Windows NT Event Logging

This is the README which describes the contents of the CD-ROM accompanying the book Windows NT Event Logging by James D. Murray and published by O'Reilly & Associates.

------------------------------------------------------------------------

Table of Contents

* \BOOK
  o \CH06
  o \CH07
  o \CH08
* \3RDPARTY
  o \ADISCON
  o \AELITA
  o \HEYSOFT
  o \MISSION
  o \PRINCETON
  o \SCORPION
  o \SOMARSOFT
  o \WFC
  o \WGWS
  o \WINPERL5
* O'Reilly Online Catalog
* For Further Information

------------------------------------------------------------------------

\BOOK

The \BOOK directory contains sample projects that are used as code examples in the book. These working samples are provided for your better understanding of the Windows NT event logging service and API, and to allow you to use them as a base for writing your own applications.

\CH06

Chapter 6 discusses the message files and MESSAGETABLE resources used by event sources to store localized and non-localized strings. The code examples in the CH06 subdirectory demonstrate how to construct message files containing event descriptions in single and multiple languages, and how to access message file messages using the FormatMessage Win32 API function.

\LISTMSG
ListMsg is used to list the messages contained within a message file. The index and the language ID of the message may be specified to extract specific messages or a range of messages.

\SAMPLE1
Sample One demonstrates how to create an event, category, and parameter message file using only a single locale (United States English).

\SAMPLE2
Sample Two demonstrates how to create an event, category, and parameter message file using multiple locales.

\SAMPLE3
Sample Three also demonstrates how to create an event, category, and parameter message file using multiple locales, and was the source of several of the code examples in Chapter 6.
\CH07

Chapter 7 details the use of the Windows NT event logging API to read, back up, clear, and monitor the event logs. The code examples in the CH07 subdirectory demonstrate how to implement code in C that performs these operations using the MS-DOS console window.

\BULOGS
BuLogs is a very simple program used to demonstrate how to use the event logging API to back up the Windows NT event logs.

\CLRLOGS
ClrLogs is a very simple program used to demonstrate how to use the event logging API to clear the Windows NT event logs.

\DISPLOG
DispLog displays the record information stored in the Windows NT event logs.

\EVENTSRC
EventSrc locates a specified event source in the registry and returns its associated information.

\FOREBACK
ForeBack demonstrates how to read event records stored in an event log in a forward or backward direction.

\GETMSG
GetMsg is a very simple example of a program that reads messages from a message file.

\GLE
Gle demonstrates how to use FormatMessage to retrieve the system error message associated with a value returned by GetLastError.

\NOTIFY1
Notify1 is a program that uses a single thread to monitor one of the Windows NT event logs for new event reports.

\NOTIFY2
Notify2 is a program that uses a single thread to monitor all three of the Windows NT event logs for new event reports.

\NOTIFY3
Notify3 is a program that uses three threads to monitor all three of the Windows NT event logs for new event reports.

\OLDNEW
OldNew demonstrates how to read the oldest and newest event record from each of the three Windows NT event logs.

\CH08

Chapter 8 details the use of the Windows NT event logging API to add and remove event sources from the registry and report events to the event logging service. The code examples in the CH08 subdirectory demonstrate how to implement code in C, C++ (MFC), Java (Visual J++), Visual Basic 5, Perl 5 for Win32, and the Win32 Foundation Classes. These examples run either as Win32 GUI applications or as MS-DOS console programs.
\C

The C subdirectory contains program code examples written using Standard C. These examples have all been compiled and tested using Microsoft Visual C++ 5.0.

\ADDREM
AddRem is an MS-DOS console program used to demonstrate how to add and remove event sources from the registry.

\WRITELOG
WriteLog is an MS-DOS console program used to report events to the Windows NT event logs. The event log, event type, event and category ID, and parameter strings may all be specified on the command line. WriteLog is similar to the LOGEVENT program found in the Windows NT Resource Kit.

\JAVA

The Java subdirectory contains program code examples written using J++. These examples have all been compiled and tested using Microsoft Visual J++ 1.1 and the J++ SDK 2.01.

\ELAPI
ELAPI demonstrates how to report events from a J++ application.

\ELCLASS
ELCLASS is a simple event logging class that you can use to build full event log maintenance capabilities into your J++ applications.

\MFC

The MFC subdirectory contains program code examples written using C++ and the Microsoft Foundation Classes. These examples have all been compiled and tested using Microsoft Visual C++ 5.0.

\WRITEEVT
WRITEEVT demonstrates how to report events from a Win32 application written using the Microsoft Foundation Classes (MFC).

\PERL5

The PERL5 subdirectory contains program code examples written using Perl 5. These examples have all been compiled and tested using ActiveState's Perl 5 for Win32, Build 316.

\BULOGS
BULOGS is an example Perl program that demonstrates how to back up the event logs.

\FIX
The FIX subdirectory contains the fixed revision of the Perl for Win32 eventlog.pm module file. This fix is courtesy of Philippe Le Berre.

\LEBERRE
The "How To: Using Win32::Packages with Perl 5" page from Philippe Le Berre's Web page.

\WRITEVT
WRITEEVT is an example Perl program used to demonstrate how to report events from a Perl for Win32 program.
\VB5

The VB5 subdirectory contains program code examples written using Visual Basic 5. These examples have all been compiled and tested using Microsoft Visual Basic 5.0, Service Pack 3.

\VB5EL
VB5EL is an example Visual Basic 5 application that reports events using VB5's native event logging methods.

\VB5ELAPI
VB5ELAPI is an example Visual Basic 5 application that reports events using the Windows NT event logging API.

\WFC

The WFC subdirectory contains program code examples written using C++ and the Win32 Foundation Classes. These examples have all been compiled and tested using Microsoft Visual C++ 5.0 and WFC Release 32.

\WRITEEVT
WRITEEVT demonstrates how to report events from a Win32 application using the Win32 Foundation Classes (WFC).

------------------------------------------------------------------------

\3RDPARTY

The \3RDPARTY directory contains many software packages that you may find useful when working with event logging under Windows NT.

------------------------------------------------------------------------

Adiscon GmbH

NTSLog and EvntSLog - The solution for sending Windows NT event log information to a syslog daemon!

NTSLog is a syslog daemon for Windows NT. NTSLog runs on Windows NT Workstation or Server as a service and logs all syslog messages sent to it by other hosts to the Windows NT event logs. It may either run in the foreground (freeware version 1.0 only) or in the background (versions 2.0 and above). NTSLog is designed for people with a mixed Unix and Windows NT™ environment. It is also of use for those running no Unix box but using syslog-enabled devices like routers.

EvntSLog is also a Win32 service that runs in the background and periodically reads the NT event logs, searches for new records, and formats and sends each new event message to a syslog daemon. EvntSLog then sleeps in the background for a specific period of time before waking up to search for more new event log records.
Included on this CD-ROM are NTSLog 2.0 (shareware) and EvntSLog 2.0. Documentation in HTML format is also included.

Adiscon GmbH provides high quality, state of the art IS solutions to medium sized customers in a flexible and timely manner. Adiscon's products are software and services for systems including Windows NT, Unix, and IBM mainframes. For more information, call Adiscon at +49 - 22 35 - 98 50 04 or +49 - 93 41 - 89 81 10, send email to info@adiscon.com, or visit the Adiscon Web site at http://www.adiscon.com.

------------------------------------------------------------------------

Aelita Software Group

EventAdmin - Enterprise Audit Policy and Event Log Manager, and Network Analysis and Security Reporting Tool

EventAdmin gives system administrators a central point for collecting, storing and analyzing the information contained in event logs. Event log information is stored in a central ODBC-compliant database to enable an administrator to centrally analyze events on distributed servers and workstations, to search the stored information, and to create queries to find the critical information. The sample database contains a large number of predefined queries, forms and reports for comprehensive network analysis. If your goals are network analysis, troubleshooting or security assessment, EventAdmin is the answer.

A 30-day evaluation copy of EventAdmin version 2.5 is included on this CD-ROM. You can also download the latest version of EventAdmin from the NTSecurity web page. There you will also find a sample EventAdmin database, and the EventAdmin FAQ and Audit Policy FAQ.

Aelita Software Group is the leading provider of integrated solutions for Windows NT network management and security administration. Aelita's products employ the full range of the new technologies and industry standards in distributed network environments. Aelita's solutions extend and enhance Microsoft Windows NT and BackOffice products, to scale to meet the requirements of enterprise networking.
Aelita's customers include medium-to-large companies worldwide. For more information, contact Aelita via the Internet at support@aelita.net, and visit the Aelita Web site at http://www.aelita.net.

