##########################################################################
# $Id: evtapplication,v 1.1 2007/04/28 22:50:24 bjorn Exp $
##########################################################################
# $Log: evtapplication,v $
# Revision 1.1 2007/04/28 22:50:24 bjorn
# Added files for Windows Event Log, by Orion Poplawski. These are for
# Windows events logged to a server, using Snare Agent or similar.
#
##########################################################################
use URI::URL;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
while (defined($ThisLine = <STDIN>)) {
#Parse
my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$ComputerName,$CategoryString,$DataString,$ExpandedString,$Extra) =
($ThisLine =~ /(\w+)\sMSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
if (!defined($Hostname)) {
print STDERR "Cannot parse $ThisLine";
next;
}
next if $EventLogType eq "Information";
#print STDERR "ExpandedString = $ExpandedString\n";
if ($Application =~ /Userenv/) {
$ExpandedString = "$UserName $ExpandedString";
}
if ($Application =~ /AutoEnrollment/) {
#Ignore these - we don't run active directory
next if $ExpandedString =~ /Automatic certificate enrollment for local system failed to contact the active directory/;
}
if ($Application =~ /Intel Alert/) {
#Ignore these
next if $ExpandedString =~ /Intel Alert Originator Manager loaded without security/;
next if $ExpandedString =~ /Service Initialized Successfully/;
}
if ($Application =~ /LoadPerf/) {
#Ignore these
next if $ExpandedString =~ /Performance counters for the .* service were loaded successfully/;
next if $ExpandedString =~ /Performance counters for the .* service were removed successfully/;
}
if ($Application =~ /NSCTOP/) {
#Ignore these
next if $ExpandedString =~ /Service started/;
}
if ($Application =~ /Norton Ghost/) {
#Ignore these
next if $ExpandedString =~ /Norton Ghost service started successfully/;
next if $ExpandedString =~ /A scheduled baseline backup of .* completed successfully/;
next if $ExpandedString =~ /A scheduled incremental backup of .* completed successfully/;
}
if ($Application =~ /SNARE/) {
#Ignore these
next if $ExpandedString =~ /The service was started/;
next if $ExpandedString =~ /The service was stopped/;
}
if ($Application =~ /SecurityCenter/) {
#Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1
next if $ExpandedString =~ /The Security Center service has been stopped. It was prevented from running by a software group policy/;
}
if ($Application =~ /Symantec AntiVirus/) {
#Ignore these
next if $ExpandedString =~ /Symantec AntiVirus services startup was successful/;
next if $ExpandedString =~ /Scan Complete: Risks: 0/;
next if $ExpandedString =~ /Scan started on all drives and all extensions/;
next if $ExpandedString =~ /Scan started on selected drives and folders and all extensions/;
next if $ExpandedString =~ /Download of virus definition file from LiveUpdate server succeeded/;
next if $ExpandedString =~ /Virus definitions are current/;
next if $ExpandedString =~ /Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/;
}
if ($Application =~ /cc.*Mgr/) {
#Ignore these
next if $ExpandedString =~ /service is starting/;
next if $ExpandedString =~ /service has started/;
}
my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application");
my $urlstr = $url->abs;
$Applications{$Application}->{"$Hostname $ExpandedString\n$url"}++;
}
if (keys %Applications) {
foreach $Application (sort(keys %Applications)) {
print "\n$Application\n";
foreach $Error (sort(keys %{$Applications{$Application}})) {
print " $Error : $Applications{$Application}->{$Error} Times\n";
}
}
}
exit(0);
# vi: shiftwidth=3 tabstop=3 syntax=perl et
