monitors:winevtmsgs.pl

WinEvtMsgs

Author David Baldwin
Compatibility Xymon 4.2
Requirements Perl, rsyslog/syslog-ng, XymonExt.pm
Download None
Last Update 2010-08-17

Report on Windows Event logs forwarded with SNARE

note: xymon/hobbit user must have read access to logs (see FileGroup in rsyslog.conf)

SNARE is a Windows event log forwarder over syslog.

Client side

Each Windows server needs the appropriate version of Snare installed (Vista/2008 different from older versions of Windows).

Server side

Install on central syslog server. Assumed this is the same as Xymon server (need to use bb-hosts 'evt' tag to denote tested hosts)

Can also report on cluster nodes and cluster resources (e.g. SQL or Exchange) - in such cases each cluster node forwards all events for all nodes.

bb-hosts example for SQL instances:

10.0.0.22 c2n1 # evt
10.0.0.23 c2n2 # evt
10.0.0.24 c2n3 # evt
10.0.0.26 sql1 # evt=10.0.0.22
10.0.0.27 sql2 # evt=10.0.0.22
10.0.0.28 sql3 # evt=10.0.0.22

rsyslog or syslog-ng can be used on a central syslog server to accumulate logs for each host in a separate directory

Sample /etc/rsyslog.conf section to log each host into directory /var/log/rsyslog/IP/messages-YYYYMMDD note: “rsyslogd -x” required to disable DNS lookup on remote IP note: “rsyslogd -c3” required for V3 config (rsyslog V3)

# $ModLoad immark # provides --MARK-- message capability
$ModLoad imudp # provides UDP syslog reception
$UDPServerAddress * # this MUST be before the $UDPServerRun directive!
$UDPServerRun 514
$ModLoad imtcp # provides TCP syslog reception
$InputTCPServerRun 514
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
 
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 
#--------------------ALL REMOTE LOGS----------------------------------------
 
$umask 0000
$DirOwner root
$DirGroup logview
$DirCreateMode 0750
$FileOwner root
$FileGroup logview
$FileCreateMode 0640
$template DynFile,"/var/log/rsyslog/%FROMHOST%/messages-%$YEAR%%$MONTH%%$DAY%"
 
:source , !isequal , "loghost" ?DynFile

Add to hobbitlaunch.cfg

# "winevt" checks forwarded windows event logs

[winevt]
        ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
        NEEDS hobbitd
        CMD $BBHOME/ext/winevtmsgs.pl
        LOGFILE $BBSERVERLOGS/winevtmsgs.log
        INTERVAL 5m

Install in server/ext directory

Show Code ⇲

Hide Code ⇱

#!/usr/bin/perl -w
#CHKHOSTS evt
#
# winevtmsgs.pl
#
# Report on Windows Event logs forwarded with SNARE
#
# note: xymon/hobbit user must have read access to logs (see FileGroup in rsyslog.conf)
#
# SNARE is a Windows event log forwarder over syslog.
#  http://www.intersectalliance.com/projects/SnareWindows/index.html
#
=begin rsyslog
# rsyslog or syslog-ng can be used on a central syslog server to accumulate logs for each host in a separate directory
#
# http://www.rsyslog.com/
# Sample /etc/rsyslog.conf section to log each host into directory /var/log/rsyslog/IP/messages-YYYYMMDD
#  note: "rsyslogd -x" required to disable DNS lookup on remote IP
#  note: "rsyslogd -c3" required for V3 config
# (rsyslog V3)
 
# $ModLoad immark # provides --MARK-- message capability
$ModLoad imudp # provides UDP syslog reception
$UDPServerAddress * # this MUST be before the $UDPServerRun directive!
$UDPServerRun 514
$ModLoad imtcp # provides TCP syslog reception
$InputTCPServerRun 514
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
 
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 
#--------------------ALL REMOTE LOGS----------------------------------------
 
$umask 0000
$DirOwner root
$DirGroup logview
$DirCreateMode 0750
$FileOwner root
$FileGroup logview
$FileCreateMode 0640
$template DynFile,"/var/log/rsyslog/%FROMHOST%/messages-%$YEAR%%$MONTH%%$DAY%"
 
:source , !isequal , "loghost" ?DynFile
 
=cut
 
my $xymonlib;
BEGIN { $xymonlib = $ENV{BBHOME} && "$ENV{BBHOME}/ext" || "/usr/lib/hobbit/server/ext"; }
 
use strict;
use lib $xymonlib;
use POSIX;
use Fcntl;   # For O_RDWR, O_CREAT, etc.
use DB_File;
use XymonExt;
use Getopt::Long;
 
use Data::Dumper;
 
$|=1;
my $debug = 0; # 0 = none  1 = low
 
# config
my $logdir = "/var/log/rsyslog";
 
my $test = "evt";
my $bbtest = "evt";
my $topredlim = 5;
 
# end of test config
my ($bbstatus,$bbmsg,$topred,$topredcnt);
my $filedump = 0;
my $exit_status = 0;
my $addr = '';
my $complete = 0;
my $previous = 0;
my %cluster;
my $evthf = "$BBTMP/winevtmsgs-hash";
my %logsp;
tie(%logsp, 'DB_File', $evthf, O_RDWR|O_CREAT, 0660)
  or die "Couldn't tie DB file '$evthf': $!; aborting";
 
# Global status variables - don't forget to initialiase in main loop below to clear before checking new host ...
#------------------------------------------------------------------------------
 
while ( $ARGV[0] && $ARGV[0] =~ /^-/ ) {
	if ( $ARGV[0] eq '-d' || $ARGV[0] eq '--debug' ) { 
		$debug++;
		shift @ARGV;
		next;
	}
	if ( $ARGV[0] eq '-f' || $ARGV[0] eq '--file' ) { 
		$filedump++;
		shift @ARGV;
		next;
	}
	if ( $ARGV[0] eq '-a' || $ARGV[0] eq '--address' ) {
		shift @ARGV;
		if ( ! $ARGV[0] ) { &usage; exit 5; }
		$addr = $ARGV[0];
		shift @ARGV;
		next;
	}
	if ( $ARGV[0] eq '-c' || $ARGV[0] eq '--complete' ) {
		$complete++;
		shift @ARGV;
		next;
	}
	if ( $ARGV[0] eq '-p' || $ARGV[0] eq '--previous' ) {
		$previous++;
		shift @ARGV;
		next;
	}
	exit 5;
}
if ( $ARGV[0] ) { 
  die "Usage: $0 [-a|--address <FQDN>] [-d|--debug] [-f|--file] [-c|--complete] [-p|--previous]\n";
}
 
#------------------------------------------------------------------------------
 
my %tests = do "/etc/hobbit/winevtmsgs.cfg";
 
sub match {
    my ($val,$match) = @_;
    return 0 unless defined $val;
    if(ref $match eq "Regexp") {
      return $val =~ $match;
    } else {
      return $val eq $match;
    }
}
 
my %dbgc = ();
 
sub reportline {
    my $line = shift;
    my $rephost = shift;
    my %fields = ();
    @fields{qw{date evt eid src ser tsp evn cat usr na typ hst n1 n2 msg n3}} = split /#011/,$line;
    my ($host) = ($fields{date} =~ /\s(\S+)$/);
    print "DBGHD: $host $fields{hst} $rephost\n" if $debug && ! $dbgc{001}{$host}{$fields{hst}}++;
    return if lc $rephost ne lc $fields{hst};
    my $lcol = "";
    MATCH: foreach my $tk ((grep {$_ ne "default"} keys %tests), "default") {
	print "DBGKD: testing $host in test $tk\n" if $debug && ! $dbgc{000}{$host}{$tk}++;
	my %tr = %{$tests{$tk}};
	next if defined($tr{host}) && ! match($host,$tr{host});
	print "DBG: matched $host in test $tk\n" if $debug && ! $dbgc{$host}{$tk}++;
	if(defined $tr{ignore}) {
	    foreach my $ik (keys %{$tr{ignore}}) {
		my %ti = %{$tr{ignore}{$ik}};
		my $im = scalar keys %ti;
	        foreach my $ikt (keys %ti) {
		    $im &&= match($fields{$ikt}, $ti{$ikt});
		}
		if($im) {
		    print "DBGIGN($tk;$ik): $line\n" if $debug;
		    return;
	        }
	    }
	}
	foreach my $col (qw{red yellow green}) {
	    TEST: foreach my $ik (keys %{$tr{$col}}) {
	        print "DBGD: testing $host in $col test $ik\n" if $debug && ! $dbgc{111}{$host}{$col}{$ik}++;
		my %ti = %{$tr{$col}{$ik}};
	        foreach my $ikt (keys %ti) {
	            print "DBGCK: ($ikt) $fields{$ikt}, $ti{$ikt}\n" if $debug > 1;
		    next TEST unless match($fields{$ikt}, $ti{$ikt});
		}
	        print "DBG: matched $col in test $ik group $tk\n" if $debug;
		$lcol = $col;
		last MATCH; # exit on first match - otherwise default may override specific match - do we need priority also?
	    }
	}
    }
    return if $lcol eq "";
    my $msg = $fields{msg} || $fields{n1} || "";
    my $evtmsg = "&$lcol $fields{tsp} ${fields{typ}}[$fields{src}:$fields{cat}]: (User: $fields{usr}) {$fields{evn}} $msg\n";
    $topred .= $evtmsg if $lcol eq "red" && $topredlim > $topredcnt++;
    $bbmsg .= $evtmsg;
    XymonExt->UpdateStatus($lcol);
}
 
