Update 07/07/11: fixed a bug in identifying missing entries (the missing='y' option).
This KS allows the Windows Event Log to be scanned for multiple sets of search criteria within a single KS. If you need to search for a number of different types of Event, you can define all of the criteria in one KS rather than running multiple instances of General_EventLog. The KS raises a separate event for each unique combination of EventID, Log, Source and Type or, alternatively, for a user-defined message. In addition, a number of parameters change the KS's behaviour: for example, skip the search if a related Windows service is not running, only alert when x matching events are found within y hours, or exclude specific event entries from monitoring. It can also alert on the absence of an event.
' Scan the Event Log for multiple sets of criteria
' Raise a separate event for each unique combination of EventID, Log, Source, Type - or user-defined message
'
' Store each individual set in an XML string. The following fields are permitted:
'   log        The Log to scan.
'              NOTE: this field is MANDATORY; the rest are optional, but an Event ID or a Source must also be given
'   source     The Event source(s)
'   type       The Event type - can use the term 'Any' if you wish
'   id         The Event ID(s)
'   category   The Event Category(ies)
'   user       The Event User(s)
'   computer   The Event Computer(s)
'   The above fields can be used in the same way as in General_EventLog
'
' Additional fields
'   text       The Event description. NOTE: supports Regular Expressions
'   shortmsg   Short event Message. Overrides the default value of EventID:<> Log:<> Source:<> Type:<>
'              Can also use the value '$longmsg' to set it to the Event description
'   object     The Console object to blink. If it ends with a colon, the MachineName will be appended. If not set, uses NT_MachineFolder
'              eg, object='ACTIVEDS_ADSERVER = AD Server:', object='ISA_SERVER = ISA Server:', object='SQLT_SERVER = SQL Server:'
'   severity   Override the default severity
'   doevent    Raise event or not, ie y or n. If not defined then default = y
'   sendall    Create a separate event for each individual event log entry.
'              Overrides event collapsing by appending the time to the short message
'   dodata     Collect data or not, ie y or n
'   count      The number of times the event must occur before eventing. = 1 if not defined
'   hours      The number of hours to scan the event log for. 0/undefined = since last iteration, -1 = all
'              NOTE: the hours value must be greater than the run schedule of the script, unless run once
'   service    The name of a Windows Service on which the monitoring of the event relies.
'              If defined, the event will be monitored only if the specified service is running
'   missing    Raise an Event if the search criteria are not found, ie y or n. If not defined then default = n.
'              Note that this option does not collect data.
'
' Examples
'   <event id='6005' source='EventLog' log='System' type='Any' shortmsg='The server was rebooted' doevent='N' dodata='Y'/>
'   <event id='6005' source='EventLog' log='System' type='Any' shortmsg='The server was NOT rebooted in the last 24 hours' missing='Y' hours='24'/>
'   <event id='6005' source='EventLog' log='System' type='Any' count='5' hours='1' shortmsg='The server was rebooted 5 times in the last hour'/>
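The criteria lines are plain XML, so the matching they describe can be reproduced and tested outside the agent. The Python below is an added example, not the KS's VBScript: it parses event lines using the field names listed above (log mandatory, id or source required, comma-separated lists, 'Any', the text regular expression, hours, count, missing, doevent, dodata and the $longmsg short message) and evaluates the header's three examples plus a regex-based one against a constructed batch of records. The record layout, treating hours of 0 or -1 as "every record in the batch" (on the assumption that the caller has already cut at the last record number), a default of n for dodata, and using the most recent matching entry's description for $longmsg are assumptions made for the example; object, severity and service are carried in the parsed dict but not modelled.

```python
"""Added example (not the KS's own VBScript): parse <event .../> criteria
lines and evaluate them against event records. The record layout, treating
hours=0/-1 as "every record in the batch" and the defaults for dodata and
missing are assumptions made for the example."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MATCH_FIELDS = ("log", "source", "type", "id", "category", "user", "computer")


def parse_criteria(line):
    """One <event .../> line -> dict keyed by lower-cased attribute name."""
    attrs = {k.lower(): v for k, v in ET.fromstring(line).attrib.items()}
    if "log" not in attrs:
        raise ValueError("log is mandatory: " + line)
    if "id" not in attrs and "source" not in attrs:
        raise ValueError("give an id or a source as well as the log: " + line)
    return attrs


def field_matches(wanted, actual):
    """Comma-separated, case-insensitive; absent or 'Any' matches everything."""
    if wanted is None or wanted.strip().lower() == "any":
        return True
    return str(actual).lower() in [w.strip().lower() for w in wanted.split(",")]


def record_matches(crit, ev, now):
    """Field filters, then the hours window, then the 'text' regex."""
    if not all(field_matches(crit.get(f), ev[f]) for f in MATCH_FIELDS):
        return False
    hours = float(crit.get("hours", 0))  # 0/-1: no window (assumption: batch already cut at the cursor)
    if hours > 0 and ev["time"] < now - timedelta(hours=hours):
        return False
    pattern = crit.get("text")
    return pattern is None or re.search(pattern, ev["text"], re.IGNORECASE) is not None


def evaluate(lines, events, now):
    """One hit per criteria line whose count threshold (or 'missing') is met."""
    hits = []
    for line in lines:
        crit = parse_criteria(line)
        found = [ev for ev in events if record_matches(crit, ev, now)]
        missing = crit.get("missing", "n").lower() == "y"
        if missing and found:
            continue
        if not missing and len(found) < int(crit.get("count", 1)):
            continue
        short = crit.get("shortmsg") or "EventID:%s Log:%s Source:%s Type:%s" % (
            crit.get("id", ""), crit["log"], crit.get("source", ""), crit.get("type", ""))
        if short.lower() == "$longmsg" and found:
            short = found[-1]["text"]  # most recent matching entry (assumption)
        hits.append({"shortmsg": short, "matches": len(found),
                     "event": crit.get("doevent", "y").lower() == "y",
                     "data": not missing and crit.get("dodata", "n").lower() == "y"})
    return hits


NOW = datetime(2011, 7, 7, 12, 0)  # pretend "now" for the constructed batch


def _rec(record, log, source, eid, etype, minutes_ago, text):
    return {"record": record, "log": log, "source": source, "id": eid, "type": etype,
            "category": "None", "user": "N/A", "computer": "SRV01",
            "time": NOW - timedelta(minutes=minutes_ago), "text": text}


SAMPLE_EVENTS = [  # constructed records, not real log data
    _rec(101, "System", "EventLog", 6005, "Information", 120, "The Event log service was started."),
    _rec(102, "Application", "MsiInstaller", 1033, "Information", 90, "Product installed."),
    _rec(201, "Security", "Microsoft-Windows-Security-Auditing", 4625, "Failure Audit", 30,
         "An account failed to log on. Logon Type: 10 Account Name: alice"),
    _rec(202, "Security", "Microsoft-Windows-Security-Auditing", 4625, "Failure Audit", 20,
         "An account failed to log on. Logon Type: 10 Account Name: alice"),
    _rec(203, "Security", "Microsoft-Windows-Security-Auditing", 4625, "Failure Audit", 15,
         "An account failed to log on. Logon Type: 3 Account Name: svc_backup"),
    _rec(204, "Security", "Microsoft-Windows-Security-Auditing", 4625, "Failure Audit", 10,
         "An account failed to log on. Logon Type: 10 Account Name: alice"),
]

CRITERIA = [  # the header's three examples plus a regex-based one
    "<event id='6005' source='EventLog' log='System' type='Any' shortmsg='The server was rebooted' doevent='N' dodata='Y'/>",
    "<event id='6005' source='EventLog' log='System' type='Any' shortmsg='The server was NOT rebooted in the last 24 hours' missing='Y' hours='24'/>",
    "<event id='6005' source='EventLog' log='System' type='Any' count='5' hours='1' shortmsg='The server was rebooted 5 times in the last hour'/>",
    r"<event id='4625' log='Security' type='Any' text='Logon Type:\s+10' count='3' hours='1' shortmsg='$longmsg'/>",
]

if __name__ == "__main__":
    for hit in evaluate(CRITERIA, SAMPLE_EVENTS, NOW):
        print(hit)
```

Against the constructed batch the first line fires as a data point only (doevent='N'), the 24-hour "missing" line stays quiet because a 6005 exists two hours back, the five-reboots line stays quiet because that 6005 is outside its one-hour window, and the 4625 line fires once the three remote-interactive (Logon Type 10) failures reach its count, with the message taken from the event description.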
' Parameters
'   SUPPRESS_DUPLICATES   If multiple events, only pass one back to the MS.
'                         Duplicate detection logic is based on the ShortMessage
'   EXCLUDE_LIST          Comma-separated list of Source:EventID:Log:Type
'                         Suppresses the Alert for a defined entry
'   DO_DELETE             If too old, delete the INI file, which stores the last reached Record Numbers
'                         Prevents lots of old alerts if an agent is stopped
'                         Also resets the script if there is a message flood and the agent can't keep up
'   MAX_INI_AGE           Max Age in hours of the INI file - if DO_DELETE = 'y'
'   INI_PATH              Path to the INI file. Can be a full path or a path relative to the installation directory
'                         The folder will be created if it does not exist - but only if the parent folder already exists
'
' NOTES
'   None of the XML information is case sensitive
'   If more than 250 XML entries are required, you will need to extend the BuildXML function appropriately
'   Can only have one event source per line
'
' IMPORTANT
' ########################################################
' If running more than one instance of the script on an agent, you MUST change the name of the INI file
' to prevent the scripts writing to a single INI file. Sharing one INI file will lead to missed events.
'
' Don't pass just a Log and a Type, particularly if it's not one of the 'standard' logs,
' ie Application/System/Security. If the Log doesn't exist, the EventLog object seems to scan the
' Application log. However, it seems to work OK if another parameter is used, such as ID or Source.
' ########################################################
'
' Execution Logic
'   Connect to NetIQ, FileSystem & Regular Expression objects etc
'   Quit if unable to instantiate objects or on any other error
'   Get the NetIQ install path, use this to determine the Trace & INI Folders
'   Create the INI folder if it doesn't exist
'   If appropriate, delete the INI file if it's too old
'   If the INI file exists, read the last record numbers from the INI file into a Dictionary Object
'   Loop through each line of the Event Log Parameters
'     Separate the XML into its component parts
'     Pass the information to the Event Log function
'     Skip the entry if the Event Log Name is not provided
'     Count the number of loops of the Event Log call. Just in case, exit if it exceeds 200 (ie 1000 events)
'     Store the Record Number returned by the EventLog call, for writing to the INI file later
'     Strip the header from the Result string using a Replace
'     Split the remaining string and rebuild it into a nice-looking message
'     If the 'text' parameter is defined, pass the message through the regular expression pattern match
'     Determine whether to raise an Action or not -
'       this depends on the 'SendMessage', SUPPRESS_DUPLICATES, sendall and EXCLUDE_LIST parameters
'     If SUPPRESS_DUPLICATES, add each new Event to a dictionary object
'     If over the count threshold then alert
'     If required, log a data point
'   Once finished, write the Record number reached for each log into an INI file for use next time
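The Execution Logic is essentially a cursor-and-filter loop, and the part that goes wrong in practice is the bookkeeping: the per-log record number kept in the INI file, the stale-INI deletion behind DO_DELETE and MAX_INI_AGE, and the EXCLUDE_LIST and SUPPRESS_DUPLICATES filters (plus the IMPORTANT note about one INI file per instance). The Python below is an added example of that bookkeeping, not the KS's VBScript; the INI layout (a [LastRecord] section), the function names and the sample records are assumptions made for the example. The constructed demo() runs three iterations to show the cursor advancing, duplicates collapsing, sendall defeating the collapse, and a stale INI being discarded.

```python
"""Added example (not the KS's own VBScript): the bookkeeping around the
scan - a per-log last-record-number cursor persisted in an INI file,
DO_DELETE/MAX_INI_AGE handling, EXCLUDE_LIST matching and
SUPPRESS_DUPLICATES/sendall collapsing. The INI layout, function names and
sample records are assumptions made for the example."""
import configparser
import os
import tempfile
import time


def load_cursors(ini_path, do_delete=True, max_ini_age_hours=24, now=None):
    """Return {log: last record number}; delete a stale INI first if asked."""
    now = time.time() if now is None else now
    if do_delete and os.path.exists(ini_path) and \
            now - os.path.getmtime(ini_path) > max_ini_age_hours * 3600:
        os.remove(ini_path)  # rescan from "now" instead of replaying a backlog
    cfg = configparser.ConfigParser()
    cfg.read(ini_path)  # reads nothing, silently, if the file is absent
    if not cfg.has_section("LastRecord"):
        return {}
    return {log: int(rec) for log, rec in cfg.items("LastRecord")}


def save_cursors(ini_path, cursors):
    """Write the cursors back; create the INI folder only if its parent exists."""
    folder = os.path.dirname(ini_path)
    if folder and not os.path.isdir(folder):
        os.mkdir(folder)  # mkdir, not makedirs: only one missing level is created
    cfg = configparser.ConfigParser()
    cfg["LastRecord"] = {log: str(rec) for log, rec in cursors.items()}
    with open(ini_path, "w") as fh:
        cfg.write(fh)


def new_records(events, cursors):
    """Records beyond each log's cursor, plus the advanced cursors."""
    fresh, advanced = [], dict(cursors)
    for ev in sorted(events, key=lambda e: (e["log"].lower(), e["record"])):
        log = ev["log"].lower()
        if ev["record"] > cursors.get(log, 0):
            fresh.append(ev)
            advanced[log] = max(advanced.get(log, 0), ev["record"])
    return fresh, advanced


def excluded(ev, exclude_list):
    """EXCLUDE_LIST is a comma-separated list of Source:EventID:Log:Type."""
    key = "%s:%s:%s:%s" % (ev["source"], ev["id"], ev["log"], ev["type"])
    wanted = [x.strip().lower() for x in exclude_list.split(",") if x.strip()]
    return key.lower() in wanted


def default_shortmsg(ev):
    return "EventID:%s Log:%s Source:%s Type:%s" % (ev["id"], ev["log"], ev["source"], ev["type"])


def run_scan(ini_path, events, exclude_list="", suppress_duplicates=True,
             sendall=False, do_delete=True, max_ini_age_hours=24):
    """One KS iteration: read cursors, alert on new records, write cursors."""
    cursors = load_cursors(ini_path, do_delete, max_ini_age_hours)
    fresh, advanced = new_records(events, cursors)
    sent, seen = [], set()
    for ev in fresh:
        if excluded(ev, exclude_list):
            continue
        msg = default_shortmsg(ev)
        if sendall:  # append the time so the console cannot collapse the events
            msg += " at " + ev["time"]
        if suppress_duplicates and msg in seen:
            continue
        seen.add(msg)
        sent.append(msg)
    save_cursors(ini_path, advanced)
    return sent, advanced


SAMPLE_EVENTS = [  # constructed records, not real log entries
    {"record": 101, "log": "System", "source": "EventLog", "id": 6005, "type": "Information", "time": "2011-07-07 09:00"},
    {"record": 102, "log": "System", "source": "Service Control Manager", "id": 7036, "type": "Information", "time": "2011-07-07 09:05"},
    {"record": 103, "log": "System", "source": "Service Control Manager", "id": 7036, "type": "Information", "time": "2011-07-07 09:06"},
    {"record": 201, "log": "Security", "source": "Microsoft-Windows-Security-Auditing", "id": 4625, "type": "Failure Audit", "time": "2011-07-07 09:07"},
]


def demo(instance="AD"):
    """Three iterations against SAMPLE_EVENTS in a throw-away folder."""
    folder = os.path.join(tempfile.mkdtemp(), "MultiEventLog")
    ini = os.path.join(folder, "Multi_EventLog_%s.ini" % instance)  # one INI per instance
    first, _ = run_scan(ini, SAMPLE_EVENTS, exclude_list="EventLog:6005:System:Information")
    second, cursors = run_scan(ini, SAMPLE_EVENTS)
    later = SAMPLE_EVENTS + [{"record": 104, "log": "System", "source": "Service Control Manager",
                              "id": 7036, "type": "Information", "time": "2011-07-07 10:00"}]
    third, _ = run_scan(ini, later, sendall=True)
    os.utime(ini, (0, 0))  # age the INI so DO_DELETE discards it
    stale = load_cursors(ini, do_delete=True, max_ini_age_hours=1)
    return {"first": first, "second": second, "third": third,
            "cursors": cursors, "stale": stale, "ini_exists": os.path.exists(ini)}


if __name__ == "__main__":
    print(demo())
```

new_records relies on record numbers increasing within each log, which is why a cleared log or a missed INI write shows up as missed or replayed events; the per-instance INI name in demo() is the safeguard the IMPORTANT note asks for, and DO_DELETE is the safeguard against an agent that has been stopped for longer than MAX_INI_AGE.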