##########################################################################
# $Id$
##########################################################################
# $Log: evtsystem,v $
# Revision 1.3 2008/06/30 23:07:51 kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.2 2008/03/24 23:31:26 kirk
# added copyright/license notice to each script
#
# Revision 1.1 2007/04/28 22:50:24 bjorn
# Added files for Windows Event Log, by Orion Poplawski. These are for
# Windows events logged to a server, using Snare Agent or similar.
#
##########################################################################
########################################################
## Copyright (c) 2008 Orion Poplawski
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
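use strict;
use warnings;

# Logwatch filter for Windows System/Application event records that reach
# the syslog server from the Snare agent, in either the Snare 3 framing
# ("MSWinEventLog<TAB>crit<TAB>source...") or the Snare 4 framing
# ("MSWinEventLog[crit]:source<TAB>...").  Lines arrive on STDIN, routine
# noise is dropped, and a per-source tally plus a Windows Update summary is
# printed.  The message patterns below are for English event text; records
# from a localised Windows will not match any rule and are reported as-is.
#
# Every field used here - hostname, event source, user and message text - is
# taken from the record itself, i.e. from whatever the Windows host (or
# anything that can reach the syslog port claiming to be it) sent.  Nothing
# is verified against the syslog envelope.  These strings are only ever
# printed or used as hash keys; they are never interpolated into regexes,
# shell commands or file names.

# Detail level requested by logwatch: 0 (default), 5 (medium) or 10 (high).
# A rule guarded with "... and $Detail < N" hides its message below level N.
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# $Systems{$source}{"$host $message"} = number of occurrences seen.
my %Systems;
# Windows Update bookkeeping, keyed by the reporting host.
my %UpdatesReadyForInstall;   # host -> scheduled install time -> update list
my %UpdatesInstalled;         # host -> [ update name, ... ]
my %RestartRequired;          # host -> 1

# Delete C0 control characters (other than TAB, LF and CR) and DEL from one
# raw record.  Snare forwards event text verbatim, so any process that can
# write to the remote event log (an "Application popup: Message from ...",
# a crafted service name, ...) can embed an ESC sequence that a terminal or
# mail client would act on when this report is displayed.  TAB (the field
# separator) and the line terminator are kept so parsing is unaffected;
# printable and multi-byte UTF-8 text passes through unchanged.
#
# $text: the line as read from STDIN (may be undef).
# Returns the cleaned copy (or undef for undef input).
sub sanitize_event_text {
   my ($text) = @_;
   return $text unless defined $text;
   $text =~ tr/\x00-\x08\x0b\x0c\x0e-\x1f\x7f//d;
   return $text;
}

# Split one Snare-formatted line into its tab-separated event fields.
#
# $line: one (sanitised) record.
# Returns a hashref with the keys Criticality, SourceName, DateTime, EventID,
# System, UserName, SIDType, EventLogType, Hostname, CategoryString,
# DataString, ExpandedString and Extra, or nothing (undef in scalar context)
# when the line is in neither the Snare 3 nor the Snare 4 framing.  The
# unnamed numeric field after SourceName is Snare's own record counter and
# is skipped.  The last four fields are optional because short messages
# leave them empty; a successful match always yields all thirteen values
# (possibly ""), so "matched" and "every field defined" are the same test.
sub parse_snare_line {
   my ($line) = @_;
   my @fields;
   if ($line =~ /MSWinEventLog\[/) {        # Snare 4
      @fields = ($line =~ /MSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
   } elsif ($line =~ /MSWinEventLog\t/) {   # Snare 3
      @fields = ($line =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
   }
   return unless @fields;
   my %ev;
   @ev{qw(Criticality SourceName DateTime EventID System UserName SIDType
          EventLogType Hostname CategoryString DataString ExpandedString Extra)} = @fields;
   return \%ev;
}

# Run the noise filters over one parsed record and tally it if it survives.
# Rules are evaluated in the order written and the first match wins, so the
# source-specific sections take precedence over the generic start/stop
# catch-alls at the end.  Windows Update events are not tallied; they are
# collected into the %Updates* hashes for the summary instead.
#
# $ev: hashref as returned by parse_snare_line().
# Returns nothing; updates %Systems, %UpdatesReadyForInstall,
# %UpdatesInstalled and %RestartRequired.
sub process_event {
   my ($ev) = @_;
   my $System         = $ev->{System};
   my $Hostname       = $ev->{Hostname};
   my $ExpandedString = $ev->{ExpandedString};

   if ($System eq "Application Popup") {
      # Routine shutdown and deployment-tool popups.  "Message from <x>:" is
      # free text sent by another machine, so only these fixed wordings are
      # dropped; any other popup is still reported.
      return if $ExpandedString =~ /Initialization Failed : The application failed to initialize because the window station is shutting down/;
      return if $ExpandedString =~ /^Application popup: Windows : Other people are logged on to this computer. Shutting down Windows might cause them to lose data\. Do you want to continue shutting down\?$/;
      return if $ExpandedString =~ /^Application popup: Message from .*: Automatic software deployment is currently updating your system\. Please save all your documents as the the system might reboot without further notice\. Thank you\./;
      return if $ExpandedString =~ /^Application popup: Message from .*: The automated software installation utility has completed installing or updating software on your system\. No reboot was necessary\. All updates are complete\./;
   }

   if ($System eq "BTHUSB") {
      #Med Detail
      return if $ExpandedString =~ /^Windows cannot store Bluetooth authentication codes \(link keys\) on the local adapter\. Bluetooth keyboards might not work in the system BIOS during startup\.$/ and $Detail < 5;
   }

   # Unanchored substring match: any source whose name contains "EventLog".
   if ($System =~ /EventLog/) {
      # Boot/shutdown bookkeeping.  Note that "Event log service was
      # stopped" is dropped unconditionally, including when it happens
      # outside a shutdown; correlate with the Kernel-General records at
      # high detail if that matters to you.
      return if $ExpandedString =~ /Microsoft \(R\) Windows \(R\) \d+\.\d+\. \d+ Service Pack \d/;
      return if $ExpandedString =~ /^The Event log service was started./;
      return if $ExpandedString =~ /^The Event log service was stopped./;
      return if $ExpandedString =~ /^The system uptime is \d+ seconds/;
   }

   # Unanchored substring match, as above.
   if ($System =~ /LsaSrv/) {
      # Cached-credential eviction; happens whenever the cache is full.
      return if $ExpandedString =~ /^A logon cache entry for user .* was the oldest entry and was removed\. The timestamp of this entry was/;
   }

   if ($System eq "Microsoft-Windows-Application-Experience") {
      return if $ExpandedString eq "The Program Compatibility Assistant service successfully performed phase two initialization.";
   }

   if ($System eq "Microsoft-Windows-DfsSvc") {
      return if $ExpandedString =~ /^DFS has finished building all namespaces\.$/;
      return if $ExpandedString =~ /^DFS server has finished initializing\.$/;
   }

   if ($System eq "Microsoft-Windows-FilterManager") {
      return if $ExpandedString =~ /^File System Filter .* has successfully loaded and registered with Filter Manager\.$/;
   }

   if ($System eq "Microsoft-Windows-Iphlpsvc") {
      #High Detail
      return if $ExpandedString =~ /^Isatap interface .* with address .* has been brought up\.$/ and $Detail < 10;
      return if $ExpandedString =~ /^Isatap interface .* is no longer active\.$/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-Kernel-General") {
      #High Detail
      return if $ExpandedString =~ /^The operating system started at system time/ and $Detail < 10;
      return if $ExpandedString =~ /^The operating system is shutting down at system time/ and $Detail < 10;
      # A clock change is shown at high detail rather than always dropped:
      # a jump breaks the event timeline (and Kerberos) and is a classic
      # sign of tampering.  Routine NTP adjustments log this too, which is
      # why it stays hidden below level 10.
      # TODO: parse the two timestamps in the message and warn at every
      # detail level when the difference is large.
      return if $ExpandedString =~ /^The system time has changed to .* from/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-Kernel-Power") {
      #High Detail
      return if $ExpandedString =~ /^The system is entering sleep/ and $Detail < 10;
      return if $ExpandedString =~ /^The kernel power manager has initiated a shutdown transition\.$/ and $Detail < 10;
      #Ignore these
      return if $ExpandedString =~ /^ACPI thermal zone .* has been enumerated/;
      return if $ExpandedString =~ /^Processor \d+ in group \d+ exposes the following power management capabilities/;
   }

   if ($System eq "Microsoft-Windows-Kernel-Processor-Power") {
      return if $ExpandedString =~ /^Processor \d+ in group \d+ exposes the following:/;
   }

   if ($System eq "Microsoft-Windows-GroupPolicy") {
      # "No changes" is never interesting; "N GPOs applied" is shown from
      # medium detail upwards because a policy change is worth a look.
      return if $ExpandedString =~ /^The Group Policy settings for the (computer|user) were processed successfully\. There were no changes detected since the last successful processing of Group Policy\.$/;
      return if $ExpandedString =~ /^The Group Policy settings for the (computer|user) were processed successfully\. New settings from \d+ Group Policy objects were detected and applied\.$/ and $Detail == 0;
   }

   if ($System eq "Microsoft-Windows-Ntfs") {
      return if $ExpandedString =~ /^Volume .* is healthy\. No action is needed\.$/;
   }

   if ($System eq "Microsoft-Windows-Power-Troubleshooter") {
      #High Detail
      return if $ExpandedString =~ /^The system has resumed from sleep/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-Time-Service") {
      #High Detail
      return if $ExpandedString =~ /^The time provider NtpClient is currently receiving valid time data from/ and $Detail < 10;
      return if $ExpandedString =~ /^The time service is now synchronizing the system time with the time source/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-WAS") {
      #High Detail
      return if $ExpandedString =~ /^A worker process with process id of .* serving application pool .* has requested a recycle because the worker process reached its allowed processing time limit/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-WindowsUpdateClient" or
       $System eq "Windows Update Agent") {
      #High Detail
      return if $ExpandedString =~ /^Automatic Updates is now paused\.$/ and $Detail < 10;

      # Collected for the "Windows Update Summary" section instead of the
      # per-source tally.
      if (my ($InstallDateTime, $Updates) = $ExpandedString =~ /^Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on (.*): - (.*)$/) {
         $UpdatesReadyForInstall{$Hostname}->{$InstallDateTime} = $Updates;
         return;
      }
      if (my ($Update) = $ExpandedString =~ /^Installation Successful: Windows successfully installed the following update: (.*)$/) {
         push(@{$UpdatesInstalled{$Hostname}}, $Update);
         return;
      }
      if ($ExpandedString =~ /^Restart Required:/) {
         $RestartRequired{$Hostname} = 1;
         return;
      }
   }

   if ($System eq "Microsoft-Windows-Winlogon") {
      #High Detail
      return if $ExpandedString =~ /User \w+ Notification for Customer Experience Improvement Program/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-WinRM") {
      #High Detail
      return if $ExpandedString =~ /^The WinRM service is listening for WS-Management requests/ and $Detail < 10;
   }

   if ($System eq "Service Control Manager") {
      # Dropped at every detail level; a service that stops unexpectedly
      # uses a different wording and is still reported.
      return if $ExpandedString =~ /^The (.*) service entered the running state\./;
      return if $ExpandedString =~ /^The (.*) service entered the stopped state\./;
      return if $ExpandedString =~ /^The (.*) service was successfully sent a start control\./;
      return if $ExpandedString =~ /^The (.*) service was successfully sent a stop control\./;
   }

   if ($System eq "USER32") {
      #High Detail
      return if $ExpandedString =~ /^The process .* has initiated the power off of computer \w+ on behalf of user .* for the following reason: .*$/ and $Detail < 10;
   }

   if ($System eq "Virtual Disk Service") {
      #High Detail
      return if $ExpandedString =~ /Service (started|stopped)/ and $Detail < 10;
   }

   if ($System eq "atikmdag") {
      #Ignore these
      return if $ExpandedString =~ /^UVD Information$/;
      #High Detail
      return if $ExpandedString =~ /^Display is not active$/ and $Detail < 10;
   }

   if ($System eq "volsnap") {
      #Med Detail
      return if $ExpandedString =~ /^The oldest shadow copy of volume .* was deleted to keep disk space usage for shadow copies of volume .* below the user defined limit\.$/ and $Detail < 5;
   }

   # Generic start/stop chatter from any source not handled above.  These
   # are deliberately loose and case-insensitive where marked; in particular
   # "service .* (started|stopped)" also hides e.g. an antivirus or backup
   # agent's own "... service has stopped" notice at the default level, so
   # run at detail 10 when investigating a host.
   return if $ExpandedString =~ /client service is started$/ and $Detail < 10;
   return if $ExpandedString =~ /started successfully\.$/ and $Detail < 10;
   return if $ExpandedString =~ /has successfully (?:started|stopped)\./ and $Detail < 10;
   return if $ExpandedString =~ /service .* (?:started|stopped)/i and $Detail < 10;
   return if $ExpandedString =~ /Module has (?:started|stopped)/ and $Detail < 10;
   return if $ExpandedString =~ /Driver initialized successfully\.$/ and $Detail < 10;
   return if $ExpandedString =~ /Network controller configured for .* link\.$/ and $Detail < 10;
   return if $ExpandedString =~ /^The driver package installation has succeeded\.$/ and $Detail < 10;
   return if $ExpandedString =~ /^The .* service entered the .* state/ and $Detail < 10;
   # Shutdowns initiated by a process are shown from medium detail up
   # (USER32 above already hides the plain "power off" form below level 10).
   return if $ExpandedString =~ /^The process .* has initiated the (?:power off|restart|shutdown) of computer .* on behalf of user .* for the following reason/ and $Detail < 5;
   return if $ExpandedString =~ /^UVD Information$/;
   return if $ExpandedString =~ /Link has been established:/;

   # Everything else is reported, grouped by source and counted per host+text.
   $Systems{$System}->{"$Hostname $ExpandedString"}++;
   return;
}

# Print the report: WER system-error records first under their own heading,
# then every other source alphabetically, then the Windows Update summary.
# Returns nothing; empties the WER entry from %Systems as a side effect.
sub print_report {
   # Records from the Windows Error Reporting system-error source go first,
   # under their own heading, so they are not buried in the listing below.
   my $WerSource = "Microsoft-Windows-WER-SystemErrorReporting";
   if (defined($Systems{$WerSource})) {
      print "\nSYSTEM ERRORS!:\n";
      foreach my $Error (sort(keys %{$Systems{$WerSource}})) {
         print " $Error : $Systems{$WerSource}->{$Error} Times\n";
      }
      delete($Systems{$WerSource});
   }
   print "\n";

   if (keys %Systems) {
      foreach my $System (sort(keys %Systems)) {
         print "\n$System\n";
         foreach my $Error (sort(keys %{$Systems{$System}})) {
            print " $Error : $Systems{$System}->{$Error} Times\n";
         }
      }
   }

   # %RestartRequired is part of the condition: a "Restart Required" event
   # is consumed by process_event() and appears nowhere else, so a host that
   # only reported a pending restart (no install in this run) would
   # otherwise vanish from the report.
   if (keys %UpdatesReadyForInstall or keys %UpdatesInstalled or keys %RestartRequired) {
      print "\nWindows Update Summary:\n";
      foreach my $Hostname (sort(keys %UpdatesReadyForInstall)) {
         foreach my $InstallDateTime (sort(keys %{$UpdatesReadyForInstall{$Hostname}})) {
            print " Updates ready for install on $Hostname on $InstallDateTime:\n";
            print " $UpdatesReadyForInstall{$Hostname}->{$InstallDateTime}\n";
         }
      }
      foreach my $Hostname (sort(keys %UpdatesInstalled)) {
         print " Updates successfully installed on $Hostname:\n";
         foreach my $Update (@{$UpdatesInstalled{$Hostname}}) {
            print " $Update\n";
         }
      }
      print " Restart required on hosts: " if keys %RestartRequired;
      foreach my $Hostname (sort(keys %RestartRequired)) {
         print "$Hostname ";
      }
      print "\n";
   }
   return;
}

# Filter entry point: read Snare records from STDIN, tally, print the report.
# Unparsable lines are echoed (sanitised) to STDERR so they show up in the
# logwatch run without being mistaken for event text.
sub main {
   while (defined(my $ThisLine = <STDIN>)) {
      $ThisLine = sanitize_event_text($ThisLine);
      my $ev = parse_snare_line($ThisLine);
      if (!defined($ev)) {
         print STDERR "Cannot parse $ThisLine";
         next;
      }
      process_event($ev);
   }
   print_report();
   return;
}

# Run as a filter when executed directly (logwatch pipes the log into us);
# stay inert when loaded with require/do, e.g. by a test.
main() unless caller;

1;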
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: