Security”>*[System[(EventID=528 or EventID=538)]]</Select>

Thanks in advance!

What version of the product are you using? On what operating system?
eventlog-to-syslog 4.5.1 32 bits (large and/or normal)
Windows Server 2003 R2

Original issue reported on code.google.com by davidgm...@gmail.com on 24 Mar 2015 at 8:52