Event Monitor Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    What is Event Monitor Service?


    We released a new version:
    http://www.novirusthanks.org/products/event-monitor-service/

     
  2. guest

    guest Guest

    You create many nice tools; maybe packing them all under one "monitoring" application would be cool.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    I was looking at those many nice tools and then I had the same thoughts about unity. Honestly it's kind of inconvenient to install and maintain them separately.
     
    Last edited: Mar 26, 2017
  4. guest

    guest Guest

    Exactly ;)
     
  5. guest

    guest Guest

    Btw.: Event Monitor Service includes functionality from:
    • Process Logger Service (Process Creations+Terminations)
    • Registry Guard Service (Access to Registry Keys)
    • PE Capture Service (capturing of dropped executables)
    ...and some more monitoring features.

    But it's good to have them separately.
    If I only want to log all Process Creations, then instead of installing "the whole package" (and disabling unneeded functionality in the settings) I can install the Process Logger Service only.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Alright. This is something that should have been mentioned from the beginning, in the first post or a subsequent one (no offense @novirusthanks), but as usual you, @mood, are always quick and willing to test software, so your comments save my day.:thumb:
    * Btw, when you say "includes functionality from..." do you actually mean to say full functionality or just some features of them?
    * If yes, then I'll be switching to Event Monitor Service asap.

    Different points of view mate. Perhaps you're right anyway.
     
    Last edited: Mar 26, 2017
  7. guest

    guest Guest

    99% functionality :doubt:
    You'll get the most details on Process Creations with Process Logger Service (for example, it logs this information: Bitness, Integrity Level, Protected Process, ...).
    And with Event Monitor Service, Process Creations and Process Terminations are logged in different log files.

    And because it is a Monitoring Service, changes in the registry are logged but not prevented.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Not much of an issue for me. As I'm always in shadow mode I really don't care about reg changes. Just a reboot and all is gone.

    So it's a go for me. Next time I restart the PC I will install it.

    Thanks for your kind explanation. :)
     
  9. guest

    guest Guest

    It also has some other nice monitoring features like monitoring loaded DLLs, drivers, created files, deleted files...
    Good monitoring suite.
    I guess for malware researchers it can be very useful.

    Btw.: The logfiles can be read by anyone. To mitigate this, the logs folder can be hidden, or ACLs can be modified to deny access to the logs folder for regular users.
    This was also mentioned on the website:
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh now this is good stuff.

    Appreciate the new service.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @mood Currently I use NVT Process Logger Service, and Registry Guard Service.

    I am thinking of installing Event Logger Service instead of the Process Logger Service due to its additional monitoring. What info would I 'lose' that Process Logger Service has?

    But I will retain Registry Guard Service due to its blocking ability, though I am thinking of going to the GUI version when it gets updated, as it will probably be easier to disable for installs (currently I have a desktop shortcut for the service config.ini).

    Edit: Re-reading your post, I suppose one gets the most info using all three, despite the overhead of maintaining / running three services. Perhaps Andreas could consider switches to turn process monitoring or registry monitoring on / off in Event Monitor Service (where these overlap with the others).
     
  13. guest

    guest Guest

    If I need information about file deletions/file creations/dropped files or other information, then I would run Event Monitor Service.
    For more detailed information about processes, or "blocking ability" if a program wants to write to the registry, these might be a better choice: #7
    And they don't need to inject a DLL into each process, which can lead to some problems under specific circumstances. Some programs "don't like this".
    Event Monitor Service injects the file: EventMon.dll / EventMon32.dll
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @mood
    Just installed and disabled ProcessCreations, ProcessTerminations and Registry as these are already covered by the other two services. (So Andreas does have these switches already).

    I see my logs are in .xml format? How should I view these - with Notepad?

    Edit: Did I do something wrong? I have tried installing twice with same result.
     
    Last edited: Apr 6, 2017
  15. guest

    guest Guest

    Then the output format has been changed with the new version :cautious:
    These files should be readable with a normal file viewer or Notepad, but I haven't tested version v1.3 yet. I'll do it at a later time.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @novirusthanks @mood My logs are in .xml format (unlike Process Logger Service or Registry Guard Service). Any idea why this is so and what I could be doing wrong on install?
     
  17. guest

    guest Guest

    I had the idea to look into the changelog, and I found this:
    Code:
    [17-Nov-2016] v1.1.0.0
    + Events are saved in an XML-like format (no root element)
    It seems it is by design, with Event Monitor Service v1.1.0.0 and newer versions.
    You did nothing wrong :)
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I wonder why. It is much less readable (in Notepad).
     
  19. guest

    guest Guest

    An option for choosing the format of the log file would be nice:
    Code:
    @ config.ini
    LogfileOutput: xml
    LogfileOutput: txt
    Only an idea ...
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Nice idea anyway whether it's considered or not.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @mood @paulderdash @EASTER

    We've released a new version 1.4:
    http://www.novirusthanks.org/products/event-monitor-service/

    Changelog:

    Code:
    [27-Apr-2017] v1.4.0.0
    
    + Made XML log format optional, default is Plain Text now
    + To enable XML logging edit Config.ini and set LogAsXml = y
    
    This is the full Config.ini file with the new LogAsXml option:

    Code:
    [Monitoring]
    
    FileCreations = y
    FileDeletions = y
    PEImageDrops = y
    LoadedDrivers = y
    ProcessCreations = y
    ProcessTerminations = y
    LoadedDLLs = y
    Registry = y
    
    [Folders]
    
    Logs = C:\EMSvc\Logs
    Exclusions = C:\EMSvc\Exclude
    
    [Paths]
    
    RegistryExcludeFile = C:\EMSvc\Registry\
    RegistryRuleFile = C:\EMSvc\Registry\
    
    [Settings]
    DeleteLogsOlderThanNDays=0
    
    [Logging]
    LogAsXml=n
    
     
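    An added example (not part of the thread or the product): a small Python audit of the Config.ini posted above, which reports the enabled monitors, the chosen log format, and, mirroring the manual step of setting ProcessCreations, ProcessTerminations and Registry to 'n' when Process Logger Service and Registry Guard Service are also installed, which switches duplicate a standalone service. The config text and the overlap table are constructed from the thread's own statements.

```python
"""Audit an Event Monitor Service Config.ini for overlap with standalone NVT services.

Constructed example, not the product's own code. The sample text is the v1.4
Config.ini as posted in the thread; the overlap table follows the thread
(Process Logger Service covers process creations/terminations, Registry Guard
Service covers the registry monitor).
"""
import configparser

SAMPLE_CONFIG = r"""
[Monitoring]
FileCreations = y
FileDeletions = y
PEImageDrops = y
LoadedDrivers = y
ProcessCreations = y
ProcessTerminations = y
LoadedDLLs = y
Registry = y

[Folders]
Logs = C:\EMSvc\Logs
Exclusions = C:\EMSvc\Exclude

[Settings]
DeleteLogsOlderThanNDays=0

[Logging]
LogAsXml=n
"""

# Which Config.ini monitors a separately installed service already provides.
OVERLAP = {
    "Process Logger Service": {"ProcessCreations", "ProcessTerminations"},
    "Registry Guard Service": {"Registry"},
}

def parse_config(text):
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case (ProcessCreations, LogAsXml)
    cp.read_string(text)
    return cp

def enabled_monitors(cp):
    """Monitor keys under [Monitoring] whose value is 'y'."""
    return sorted(k for k, v in cp["Monitoring"].items() if v.strip().lower() == "y")

def duplicated_monitors(cp, installed_services):
    """Enabled monitors that an installed standalone service also covers."""
    enabled = set(enabled_monitors(cp))
    dup = set()
    for svc in installed_services:
        dup |= OVERLAP.get(svc, set()) & enabled
    return sorted(dup)

def audit(text, installed_services=()):
    cp = parse_config(text)
    as_xml = cp["Logging"].get("LogAsXml", "n").strip().lower() == "y"
    return {
        "enabled": enabled_monitors(cp),
        "duplicates": duplicated_monitors(cp, installed_services),
        "log_format": "xml" if as_xml else "txt",
        "log_dir": cp["Folders"]["Logs"],
    }
```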
  22. guest

    guest Guest

    This issue is fixed with v1.4 :thumb:
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Andreas, you are amazing!

    I am currently running Process Logger Service, Registry Guard Service and now Event Monitor Service with Process Creations, Process Terminations, and Registry set to 'n' (to avoid duplication) for monitoring and control.

    Though for my purposes Event Monitor Service alone would be fine for monitoring only.

    I do understand that with Registry Guard Service one has the ability to not just monitor but protect the registry, but is there a benefit running Process Logger Service over and above the process monitoring provided by Event Monitor Service?
     
    Last edited: Apr 27, 2017
  24. guest

    guest Guest

  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @novirusthanks No biggie, but could you add an 'Enabled=y' config.ini parameter (a la Process Logger Service?)
     