JonathanChan

Admin Event / Logging Notifier

3 posts in this topic

#1 ·  Posted (edited)

I'm an overbearing sysadmin :shocked:... I want to know what is happening on all my computers as it happens... I wrote this script to display on my screen if there are errors going on at my server computers or my users' desktop computers. It monitors 3 things so far...

1. VPN Access from IAS.

2. IIS or Apache hits (definitely would not use this on any server with a logfile > 100MB or a very busy server)

3. Gathers EventLogs from computers you specify (they must give your current user permission to view EventLogs, i.e. Domain Admin access)

You could tweak this script by editing the SQL to show only critical errors, or even have it email you errors... I wrote this because all the logging programs were either pay-to-use, or only showed it on screen, or would only send an email... I wanted to be able to run any program I wanted when I received an error. Remember, you can easily add other logs to here. With this script, you can get the basic idea to display logs for your emails or for more! Basically anything logged by Windows can be parsed by this script because it uses the LogParser utility. Hope someone finds this as useful as me!

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.1.14 (beta)
 Author:         Jonathan Chan

 Script Function:
    Displays Log Files on screen or you can script it to email or run program
of your choice to notify you of changes in the log file.
    You will need MS LogParser 2.2 and iasparse.exe from the Windows Server 2003 CD's \support\tools\suptools.msi.
    
http://www.microsoft.com/downloads/details.aspx?familyid=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
#ce ----------------------------------------------------------------------------

; Please Edit Variables Below

;;;;;; IAS Logging
$checkIAS=True
; Path of IAS Log file (Best to set IAS Log file to never split log file)
$IASFilePath='\\chan\C$\WINDOWS\system32\LogFiles\iaslog0.log'
; IASParse.exe Path?
$IASParseExePath="\\media\D$\private\bin\iasparse.exe"
; polltime? (in seconds)
$IASPollTime=5

;;;;;; IIS Hit Logging
$checkIIS=True
; How many IIS Log Directories?
dim $IISLogDirs[4]
; Actual Log File Locations?
$IISLogDirs[0]="\\chan\C$\WINDOWS\system32\LogFiles\W3SVC1173680306\ex*.log"
$IISLogDirs[1]="\\chan\C$\WINDOWS\system32\LogFiles\W3SVC1658629643\ex*.log"
$IISLogDirs[2]="\\chan\C$\WINDOWS\system32\LogFiles\W3SVC372820554\ex*.log"
$IISLogDirs[3]="\\chan\C$\WINDOWS\system32\LogFiles\W3SVC1851386671\ex*.log"
; Valid options are: IIS, IISW3C, IISODBC,NCSA
$IISFormat="IISW3C"
; polltime? (in seconds)
$IISPollTime=60

;;;;;; Event Logging - If both false, event logger checker is disabled.
$checkEVTLogApplication=True
$checkEVTLogSystem=True
; You need to download Log Parser 2.2 from Microsoft.
$logParserExePath="LogParser.exe"
;PollTime? (in seconds, Maximum polltime is 82800 because the offset is passed to LogParser as an 'hh:mm:ss' TIMESTAMP)
$EVTLogPollTime=10000

; How many remote computers you want to check?
dim $computers[4]
; And each computer's name?
$computers[0]="media"
$computers[1]="chan"
$computers[2]="erc"
$computers[3]="asc-laptop"


; Code Starts HERE, don't edit below here of course... Unless you know what you're doing.
#include <File.au3>
;#include "tailRW/tailRW.au3"
#include <Array.au3>

; Debug flag toggled from the tray menu; it must exist before the main loop reads it
$debug=False

if $checkIAS=True Then
    $IASlines=_FileCountLines ( $IASFilePath )
    $IASTimer=$IASPollTime
EndIf

if $checkIIS=True Then
    $IISTimer=$IISPollTime
    $IISTimeOffset=SecsToTime($IISPollTime+30)
    
    $IISFrom=_ArrayToString($IISLogDirs,",")
    Switch $IISFormat
    Case 'IIS'
        $IIS_selectfields='UserIP'
        $field_date="Date"
    Case 'IISODBC'
        $IIS_selectfields='ClientHost'
        $field_date="LogTime"
    Case 'IISW3C'
        $IIS_selectfields='s-sitename,c-ip'
        $field_date="TO_TIMESTAMP(Date,Time)"
    Case 'NCSA'
        $IIS_selectfields='RemoteHostName'
        $field_date="DateTime"
    case Else
        msgbox(0,"Error", "Error, $IISFormat not properly set. Disabling IIS Polling.")
        $checkIIS=False
    EndSwitch
EndIf

if $checkEVTLogApplication=True OR $checkEVTLogSystem=True Then
    $checkEVTLog=true
    $EVTLogTimer=$EVTLogPollTime
    $EVTLogTimeOffset=SecsToTime($EVTLogPollTime) 
Else
    $checkEVTLog=False
EndIf

$debugitem  = TrayCreateItem("Debug")
TrayCreateItem("")
$eventitem  = TrayCreateItem("EventLogNow")
;TrayCreateItem("")

AutoItSetOption("TrayAutoPause",0)
AutoItSetOption("TrayIconDebug",1)
TraySetState()

$begin=TimerInit()
while 1
    $traymsg = TrayGetMsg()
    Select
    Case $traymsg = 0
        ;
    Case $traymsg = $debugitem
        if $debug=True then 
            $debug=False
        else 
            $debug=True
        EndIf
    case $traymsg=$eventitem
        EventLog()
    EndSelect
    if TimerDiff($begin) > 999 Then
        circle()
        $begin=TimerInit()
    EndIf
WEnd

func circle()
    ; IAS Logger Portion
    if $checkIAS=true AND $IASTimer=$IASPollTime Then
        $IASTimer=1
        $IASnewlines=_FileCountLines ( $IASFilePath )
        if $IASnewlines > $IASlines Then
            ; Collect every line appended since the last poll, not just the newest one,
            ; so a burst of VPN logins inside one poll interval is not lost.
            $tmp=''
            for $i=$IASlines+1 to $IASnewlines
                $tmp=$tmp&FileReadLine($IASFilePath,$i)&@CRLF
            Next
            FileDelete("tmp.log")
            if NOT FileWrite("tmp.log",$tmp) Then
                msgbox(0,"Debug","Could not write to tmp.log file.")
            EndIf

            ; Wait for iasparse to exit before reading its output; a fixed sleep
            ; returned an empty or truncated $msg when the share was slow.
            $pid=run($IASParseExePath&" -f:tmp.log",@WorkingDir,@SW_HIDE,2)
            while ProcessExists($pid)
                sleep(100)
            WEnd
            $msg=StdoutRead($pid)
            $msg=StringStripWS($msg,3)
            ; Drop the first (header) line of the iasparse output
            $offset=StringInStr($msg,@CRLF,0)
            $msg=StringTrimLeft($msg,$offset)
            $msg=StringStripWS($msg,3)
            FileDelete("tmp.log")
            msgbox(0,"VPN Activity",$msg)
        EndIf
        $IASlines=$IASnewlines
    Else
        $IASTimer=$IASTimer+1
    EndIf
    
    ; EVTLog Portion
    if $EVTLogTimer=$EVTLogPollTime AND $checkEVTLog=True Then
        ;msgbox(0,"Debug","We are processing Event Logs.")
        $EVTLogTimer=1
        RunEVTLogQuery($EVTLogTimeOffset)
    Else
        $EVTLogTimer=$EVTLogTimer+1
    EndIf
    
    ; IIS Hit Logging
    if $checkIIS=true AND $IISPollTime=$IISTimer Then
        ;msgbox(0,"Debug","We are processing IIS Logs.")
        $IISTimer=1
        $sql="""SELECT DISTINCT "&$IIS_selectfields&" FROM "&$IISFrom&" WHERE "&$field_date&" >= SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP('"&$IISTimeOffset&"','hh:mm:ss') )"""
        ;msgbox(0,"test",$sql)
        $run=$logParserExePath&" "&$sql&" -i:"&$IISFormat&" -o:CSV -headers:OFF"
        $pid=run($run,@WorkingDir,@SW_HIDE,2)
        while ProcessExists($pid) 
            sleep(1000)
        WEnd
        
        $msg=StdoutRead($pid)
        ; LogParser appends a "Statistics:" trailer to stdout; keep only the rows before it.
        ; If the trailer is missing (e.g. LogParser did not start) show nothing instead of
        ; passing a negative count to StringLeft.
        $tmpoffset=StringInStr($msg,"Statistic")-1
        if $tmpoffset > 0 Then
            $msg=StringLeft($msg,$tmpoffset)
        Else
            $msg=""
        EndIf
        $msg=StringStripWS($msg,3)
        if $msg <> "" Then
            TrayTip("Latest Hits in the past "&$IISTimeOffset&":",$msg,5)
        EndIf
        
        ;InputBox("test","just debug",$run)
    else 
        $IISTimer=$IISTimer+1
    EndIf
EndFunc

; Manual query from the tray menu: ask how far back to look, then run the same query.
func EventLog() 
    $seconds=InputBox("Time?","How many seconds ago do you want to see the logs?","1000")
    ; Cancel or a non-numeric answer would otherwise produce a malformed 'hh:mm:ss' offset
    if @error OR NOT StringIsInt($seconds) Then Return
    ; TIMESTAMP('hh:mm:ss') cannot express more than 23:59:59
    if $seconds > 82800 Then $seconds=82800
    RunEVTLogQuery(SecsToTime($seconds))
EndFunc

; Build the FROM list of reachable \\computer\Application and \\computer\System logs and
; open LogParser's datagrid with every event newer than now minus $offset (hh:mm:ss).
; Reading a remote event log needs admin rights on that host, which is why the script
; has to run under an account such as a Domain Admin.
func RunEVTLogQuery($offset)
    local $from=''
    for $computer in $computers
        if ping($computer) Then
            if $checkEVTLogApplication=True Then
                $from=$from&"\\"&$computer&"\Application,"
            EndIf
            if $checkEVTLogSystem=True Then
                $from=$from&"\\"&$computer&"\System,"
            EndIf
        EndIf
    Next
    ; No computer answered ping: an empty FROM clause would make LogParser error out
    if $from='' Then Return
    $from=StringTrimRight($from,1)
    local $sql="""SELECT * INTO DATAGRID FROM "&$from&" WHERE TimeGenerated >= TO_LOCALTIME ( SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP('"&$offset&"','hh:mm:ss') ) )"""
    Run($logParserExePath&" "&$sql&" -rtp:-1 -resolveSIDs:ON" ,@workingdir, @SW_SHOW)
EndFunc

; Convert a number of seconds into the 'hh:mm:ss' string LogParser's TIMESTAMP() expects.
; Values above 82800 (23 hours) cannot be represented this way.
func SecsToTime($secs) 
    local $hour=Floor($secs/3600)
    local $minute=Floor(Mod($secs,3600)/60)
    local $second=Mod($secs,60)
    return StringFormat("%02d:%02d:%02d",$hour,$minute,$second)
EndFunc
Edited by JonathanChan

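Added example, not code from the thread or from JonathanChan's script: the two pieces of logic the script hands to LogParser and iasparse, the IIS "hits in the last N seconds" query and the tail of the VPN log, redone in plain Python so they can be run and checked offline. The function names (parse_w3c, recent_hits, tail_new_lines, demo_tail), the sample IIS W3C log and the "IAS" lines are all mine; the log lines are constructed samples, the W3C field names are the ones IIS 6 writes, and the "IAS" lines are placeholders rather than the real IAS log layout.

```python
# Added example (not from the thread): the IIS-hit query and the VPN-log tail of the
# script above, redone in Python. Every log line here is a constructed sample, not
# real traffic; the W3C field names are the ones IIS 6 writes, the "IAS" lines are
# placeholders and not the real IAS log layout.
import os
import tempfile
from datetime import datetime, timedelta

# Constructed IIS 6 W3C extended log (the ex*.log files the script points LogParser at).
# The last line is deliberately cut short, as it would be if read mid-write.
SAMPLE_W3C = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-01 10:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem sc-status c-ip
2007-03-01 10:00:05 W3SVC1173680306 10.0.0.5 GET /index.htm 200 192.0.2.10
2007-03-01 10:00:40 W3SVC1173680306 10.0.0.5 GET /login.asp 401 192.0.2.10
2007-03-01 10:01:12 W3SVC1658629643 10.0.0.5 GET /admin/ 403 198.51.100.7
2007-03-01 09:20:00 W3SVC372820554 10.0.0.5 GET / 200 203.0.113.9
2007-03-01 10:01:20 W3SVC372820554 10.0.0.5 GET
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names.
    '#' lines are directives. The #Fields line is tracked statefully because IIS
    writes a fresh header (possibly a different field list) for each new file."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line (read while IIS was still writing it): skip
        records.append(dict(zip(fields, values)))
    return records


def record_time(rec):
    """Equivalent of LogParser's TO_TIMESTAMP(date, time) on a W3C record.
    IIS 6 writes W3C date/time in UTC, so the caller supplies a UTC 'now'."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def recent_hits(records, now_utc, window_seconds):
    """Distinct (s-sitename, c-ip) pairs seen in the last window_seconds, i.e.
    SELECT DISTINCT s-sitename,c-ip ... WHERE ts >= SUB(now, TIMESTAMP(offset)).
    now_utc is a 'YYYY-MM-DD HH:MM:SS' string so the window is reproducible."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S")
    cutoff = now - timedelta(seconds=window_seconds)
    seen = []
    for rec in records:
        if record_time(rec) >= cutoff:
            pair = (rec["s-sitename"], rec["c-ip"])
            if pair not in seen:  # DISTINCT, keeping first-seen order
                seen.append(pair)
    return seen


def tail_new_lines(path, offset):
    """Return (complete new lines since offset, new offset).
    The script counts lines each poll and reads only the newest one, so a burst
    of logins inside one interval shows just the last line and the whole file is
    re-read over SMB every time. Keeping the byte offset reads only what was
    appended. A file shorter than the offset was rotated or truncated, so the
    read restarts from the beginning."""
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        chunk = f.read()
    pieces = chunk.split(b"\n")
    partial = pieces.pop()  # b"" after a terminated line, else a half-written line
    consumed = len(chunk) - len(partial)
    lines = [p.rstrip(b"\r").decode("ascii", "replace") for p in pieces]
    return lines, offset + consumed


def demo_tail():
    """Write one constructed line, poll, append a burst of two, poll again.
    Returns (lines seen on the first poll, lines seen on the second poll)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write("alice,192.0.2.10,2007-03-01 10:00:00,Access-Accept\n")
        first, off = tail_new_lines(path, 0)
        with open(path, "a") as f:
            f.write("bob,192.0.2.11,2007-03-01 10:00:02,Access-Accept\n")
            f.write("carol,192.0.2.12,2007-03-01 10:00:03,Access-Reject\n")
        burst, off = tail_new_lines(path, off)
        return len(first), len(burst)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for site, ip in recent_hits(parse_w3c(SAMPLE_W3C), "2007-03-01 10:01:30", 90):
        print(site, ip)
    print(demo_tail())
```

Two details worth carrying back to the AutoIt version: the time window only makes sense if both sides use the same clock, and W3C logs are written in UTC while the script compares them against SYSTEM_TIMESTAMP(), so a 60-second window will show nothing on a server whose local time is hours off UTC; and the offset-based tail returns every line of a burst, where the line-count approach in the script shows only the last one.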
@JonathanChan

LogParser is a great Tool

LogParser in AU3

regards,

ptrex

Awww... That's a shame... I should have written this with your plugin :shocked:....