------------------------------------------------------------------------

Frank Heyne Software

ElWiz and EventSave - Event Log Viewing and Maintenance Tools

Elwiz is an event log viewing tool like Windows NT Event Viewer, but with quite a few improvements, including:

* Sort the log you are viewing by Source, Category, Event-ID, Computer or Account.
* Archive events based on filter settings.
* Show new events that have been reported since the last time Elwiz was started.
* Watch specific machines for predefined events based on Event category, Event ID, User ID, machine name, and strings in the event description.
* Show users currently logged on to watched machines.
* Display the uptime and event log settings of all watched machines.
* Display access statistics (number of successful and failed logons, age of the user's password, etc.) of each user.
* Change all event logging policy settings, including the CrashOnAuditFail registry key.

EventSave is used to automatically back up and clear the event log files.

Elwiz version 1.21 and EventSave version 2.4 are included on this CD-ROM.

Frank Heyne Software is also the source for the Report Event for Windows NT software package. This collection of event logging tools evaluates the event log files, reports on specific events (logon/logout, print jobs, RAS, process tracking, etc.), and generates a report on their occurrence and system usage. The Report Event package is downloadable as shareware from the FHS Web page.

You can contact Frank Heyne via the Internet at order@heysoft.de. Also visit the Frank Heyne Software "Windows NT - Event Logging - Problems and Solutions" Web page at www.heysoft.de, and be sure to check out Frank's "The Eventlog of Windows NT" FAQ while you are there.
------------------------------------------------------------------------

LogCaster

LogCaster NT is a real-time monitoring system that provides detection and early warning of system and application-related problems as they occur. Auditing policies are easily enforced, and security breaches as well as access to sensitive data can be identified and prevented.

Included on this CD-ROM is LogCaster 1.6.5 for NT Intel and Alpha. LogCaster NT 1.6.5 features include:

* Real-time Monitoring of NT Event Logs, Services, and TCP/IP Devices.
* Real-time Alerts based on NT Performance Counters.
* Real-time Corrective Actions and Event Filtering.
* Built-in remote shell, reboot scheduling, and services remote control.
* Paging via Email, web paging, dialup paging, and more.
* Sends and receives SNMP traps.
* HTML and ODBC database support.
* Internet enabled by design.
* Automated installation.

For more information on LogCaster contact Current Software Distribution, Inc. at 800-794-9777 Toll Free (US and Canada), +1 215-321-9600 (International and Local), or 215-321-9300 (Fax), or via the Internet at nickc@ntcurrent.com or http://www.ntcurrent.com.

------------------------------------------------------------------------

Mission Critical Software

SeNTry - the Enterprise Event Manager (SeNTry EEM) is the premier Windows NT enterprise event management software tool. SeNTry EEM collects and consolidates important events from multiple sources on computers throughout your organization.
The information SeNTry EEM collects includes:

* Windows NT security, system, and application event log entries
* Microsoft Internet Information Server (IIS) log entries
* Microsoft SQL Server trace log entries
* Missing events
* Performance thresholds
* Capacity planning data
* Service and process state changes
* Application events
* SNMP traps

SeNTry EEM collects information from various sources, applies filters to exclude events you consider unimportant, and forwards the important events to a central collection point. SeNTry EEM issues alerts for critical conditions that you define, classifies each event, and stores the information in a central ODBC-compliant database for future analysis and reporting.

Included on this CD-ROM is SeNTry EEM 2.5.

Mission Critical Software (MCS), Inc., a Microsoft Certified Solution Provider, develops and markets advanced systems management products that simplify and automate the administration of distributed Windows NT enterprise environments, and lower total cost of ownership. You can contact MCS via the Internet at info@missioncritical.com and via the MCS Web page at http://www.missioncritical.com.

------------------------------------------------------------------------

Scorpion Software

A utility that I like to use which has nothing to do with NT event logging is HexEdit. It's a very nice and simple binary editor for Windows 95 and NT. HexEdit was written by John Blackmon; he may be reached at blackmon@gate.net. You can download the latest version of HexEdit via Shareware.Com.

Included on this CD-ROM is HexEdit version 1.01.

------------------------------------------------------------------------

Somarsoft, Inc.

Somarsoft DumpEvt is a Windows NT application used to dump the event logs in a format suitable for importing into a database. It is used as the basis for event log management systems, for long-term tracking of security violations, and so forth.
DumpEvt is similar to the DUMPEL utility found in the Windows NT Resource Kit, but fixes various defects found in that utility that make the output unsuitable for importing into databases.

A DLL version of DumpEvt is also available which allows formatted event log records to be read from Visual Basic. This is quite useful for writing a real-time event monitoring utility.

