Thanks to Stefan Plattner (http://twitter.com/splattne)
Considering that Intel's Matrix Raid does not have a way to send emails
in case of a HDD failure, I've searched for a way of monitoring the
Windows system log and send a mail in case of an event. The monitoring
part can be solved with a simple vbs script (made by splattne), this
script being run as service by the "Non-Sucking Service Manager"
( http://iain.cx/src/nssm/ ).
You can define the events you want to be alerted on, in the vbs script
with the "PushEventToMonitor" call. The arguments are: event ID, event
log name, source, category, type, user, and a regular expression that
can be matched against the log message. We have an example in the vbs
script that matches the start / stop of the TELNET service, as well as
one that will match the startup of the script itself (which logs an
event out to the Application Log) and a real case for Intel MatrixRaid.
In order to install the service, run in a command prompt: "nssm install
SimpleEventLogMonitor" and in the following window choose
"%SystemRoot%\System32\cscript.exe" as Application and
"c:\Path\to\eventmonitor.vbs" as Option.
To uninstall run: "nssm remove SimpleEventLogMonitor confirm" (Warning:
you can uninstall any service with this command!)
vbs script starts here:
Option Explicit
' Main
Dim objShell, objWMIService, objEventSink, dictEventsToMonitor, eventToMonitor
' =====================( Configuration )=====================
' Set to 0 to disable event log reporting of bans / unbans
Const USE_EVENTLOG = 0
Const EVENTLOG_SOURCE = "SimpleEventMonitor"
' SMTP configuration
Const EMAIL_SENDER = "EventLogMonitor@xxxxxxxxxxxx.ca"
Const EMAIL_RECIPIENT = "sorin@xxxxxxxx.com"
Const EMAIL_SMTP_SERVER = "relais.xxxxxxxxxx.ca"
Const EMAIL_SMTP_PORT = 25
Const EMAIL_TIMEOUT = 20
Set dictEventsToMonitor = CreateObject("Scripting.Dictionary")
' Define events that should be monitored. Matches are based on exact matches of all non-NULL fields
' Order: event ID, event log name, source, category, type, user, and a regular expression
'PushEventToMonitor "100", "Application", EVENTLOG_SOURCE, NULL, NULL, NULL, NULL
'PushEventToMonitor "7036", "System", "Service Control Manager", NULL, NULL, NULL, "Telnet service.*(running|stopped).*state"
' Monitor my Intel service
PushEventToMonitor "7202", "System", " IAANTmon", NULL, "Warning", NULL, NULL
' ===================( End Configuration )===================
Set objShell = CreateObject("WScript.Shell")
' Create event sink to catchevents
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set objEventSink = WScript.CreateObject("WbemScripting.SWbemSink", "eventSink_")
objWMIService.ExecNotificationQueryAsync objEventSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"
' Loop sleeping for one week, logging an event each week to say we're still alive
While (True)
LogEvent 100, "INFORMATION", "Simple Event Log Monitor started"
WScript.Sleep(7 * 24 * 60 * 60 * 1000)
Wend
' Fires each time new events are generated
Sub eventSink_OnObjectReady(objEvent, objWbemAsyncContext)
Dim evt, field, boolAlert, regexpMessage
For Each evt In dictEventsToMonitor.Keys
boolAlert = True
For Each field In dictEventsToMonitor.Item(evt).Keys
If UCase(Field) = "MESSAGE" Then
Set regexpMessage = new Regexp
regexpMessage.Pattern = dictEventsToMonitor.Item(evt).Item(Field)
regexpMessage.IgnoreCase = True
If NOT regexpMessage.Test(objEvent.TargetInstance.Properties_(Field)) then boolAlert = False
Else
If UCase(objEvent.TargetInstance.Properties_(Field)) <> UCase(dictEventsToMonitor.Item(evt).Item(field)) Then boolAlert = False
End If
Next ' field
if boolAlert = True Then
SendMessage "Simple Event Log Monitor notification from " & objEvent.TargetInstance.ComputerName, _
"Event ID: " & objEvent.TargetInstance.EventCode & VbCrLf _
& "Date/Time: " & Mid(objEvent.TargetInstance.TimeGenerated, 5, 2) & "/" & Mid(objEvent.TargetInstance.TimeGenerated, 7, 2) & "/" & Mid(objEvent.TargetInstance.TimeGenerated, 1, 4) & " " & Mid(objEvent.TargetInstance.TimeGenerated, 9, 2) & ":" & Mid(objEvent.TargetInstance.TimeGenerated, 11, 2) & ":" & Mid(objEvent.TargetInstance.TimeGenerated, 13, 2) & VbCrLf _
& "Computer: " & objEvent.TargetInstance.ComputerName & vbCrLf _
& "Event Log: " & objEvent.TargetInstance.LogFile & vbCrLf _
& "Event Source: " & objEvent.TargetInstance.SourceName & vbCrLf _
& "Event Category: " & objEvent.TargetInstance.CategoryString & vbCrLf _
& "Event Type: " & objEvent.TargetInstance.Type & vbCrLf _
& "User Name: " & objEvent.TargetInstance.User & vbCrLf _
& "Message:" & vbCrLf & vbCrLF _
& objEvent.TargetInstance.Message
Exit Sub
End If
Next ' evt
End Sub
Sub LogEvent(ID, EventType, Message)
' Log an event to the Windows event log
If USE_EVENTLOG Then objShell.Exec "EVENTCREATE /L APPLICATION /SO " & EVENTLOG_SOURCE & " /ID " & ID & " /T " & EventType & " /D """ & Message & """"
End Sub
Sub SendMessage(strSubject, strBody)
Dim objCDOMessage
Set objCDOMessage = CreateObject("CDO.Message")
objCDOMessage.From = EMAIL_SENDER
objCDOMessage.To = EMAIL_RECIPIENT
objCDOMessage.Subject = strSubject
objCDOMessage.Textbody = strBody
objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = EMAIL_SMTP_SERVER
objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = EMAIL_SMTP_PORT
objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = EMAIL_TIMEOUT
objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objCDOMessage.Configuration.Fields.Update
objCDOMessage.send
End Sub
Sub PushEventToMonitor(strID, strLog, strSource, strCategory, strType, strUser, strMessagePattern)
Dim x
x = dictEventsToMonitor.Count
Set dictEventsToMonitor.Item(x) = CreateObject("Scripting.Dictionary")
If NOT IsNull(strID) Then dictEventsToMonitor.Item(x).Add "EventCode", strID
If NOT IsNull(strLog) Then dictEventsToMonitor.Item(x).Add "LogFile", strLog
If NOT IsNull(strSource) Then dictEventsToMonitor.Item(x).Add "SourceName", strSource
If NOT IsNull(strCategory) Then dictEventsToMonitor.Item(x).Add "CategoryString", strCategory
If NOT IsNull(strType) Then dictEventsToMonitor.Item(x).Add "Type", strType
If NOT IsNull(strType) Then dictEventsToMonitor.Item(x).Add "User", strUser
If NOT IsNull(strMessagePattern) Then dictEventsToMonitor.Item(x).Add "Message", strMessagePattern
End Sub
Image
No comments:
Post a Comment