YAMBA - Yet Another Mark Bradshaw App. :o)

Got too much time on my hands, so I decided to revisit an oldie. A while back I wrote up a perl script, CheckID, to help plug the event log hole in SA. It was very clunky, and required that you have the resource kit utility, a bad thing (tm).

I've whipped up a replacement to CheckID called CheckEvt. This perl script is completely command line driven. No mucking with the code needed. It's also MUCH more flexible in what it can check. If this is something you can use please download it and test it out. Requires a perl interpreter. Following is the "manual".

You can download the new app from http://www.networksimplicity.com/utils/#checkevt

Mark

===================

CheckEvt 1.0 - Copyright 2002, Mark Bradshaw ([EMAIL PROTECTED])

Usage: checkevt.pl [-a] [-p] [-s <char>] <criteria1> <criteria2> ...

  -a  By default any matching criteria will cause an alert, but you can specify the -a parameter to only get an alert when all criteria match.
  -p  Print out all matching events. Useful for debugging.
  -s  Use the next argument as the separation character. By default it's a colon.

Criteria are statements that tell checkevt what an error condition looks like. Each criterion is formed of eight pieces of information that describe the condition. The information, in order, is:

  host, log name, time in minutes to search, number of events at which to alert, event type (number), source, field to check, and check contents.

This information is concatenated into a single argument, with each piece separated by a colon. If the content field includes spaces, surround the argument with quotation marks. A field that can match anything should be marked with an asterisk.

The event type is a numeric field. Some common values are:

  1 - Error, 2 - Warning, 4 - Information, 8 - Success, 16 - Failure

Example 1: If you want to get an alert when a server called FileServ reboots, you might check for a single event of eventID 6009 in the last 3-5 minutes.

  Criteria: fileserv:system:5:1:*:*:id:6009

Example 2: You want to get an alert when both of your DNS servers (dns1 and dns2) are down. Run with the -a parameter set.

  Criteria: "dns1:system:5:1:*:dns:message:dns server has shutdown" "dns2:system:5:1:*:dns:message:dns server has shutdown"

Example 3: Alert when more than 30 bad logins occur in the last 10 minutes. Unsuccessful events are type 16 and successful events are type 8.

  Criteria: pdc:security:10:30:16:*:id:529
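As an added illustration of the criteria format (this is not CheckEvt's own code and was not part of the original post), here is a Python sketch of how the eight-piece criteria could be parsed and evaluated against a constructed sample of event-log records, including the -a (all criteria) and -s (separator) behaviour. The event dict field names, the exact match on id and the case-insensitive substring match on message are assumptions of this sketch, not documented CheckEvt behaviour.

```python
from datetime import datetime, timedelta

FIELDS = ("host", "log", "minutes", "threshold", "type", "source", "field", "content")  # checkevt's order
NOW = datetime(2002, 6, 1, 12, 0)   # constructed "current time" for the sample log

def parse_criteria(arg, sep=":"):
    """Split one criteria argument into its eight named pieces (sep mirrors -s)."""
    parts = arg.split(sep)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {arg!r}")
    crit = dict(zip(FIELDS, parts))
    crit["minutes"], crit["threshold"] = int(crit["minutes"]), int(crit["threshold"])
    return crit

def _wild(pattern, value):
    # an asterisk matches anything; otherwise compare case-insensitively
    return pattern == "*" or pattern.lower() == str(value).lower()

def matching_events(crit, events, now):
    """Events (dicts with host, log, time, type, source, id, message) that satisfy every piece."""
    cutoff = now - timedelta(minutes=crit["minutes"])
    hits = []
    for e in events:
        if not cutoff <= e["time"] <= now:
            continue
        if not all(_wild(crit[k], e[k]) for k in ("host", "log", "type", "source")):
            continue
        value = str(e[crit["field"]])
        # assumption: event IDs must match exactly, message text by case-insensitive substring
        if crit["field"] == "id":
            ok = _wild(crit["content"], value)
        else:
            ok = crit["content"] == "*" or crit["content"].lower() in value.lower()
        if ok:
            hits.append(e)
    return hits

def check_events(args, events, now, require_all=False, sep=":"):
    """True when an alert fires: any criterion by default, all of them with -a."""
    results = [len(matching_events(c, events, now)) >= c["threshold"]
               for c in (parse_criteria(a, sep) for a in args)]
    return all(results) if require_all else any(results)

def sample_events():
    """Constructed sample log: fileserv rebooted, dns1 stopped, 31 bad logins on pdc."""
    ev = lambda **kw: {"log": "system", "time": NOW - timedelta(minutes=2), "message": "", **kw}
    events = [ev(host="fileserv", type=4, source="eventlog", id=6009),
              ev(host="dns1", type=1, source="dns", id=2, message="The DNS server has shutdown.")]
    events += [ev(host="pdc", log="security", type=16, source="security", id=529) for _ in range(31)]
    return events
```

With the sample log, the three manual examples behave as described: example 1 and example 3 fire, and example 2 fires only without -a, since dns2 has not logged a shutdown.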
