pzbw / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog

Option to use "Applications and Service logs" in Win2008 #48

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. Run e.g. gpupdate in cmd

What is the expected output? 

EVTsys sends the log entries to the syslog server.

I can see that when running this GPupdate-command, the GroupPolicy\Operational 
evt-log gets written to, but EVTsys does not record/send these messages.

What do you see instead?

EVTsys should send the events to the syslog server.
I would like an option to specify which "Applications and Service logs" I would 
like EVTsys to monitor, e.g. in the evtsys.cfg file?! (EVTsys should not by 
default monitor all logs, because there is so much logging going on in these 
logs)

What version of the product are you using? On what operating system?

4.4.0.0

Windows server 2008 R2

Please provide any additional information below.

Original issue reported on code.google.com by jdichm...@gmail.com on 6 Oct 2011 at 8:38

GoogleCodeExporter commented 8 years ago
A solution for this is in the works, and as you mentioned it would be enabled 
by the user on a per-log basis. I hope to have the kinks worked out soon.

Original comment by sherwin....@gmail.com on 20 Oct 2011 at 3:01

GoogleCodeExporter commented 8 years ago
Any updates on this?

Original comment by peter.do...@ddrit.com on 14 Mar 2013 at 4:42

GoogleCodeExporter commented 8 years ago
I would also like to know if there is any status on this. This functionality is 
a critical feature for us as we are attempting to monitor the AppLocker log in 
our case.

Original comment by jameswat...@gmail.com on 10 Apr 2013 at 1:38

GoogleCodeExporter commented 8 years ago
No update. I haven't abandoned development on this, just got caught up in other 
things. Will have to wrap my head around it again to see if I can fix it.

Original comment by sherwin....@gmail.com on 11 Apr 2013 at 6:22

GoogleCodeExporter commented 8 years ago
It's really important to be able to monitor "Applications and Service logs".
I need to monitor TerminalServices for logging on/off/reconnect etc.

Security log does not allow it.... maybe it could if 'logon type' event 
attribute could be filtered.

Original comment by jawojte...@gmail.com on 27 Sep 2013 at 8:33

GoogleCodeExporter commented 8 years ago
Fixed in v4.5.0. You can specify a specific XPath query that you want logged, 
this includes any of the Application and Service logs. You can build the query 
in Event Viewer's custom filter dialog and copy it into your config.

Original comment by sherwin....@gmail.com on 30 Sep 2013 at 4:45

GoogleCodeExporter commented 8 years ago
How would I use XPath for AppLocker logs? I've tried both of the lines below 
but don't seem to be having any success.

XPath:Microsoft-Windows-AppLocker/EXE and DLL:<Select 
Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>

XPath:"Microsoft-Windows-AppLocker/EXE and DLL":<Select 
Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>

We've also tried using specific Event IDs using the format below.

AppLocker:8002
AppLocker:8004
AppLocker:8007
AppLocker:8006
AppLocker:8005

Any ideas? Thanks in advance!

Original comment by paulwe...@gmail.com on 10 Oct 2013 at 3:57
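An added example (not code from the eventlog-to-syslog project or from anyone in this thread) of the defender-side check that helps with the question above: build the QueryList XML in the same shape Event Viewer's custom filter dialog produces, using the AppLocker channel names and event IDs mentioned in the thread, and run it locally with Get-WinEvent -FilterXml before copying it into the config, so a rejected channel name or bad XPath shows up here rather than silently in evtsys.

```powershell
# Added example, not part of the eventlog-to-syslog project.
# Validate an Event Viewer style QueryList/XPath filter against the
# AppLocker channels before pasting it into evtsys.cfg. Channel names and
# event IDs are the ones mentioned in the thread above.

$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
$eventIds = 8002, 8004, 8005, 8006, 8007   # IDs the reporter tried

# One <Select> per channel; the Path must name the channel the events live
# in, otherwise the query is valid XML but matches nothing.
$idFilter = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$selects  = foreach ($c in $channels) {
    "    <Select Path=`"$c`">*[System[($idFilter)]]</Select>"
}
$queryXml = @"
<QueryList>
  <Query Id="0">
$($selects -join "`n")
  </Query>
</QueryList>
"@

Write-Host "QueryList to copy into the XPath config entry:`n$queryXml"

# Run the same query locally. An unknown channel or malformed XPath throws
# here, which is the error to fix before touching the evtsys config.
try {
    $events = Get-WinEvent -FilterXml $queryXml -MaxEvents 20 -ErrorAction Stop
    $events | Select-Object TimeCreated, Id, LogName, Message | Format-Table -AutoSize
} catch {
    if ($_.Exception.Message -match 'No events were found') {
        Write-Host 'Query accepted but no matching events yet; generate an AppLocker event and rerun.'
    } else {
        Write-Warning "Query rejected: $($_.Exception.Message)"
    }
}
```

Reading the AppLocker channels needs an elevated session on most systems, and "No events were found" means the query itself is fine.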