##########################################################################
# $Id: evtsecurity,v 1.1 2007/04/28 22:50:24 bjorn Exp $
##########################################################################
# $Log: evtsecurity,v $
# Revision 1.1 2007/04/28 22:50:24 bjorn
# Added files for Windows Event Log, by Orion Poplawski. These are for
# Windows events logged to a server, using Snare Agent or similar.
#
##########################################################################
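use strict;
use warnings;

# Logwatch filter for Windows Security event-log records forwarded by a
# Snare (or similar) agent.  Records arrive on STDIN, one per line, and are
# tab separated.  They originate on remote hosts and are treated as
# untrusted text: a line is only counted if it matches the full expected
# layout below, and anything else is reported verbatim under "Unmatched".
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my $SuccessAudits = 0;      # total "Success Audit" records seen
my %SuccessAuditUsers;      # user name -> number of success audits
my %FailureAudits;          # "host expanded-string" -> number of failure audits
my %OtherList;              # unmatched line (chomped) -> number of occurrences

# One Snare MSWinEventLog record.  Capture order matches the field list
# unpacked in the loop below; the record counter after SourceName is not
# captured.  The pattern is deliberately left unanchored at the front so a
# prefix before the hostname does not prevent the match.
my $SnareRecord = qr{
   (\w+) [ ] MSWinEventLog \t  # 1: Hostname (literal space before the tag)
   (\d+) \t                    # 2: Criticality
   (\w+) \t                    # 3: SourceName
   \d+ \t                      #    record counter, not captured
   ([^\t]+) \t                 # 4: DateTime
   (\d+) \t                    # 5: EventID
   (\w+) \t                    # 6: SourceName2
   ([^\t]+) \t                 # 7: UserName
   ([^\t]+) \t                 # 8: SIDType
   ([^\t]+) \t                 # 9: EventLogType
   ([^\t]+) \t                 # 10: ComputerName
   ([^\t]+) \t                 # 11: CategoryString
   ([^\t]*) \t                 # 12: DataString
   ([^\t]*) \t                 # 13: ExpandedString
   ([^\t]*)                    # 14: Extra
}x;

while (defined(my $ThisLine = <STDIN>)) {
   my ($Hostname, $Criticality, $SourceName, $DateTime, $EventID,
       $SourceName2, $UserName, $SIDType, $EventLogType, $ComputerName,
       $CategoryString, $DataString, $ExpandedString, $Extra)
      = ($ThisLine =~ $SnareRecord);

   # A failed match leaves every capture undefined; $Hostname stands in
   # for all of them.  $ThisLine still carries its newline here.
   if (!defined($Hostname)) {
      print STDERR "Cannot parse $ThisLine";
      next;
   }

   if ($EventLogType eq "Success Audit") {
      $SuccessAudits++;
      $SuccessAuditUsers{$UserName}++;
   }
   elsif ($EventLogType eq "Failure Audit") {
      # Keyed by host plus the expanded message so the same failure on
      # different hosts is reported separately.
      $FailureAudits{"$Hostname $ExpandedString"}++;
   }
   else {
      # Anything that parsed but is neither audit type is reported as-is.
      chomp($ThisLine);
      $OtherList{$ThisLine}++;
   }
}

# Keys are sorted so the report is stable between runs.
if ($SuccessAudits and ($Detail >= 0)) {
   print "\nSuccess Audits " . $SuccessAudits . " Time(s)\n";
   foreach my $User (sort keys %SuccessAuditUsers) {
      print " $User : $SuccessAuditUsers{$User} Times\n";
   }
}

if (keys %FailureAudits) {
   print "\nFailure Audits\n";
   foreach my $Error (sort keys %FailureAudits) {
      print " $Error : $FailureAudits{$Error} Times\n";
   }
}

# Previously an exit(0) preceded this section, so unmatched entries were
# never reported; they are the lines most worth a second look.
if (keys %OtherList) {
   print "\n**** Unmatched entries ****\n";
   foreach my $Error (sort keys %OtherList) {
      print " $Error : $OtherList{$Error} Times\n";
   }
}

exit(0);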
# vi: shiftwidth=3 tabstop=3 syntax=perl et