
Win/Snare syslog message parser

by bofh_of_oz (Hermit)
on Jun 02, 2005 at 14:40 UTC
Category: Win32 Stuff
Author/Contact Info: Eugene Michtchenko


The result of a project I'm working on...

Win32 servers should send their event log messages to a central syslog server, and we are interested in receiving only errors and warnings. An open-source tool, Snare, allows us to specify which messages we want to send out. However, the messages themselves carry too much information, so they need to be parsed, which is what this script is for.

The script needs syslog-ng to be installed on the receiving computer. The configuration options specific to this script are here:

destination database { program("/usr/bin/perl /usr/local/bin/"); };
filter f_db { facility(local7) and level(err, warning); };
log { source(net); filter(f_db); destination(database); };

It all works this way: a Win32 server uses (properly configured) Snare to send syslog messages to a receiving server. The server runs syslog-ng (with the above options included) and so redirects those syslog messages to the script. The script parses the message, breaks it down, logs it into the database, and sends out a notification email for error messages.



use strict;
use DBI;
use DBD::mysql;
use Net::SMTP;

sub SendMail($$$);

my @monthnames = (qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec));
my @msg;
my @datetime;

my ($rin, $nfound, $rout, $what, $dbh, $logtime, $logtable, $month);
my $strSQL = '';
my $category = '';
my $catflag = '';

$dbh = DBI->connect("DBI:mysql:database=logger;host=localhost",
                    "username", "password", {'RaiseError' => 1});

open (TTY, "> /dev/tty1");

while (1) {
   # Poll STDIN (fed by syslog-ng) for a pending message. The select() call
   # is reconstructed; the post only declares $rin/$rout/$nfound for it.
   $rin = '';
   vec($rin, fileno(STDIN), 1) = 1;
   $nfound = select($rout = $rin, undef, undef, 0);
   sleep 1;
   $what = ($nfound) ? <> : "";

   if ($what ne "") {
      # Drop the syslog header; the Snare record is tab-separated after "MSWinEventLog"
      $what = substr($what, index ($what, "MSWinEventLog"));
      @msg = split(/\t/, $what);
      @datetime = split(/ /, $msg[4]);    # e.g. "Thu Jun 02 14:40:21 2005"

      # Month name -> month number for a MySQL DATETIME value
      for (0..11) {
         if ($monthnames[$_] eq $datetime[1]) {$month = $_ + 1;}
      }
      $logtime = "$datetime[4]-$month-$datetime[2] $datetime[3]";

      # $msg[9] is the event type; errors are mailed, everything else only logged
      if ($msg[9] =~ "Error") {
         $logtable = 'error';
         SendMail($msg[10], $msg[5], $msg[13]);
      }elsif ($msg[9] =~ "Warning") {
         $logtable = 'warning';
      }else{
         $logtable = 'other'; 
         $category = "\'$msg[9]\',"; 
         $catflag='category, ';
      }
      # NB: the event text is interpolated straight into the SQL, so a quote in
      # $msg[13] breaks (or alters) the statement; use DBI placeholders in production.
      $strSQL = "INSERT INTO $logtable ($catflag"."logtime, host, logtype, event_id," .
                " source, message) VALUES ($category \'$logtime\', \'$msg[10]\', " .
                "\'$msg[2]\', $msg[5], \'$msg[6]\', \'$msg[13]\')";
      $dbh->do($strSQL);

      $category = $catflag = '';
   }
}

#----------------- Send an email notification ---------------------
sub SendMail($$$) {
   my ($host, $evnum, $msg) = @_;

   my $smtp = Net::SMTP->new(Host => 'smtp',
                             Timeout => 30,
                             Debug => 0);  #Set to 0 in production version
   return unless $smtp;    # do not abort the log loop when the relay is down

   $smtp->mail('Windows System Event');
   $smtp->to('RECIPIENT_ADDRESS');   # recipient not in the post; placeholder
   $smtp->data();
   $smtp->datasend("To: System Support\n");
   $smtp->datasend("Subject: Error event $evnum on $host\n");
   $smtp->datasend("\n");
   $smtp->datasend("$msg\n");
   $smtp->dataend();
   $smtp->quit;
}

Replies are listed 'Best First'.
Re: Win/Snare syslog message parser
by Anonymous Monk on Aug 01, 2005 at 05:06 UTC
    Looks great bofh :) Have a peek at our perl 'server' code (in the linux or solaris archives) if you'd like a solaris event grabbing sample. Regards, Leigh (Snare programmer).
