##########################################################################
# $Id$
##########################################################################
# $Log: evtapplication,v $
# Revision 1.3 2008/06/30 23:07:51 kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.2 2008/03/24 23:31:26 kirk
# added copyright/license notice to each script
#
# Revision 1.1 2007/04/28 22:50:24 bjorn
# Added files for Windows Event Log, by Orion Poplawski. These are for
# Windows events logged to a server, using Snare Agent or similar.
##########################################################################
########################################################
## Copyright (c) 2008 Orion Poplawski
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use URI::URL;
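use strict;
use warnings;

# Logwatch detail level (0 = Low, 5 = Med, 10 = High). Read so this script
# behaves like the other services, but every event is reported at every level.
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# Routine Application-log events that never belong in the report. Each entry
# is [ event-source pattern, message pattern ]; both are matched unanchored
# against $Application and $ExpandedString respectively, so keep them specific.
my @Ignore = (
   # Auto-enrollment can only fail here: we don't run Active Directory.
   [ qr/AutoEnrollment/,     qr/Automatic certificate enrollment for local system failed to contact the active directory/ ],
   [ qr/Intel Alert/,        qr/Intel Alert Originator Manager loaded without security/ ],
   [ qr/Intel Alert/,        qr/Service Initialized Successfully/ ],
   [ qr/LoadPerf/,           qr/Performance counters for the .* service were loaded successfully/ ],
   [ qr/LoadPerf/,           qr/Performance counters for the .* service were removed successfully/ ],
   [ qr/NSCTOP/,             qr/Service started/ ],
   [ qr/Norton Ghost/,       qr/Norton Ghost service started successfully/ ],
   [ qr/Norton Ghost/,       qr/A scheduled baseline backup of .* completed successfully/ ],
   [ qr/Norton Ghost/,       qr/A scheduled incremental backup of .* completed successfully/ ],
   [ qr/SNARE/,              qr/The service was started/ ],
   [ qr/SNARE/,              qr/The service was stopped/ ],
   # Expected when group policy turns Security Center off, see
   # http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1
   [ qr/SecurityCenter/,     qr/The Security Center service has been stopped. It was prevented from running by a software group policy/ ],
   [ qr/Symantec AntiVirus/, qr/Symantec AntiVirus services startup was successful/ ],
   # \b: only an exact zero risk count is a clean scan.
   [ qr/Symantec AntiVirus/, qr/Scan Complete: Risks: 0\b/ ],
   [ qr/Symantec AntiVirus/, qr/Scan started on all drives and all extensions/ ],
   [ qr/Symantec AntiVirus/, qr/Scan started on selected drives and folders and all extensions/ ],
   [ qr/Symantec AntiVirus/, qr/Download of virus definition file from LiveUpdate server succeeded/ ],
   [ qr/Symantec AntiVirus/, qr/Virus definitions are current/ ],
   [ qr/Symantec AntiVirus/, qr/Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/ ],
   [ qr/cc.*Mgr/,            qr/service is starting/ ],
   [ qr/cc.*Mgr/,            qr/service has started/ ],
);

# Tab-separated fields shared by both Snare record formats, following the
# criticality: SourceName, counter (matched, not captured), DateTime, EventID,
# Application, UserName, SIDType, EventLogType, Hostname, then up to four
# optional fields (CategoryString, DataString, ExpandedString, Extra).
# Twelve captures; with the criticality in front that is the 13 variables below.
my $SnareFields = qr/(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/;

# $Applications{event source}{"host message\nurl"} = number of occurrences
my %Applications;

while (defined(my $ThisLine = <STDIN>)) {
   chomp $ThisLine;
   # Everything in the line originates on the remote Windows host (usually
   # forwarded over unauthenticated syslog) and is copied verbatim into the
   # report, so strip control characters other than the tab delimiters before
   # parsing; that keeps terminal escapes and fake report lines out.
   $ThisLine =~ s/[\x00-\x08\x0a-\x1f\x7f]//g;

   # Determine the format and split the record. The Snare 4 prefix is
   # "<syslog tag> MSWinEventLog[<criticality>]:"; the tag is deliberately not
   # captured so both formats yield the same 13 fields (the earlier Snare 4
   # pattern captured it, which shifted every field one place to the right).
   my @Fields;
   if ($ThisLine =~ /MSWinEventLog\[/) {        # Snare 4
      @Fields = ($ThisLine =~ /\S+\sMSWinEventLog\[(\d+)\]:$SnareFields/);
   } elsif ($ThisLine =~ /MSWinEventLog\t/) {   # Snare 3
      @Fields = ($ThisLine =~ /MSWinEventLog\t(\d+)\t$SnareFields/);
   }
   my ($Criticality, $SourceName, $DateTime, $EventID, $Application, $UserName,
       $SIDType, $EventLogType, $Hostname, $CategoryString, $DataString,
       $ExpandedString, $Extra) = @Fields;

   # Neither format matched, or the record ends before the Hostname field.
   if (!defined $Hostname) {
      print STDERR "Cannot parse $ThisLine\n";
      next;
   }

   # Informational events are noise, except a BlueScreen record, which
   # Windows logs at that level.
   next if $EventLogType eq "Information" and $ExpandedString !~ /BlueScreen/;

   # Userenv (profile / group policy) messages only make sense with the user.
   if ($Application =~ /Userenv/) {
      $ExpandedString = "$UserName $ExpandedString";
   }

   next if grep { $Application =~ $_->[0] and $ExpandedString =~ $_->[1] } @Ignore;

   # Link to the eventid.net page for this event. Both values come straight
   # from the log record, so let query_form() percent-encode them instead of
   # interpolating them into the query string.
   my $url = URI::URL->new("http://www.eventid.net/display.asp");
   $url->query_form(eventid => $EventID, source => $Application);

   # $Hostname and $ExpandedString are the remote host's own data; Logwatch
   # prints this text as-is, so the report shows exactly what was logged.
   $Applications{$Application}{"$Hostname $ExpandedString\n$url"}++;
}

if (keys %Applications) {
   foreach my $App (sort keys %Applications) {
      print "\n$App\n";
      my $Events = $Applications{$App};
      foreach my $Error (sort keys %$Events) {
         print " $Error : $Events->{$Error} Times\n";
      }
   }
}

exit(0);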
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: