I asked this question in SuperUser without much luck and so I am posting it here to see if anyone can assist.

We have a central syslog server and we want it to capture event log events from Windows hosts. We are specifically interested in logging service start/stop events. We installed "Eventlog to Syslog" on these Windows hosts and all works well with XP hosts (events come from the Service Control Manager). However, we are having issues with Win2k hosts. For some reason, service start/stop events do not get logged in the Event Log on Win2k hosts. I got a friend at another company to test on a Win2k host and he does get start/stop events on it. I have searched around for local audit policies I need to enable, but without much luck. Anyone have any ideas?

Thanks in advance.

molecule

2 Answers


Try syslogAgent (http://syslogserver.com/syslogagent.html), which doesn't need any special configuration (I haven't tried eventlog, so I don't know).

If it fails again, then your audit daemon is probably deactivated. Otherwise, the problem is eventlog's configuration. (Maybe this will help you: http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html )

Nikolaidis Fotis

My initial suspicion would be that something like the COM+ or SENS services are disabled or broken on your W2K servers. I'm not certain that either of these would cause your problem but they would be a good place to start. If you are still getting logon\logoff events on the affected systems then this isn't likely to be the cause as those will be disabled if something is wrong with either of these services. It might be worth working through the list of "standard" Windows 2000 services here to see if there is anything significant that is either disabled or failing to start.

You can use SysInternals Process Monitor to try to zero in on anything that is failing when you Start\Stop some services. It may not be able to help in this case, but there's a good chance that if there is an error or an access rights issue preventing the events from being logged, Process Monitor will report it every time you start\stop services.

Another approach that might work, even if you can't figure out how to get the stop\start events themselves to generate events, is to enable auditing on the services. If you are using actual service accounts for the services themselves then you should be able to trap the account logon\logoff events associated with starting\stopping the associated services. This Technet link should get you started if you want to try this.

Helvick
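The two checks Helvick describes (are Service Control Manager start/stop events being written at all, and are service-account logons being audited as a fallback) can be scripted so that the same test is run against every host. The script below is an added example, not code from the question or either answer. It assumes PowerShell 2.0 or later on a machine that has remote Event Log access to the target (PowerShell is not available on Windows 2000 itself, so point it at the Win2k box from a newer host); `$Computer`, `$ServiceName` and `$Hours` are illustrative parameters, and the event IDs are the standard NT5 and Vista+ values.

```powershell
# Added example, not code from the question or either answer.
# Separates "the host never generates the events" from "the events exist but
# are not forwarded to syslog" by reading the logs directly.
# Assumes PowerShell 2.0+ with remote Event Log access (run elevated; the
# Security log needs administrative rights). $Computer, $ServiceName and
# $Hours are illustrative parameters.
param(
    [string]$Computer    = $env:COMPUTERNAME,   # assumption: host to inspect
    [string]$ServiceName = 'Spooler',           # assumption: service to look for
    [int]$Hours          = 24                   # look-back window
)

$since = (Get-Date).AddHours(-$Hours)

# SCM messages use the service's display name ("Print Spooler"), not its
# short name, so resolve it first and fall back to what was given.
$display = (Get-Service -Name $ServiceName -ComputerName $Computer -ErrorAction SilentlyContinue).DisplayName
if (-not $display) { $display = $ServiceName }

# 1. Service Control Manager events in the System log. On Windows 2000/XP/2003
#    the SCM writes 7035 ("was successfully sent a start/stop control") and
#    7036 ("entered the running/stopped state"). These do not depend on any
#    audit policy, so their absence points at the host, not at auditing.
$scm = @(Get-EventLog -LogName System -Source 'Service Control Manager' `
            -ComputerName $Computer -After $since -ErrorAction Stop |
         Where-Object { (7035, 7036) -contains $_.EventID })

if ($scm.Count -gt 0) {
    "{0}: {1} SCM start/stop events since {2}" -f $Computer, $scm.Count, $since
    $scm | Where-Object { $_.Message -match [regex]::Escape($display) } |
        Select-Object TimeGenerated, EventID, Message -First 10 |
        Format-Table -AutoSize
} else {
    "{0}: no SCM 7035/7036 events since {1}." -f $Computer, $since
    "Restart '{0}' and rerun; if still nothing appears, the host is not generating them and the forwarder is not at fault." -f $display
}

# 2. Fallback from the answer above: if services run under dedicated accounts,
#    successful logon auditing records a type 5 (Service) logon when the
#    service starts. NT5 uses 528/540 (logon) and 538 (logoff); Vista and
#    later use 4624/4634. Requires "Audit logon events: Success" to be set.
$svcLogons = @(Get-EventLog -LogName Security -ComputerName $Computer -After $since `
                  -ErrorAction SilentlyContinue |
               Where-Object {
                   ((528, 538, 540, 4624, 4634) -contains $_.EventID) -and
                   $_.Message -match 'Logon Type:\s+5\b'
               })

if ($svcLogons.Count -gt 0) {
    "{0}: {1} service-account logon/logoff events since {2}" -f $Computer, $svcLogons.Count, $since
    $svcLogons | Select-Object TimeGenerated, EventID, EntryType -First 10 | Format-Table -AutoSize
} else {
    "{0}: no type-5 (service) logon events. Either 'Audit logon events' (Success) is off," -f $Computer
    "or the services run as LocalSystem, which does not produce a separate logon event on start."
}
```

Run it once against a working XP host and once against a failing Win2k host after restarting the same service on each; the first block tells you whether the Win2k box is writing anything at all, and the second whether the logon-audit fallback is an option there. On NT5 the relevant policy is Local Security Policy > Audit Policy > Audit logon events; on Vista and later `auditpol /get /category:Logon/Logoff` shows the equivalent subcategories.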