One of our networks has just a few production Windows servers on it, and a whole bunch of Linux boxes. Being a Unix sysadmin by trade and inclination, this situation is mostly dreamy except for one thing: auditing the event logs on the Windows servers. We can’t just put our head in the sand and ignore them, but reading through them each morning is beyond tedious and frankly, since we found ourselves in a family way, it makes us nauseous.
We have a central syslog server which has automatic log filtering set up on it. See this article on setting up centralized syslog. We still use logsentry, formerly called logcheck, which is a great and simple log filtering and notification program that was put out by Psionic. When Psionic was purchased by Cisco, the useful free products logsentry and portsentry went into the void. Look around, you can find other free log checking programs. But we digress.
The folks who run Purdue’s Engineering Computer Network have come up with Eventlog to Syslog, a utility which simply outputs event log messages to a syslog server. It is free, and it is easy to install. Download it here. We downloaded the precompiled executable, unzipped it, and followed the simple instructions on the Eventlog to Syslog web page. All that’s required for installation is three steps.
After unzipping the package:
1. Copy evtsys.dll and evtsys.exe to WINNT\system32.
2. cd to that directory and run: evtsys -i -h syslogserver
Where syslogserver is the name of your syslog server 😉 This installs a registry entry for the service.
3. Go to Services in the Management Console or Control Panel, and open up the Eventlog to Syslog service. You can start it up now, and set it to start automatically.
Tail the logs on your syslog server so you can see your Windows box magically logging in clear, plain beautiful text! Test this on your non-production systems before installing on production; remember that all registry changes are potentially hazardous.
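Once the lines are arriving, the point of the central syslog box is to filter them rather than read them. As an added example (not part of the original post or of the evtsys project), here is a small logsentry-style filter in Python run over constructed sample lines of the kind the syslog server receives from a Windows host; the `Source: EventID: message` layout of the forwarded messages is an assumption for this example, not taken from the evtsys documentation.

```python
import re
from collections import Counter

# Constructed sample of what the syslog server receives once evtsys is running.
# The "Source: EventID: message" layout is an assumption for this example.
SAMPLE_LOG = """\
Mar  3 08:01:12 winsrv01 Security: 528: Successful Logon: User Name: alice Logon Type: 2
Mar  3 08:01:40 winsrv01 Security: 529: Logon Failure: Reason: Unknown user name or bad password User Name: bob
Mar  3 08:01:41 winsrv01 Security: 529: Logon Failure: Reason: Unknown user name or bad password User Name: bob
Mar  3 08:01:43 winsrv01 Security: 529: Logon Failure: Reason: Unknown user name or bad password User Name: bob
Mar  3 08:02:05 winsrv02 Security: 517: The audit log was cleared Primary User Name: admin
Mar  3 08:02:30 winsrv02 Print: 10: Document 7 printed on LPT1
"""

# logcheck/logsentry style rule sets: routine events are dropped, known-bad
# events are tagged, and anything else is still reported so nothing is lost.
IGNORE = [re.compile(p) for p in (
    r" Security: 528: ",                       # successful interactive logon
    r" Print: \d+: Document \d+ printed",      # print spooler chatter
)]
VIOLATIONS = [(re.compile(p), label) for p, label in (
    (r" Security: 529: ", "logon-failure"),    # bad user name or password
    (r" Security: 517: ", "audit-log-cleared"),
)]

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")

def triage(log_text, failure_threshold=3):
    """Return (report, summary): report is a list of (severity, host, line);
    summary maps each host whose logon failures reach failure_threshold to its count."""
    report, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            report.append(("unparsed", "-", line))   # never silently drop a line
            continue
        if any(p.search(line) for p in IGNORE):
            continue
        for pattern, label in VIOLATIONS:
            if pattern.search(line):
                report.append((label, m["host"], line))
                if label == "logon-failure":
                    failures[m["host"]] += 1
                break
        else:
            report.append(("unmatched", m["host"], line))  # unknown event: report it
    summary = {h: n for h, n in failures.items() if n >= failure_threshold}
    return report, summary
```

Run it from a cron job over the previous interval's slice of the syslog file and mail the report, the same way logsentry is driven.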
-Urbana Der Ga’had