Included on this CD-ROM are DumpEvt V1.7.3 for Intel, DumpEvt DLL for Intel, and DumpEvt V1.5.2 for Alpha. DumpEvt is distributed as shareware and is fully functional. You can also download the latest version of DumpEvt from the Somarsoft Web page, and contact Somarsoft via email at info@somarsoft.com.

------------------------------------------------------------------------

WFC - Win32 Foundation Classes

WFC is a collection of C++ classes that implement Windows NT-specific support not found in the Microsoft Foundation Classes (MFC). If you use MFC to write Windows NT applications, then you are probably frustrated with MFC's lack of support for creating NT services, reading and writing the event logs, manipulating NT system security, and accessing other NT system facilities. If this sounds like you (or sounds like it may be you in the future), then you will probably be delighted with the features you will find implemented in the WFC.

The WFC was written by Sam Blackburn, because he needed such a class library and nobody else seemed to be writing one. You can find the latest version of WFC (including full documentation and source code) on Sam's home page. Release 35 (09 Jun 98) of the WFC is included on this CD-ROM. You can email Sam at wfc@pobox.com. He's always open to suggestions for additional features.

------------------------------------------------------------------------

West Georgia Web Service

SyslogD Server is a system logging daemon for the Microsoft Windows NT operating system.
SyslogD runs as a native Windows NT service and mimics the SYSLOGD daemon found on most Unix systems. Its features include:

* Receive event reports from routers, firewalls, workstations, and other network hosts.
* Log event reports to the Windows NT event logs or to a text file.
* Start a program on the report of a selected event.

SyslogD Server is shareware and runs on Windows NT 3.51 or 4.0 Workstation or Server. SyslogD Version 1.2 is included on this CD-ROM.

For more information on SyslogD, contact West Georgia Web Service via email at info@wgws.net. The latest version of SyslogD can be downloaded from the WGWS web page at http://www.wgws.net.

------------------------------------------------------------------------

ActiveState

Perl 5 for Win32 is ActiveState's port of most of the functionality found in Perl, with the addition of extra Win32 API specific calls that allow you to take advantage of Windows specific functionality. Perl for Win32 runs on Windows 95 and Windows NT 3.5 and later. (NOTE: Windows NT versions older than 4.0 are not tested with new builds.) The Perl for Win32 package consists of perl.exe, perlx00.dll, documentation, and a collection of extensions that add Win32 functionality.

PerlScript™ is ActiveState's ActiveX scripting engine that allows you to write PerlScript code for any ActiveX compliant host. PerlScript™ is compatible with Internet Explorer 3.0 and 4.0, Microsoft Internet Information Server 3.0 and 4.0, Exchange 5.5 and other ActiveX scripting hosts.

Perl for ISAPI is a DLL that runs Perl CGI programs in process with Microsoft Internet Information Server and other ISAPI compliant Web servers. Perl for ISAPI offers a significant increase in performance over perl.exe by running in process with the server, eliminating the need to launch a separate process to run a Perl CGI program.

The build of Perl for Win32, PerlScript, and Perl for ISAPI included on this CD-ROM is Build 316 and is based on 5.003_07 Core Perl code.
You can always download the latest version of Perl for Win32 directly from ActiveState at http://www.activestate.com. And be sure to check out ActiveState's other Perl tools, including ActivePerl, PerlEx, and the ActiveState Perl Debugger.

You can find more about Perl packages and browse the Perl for Win32 FAQ at http://www.inforoute.capway.com/leberre1/.

------------------------------------------------------------------------

O'Reilly Online Catalog

Perl Resource Kit -- Win32 Edition

The Perl Resource Kit -- Win32 Edition is an essential tool for Perl programmers who are expanding their platform expertise to include Win32, and for Win32 webmasters and system administrators who have discovered the power and flexibility of Perl. The Kit contains some of the latest commercial Win32 Perl software from Dick Hardt's ActiveState company, along with a collection of hundreds of Perl modules that run on Win32, and a definitive documentation set from O'Reilly.

You can order the Perl Resource Kits for both Win32 and Unix directly from the O'Reilly online catalog.

------------------------------------------------------------------------

For Further Information

For the latest information about updates and additions to the contents of this CD, please check the O'Reilly Web site and O'Reilly FTP site.

------------------------------------------------------------------------

Wednesday, 12 August 1998. Copyright © 1998 by O'Reilly & Associates.