### Main loop
my @dflist = ();
if (length $addr == 0 || ! $debug) {
  @dflist = XymonExt->HostsByTest($test);
} else {
  @dflist = ($addr);
}
if($debug) {
  printf "** DEBUG Host list ** %s\n",join(" ",@dflist);
}
my @testtime = localtime(time - 300 - $previous*24*60*60); # test log for previous 5 minutes
if($filedump) {
  my $logdate = strftime "%Y%m%d",@testtime;
  foreach my $f (keys %logsp) {
    my $old = $f =~ /messages-(\d+)/ && $1 < $logdate;
    print "$f: $logsp{$f} : $old\n";
    if($filedump>1 && $old) {
      delete $logsp{$f};
    }
  }
  exit;
}
foreach my $bbhost (@dflist) {
  my ($shrephost) = split /\./,$bbhost;
  my $ipaddr = XymonExt->HostIP($bbhost);
  my $altipaddr = XymonExt->HostItems($bbhost,"$bbtest=.*");
  print "DBGIPs: $ipaddr $altipaddr\n" if $debug;
  if( my ($ip) = ($altipaddr =~ /^$bbtest=(.*)$/)) {
    if( $ip =~ /^[\d\.]+$/) {
      $ipaddr = $ip;
    } else {
      push @{$cluster{$1}},($ipaddr);
    }
  }
  XymonExt->InitStatus();
  $bbmsg = "";
  $topred = "";
  $topredcnt = 0;
  my $c = 0;
  my $newsp = 0;
  my $prevsp = 0;
  my $logfile = strftime "$logdir/$ipaddr/messages-%Y%m%d",@testtime;
  print "\n====\nDBG: logfile: $logfile\n" if $debug;
  if(open LF,$logfile) {
    if(exists $logsp{$logfile} && ! $complete) {
      $prevsp = $logsp{$logfile};
      print "DBG: logfile SP: $prevsp\n" if $debug;
      my $seeksts = seek LF, $prevsp, 0;
      print "DBGSTS: $seeksts\n" if $debug;
    } else {
      print "DBGNOSP: No saved SP for $logfile\n" if $debug;
    }
 
    my $tspat = strftime "^%b %e %H:%M",@testtime;
    $tspat =~ s/[0-4]$/[0-4]/;
    $tspat =~ s/[5-9]$/[5-9]/;
    $tspat .= ":[0-5][0-9] ";
    print "DBG: tspat: /$tspat/\n" if $debug;
    my $tsre = qr{$tspat};
    while(my $ll = <LF>) {
      print $ll if $debug > 1;
      reportline($ll,$shrephost);
      if( $ll =~ /$tsre/) {
        print "DBGMAT: $prevsp new: $newsp\n" if $debug;
	unless( $newsp ) {
	  $newsp = $prevsp;
          print "DBG: set new SP: $newsp\n" if $debug;
	}
        $c++;
      }
      $prevsp = tell(LF) unless $newsp;
    }
    close LF;
    print "DBG: $c\n" if $debug;
    print "DBG: new logfile SP: $newsp\n" if $debug;
    $logsp{$logfile} = $newsp if $newsp > 0;
    my $scol = XymonExt->GetStatus();
    my $warn = $scol eq "red" && "errors found" || $scol eq "yellow" && "warnings found" || "OK";
    my $redcnt = $topredcnt > $topredlim && $topredlim || $topredcnt;
    my $redmsg = $topredcnt ? "<hr>Top $redcnt red messages:\n$topred\n<hr>\n" : "";
    $bbmsg = "Eventlog $warn\n${redmsg}All messages:\n$bbmsg\nLogfile: $logfile - $c lines matched /$tspat/\n";
  } else {
    $bbmsg = "ERROR\nCan't open $logfile\n";
    if($testtime[2]*60+$testtime[1] > 15) { # allow 15 minutes after midnight for SOMETHING to be logged
      XymonExt->UpdateStatus("red");
    } else {
      XymonExt->UpdateStatus("clear");
    }
  }
#------------------------------------------------------------------------------
  if ($debug) {
    print "BB: $bbhost.$bbtest sts: ".XymonExt->GetStatus()." MSG:\n$bbmsg";
  } else {
    XymonExt->Report($bbhost,$bbtest,XymonExt->GetStatus(),$bbmsg);
  }
 
 
} # end main loop
exit $exit_status;
 
#==============================================================================

Install in /etc/hobbit/winevtmsgs.cfg

Show Code ⇲

Hide Code ⇱

#!/usr/bin/perl -w
#------------------------------------------------------------------------------
#  winevtmsgs.pl config file (/etc/hobbit/winevtmsgs.cfg)
#
#   Field values can be defined as exact string match (plain string) or regexp (qr//).
#
#  Rules must have unique key (name) - default is always processed last
#    host field is matched against host name from syslog file line (generated by SNARE)
#    matching rules use key: ignore, red, yellow, green
#       ignore processed first, then red, yellow, green in that order
#       allows for raising or lowering of default priority (Error=red, Warning=yellow, Information=green)
#    other fields for matching purposes are from Event log line (* = displayed in report):
#      date = syslog date/time stamp
#      evt  = "MSWinEventLog"
#      eid  = "0"
#    * src  = Security, Application, etc
#      ser  = event number (sequence)
#    * tsp  = time/date stamp (from Windows host)
#    * evn  = event ID
#    * cat  = category/subsystem
#    * usr  = account/username (or Unknown User)
#      na   = "User"
#    * typ  = Warning, Error, Information, etc
#      hst  = Windows host name or cluster node/resource name
#    ? n1   = sometimes message (e.g. Exchange), often "None"
#      n2   = ""
#    * msg  = event message (sometime blank - e.g. Exchange)
#      n3   = another sequence number?
#
# Reporting line format is:
#   colour tsp typ[src:cat]: (User: usr) {evn} msg
# (if msg is blank, n1 is reported instead - e.g. some Exchange messages)
#    
#  Tune as required based on "false" reports at inappropriate severity levels
#
#  sample rule:
#    DCs (Domain Controllers)
#    host name specified by regexp
#    ignore System:MRxSMB 8003 messages about Browser service
#    yellow on System:KDC 26 messages (often Error, but not that significant)
#    green on System:NETLOGON (various) messages (often Error) about deleted/etc computer accounts
#
#	      "DCs" => {
#	           "host" => qr/^(dc\d+)/i,
#		   "ignore" => {
#		       "Browser" => {
#		           "src" => "System",
#		           "cat" => "MRxSmb",
#		           "evn" => qr/^(8003)$/,
#		       },
#		   },
#		   "yellow" => {
#		       "KDC" => {
#		           "src" => "System",
#		           "cat" => "KDC",
#		           "evn" => "26",
#		       },
#		   },
#		   "green" => {
#		       "NoCompAcct" => {
#		           "src" => "System",
#		           "cat" => "NETLOGON",
#		           "evn" => qr/^(5719|572[23]|5805)$/,
#		       },
#		   },
#	      },
 
	      "DCs" => {
	           "host" => qr/^(dc\d+)/i,
		   "yellow" => {
		       "KDC" => {
		           "src" => "System",
		           "cat" => "KDC",
		           "evn" => "26",
		       },
		   },
		   "green" => {
		       "NoCompAcct" => {
		           "src" => "System",
		           "cat" => "NETLOGON",
		           "evn" => qr/^(5719|572[23]|5805)$/,
		       },
		       "Browser" => {
		           "src" => "System",
		           "cat" => "MRxSmb",
		           "evn" => qr/^(8003)$/,
		       },
		       "KDC mult acct" => {
		           "src" => "System",
		           "cat" => "KDC",
		           "evn" => qr/^(11)$/,
		           "msg" => qr/altirissdvsv/,
		       },
		   },
	      },
              "WSUS replica" => {
	           "host" => qr/^(wsusrep)/i,
		   "yellow" => {
		       "WSUS synch" => {
		           "src" => "Application",
		           "cat" => "Windows Server Update Services",
		           "evn" => qr/^(10022)$/,
		       },
		   },
		   "green" => {
		       "WSUS self update" => {
		           "src" => "Application",
		           "cat" => "Windows Server Update Services",
		           "evn" => qr/^(13042)$/,
		       },
		   },
	      },
              "Citrix" => {
	           "host" => qr/^(citrix\d+)/i,
		   "ignore" => {
		       "Print" => {
		           "src" => "System",
		           "cat" => "Print",
		           "evn" => qr/^([34])$/,
		       },
		   },
		   "green" => {
		       "NoPrinterDriver" => {
		           "src" => "Application",
		           "cat" => "MetaFrameEvents",
		           "evn" => qr/^(110[367]|1116)$/,
		       },
		       "TRIM" => {
		           "src" => "Application",
		           "cat" => "TRIM",
		           "evn" => qr/^(100)$/,
		       },
		       "TermServDev" => {
		           "src" => "System",
		           "cat" => "TermServDevices",
		           "evn" => qr/^(1111)$/,
		       },
		       "Office" => {
		           "src" => "Application",
		           "cat" => qr/^Microsoft Office/,
		           "evn" => qr/^([12]000)$/,
		       },
		   },
		   "yellow" => {
		       "msGina" => {
		           "src" => "Application",
		           "cat" => "MsGina",
		           "evn" => qr/^(1010)$/,
		       },
		       "Folder Redirection" => {
		           "src" => "Application",
		           "cat" => "Folder Redirection",
		           "evn" => qr/^(107)$/,
		       },
		       "Folder Redirection 2" => {
		           "src" => "Application",
		           "cat" => "Folder Redirection",
		           "evn" => qr/^(101)$/,
		           "msg" => qr/not enough space on the disk/,
		       },
		       "Userenv" => {
		           "src" => "Application",
		           "cat" => "Userenv",
		           "evn" => qr/^(10[45]3|1085|1096)$/,
		       },
		       "Application Error" => {
		           "src" => "Application",
		           "cat" => "Application Error",
		           "evn" => qr/^(1000)$/,
		       },
		       "Citrix Resource Management" => {
		           "src" => "Application",
		           "cat" => "Citrix Resource Management",
		           "evn" => qr/^(257)$/,
		       },
		       "UserInit" => {
		           "src" => "Application",
		           "cat" => "UserInit",
		           "evn" => qr/^(1000)$/,
		       },
		   },
	      },
              "Citrix-WI" => {
	           "host" => qr/^(\w*cxwi)/i,
		   "yellow" => {
		       "Web Interface" => {
		           "src" => "Application",
		           "typ" => "Error",
		           "cat" => qr/^Web Interface/,
		           "evn" => qr/^(0)$/,
		       },
		   },
	      },
              "Cluster1" => {
	           "host" => qr/^(c1n\d)/i,
		   "ignore" => {
		       "Exchange" => {
		           "src" => "Application",
		           "cat" => qr/^(MSExchangeIS|EXCDO)/,
		           "evn" => qr/^(8231|9646)$/,
		       },
		   },
		   "yellow" => {
		       "ExchangeMbox" => {
		           "src" => "Application",
		           "cat" => "MSExchangeIS Mailbox Store",
		           "evn" => qr/^(1022|1147|1203|10001)$/,
		       },
		       "EXCDO" => {
		           "src" => "Application",
		           "cat" => "EXCDO",
		           "evn" => qr/^(8206|8217)$/,
		       },
		       "MSExchangeFBPublish" => {
		           "src" => "Application",
		           "cat" => "MSExchangeFBPublish",
		           "evn" => qr/^(8275)$/,
		       },
		       "ClusSvc" => {
		           "src" => "System",
		           "cat" => "ClusSvc",
		           "evn" => qr/^(1069)$/,
		       },
		   },
	      },
              "Exchange" => {
	           "host" => qr/^(exch\d)/i,
		   "yellow" => {
		       "MSExchange Availability" => {
		           "src" => "Application",
		           "cat" => "MSExchange Availability",
		           "evn" => qr/^(4011)$/,
		       },
		       "MSExchangeTransport" => {
		           "src" => "Application",
		           "cat" => "MSExchangeTransport",
		           "evn" => qr/^(12014)$/,
		       },
		   },
	      },
              "Cluster2" => {
	           "host" => qr/^(c2n\d)/i,
		   "yellow" => {
		       "MSSQL" => {
		           "src" => "Application",
		           "cat" => qr/^MSSQL/,
		           "evn" => qr/^(17806)$/,
		       },
		       "WinMgmt" => {
		           "src" => "Application",
		           "cat" => "WinMgmt",
		           "evn" => qr/^(10)$/,
		       },
		   },
	      },
 
