dumpevt2.pl dumps all EventLogs of each machine you designate into an Excel
spreadsheet (NOTE: be sure to edit line 14 of dumpevt2.pl to include the names
of your machines!). It requires the Win32::Lanman module, available
from http://jenda.krynicky.cz/perl, and Win32::Perms.
/* ---------------------------------------------------------- */
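#! c:\perl\bin\perl.exe
#
# dumpevt2.pl - dump the Security, System and Application EventLogs of every
# machine listed in @servers into one Excel workbook (one worksheet per log),
# saved as DumpEvt.xls in the current directory.
#
use strict;
use warnings;
use Win32::Lanman;
use Win32::Perms;
use Win32::OLE;
use Win32::OLE::Variant;
use Win32::OLE::Const 'Microsoft Excel';

Win32::Perms::LookupDC(0);

#my $server = shift || Win32::NodeName;
# List of machines to get EventLogs from...
my @servers = ("MUSASHI","MUSASHI","MUSASHI");

# Column headings shared by the three worksheets (columns A..J).
my @HEADER = ("Computer", "Category", "EventID", "Type", "Source",
              "SourceName", "Time", "Flags", "User", "Description");

# Create and set up the spreadsheet
my $class = "Excel.Application";
my $file  = Win32::GetCwd() . "\\DumpEvt.xls";
unlink($file) if -e $file;

# Reuse a running Excel if there is one; otherwise start our own and have it
# shut down (quitExcel) when the OLE object is destroyed at program exit.
my $Excel = Win32::OLE->GetActiveObject($class);
if (!$Excel) {
    # Class-method call rather than "new Win32::OLE(...)": indirect-object
    # syntax is ambiguous to the parser.  OLE failures are reported through
    # Win32::OLE->LastError, not $!.
    $Excel = Win32::OLE->new($class, \&quitExcel)
        or die "Could not create an OLE '$class' object: "
             . Win32::OLE->LastError() . "\n";
}

# Don't show the spreadsheet
$Excel->{Visible} = 0;
# Create one page for each EventLog
$Excel->{SheetsInNewWorkbook} = 3;
my $Workbook = $Excel->Workbooks->Add;

my $Sec = $Workbook->Worksheets(1);
my $Sys = $Workbook->Worksheets(2);
my $App = $Workbook->Worksheets(3);

# Cursors to keep track of the next free row in each sheet (row 1 is the header)
my $sec_cursor = init_sheet($Sec, "Security");
my $sys_cursor = init_sheet($Sys, "System");
my $app_cursor = init_sheet($App, "Application");

foreach my $server (@servers) {
    print "Getting $server Security Logs...\n";
    $sec_cursor = GetEvents($server, "Security", $Sec, $sec_cursor);
    print "Getting $server System Logs...\n";
    $sys_cursor = GetEvents($server, "System", $Sys, $sys_cursor);
    print "Getting $server Application Logs...\n";
    $app_cursor = GetEvents($server, "Application", $App, $app_cursor);
}
print "EventLogs collection complete.\n";

# NOTE: the Security sheet is a plain copy of the audit log; protect
# DumpEvt.xls (ACLs, storage location) like the logs it was taken from.
print "Saving spreadsheet...\n";
$Workbook->SaveAs($file);

# Name worksheet $sheet $name, write the shared header row into A1:J1 and
# return the first row available for event data (2).
sub init_sheet {
    my ($sheet, $name) = @_;
    $sheet->{Name} = $name;
    $sheet->Range("A1:J1")->{Value} = [@HEADER];
    return 2;
}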
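# Read every record of EventLog $evtlog on \\$server and append one row per
# event to $sheet (columns A..J), starting at row $cursor.
#
# Args:    $server - machine name, without leading backslashes
#          $evtlog - "Security", "System" or "Application"
#          $sheet  - Excel worksheet OLE object
#          $cursor - first free row number in $sheet
# Returns: the next free row number. If the log cannot be read the error is
#          printed (not thrown) and $cursor is returned unchanged.
sub GetEvents {
    my ($server, $evtlog, $sheet, $cursor) = @_;

    # EVENTLOG_*_TYPE values as found in {eventtype}.
    my %types = (
        1  => "(Error)",
        2  => "(Warning)",
        4  => "(Information)",
        8  => "(Success Audit)",
        16 => "(Failure Audit)",
    );
    # Security-log audit categories (msaudite numbering).
    my %category = (
        0 => "(None)",
        1 => "(System Event)",
        2 => "(Logon/Logoff)",
        3 => "(Object Access)",
        4 => "(Privilege Use)",
        5 => "(Detailed Tracking)",
        6 => "(Policy Change)",
        7 => "(Account Management)",
        8 => "(Directory Service Access)",
        9 => "(Account Logon)",
    );

    my @events;
    # 0xffffffff / 0 are the read-flag and record-offset arguments used by the
    # original script; check the Win32::Lanman docs before changing them.
    unless (Win32::Lanman::ReadEventLog("\\\\$server", $evtlog, 0xffffffff, 0, \@events)) {
        # Fetch the error code once; a second GetLastError call could differ.
        my $code = Win32::Lanman::GetLastError();
        my $err  = Win32::FormatMessage($code);
        $err = $code if !defined $err || $err eq "";
        print "$server: ReadEventLog error: $err.\n";
        return $cursor;
    }

    foreach my $event (@events) {
        # The low word is the event number; the high word holds severity and
        # facility bits that the usual "Event ID" display omits.
        my $id = $event->{eventid} & 0xffff;

        my $desc;
        if (Win32::Lanman::GetEventDescription("\\\\$server", $event)) {
            $desc = $event->{eventdescription};
        }
        else {
            # No message file available: fall back to the raw insertion
            # strings, whitespace stripped, each prefixed with "+", joined by ";".
            # {strings} may be absent, so guard the dereference.
            my @strings = map { (my $s = $_) =~ s/\s+//g; "+$s" }
                          @{ $event->{strings} || [] };
            $desc = join(";", @strings);
        }

        # localtime gives "Wkd Mon  D HH:MM:SS YYYY"; present it as
        # "Mon D YYYY HH:MM:SS" (split on whitespace copes with the padded day).
        my ($wday, $mon, $mday, $hms, $year) = split ' ', scalar localtime($event->{timegenerated});
        my $time = "$mon $mday $year $hms";

        my $user = Win32::Perms::ResolveAccount($event->{usersid});
        $user = "" unless defined $user;

        # Label lookups: unknown codes used to yield a bare number; say so instead.
        my $cat  = $event->{eventcategory};
        my $type = $event->{eventtype};
        my $cat_label  = exists $category{$cat} ? $category{$cat} : "(Unknown)";
        my $type_label = exists $types{$type}   ? $types{$type}   : "(Unknown)";

        $sheet->Range("A$cursor:J$cursor")->{Value} = [
            $event->{computername},
            "$cat $cat_label",
            $id,
            "$type $type_label",
            $event->{source},
            $event->{sourcename},
            $time,
            $event->{reservedflags},
            $user,
            $desc,
        ];
        $cursor++;
    }

    return $cursor;
}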
# Destructor callback handed to Win32::OLE->new: announce which application is
# being shut down, then ask it to exit.  Returns whatever Quit returns.
sub quitExcel {
    my $app = shift;
    print "Closing $app->{Name}\n";
    return $app->Quit;
}
/* ---------------------------------------------------------- */
Credits
-- UnKnown --