Below is a script that I would like to format the output a little better... I would
like to add time and date... the actual eventype and the event description. This
script parses the eventlog from an NT machine.
======= Begin script ===========
use Win32;
use Win32::EventLog;
do
{
✓
print ("Sleeping for 60 seconds\n");
sleep (60);
} until ($junk eq "forever");
sub check
{
# Puts current Date and Time into D1 and T1
$var1 = localtime (time());
@A1 = split (" ", "$var1");
$D1 = ("$A1[1] $A1[2],$A1[4]");
$T1 = ("$A1[3]");
# Define the server to check, the log files to check and the Email recipients
$server = ("172.16.54.59");
@typelog = ("Application", "Security", "System");
$recipients = '[EMAIL PROTECTED]';
# Define the array and load the data element with NULL values.
my %info=
(
'Length',NULL,
'RecordNumber',NULL,
'TimeGenerated',NULL,
'TimeWritten',NULL,
'EventID',NULL,
'EventType',NULL,
'Category',NULL,
'ClosingRecordNumber',NULL,
'Source',NULL,
'Computer',NULL,
'Strings',NULL,
'Data',NULL,
);
# Define the array and conversion elements.
my %EventType =
(
0,'Error',
2,'Warning',
4,'Information',
8,'Audit success',
16,'Audit failure'
);
$sdir = ("C:\\EVENTS");
# Creates the directory C:\DRVSPACE if it doesn't exist
mkdir ($sdir, 0777);
# Counter used to count down the typelog array.
$count2 = 0;
# Define the temporary file to be used.
$outfile = "C:\\EVENTS\\temp.txt";
# Creates the temporary file.
open(OUTFILE, ">$outfile") || die "Can't open $outfile";
close OUTFILE;
# Opens the temporary file for appending writes.
open(OUTFILE, ">>$outfile") || die "Can't open $outfile";
# Sets up the loop for the three logfile types.
# Source variable used in Email subject and hits variable is used to fix source
seperator
$hits = 0;
while ($count2 < @typelog)
{
# Loads the logfile to be used during this loop.
$logfile = ("$typelog[$count2]");
# Opens the logfile on the server.
$log = Win32::EventLog -> new ($logfile, "\\\\$server") || die "Can't open $logfile";
# Clears the cnt variable the loads it with the total number of records in the logfile.
$cnt = undef;
$log->GetNumber($cnt);
# Open the marker file for read operation.
$infile = ("C:\\events\\$server $logfile.cnt");
if (open(INFILE, "$infile"))
{
# Does nothing if the file exist
}
else
# If the file doesn't exist then it creates it by opening it with a write operation
then
# closing it and reopening it with a read operation
{
print "Creating a marker file recording $cnt entries in the $logfile logfile on
$server\n";
open(INFILE, ">$infile")|| die ("cannot open file ", $infile, "\n");
print INFILE ("$cnt");
close INFILE;
open(INFILE, "$infile")
}
# Clears the line variable, loads the first line of the marker file into it then
closes the file.
$line = undef;
$line = <INFILE>;
close INFILE;
# Checks the current number of records agianst the recorded number of records from the
marker file.
# If the current number of records is greater additional entries have been made to the
logfile.
# The program therefore loops through getting these additional entries.
if ($cnt > $line)
{
# used to fill variables for the subject of the Email
@logsub[$hits] = $logfile;
$hits++;
# Forces the marker amount up by one so that the marker record is not duplicated.
$line = ($line + 1);
# Retrieves the record number of the first record in the logfile.
$log->GetOldest($first);
# Clears the info variable then opens the logfile for a read operation starting at a
sum of
# the first record number plus the total number of records this should be the last
record.
# The read operation is set to read backward from that point
$info = undef;
$log->Read(EVENTLOG_SEEK_READ|EVENTLOG_BACKWARDS_READ, $cnt+$first, $info);
# Sets a loop for the number of previous records (+1) and the number of current records
# and performs the same functions as above to them.
foreach ($line..$cnt)
{
# Reads in the next record
$log->Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_BACKWARDS_READ),0,$info);
$info->{'EventID'} = $info->{'EventID'} & 0xffff;
$info->{'EventType'} = $EventType{ $info->{'EventType'} };
foreach $key ('EventType','Source','Computer','Strings')
{
print OUTFILE ("$key, $info->{$key}\n");
}
print OUTFILE ("\n");
}
# Reopens the marker file for write operation, writes the current number of records to
it
# then closes the file.
open(CNTFILE, ">$infile") || die ("cannot open file ", $cntfile, "\n");
print CNTFILE ("$cnt");
close CNTFILE;
}
# Closes the logfile then advances the loop counter
$log->CloseEventLog;
$count2++;
}
# Closes the append operation on the temporary file
close OUTFILE;
# Reads the byte size of the temporary file into the size variable
$size = -s $outfile;
# Checks to see if there is any data in the temporary file that needs to be mailed.
# If not the program effectively terminates with out any action
if ($size > 0)
{
# Reopens the temporary file for a read operation in binary mode.
open(OUTFILE, "$outfile") || die "Can't open $outfile";
binmode OUTFILE;
# Reads the ASCII charecters and CR/LF from the file into the message array
# then closes the file
undef $/;
$_=<OUTFILE>;
@message=/([ -~\n]+)/g;
close OUTFILE;
# Reopens the file for write operation and overwrites the content with the
# non-binary content then closes the file
open(OUTFILE, ">$outfile") || die "Can't open $outfile";
print OUTFILE (@message);
close OUTFILE;
# Emails the content of the file to the predefined recipients.
# Make a pretty subject line - selects either x or x & x or x, x & x.
$lognum = @logsub;
if ($lognum == 1)
{
$subject = ("@logsub[0] events from $server at $D1 $T1");
}
elsif ($lognum == 2)
{
$subject = ("@logsub[0] & @logsub[1] events from $server at $D1 $T1");
}
elsif ($lognum == 3)
{
$subject = ("@logsub[0], @logsub[1] & @logsub[2] events from $server at $D1 $T1");
}
$out=`e:\\mrtg-2.9.10\\bin\\sendmail\\blat \"$outfile\" -s \"$subject\" -t
\"$recipients\"`;
print "$out\n";
}
# Deletes the temporary file.
unlink $outfile;
}
==== End Script ======
==== Current Output ====
EventType,
Source, Wins
Computer, SEA-MONITOR
Strings,
===== End Output ======
===
Mike Singleton CCNA, CNE, MCSE
Network Analyst
(253) 272-1916 x1259p made to the logfile.
# The prog
(253) 405-1968 (cellular)
[EMAIL PROTECTED]
DaVita Inc.
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
