##########################################################################

# $Id$

##########################################################################

# $Log: evtsystem,v $

# Revision 1.3  2008/06/30 23:07:51  kirk

# fixed copyright holders for files where I know who they should be

#

# Revision 1.2  2008/03/24 23:31:26  kirk

# added copyright/license notice to each script

#

# Revision 1.1  2007/04/28 22:50:24  bjorn

# Added files for Windows Event Log, by Orion Poplawski.  These are for

# Windows events logged to a server, using Snare Agent or similar.

#

##########################################################################

########################################################

## Copyright (c) 2008 Orion Poplawski

## Covered under the included MIT/X-Consortium License:

##    http://www.opensource.org/licenses/mit-license.php

## All modifications and contributions by other persons to

## this script are assumed to have been donated to the

## Logwatch project and thus assume the above copyright

## and licensing terms.  If you want to make contributions

## under your own copyright or a different license this

## must be explicitly stated in the contribution an the

## Logwatch project reserves the right to not accept such

## contributions.  If you have made significant

## contributions to this script and want to claim

## copyright please contact logwatch-devel@lists.sourceforge.net.

#########################################################

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

while (defined($ThisLine = <STDIN>)) {

   my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$CategoryString,$DataString,$ExpandedString,$Extra);

   #Determine format

   if ($ThisLine =~ /MSWinEventLog\[/) {  # Snare 4

      #Parse

      ($Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =

         ($ThisLine =~ /MSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);

   } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3

      #Parse

      ($Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =

         ($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);

   }

   if (!defined($Hostname)) {

      print STDERR "Cannot parse $ThisLine";

      next;

   }

   #print STDERR "ExpandedString = $ExpandedString\n";

   if ($System eq "Application Popup") {

      #Ignore these

      next if $ExpandedString =~ /Initialization Failed : The application failed to initialize because the window station is shutting down/;

      next if $ExpandedString =~ /^Application popup: Windows : Other people are logged on to this computer. Shutting down Windows might cause them to lose data\.    Do you want to continue shutting down\?$/;

      next if $ExpandedString =~ /^Application popup: Message from .*: Automatic software deployment is currently updating your system\. Please save all your documents as the the system might reboot without further notice\. Thank you\./;

      next if $ExpandedString =~ /^Application popup: Message from .*: The automated software installation utility has completed installing or updating software on your system\. No reboot was necessary\. All updates are complete\./;

   }

   if ($System eq "BTHUSB") {

      next if $ExpandedString =~ /^Windows cannot store Bluetooth authentication codes \(link keys\) on the local adapter\. Bluetooth keyboards might not work in the system BIOS during startup\.$/ and $Detail < 5;

   }

   if ($System =~ "EventLog") {

      #Ignore these

      next if $ExpandedString =~ /Microsoft \(R\) Windows \(R\) \d+\.\d+\. \d+ Service Pack \d/;

      next if $ExpandedString =~ /^The Event log service was started./;

      next if $ExpandedString =~ /^The Event log service was stopped./;

      next if $ExpandedString =~ /^The system uptime is \d+ seconds/;

   }

   if ($System =~ "LsaSrv") {

      #Ignore these

      next if $ExpandedString =~ /^A logon cache entry for user .* was the oldest entry and was removed\. The timestamp of this entry was/;

   }

   if ($System eq "Microsoft-Windows-Application-Experience") {

      #Ignore these

      next if $ExpandedString eq "The Program Compatibility Assistant service successfully performed phase two initialization.";

   }

   if ($System eq "Microsoft-Windows-DfsSvc") {

      #Ignore these

      next if $ExpandedString =~ /^DFS has finished building all namespaces\.$/;

      next if $ExpandedString =~ /^DFS server has finished initializing\.$/;

   }

   if ($System eq "Microsoft-Windows-FilterManager") {

      #Ignore these

      next if $ExpandedString =~ /^File System Filter .* has successfully loaded and registered with Filter Manager\.$/;

