########################################################################## # $Id$ ########################################################################## # $Log: evtapplication,v $ # Revision 1.3 2008/06/30 23:07:51 kirk # fixed copyright holders for files where I know who they should be # # Revision 1.2 2008/03/24 23:31:26 kirk # added copyright/license notice to each script # # Revision 1.1 2007/04/28 22:50:24 bjorn # Added files for Windows Event Log, by Orion Poplawski. These are for # Windows events logged to a server, using Snare Agent or similar. ########################################################################## ######################################################## ## Copyright (c) 2008 Orion Poplawski ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use URI::URL; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; while (defined($ThisLine = )) { my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra); #Determine format if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4 #Parse ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = ($ThisLine =~ /(\S+)\sMSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/); } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3 #Parse ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = ($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/); } if (!defined($Hostname)) { print STDERR "Cannot parse $ThisLine"; next; } next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen"; #print STDERR "ExpandedString = $ExpandedString\n"; if ($Application =~ /Userenv/) { $ExpandedString = "$UserName $ExpandedString"; } if ($Application =~ /AutoEnrollment/) { #Ignore these - we don't run active directory next if $ExpandedString =~ /Automatic certificate enrollment for local system failed to contact the active directory/; } if ($Application =~ /Intel Alert/) { #Ignore these next if $ExpandedString =~ /Intel Alert Originator Manager loaded without security/; next if $ExpandedString =~ /Service Initialized Successfully/; } if ($Application =~ /LoadPerf/) { #Ignore these next if $ExpandedString =~ /Performance counters for the .* service were loaded successfully/; next if $ExpandedString =~ /Performance counters for the .* service were removed successfully/; } if ($Application =~ /NSCTOP/) { #Ignore these next if $ExpandedString =~ /Service started/; } if ($Application =~ /Norton Ghost/) { #Ignore these next if $ExpandedString =~ /Norton Ghost service started successfully/; next if $ExpandedString =~ /A scheduled baseline backup of .* completed successfully/; next if $ExpandedString =~ /A scheduled incremental backup of .* completed successfully/; } if ($Application =~ /SNARE/) { #Ignore these next if $ExpandedString =~ /The service was started/; next if $ExpandedString =~ /The service was stopped/; } if ($Application =~ /SecurityCenter/) { #Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1 next if $ExpandedString =~ /The Security Center service has been stopped. It was prevented from running by a software group policy/; } if ($Application =~ /Symantec AntiVirus/) { #Ignore these next if $ExpandedString =~ /Symantec AntiVirus services startup was successful/; next if $ExpandedString =~ /Scan Complete: Risks: 0/; next if $ExpandedString =~ /Scan started on all drives and all extensions/; next if $ExpandedString =~ /Scan started on selected drives and folders and all extensions/; next if $ExpandedString =~ /Download of virus definition file from LiveUpdate server succeeded/; next if $ExpandedString =~ /Virus definitions are current/; next if $ExpandedString =~ /Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/; } if ($Application =~ /cc.*Mgr/) { #Ignore these next if $ExpandedString =~ /service is starting/; next if $ExpandedString =~ /service has started/; } my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application"); my $urlstr = $url->abs; $Applications{$Application}->{"$Hostname $ExpandedString\n$url"}++; } if (keys %Applications) { foreach $Application (sort(keys %Applications)) { print "\n$Application\n"; foreach $Error (sort(keys %{$Applications{$Application}})) { print " $Error : $Applications{$Application}->{$Error} Times\n"; } } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: