xNightR00T File Manager

##########################################################################
# $Id$
##########################################################################
# $Log: evtsystem,v $
# Revision 1.3  2008/06/30 23:07:51  kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.2  2008/03/24 23:31:26  kirk
# added copyright/license notice to each script
#
# Revision 1.1  2007/04/28 22:50:24  bjorn
# Added files for Windows Event Log, by Orion Poplawski.  These are for
# Windows events logged to a server, using Snare Agent or similar.
#
##########################################################################

########################################################
## Copyright (c) 2008 Orion Poplawski
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

while (defined($ThisLine = <STDIN>)) {
   my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$CategoryString,$DataString,$ExpandedString,$Extra);
   #Determine format
   if ($ThisLine =~ /MSWinEventLog\[/) {  # Snare 4
      #Parse
      ($Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
         ($ThisLine =~ /MSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
   } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3
      #Parse
      ($Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
         ($ThisLine =~ /MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
   }
   if (!defined($Hostname)) {
      print STDERR "Cannot parse $ThisLine";
      next;
   }
   #print STDERR "ExpandedString = $ExpandedString\n";

   if ($System eq "Application Popup") {
      #Ignore these
      next if $ExpandedString =~ /Initialization Failed : The application failed to initialize because the window station is shutting down/;
      next if $ExpandedString =~ /^Application popup: Windows : Other people are logged on to this computer. Shutting down Windows might cause them to lose data\.    Do you want to continue shutting down\?$/;
      next if $ExpandedString =~ /^Application popup: Message from .*: Automatic software deployment is currently updating your system\. Please save all your documents as the the system might reboot without further notice\. Thank you\./;
      next if $ExpandedString =~ /^Application popup: Message from .*: The automated software installation utility has completed installing or updating software on your system\. No reboot was necessary\. All updates are complete\./;
   }

   if ($System eq "BTHUSB") {
      next if $ExpandedString =~ /^Windows cannot store Bluetooth authentication codes \(link keys\) on the local adapter\. Bluetooth keyboards might not work in the system BIOS during startup\.$/ and $Detail < 5;
   }

   if ($System =~ "EventLog") {
      #Ignore these
      next if $ExpandedString =~ /Microsoft \(R\) Windows \(R\) \d+\.\d+\. \d+ Service Pack \d/;
      next if $ExpandedString =~ /^The Event log service was started./;
      next if $ExpandedString =~ /^The Event log service was stopped./;
      next if $ExpandedString =~ /^The system uptime is \d+ seconds/;
   }

   if ($System =~ "LsaSrv") {
      #Ignore these
      next if $ExpandedString =~ /^A logon cache entry for user .* was the oldest entry and was removed\. The timestamp of this entry was/;
   }

   if ($System eq "Microsoft-Windows-Application-Experience") {
      #Ignore these
      next if $ExpandedString eq "The Program Compatibility Assistant service successfully performed phase two initialization.";
   }

   if ($System eq "Microsoft-Windows-DfsSvc") {
      #Ignore these
      next if $ExpandedString =~ /^DFS has finished building all namespaces\.$/;
      next if $ExpandedString =~ /^DFS server has finished initializing\.$/;
   }

   if ($System eq "Microsoft-Windows-FilterManager") {
      #Ignore these
      next if $ExpandedString =~ /^File System Filter .* has successfully loaded and registered with Filter Manager\.$/;
   }

   if ($System eq "Microsoft-Windows-Iphlpsvc") {
      #High Detail
      next if $ExpandedString =~ /^Isatap interface .* with address .* has been brought up\.$/ and $Detail < 10;
      next if $ExpandedString =~ /^Isatap interface .* is no longer active\.$/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-Kernel-General") {
      #High Detail
      next if $ExpandedString =~ /^The operating system started at system time/ and $Detail < 10;
      next if $ExpandedString =~ /^The operating system is shutting down at system time/ and $Detail < 10;
      #TODO - We should warn is this is big
      next if $ExpandedString =~ /^The system time has changed to .* from/;
   }

   if ($System eq "Microsoft-Windows-Kernel-Power") {
      #High Detail
      next if $ExpandedString =~ /^The system is entering sleep/ and $Detail < 10;
      next if $ExpandedString =~ /^The kernel power manager has initiated a shutdown transition\.$/ and $Detail < 10;

      #Ignore these
      next if $ExpandedString =~ /^ACPI thermal zone .* has been enumerated/;
      next if $ExpandedString =~ /^Processor \d+ in group \d+ exposes the following power management capabilities/;
   }

   if ($System eq "Microsoft-Windows-Kernel-Processor-Power") {
      #Ignore these
      next if $ExpandedString =~ /^Processor \d+ in group \d+ exposes the following:/;
   }

   if ($System eq "Microsoft-Windows-GroupPolicy") {
      #Ignore these
      next if $ExpandedString =~ /^The Group Policy settings for the (computer|user) were processed successfully\. There were no changes detected since the last successful processing of Group Policy\.$/;
      next if $ExpandedString =~ /^The Group Policy settings for the (computer|user) were processed successfully\. New settings from \d+ Group Policy objects were detected and applied\.$/ and $Detail == 0;
   }

   if ($System eq "Microsoft-Windows-Ntfs") {
      #Ignore these
      next if $ExpandedString =~ /^Volume .* is healthy\.  No action is needed\.$/;
   }

   if ($System eq "Microsoft-Windows-Power-Troubleshooter") {
      #High Detail
      next if $ExpandedString =~ /^The system has resumed from sleep/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-Time-Service") {
      #High Detail
      next if $ExpandedString =~ /^The time provider NtpClient is currently receiving valid time data from/ and $Detail < 10;
      next if $ExpandedString =~ /^The time service is now synchronizing the system time with the time source/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-WAS") {
      #High Detail
      next if $ExpandedString =~ /^A worker process with process id of .* serving application pool .* has requested a recycle because the worker process reached its allowed processing time limit/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-WindowsUpdateClient" or
       $System eq "Windows Update Agent") {
      #High Detail
      next if $ExpandedString =~ /^Automatic Updates is now paused\.$/ and $Detail < 10;
      
      #Updates
      if (($InstallDateTime, $Updates) = $ExpandedString =~ /^Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on (.*):  - (.*)$/) {
          $UpdatesReadyForInstall{$Hostname}->{$InstallDateTime} = $Updates;
          next;
      }
      if (($Update) = $ExpandedString =~ /^Installation Successful: Windows successfully installed the following update: (.*)$/) {
          push(@{$UpdatesInstalled{$Hostname}},$Update);
          next;
      }
      if ($ExpandedString =~ /^Restart Required:/) {
          $RestartRequired{$Hostname} = 1;
          next;
      }
   }

   if ($System eq "Microsoft-Windows-Winlogon") {
      #High Detail
      next if $ExpandedString =~ /User \w+ Notification for Customer Experience Improvement Program/ and $Detail < 10;
   }

   if ($System eq "Microsoft-Windows-WinRM") {
      #High Detail
      next if $ExpandedString =~ /^The WinRM service is listening for WS-Management requests/ and $Detail < 10;
   }

   if ($System eq "Service Control Manager") {
      #Ignore these
      next if $ExpandedString =~ /^The (.*) service entered the running state\./;
      next if $ExpandedString =~ /^The (.*) service entered the stopped state\./;
      next if $ExpandedString =~ /^The (.*) service was successfully sent a start control\./;
      next if $ExpandedString =~ /^The (.*) service was successfully sent a stop control\./;
   }

   if ($System eq "USER32") {
      #High Detail
      next if $ExpandedString =~ /^The process .* has initiated the power off of computer \w+ on behalf of user .* for the following reason: .*$/ and $Detail < 10;
   }

   if ($System eq "Virtual Disk Service") {
      #High Detail
      next if $ExpandedString =~ /Service (started|stopped)/ and $Detail < 10;
   }

   if ($System eq "atikmdag") {
      #Ignore these
      next if $ExpandedString =~ /^UVD Information$/;
      #High Detail
      next if $ExpandedString =~ /^Display is not active$/ and $Detail < 10;
   }

   if ($System eq "volsnap") {
      #Med Detail
      next if $ExpandedString =~ /^The oldest shadow copy of volume .* was deleted to keep disk space usage for shadow copies of volume .* below the user defined limit\.$/ and $Detail < 5;
   }

   next if $ExpandedString =~ /client service is started$/ and $Detail < 10;
   next if $ExpandedString =~ /started successfully\.$/ and $Detail < 10;
   next if $ExpandedString =~ /has successfully (?:started|stopped)\./ and $Detail < 10;
   next if $ExpandedString =~ /service .* (?:started|stopped)/i and $Detail < 10;
   next if $ExpandedString =~ /Module has (?:started|stopped)/ and $Detail < 10;
   next if $ExpandedString =~ /Driver initialized successfully\.$/ and $Detail < 10;
   next if $ExpandedString =~ /Network controller configured for .* link\.$/ and $Detail < 10;
   next if $ExpandedString =~ /^The driver package installation has succeeded\.$/ and $Detail < 10;
   next if $ExpandedString =~ /^The .* service entered the .* state/ and $Detail < 10;
   next if $ExpandedString =~ /^The process .* has initiated the (?:power off|restart|shutdown) of computer .* on behalf of user .* for the following reason/ and $Detail < 5;
   next if $ExpandedString =~ /^UVD Information$/;
   next if $ExpandedString =~ /Link has been established:/;

   # Add to the list
   $Systems{$System}->{"$Hostname $ExpandedString"}++;
}

# Handle high priority errors first
$System = "Microsoft-Windows-WER-SystemErrorReporting";
if (defined($Systems{$System})) {
   print "\nSYSTEM ERRORS!:\n";
   foreach $Error (sort(keys %{$Systems{$System}})) {
      print "    $Error : $Systems{$System}->{$Error} Times\n";
   }
   delete($Systems{$System});
}
print "\n";

if (keys %Systems) {
   foreach $System (sort(keys %Systems)) {
      print "\n$System\n";
      foreach $Error (sort(keys %{$Systems{$System}})) {
         print "    $Error : $Systems{$System}->{$Error} Times\n";
      }
   }
}

if (keys %UpdatesReadyForInstall or keys %UpdatesInstalled) {
   print "\nWindows Update Summary:\n";
   foreach $Hostname (sort(keys %UpdatesReadyForInstall)) {
      foreach $InstallDateTime (sort(keys %{$UpdatesReadyForInstall{$Hostname}})) {
         print "    Updates ready for install on $Hostname on $InstallDateTime:\n"; 
         print "        $UpdatesReadyForInstall{$Hostname}->{$InstallDateTime}\n";
      }
   }
   foreach $Hostname (sort(keys %UpdatesInstalled)) {
      print "    Updates successfully installed on $Hostname:\n";
      foreach $Update (@{$UpdatesInstalled{$Hostname}}) {
          print "        $Update\n";
      }
   }
   print "    Restart required on hosts: " if keys %RestartRequired;
   foreach $Hostname (sort(keys %RestartRequired)) {
      print "$Hostname ";
   }
   print "\n";
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: