########################################################################## # $Id: evtsecurity,v 1.1 2007/04/28 22:50:24 bjorn Exp $ ########################################################################## # $Log: evtsecurity,v $ # Revision 1.1 2007/04/28 22:50:24 bjorn # Added files for Windows Event Log, by Orion Poplawski. These are for # Windows events logged to a server, using Snare Agent or similar. # ########################################################################## my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; while (defined($ThisLine = <STDIN>)) { #Parse my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$SourceName2,$UserName,$SIDType,$EventLogType,$ComputerName,$CategoryString,$DataString,$ExpandedString,$Extra) = ($ThisLine =~ /(\w+) MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t(\w+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]*)\t([^\t]*)\t([^\t]*)/); if (!defined($Hostname)) { print STDERR "Cannot parse $ThisLine"; next; } if ($EventLogType eq "Success Audit") { $SucessAudits++; $SuccessAuditUsers{$UserName}++; } elsif ($EventLogType eq "Failure Audit") { $FailureAudits{"$Hostname $ExpandedString"}++; } else { # Report any unmatched entries... chomp($ThisLine); $OtherList{$ThisLine}++; } } if ($SucessAudits and ($Detail >=0) ) { print "\nSuccess Audits " . $SucessAudits . " Time(s)\n"; foreach $User (keys %SuccessAuditUsers) { print " $User : $SuccessAuditUsers{$User} Times\n"; } } if (keys %FailureAudits) { print "\nFailure Audits\n"; foreach $Error (keys %FailureAudits) { print " $Error : $FailureAudits{$Error} Times\n"; } } exit(0); if (keys %OtherList) { print "\n**** Unmatched entries ****\n"; foreach $Error (keys %OtherList) { print " $Error : $OtherList{$Error} Times\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et