Blame scripts/services/evtapplication

Packit 57988d
##########################################################################
Packit 57988d
# $Id$
Packit 57988d
##########################################################################
Packit 57988d
# $Log: evtapplication,v $
Packit 57988d
# Revision 1.3  2008/06/30 23:07:51  kirk
Packit 57988d
# fixed copyright holders for files where I know who they should be
Packit 57988d
#
Packit 57988d
# Revision 1.2  2008/03/24 23:31:26  kirk
Packit 57988d
# added copyright/license notice to each script
Packit 57988d
#
Packit 57988d
# Revision 1.1  2007/04/28 22:50:24  bjorn
Packit 57988d
# Added files for Windows Event Log, by Orion Poplawski.  These are for
Packit 57988d
# Windows events logged to a server, using Snare Agent or similar.
Packit 57988d
##########################################################################
Packit 57988d
Packit 57988d
########################################################
Packit 57988d
## Copyright (c) 2008 Orion Poplawski
Packit 57988d
## Covered under the included MIT/X-Consortium License:
Packit 57988d
##    http://www.opensource.org/licenses/mit-license.php
Packit 57988d
## All modifications and contributions by other persons to
Packit 57988d
## this script are assumed to have been donated to the
Packit 57988d
## Logwatch project and thus assume the above copyright
Packit 57988d
## and licensing terms.  If you want to make contributions
Packit 57988d
## under your own copyright or a different license this
Packit 57988d
## must be explicitly stated in the contribution an the
Packit 57988d
## Logwatch project reserves the right to not accept such
Packit 57988d
## contributions.  If you have made significant
Packit 57988d
## contributions to this script and want to claim
Packit 57988d
## copyright please contact logwatch-devel@lists.sourceforge.net.
Packit 57988d
#########################################################
Packit 57988d
Packit 57988d
use URI::URL;
Packit 57988d
Packit 57988d
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
Packit 57988d
Packit 57988d
while (defined($ThisLine = <STDIN>)) {
Packit 57988d
   my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra);
Packit 57988d
   #Determine format
Packit 57988d
   if ($ThisLine =~ /MSWinEventLog\[/) {  # Snare 4
Packit 57988d
      #Parse
Packit 57988d
      ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
Packit 57988d
         ($ThisLine =~ /(\S+)\sMSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
Packit 57988d
   } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3
Packit 57988d
      #Parse
Packit 57988d
      ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
Packit 57988d
         ($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
Packit 57988d
   }
Packit 57988d
   if (!defined($Hostname)) {
Packit 57988d
      print STDERR "Cannot parse $ThisLine";
Packit 57988d
      next;
Packit 57988d
   }
Packit 57988d
   next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen";
Packit 57988d
Packit 57988d
   #print STDERR "ExpandedString = $ExpandedString\n";
Packit 57988d
   if ($Application =~ /Userenv/) {
Packit 57988d
      $ExpandedString = "$UserName $ExpandedString";
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /AutoEnrollment/) {
Packit 57988d
      #Ignore these - we don't run active directory
Packit 57988d
      next if $ExpandedString =~ /Automatic certificate enrollment for local system failed to contact the active directory/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /Intel Alert/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /Intel Alert Originator Manager loaded without security/;
Packit 57988d
      next if $ExpandedString =~ /Service Initialized Successfully/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /LoadPerf/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /Performance counters for the .* service were loaded successfully/;
Packit 57988d
      next if $ExpandedString =~ /Performance counters for the .* service were removed successfully/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /NSCTOP/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /Service started/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /Norton Ghost/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /Norton Ghost service started successfully/;
Packit 57988d
      next if $ExpandedString =~ /A scheduled baseline backup of .* completed successfully/;
Packit 57988d
      next if $ExpandedString =~ /A scheduled incremental backup of .* completed successfully/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /SNARE/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /The service was started/;
Packit 57988d
      next if $ExpandedString =~ /The service was stopped/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /SecurityCenter/) {
Packit 57988d
      #Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1
Packit 57988d
      next if $ExpandedString =~ /The Security Center service has been stopped.  It was prevented from running by a software group policy/;
Packit 57988d
   }
Packit 57988d
Packit 57988d
   if ($Application =~ /Symantec AntiVirus/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /Symantec AntiVirus services startup was successful/;
Packit 57988d
      next if $ExpandedString =~ /Scan Complete:  Risks: 0/;
Packit 57988d
      next if $ExpandedString =~ /Scan started on all drives and all extensions/;
Packit 57988d
      next if $ExpandedString =~ /Scan started on selected drives and folders and all extensions/;
Packit 57988d
      next if $ExpandedString =~ /Download of virus definition file from LiveUpdate server succeeded/;
Packit 57988d
      next if $ExpandedString =~ /Virus definitions are current/;
Packit 57988d
      next if $ExpandedString =~ /Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/;
Packit 57988d
   }
Packit 57988d
   if ($Application =~ /cc.*Mgr/) {
Packit 57988d
      #Ignore these
Packit 57988d
      next if $ExpandedString =~ /service is starting/;
Packit 57988d
      next if $ExpandedString =~ /service has started/;
Packit 57988d
   }
Packit 57988d
Packit 57988d
   my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application");
Packit 57988d
   my $urlstr = $url->abs;
Packit 57988d
   $Applications{$Application}->{"$Hostname $ExpandedString\n$url"}++;
Packit 57988d
}
Packit 57988d
Packit 57988d
if (keys %Applications) {
Packit 57988d
   foreach $Application (sort(keys %Applications)) {
Packit 57988d
      print "\n$Application\n";
Packit 57988d
      foreach $Error (sort(keys %{$Applications{$Application}})) {
Packit 57988d
         print "    $Error : $Applications{$Application}->{$Error} Times\n";
Packit 57988d
      }
Packit 57988d
   }
Packit 57988d
}
Packit 57988d
Packit 57988d
exit(0);
Packit 57988d
Packit 57988d
# vi: shiftwidth=3 tabstop=3 syntax=perl et
Packit 57988d
# Local Variables:
Packit 57988d
# mode: perl
Packit 57988d
# perl-indent-level: 3
Packit 57988d
# indent-tabs-mode: nil
Packit 57988d
# End: