Can any help me figure out why the output of the following script
doesn't list any data?? Just the headers??
=== begin script ===
#!/usr/bin/perl -w
=head1 DESCRIPTION
scanel.pl - NT - Pull errors and warnings out of the event logs
Schedule: 7:30 a.m. every weekday.
Output File: events.txt
Create a summary report of all notable logged events from all servers.
This script dumps the event logs from a list of NT/2000 servers listed
in servers.lst using the somarsoft tool dumpevt.exe (used this tool
because it keeps track of the last event read so we only get stuff we
haven't seen each time we run it). It will create a file listing all
events for each server since the last run.
Commands: `dumpevt.exe /logfile=sys /outfile=$tempfile /computer=$_
/reg=local_machine`;
`dumpevt.exe /logfile=app /outfile=$tempfile /computer=$_
/reg=local_machine`;
`dumpevt.exe /logfile=sec /outfile=$tempfile /computer=$_
/reg=local_machine`;
Search Pattern: /Error|Warning|Save
Dump|,512,|,513,|,516,|,517,|,531,|,533,|,534,|,535,|,539,|,608,|,609,|,610,|,611,|,612,|,618,|,624,|,625,|,626,|,628,|,629,|,630,|,631,|,634,|,635,|,636,|,637,|,638,|,639,|,640,|,641,|,642,|,643,/
Event Description
------------------------------
512 Windows NT is starting up.
513 Windows NT is shutting down. All logon sessions will be
terminated
by this shutdown.
516 Internal resources allocated for the queuing of audit messages
have
been exhausted, leading to the loss of some audits. Number of audit
messages discarded: number
517 The audit log was cleared Primary User Name: user name
Primary Domain: computer name Primary Logon ID: text Client User
Name: user name Client Domain: computer name Client Logon ID:
text
531 Logon Failure: Reason: Account currently disabled User Name:
user
name Domain: name Logon Type: name Logon Process: parameter
Authentication Package: parameter Workstation Name: computer name
533 Logon Failure: Reason: User not allowed to logon at this
computer
User Name: user name Domain: name Logon Type: name Logon Process:
parameter Authentication Package: parameter Workstation Name: computer
name
534 Logon Failure: Reason: The user has not been granted the
requested
logon type at this machine User Name: user name Domain: name Logon
Type:
name Logon Process: parameter Authentication Package: parameter
Workstation Name: computer name
535 Logon Failure: Reason: The specified account's password has
expired
User Name: user name Domain: name Logon Type: name Logon Process:
parameter Authentication Package: parameter Workstation Name: computer
name
539 Logon Failure: Reason: Account locked out User Name: user
name Domain: computer name Logon Type: text Logon Process:
text
Authentication Package: text Workstation Name: computer name
608 User Right Assigned: User Right: parameter Assigned To: name
Assigned By: User Name: name Domain: user name Logon ID: parameter
609 User Right Removed: User Right: parameter Removed From: name
Removed By: User Name: name Domain: user name Logon ID: parameter
610 New Trusted Domain: Domain Name: computer name Domain ID:
text Established By: User Name: user name Domain: computer
name
Logon ID: text
611 Removing Trusted Domain: Domain Name: computer name Domain
ID: text Removed By: User Name: user name Domain: computer
name
Logon ID: text
612 Audit Policy Change: New Policy: Success Failure
parameter parameter System parameter parameter
Logon/Logoff parameter parameter Object Access
parameter parameter Privilege Use parameter parameter0
Detailed Tracking parameter parameter Policy Change
parameter parameter Account Management Changed By: User Name:
user name Domain Name: name Logon ID: number
618 Trusted Domain Information Modified: Domain Name: name Domain
ID:
parameter Modified By: User Name: user name Domain: name Logon ID:
parameter
624 User Account Created: New Account Name: user name New
Domain:
computer name New Account ID: text Caller User Name: user name
Caller Domain: computer name Caller Logon ID: text Privileges
text
625 User Account Type Change: Target Account Name: user name
Target Domain: computer name Target Account ID: text New Type:
text Caller User Name: user name Caller Domain: computer name
Caller Logon ID: text
626 User Account Enabled: Target Account Name: name Target Domain:
name
Target Account ID: parameter Caller User Name: user name Caller Domain:
name Caller Logon ID: parameter
628 User Account password set: Target Account Name: name Target
Domain:
name Target Account ID: value Caller User Name: user name Caller
Domain:
name Caller Logon ID: value
629 User Account Disabled: Target Account Name: name Target Domain:
name Target Account ID: value Caller User Name: user name Caller
Domain:
name Caller Logon ID: value
630 User Account Deleted: Target Account Name: name Target Domain:
name
Target Account ID: value Caller User Name: user name Caller Domain:
name
Caller Logon ID: value Privileges: parameter
631 Global Group Created: New Account Name: account New
Domain:
computer name New Account ID: text Caller User Name: user name
Caller Domain: computer name Caller Logon ID: text Privileges:
text
634 Global Group Deleted: Target Account Name: account Target
Domain: computer name Target Account ID: text Caller User Name:
user name Caller Domain: computer name Caller Logon ID: text
Privileges: text
635 Local Group Created: New Account Name: account New Domain:
computer name New Account ID: text Caller User Name: user name
Caller Domain: computer name Caller Logon ID: text Privileges:
text
636 Local Group Member Added: Member: name Target Account
Name:
name Target Domain: name Target Account ID: number Caller User
Name: user name Caller Domain: name Caller Logon ID: number
Privileges: text
637 Local Group Member Removed: Member: name Target Account
Name:
name Target Domain: name Target Account ID: number Caller User
Name: user name Caller Domain: name Caller Logon ID: number
Privileges: text
638 Local Group Deleted: Target Account Name: account Target
Domain: computer name Target Account ID: text Caller User Name:
user name Caller Domain: text Caller Logon ID: computer name
Privileges: text
639 Local Group Changed: Target Account Name: account Target
Domain: computer name Target Account ID: text Caller User Name:
user name Caller Domain: computer name Caller Logon ID: text
Privileges: text
640 General Account Database Change: Type of change: name
Object
Type: name Object Name: name Object ID: number Caller User
Name: user name Caller Domain: computer name Caller Logon ID:
number
641 Global Group Changed: Target Account Name: account Target
Domain: computer name Target Account ID: text Caller User Name:
user name Caller Domain: computer name Caller Logon ID: text
Privileges: text
642 User Account Changed: account Target Account Name: name Target
Domain: name Target Account ID: value Caller User Name: user name
Caller
Domain: name Caller Logon ID: value Privileges: parameter
643 Domain Policy Changed: Domain: computer name Domain ID: text
Caller
User Name: user name Caller Domain: computer name Caller Logon ID: text
Privileges: text
=head2 Dependancies:
=over 4
=item 1. A flat text file named servers.lst with one resolveable
servername per line.
=item 2. dumpevt.exe and dumpevt.ini are in the path.
=item 3. Run under an admin account that exists on each server.
=item 4. Auditing has been enabled and configured in accordance with
the
standard build procedure.
=back
=head1 CHANGE HISTORY
09/06/01 - Create
11/07/01 - Added confirmation message to the parsing line.
11/13/01 - Added parsing for 'Save Dump' to catch bugcheck
reboots (informational events with a non-unique event id - 1001).
06/26/02 - move output to reports dir
07/06/02 - Formatted output. Added comments and error checking.
07/09/02 - Stripped ^` from description field and normalized
spacing. Changed comments to POD.
07/10/02 - Commented out space normalization. Added additional
event IDs to check for.
=cut
use strict; # don't want sloppy code
use File::Copy; # so we can use perl's copy
function instead of shelling out to command prompt
my ($sec, $min, $hour, $mday, $mon, $year, $wkday, $yday, $isdst) =
localtime(time); # get the current time
my $ts = sprintf "%02.0d/%02.0d/%04.0d %02.0d:%02.0d:%02.0d",($mon+1,
$mday, $year+1900, $hour, $min, $sec); # format current time
my $datestring = sprintf "%02.0d%02.0d%02.0d", $mon+1, $mday,
$year%100;
my $datadir = "c:\\scripts\\scan"; # Base directory
for this program and its output
my $tempdir = "c:\\scripts\\scan\\temp"; # Directory for
dump files (dumpevt didn't like the / so use \\)
my $srvlst = "$datadir\\servers.lst";
# List of NT servers to be checked
my $tempfile = "$tempdir\\event.log"; #
Temporary file to dump events into for parsing
my $outfile = "$datadir\\reports\\events.txt"; # Report
of notable events
my $lastfile = "$datadir\\reports\\events.prev.txt"; #Pre-existing
Report of notable events
my $permfile = "$datadir\\reports\\archive\\events.$datestring.txt"; #
"permanent" dup of above
my ($log, $date, $time, $source, $eventid, $type, $category, $user,
$computer, $description); # the different pieces of information from the
event logs
my @servers; # list
var to store server names
print "# Event Log Scan run at $ts (generated by scanel.pl)\n\n";
print "Saving previous run's file...\n\n";
copy ($outfile, $lastfile) or print "*** Unable to save previous run's
output: $! ***\n"; # Copy current file to "last" copy of file
open OUTFILE, ">$outfile" or die "*** Couldn't open $outfile for
writing: $! ***\n"; # no need to continue if we can't make the report
print OUTFILE "# Event Log Scan run at $ts (generated by
scanel.pl)\n\n"; # standard header
open (SERVERS, $srvlst) or die "*** Couldn't open $srvlst for reading:
$! ***\n"; # no need to continue if we can't get the list of servers
while (<SERVERS>) {
chomp;
push(@servers,$_); # put
the server names in a list to limit disk access
}
close SERVERS;
foreach(@servers) { # dump
the event logs into $tempfile and then look through it for errors &
warnings
chomp;
my $cursrv = $_; #
current server name so we don't lose it when we go into the tempfile
print "Dumping event logs of $cursrv...\n";
$tempfile = "$tempdir\\$cursrv".".event.log"; # create
a temp file based on the server name so we know what were looking at
my $i = 0; #
counter to see if anything is printed to OUTFILE.
my $j = 0; #
counter to see if anything is read from the TEMPFILE.
`dumpevt.exe /logfile=sys /outfile=$tempfile /computer=$cursrv
/reg=local_machine`; # the /reg=local_machine puts the last read event
number in the HKLM so it will keep track no matter what account the
script is run under
`dumpevt.exe /logfile=app /outfile=$tempfile /computer=$cursrv
/reg=local_machine`;
`dumpevt.exe /logfile=sec /outfile=$tempfile /computer=$cursrv
/reg=local_machine`;
print "Logging notable events for $_, Please wait...\n";
print OUTFILE "\n------------\n$cursrv\n------------\n"; #
standard report seperator
print OUTFILE "Log Date Time Description\n";
print OUTFILE
"---------------------------------------------------------------------------------------------------------------------------\n";
if(open (TEMPFILE, $tempfile)) {
while (<TEMPFILE>) {
if (/Error|Warning|Save
630,|,631,|,634,|,635,|,636,|,637,|,638,|,639,|,640,|,641,|,642,|,643,/)
{ # whatever we are looking for, usually bad stuff
($log, $date, $time, $source, $eventid,
$type, $category, $user,
$computer, $description) = split (/,/); # seperate the raw line into
its parts (it is comma seperated)
$description =~ s/\^\`//g; # get
rid of the ^` in the output
#$description =~ s/\s+/ /g; # make
the spacing consistant
write (OUTFILE); # if we
find it, put it in the report
$i++; #
increment the counter so we know we printed something for this server
} # end
parsing if
$j++; #
increment the counter so we know we read something for this server
} # end
while (<TEMPFILE>)
close TEMPFILE;
unlink ($tempfile); # erase
this runs tempfiles, for fresh start next time
if ($i == 0 and $j > 1) { # if we
didn't find anything everything must be ok
print OUTFILE "No notable events detected.\n";
} # end
validity if
} else {
print OUTFILE "*** Unable to open event logs: $! ***\n";
# we don't want to stop, just note which server didn't respond
} # end
open (TEMPFILE, $tempfile) if/else
} # end
foreach(@servers)
($sec, $min, $hour, $mday, $mon, $year, $wkday, $yday, $isdst) =
localtime(time); # get the time again so we can see how long it took
$ts = sprintf "%02.0d/%02.0d/%04.0d %02.0d:%02.0d:%02.0d",($mon+1,
$mday, $year+1900, $hour, $min, $sec); # format current time
print "\n--- scanel.pl finished processing at $ts ---\n";
print OUTFILE "\n\n--- scanel.pl finished processing at $ts ---\n"; #
standard footer
close OUTFILE;
print "\n\nArchiving results file...\n";
copy ($outfile, $permfile); # Create
permanent copy of events file
exit 0;
############################ formats #############################
format OUTFILE =
@<< @>>>>>>>>> @>>>>>>>
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$log, $date, $time, $description
~~
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$description
.
==== end script ====
==== begin output ===
# Event Log Scan run at 07/17/2002 06:36:01 (generated by scanel.pl)
------------
mikesdell
------------
Log Date Time Description
---------------------------------------------------------------------------------------------------------------------------
------------
sea-mon
------------
Log Date Time Description
---------------------------------------------------------------------------------------------------------------------------
------------
sea-monitor2
------------
Log Date Time Description
---------------------------------------------------------------------------------------------------------------------------
*** Unable to open event logs: No such file or directory ***
--- scanel.pl finished processing at 07/17/2002 06:36:02 ---
==== end output ====
===
Mike Singleton
Network Analyst
(253) 272-1916 x1259
(253) 405-1968 (cellular)
[EMAIL PROTECTED]
DaVita Inc.
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
