##########################################################################

# $Id$

##########################################################################

# $Log: evtapplication,v $

# Revision 1.3  2008/06/30 23:07:51  kirk

# fixed copyright holders for files where I know who they should be

#

# Revision 1.2  2008/03/24 23:31:26  kirk

# added copyright/license notice to each script

#

# Revision 1.1  2007/04/28 22:50:24  bjorn

# Added files for Windows Event Log, by Orion Poplawski.  These are for

# Windows events logged to a server, using Snare Agent or similar.

##########################################################################

########################################################

## Copyright (c) 2008 Orion Poplawski

## Covered under the included MIT/X-Consortium License:

##    http://www.opensource.org/licenses/mit-license.php

## All modifications and contributions by other persons to

## this script are assumed to have been donated to the

## Logwatch project and thus assume the above copyright

## and licensing terms.  If you want to make contributions

## under your own copyright or a different license this

## must be explicitly stated in the contribution an the

## Logwatch project reserves the right to not accept such

## contributions.  If you have made significant

## contributions to this script and want to claim

## copyright please contact logwatch-devel@lists.sourceforge.net.

#########################################################

use URI::URL;

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

while (defined($ThisLine = <STDIN>)) {

   my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra);

   #Determine format

   if ($ThisLine =~ /MSWinEventLog\[/) {  # Snare 4

      #Parse

      ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =

         ($ThisLine =~ /(\S+)\sMSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);

   } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3

      #Parse

      ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =

         ($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);

   }

   if (!defined($Hostname)) {

      print STDERR "Cannot parse $ThisLine";

      next;

   }

   next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen";

   #print STDERR "ExpandedString = $ExpandedString\n";

   if ($Application =~ /Userenv/) {

      $ExpandedString = "$UserName $ExpandedString";

   }

   if ($Application =~ /AutoEnrollment/) {

      #Ignore these - we don't run active directory

      next if $ExpandedString =~ /Automatic certificate enrollment for local system failed to contact the active directory/;

   }

   if ($Application =~ /Intel Alert/) {

      #Ignore these

      next if $ExpandedString =~ /Intel Alert Originator Manager loaded without security/;

      next if $ExpandedString =~ /Service Initialized Successfully/;

   }

   if ($Application =~ /LoadPerf/) {

      #Ignore these

      next if $ExpandedString =~ /Performance counters for the .* service were loaded successfully/;

      next if $ExpandedString =~ /Performance counters for the .* service were removed successfully/;

   }

   if ($Application =~ /NSCTOP/) {

      #Ignore these

      next if $ExpandedString =~ /Service started/;

   }

   if ($Application =~ /Norton Ghost/) {

      #Ignore these

      next if $ExpandedString =~ /Norton Ghost service started successfully/;

      next if $ExpandedString =~ /A scheduled baseline backup of .* completed successfully/;

      next if $ExpandedString =~ /A scheduled incremental backup of .* completed successfully/;

   }

   if ($Application =~ /SNARE/) {

      #Ignore these

      next if $ExpandedString =~ /The service was started/;

      next if $ExpandedString =~ /The service was stopped/;

   }

   if ($Application =~ /SecurityCenter/) {

      #Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1

      next if $ExpandedString =~ /The Security Center service has been stopped.  It was prevented from running by a software group policy/;

   }

   if ($Application =~ /Symantec AntiVirus/) {

      #Ignore these

      next if $ExpandedString =~ /Symantec AntiVirus services startup was successful/;

      next if $ExpandedString =~ /Scan Complete:  Risks: 0/;

      next if $ExpandedString =~ /Scan started on all drives and all extensions/;

      next if $ExpandedString =~ /Scan started on selected drives and folders and all extensions/;

      next if $ExpandedString =~ /Download of virus definition file from LiveUpdate server succeeded/;

      next if $ExpandedString =~ /Virus definitions are current/;

      next if $ExpandedString =~ /Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/;

   }

   if ($Application =~ /cc.*Mgr/) {

      #Ignore these

      next if $ExpandedString =~ /service is starting/;

      next if $ExpandedString =~ /service has started/;

   }

   my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application");

   my $urlstr = $url->abs;

   $Applications{$Application}->{"$Hostname $ExpandedString\n$url"}++;

}

if (keys %Applications) {

   foreach $Application (sort(keys %Applications)) {

      print "\n$Application\n";

      foreach $Error (sort(keys %{$Applications{$Application}})) {

         print "    $Error : $Applications{$Application}->{$Error} Times\n";

      }

   }

}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et

# Local Variables:

# mode: perl

# perl-indent-level: 3

# indent-tabs-mode: nil

# End: