LISTING 1: The Elparser.pl Utility
Note: The symbol * signals a wrapped line.

use Win32::EventLog;


@EventTypes  = ("None","Error","Warning","N/A","Information",


* "N/A","N/A","N/A","Success Audit","N/A","N/A","N/A",


* "N/A","N/A","N/A","N/A","Failure Audit");


%LegalParams = ("eventlog"=>1, "eventid"=>1, "eventsource"=>1, 


*"eventstring"=>1, eventtype"=>1, "timewindow"=>1, 


*"eventstring"=>1, "verbose"=>1,  "server"=>2);


$configfile = $ARGV[0];


($configfile =~ /\?/) and &PrintHelp();


($configfile eq "")  and ($configfile = 'elparser.ini');


open(INIFILE,$configfile) || die "Error opening configuration 


* file ($configfile): $!\n";


while (<INIFILE>) {


/^#|^\s*$/ && next;


/^(\S+)\s*=\s*(.*?)\s*$/ || die "Unable to parse initialization 


 * file line: $_";


$param = lc($1);


$value = $2;


chomp $value;


if ($LegalParams{$param} == 1) {


$$param = $value;


} elsif ($LegalParams{$param} == 2) {


push(@{${param}."s"}, $value);


} else {


print STDERR "Ignoring illegal field $1\n";


}


}


close(INIFILE);


($sec,$min,$hour,$mday,$mon,$year,$sday,$yday,$isdst) =


* localtime(time);


$date = sprintf("%02d\%02d\%02d@%02d%02d",$mon+1,$mday,$year,


* $hour,$min);


$reportfilename = "elparser_".$date.".txt";


open(REPORT, ">$reportfilename") || die "Unable to open output 


* file $reportfilename. $!";


print REPORT "Event Log Parser Report\n".


"-----------------------\n\n".


"Script Start Time: $date\n\n".


"Script Parameters:\n".


"EventLog:$eventlog\n".


"EventID:$eventid\n".


"EventSource:$eventsource\n".


"EventString: $eventstring\n".


"EventType:$eventtype\n".


"TimeWindow:$timewindow\n".


"Verbose:$verbose\n\n".


"HostnameNumber of $eventsource $eventid Event


 * Records\n".


"-----------------------------------------------\n";


$timewindow = time - $timewindow;



foreach $server (@servers) {


select(STDOUT);


print "\nAnalyzing $server...";


$eventsfound = 0;


$numevents   = 0;


$oldestevent = 0;


undef $EventObj;


undef @EventList;


Win32::EventLog::Open($EventObj, $eventlog, $server);


$EventObj->GetNumber($numevents);


if($numevents == 0) {


$eventsfound = "ERROR";


select(REPORT);


write(REPORT);


next;


}


$EventObj->GetOldest($oldestevent);


$EventObj->Read((EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ),


* $numevents + $oldestevent,$EventData);


while($numevents) {


$EventObj->Read((EVENTLOG_SEQUENTIAL_READ | EVENTLOG_


 * BACKWARDS_READ), 0, $EventData);


$recordnumber= $EventData->{'RecordNumber'};


$source= $EventData->{'Source'};


$timewritten= $EventData->{'Timewritten'};


$id= $EventData->{'EventID'} & 0xffff;


$category= $EventData->{'Category'};


$type= $EventData->{'EventType'};


$strings= $EventData->{'Strings'}; chomp($strings);


$computer= $EventData->{'Computer'};


($timewritten< $timewindow) && last;


($sec,$min,$hour,$mday,$mon,$year,$sday,$yday,$isdst) = 


 * localtime($timewritten);


$twritten = sprintf("%02d\-%02d\-%02d %02d:%02d",


 * $year,$mon+1,$mday,$hour,$min);


if(($source =~ /$eventsource/) &&


($eventtype eq $EventTypes[$type]) &&


($id == $eventid) &&


(!$eventstring || ($strings =~ /$eventstring/))) {


$EventList[$eventsfound++] = ("\t$recordnumber "."$twritten 


 * "."$source "."$id"."$category "."$EventTypes[$type] 


          * "."$computer\n");


}


$numevents--;


}


select(REPORT);


write(REPORT);


if($verbose =~ /^Yes/i) {


foreach(@EventList) { print; }


}


}


($sec,$min,$hour,$mday,$mon,$year,$sday,$yday,$isdst) =

* localtime(time);


$date = sprintf("%02d\%02d\%02d@%02d%02d",

* $mon+1,$mday,$year,$hour,$min);


print REPORT "\nScript Stop Time: $date";


close(REPORT);


exit(0);


format REPORT =


@<<<<<<<<<<<<<<<<<<<@<<<<<<<<<<<<


$server, $eventsfound


.


sub PrintHelp {


print <<END;


Event Log Parser How To


-----------------------


Syntax: c:\\> perl elparser.pl [configfilename]


ELParser.pl is a Perl for Win32 script that parses NT Event 


Logs searching For a user specified event, and generates a 


report containing the number of Successful matches. By default, 


the script searches one or more servers for The event defined 


in elparser.ini. An alternate configuration file may be 


Specified on the command line at the time the script is run. 


This allows Multiple copies of the script to be run 


simultaneously, each looking for a Different event. Refer to 


elparser.ini for information related to configuring Script 


configuration files.


END


exit(0);


}