
##########################################################################
# $Id: evtsecurity,v 1.3 2008/06/30 23:07:51 kirk Exp $
##########################################################################
# $Log: evtsecurity,v $
# Revision 1.3  2008/06/30 23:07:51  kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.2  2008/03/24 23:31:26  kirk
# added copyright/license notice to each script
#
# Revision 1.1  2007/04/28 22:50:24  bjorn
# Added files for Windows Event Log, by Orion Poplawski.  These are for
# Windows events logged to a server, using Snare Agent or similar.
##########################################################################

########################################################
## Copyright (c) 2008 Orion Poplawski
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

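# One Snare-style Windows Security event per line: "<host> MSWinEventLog"
# followed by tab-separated fields.  The host is taken as the run of
# non-blanks immediately before " MSWinEventLog" (previously \w+), so a
# hostname containing '-' or '.' is captured whole instead of being cut at
# its last word-character run; with the old pattern "corp-dc01" and
# "lab-dc01" both became "dc01" and their failure audits were merged under
# one "$Hostname $ExpandedString" key below.
my $EventRe = qr/(\S+) MSWinEventLog\t(\d+)\t(\w+)\t\d+\t([^\t]+)\t(\d+)\t(\w+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]*)\t([^\t]*)\t([^\t]*)/;

while (defined($ThisLine = <STDIN>)) {
   # Parse.  Only $Hostname, $UserName, $EventLogType and $ExpandedString
   # are used below; the remaining fields are captured for completeness.
   my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$SourceName2,
       $UserName,$SIDType,$EventLogType,$ComputerName,$CategoryString,
       $DataString,$ExpandedString,$Extra) = ($ThisLine =~ $EventRe);
   if (!defined($Hostname)) {
      # $ThisLine still ends in its newline here, so none is added.
      print STDERR "Cannot parse $ThisLine";
      next;
   }
   if ($EventLogType eq "Success Audit") {
      # Global counter (spelling kept: the report section below reads it).
      $SucessAudits++;
      $SuccessAuditUsers{$UserName}++;
   }
   elsif ($EventLogType eq "Failure Audit") {
      # Keyed per host so the same failure text on different machines is
      # counted separately.
      $FailureAudits{"$Hostname $ExpandedString"}++;
   }
   else {
      # Anything that is not an audit record is kept verbatim for the
      # "Unmatched entries" section.
      chomp($ThisLine);
      $OtherList{$ThisLine}++;
   }
}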

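# Success audits: total count plus a per-user breakdown.  Users are printed
# in sorted order so consecutive reports line up (hash order is arbitrary
# and previously varied from run to run).  $SucessAudits (sic) and
# %SuccessAuditUsers are filled while reading STDIN above.
if ($SucessAudits and ($Detail >=0) ) {
   print "\nSuccess Audits " . $SucessAudits . " Time(s)\n";
   foreach my $User (sort keys %SuccessAuditUsers) {
      print "    $User : $SuccessAuditUsers{$User} Times\n";
   }
}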

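# Failure audits, one line per "<host> <expanded message>" key.  Sorted so
# the section is stable between runs instead of following hash order.
if (keys %FailureAudits) {
   print "\nFailure Audits\n";
   foreach my $Error (sort keys %FailureAudits) {
      print "    $Error : $FailureAudits{$Error} Times\n";
   }
}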

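# Unmatched entries come last.  A stray exit(0) used to sit in front of this
# block and made it unreachable: lines that were neither a Success nor a
# Failure Audit were collected in %OtherList but never shown.  Such lines
# are unexpected in the Security log, so they are now reported (sorted, so
# the section is stable between runs).
if (keys %OtherList) {
   print "\n**** Unmatched entries ****\n";
   foreach my $Error (sort keys %OtherList) {
      print "    $Error : $OtherList{$Error} Times\n";
   }
}

exit(0);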

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: