{"id":13573135,"url":"https://github.com/devnulli/EvlWatcher","last_synced_at":"2025-04-04T11:31:27.877Z","repository":{"id":7164880,"uuid":"8465208","full_name":"devnulli/EvlWatcher","owner":"devnulli","description":"a \"fail2ban\" style modular log file analyzer for windows","archived":false,"fork":false,"pushed_at":"2024-10-21T19:59:18.000Z","size":38357,"stargazers_count":416,"open_issues_count":16,"forks_count":51,"subscribers_count":24,"default_branch":"master","last_synced_at":"2024-11-05T07:35:41.507Z","etag":null,"topics":["fail2ban","logfile-analysis","windows"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devnulli.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-02-27T20:54:13.000Z","updated_at":"2024-11-01T11:26:24.000Z","dependencies_parsed_at":"2023-11-10T19:23:48.435Z","dependency_job_id":"9a529b4f-ec1a-4f30-beac-cd6f7b7e0987","html_url":"https://github.com/devnulli/EvlWatcher","commit_stats":{"total_commits":78,"total_committers":1,"mean_commits":78.0,"dds":0.0,"last_synced_commit":"52ef6e487040f6fc468fe79bd5ea8d378dfa63bb"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devnulli%2FEvlWatcher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devnulli%2FEvlWatcher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devnulli%2FEvlWatcher/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devnulli%2FEvlWatcher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devnulli","download_url":"https://codeload.github.com/devnulli/EvlWatcher/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247170307,"owners_count":20895451,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fail2ban","logfile-analysis","windows"],"created_at":"2024-08-01T15:00:30.488Z","updated_at":"2025-04-04T11:31:22.869Z","avatar_url":"https://github.com/devnulli.png","language":"C#","readme":"# _What's EvlWatcher?_\n\nIt's basically a fail2ban for windows. Its goals are also mainly what we love about fail2ban:\n- *pre-configured*\n- *no-initial-fucking-around-with-scripts-or-config-files*\n- *install-and-forget*\n\nYou can download it [here](https://github.com/devnulli/EvlWatcher/raw/master/Versions/v2/EvlWatcher-v2.1.62-setup.exe) ( v2.1.62 - May 2024 ) .\n\n## Also, we love issues!\n\nIf anyone needs something or has questions about something, please feel free to open an issue. \nWe are especially happy to get issues about log-entry samples we don't react on, or ideas of how we can **support more protocols**. \n\n# A bit more detailed description of what EvlWatcher does.\n\n## Scenario: there are those bad people out there, hammering your service (RDP and whatnot) with brute force attempts.\n\n- You can see them and their IPs clearly in the Windows Event-Log. 
\n- You have searched the web and yea, there are plenty of tools, scripts, and all that, to read the event-log and automatically ban the attacker's IP.\n- *You however, are lazy.* You need something like fail2ban, with a preconfigured set of rules to just RUN right away and it works. \n- But then, it still needs enough flexibility for you to completely configure it, should you wish to do so.\n\n## EvlWatcher does that. It scans the Windows-Event-Log, and reacts. \n\nIt works by installing a service that scans the event log for unsuccessful login attempts. When one of its rules is violated (e.g. trying to log in without correct credentials more than 5 times in 2 minutes), it will place that poor bastard into a generic firewall rule, and thereby ban the attacker for 2 hours.\n\nAlso, when someone is repeatedly trying, there is a permanent ban list for that, where people land by default when they've had three strikes.\n\nYou can, of course, adjust the rules to your liking. They basically consist of an _event source_ and a _Regex_ to extract an IP; it's pretty simple.\n\n# Installation\n\nRun the setup executable. It is not required that you remove previous versions of EvlWatcher; the installer will take care of that.\n\n## Silent installation\n\nBy the way, when you run the setup executable with the /S parameter, it will install silently (i.e. no UI). This can be used for remote or mass roll-outs of EvlWatcher, e.g. via group policy.\n\n## After you have installed EvlWatcher\n\nYou now have 2 things installed: \n - a Windows Service that will immediately start running (called EvlWatcher) with its default configuration file\n - a management Console (in the binary directory)\n\n## The Service\n\nYou can see it in your Services as \"EvlWatcher\". It is set to local system and auto start - meaning it cannot communicate over the network and will always run.\n\nThe service makes a firewall rule called EvlWatcher 
