Download, install, and configure the eventlog-to-syslog client

I’m having some trouble with this: I ran ‘evtsys.exe -d’ with IncludeOnly enabled in the registry, and this creates output noted as “IGNORING_EVENT”. I wrote to the developer, and until the problem is solved I can’t use this solution. But you might be able to, with syslog-ng!

1) Download the latest version of eventlog-to-syslog for your OS (either 32 or 64 bit, as of November 5th, 2012)

2) Extract the contents of .\32-Bit or .\64-Bit within the ZIP to c:\windows\system32\ (so that c:\windows\system32\evtsys.exe exists). This isn’t great, but the program doesn’t work with the service controller without being in that location.

3) Create a configuration file listing the event IDs you wish to exclude, one "Source":EventID entry per line. There are several DFS-R related events I do not wish to log:

echo "DFS Replication":4304 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":4202 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":4302 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":4208 >> c:\windows\system32\evtsys.cfg
echo "DFS Replication":5004 >> c:\windows\system32\evtsys.cfg

4) Install evtsys.exe as a service using the built-in service installer (-i), pointing it at the syslog host (-h), using port 22222 (-p) and sending all warning, error or critical events (-l 3). Replace <syslog-server> with the hostname or IP address of your receiver:

c:\windows\system32\evtsys.exe -i -h <syslog-server> -p 22222 -l 3

5) Start the service and test:
– on the receiving syslog server, tail the syslog:

tail -f /var/log/messages

– Start the service on the Windows/sending server:

sc start evtsys

– Create an event that is logged as an error in the Application event log:

eventcreate /l application /so test /t error /id 1 /d "test event"
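To check the forwarding end to end, it helps to look at what arrives on the syslog server with the same exclusion list the Windows side was given in step 3. The following Python script is an added example and is not part of the original post or of the eventlog-to-syslog project: it parses evtsys.cfg entries of the form "Source":EventID (tolerating the trailing space that cmd's `echo ... >> file` leaves behind), parses forwarded syslog lines, drops the excluded (source, event ID) pairs, and confirms the step 5 test event (source "test", ID 1) was received. The syslog line layout `Mon DD HH:MM:SS host Source: EventID: message` and all sample lines are constructed assumptions; adjust the regex if your receiver formats lines differently.

```python
import re

# One evtsys.cfg entry: "Source Name":EventID. Surrounding whitespace is
# stripped first because cmd's `echo "X":1 >> file` writes a trailing space.
CFG_LINE = re.compile(r'^"(?P<source>[^"]+)":(?P<event_id>\d+)$')

# Assumed layout of a forwarded line (RFC 3164 header, then "Source: ID: msg").
SYSLOG_LINE = re.compile(
    r'^(?:<\d{1,3}>)?'                                      # optional PRI, if kept
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '    # timestamp
    r'(?P<host>\S+) '                                        # sending Windows host
    r'(?P<source>[^:]+): (?P<event_id>\d+): (?P<message>.*)$'
)

# Constructed evtsys.cfg content mirroring step 3 (note the trailing spaces).
SAMPLE_CFG = (
    '"DFS Replication":4304 \n'
    '"DFS Replication":4202 \n'
    '"DFS Replication":4302 \n'
    '"DFS Replication":4208 \n'
    '"DFS Replication":5004 \n'
)

# Constructed lines as they might appear in /var/log/messages on the receiver.
SAMPLE_SYSLOG = [
    'Nov  5 10:15:01 WINSRV01 DFS Replication: 4304: The DFS Replication service is stopping.',
    'Nov  5 10:15:02 WINSRV01 test: 1: test event',
    'Nov  5 10:15:03 WINSRV01 DFS Replication: 4202: Staging space usage is above the high watermark.',
    'Nov  5 10:15:04 WINSRV01 Service Control Manager: 7036: The evtsys service entered the running state.',
    'this line is not an evtsys message and is skipped',
]


def parse_cfg(text):
    """Return the set of (source, event_id) pairs listed in an evtsys.cfg."""
    excluded = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CFG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable evtsys.cfg line: {raw!r}")
        excluded.add((m['source'], int(m['event_id'])))
    return excluded


def parse_syslog_line(line):
    """Split one forwarded line into its fields, or return None if it does not match."""
    m = SYSLOG_LINE.match(line.rstrip('\n'))
    if m is None:
        return None
    return {
        'timestamp': m['ts'],
        'host': m['host'],
        'source': m['source'],
        'event_id': int(m['event_id']),
        'message': m['message'],
    }


def filter_events(lines, excluded):
    """Parse every line and keep only events not listed in the exclusion set."""
    kept = []
    for line in lines:
        event = parse_syslog_line(line)
        if event is None:
            continue
        if (event['source'], event['event_id']) in excluded:
            continue
        kept.append(event)
    return kept


def saw_test_event(events, source='test', event_id=1):
    """True if the event created in step 5 (eventcreate /so test /id 1) arrived."""
    return any(e['source'] == source and e['event_id'] == event_id for e in events)


if __name__ == '__main__':
    excluded = parse_cfg(SAMPLE_CFG)
    kept = filter_events(SAMPLE_SYSLOG, excluded)
    for e in kept:
        print(f"{e['host']} {e['source']} {e['event_id']}: {e['message']}")
    print('test event received:', saw_test_event(kept))
```

To run it against a real receiver, replace SAMPLE_SYSLOG with the lines from `tail -f /var/log/messages` and SAMPLE_CFG with the contents of c:\windows\system32\evtsys.cfg; any event that still shows up despite being in the exclusion list indicates the sender is not honouring the configuration file.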

1. March 30, 2017 at 9:15 am

    Any chance you could help my melting mind. I am trying to just configure it to send 4740s to my syslog. I tried so many XPath queries and no success. :(

