monitors:winevtmsgs.pl [2010/08/24 01:40] (current)
Line 1: Line 1:
 +====== WinEvtMsgs ======
 +
 +^ Author | [[ dbaldwin@users.sf.net|David Baldwin ]] |
 +^ Compatibility | Xymon 4.2 |
 +^ Requirements | Perl, rsyslog/​syslog-ng,​ [[monitors:​XymonExt.pm]] |
 +^ Download | None |
 +^ Last Update | 2010-08-17 |
 +
 +===== Description =====
 +
 +Report on Windows Event logs forwarded with SNARE
 +
 +note: xymon/​hobbit user must have read access to logs (see FileGroup in rsyslog.conf)
 +
 +[[http://​www.intersectalliance.com/​projects/​SnareWindows/​index.html|SNARE]] is a Windows event log forwarder over syslog.
 +
 +===== Installation =====
 +=== Client side ===
 +Each Windows server needs the appropriate version of Snare installed (Vista/2008 different from older versions of Windows).
 +
 +=== Server side ===
 +Install on central syslog server. Assumed this is the same as Xymon server (need to use bb-hosts '​evt'​ tag to denote tested hosts)
 +
 +Can also report on cluster nodes and cluster resources (e.g. SQL or Exchange) - in such cases each cluster node forwards all events for all nodes.
 +
 +bb-hosts example for SQL instances:
 +<​code>​
 +10.0.0.22 c2n1 # evt
 +10.0.0.23 c2n2 # evt
 +10.0.0.24 c2n3 # evt
 +10.0.0.26 sql1 # evt=10.0.0.22
 +10.0.0.27 sql2 # evt=10.0.0.22
 +10.0.0.28 sql3 # evt=10.0.0.22
 +</​code>​
 +
 +[[http://​www.rsyslog.com/​|rsyslog]] or syslog-ng can be used on a central syslog server to accumulate logs for each host in a separate directory
 +
 +Sample /​etc/​rsyslog.conf section to log each host into directory /​var/​log/​rsyslog/​IP/​messages-YYYYMMDD
 +note: "​rsyslogd -x" required to disable DNS lookup on remote IP
 +note: "​rsyslogd -c3" required for V3 config (rsyslog V3)
 +<code perl>
 +# $ModLoad immark # provides --MARK-- message capability
 +$ModLoad imudp # provides UDP syslog reception
 +$UDPServerAddress * # this MUST be before the $UDPServerRun directive!
 +$UDPServerRun 514
 +$ModLoad imtcp # provides TCP syslog reception
 +$InputTCPServerRun 514
 +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
 +$ModLoad imklog # provides kernel logging support (previously done by rklogd)
 +
 +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 +
 +#​--------------------ALL REMOTE LOGS----------------------------------------
 +
 +$umask 0000
 +$DirOwner root
 +$DirGroup logview
 +$DirCreateMode 0750
 +$FileOwner root
 +$FileGroup logview
 +$FileCreateMode 0640
 +$template DynFile,"/​var/​log/​rsyslog/​%FROMHOST%/​messages-%$YEAR%%$MONTH%%$DAY%"​
 +
 +:source , !isequal , "​loghost"​ ?DynFile
 +</​code>​
 +
 +Add to hobbitlaunch.cfg
 +<​code>​
 +# "​winevt"​ checks forwarded windows event logs
 +
 +[winevt]
 +        ENVFILE /​usr/​lib/​hobbit/​server/​etc/​hobbitserver.cfg
 +        NEEDS hobbitd
 +        CMD $BBHOME/​ext/​winevtmsgs.pl
 +        LOGFILE $BBSERVERLOGS/​winevtmsgs.log
 +        INTERVAL 5m
 +</​code>​
 +
 +
 +===== Source =====
 +==== winevtmsgs.pl ====
 +Install in server/ext directory
 +
 +<hidden onHidden="​Show Code ⇲" onVisible="​Hide Code ⇱">​
 +<code perl>
 +#​!/​usr/​bin/​perl -w
 +#CHKHOSTS evt
 +#
 +# winevtmsgs.pl
 +#
 +# Report on Windows Event logs forwarded with SNARE
 +#
 +# note: xymon/​hobbit user must have read access to logs (see FileGroup in rsyslog.conf)
 +#
 +# SNARE is a Windows event log forwarder over syslog.
 +#  http://​www.intersectalliance.com/​projects/​SnareWindows/​index.html
 +#
 +=begin rsyslog
 +# rsyslog or syslog-ng can be used on a central syslog server to accumulate logs for each host in a separate directory
 +#
 +# http://​www.rsyslog.com/​
 +# Sample /​etc/​rsyslog.conf section to log each host into directory /​var/​log/​rsyslog/​IP/​messages-YYYYMMDD
 +#  note: "​rsyslogd -x" required to disable DNS lookup on remote IP
 +#  note: "​rsyslogd -c3" required for V3 config
 +# (rsyslog V3)
 +
 +# $ModLoad immark # provides --MARK-- message capability
 +$ModLoad imudp # provides UDP syslog reception
 +$UDPServerAddress * # this MUST be before the $UDPServerRun directive!
 +$UDPServerRun 514
 +$ModLoad imtcp # provides TCP syslog reception
 +$InputTCPServerRun 514
 +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
 +$ModLoad imklog # provides kernel logging support (previously done by rklogd)
 +
 +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 +
 +#​--------------------ALL REMOTE LOGS----------------------------------------
 +
 +$umask 0000
 +$DirOwner root
 +$DirGroup logview
 +$DirCreateMode 0750
 +$FileOwner root
 +$FileGroup logview
 +$FileCreateMode 0640
 +$template DynFile,"/​var/​log/​rsyslog/​%FROMHOST%/​messages-%$YEAR%%$MONTH%%$DAY%"​
 +
 +:source , !isequal , "​loghost"​ ?DynFile
 +
 +=cut
 +
 +my $xymonlib;
 +BEGIN { $xymonlib = $ENV{BBHOME} && "​$ENV{BBHOME}/​ext"​ || "/​usr/​lib/​hobbit/​server/​ext";​ }
 + 
 +use strict;
 +use lib $xymonlib;
 +use POSIX;
 +use Fcntl; ​  # For O_RDWR, O_CREAT, etc.
 +use DB_File;
 +use XymonExt;
 +use Getopt::​Long;​
 +
 +use Data::​Dumper;​
 +
 +$|=1;
 +my $debug = 0; # 0 = none  1 = low
 +
 +# config
 +my $logdir = "/​var/​log/​rsyslog";​
 +
 +my $test = "​evt";​
 +my $bbtest = "​evt";​
 +my $topredlim = 5;
 +
 +# end of test config
 +my ($bbstatus,​$bbmsg,​$topred,​$topredcnt);​
 +my $filedump = 0;
 +my $exit_status = 0;
 +my $addr = '';​
 +my $complete = 0;
 +my $previous = 0;
 +my %cluster;
 +my $evthf = "​$BBTMP/​winevtmsgs-hash";​
 +my %logsp;
 +tie(%logsp, '​DB_File',​ $evthf, O_RDWR|O_CREAT,​ 0660)
 +  or die "​Couldn'​t tie DB file '​$evthf':​ $!; aborting";​
 +
 +# Global status variables - don't forget to initialiase in main loop below to clear before checking new host ...
 +#​------------------------------------------------------------------------------
 +
 +while ( $ARGV[0] && $ARGV[0] =~ /^-/ ) {
 + if ( $ARGV[0] eq '​-d'​ || $ARGV[0] eq '​--debug'​ ) { 
 + $debug++;
 + shift @ARGV;
 + next;
 + }
 + if ( $ARGV[0] eq '​-f'​ || $ARGV[0] eq '​--file'​ ) { 
 + $filedump++;​
 + shift @ARGV;
 + next;
 + }
 + if ( $ARGV[0] eq '​-a'​ || $ARGV[0] eq '​--address'​ ) {
 + shift @ARGV;
 + if ( ! $ARGV[0] ) { &usage; exit 5; }
 + $addr = $ARGV[0];
 + shift @ARGV;
 + next;
 + }
 + if ( $ARGV[0] eq '​-c'​ || $ARGV[0] eq '​--complete'​ ) {
 + $complete++;​
 + shift @ARGV;
 + next;
 + }
 + if ( $ARGV[0] eq '​-p'​ || $ARGV[0] eq '​--previous'​ ) {
 + $previous++;​
 + shift @ARGV;
 + next;
 + }
 + exit 5;
 +}
 +if ( $ARGV[0] ) { 
 +  die "​Usage:​ $0 [-a|--address <​FQDN>​] [-d|--debug] [-f|--file] [-c|--complete] [-p|--previous]\n";​
 +}
 +
 +#​------------------------------------------------------------------------------
 +
 +my %tests = do "/​etc/​hobbit/​winevtmsgs.cfg";​
 +
 +sub match {
 +    my ($val,​$match) = @_;
 +    return 0 unless defined $val;
 +    if(ref $match eq "​Regexp"​) {
 +      return $val =~ $match;
 +    } else {
 +      return $val eq $match;
 +    }
 +}
 +
 +my %dbgc = ();
 +
 +sub reportline {
 +    my $line = shift;
 +    my $rephost = shift;
 +    my %fields = ();
 +    @fields{qw{date evt eid src ser tsp evn cat usr na typ hst n1 n2 msg n3}} = split /#​011/,​$line;​
 +    my ($host) = ($fields{date} =~ /​\s(\S+)$/​);​
 +    print "​DBGHD:​ $host $fields{hst} $rephost\n"​ if $debug && ! $dbgc{001}{$host}{$fields{hst}}++;​
 +    return if lc $rephost ne lc $fields{hst};​
 +    my $lcol = "";​
 +    MATCH: foreach my $tk ((grep {$_ ne "​default"​} keys %tests), "​default"​) {
 + print "​DBGKD:​ testing $host in test $tk\n" if $debug && ! $dbgc{000}{$host}{$tk}++;​
 + my %tr = %{$tests{$tk}};​
 + next if defined($tr{host}) && ! match($host,​$tr{host});​
 + print "DBG: matched $host in test $tk\n" if $debug && ! $dbgc{$host}{$tk}++;​
 + if(defined $tr{ignore}) {
 +     foreach my $ik (keys %{$tr{ignore}}) {
 + my %ti = %{$tr{ignore}{$ik}};​
 + my $im = scalar keys %ti;
 +         foreach my $ikt (keys %ti) {
 +     $im &&= match($fields{$ikt},​ $ti{$ikt});
 + }
 + if($im) {
 +     print "​DBGIGN($tk;​$ik):​ $line\n"​ if $debug;
 +     return;
 +         }
 +     }
 + }
 + foreach my $col (qw{red yellow green}) {
 +     TEST: foreach my $ik (keys %{$tr{$col}}) {
 +         print "DBGD: testing $host in $col test $ik\n" if $debug && ! $dbgc{111}{$host}{$col}{$ik}++;​
 + my %ti = %{$tr{$col}{$ik}};​
 +         foreach my $ikt (keys %ti) {
 +             print "​DBGCK:​ ($ikt) $fields{$ikt},​ $ti{$ikt}\n"​ if $debug > 1;
 +     next TEST unless match($fields{$ikt},​ $ti{$ikt});
 + }
 +         print "DBG: matched $col in test $ik group $tk\n" if $debug;
 + $lcol = $col;
 + last MATCH; # exit on first match - otherwise default may override specific match - do we need priority also?
 +     }
 + }
 +    }
 +    return if $lcol eq "";​
 +    my $msg = $fields{msg} || $fields{n1} || "";​
 +    my $evtmsg = "&​$lcol $fields{tsp} ${fields{typ}}[$fields{src}:​$fields{cat}]:​ (User: $fields{usr}) {$fields{evn}} $msg\n";​
 +    $topred .= $evtmsg if $lcol eq "​red"​ && $topredlim > $topredcnt++;​
 +    $bbmsg .= $evtmsg;
 +    XymonExt->​UpdateStatus($lcol);​
 +}
 +
 +### Main loop
 +my @dflist = ();
 +if (length $addr == 0 || ! $debug) {
 +  @dflist = XymonExt->​HostsByTest($test);​
 +} else {
 +  @dflist = ($addr);
 +}
 +if($debug) {
 +  printf "** DEBUG Host list ** %s\n",​join("​ ",​@dflist);​
 +}
 +my @testtime = localtime(time - 300 - $previous*24*60*60);​ # test log for previous 5 minutes
 +if($filedump) {
 +  my $logdate = strftime "​%Y%m%d",​@testtime;​
 +  foreach my $f (keys %logsp) {
 +    my $old = $f =~ /​messages-(\d+)/​ && $1 < $logdate;
 +    print "$f: $logsp{$f} : $old\n";​
 +    if($filedump>​1 && $old) {
 +      delete $logsp{$f};
 +    }
 +  }
 +  exit;
 +}
 +foreach my $bbhost (@dflist) {
 +  my ($shrephost) = split /​\./,​$bbhost;​
 +  my $ipaddr = XymonExt->​HostIP($bbhost);​
 +  my $altipaddr = XymonExt->​HostItems($bbhost,"​$bbtest=.*"​);​
 +  print "​DBGIPs:​ $ipaddr $altipaddr\n"​ if $debug;
 +  if( my ($ip) = ($altipaddr =~ /​^$bbtest=(.*)$/​)) {
 +    if( $ip =~ /​^[\d\.]+$/​) {
 +      $ipaddr = $ip;
 +    } else {
 +      push @{$cluster{$1}},​($ipaddr);​
 +    }
 +  }
 +  XymonExt->​InitStatus();​
 +  $bbmsg = "";​
 +  $topred = "";​
 +  $topredcnt = 0;
 +  my $c = 0;
 +  my $newsp = 0;
 +  my $prevsp = 0;
 +  my $logfile = strftime "​$logdir/​$ipaddr/​messages-%Y%m%d",​@testtime;​
 +  print "​\n====\nDBG:​ logfile: $logfile\n"​ if $debug;
 +  if(open LF,​$logfile) {
 +    if(exists $logsp{$logfile} && ! $complete) {
 +      $prevsp = $logsp{$logfile};​
 +      print "DBG: logfile SP: $prevsp\n"​ if $debug;
 +      my $seeksts = seek LF, $prevsp, 0;
 +      print "​DBGSTS:​ $seeksts\n"​ if $debug;
 +    } else {
 +      print "​DBGNOSP:​ No saved SP for $logfile\n"​ if $debug;
 +    }
 +
 +    my $tspat = strftime "^%b %e %H:​%M",​@testtime;​
 +    $tspat =~ s/​[0-4]$/​[0-4]/;​
 +    $tspat =~ s/​[5-9]$/​[5-9]/;​
 +    $tspat .= ":​[0-5][0-9] ";
 +    print "DBG: tspat: /​$tspat/​\n"​ if $debug;
 +    my $tsre = qr{$tspat};
 +    while(my $ll = <LF>) {
 +      print $ll if $debug > 1;
 +      reportline($ll,​$shrephost);​
 +      if( $ll =~ /$tsre/) {
 +        print "​DBGMAT:​ $prevsp new: $newsp\n"​ if $debug;
 + unless( $newsp ) {
 +   $newsp = $prevsp;
 +          print "DBG: set new SP: $newsp\n"​ if $debug;
 + }
 +        $c++;
 +      }
 +      $prevsp = tell(LF) unless $newsp;
 +    }
 +    close LF;
 +    print "DBG: $c\n" if $debug;
 +    print "DBG: new logfile SP: $newsp\n"​ if $debug;
 +    $logsp{$logfile} = $newsp if $newsp > 0;
 +    my $scol = XymonExt->​GetStatus();​
 +    my $warn = $scol eq "​red"​ && "​errors found" || $scol eq "​yellow"​ && "​warnings found" || "​OK";​
 +    my $redcnt = $topredcnt > $topredlim && $topredlim || $topredcnt;
 +    my $redmsg = $topredcnt ? "<​hr>​Top $redcnt red messages:​\n$topred\n<​hr>​\n"​ : "";​
 +    $bbmsg = "​Eventlog $warn\n${redmsg}All messages:​\n$bbmsg\nLogfile:​ $logfile - $c lines matched /​$tspat/​\n";​
 +  } else {
 +    $bbmsg = "​ERROR\nCan'​t open $logfile\n";​
 +    if($testtime[2]*60+$testtime[1] > 15) { # allow 15 minutes after midnight for SOMETHING to be logged
 +      XymonExt->​UpdateStatus("​red"​);​
 +    } else {
 +      XymonExt->​UpdateStatus("​clear"​);​
 +    }
 +  }
 +#​------------------------------------------------------------------------------
 +  if ($debug) {
 +    print "BB: $bbhost.$bbtest sts: "​.XymonExt->​GetStatus()."​ MSG:​\n$bbmsg";​
 +  } else {
 +    XymonExt->​Report($bbhost,​$bbtest,​XymonExt->​GetStatus(),​$bbmsg);​
 +  }
 +
 +
 +} # end main loop
 +exit $exit_status;​
 +
 +#​==============================================================================
 +
 +</​code>​
 +</​hidden>​
 +
 +==== winevtmsgs.cfg ====
 +
 +Install in /​etc/​hobbit/​winevtmsgs.cfg
 +
 +<hidden onHidden="​Show Code ⇲" onVisible="​Hide Code ⇱">​
 +<code perl>
 +#​!/​usr/​bin/​perl -w
 +#​------------------------------------------------------------------------------
 +#  winevtmsgs.pl config file (/​etc/​hobbit/​winevtmsgs.cfg)
 +#
 +#   Field values can be defined as exact string match (plain string) or regexp (qr//).
 +#
 +#  Rules must have unique key (name) - default is always processed last
 +#    host field is matched against host name from syslog file line (generated by SNARE)
 +#    matching rules use key: ignore, red, yellow, green
 +#       ​ignore processed first, then red, yellow, green in that order
 +#       ​allows for raising or lowering of default priority (Error=red, Warning=yellow,​ Information=green)
 +#    other fields for matching purposes are from Event log line (* = displayed in report):
 +#      date = syslog date/time stamp
 +#      evt  = "​MSWinEventLog"​
 +#      eid  = "​0"​
 +#    * src  = Security, Application,​ etc
 +#      ser  = event number (sequence)
 +#    * tsp  = time/date stamp (from Windows host)
 +#    * evn  = event ID
 +#    * cat  = category/​subsystem
 +#    * usr  = account/​username (or Unknown User)
 +#      na   = "​User"​
 +#    * typ  = Warning, Error, Information,​ etc
 +#      hst  = Windows host name or cluster node/​resource name
 +#    ? n1   = sometimes message (e.g. Exchange), often "​None"​
 +#      n2   = ""​
 +#    * msg  = event message (sometime blank - e.g. Exchange)
 +#      n3   = another sequence number?
 +#
 +# Reporting line format is:
 +#   ​colour tsp typ[src:​cat]:​ (User: usr) {evn} msg
 +# (if msg is blank, n1 is reported instead - e.g. some Exchange messages)
 +#    ​
 +#  Tune as required based on "​false"​ reports at inappropriate severity levels
 +#
 +#  sample rule:
 +#    DCs (Domain Controllers)
 +#    host name specified by regexp
 +#    ignore System:​MRxSMB 8003 messages about Browser service
 +#    yellow on System:KDC 26 messages (often Error, but not that significant)
 +#    green on System:​NETLOGON (various) messages (often Error) about deleted/etc computer accounts
 +#
 +#       "​DCs"​ => {
 +#            "​host"​ => qr/​^(dc\d+)/​i,​
 +#    "​ignore"​ => {
 +#        "​Browser"​ => {
 +#            "​src"​ => "​System",​
 +#            "​cat"​ => "​MRxSmb",​
 +#            "​evn"​ => qr/​^(8003)$/,​
 +#        },
 +#    },
 +#    "​yellow"​ => {
 +#        "​KDC"​ => {
 +#            "​src"​ => "​System",​
 +#            "​cat"​ => "​KDC",​
 +#            "​evn"​ => "​26",​
 +#        },
 +#    },
 +#    "​green"​ => {
 +#        "​NoCompAcct"​ => {
 +#            "​src"​ => "​System",​
 +#            "​cat"​ => "​NETLOGON",​
 +#            "​evn"​ => qr/​^(5719|572[23]|5805)$/,​
 +#        },
 +#    },
 +#       },
 +
 +       "​DCs"​ => {
 +            "​host"​ => qr/​^(dc\d+)/​i,​
 +    "​yellow"​ => {
 +        "​KDC"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​KDC",​
 +            "​evn"​ => "​26",​
 +        },
 +    },
 +    "​green"​ => {
 +        "​NoCompAcct"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​NETLOGON",​
 +            "​evn"​ => qr/​^(5719|572[23]|5805)$/,​
 +        },
 +        "​Browser"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​MRxSmb",​
 +            "​evn"​ => qr/​^(8003)$/,​
 +        },
 +        "​KDC mult acct" => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​KDC",​
 +            "​evn"​ => qr/^(11)$/,
 +            "​msg"​ => qr/​altirissdvsv/,​
 +        },
 +    },
 +       },
 +              "WSUS replica"​ => {
 +            "​host"​ => qr/​^(wsusrep)/​i,​
 +    "​yellow"​ => {
 +        "​WSUS synch" => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Windows Server Update Services",​
 +            "​evn"​ => qr/​^(10022)$/,​
 +        },
 +    },
 +    "​green"​ => {
 +        "​WSUS self update"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Windows Server Update Services",​
 +            "​evn"​ => qr/​^(13042)$/,​
 +        },
 +    },
 +       },
 +              "​Citrix"​ => {
 +            "​host"​ => qr/​^(citrix\d+)/​i,​
 +    "​ignore"​ => {
 +        "​Print"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​Print",​
 +            "​evn"​ => qr/​^([34])$/,​
 +        },
 +    },
 +    "​green"​ => {
 +        "​NoPrinterDriver"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​MetaFrameEvents",​
 +            "​evn"​ => qr/​^(110[367]|1116)$/,​
 +        },
 +        "​TRIM"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​TRIM",​
 +            "​evn"​ => qr/​^(100)$/,​
 +        },
 +        "​TermServDev"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​TermServDevices",​
 +            "​evn"​ => qr/​^(1111)$/,​
 +        },
 +        "​Office"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => qr/​^Microsoft Office/,
 +            "​evn"​ => qr/​^([12]000)$/,​
 +        },
 +    },
 +    "​yellow"​ => {
 +        "​msGina"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​MsGina",​
 +            "​evn"​ => qr/​^(1010)$/,​
 +        },
 +        "​Folder Redirection"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Folder Redirection",​
 +            "​evn"​ => qr/​^(107)$/,​
 +        },
 +        "​Folder Redirection 2" => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Folder Redirection",​
 +            "​evn"​ => qr/​^(101)$/,​
 +            "​msg"​ => qr/not enough space on the disk/,
 +        },
 +        "​Userenv"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Userenv",​
 +            "​evn"​ => qr/​^(10[45]3|1085|1096)$/,​
 +        },
 +        "​Application Error" => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Application Error",​
 +            "​evn"​ => qr/​^(1000)$/,​
 +        },
 +        "​Citrix Resource Management"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Citrix Resource Management",​
 +            "​evn"​ => qr/​^(257)$/,​
 +        },
 +        "​UserInit"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​UserInit",​
 +            "​evn"​ => qr/​^(1000)$/,​
 +        },
 +    },
 +       },
 +              "​Citrix-WI"​ => {
 +            "​host"​ => qr/​^(\w*cxwi)/​i,​
 +    "​yellow"​ => {
 +        "​Web Interface"​ => {
 +            "​src"​ => "​Application",​
 +            "​typ"​ => "​Error",​
 +            "​cat"​ => qr/^Web Interface/,
 +            "​evn"​ => qr/^(0)$/,
 +        },
 +    },
 +       },
 +              "​Cluster1"​ => {
 +            "​host"​ => qr/​^(c1n\d)/​i,​
 +    "​ignore"​ => {
 +        "​Exchange"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => qr/​^(MSExchangeIS|EXCDO)/,​
 +            "​evn"​ => qr/​^(8231|9646)$/,​
 +        },
 +    },
 +    "​yellow"​ => {
 +        "​ExchangeMbox"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​MSExchangeIS Mailbox Store",​
 +            "​evn"​ => qr/​^(1022|1147|1203|10001)$/,​
 +        },
 +        "​EXCDO"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​EXCDO",​
 +            "​evn"​ => qr/​^(8206|8217)$/,​
 +        },
 +        "​MSExchangeFBPublish"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​MSExchangeFBPublish",​
 +            "​evn"​ => qr/​^(8275)$/,​
 +        },
 +        "​ClusSvc"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​ClusSvc",​
 +            "​evn"​ => qr/​^(1069)$/,​
 +        },
 +    },
 +       },
 +              "​Exchange"​ => {
 +            "​host"​ => qr/​^(exch\d)/​i,​
 +    "​yellow"​ => {
 +        "​MSExchange Availability"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​MSExchange Availability",​
 +            "​evn"​ => qr/​^(4011)$/,​
 +        },
 +        "​MSExchangeTransport"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​MSExchangeTransport",​
 +            "​evn"​ => qr/​^(12014)$/,​
 +        },
 +    },
 +       },
 +              "​Cluster2"​ => {
 +            "​host"​ => qr/​^(c2n\d)/​i,​
 +    "​yellow"​ => {
 +        "​MSSQL"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => qr/^MSSQL/,
 +            "​evn"​ => qr/​^(17806)$/,​
 +        },
 +        "​WinMgmt"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​WinMgmt",​
 +            "​evn"​ => qr/^(10)$/,
 +        },
 +    },
 +       },
 +
 +              "​All(pre-default)"​ => {
 +    "​green"​ => {
 +        "​BBWin"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​BigBrotherHobbitClient",​
 +            "​evn"​ => qr/^(20)$/,
 +        },
 +        "​Print"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​Print",​
 +            "​evn"​ => "​6161",​
 +        },
 +        "​SChannel"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​Schannel",​
 +            "​evn"​ => qr/​^(36874)$/,​
 +        },
 +    },
 +    "​yellow"​ => {
 +        "​Microsoft-Windows-GroupPolicy"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​Microsoft-Windows-GroupPolicy",​
 +            "​evn"​ => "​1058",​
 +        },
 +        "​Foundation Agents"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​Foundation Agents",​
 +            "​evn"​ => qr/​^(1181)$/,​
 +        },
 +        "​Kerberos"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​Kerberos",​
 +            "​evn"​ => qr/^(4)$/,
 +        },
 +        "​Userenv"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Userenv",​
 +            "​evn"​ => qr/​^(1053)$/,​
 +        },
 +        "​W32Time"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​W32Time",​
 +            "​evn"​ => qr/^(29)$/,
 +        },
 +        "​NETLOGON"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​NETLOGON",​
 +            "​evn"​ => qr/​^(5719)$/,​
 +        },
 +        "​TermDD"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​TermDD",​
 +            "​evn"​ => qr/​^(5[06])$/,​
 +        },
 +        "​AV"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​eTrust ITM",
 +            "​evn"​ => qr/^(23)$/,
 +        },
 +        "​ASP.Net"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => qr/^ASP.NET \d/,
 +            "​evn"​ => qr/​^(1093)$/,​
 +        },
 +        "​.NET Runtime Optimization Service"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => ".NET Runtime Optimization Service",​
 +            "​evn"​ => qr/​^(1101)$/,​
 +        },
 +    },
 +    "​red"​ => {
 +        "​SRMSVC"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​SRMSVC",​
 +            "​evn"​ => "​12324",​
 +        },
 +        "​HP Ethernet"​ => {  # only Warning - I'd rather red!
 +            "​src"​ => "​System",​
 +            "​cat"​ => "HP Ethernet",​
 +            "​evn"​ => "​4",​
 +        },
 +            },
 +       },
 +       "​default"​ => {
 +           "​ignore"​ => {
 +        "​DCOM"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​DCOM",​
 +            "​evn"​ => qr/​^(1000[05]|10015)$/,​
 +        },
 +        "​VMdebug"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​vmdebug",​
 +            "​evn"​ => "​3",​
 +        },
 +        "​W3CTRS"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​W3CTRS",​
 +            "​evn"​ => qr/​^(200[13])$/,​
 +        },
 +        "​Perflib"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​Perflib",​
 +            "​evn"​ => qr/​^(1008|101[0578]|102[123]|200[23])$/,​
 +        },
 +        "​loadperf"​ => {
 +            "​src"​ => "​Application",​
 +            "​cat"​ => "​LoadPerf",​
 +            "​evn"​ => qr/​^(3012)$/,​
 +        },
 +        "​NetBT"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​NetBT",​
 +            "​evn"​ => qr/​^(4321)$/,​
 +        },
 +        "​Browser"​ => {
 +            "​src"​ => "​System",​
 +            "​cat"​ => "​BROWSER",​
 +            "​evn"​ => qr/​^(80[01]9|8032)$/,​
 +        },
 +   },
 +           "​red"​ => {
 +        "​Error"​ => {
 +            "​typ"​ => "​Error",​
 + },
 +   },
 +           "​yellow"​ => {
 + "​Warning"​ => {
 +            "​typ"​ => "​Warning",​
 + },
 +   },
 +           "​green"​ => {
 + "​Information"​ => {
 +            "​typ"​ => "​Information",​
 + },
 +   },
 +       },
 +#​==============================================================================
 +
 +</​code>​
 +</​hidden>​
 +===== Known  Bugs and Issues =====
 +
 +===== To Do =====
 +
 +===== Credits =====
 +
 +===== Changelog =====
 +
 +  * **2010-08-17**
 +    * Initial release
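Review bot: In `reportline`, the event-log fields (`tsp`, `typ`, `src`, `cat`, `usr`, `evn` and the `msg`/`n1` text) are interpolated unescaped into `$evtmsg`, and the resulting status is evidently meant to be rendered as HTML (the `<hr>` tags the script adds around the "Top red messages" summary), so a crafted event message or account name — which reaches the loghost over unauthenticated UDP syslog (`$UDPServerRun 514` with no source restriction) — ends up as live markup in the Xymon web UI. Escape `&`, `<` and `>` in each field before assembling the line; the leading `&$lcol` colour marker is Xymon markup and must stay unescaped, so escape the fields rather than the finished string. Separately, `my %tests = do "/etc/hobbit/winevtmsgs.cfg";` silently tolerates a missing or unparsable config (a failed `do` leaves `%tests` empty and the check then reports nothing, i.e. it fails open); `my %tests = do $cfg or die "Cannot load $cfg: " . ($@ || $!);` makes that loud, and since that file is executed as Perl, its write permissions are a trust boundary worth stating on the page.
```perl
# escape event-log text before it is embedded in the (HTML-rendered) status message
sub html_escape {
    my $s = defined $_[0] ? $_[0] : "";
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}
# … unchanged: reportline field split, host check and rule matching …
    return if $lcol eq "";
    my $msg = html_escape($fields{msg} || $fields{n1} || "");
    my ($tsp, $typ, $src, $cat, $usr, $evn) = map { html_escape($_) } @fields{qw{tsp typ src cat usr evn}};
    # the leading &colour marker is Xymon markup and must remain unescaped
    my $evtmsg = "&$lcol $tsp ${typ}[$src:$cat]: (User: $usr) {$evn} $msg\n";
# … unchanged: top-red limiting and status update …
```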
  