   }

   if ($System eq "Microsoft-Windows-Iphlpsvc") {

      #High Detail

      next if $ExpandedString =~ /^Isatap interface .* with address .* has been brought up\.$/ and $Detail < 10;

      next if $ExpandedString =~ /^Isatap interface .* is no longer active\.$/ and $Detail < 10;

   }

   if ($System eq "Microsoft-Windows-Kernel-General") {

      #High Detail

      next if $ExpandedString =~ /^The operating system started at system time/ and $Detail < 10;

      next if $ExpandedString =~ /^The operating system is shutting down at system time/ and $Detail < 10;

      #TODO - We should warn is this is big

      next if $ExpandedString =~ /^The system time has changed to .* from/;

   }

   if ($System eq "Microsoft-Windows-Kernel-Power") {

      #High Detail

      next if $ExpandedString =~ /^The system is entering sleep/ and $Detail < 10;

      next if $ExpandedString =~ /^The kernel power manager has initiated a shutdown transition\.$/ and $Detail < 10;

      #Ignore these

      next if $ExpandedString =~ /^ACPI thermal zone .* has been enumerated/;

      next if $ExpandedString =~ /^Processor \d+ in group \d+ exposes the following power management capabilities/;

   }

   if ($System eq "Microsoft-Windows-Kernel-Processor-Power") {

      #Ignore these

      next if $ExpandedString =~ /^Processor \d+ in group \d+ exposes the following:/;

   }

   if ($System eq "Microsoft-Windows-GroupPolicy") {

      #Ignore these

      next if $ExpandedString =~ /^The Group Policy settings for the (computer|user) were processed successfully\. There were no changes detected since the last successful processing of Group Policy\.$/;

      next if $ExpandedString =~ /^The Group Policy settings for the (computer|user) were processed successfully\. New settings from \d+ Group Policy objects were detected and applied\.$/ and $Detail == 0;

   }

   if ($System eq "Microsoft-Windows-Ntfs") {

      #Ignore these

      next if $ExpandedString =~ /^Volume .* is healthy\.  No action is needed\.$/;

   }

   if ($System eq "Microsoft-Windows-Power-Troubleshooter") {

      #High Detail

      next if $ExpandedString =~ /^The system has resumed from sleep/ and $Detail < 10;

   }

   if ($System eq "Microsoft-Windows-Time-Service") {

      #High Detail

      next if $ExpandedString =~ /^The time provider NtpClient is currently receiving valid time data from/ and $Detail < 10;

      next if $ExpandedString =~ /^The time service is now synchronizing the system time with the time source/ and $Detail < 10;

   }

   if ($System eq "Microsoft-Windows-WAS") {

      #High Detail

      next if $ExpandedString =~ /^A worker process with process id of .* serving application pool .* has requested a recycle because the worker process reached its allowed processing time limit/ and $Detail < 10;

   }

   if ($System eq "Microsoft-Windows-WindowsUpdateClient" or

       $System eq "Windows Update Agent") {

      #High Detail

      next if $ExpandedString =~ /^Automatic Updates is now paused\.$/ and $Detail < 10;

      #Updates

      if (($InstallDateTime, $Updates) = $ExpandedString =~ /^Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on (.*):  - (.*)$/) {

          $UpdatesReadyForInstall{$Hostname}->{$InstallDateTime} = $Updates;

          next;

      }

      if (($Update) = $ExpandedString =~ /^Installation Successful: Windows successfully installed the following update: (.*)$/) {

          push(@{$UpdatesInstalled{$Hostname}},$Update);

          next;

      }

      if ($ExpandedString =~ /^Restart Required:/) {

          $RestartRequired{$Hostname} = 1;

          next;

      }

   }

   if ($System eq "Microsoft-Windows-Winlogon") {

      #High Detail

      next if $ExpandedString =~ /User \w+ Notification for Customer Experience Improvement Program/ and $Detail < 10;

   }

   if ($System eq "Microsoft-Windows-WinRM") {

      #High Detail

      next if $ExpandedString =~ /^The WinRM service is listening for WS-Management requests/ and $Detail < 10;