              "All(pre-default)" => {
		   "green" => {
		       "BBWin" => {
		           "src" => "Application",
		           "cat" => "BigBrotherHobbitClient",
		           "evn" => qr/^(20)$/,
		       },
		       "Print" => {
		           "src" => "System",
		           "cat" => "Print",
		           "evn" => "6161",
		       },
		       "SChannel" => {
		           "src" => "System",
		           "cat" => "Schannel",
		           "evn" => qr/^(36874)$/,
		       },
		   },
		   "yellow" => {
		       "Microsoft-Windows-GroupPolicy" => {
		           "src" => "System",
		           "cat" => "Microsoft-Windows-GroupPolicy",
		           "evn" => "1058",
		       },
		       "Foundation Agents" => {
		           "src" => "System",
		           "cat" => "Foundation Agents",
		           "evn" => qr/^(1181)$/,
		       },
		       "Kerberos" => {
		           "src" => "System",
		           "cat" => "Kerberos",
		           "evn" => qr/^(4)$/,
		       },
		       "Userenv" => {
		           "src" => "Application",
		           "cat" => "Userenv",
		           "evn" => qr/^(1053)$/,
		       },
		       "W32Time" => {
		           "src" => "System",
		           "cat" => "W32Time",
		           "evn" => qr/^(29)$/,
		       },
		       "NETLOGON" => {
		           "src" => "System",
		           "cat" => "NETLOGON",
		           "evn" => qr/^(5719)$/,
		       },
		       "TermDD" => {
		           "src" => "System",
		           "cat" => "TermDD",
		           "evn" => qr/^(5[06])$/,
		       },
		       "AV" => {
		           "src" => "Application",
		           "cat" => "eTrust ITM",
		           "evn" => qr/^(23)$/,
		       },
		       "ASP.Net" => {
		           "src" => "Application",
		           "cat" => qr/^ASP.NET \d/,
		           "evn" => qr/^(1093)$/,
		       },
		       ".NET Runtime Optimization Service" => {
		           "src" => "Application",
		           "cat" => ".NET Runtime Optimization Service",
		           "evn" => qr/^(1101)$/,
		       },
		   },
		   "red" => {
		       "SRMSVC" => {
		           "src" => "Application",
		           "cat" => "SRMSVC",
		           "evn" => "12324",
		       },
		       "HP Ethernet" => {  # only Warning - I'd rather red!
		           "src" => "System",
		           "cat" => "HP Ethernet",
		           "evn" => "4",
		       },
	           },
	      },
	      "default" => {
	          "ignore" => {
		       "DCOM" => {
		           "src" => "System",
		           "cat" => "DCOM",
		           "evn" => qr/^(1000[05]|10015)$/,
		       },
		       "VMdebug" => {
		           "src" => "System",
		           "cat" => "vmdebug",
		           "evn" => "3",
		       },
		       "W3CTRS" => {
		           "src" => "Application",
		           "cat" => "W3CTRS",
		           "evn" => qr/^(200[13])$/,
		       },
		       "Perflib" => {
		           "src" => "Application",
		           "cat" => "Perflib",
		           "evn" => qr/^(1008|101[0578]|102[123]|200[23])$/,
		       },
		       "loadperf" => {
		           "src" => "Application",
		           "cat" => "LoadPerf",
		           "evn" => qr/^(3012)$/,
		       },
		       "NetBT" => {
		           "src" => "System",
		           "cat" => "NetBT",
		           "evn" => qr/^(4321)$/,
		       },
		       "Browser" => {
		           "src" => "System",
		           "cat" => "BROWSER",
		           "evn" => qr/^(80[01]9|8032)$/,
		       },
		  },
	          "red" => {
		       "Error" => {
		           "typ" => "Error",
			},
		  },
	          "yellow" => {
			"Warning" => {
		           "typ" => "Warning",
			},
		  },
	          "green" => {
			"Information" => {
		           "typ" => "Information",
			},
		  },
	      },
#==============================================================================
  • 2010-08-17
    • Initial release
  • monitors/winevtmsgs.pl.txt
  • Last modified: 2010/08/24 01:40
  • by 127.0.0.1