http://qs321.pair.com?node_id=462936
Category: Win32 Stuff
Author/Contact Info: Eugene Michtchenko (BOFH_of_OZ), michtch@hotmail.com

Description:

The result of a project I'm working on...

Win32 servers should send their event log messages to a central syslog server, and we are interested in receiving only errors and warnings. The open-source tool Snare lets us choose which messages are sent out. However, the messages themselves carry too much information, so they need to be parsed, which is what this script is for.

The script needs syslog-ng to be installed on the receiving computer. The configuration options specific to this script are:

destination database { program("/usr/bin/perl /usr/local/bin/sqllog.pl"); };
filter f_db { facility(local7) and level(err, warning); };
log { source(net); filter(f_db); destination(database); };

It all works this way: a Win32 server uses (properly configured) Snare to send syslog messages to the receiving server. That server runs syslog-ng with the options above, which hands the matching syslog messages to the script. The script parses each message, breaks it into fields, logs it to the database, and sends a notification email for error messages.

 

#!/usr/bin/perl

use strict;
use warnings;
use DBI;
use DBD::mysql;
use Net::SMTP;

sub SendMail($$$);

my @monthnames = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
my @msg;
my @datetime;

my ($rin, $nfound, $rout, $what, $dbh, $logtime, $logtable, $month);
my $strSQL = '';

$dbh = DBI->connect("DBI:mysql:database=logger;host=localhost",
                    "username", "password", {'RaiseError' => 1});

# Wait on STDIN, which syslog-ng connects to this program's pipe
$rin = "";
vec($rin, fileno(STDIN), 1) = 1;

while (1)
{
   sleep 1;
   $nfound = select($rout = $rin, "", "", 1);
   $what = ($nfound) ? <STDIN> : "";
   last unless defined $what;      # EOF: syslog-ng closed the pipe

   if ($what ne "")
   {
      # Snare starts every record with "MSWinEventLog"; drop the syslog
      # header in front of it and skip anything that is not a Snare record
      next if index($what, "MSWinEventLog") < 0;
      $what = substr($what, index($what, "MSWinEventLog"));
      chomp $what;
      @msg = split(/\t/, $what);
      @datetime = split(/ /, $msg[4]);   # e.g. "Wed Jun 01 10:15:30 2005"

      for (0..11)
      {
         if ($monthnames[$_] eq $datetime[1]) { $month = $_ + 1; }
      }
      $logtime = "$datetime[4]-$month-$datetime[2] $datetime[3]";

      # Column names are our own; the values come from the Windows host
      # and are bound as placeholders below, never interpolated into SQL
      my @cols   = qw(logtime host logtype event_id source message);
      my @values = ($logtime, $msg[10], $msg[2], $msg[5], $msg[6], $msg[13]);

      if ($msg[9] =~ /Error/)
      {
         $logtable = 'error';
         SendMail($msg[10], $msg[5], $msg[13]);
      }
      elsif ($msg[9] =~ /Warning/)
      {
         $logtable = 'warning';
      }
      else
      {
         $logtable = 'other';
         unshift @cols,   'category';
         unshift @values, $msg[9];
      }

      $strSQL = "INSERT INTO $logtable (" . join(', ', @cols) . ")"
              . " VALUES (" . join(', ', ('?') x @values) . ")";
      $dbh->do($strSQL, undef, @values);
   }
}

#----------------- Send an email notification ---------------------
sub SendMail($$$)
{
   my ($host, $evnum, $msg) = @_;

   my $smtp = Net::SMTP->new(Host    => 'smtp',
                             Timeout => 30,
                             Debug   => 0);   # Set to 0 in production version
   return unless $smtp;   # mail server unreachable: keep logging, skip the notification

   $smtp->mail('Windows System Event');
   $smtp->to('admin');

   $smtp->data();
   $smtp->datasend("To: System Support\n");
   $smtp->datasend("Subject: Error event $evnum on $host\n");
   $smtp->datasend("\n");

   $smtp->datasend("$msg\n");
   $smtp->dataend();

   $smtp->quit;
}
#-----------------------------------------------------------------
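The same flow in Python, added here as an editor's example rather than the author's code: it splits a Snare "MSWinEventLog" record at the tab-separated positions the script above indexes (log type at field 2, date at 4, event id at 5, source at 6, level at 9, host at 10, message at 13), picks the error/warning/other table, and binds every value that came from the Windows host as a query parameter, so a quote or semicolon inside an event's message text stays data. The sample records are constructed, an in-memory SQLite database stands in for the MySQL "logger" database, and the table and column names follow the script.

```python
import sqlite3
from datetime import datetime

# Field positions in a Snare "MSWinEventLog" record, as the Perl script indexes them
F_LOGTYPE, F_DATETIME, F_EVENT_ID, F_SOURCE, F_LEVEL, F_HOST, F_MESSAGE = 2, 4, 5, 6, 9, 10, 13

# Constructed sample records (not real host data) in Snare's tab-separated layout.
# The "<pri>date host " part before MSWinEventLog is the syslog header syslog-ng sees.
SAMPLE_LINES = [
    "<187>Jun  1 10:15:30 WINSRV1 MSWinEventLog\t1\tSystem\t42\tWed Jun 01 10:15:30 2005"
    "\t7034\tService Control Manager\tN/A\tN/A\tError\tWINSRV1\tNone\t"
    "\tThe Print Spooler service terminated unexpectedly.\t1",
    "<188>Jun  1 10:16:02 WINSRV1 MSWinEventLog\t2\tApplication\t43\tWed Jun 01 10:16:02 2005"
    "\t1000\tMsiInstaller\tN/A\tN/A\tWarning\tWINSRV1\tNone\t"
    "\tProduct: Example App -- Installation failed.\t2",
    # Message text with a quote and a semicolon: harmless when bound as a parameter
    "<190>Jun  1 10:17:45 WINSRV1 MSWinEventLog\t0\tApplication\t44\tWed Jun 01 10:17:45 2005"
    "\t100\tCustomApp\tN/A\tN/A\tInformation\tWINSRV1\tNone\t"
    "\tLogon failure for user O'Brien; see event details.\t3",
]

# Tables used by the script; these names are fixed and never taken from input
TABLES = {"Error": "error", "Warning": "warning"}

SCHEMA = """
CREATE TABLE error   (logtime TEXT, host TEXT, logtype TEXT, event_id INTEGER, source TEXT, message TEXT);
CREATE TABLE warning (logtime TEXT, host TEXT, logtype TEXT, event_id INTEGER, source TEXT, message TEXT);
CREATE TABLE other   (category TEXT, logtime TEXT, host TEXT, logtype TEXT, event_id INTEGER, source TEXT, message TEXT);
"""


def parse_snare(line):
    """Return the fields the logger stores, or None if this is not a Snare record."""
    start = line.find("MSWinEventLog")
    if start < 0:
        return None
    fields = line[start:].rstrip("\n").split("\t")
    if len(fields) <= F_MESSAGE:
        return None
    # Snare's timestamp, e.g. "Wed Jun 01 10:15:30 2005", reformatted for the logtime column
    when = datetime.strptime(fields[F_DATETIME], "%a %b %d %H:%M:%S %Y")
    return {
        "logtime": when.strftime("%Y-%m-%d %H:%M:%S"),
        "host": fields[F_HOST],
        "logtype": fields[F_LOGTYPE],
        "event_id": int(fields[F_EVENT_ID]),
        "source": fields[F_SOURCE],
        "level": fields[F_LEVEL],
        "message": fields[F_MESSAGE],
    }


def classify(level):
    """Map the Windows event level to the script's table: error, warning, or other."""
    for key, table in TABLES.items():
        if key in level:          # substring match, like the script's /Error/ and /Warning/
            return table
    return "other"


def store_event(conn, rec):
    """Insert one parsed record; returns the table it went to."""
    table = classify(rec["level"])
    cols = ["logtime", "host", "logtype", "event_id", "source", "message"]
    vals = [rec[c] for c in cols]
    if table == "other":
        cols.insert(0, "category")
        vals.insert(0, rec["level"])
    # Table and column names are our constants; every host-supplied value is a bound parameter
    sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join('?' * len(vals))})"
    conn.execute(sql, vals)
    return table


def run(lines=SAMPLE_LINES):
    """Load records into an in-memory database. Returns per-table row counts, the
    (host, event_id, message) tuples that would trigger an email, and the stored
    message of the 'other' row so the quote can be checked to have survived intact."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    notify = []
    for line in lines:
        rec = parse_snare(line)
        if rec is None:
            continue
        if store_event(conn, rec) == "error":
            notify.append((rec["host"], rec["event_id"], rec["message"]))
    counts = {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
              for t in ("error", "warning", "other")}
    stored = conn.execute("SELECT message FROM other").fetchone()[0]
    conn.close()
    return counts, notify, stored


if __name__ == "__main__":
    print(run())
```

Running it with the three constructed lines gives one row in each table and a single notification for event 7034; the apostrophe in the "Information" record is stored verbatim because it travels as a parameter, not as part of the statement text.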