I need to send the logins/logouts of my Windows servers.
Evtsys is working with 64-bit servers (Windows 2008 and later).
My install.bat is:
"c:\windows\system32\xcopy.exe" "64bits\evtsys.exe" "c:\windows\system32" /y
"c:\windows\system32\xcopy.exe" evtsys.cfg "c:\windows\system32" /y
c:\windows\system32\evtsys.exe -i -h 10.140.220.178 -p 5000 -l 0
sc start evtsys
My config file is:
XPath:Security:<Select Path="Security">*[EventData[Data[@Name='LogonType']='10'] and (System[(EventID='4624')] or System[(EventID='4634')])]</Select>
The problem is with Windows Server 2003. I can't make it work.
My install.bat is:
"c:\windows\system32\xcopy.exe" "32bits\evtsys.exe" "c:\windows\system32" /y
"c:\windows\system32\xcopy.exe" evtsys.cfg "c:\windows\system32" /y
c:\windows\system32\evtsys.exe -i -h 10.140.220.178 -p 5000 -l 0 -n
sc start evtsys
The only config file that works is one with only 1 event ID:
Security:528
How can I send the 528/538 events (with type 10)?
I have tested all of these, and none of them works:
XPath:Security: <Select Path="Security">*[(EventID=528 or EventID=538)]</Select>
XPath:Security: <Select Path="Security">*[EventID=528 or EventID=538]</Select>
XPath:Security: <Select Path="Security">*[EventID="528" or
EventID="538"]</Select>
XPath:Security: <Select Path="Security">*(EventID=528 or EventID=538)</Select>
XPath:Security: <Select Path="Security">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:Application:<Select Path="Application">*</Select>
XPath:Setup:<Select Path="Setup">*</Select>
Path:Setup:<Select Path="Setup">*</Select>
XPath:Security:<Select
Path="Security">*[EventData[Data[@Name='LogonType']='10'] and
(System[(EventID='4624')] or System[(EventID='4634')])]</Select>
Path:Setup:<Select Path="Security">*</Select>
Path:Setup:<Select Path="Setup">*</Select>
Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or
@Name='EvtSys'] and (EventID=528 or EventID=538)]]</Select>
XPath:Security: <Select
Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or
@Name='EvtSys'] and (EventID=1301 or EventID=1302)]]</Select>
Path:Security: <Select
Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or
@Name='EvtSys'] and (EventID=1301 or EventID=1302)]]</Select>
Path:Security: <Select
Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog' or
@Name='EvtSys'] and (EventID=528 or EventID=538)]]</Select>
Path:Security: <Select Path="Security">*[System[(EventID=528 or
EventID=538)]]</Select>
Path:Security:<Select Path="Security">*[System[(EventID=528 or
EventID=538)]]</Select>
XPath:Security:<Select Path="Security">*[System[(EventID=528 or
EventID=538)]]</Select>
Security:<Select Path="Security">*[System[(EventID=528 or
EventID=538)]]</Select>
Security:[XPath:Security:<Select
Path="Security">*[EventData[Data[@Name='LogonType']='10'] and
(System[(EventID='4624')] or System[(EventID='4634')])]</Select>]
XPath:Security:<Select Path=”Security”>*[System[(EventID=528 or
EventID=538)]]</Select>
Path:Security:<Select Path=”Security”>*[System[(EventID=528 or
EventID=538)]]</Select>
Thanks in advance!
What version of the product are you using? On what operating system?
eventlog-to-syslog 4.5.1 32 bits (large and/or normal)
Windows Server 2003 R2
Original issue reported on code.google.com by davidgm...@gmail.com on 24 Mar 2015 at 8:52
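An added example, not part of the original issue or of the eventlog-to-syslog project: the selection asked for above (events 528/538, or 4624/4634 on newer servers, with logon type 10) can also be made on the syslog collector after forwarding the whole Security log. The message layout `host Source: EventID: text` and the sample lines are assumptions constructed for illustration.

```python
import re

# Legacy Server 2003 IDs and their Vista+ equivalents (legacy ID + 4096).
ACTIONS = {528: "logon", 4624: "logon", 538: "logoff", 4634: "logoff"}
REMOTE_INTERACTIVE = 10  # the logon type the post wants to forward

# Assumed message layout: "... host Source: EventID: message text".
EVENT = re.compile(r"(?P<host>\S+) (?P<source>[\w-]+): (?P<eid>\d+): (?P<text>.*)")
LOGON_TYPE = re.compile(r"Logon Type:\s*(\d+)")
LOGON_ID = re.compile(r"Logon ID:\s*(\S+)")


def parse_rdp_event(line):
    """Return a dict for an RDP logon/logoff line, or None for anything else."""
    m = EVENT.search(line)
    if not m or int(m["eid"]) not in ACTIONS:
        return None
    ltype = LOGON_TYPE.search(m["text"])
    if not ltype or int(ltype.group(1)) != REMOTE_INTERACTIVE:
        return None
    lid = LOGON_ID.search(m["text"])
    return {
        "host": m["host"],
        "event_id": int(m["eid"]),
        "action": ACTIONS[int(m["eid"])],
        "logon_id": lid.group(1) if lid else None,  # lets a logoff be paired with its logon
    }


# Constructed sample lines (not captured evtsys output).
SAMPLE = [
    "<13>Mar 24 08:52:01 SRV2003 Security: 528: Successful Logon: User Name: alice Domain: CORP Logon ID: (0x0,0x1A2B3C) Logon Type: 10 Logon Process: User32",
    "<13>Mar 24 08:53:10 SRV2003 Security: 528: Successful Logon: User Name: svc Domain: CORP Logon ID: (0x0,0x1A2B99) Logon Type: 3 Logon Process: NtLmSsp",
    "<13>Mar 24 09:10:44 SRV2003 Security: 538: User Logoff: User Name: alice Domain: CORP Logon ID: (0x0,0x1A2B3C) Logon Type: 10",
    "<13>Mar 24 09:11:02 SRV2008 Security-Auditing: 4624: An account was successfully logged on. Logon Type: 10 New Logon: Account Name: bob Logon ID: 0x2c4d5e",
    "<13>Mar 24 09:12:30 SRV2003 Security: 540: Successful Network Logon: User Name: alice Logon Type: 3",
]


def filter_rdp(lines):
    """Keep only the type-10 logon/logoff events, in arrival order."""
    return [event for event in map(parse_rdp_event, lines) if event]


if __name__ == "__main__":
    for event in filter_rdp(SAMPLE):
        print(event)
```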