##########################################################################
# $Id$
##########################################################################
# $Log: evtapplication,v $
# Revision 1.3 2008/06/30 23:07:51 kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.2 2008/03/24 23:31:26 kirk
# added copyright/license notice to each script
#
# Revision 1.1 2007/04/28 22:50:24 bjorn
# Added files for Windows Event Log, by Orion Poplawski. These are for
# Windows events logged to a server, using Snare Agent or similar.
##########################################################################
########################################################
## Copyright (c) 2008 Orion Poplawski
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use URI::URL;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
while (defined($ThisLine = <STDIN>)) {
my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra);
#Determine format
if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4
#Parse
($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
($ThisLine =~ /(\S+)\sMSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
} elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3
#Parse
($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
}
if (!defined($Hostname)) {
print STDERR "Cannot parse $ThisLine";
next;
}
next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen";
#print STDERR "ExpandedString = $ExpandedString\n";
if ($Application =~ /Userenv/) {
$ExpandedString = "$UserName $ExpandedString";
}
if ($Application =~ /AutoEnrollment/) {
#Ignore these - we don't run active directory
next if $ExpandedString =~ /Automatic certificate enrollment for local system failed to contact the active directory/;
}
if ($Application =~ /Intel Alert/) {
#Ignore these
next if $ExpandedString =~ /Intel Alert Originator Manager loaded without security/;
next if $ExpandedString =~ /Service Initialized Successfully/;
}
if ($Application =~ /LoadPerf/) {
#Ignore these
next if $ExpandedString =~ /Performance counters for the .* service were loaded successfully/;
next if $ExpandedString =~ /Performance counters for the .* service were removed successfully/;
}
if ($Application =~ /NSCTOP/) {
#Ignore these
next if $ExpandedString =~ /Service started/;
}
if ($Application =~ /Norton Ghost/) {
#Ignore these
next if $ExpandedString =~ /Norton Ghost service started successfully/;
next if $ExpandedString =~ /A scheduled baseline backup of .* completed successfully/;
next if $ExpandedString =~ /A scheduled incremental backup of .* completed successfully/;
}
if ($Application =~ /SNARE/) {
#Ignore these
next if $ExpandedString =~ /The service was started/;
next if $ExpandedString =~ /The service was stopped/;
}
if ($Application =~ /SecurityCenter/) {
#Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1
next if $ExpandedString =~ /The Security Center service has been stopped. It was prevented from running by a software group policy/;
}
if ($Application =~ /Symantec AntiVirus/) {
#Ignore these
next if $ExpandedString =~ /Symantec AntiVirus services startup was successful/;
next if $ExpandedString =~ /Scan Complete: Risks: 0/;
next if $ExpandedString =~ /Scan started on all drives and all extensions/;
next if $ExpandedString =~ /Scan started on selected drives and folders and all extensions/;
next if $ExpandedString =~ /Download of virus definition file from LiveUpdate server succeeded/;
next if $ExpandedString =~ /Virus definitions are current/;
next if $ExpandedString =~ /Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/;
}
if ($Application =~ /cc.*Mgr/) {
#Ignore these
next if $ExpandedString =~ /service is starting/;
next if $ExpandedString =~ /service has started/;
}
my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application");
my $urlstr = $url->abs;
$Applications{$Application}->{"$Hostname $ExpandedString\n$url"}++;
}
if (keys %Applications) {
foreach $Application (sort(keys %Applications)) {
print "\n$Application\n";
foreach $Error (sort(keys %{$Applications{$Application}})) {
print " $Error : $Applications{$Application}->{$Error} Times\n";
}
}
}
exit(0);
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: