- BackLog version 1.6a
- --------------------
- Copyright (c) 2001 InterSect Alliance Pty Ltd.
-
- BackLog is a program that facilitates the central collection and processing of
- Windows NT Event Log information. All three NT event logs (Application, System
- and Security) are monitored, and event information is converted to tab delimited
- text format, then delivered over UDP to a remote server.
-
- BackLog is currently configured to deliver audit information to a SYSLOG server
- running on a remote (or local) machine. A configuration utility allows you to set
- the appropriate syslog target and priority, as well as the target DNS or IP address
- of the server that should receive the audit information.
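
The syslog priority described above travels as a leading `<PRI>` value equal to facility * 8 + severity. The sketch below is an added example, not BackLog's own code: it builds and parses such a datagram with a tab-delimited payload, and shows why the local* facilities must map to codes 16-23 rather than the reserved 12-15 mentioned under version 1.3. The field layout (host, log name, event ID, message) and all sample values are assumptions constructed for illustration; the page does not give BackLog's actual column order.

```python
import re

# RFC 3164 facility codes: local0..local7 are 16..23. Codes 12..15 are
# reserved for other purposes (NTP, log audit, log alert, clock daemon).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, sent as the leading <NNN>."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

def build_datagram(facility, severity, fields):
    """Join event fields with tabs. Tabs and newlines inside a field are
    replaced so event text cannot shift columns or forge a second record."""
    clean = [re.sub(r"[\t\r\n]+", " ", str(f)) for f in fields]
    pri = f"<{encode_pri(facility, severity)}>"
    return (pri + "\t".join(clean)).encode("utf-8")

def parse_datagram(data):
    """Receiver side: decode PRI and split the tab-delimited payload."""
    m = re.match(rb"<(\d{1,3})>(.*)", data, re.S)
    if not m or int(m.group(1)) > 191:  # 191 = local7.debug, the maximum
        raise ValueError("missing or out-of-range PRI")
    code, sev = divmod(int(m.group(1)), 8)
    return {"facility": FACILITY_NAMES.get(code, f"code{code}"),
            "severity": SEVERITIES[sev],
            "fields": m.group(2).decode("utf-8", "replace").split("\t")}

if __name__ == "__main__":
    # Constructed sample event (hypothetical field order and values).
    event = ["HOST1", "Security", "529", "Logon\tfailure\nbad password"]
    dgram = build_datagram("local4", "warning", event)
    print(dgram)
    print(parse_datagram(dgram))
    # A sender that wrongly maps local0 to code 12 emits <102> for "info";
    # the receiver then files it under a reserved facility, not local0.
    print(parse_datagram(b"<102>HOST1\tSystem\t6005\tEvent log started"))
```
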
-
- The BackLog service will automatically start after you have completed the initial
- configuration process. However, a small executable called 'startlog.exe' will run
- first, setting the current audit 'tally' for each of the three audit logs in the
- registry. This step will ensure that the first invocation of the audit service will
- not flood your syslog server with (potentially) multiple megabytes of data.
-
- We also recommend that you configure appropriate access controls on the BackLog
- registry entries using regedt32.exe - perhaps restricting the permission to modify
- the keys and values to Local or Domain Administrators only.
- BackLog stores its registry settings in:
- HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService
-
- Please remember that auditing is a complex area in most modern operating
- systems, and is not often very granular. Turning on significant auditing
- for a system can often produce unpredictable results, and could seriously detract
- from the resources available to the rest of your system or network.
- We recommend that you have a good understanding of exactly what audit information
- is going to be used for, prior to enabling auditing on your servers.
-
- *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING
-
- We recommend that you do NOT set file auditing on the file
- C:\WINNT\System32\MSAUDITE.DLL
- This file is read by the Windows Event Viewer and by BackLog.
- Your system could get into an endless auditing loop.
-
- *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING
-
-
- Version History:
- BackLog 1.0 - initial public release.
- BackLog 1.01 - Included a registry write when the system advises the
- software that system shutdown is pending. Thanks to Adrian Mink
- of FIData for the suggestion.
- BackLog 1.1 - Installation process modified so that service startup is automatic
- on installation, and service will be automatically stopped prior
- to removal.
- BackLog 1.2 - Fixed a loop that did not respond quickly to service exit requests.
- Created a StartLog executable that sets the initial log tally prior
- to first service execution. Thanks to John Yu of Boston University
- for the suggestion.
- BackLog 1.3 - Fixed a nasty problem relating to sending data to local*.
- Syslog identifiers 12-15 were reserved for other purposes.
- BackLog 1.4 - Version 1.3 did not correctly fix the local* problem.
- BackLog 1.5 - Update to cater for events that do not provide a correct audit
- template (eg: sshd for windows).
- MANY thanks to Marc Waller of Buy&Hold for a great deal of debugging
- resources.
- - Also added some extra sanity checks on audit event data.
- - And fixed a problem that causes BackLog to terminate if
- the eventlog buffer setting is very low,
- and a large number of events are being generated.
- BackLog 1.5b - Small update for events that request X inputs to the
- formatmessage string (eg: 10), but only supply X-1 (eg: 9)
- MSExchange application event 5402 is a prime example.
- BackLog 1.6 - A small memory leak has been fixed.
- BackLog 1.6b - A debug release seemed to creep into 1.6, causing debug events
- to be written to c:\backlog.log. This release removes that log file.
-
- You are free to install, use and distribute the software in binary form
- without modification provided the following conditions are met:
-
- 1. Distributions must retain the above copyright notice, this list of
- conditions and the following disclaimer in the documentation and/or
- other materials provided with the distribution.
-
- 2. The end-user documentation provided with the distribution must include the
- following acknowledgement:
- "This product includes software developed by InterSect Alliance Pty Ltd
- (http://www.intersectalliance.com)"
- Alternatively, this acknowledgement may appear in the software itself, if
- and wherever such third-party acknowledgements appear.
-
- 3. THIS SOFTWARE IS PROVIDED 'AS IS', AND ANY EXPRESSED OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
- INTERSECT ALLIANCE PTY LTD BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTANTIVE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
- IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- InterSect Alliance Pty Ltd
- http://www.intersectalliance.com/