   }

   if ($System eq "Service Control Manager") {

      #Ignore these

      next if $ExpandedString =~ /^The (.*) service entered the running state\./;

      next if $ExpandedString =~ /^The (.*) service entered the stopped state\./;

      next if $ExpandedString =~ /^The (.*) service was successfully sent a start control\./;

      next if $ExpandedString =~ /^The (.*) service was successfully sent a stop control\./;

   }

   if ($System eq "USER32") {

      #High Detail

      next if $ExpandedString =~ /^The process .* has initiated the power off of computer \w+ on behalf of user .* for the following reason: .*$/ and $Detail < 10;

   }

   if ($System eq "Virtual Disk Service") {

      #High Detail

      next if $ExpandedString =~ /Service (started|stopped)/ and $Detail < 10;

   }

   if ($System eq "atikmdag") {

      #Ignore these

      next if $ExpandedString =~ /^UVD Information$/;

      #High Detail

      next if $ExpandedString =~ /^Display is not active$/ and $Detail < 10;

   }

   if ($System eq "volsnap") {

      #Med Detail

      next if $ExpandedString =~ /^The oldest shadow copy of volume .* was deleted to keep disk space usage for shadow copies of volume .* below the user defined limit\.$/ and $Detail < 5;

   }

   next if $ExpandedString =~ /client service is started$/ and $Detail < 10;

   next if $ExpandedString =~ /started successfully\.$/ and $Detail < 10;

   next if $ExpandedString =~ /has successfully (?:started|stopped)\./ and $Detail < 10;

   next if $ExpandedString =~ /service .* (?:started|stopped)/i and $Detail < 10;

   next if $ExpandedString =~ /Module has (?:started|stopped)/ and $Detail < 10;

   next if $ExpandedString =~ /Driver initialized successfully\.$/ and $Detail < 10;

   next if $ExpandedString =~ /Network controller configured for .* link\.$/ and $Detail < 10;

   next if $ExpandedString =~ /^The driver package installation has succeeded\.$/ and $Detail < 10;

   next if $ExpandedString =~ /^The .* service entered the .* state/ and $Detail < 10;

   next if $ExpandedString =~ /^The process .* has initiated the (?:power off|restart|shutdown) of computer .* on behalf of user .* for the following reason/ and $Detail < 5;

   next if $ExpandedString =~ /^UVD Information$/;

   next if $ExpandedString =~ /Link has been established:/;

   # Add to the list

   $Systems{$System}->{"$Hostname $ExpandedString"}++;

}

# Handle high priority errors first

$System = "Microsoft-Windows-WER-SystemErrorReporting";

if (defined($Systems{$System})) {

   print "\nSYSTEM ERRORS!:\n";

   foreach $Error (sort(keys %{$Systems{$System}})) {

      print "    $Error : $Systems{$System}->{$Error} Times\n";

   }

   delete($Systems{$System});

}

print "\n";

if (keys %Systems) {

   foreach $System (sort(keys %Systems)) {

      print "\n$System\n";

      foreach $Error (sort(keys %{$Systems{$System}})) {

         print "    $Error : $Systems{$System}->{$Error} Times\n";

      }

   }

}

if (keys %UpdatesReadyForInstall or keys %UpdatesInstalled) {

   print "\nWindows Update Summary:\n";

   foreach $Hostname (sort(keys %UpdatesReadyForInstall)) {

      foreach $InstallDateTime (sort(keys %{$UpdatesReadyForInstall{$Hostname}})) {

         print "    Updates ready for install on $Hostname on $InstallDateTime:\n"; 

         print "        $UpdatesReadyForInstall{$Hostname}->{$InstallDateTime}\n";

      }

   }

   foreach $Hostname (sort(keys %UpdatesInstalled)) {

      print "    Updates successfully installed on $Hostname:\n";

      foreach $Update (@{$UpdatesInstalled{$Hostname}}) {

          print "        $Update\n";

      }

   }

   print "    Restart required on hosts: " if keys %RestartRequired;

   foreach $Hostname (sort(keys %RestartRequired)) {

      print "$Hostname ";

   }

   print "\n";

}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et

# Local Variables:

# mode: perl

# perl-indent-level: 3

# indent-tabs-mode: nil

# End: