GSW Event Logging

The Georgia SoftWorks SSH2/Telnet Server for Windows provides the System Administrator with useful SSH2/Telnet Server Activity information that can be used for generating reports. The System Administrator can enable or disable various events that are logged. The logged information is in an easy to import ASCII comma delimited format.

Two files are of interest

1. The log definition file: gsw_ldef.txt and

2. The actual log file gsw_elog.txt

Event Log Definition File:

The configuration file gsw_ldef.txt specifies the events that are maintained in the log file. This file resides in the SSH2/Telnet server installation directory. Usually this is c:\gs_uts. Each event that can be logged is listed together with its description.

The format of this file is:

Event ID <SPACE> Group ID <SPACE>Description of the event

The “#” character is the comment symbol. Insert a "#" character in column 1 of a line to disable the logging of a specific event. Enabling or Disabling the logging of specific events are the only allowed modifications to this file.

The Default configuration for gsw_ldef.txt is:

1 100 Session Created

2 100 Session Suspended

3 100 Session Reconnected

4 100 Session Exited Normally

5 100 Session Exited Abnormally

6 100 Logon Failed

7 200 Print Job Redirected

8 400 File transferred (put)

9 400 Print File transferred (get)

10 500 Command execution event sent to client

If you do not want to log Print Jobs and Failed Logons you would insert the # as the first character of those events.

1 100 Session Created

2 100 Session Suspended

3 100 Session Reconnected

4 100 Session Exited Normally

5 100 Session Exited Abnormally

#6 100 Logon Failed

#7 200 Print Job Redirected

8 400 File transferred (put)

9 400 Print File transferred (get)

10 500 Command execution event sent to client

NOTE: The event ids and descriptions in the file cannot be changed.

Event Log File

The log file is a comma-delimited text file where the activity events are actually stored. By default the maximum size of log file gsw_elog.txt is 1 megabyte. Once the file has reached the maximum size the file is renamed to gsw_elog.bak and starts logging in a new gsw_elog.txt. This actually provides up to 2 megabytes of log information to the administrator. The size of the gsw_elog.txt can be changed in the registry (See page 188).

The GSW Event Log resides in the "Log" subdirectory of the Installation folder in a comma-delimited file with the name gsw_elog.txt.

Georgia SoftWorks Event Log File Name: gsw_elog.txt

The format of the comma-delimited file is as follows.

Field Description Data Type Description Event ID Integer Event Group ID Integer Useful for Filtering with Reports Login Id Text Quoted Text Field Domain Text Quoted Text Field Session ID Text Quoted Text Field Time Stamp Date/Time YYYY-MM-DD HH:MM:SS Client Type Integer 0 = 3rd Party, 1 = Georgia SoftWorks Encrypted Session Integer 0 = Not Encrypted, 1 = Encrypted Event Specific Integer Integer Event Specific Text Text Quoted Text Field

Table 38 - GSW Event Log File Format

An example of the data in the gsw_elog.txt file may look like:

7,200,'Laura','.','1E339C27B99',2000-09-15 15:42:22,1,0,1326,''

1,100,'Rebecca','.','1E439C27BCD',2000-09-15 15:43:09,1,0,0,''

6,100,'Joseph','.','5A39C27C2C',2000-09-15 15:44:52,1,0,1326,''

1,100,'Anna','.','17F39C27C39',2000-09-15 15:45:03,1,0,0,''

1,100,'benjamin','.','12C39C27C66',2000-09-15 15:45:47,1,0,0,''

4,100,'John','.','1E439C27BCD',2000-09-15 15:46:07,1,0,0,''

5,100,'Wally','.','12C39C27C66',2000-09-15 15:46:37,1,0,0,''

1,100,'Luke','.','12C39C27C66',2000-09-15 15:46:51,1,0,0,''

2,100,'RaySpurg','.','12C39C27C66',2000-09-15 15:47:00,1,0,0,''

3,100,'Doug','.','12C39C27C66',2000-09-15 15:47:12,1,0,0,''

3,100,'Wanda','.','17F39C27C39',2000-09-15 15:47:20,1,0,0,''

Defined Events are: Event Id Event Group ID Name 1 100 Session Created 2 100 Session Suspended 3 100 Session Reconnected 4 100 Session Exited Normally 5 100 Session Exited Abnormally 6 100 Logon Failed 7 200 Print Job Redirected 8 400 File Transferred via GS_PUT 9 400 File Transferred via GS_GET 10 500 Command execution event sent to client

Table 39 - Defined Log Events

Modify the Log File Size

This is how to change the registry key for the size of the Log File. The size is specified in bytes and the default is 1000000.

Note: (you must be on the Windows system that the Georgia SoftWorks SSH2/Telnet Server is installed. However you may connect to the Windows Registry from a remote location).

The key is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GS_Tnet\Parameters\ActivityLogFileLength

1. Click the Start button at the bottom left corner of your screen.

2. Click RUN

3. Type REGEDT32

4. Click OK

5. Select Windows item HKEY_LOCAL_MACHINE

6. Select the menu item Edit

7. Move the mouse pointer and click Find

8. Type ActivityLogFileLength

9. Click on Find Next

10. Select the menu item Edit and then click on Modify

11. Enter the new value for the ActivityLogFileLength and click OK

The new Activity Log File Length will take effect.