JonathanChan Posted April 26, 2007 (edited)

I'm an overbearing sysadmin... I want to know what is happening on all my computers as it happens... I wrote this script to display on my screen if there are errors going on at my server computers or my users' desktop computers. It monitors 3 things so far:

1. VPN access from IAS.
2. IIS or Apache hits (definitely would not use this on any server with a logfile > 100MB or a very busy server).
3. Gathers event logs from computers you specify (they must give your current user permission to view event logs, i.e. Domain Admin access).

You could tweak this script by editing the SQL to show only critical errors or even have it email you errors... I wrote this because all the logging programs were either pay to use, or only showed it on screen, or would only send an email... I wanted to be able to run any program I wanted when I received an error. Remember, you can easily add other logs to here. With this script, you can get the basic idea to display logs for your emails or for more! Basically anything logged by Windows can be parsed by this script because it uses the LogParser utility. Hope someone finds this as useful as me!

```autoit
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.1.14 (beta)
 Author:         Jonathan Chan

 Script Function:
    Displays Log Files on screen or you can script it to email or run program
    of your choice to notify you of changes in the log file.
    You will need MS LogParser2.2 and isaparse from the w2k3 CDs \support\tools\suptools.msi.
    http://www.microsoft.com/downloads/details.aspx?familyid=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

#ce ----------------------------------------------------------------------------

; Please Edit Variables Below

;;;;;; IAS Logging
$checkIAS = True
; Path of IAS Log file (Best to set IAS Log file to never split log file)
$IASFilePath = '\\chan\C$\WINDOWS\system32\LogFiles\iaslog0.log'
; IASParse.exe Path?
$IASParseExePath = "\\media\D$\private\bin\iasparse.exe"
; polltime? (in seconds)
$IASPollTime = 5

;;;;;; IIS Hit Logging
$checkIIS = True
; How many IIS Log Directories?
Dim $IISLogDirs[4]
; Actual Log File Locations?
$IISLogDirs[0] = "\\chan\C$\WINDOWS\system32\LogFiles\W3SVC1173680306\ex*.log"
$IISLogDirs[1] = "\\chan\C$\WINDOWS\system32\LogFiles\W3SVC1658629643\ex*.log"
$IISLogDirs[2] = "\\chan\C$\WINDOWS\system32\LogFiles\W3SVC372820554\ex*.log"
$IISLogDirs[3] = "\\chan\C$\WINDOWS\system32\LogFiles\W3SVC1851386671\ex*.log"
; Valid options are: IIS, IISW3C, IISODBC, NCSA
$IISFormat = "IISW3C"
; polltime? (in seconds)
$IISPollTime = 60

;;;;;; Event Logging - If both false, event logger checker is disabled.
$checkEVTLogApplication = True
$checkEVTLogSystem = True
; You need to be downloading this application from microsoft. (Log Parser 2.2)
$logParserExePath = "LogParser.exe"
; PollTime? (in seconds, Maximum polltime is 82800)
$EVTLogPollTime = 10000
; How many remote computers you want to check?
Dim $computers[4]
; And each computer's name?
$computers[0] = "media"
$computers[1] = "chan"
$computers[2] = "erc"
$computers[3] = "asc-laptop"

; Code Starts HERE, don't edit below here of course... Unless you know what you're doing.

#include <File.au3>
;#include "tailRW/tailRW.au3"
#include <Array.au3>

; Tray "Debug" toggle. It was never initialised in the original; reading a
; variable that has never been assigned is a runtime error in AutoIt.
$debug = False

; Tick counters. They are declared here unconditionally because AutoIt's And
; does not short-circuit: circle() compares every counter on every tick even
; when that poller is disabled.
$IASTimer = 0
$IISTimer = 0
$EVTLogTimer = 0

If $checkIAS = True Then
    ; Baseline line count; only changes relative to this are reported.
    $IASlines = _FileCountLines($IASFilePath)
    $IASTimer = $IASPollTime
EndIf

If $checkIIS = True Then
    $IISTimer = $IISPollTime
    ; Window is the poll interval plus 30 s so consecutive polls overlap rather than leave gaps.
    $IISTimeOffset = SecsToTime($IISPollTime + 30)
    $IISFrom = _ArrayToString($IISLogDirs, ",")
    Switch $IISFormat
        Case 'IIS'
            $IIS_selectfields = 'UserIP'
            $field_date = "Date"
        Case 'IISODBC' ; was misspelled 'IISOBDC', so the ODBC format could never be selected
            $IIS_selectfields = 'ClientHost'
            $field_date = "LogTime"
        Case 'IISW3C'
            $IIS_selectfields = 's-sitename,c-ip'
            $field_date = "TO_TIMESTAMP(Date,Time)"
        Case 'NCSA'
            $IIS_selectfields = 'RemoteHostName'
            $field_date = "DateTime"
        Case Else
            MsgBox(0, "Error", "Error, $IISFormat not properly set. Disabling IIS Polling.")
            $checkIIS = False
    EndSwitch
EndIf

If $checkEVTLogApplication = True Or $checkEVTLogSystem = True Then
    $checkEVTLog = True
    $EVTLogTimer = $EVTLogPollTime
    $EVTLogTimeOffset = SecsToTime($EVTLogPollTime)
Else
    $checkEVTLog = False
EndIf

$debugitem = TrayCreateItem("Debug")
TrayCreateItem("")
$eventitem = TrayCreateItem("EventLogNow")
;TrayCreateItem("")
AutoItSetOption("TrayAutoPause", 0)
AutoItSetOption("TrayIconDebug", 1)
TraySetState()

$begin = TimerInit()
While 1
    $traymsg = TrayGetMsg()
    Select
        Case $traymsg = 0
            ; nothing clicked
        Case $traymsg = $debugitem
            If $debug = True Then
                $debug = False
            Else
                $debug = True
            EndIf
        Case $traymsg = $eventitem
            EventLog()
    EndSelect
    ; One tick per second; each poller counts ticks up to its own interval.
    If TimerDiff($begin) > 999 Then
        circle()
        $begin = TimerInit()
    EndIf
WEnd

Func circle()
    ; IAS Logger Portion
    If $checkIAS = True And $IASTimer = $IASPollTime Then
        $IASTimer = 1
        ; Re-counts the whole file (over UNC) every poll; fine for a small log, not a large one.
        $IASnewlines = _FileCountLines($IASFilePath)
        If $IASlines <> $IASnewlines Then
            ; Only the newest line is parsed; if several records arrived since
            ; the last poll the earlier ones are not shown.
            $tmp = FileReadLine($IASFilePath, $IASnewlines)
            If Not FileWrite("tmp.log", $tmp) Then
                MsgBox(0, "Debug", "Could not write to tmp.log file.")
            EndIf
            ; Flag 2 = $STDOUT_CHILD: capture the child's stdout.
            $pid = Run($IASParseExePath & " -f:tmp.log", @WorkingDir, @SW_HIDE, 2)
            ; Read until EOF instead of a fixed 500 ms sleep, so a slow run
            ; cannot yield an empty or partial read.
            $msg = ReadAllStdout($pid)
            $msg = StringStripWS($msg, 3)
            ; Drop the first output line (the echoed record), keep the parsed fields.
            $offset = StringInStr($msg, @CRLF, 0)
            $msg = StringTrimLeft($msg, $offset)
            $msg = StringStripWS($msg, 3)
            FileDelete("tmp.log")
            MsgBox(0, "VPN Activity", $msg)
        EndIf
        $IASlines = $IASnewlines
    Else
        $IASTimer = $IASTimer + 1
    EndIf

    ; EVTLog Portion
    If $EVTLogTimer = $EVTLogPollTime And $checkEVTLog = True Then
        ;MsgBox(0, "Debug", "We are processing Event Logs.")
        $EVTLogTimer = 1
        $from = BuildEventLogFrom()
        ; Without this guard an empty FROM list produced "FROM  WHERE" and a LogParser error.
        If $from <> "" Then
            ; "" inside a double-quoted string is a literal quote, so LogParser
            ; receives the whole query as one quoted argument.
            $sql = """SELECT * INTO DATAGRID FROM " & $from & " WHERE TimeGenerated >= TO_LOCALTIME ( SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP('" & $EVTLogTimeOffset & "','hh:mm:ss') ) )"""
            Run($logParserExePath & " " & $sql & " -rtp:-1 -resolveSIDs:ON", @WorkingDir, @SW_SHOWDEFAULT)
        EndIf
    Else
        $EVTLogTimer = $EVTLogTimer + 1
    EndIf

    ; IIS Hit Logging
    If $checkIIS = True And $IISPollTime = $IISTimer Then
        ;MsgBox(0, "Debug", "We are processing IIS Logs.")
        $IISTimer = 1
        $sql = """SELECT DISTINCT " & $IIS_selectfields & " FROM " & $IISFrom & " WHERE " & $field_date & " >= SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP('" & $IISTimeOffset & "','hh:mm:ss') )"""
        ;MsgBox(0, "test", $sql)
        $run = $logParserExePath & " " & $sql & " -i:" & $IISFormat & " -o:CSV -headers:OFF"
        $pid = Run($run, @WorkingDir, @SW_HIDE, 2)
        $msg = ReadAllStdout($pid)
        ; LogParser appends a "Statistics:" block after the CSV rows; keep only the rows.
        $tmpoffset = StringInStr($msg, "Statistic")
        If $tmpoffset > 0 Then $msg = StringLeft($msg, $tmpoffset - 1)
        $msg = StringStripWS($msg, 3)
        If $msg <> "" Then
            TrayTip("Latest Hits in the past " & $IISTimeOffset & ":", $msg, 5)
        EndIf
        ;InputBox("test", "just debug", $run)
    Else
        $IISTimer = $IISTimer + 1
    EndIf
EndFunc

Func EventLog()
    $seconds = InputBox("Time?", "How many seconds ago do you want to see the logs?", "1000")
    If @error Then Return ; cancelled
    $tmp = SecsToTime(Number($seconds))
    $from = BuildEventLogFrom()
    If $from = "" Then Return
    $sql = """SELECT * INTO DATAGRID FROM " & $from & " WHERE TimeGenerated >= TO_LOCALTIME ( SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP('" & $tmp & "','hh:mm:ss') ) )"""
    Run($logParserExePath & " " & $sql & " -rtp:-1 -resolveSIDs:ON", @WorkingDir, @SW_SHOW)
EndFunc

; Build the FROM list of \\computer\Application and \\computer\System logs for
; every computer that answers a ping. Shared by circle() and EventLog(), which
; previously carried two copies of this loop.
Func BuildEventLogFrom()
    Local $from = ''
    For $computer In $computers
        If Ping($computer) Then
            If $checkEVTLogApplication = True Then $from = $from & "\\" & $computer & "\Application,"
            If $checkEVTLogSystem = True Then $from = $from & "\\" & $computer & "\System,"
        EndIf
    Next
    Return StringTrimRight($from, 1) ; drop the trailing comma
EndFunc

; Drain a child's stdout until the stream closes (StdoutRead sets @error at
; EOF). Waiting on ProcessExists() alone can deadlock if the child fills the pipe.
Func ReadAllStdout($pid)
    Local $out = '', $chunk
    While 1
        $chunk = StdoutRead($pid)
        If @error Then ExitLoop
        If $chunk = '' Then
            Sleep(10)
        Else
            $out = $out & $chunk
        EndIf
    WEnd
    Return $out
EndFunc

; Seconds -> "hh:mm:ss" for LogParser's TIMESTAMP('...','hh:mm:ss').
; hh is two digits, hence the 82800 s (23 h) ceiling noted in the settings.
Func SecsToTime($secs)
    Local $hour = Int($secs / 3600)
    Local $minute = Int(Mod($secs, 3600) / 60)
    Local $second = Mod($secs, 60)
    Return StringFormat("%02d:%02d:%02d", $hour, $minute, $second)
EndFunc
```

Edited April 26, 2007 by JonathanChan
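The pieces of the script that can be exercised without a Windows host are the window-to-"hh:mm:ss" conversion, the multi-computer FROM clause of the event-log query, the trimming of LogParser's trailing "Statistics:" block, and the "what is new since the last poll" logic. The following is an added example written for this page in Python (so it runs anywhere); it is not part of the original post or of JonathanChan's script. It also shows an offset-based tail that returns every line appended since the last poll rather than only the newest one, and detects a file that was rotated to a shorter size. The `reachable` predicate stands in for the script's `Ping()` check, `logparser_argv` is a hypothetical helper, and the sample LogParser output and the temp file are constructed for the demo.

```python
"""Added example, not from the original post: offline re-implementation of the
script's query-building, output-trimming and incremental-tail logic."""
import os
import tempfile
from typing import Callable, Iterable, List, Optional

MAX_WINDOW_SECS = 82800  # the script's stated maximum (23:00:00)


def secs_to_hhmmss(secs) -> str:
    """Same job as the script's SecsToTime(): 10000 -> '02:46:40'.
    LogParser's TIMESTAMP(x, 'hh:mm:ss') expects two-digit hours."""
    secs = int(secs)
    if not 0 <= secs <= MAX_WINDOW_SECS:
        raise ValueError(f"window must be 0..{MAX_WINDOW_SECS} seconds")
    hours, rem = divmod(secs, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


def build_eventlog_query(computers: Iterable[str],
                         logs: Iterable[str] = ("Application", "System"),
                         window_secs: int = 10000,
                         reachable: Callable[[str], bool] = lambda host: True
                         ) -> Optional[str]:
    """Event-log query over every reachable computer (reachable = assumed
    stand-in for Ping()). Returns None when no source is available; the script
    did not check this and would have issued 'FROM  WHERE'."""
    sources = [f"\\\\{host}\\{log}" for host in computers if reachable(host)
               for log in logs]
    if not sources:
        return None
    window = secs_to_hhmmss(window_secs)
    return ("SELECT * INTO DATAGRID FROM " + ",".join(sources)
            + " WHERE TimeGenerated >= TO_LOCALTIME ( SUB ( SYSTEM_TIMESTAMP(), "
            + f"TIMESTAMP('{window}','hh:mm:ss') ) )")


def logparser_argv(query: str, *options: str, exe: str = "LogParser.exe") -> List[str]:
    """Hypothetical helper: argv for subprocess.run(). A list keeps the query as
    one argument without the hand-doubled quotes the script builds by hand."""
    return [exe, query, *options]


def strip_logparser_stats(stdout: str) -> str:
    """LogParser prints a 'Statistics:' block after the CSV rows; keep the rows."""
    idx = stdout.find("Statistics")
    body = stdout if idx < 0 else stdout[:idx]
    return body.strip()


class LogTail:
    """Offset-based tail: new_lines() returns every line appended since the
    previous call. A file that shrank (rotated/truncated) is re-read from 0."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.offset = os.path.getsize(path) if os.path.exists(path) else 0

    def new_lines(self) -> List[str]:
        size = os.path.getsize(self.path)
        if size < self.offset:
            self.offset = 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        return data.decode("utf-8", "replace").splitlines()


# Constructed stand-in for the stdout of: LogParser.exe "<query>" -i:IISW3C -o:CSV -headers:OFF
SAMPLE_LOGPARSER_STDOUT = (
    "W3SVC1173680306,203.0.113.7\r\n"
    "W3SVC372820554,198.51.100.23\r\n"
    "\r\n"
    "Statistics:\r\n"
    "-----------\r\n"
    "Elements processed: 1421\r\n"
    "Elements output:    2\r\n"
    "Execution time:     0.17 seconds\r\n"
)


def demo_tail() -> List[List[str]]:
    """Run LogTail over a constructed temp log: steady state, two appended
    records, then a rotation to a shorter file."""
    results = []
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "iaslog0.log")
        with open(path, "w") as fh:
            fh.write("record-1\n")
        tail = LogTail(path)              # start at EOF, like the script's baseline line count
        results.append(tail.new_lines())  # nothing new yet
        with open(path, "a") as fh:
            fh.write("record-2\nrecord-3\n")
        results.append(tail.new_lines())  # both records, not just the last one
        with open(path, "w") as fh:        # rotation: file truncated and restarted
            fh.write("record-4\n")
        results.append(tail.new_lines())
    return results


if __name__ == "__main__":
    print(build_eventlog_query(["media", "chan"], window_secs=10000))
    print(logparser_argv("SELECT 1", "-i:IISW3C", "-o:CSV", "-headers:OFF"))
    print(strip_logparser_stats(SAMPLE_LOGPARSER_STDOUT))
    print(demo_tail())
```

Two caveats for anyone reusing the approach. `LogTail` only notices a rotation when the file gets shorter; a rotated file that is already larger than the saved offset would be read from the wrong position, so compare a file identity (creation time or inode) as well if that matters. And the whole poller inherits the token it runs under: on Windows Vista / Server 2008 and later, membership in the local Event Log Readers group is enough to read another machine's event logs remotely, so a monitor like this does not need a Domain Admin token on those hosts (the 2003-era machines in the post predate that group).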
ptrex Posted April 26, 2007

@JonathanChan
LogParser is a great Tool
LogParser in AU3
regards,
ptrex
JonathanChan Posted April 26, 2007 (Author)

> @JonathanChan
> LogParser is a great Tool
> LogParser in AU3
> regards,
> ptrex

Awww... That's a shame... I should have written this with your plugin....