and updates it every 30 seconds, based on your event log. Simple as that.\nJust one thing: it's normal for the rule to be disabled. When there are no IPs banned, it's automatically disabled. Don't worry, EvlWatcher will enable it as soon as there is the first ban victim.\n\n## The Configuration\n\nYou can see it as config.xml in the binary directory. \nIt's made to cover all sorts of brute force attacks out of the box, but can also be expanded. Just take a look inside, if you want.\n\n## The Console (EvlWatcherConsole.exe)\n\nYou can use the console to see how your service is doing.\nThe console can be found in the start menu, or in the installation folder. \n\nThe service keeps running, no matter if you have the console open or closed. \n\nThere are several tabs in the console.\n\n### Overview Tab\n\nShows you which IPs are currently banned or whitelisted.\n\n![image](https://user-images.githubusercontent.com/3720480/98728537-eee6be80-2399-11eb-9420-9926cc3704f0.png)\n\n### Live Tab\n\nShows you what the service is doing and what it is currently thinking about.\n\n![image](https://user-images.githubusercontent.com/3720480/98728504-e2626600-2399-11eb-987c-c101a22003e8.png)\n\n### Global Settings Tab\n\n![image](https://user-images.githubusercontent.com/3720480/98728386-bb0b9900-2399-11eb-9792-d3e770334316.png)\n\n### Rule Tester Tab\n\nWhen you find something you want automatically banned, you can use this tab to help you compose a rule for it. You copy your Windows Event-Log XML here and try to find a Regex for it. 
When you hit the \"test button\", and an IP can be extracted, you've found a new rule.\n\nOnce you have done that, you can either build a new ban task in your config, or post an issue here, so we can add it to the config globally.\n\n*Note: When you copy-paste a regex into the XML, you must escape angle brackets with `\u0026lt;` and `\u0026gt;`.*\n\n![image](https://user-images.githubusercontent.com/3720480/98728355-ab8c5000-2399-11eb-918f-3b9a8e316516.png)\n\n# Community\n\n## If you want to support EvlWatcher practically\n- Please feel free to contribute.\n- We always need good devs and testers to support us.\n- Please, if you have an MSSQL Server or FTP or whatever open to the webs, help us to also cover that with EvlWatcher, by providing us Events.\n\n[![Gitter](https://badges.gitter.im/EvlWatcher/community.svg)](https://gitter.im/EvlWatcher/community?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge)\n\n## If you want to support EvlWatcher monetarily\n\nEvlWatcher doesn't have a lot of expenses, except the initial cost of code-signing, which was already covered by donations,\nand about 25€ / year for keeping up the certificate. Therefore, we don't really need much monetary support. 
\n\nBut if you want to say thanks, I would be happy if you would buy me a coffee or a beer here:\n\n\u003ca href='https://ko-fi.com/F2F02MKY9' target='_blank'\u003e\u003cimg height='36' style='border:0px;height:36px;' src='https://cdn.ko-fi.com/cdn/kofi2.png?v=2' border='0' alt='Buy Me a Coffee at ko-fi.com' /\u003e\u003c/a\u003e\n\nOr you could just donate to your favorite charity.\n\nApart from that, EvlWatcher is, and will always be, completely free.\n\nCya..\n\nMike\n","funding_links":["https://ko-fi.com/F2F02MKY9'"],"categories":["C# #"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevnulli%2FEvlWatcher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevnulli%2FEvlWatcher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevnulli%2FEvlWatcher/lists"}