Development of a Windows service application compatible with Windows 7, Windows XP, Windows 2003/2008 (all service packs) and Windows Vista.
The following technologies will be used for the project:
1. .NET Delphi / Delphi 2009 or C#
3. Windows Services;
4. Windows Performance Monitor (not mandatory)
5. Windows Cryptography Providers
-. Source Code
-. Executable file ready to install
-. Copyright transfer
The Windows service should be installable on all of the listed Windows OS versions and start automatically at boot. At regular intervals the service reads the local Windows Event Log for entries matching specific Event ID / User Name combinations (an XML configuration file is described later). If there are new entries, the service extracts their data and creates one syslog message for each entry, as follows:
Date and Time | Event ID | User | IP Address | Computer Name
If the events are of Audit type, the syslog message should also contain the Event Type and Logon Type fields:
Date and Time | Event ID | User | IP Address | Computer Name | Event Type | Logon Type
The service will send these messages in syslog format to a remote server.
The service will listen on a dedicated TCP port so that its network availability can be checked remotely and so that special TCP commands can be sent to gather Windows performance data such as CPU utilization, memory, disk space and bandwidth (the command sequence is explained later in this document). This feature is not mandatory.
A code activation system (so that the service can be executed only on a specific machine) is mandatory and will be described later. The final work therefore consists of 4 files: the executable for installing the service, an encrypted list of MACs (activation file), the configuration XML, and a certificate file for the XML file. The service will keep track of which events have already been "seen" in each event log and store the last seen event date in the Windows Registry, so that seen events are skipped after a restart.
1. XML Configuration file
1) The service consumes its configuration as an XML document
a) The configuration file allows the following values to be configured:
b) Event log scan period (default value: 5 seconds if not specified);
c) Alive responder port (default value: 12000 if not specified);
d) Syslog server entries, each having the IP address to send messages to;
e) List of User entries, each having a name used for message formatting purposes;
f) List of Log entries, each having the Event Log name to read events from;
g) List of Event Id entries specifying which events should be reported to Syslog
h) Several sections for the same server, user or event log are allowed; the corresponding lists of settings will be merged
i) While running, the service checks periodically (every 30 seconds) whether the configuration file has been modified, by recalculating its hash; if it has been modified, the service overwrites it with the in-memory copy and sends a special message to the syslog server;
j) The configuration file's hash is stored in a separate certificate file; if it is missing, the file is
k) The certificate file contains a Triple DES encrypted SHA256 hash calculated on the
Configuration file example:
<?xml version="1.0" encoding="UTF-8"?>
<tosyslog IP='192.168.1.1' scan_period='5'>
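The following is an added example, not part of the specification or any deliverable: a platform-independent Python sketch of the event filtering, the pipe-delimited message format (with the extra Audit fields) and the configuration-hash check described above. The child element names under tosyslog, the event record fields and the sample events are constructed assumptions, and the Triple DES wrapping of the stored hash is omitted.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config in the spec's <tosyslog> shape; the child
# element names (log/eventid/user) are assumptions, the spec shows only the root.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tosyslog IP='192.168.1.1' scan_period='5'>
  <log name='Security'/>
  <eventid id='4624'/>
  <user name='alice'/>
</tosyslog>"""

# Constructed event records (not real log data); ISO timestamps sort as text.
SAMPLE_EVENTS = [
    {"time": "2010-03-01T09:00:00", "event_id": 4624, "user": "alice",
     "ip": "10.0.0.5", "computer": "WS01", "audit": True,
     "event_type": "Audit Success", "logon_type": 10},
    {"time": "2010-03-01T09:01:00", "event_id": 7036, "user": "alice",
     "ip": "-", "computer": "WS01"},                    # not a configured ID
    {"time": "2010-02-28T23:00:00", "event_id": 4624, "user": "alice",
     "ip": "10.0.0.9", "computer": "WS01", "audit": True,
     "event_type": "Audit Success", "logon_type": 3},   # already seen
]

def parse_config(xml_text):
    root = ET.fromstring(xml_text)
    return {"ip": root.get("IP"),
            "scan_period": int(root.get("scan_period", "5")),  # spec default: 5 s
            "event_ids": {int(e.get("id")) for e in root.findall("eventid")},
            "users": {e.get("name") for e in root.findall("user")}}

def select_new_events(events, cfg, last_seen):
    """Skip events at or before the registry-stored 'last seen' time and
    anything outside the configured Event ID / user filter."""
    return [e for e in events if e["time"] > last_seen
            and e["event_id"] in cfg["event_ids"] and e["user"] in cfg["users"]]

def format_message(ev):
    """Pipe-delimited body from the spec; Audit events carry two extra fields."""
    fields = [ev["time"].replace("T", " "), str(ev["event_id"]), ev["user"],
              ev["ip"], ev["computer"]]
    if ev.get("audit"):
        fields += [ev["event_type"], str(ev["logon_type"])]
    return " | ".join(fields)

def config_digest(xml_text):
    """SHA-256 the spec keeps (3DES-wrapped) in the certificate file and recomputes every 30 s."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def config_tampered(current_text, stored_digest):
    return config_digest(current_text) != stored_digest
```

A real service would compare against the decrypted hash from the certificate file and, on mismatch, restore the in-memory copy and emit the alert message the spec calls for.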
2. Activation System
1) The service runs only on machines it is allowed to run on, as specified in the activation file
a) The activation file contains a list of MAC addresses. If the server attempting to start the service has at least one Ethernet adapter whose MAC address is in the list, the start will succeed.
Otherwise, an error message will be recorded in the System Event log and a special syslog message will also be sent to