
March 01, 1998 12:00 AM

Managing NT Event Logs with Perl for Win32, Part 2

Windows IT Pro
InstantDoc ID #3151
Downloads
TheElparser_plUtility.zip

Examine specific events

Last month, I started my examination of the Perl for Win32 EventLog module. I wrote a simple script that writes user-defined events into the Windows NT Application Log. This month, I continue my examination with a reasonably robust script, elparser.pl, that searches NT event logs on one or more servers for a user-specified event.

You can use elparser.pl for troubleshooting distributed applications such as Exchange or Windows Internet Naming Service (WINS). When an Exchange router or WINS replication partner fails, events are written into the event logs of peer systems. You can search through all the Exchange routers' application logs or all the WINS servers' system logs to quickly pinpoint the faulty system. Looking through multiple event logs with Event Viewer is a time-consuming process. The elparser.pl utility will do the work for you.

You can also use elparser.pl as a report generator that verifies the completion of a task across the enterprise. For example, I'm a member of a team that uses a similar script to monitor the successful completion of backups for hundreds of servers. We've scheduled the script to run every morning to check the results of the previous night's backup based on events written into each backup server's Application Log. Systems administrators verify the output report each morning and take any necessary corrective action. The systems administrators have an exception report waiting when they arrive in the morning. They don't have to connect to each system via a GUI to determine the outcome of the previous night's backup.

The Big Picture
Listing 1, page 214, shows the complete code for elparser.pl. This script searches the Application, Security, or System Log on any number of hosts for a specific event as defined in the script's configuration file. It accepts an optional input file command-line argument, so you can keep multiple configuration files that support different event search criteria. It includes a time component that tells the script how far back in time to search, and it provides a verbose or non-verbose output report mode. The verbose report includes the total number of event matches along with a printout of each record that matched. The non-verbose report provides only the total number of matches.

Let's walk through elparser.pl to get an idea of how it works. The code at callout A in Listing 1 is the initialization block, which initializes data structures and reads in the default or user-specified configuration file. The code at B generates a unique output report filename, opens the output report file, and writes header information to it. The code at B also calculates the time cutoff value that tells the script when to stop searching. The code at C comprises the outer loop that traverses the list of servers. In this section, the code attempts to open the target event log and set the initial pointer into it. It also writes the results to the output report.

When elparser.pl has successfully opened a log, the while loop at F reads each event sequentially, extracts the data from the returned event record, and tests for a match. The code at G is a format definition, which uses Perl's powerful format facility to specify a template for the output report. The code at H is the PrintHelp subroutine, which simply prints how-to information to the user's screen if the user enters a question mark as the first command-line argument.
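The search loop described in this walkthrough, as an added example (it is not the article's Listing 1 or the elparser.pl download): it opens one log per server, reads records newest first, stops at the time cutoff, and prints a verbose or non-verbose report. It uses the current object interface of Win32::EventLog; the `%want` criteria, the default host, and the report layout are assumptions standing in for the script's configuration file, whose format this page does not show.

```perl
#!/usr/bin/perl
# Added example, not the article's Listing 1. Windows only; needs Win32::EventLog.
use strict;
use warnings;
use Win32::EventLog;

# Hypothetical search criteria (the article reads these from a configuration file).
my %want = (
    Log       => 'System',     # Application, Security, or System
    Source    => 'EventLog',   # event source to match
    EventID   => 6005,         # "The Event log service was started"
    HoursBack => 24,           # how far back in time to search
);
my @servers = @ARGV ? @ARGV : ($ENV{COMPUTERNAME});   # hosts to search
my $verbose = 1;                                      # 0 = totals only
my $cutoff  = time - $want{HoursBack} * 3600;         # epoch seconds

for my $server (@servers) {
    my $log = Win32::EventLog->new($want{Log}, $server);
    unless ($log) {
        # An unreachable host is itself a finding, so report it and continue.
        print "$server: cannot open $want{Log} log\n";
        next;
    }
    my (@hits, $ev);
    my $flags = EVENTLOG_BACKWARDS_READ() | EVENTLOG_SEQUENTIAL_READ();
    # Newest first, so the scan can stop at the first record older than the cutoff.
    while ($log->Read($flags, 0, $ev)) {
        last if $ev->{TimeGenerated} < $cutoff;
        next unless lc($ev->{Source}) eq lc($want{Source});
        # The low 16 bits hold the ID that Event Viewer displays.
        next unless ($ev->{EventID} & 0xFFFF) == $want{EventID};
        push @hits, { %$ev };   # keep a copy of the matching record
    }
    $log->Close();

    printf "%s: %d match(es) in the last %d hours\n",
        $server, scalar @hits, $want{HoursBack};
    next unless $verbose;
    for my $hit (@hits) {
        printf "  %s  record %d  type %d\n",
            scalar localtime($hit->{TimeGenerated}),
            $hit->{RecordNumber}, $hit->{EventType};
    }
}
```

Pass host names as arguments to search several servers; reading the Security Log normally requires administrative rights on the target host.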


Comments
  • Tony
    9 years ago
    Sep 04, 2003

    Tom, if you use the 'Download the code' link, you will find, by a modern miracle, that both the .ini file and the program are there. Isn't technology great!

  • Travis Albrecht
    9 years ago
    Aug 29, 2003

    Looks like a great script, however there is no ini file and I'm not savvy enough to glean its structure from the parser code... If it's ever posted please let me know!

  • tom
    9 years ago
    May 20, 2003

    elparser.ini does not exist.

    There's nowhere in this article that references what it should look like, hence, this article is somewhat useless...

  • Khalid
    9 years ago
    Mar 08, 2003

    Hi all,
    Sorry, I am not a programmer, but I want to use this script. How can I use it?
    Any help, please.

    Thanks in advance
