Hello,

>> It's not possible to centralize NT/2000 EventLogs
>> to a single server without commercial third-party
>> software.

That's right. The EventLog service provides no mechanism for transferring EventLog records to other EventLog services by itself. But you could use the EventLog API with certain limitations (see below).

The EventLog API allows you to read/write EventLog records from/to remote EventLog services:

for reading data: OpenEventLog, ReadEventLog
for writing data: RegisterEventSource, ReportEvent

Potentially, there are two possibilities for setting up a central EventLog service for native EventLog data on Windows (we have tested these variants):

1. Read local, write remote: (with EventLog agents on the local NT/2000 systems)
   Read the EventLog records locally from the EventLog service with the API function (OpenEventLog(localhost, ...)) and write the data to the remote "central" EventLog service with the RegisterEventSource(remote host, ...) API call.

2. Read remote, write local: (central service on the system hosting the "central" EventLog)
   Read the EventLog records remotely from the EventLog service with the API function (OpenEventLog(remote host, ...)) and write the data locally to the central EventLog host (RegisterEventSource(localhost, ...)).

Additionally, for writing the data you must configure the possible event sources in the registry on the central EventLog host. Also, you should install the required "EventMessageFiles" for these event sources on the central EventLog host because they contain the message format strings. (These strings are merged into the original message while viewing the events with Event Viewer.)

We have encountered the following problems:

Remote reading is allowed for all EventLog types (Application, System, Security) (you need some special NT/2000 privileges: SE_AUDIT and SE_SECURITY) - so far so good.
But if you try to write the data to the local (central) EventLog service using the RegisterEventSource() and ReportEvent() API calls, the record entry for computer name is set automatically to the name of the central host. There seems to be no way to report events with a specified hostname. So the original hostname is lost. Because of this the record entry "user sid" cannot be interpreted correctly. The EventLog API provides no mechanism for setting the time the event was generated and reported.

While writing remotely to the EventLog (RegisterEventSource(remote host, ...)), the computer name record entry contains the expected value, so the interpretation of the user sid works fine. But now you face another problem: remote writing is not allowed for the Security EventLog (only the local system can write)!

Our conclusions are:

1. you can build a central EventLog if you pay no attention to the Security EventLog (this is unacceptable in most cases)
2. you can build a central database (without EventLog service) for all EventLog types.

These are our experiences, based on reading MSDN, the Knowledge Base and programming. Any other ideas or information are welcome!

> I use ntsyslog (ntsyslog.sourceforge.net) and must say it works pretty
> well for a non-existing tool. And: it's free.

Sorry, but ntsyslog is (content from ntsyslog.sourceforge.net): "This program runs as a service under Windows NT 4.0 and Windows 2000. It formats all System, Security, and Application events into a single line and sends them to a syslog(3) host."

Overall result:
==============
There seems to be no way of setting up a central EventLog using native EventLog API programming on Windows NT/2000 systems.

Birk
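The "read remote, write local" variant discussed in the message above, as an added PowerShell example that is not part of the original post or the ntsyslog project: it drives the .NET System.Diagnostics.EventLog class, which wraps the same OpenEventLog/ReadEventLog and RegisterEventSource/ReportEvent calls, and prepends the original host, time and user to the message text because ReportEvent overwrites the computer name and time with the central host's own values. The remote host name "SRV01", the source name "CentralLog", the 24-hour window and the use of the Application log as the central log are assumptions.

```powershell
# Added example (not from the original post). Assumes a remote host "SRV01",
# a registered source "CentralLog" and the local Application log as the
# central log. Run on the central host with administrative rights (needed
# for CreateEventSource and for the remote read of the Security log).
$RemoteHost = 'SRV01'
$Source     = 'CentralLog'

# One-time registry setup of the event source (the "configure the event
# sources in the registry" step). .NET points the source at its own generic
# EventMessageFile, so the message text is displayed verbatim in Event Viewer.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, 'Application')
}

$Central = New-Object System.Diagnostics.EventLog('Application')
$Central.Source = $Source
$Since = (Get-Date).AddDays(-1)   # assumed window; a real agent keeps a per-log high-water mark

foreach ($LogName in 'System', 'Application', 'Security') {
    # Read remote: OpenEventLog(remote host, ...) / ReadEventLog underneath.
    $Remote = New-Object System.Diagnostics.EventLog($LogName, $RemoteHost)
    foreach ($Entry in ($Remote.Entries | Where-Object { $_.TimeGenerated -gt $Since })) {
        # ReportEvent sets ComputerName and the timestamps to the central host's
        # values, so the fields that would otherwise be lost travel in the body.
        # The account name is used because a raw SID from another host cannot be
        # interpreted on the central host, as the message explains.
        $Body = @(
            "OrigHost=$($Entry.MachineName)",
            "OrigLog=$LogName",
            "OrigSource=$($Entry.Source)",
            "OrigEventID=$($Entry.InstanceId)",
            "OrigTimeGenerated=$($Entry.TimeGenerated.ToString('o'))",
            "OrigUser=$($Entry.UserName)",
            "",
            $Entry.Message
        ) -join "`n"
        # Write local: RegisterEventSource(localhost, ...) / ReportEvent underneath.
        # Writing into the Security log is refused, hence every record, including
        # remote Security records, lands in the central Application log.
        $Central.WriteEntry($Body, $Entry.EntryType, [int]($Entry.InstanceId -band 0xFFFF))
    }
    $Remote.Dispose()
}
```

The event ID is reduced to its low 16 bits because WriteEntry only accepts 0..65535; the full InstanceId is preserved in the body.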
This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 08:38:05 PST