Category: Win32 Stuff
Author/Contact Info Eugene Michtchenko


The result of a project I'm working on...

Win32 servers should send their event log messages to a central syslog server, and we are interested in receiving only errors and warnings. The open-source tool Snare lets us choose which messages are sent out. However, the messages themselves carry too much information, so they need to be parsed; that is what this script is for.

The script needs syslog-ng to be installed on the receiving computer. The syslog-ng configuration options specific to this script are:

destination database { program("/usr/bin/perl /usr/local/bin/"); };
filter f_db { facility(local7) and level(err, warning); };
log { source(net); filter(f_db); destination(database); };

It all works this way: a Win32 server uses a (properly configured) Snare to send syslog messages to a receiving server. That server runs syslog-ng with the options above, which pipe every matching message to the script on its standard input. The script parses each message, breaks it into fields, logs it to the database, and sends out a notification email for error messages.
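The parsing and database step just described, as an added example that is not part of the original post: it splits a Snare record at the same field positions the script relies on (log type in field 2, date in 4, event id in 5, source in 6, severity in 9, host in 10, message text in 13) and then inserts the row with DBI placeholders instead of interpolating the fields into the SQL string, so a quote inside an event message can neither break the statement nor alter it. The function names `parse_snare` and `store_event` are my own, the sample record is constructed, and an in-memory SQLite database (DBD::SQLite, assumed installed) stands in for the MySQL database so the example runs offline.

```perl
#!/usr/bin/perl
# Added example: parse a Snare "MSWinEventLog" record and store it with
# bound parameters. Field positions follow the indices the original
# script uses; everything else here is an assumption of this example.
use strict;
use warnings;
use DBI;

my @monthnames = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
my %monthnum = map { $monthnames[$_] => $_ + 1 } 0 .. $#monthnames;

# Turn one raw syslog line from Snare into a hash of the fields we keep.
# Returns undef if the line is not a Snare event or is too short.
sub parse_snare {
    my ($line) = @_;
    chomp $line;
    my $pos = index($line, "MSWinEventLog");
    return undef if $pos < 0;
    my @f = split /\t/, substr($line, $pos);
    return undef if @f < 14;

    # Field 4 looks like "Mon Aug 01 05:06:00 2005"
    my ($dow, $mon, $day, $time, $year) = split / /, $f[4];
    my $m = $monthnum{$mon} or return undef;
    my $logtime = sprintf("%04d-%02d-%02d %s", $year, $m, $day, $time);

    my %ev = (
        logtype  => $f[2],     # System / Application / Security
        logtime  => $logtime,
        event_id => $f[5],
        source   => $f[6],
        severity => $f[9],     # Error / Warning / Information ...
        host     => $f[10],
        message  => $f[13],
    );
    $ev{table} = $ev{severity} =~ /Error/   ? 'error'
               : $ev{severity} =~ /Warning/ ? 'warning'
               :                              'other';
    return \%ev;
}

# Insert with placeholders. The table name is taken from a fixed list,
# never from the message, so it is the only part that is interpolated.
sub store_event {
    my ($dbh, $ev) = @_;
    my %allowed = map { $_ => 1 } qw(error warning other);
    die "unexpected table $ev->{table}" unless $allowed{ $ev->{table} };

    my @cols = qw(logtime host logtype event_id source message);
    my @vals = @{$ev}{@cols};
    if ($ev->{table} eq 'other') {       # 'other' also records the category
        unshift @cols, 'category';
        unshift @vals, $ev->{severity};
    }
    my $sql = sprintf "INSERT INTO %s (%s) VALUES (%s)",
        $ev->{table}, join(',', @cols), join(',', ('?') x @cols);
    $dbh->do($sql, undef, @vals);
}

# Constructed sample record (not captured from a real host). The message
# deliberately contains a single quote, which would break interpolated SQL.
my $sample = "<131>Aug  1 05:06:00 winbox MSWinEventLog\t1\tSystem\t42\t"
           . "Mon Aug 01 05:06:00 2005\t7000\tService Control Manager\tN/A\tN/A\t"
           . "Error\tWINBOX\tNone\t\tThe 'Foo' service failed to start.\n";

my $ev = parse_snare($sample) or die "not a Snare event\n";
printf "%s %s %s: %s\n", $ev->{logtime}, $ev->{host}, $ev->{table}, $ev->{message};

# In-memory SQLite so the example runs offline; use the DBI:mysql DSN from
# the original script against the real logger database.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "", { RaiseError => 1 });
$dbh->do("CREATE TABLE $_ (category TEXT, logtime TEXT, host TEXT, logtype TEXT,"
       . " event_id INTEGER, source TEXT, message TEXT)") for qw(error warning other);
store_event($dbh, $ev);
my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM error");
print "rows in error table: $n\n";
```

Because the statement text never contains event data, a message with a quote or a semicolon is stored verbatim rather than raising a DBI error; with RaiseError set, as in the original script, such an error would otherwise terminate the listener and silently stop logging.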



use strict;
use warnings;
use DBI;
use DBD::mysql;
use Net::SMTP;

sub SendMail($$$);

my @monthnames = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
my @msg;
my @datetime;

my ($rin, $nfound, $rout, $what, $dbh, $logtime, $logtable, $month);
my $strSQL = '';
my $category = '';
my $catflag = '';

$dbh = DBI->connect("DBI:mysql:database=logger;host=localhost",
                    "username", "password", {'RaiseError' => 1});

# Console handle used to echo what gets logged
open (TTY, "> /dev/tty1") or die "Cannot open /dev/tty1: $!";

# syslog-ng pipes each matching message to STDIN; poll it once a second
$rin = '';
vec($rin, fileno(STDIN), 1) = 1;

while (1) {
   sleep 1;
   $nfound = select($rout = $rin, undef, undef, 0);
   $what = ($nfound) ? <STDIN> : "";
   last unless defined $what;   # syslog-ng closed the pipe

   if ($what ne "") {
      # Snare tags every event with MSWinEventLog; the rest of the line
      # is a tab-separated record
      $what = substr($what, index ($what, "MSWinEventLog"));
      @msg = split(/\t/, $what);
      @datetime = split(/ /, $msg[4]);   # e.g. "Mon Aug 01 05:06:00 2005"

      # Turn the three-letter month name into a 1-based month number
      foreach (0..11) {
         if ($monthnames[$_] eq $datetime[1]) {$month = $_ + 1;}
      }
      $logtime = "$datetime[4]-$month-$datetime[2] $datetime[3]";

      if ($msg[9] =~ "Error") {
         $logtable = 'error';
         SendMail($msg[10], $msg[5], $msg[13]);
      } elsif ($msg[9] =~ "Warning") {
         $logtable = 'warning';
      } else {
         $logtable = 'other';
         $category = "\'$msg[9]\',";
         $catflag = 'category, ';
      }
      # Note: event fields go into the statement unescaped; a quote in the
      # message text breaks the SQL and, with RaiseError on, kills the script
      $strSQL = "INSERT INTO $logtable ($catflag"."logtime, host, logtype, event_id," .
                " source, message) VALUES ($category \'$logtime\', \'$msg[10]\', " .
                "\'$msg[2]\', $msg[5], \'$msg[6]\', \'$msg[13]\')";
      $dbh->do($strSQL);
      print TTY "$strSQL\n";

      $category = $catflag = '';
   }
}
close TTY;
$dbh->disconnect;

#----------------- Send an email notification ---------------------
sub SendMail($$$) {
   my ($host, $evnum, $msg) = @_;

   my $smtp = Net::SMTP->new(Host => 'smtp',
                             Timeout => 30,
                             Debug => 0)  # Set to 0 in production version
      or return;

   $smtp->mail('Windows System Event');
   $smtp->to('System Support');

   $smtp->data();
   $smtp->datasend("To: System Support\n");
   $smtp->datasend("Subject: Error event $evnum on $host\n");
   $smtp->datasend("\n");
   $smtp->datasend("$msg\n");
   $smtp->dataend();
   $smtp->quit;
}


Re: Win/Snare syslog message parser
by Anonymous Monk on Aug 01, 2005 at 05:06 UTC
    Looks great bofh :) Have a peek at our Perl 'server' code (in the Linux or Solaris archives) if you'd like a Solaris event-grabbing sample. Regards, Leigh (Snare programmer).