Download, install, and configure the eventlog-to-syslog client


I’m having some troubles with this, so I ran ‘evtsys.exe -d’ enabled IncludeOnly in the registry, this creates output noted as “IGNORING_EVENT”. I wrote the developer, and until the problem is solved, I can’t use this solution. But you might be able to with syslog-ng!

1) Download the latest version of eventlog-to-syslog for your OS (either 32 or 64 bit, as of November 5th, 2012)

2) Extract the contents of .\32-Bit or .\64-Bit within the ZIP to c:\windows\system32\ (so that c:\windows\system32\evtsys.exe exists). This isn’t great, but the program doesn’t work with the service controller without being in that location.

3) Create a configuration file as you wish to exclude certain event IDs. There are several DFS-R related events I do not wish to log:

echo "DFS Replication":4304 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":4202 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":4302 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":4208 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":5004 >> c:\windows\system32\evtsys.cfg

4) Install evtsys.exe as a service using the native service creation, sending all warning, error or critical events (-l 3):

c:\windows\system32\evtsys.exe -i -h 127.0.0.1 -p 22222 -l 3

5) Start the service and test:
– on the receiving syslog server, tail the syslog:

tail -f /var/log/messages

– Start the service on the Windows/sending server:

sc start evtsys

– Create an event that is logged as an error in the Application event log:

eventcreate /l application /so test /t error /id 1 /d "test event"
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: