hanhongwen / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog
0 stars 0 forks source link

evtsys.cfg with "Security-Auditing:*" does not stop security-auditing messages #71

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install evtsys as a service
2. Edit evtsys.cfg, adding "Security-Auditing:*" on a new line
3. net start evtsys

What is the expected output? What do you see instead?
Output should not include Security-Auditing messages

What version of the product are you using? On what operating system?
EvtSys_4.4.3_64-Bit on a Windows 2008 R2 domain controller.

Please provide any additional information below.

I still get messages such as:
Oct 11 10:49:48 lph-domain1.libertypumps.com Oct 11 10:49:48 LPH-DOMAIN1 
Security-Auditing: 4634: An account was logged off. Subject: Security ID: 
S-1-5-18 Account Name: LPH-DOMAIN1$ Account Domain: LIBERTYPUMPS Logon ID: 
0x27c7bcea Logon Type: 3 This event is generated when a logon session is 
destroyed. It may be positively correlated with a logon event using the Logon 
ID value. Logon IDs are only unique between reboots on the same computer.

Original issue reported on code.google.com by kingram...@gmail.com on 11 Oct 2012 at 3:28

GoogleCodeExporter commented 9 years ago
Nevermind. Somehow when I edited and saved the file with Notepad++, it was not 
actually saving the file. Issuing a "type evtsys.cfg" from the command line 
showed the file was unchanged. Running notepad from the command line and saving 
the file did change it successfully, then it worked as expected.

I'm not sure why notepad++ is unable to edit the file. Please close this issue.

Original comment by kingram...@gmail.com on 11 Oct 2012 at 4:04

GoogleCodeExporter commented 9 years ago
Thanks for letting me know you found the issue. I will go ahead and close this.

Original comment by sherwin....@gmail.com on 16 Oct 2012 at 2:00