I believe there is a minor bug in 5.0beta when including the RAW message field (at least for the file logging). To test the validity of information captured and stored by WinSysLog, I used NTSYSLOG as the agent on my workstation and WinSysLog 5.0beta (downloaded today) on my server.
The following line gets logged into the file:
2003-08-14,17:19:32,2003-08-14,17:18:53,10.92.12.169,1,1,Aug 14 13:18:53 10.92.12.169 538538 XXXX\TAYLORGO User Logoff: User Name:TAYLORGO Domain:XXXX Logon ID:(0x0,0xDE539C) Logon Type:7
Note that immediately after the IP address in the raw message, there are two occurrences of the eventID. The same thing happens with all events coming from the system so I thought it was the fault of NTSYSLOG. To confirm, I ran NetCat to listen with the following result:
D:\DATA\u>nc -L -p 514 -u -v -v -s 10.92.12.98
listening on [10.92.12.98] 514 ...
connect to [10.92.12.98] from Y3Z7843B [10.92.12.169] 3258
<9>Aug 14 13:10:56 security[success] 528 XXXX\TAYLORGO Successful Logon: User
Name:TAYLORGO Domain:XXXX Logon ID:(0x0,0xDE4711) Logon Type:7 Logon Process
:User32 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workst
ation Name:Y3Z7843B
Hmmmm… Different result, only a single occurrence of the eventid. So, to rule out the possibility of non-displayable hex characters getting in the way, I had the output pumped to a hex file using NetCat's -o parameter (rather than change the hex value for my obfuscated domain name for this posting, I just replaced these with hex 00). Somehow, winsyslog is duplicating this data. I'm not sure if it's always the same offset on the line, because I don't have a machine available with a longer/shorter IP address.
D:\DATA\u>nc -L -p 514 -u -v -v -s 10.92.12.98 -o test.txt
listening on [10.92.12.98] 514 ...
connect to [10.92.12.98] from Y3Z7843B [10.92.12.169] 3265
<9>Aug 14 13:17:44 security[success] 528 XXXX\TAYLORGO Successful Logon: User
Name:TAYLORGO Domain:XXXX Logon ID:(0x0,0xDE5078) Logon Type:7 Logon Process
:User32 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workst
ation Name:Y3Z7843B ^C
D:\DATA\u>type test.txt
< 00000000 3c 39 3e 41 75 67 20 31 34 20 31 33 3a 31 37 3a # <9>Aug 14 13:17:
< 00000010 34 34 20 73 65 63 75 72 69 74 79 5b 73 75 63 63 # 44 security[succ
< 00000020 65 73 73 5d 20 35 32 38 20 00 00 00 00 5c 54 41 # ess] 528 XXXX\TA
< 00000030 59 4c 4f 52 47 4f 20 20 53 75 63 63 65 73 73 66 # YLORGO Successf
< 00000040 75 6c 20 4c 6f 67 6f 6e 3a 20 20 55 73 65 72 20 # ul Logon: User
< 00000050 4e 61 6d 65 3a 54 41 59 4c 4f 52 47 4f 20 20 44 # Name:TAYLORGO D
< 00000060 6f 6d 61 69 6e 3a 00 00 00 00 20 20 4c 6f 67 6f # omain:XXXX Logo
< 00000070 6e 20 49 44 3a 28 30 78 30 2c 30 78 44 45 35 30 # n ID:(0x0,0xDE50
< 00000080 37 38 29 20 20 4c 6f 67 6f 6e 20 54 79 70 65 3a # 78) Logon Type:
< 00000090 37 20 20 4c 6f 67 6f 6e 20 50 72 6f 63 65 73 73 # 7 Logon Process
< 000000a0 3a 55 73 65 72 33 32 20 20 20 20 41 75 74 68 65 # :User32 Authe
< 000000b0 6e 74 69 63 61 74 69 6f 6e 20 50 61 63 6b 61 67 # ntication Packag
< 000000c0 65 3a 20 4d 49 43 52 4f 53 4f 46 54 5f 41 55 54 # e: MICROSOFT_AUT
< 000000d0 48 45 4e 54 49 43 41 54 49 4f 4e 5f 50 41 43 4b # HENTICATION_PACK
< 000000e0 41 47 45 5f 56 31 5f 30 20 20 57 6f 72 6b 73 74 # AGE_V1_0 Workst
< 000000f0 61 74 69 6f 6e 20 4e 61 6d 65 3a 59 33 5a 37 38 # ation Name:Y3Z78
< 00000100 34 33 42 20 # 43B
Please let me know if anyone sees different results.
FYI. The "Server" is Windows XP SP1 with all security hotfixes and the "workstation" is NT4.0 SP6a with all security hotfixes.
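The comparison made in the post can be scripted; the following is an added example, not part of the original post and not WinSyslog or NTSyslog code. It rebuilds the datagram from the `nc -o` dump, lists non-printable bytes, and counts how often the event ID is written back-to-back on the wire and in the stored line. The function names are hypothetical, and the sample input is the first three dump lines and the start of the logged line quoted above.

```python
import re

# First three lines of the nc -o dump quoted in the post (the 00 bytes are
# the poster's own replacement for the obfuscated domain name).
SAMPLE_DUMP = """\
< 00000000 3c 39 3e 41 75 67 20 31 34 20 31 33 3a 31 37 3a # <9>Aug 14 13:17:
< 00000010 34 34 20 73 65 63 75 72 69 74 79 5b 73 75 63 63 # 44 security[succ
< 00000020 65 73 73 5d 20 35 32 38 20 00 00 00 00 5c 54 41 # ess] 528 XXXX\\TA
"""
# Start of the line written to the WinSyslog file, as quoted in the post.
LOGGED_LINE = ("2003-08-14,17:19:32,2003-08-14,17:18:53,10.92.12.169,1,1,"
               "Aug 14 13:18:53 10.92.12.169 538538 XXXX\\TAYLORGO User Logoff:")


def parse_nc_hexdump(dump):
    """Rebuild the received bytes from '<'-direction lines of an nc -o dump."""
    payload = bytearray()
    for line in dump.splitlines():
        fields = line.partition("#")[0].split()  # drop the ASCII column
        if len(fields) < 3 or fields[0] != "<":
            continue  # skip blanks and sent ('>') data
        if int(fields[1], 16) != len(payload):
            raise ValueError("gap in dump at offset " + fields[1])
        payload += bytes(int(b, 16) for b in fields[2:])
    return bytes(payload)


def nonprintable_offsets(payload):
    """Offsets of bytes outside printable ASCII (0x20-0x7e)."""
    return [i for i, b in enumerate(payload) if not 0x20 <= b <= 0x7e]


def wire_event_id(payload):
    """Event ID following the 'source[type]' tag, per the format in the capture."""
    m = re.match(r"<\d+>.*?\]\s+(\d+)\s", payload.decode("latin-1"))
    return m.group(1) if m else None


def repeat_count(text, event_id):
    """How many times event_id is written back-to-back as one numeric token."""
    runs = re.findall(r"(?<!\d)((?:%s)+)(?!\d)" % re.escape(event_id), text)
    return max((len(r) // len(event_id) for r in runs), default=0)


if __name__ == "__main__":
    wire = parse_nc_hexdump(SAMPLE_DUMP)
    print(nonprintable_offsets(wire), wire_event_id(wire))
    print(repeat_count(wire.decode("latin-1"), "528"), repeat_count(LOGGED_LINE, "538"))
```

On this input the only non-printable bytes are the four 00 placeholders, the event ID appears once on the wire, and it appears twice in the stored line.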

