Important Notice: EventwatchNT has been replaced by EventSentry Light.

EventSentry Light is the freeware version of EventSentry, the powerful commercial successor of EventwatchNT.

You can evaluate and use EventSentry for an unlimited amount of time by downloading EventSentry Light. EventSentry Light is 100% freeware, more stable than EventwatchNT and offers more features.

However we recommend upgrading to EventSentry, a professional event log monitoring solution that offers many more features and comes with free support for one year. See www.eventsentry.com for more details.

EventwatchNT is no longer supported by NETIKUS.NET.


 EventwatchNT  v2.33
[ http://www.netikus.net ]   

  Overview
  Benefits
  Technical Benefits
  Functionality
  Freeware
  Requirements
  Security
  Installation / Update
  Configuration
    Syslog configuration
  Command Line Arguments
  Known Problems
  Troubleshooting
  Credits
  Feedback
  Disclaimer
  History


Overview

EventwatchNT is an eventlog monitoring tool. It runs as a Windows NT / Windows 2000 / Windows XP service and waits for new events in the eventlog(s). If a (configurable) event occurs it will be sent to the recipient(s) via SMTP email. EventwatchNT can also receive messages from remote Unix syslog daemons. EventwatchNT will not miss events that occurred during a system boot and will try to resend messages when the network or the SMTP server is unavailable.

Benefits

EventwatchNT informs you of critical eventlog messages in real time. After a new event (or multiple events) has been written to the eventlog by an application or driver, the events including all details will be sent by email. You can even include audit failures in the emails for security purposes. You can rely on EventwatchNT since you will not miss any message, not even during a reboot or a network failure.


Technical Benefits

EventwatchNT runs as a service and does not scan the eventlog at regular intervals, which would consume CPU, memory and/or disk resources. EventwatchNT only becomes active when an event is written to the eventlog. EventwatchNT consumes little memory when active or triggered (depending on the individual Windows NT / Windows 2000 / Windows XP configuration) and almost no memory (~300kb) when idle and waiting for events to occur (depending on the operating system and available memory). The service consists only of one small executable programmed in C++, one messagefile DLL (not mandatory but recommended) and the graphical configuration utility. No complicated installation or reboot is necessary.


Functionality

EventwatchNT can be configured to scan only some eventlogs (system, for example), to only report specific events (errors, for example), and emails can be sent to multiple recipients (with a customizable subject). You can also include events that occurred while EventwatchNT was stopped (e.g. during reboot) and you can also log Unix syslog daemon messages to the eventlog. Messages can be sent in HTML format and can also be reduced in size to be sent to cellphones.


Freeware

EventwatchNT is freeware.

Requirements

Operating System: Windows NT 4.0, Windows 2000 or Windows XP Professional
Privileges: Administrative privileges on the machine where EventwatchNT will be installed


Security

Only administrators are able to install and configure EventwatchNT (the registry key where EventwatchNT stores its configuration is only readable by the SYSTEM account and administrators). This makes it possible for EventwatchNT to be installed on workstations with security auditing enabled. Failed logon attempts and problems will come to your attention immediately.

There are important issues with the Syslog feature of EventwatchNT, please read the Configuration-Syslog section carefully if you plan on using this feature.


Installation / Update

Installation:
The installation is very simple and straightforward. EventwatchNT does not have an installation program; instead the GUI which is used for configuration copies the necessary files and creates the service. No reboot will be necessary. Follow these steps and EventwatchNT will be installed in no time.

  1. Make sure you have administrative rights on the machine where EventwatchNT will be installed
  2. Unpack the compressed zip file to any folder
  3. Make sure that all files from the zipfile (evtwatnt.exe, evtwatnt_msg.dll) are in the same folder as eventwatchnt.exe
  4. Click on eventwatchnt.exe to launch the EventwatchNT configuration and installation program
  5. Make sure you are logged on with an account that has administrative privileges
  6. Click on "Install" to install the service and copy the files to the %systemroot%\system32 folder
  7. Configure the settings (see Configuration later for details)
  8. Click on "Start" to start the service
  9. Click on "Test" to verify that your current settings are working
  10. Click OK to quit the configuration utility

The installation is now complete and the service is configured to START every time Windows NT boots. Just run eventwatchnt.exe if you want to change settings later, but don't forget to RESTART THE SERVICE, as the changes will not become effective otherwise.

Update:
It is very easy to update EventwatchNT since only the service executable itself is affected (unless otherwise stated). Nevertheless I have developed a command-line tool (upd_evtwatnt.exe) to update existing EventwatchNT installations from the command line. It is included in all future EventwatchNT downloads and in the update package. Run:

upd_evtwatnt.exe \\SERVERNAME

to update the EventwatchNT service on the machine \\SERVERNAME (include the "\\"). You will have to make sure that the updated service executable evtwatnt.exe is present in the current directory. The application returns the ERRORLEVEL 0 if the service update was successful, otherwise 2.

If you prefer to update EventwatchNT manually then follow this procedure to update EventwatchNT to a new version:

  1. Stop the EventwatchNT service, you can
      - use the GUI to stop the service
      - use the service control panel
      - use a scripting language, sc.exe ...
  2. Replace the service executable, %systemroot%\system32\evtwatnt.exe with the new file
  3. Start the EventwatchNT service
  4. Replace the GUI application executable, eventwatchnt.exe
In some very rare cases it might be necessary to remove all configuration settings to resolve a problem with a previous version. In this case you can either:


Configuration

Configuration fields are explained here:

Sender Name: Simply the name that appears as the sender of the emails EventwatchNT sends.
Sender Email Address: The email address from which EventwatchNT sends its emails.
Recipients: The recipients of the EventwatchNT emails; separate multiple recipients with a comma.
SMTP Server: The DNS name of the SMTP server EventwatchNT will use to send emails.
Test: Tries to send a test email through the configured SMTP server using the options you specified.

EMail Subject: This is the subject that will appear on each message. The eventlog scanned and the number of events listed in the particular message are appended to the subject, so a subject might look like this:
    NEW EVENTLOG MESSAGE(S) [Application] [4]

Filter Type: The filter can either send everything except certain unimportant messages, or only send certain important messages.
  - Exclude (default): Send all messages except those specified in Filter. This is most likely what you want.
  - Include: Don't send any messages except those that match Filter. This is useful if you are only looking for specific messages.

Filter: You can exclude unimportant eventlog messages by specifying a filter. You can specify multiple text filters by separating them with a comma. If one of the filters appears anywhere in the eventlog entry (including the source, time, ...) the message will not be sent. The filters are case-insensitive.

Eventlogs to monitor: The eventlogs that should be monitored.
Events to report: The severity level of the events you want to receive; others will be ignored.
Test: Creates three eventlog test messages, each with a different severity (INFORMATION, WARNING and ERROR).

Syslog: Log syslog messages received from remote Unix machines in the local Application eventlog. Please see the Syslog Configuration sub-section for more details. Monitoring of the Application eventlog has to be activated for this to work.

Error Logging:
  - Application is enabled by default and logs standard messages to the logfile %systemroot%\evtwatnt.log. Not much is being logged, so turning off this feature is not recommended. This logfile does not usually exceed a few kilobytes.
  - SMTP is disabled by default; enabling this feature will log every SMTP command in the logfile (excluding the message itself). Depending on the number of messages you are "watching" this may increase the size of your logfile tremendously. It is recommended to only use this feature if you are having problems receiving emails from EventwatchNT.

Options:
  - Include Boot Events will make EventwatchNT rescan the eventlog from where it left off when it was stopped the last time. This feature was designed to catch events that occur during a system's boot, since EventwatchNT is not started right away. If you stop and restart EventwatchNT then messages written to the eventlog in the meantime are caught as well. EventwatchNT will not rescan the eventlog if it has been cleared in the meantime.
  - HTML Email will send all messages in HTML format instead of plain text format. Don't get scared, I don't usually fancy HTML mails myself, but this way ERRORs, WARNINGs, ... are colored in a different and more obvious way.
  - Mini Email tries to make the emails as small as possible without losing important information. Only the Source, ID, User (if present) and message are included. All unnecessary characters are omitted.

Start / Stop: Start or stop the EventwatchNT service.
Install / UnInstall: Install the service, copy files and create registry information (UnInstall removes all EventwatchNT

Make sure you restart the service when you change configuration parameters.

You can check if your installation of EventwatchNT is up-to-date by clicking on the "Is a new version available" button in the About EventwatchNT window (left-click the top-left corner). Please note that no information is sent to netikus.net and that you will need a connection to the internet. Also make sure that you are using the GUI configuration utility (eventwatchnt.exe) that came with your service (evtwatnt.exe), otherwise you will get wrong results since both files are independent entities and might be different versions.

Syslog Configuration

Unix syslog daemons, Cisco devices (do you know other ones?) can optionally send syslog messages to remote syslog daemons, making it possible to centralize logging. Syslog messages are sent to port 514 using the connectionless UDP protocol. EventwatchNT can listen on this UDP port 514 and log those incoming messages to the eventlog.

The nature of the UDP protocol makes this feature a little bit dangerous, which is why I added several features to eliminate risks. The FreeBSD manpage nicely compares this feature with a remote disk filling protocol that doesn't require any authentication.

Here is an example: If an attacker were to find out that you are running EventwatchNT on a Windows-based machine with the syslog option activated (NMAP scans UDP ports), he could simply send thousands of (fake) syslog packets which in turn would all be logged by EventwatchNT, filling up your eventlog and (possibly) overwriting other important events. To avoid this, two configuration features were added: Authorized IP addresses and Threshold settings:

Authorized IP addresses / Networks:
You can specify from which IP addresses EventwatchNT will accept packets. Please note that hostnames are not allowed, simply to avoid DNS lookups and since servers generally have static IP addresses. You can enter IP addresses either with or without specifying the subnet bits. For example, if you only want to add two servers with the IP addresses 184.23.22.11 and 184.23.22.43, then simply add those two IP addresses to the list.
If you want to allow a whole subnet, for example the IP addresses 184.23.22.1 - 184.23.22.254, then you will have to add 184.23.22.0/24. If you only want to allow the range 184.23.22.128 - 184.23.22.254 then you can specify 184.23.22.128/25. If this sounds confusing then I recommend buying a book about TCP/IP and/or downloading the (free) Wildpackets IP Calculator.

Please be aware that simply not authorizing a host to send packets doesn't necessarily prevent this host from sending packets using a fake IP address. While faking IP addresses with connection-oriented protocols like TCP is rather difficult, faking them with UDP is rather easy. Therefore pay close attention to the threshold settings.

Threshold settings:
This feature allows you to limit the number of packets EventwatchNT will accept (and in turn log to the eventlog). You can configure how many packets are accepted during a certain time period. You will also have to specify if each remote IP address has its own limit, or if the limit applies to any IP address.

Let's take an example: Your threshold settings are set to each IP address and you entered 5 IP addresses into the authorized IP addresses list. Your thresholds are both set to 60. This essentially means that each of the authorized hosts can send you up to 60 packets in 60 seconds, resulting in a total of 300 packets in 60 seconds. This in turn yields a maximum of 18000 messages per hour - you get my point.
If you set the threshold type to any IP address however, EventwatchNT will only log a maximum of 60 messages per minute, no matter from which IP address they originate.

Please set threshold limits very carefully, and especially consider weekends - attackers seem to find weekends very appealing. If you size your eventlogs reasonably big (I recommend at least 5 MB) and choose careful threshold limits (for example a maximum of 1000 messages per day, i.e. per 86400 seconds) then you should be prepared for the worst.

Error Level Mapping:
Syslog defines 8 error levels: EMERG - ALERT - CRIT - ERR - WARNING - NOTICE - INFO - DEBUG. The Windows eventlog, as you know, only has three: ERROR - WARNING - INFORMATION. But since EventwatchNT logs syslog messages to the Windows eventlog we will have to specify how the syslog error levels correspond to the Windows eventlog error levels. This is what this option is for, and I think it explains itself!
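As an added example (not EventwatchNT's own code) covering the authorized IP list, the threshold settings and the error level mapping above, here is a small Python model of the admission checks a syslog listener like this performs: source check against the page's example addresses, the per-IP versus any-IP threshold, and the 8-to-3 level mapping. The sliding-window counting and the particular mapping table are assumptions; the page does not describe how the tool counts packets, and the mapping is chosen in the GUI.

```python
import ipaddress
import re
from collections import defaultdict, deque

# RFC 3164 severity codes 0..7, in the order the page lists them.
SYSLOG_SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR",
                     "WARNING", "NOTICE", "INFO", "DEBUG"]

# Assumed mapping of the 8 syslog levels onto the 3 Windows event types.
# EventwatchNT lets the administrator choose this in the GUI; this is one
# reasonable choice, not the tool's built-in table.
DEFAULT_LEVEL_MAP = {
    "EMERG": "ERROR", "ALERT": "ERROR", "CRIT": "ERROR", "ERR": "ERROR",
    "WARNING": "WARNING",
    "NOTICE": "INFORMATION", "INFO": "INFORMATION", "DEBUG": "INFORMATION",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(packet):
    """Split a syslog datagram into (facility, severity name, text).
    PRI = facility * 8 + severity. A datagram without a valid PRI is
    treated as <13> (user.notice), as RFC 3164 section 4.3.3 prescribes.
    """
    m = _PRI_RE.match(packet)
    if m and int(m.group(1)) <= 191:
        pri, text = int(m.group(1)), packet[m.end():]
    else:
        pri, text = 13, packet
    return pri // 8, SYSLOG_SEVERITIES[pri % 8], text

class SyslogGuard:
    """Admission checks for one listener: authorized list, threshold, mapping."""

    def __init__(self, authorized, max_packets, period, per_ip=True,
                 level_map=DEFAULT_LEVEL_MAP):
        # Entries with or without subnet bits: "184.23.22.11" becomes a /32.
        self.networks = [ipaddress.ip_network(a, strict=False) for a in authorized]
        self.max_packets = max_packets        # packets accepted ...
        self.period = period                  # ... per this many seconds
        self.per_ip = per_ip                  # True: each sender has its own limit
        self.level_map = level_map
        self._arrivals = defaultdict(deque)   # limit key -> accepted arrival times

    def is_authorized(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.networks)

    def within_threshold(self, src_ip, now):
        # Sliding window (assumption: the page does not say how the tool counts).
        # Per-IP mode keeps one window per sender; "any IP address" mode shares
        # a single window, so spoofed source addresses cannot multiply the limit.
        window = self._arrivals[src_ip if self.per_ip else "*"]
        while window and now - window[0] >= self.period:
            window.popleft()
        if len(window) >= self.max_packets:
            return False
        window.append(now)
        return True

    def accept(self, src_ip, packet, now):
        """Return (eventlog record or None, reason) for one datagram."""
        if not self.is_authorized(src_ip):
            return None, "dropped: source not authorized"
        if not self.within_threshold(src_ip, now):
            return None, "dropped: threshold exceeded"
        facility, severity, text = parse_pri(packet)
        record = {"type": self.level_map[severity], "severity": severity,
                  "facility": facility, "source": src_ip, "message": text.strip()}
        return record, "logged"

if __name__ == "__main__":
    # Constructed sample using the page's own example addresses:
    # two hosts plus the upper half of 184.23.22.0/24, 60 packets per 60 s per IP.
    guard = SyslogGuard(["184.23.22.11", "184.23.22.43", "184.23.22.128/25"],
                        max_packets=60, period=60, per_ip=True)
    print(guard.accept("184.23.22.43", "<34>su: 'su root' failed", 0.0))
    print(guard.accept("184.23.22.5", "<13>not on the list", 0.0))
```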

Configuring /etc/syslog.conf:
Now this is all very nice you might think, but why should your Linux server decide to send you messages? Well, you will have to tell it to do so - and almost every Unix OS uses the file /etc/syslog.conf to configure just that. Since Linux is the easiest I will use it as an example. Follow these steps and your Linux box should be sending your EventwatchNT box messages (all steps have to be performed on the Linux box):
  1. Update the file /etc/hosts so that the Windows box running EventwatchNT can be accessed via its hostname. Check with: ping hostname
  2. Edit the syslog configuration file /etc/syslog.conf and add the following line (you will need to format this line with the correct number of tabs between the two fields):
     *.debug              @yourhostname

     *.debug is an extreme example since it will send you every single message from the Linux box. You can reduce this by choosing a higher level, *.notice for example. If you specify *.level then the syslog daemon will send you all messages from that level and higher ones, but not lower ones. Please see the syslog manpage for more details on how to configure syslog.conf.
  3. Restart the syslog daemon by typing /etc/init.d/syslog restart
As stated before you can configure your Cisco IOS to send messages to a Unix syslog server as well, please search the documentation of your particular Cisco equipment for instructions. Of course EventwatchNT will be your syslog server.



Command Line Arguments

The service executable, evtwatnt.exe, supports only two command line arguments at this time:

START ... to start the service
STOP  ... to stop the service

Simply launching evtwatnt.exe from the command line will show the current service status.


Known Problems

Problem (1): The popup window "evtwatnt.exe - Unable to locate DLL" with the message "The dynamic link library INFOCOMM.dll could not be found in the specified path ...." appears (might occur with other DLLs as well).
Description: EventwatchNT relies on so-called "message files" (which are DLLs) to display the detailed error message. Sometimes, unfortunately, vendor DLLs depend on other DLLs to display the correct message. If one of those "other" DLLs is not found in one of the directories specified in the PATH variable, evtwatnt.exe will complain and not display the correct error message in the email.
Solution: Locate the requested DLL in your directory tree and add the directory where the DLL was found to the system PATH variable. It is recommended that you restart the service or, if this does not resolve the problem, reboot the system.

The particular problem with INFOCOMM.DLL has been solved in version 2.22, you might consider updating.

Problem (2): Sometimes the detailed eventlog messages are missing in emails even though they can be seen with the Eventviewer.
Description: If you have already included the path to the application (see Problem 1) and you are still missing detailed messages, then multiple message DLLs could cause this problem. Some vendors specify multiple message DLLs in the registry, which is not supported by EventwatchNT yet, but will be in the next release. Please be aware that this only affects certain message sources; all other ones are unaffected and always include the full message.
Solution: This problem has been resolved in EventwatchNT 2.2, please update to the latest version!

Problem (3): Even though events from the security eventlog are appearing in the security eventlog they are not being sent by EventwatchNT.
Description: This happens if auditing was enabled after EventwatchNT was started with the Security option enabled.
Solution: Please restart EventwatchNT to also detect Security eventlog messages, or enable auditing before you start EventwatchNT.

Problem (4): When I stop the EventwatchNT service under Windows XP it crashes.
Solution: This problem has been resolved in EventwatchNT 2.21, please update to the latest version!

Problem (5): When I clear an eventlog while the EventwatchNT service is running or after it has been stopped, messages are not being sent to me via email anymore for that particular eventlog.
Description: This is a known problem and has been resolved in version 2.21.
Solution: This problem has been resolved in EventwatchNT 2.21, please update to the latest version!

Problem (6): An application logged several hundred messages to an eventlog within a few seconds. Those messages were not sent to me via email and the EventwatchNT service crashed.
Description: This is a known problem and has been resolved in version 2.21.
Solution: This problem has been resolved in EventwatchNT 2.21, please update to the latest version!

Problem (7): When monitoring DNS, File Replication or Directory Service eventlogs, the recipient address is sometimes changed to a number (like 1009475519); additionally messages logged during a system boot are not reported correctly.
Description: This is a known problem and has been resolved in version 2.22.
Solution: This problem has been resolved in EventwatchNT 2.22, please update to the latest version!

Problem (8): EventwatchNT doesn't send me emails even though I know for sure that my SMTP server works and that all entered data is 100% correct.
Description: This is a known problem with all versions up to and including v2.3.
Solution: This problem has been resolved in EventwatchNT 2.31, please update to the latest version!

Problem (9): EventwatchNT crashes when it scans very large eventlog entries.
Description: This is a known problem with all versions up to and including v2.3. Very large eventlog entries (>4kb), such as certain Win2k directory service audit entries, cause this crash.
Solution: This problem has been resolved in EventwatchNT 2.31, please update to the latest version!

Problem (10): The EventwatchNT service does not start.
Description: This is a known problem with all versions up to and including v2.3. This usually happens on Windows 2000 / Windows XP installations that were upgraded from Windows 9x machines.
Solution: This problem has been resolved in EventwatchNT 2.31, please update to the latest version!

Problem (11): You are unable to receive emails via SMTP and are using version 2.31.
Description: This is a known problem only with version v2.31. It usually happens when a reverse lookup of the configured IP address does not work.
Solution: This problem has been resolved in EventwatchNT 2.32, please update to the latest version!

Problem (12): The service does not send emails.
Description: This is a known problem only with very few SMTP servers that send uncommon greetings. The initial connection timeout has also been increased, since the previous value caused problems with extremely slow SMTP servers.
Solution: This problem has been resolved in EventwatchNT 2.33, please update to the latest version!


Troubleshooting

No problems are known at this point. EventwatchNT was tested successfully under the following configurations (list will be updated accordingly over time, please send me successful installations!):

If you encounter any problems with EventwatchNT then please upgrade to EventSentry or EventSentry Light since EventwatchNT is no longer supported by NETIKUS.NET.

Credits

Lots of thanks to Dieter who helped me get started with C programming, otherwise this would have taken a lot more time or would never have happened. Also lots of thanks to Gernot, Helmut and Juergen (alphabetically ordered :-) ) who helped test and therefore improve the quality of EventwatchNT.

Additional thanks to all users of EventwatchNT who not only reported problems but worked together with me to resolve them.


Feedback

We encourage you to send us any type of feedback. Please send comments, suggestions and ideas to eventsentry@netikus.net and let us know what you think about this application - be it good or bad. Just write "great", "good", "ok" or "crap" if you lack time :-), we'll understand.


Disclaimer

The author of this software is not responsible for any damage, loss of data, downtime or anything else that may result either directly or indirectly from using this application.
By purchasing EventwatchNT you confirm that you have tested the shareware version of EventwatchNT and found it functional. Due to the small amounts of money involved, payments will not be refunded unless the author chooses to do so of his own free will.


History

10th May 2001: Version 1.0 - Distributed to a limited number of users for final testing
22nd May 2001: Version 2.0 - Released at www.netikus.net
12th July 2001: Version 2.1 - New features include:
  • Advanced logging features
  • A simple filter capability
  • Command line arguments to control the service
17th August 2001: Version 2.1 - Re-release: Fixed problems when viewing help with Netscape.
9th September 2001: Version 2.2 - I like to call this version the "Enterprise Version" - the great new features are:
  • Messages created before EventwatchNT starts (usually boot events) are also included
  • EventwatchNT will try to re-send messages for 2 days when the network or the SMTP server becomes unavailable
  • Multiple messagefile DLLs can now be handled as well
  • Emails can be sent in HTML format (with coloring!)
  • The logfile optionally includes a timestamp and can be opened conveniently from the GUI
16th December 2001: Version 2.21 - This version resolves the following problems:
  • Clearing an eventlog while EventwatchNT was running resulted in no more emails being sent for that eventlog
  • Clearing the eventlog after EventwatchNT was stopped sometimes led to problems
  • EventwatchNT would crash if several hundred messages (~500 if HTML was configured, ~1000 otherwise) were logged in an eventlog within a short amount of time (~2 seconds)
  • When running on Windows XP Professional, EventwatchNT would often crash when stopping the service
27th December 2001: Version 2.22 - This version resolves the following problems:
  • The recipient email address is sometimes changed to a number similar to this one: 1009475519
  • When installed on a machine running IIS the popup message (... infocomm.dll could not be found) interrupts the service
27th February 2002: Version 2.3 - This version adds the following new features:
  • Syslog messages (Unix, Linux, Cisco ...) sent to EventwatchNT are logged to the eventlog
  • The filter can now be either inclusive or exclusive
  • Messages can be sent in a mini format suitable for most cellphones
  • Time and date of an event are now taken from the system settings rather than always using European style
  • Little question marks in the GUI explain configuration features
  • You can check for a new version of EventwatchNT from the GUI via the about window
  • A restart button was added to the GUI
The following features were removed:
  • Timestamp logging; the timestamp is now always included when logging is turned on
The following problems were resolved:
  • Logging boot events has been greatly improved
  • Some Win2k message files with the .sys extension were not properly interpreted
  • The shutdown sequence was improved
  • Other minor (and not so minor) problems were fixed
5th May 2002: Version 2.31 - This version adds the following new features:
  • The "Test" SMTP button in the GUI now tries to send an email rather than just connecting to port 25 of the specified SMTP server
The following problems were resolved:
  • The SMTP routine has been rewritten to avoid problems with certain SMTP server implementations
  • EventwatchNT would crash when processing large eventlog entries
  • The EventwatchNT service would not start
14th August 2002: Version 2.32 - The following problems were resolved:
  • A bug in the SMTP routine has been fixed which prevented some users from sending emails; in most cases this was related to reverse lookup problems.
3rd November 2002: Version 2.33 - The following problems were resolved:
  • The connection timeout in the SMTP routine has been increased to one minute
  • The SMTP routine has been fixed to solve a problem connecting to some SMTP servers (e.g. earthlink.net).
  • All versions prior to 2.32 would not release certain thread and registry handles. This problem did not seem to impact systems significantly; however, when running the service continuously for a while, several thousand (unused) handles could accumulate.
  • The date and time of emails would be one hour off if the Daylight Saving Time feature of Windows was in use.
  • As usual other minor bugs have been fixed