Mar 11 2009, 08:09 PM
Post #1
INM wizard (Group: Root Admin, Posts: 2,328, Joined: 24-August 04, From: Intellipool AB, Härnösand, Sweden, Member No.: 3)
```lua
-----------------------------------------------------------------
-- Name: check_event_log.lua
-- Author: Robert Aronsson, Intellipool AB
-- Required INM version: 3.4
-- Version: 1.0
-- Date: 2009-03-11
-- Description: This is an example of how to query the Windows event log
-- using WMI and Lua. It is not to be seen as a complete script, but a starting
-- point for a specialized event log monitor
--
-----------------------------------------------------------------

-- Called by INM to fill the drop-down lists of the enumerated arguments.
function OnEnumerate(sFieldToEnum)
  -- The variable returned must be called "Enum" so INM can find it.
  Enum = LuaScriptEnumResult()

  -- Second argument
  if sFieldToEnum == "Event Type" then
    Enum:Add("Error","1")
    Enum:Add("Warning","2")
    Enum:Add("Informational","3")
    Enum:Add("Audit success","4")
    Enum:Add("Audit failure","5")
  end

  -- Third argument
  if sFieldToEnum == "Event Log" then
    Enum:Add("System")
    Enum:Add("Application")
    Enum:Add("Security")
    Enum:Add("Directory Service")
    Enum:Add("DNS Server")
  end

  return Enum
end

-- This function is called by INM to retrieve a script configuration
function OnConfigure()
  -- The variable returned must be called "Config" so INM can find it.
  Config = LuaScriptConfigurator()

  -- Author.
  Config:SetAuthor("Robert Aronsson")

  -- Description.
  Config:SetDescription("Example Lua script to query a Windows event log using WMI")

  -- Minimum build version of INM, set to zero if no specific build version is required.
  Config:SetMinBuildVersion(0)

  -- Script version (major/minor)
  Config:SetScriptVersion(1,0)

  -- Event ID
  Config:AddArgument("Event ID",
    "Event ID to trigger on, separate multiple numbers with a comma. To include all event ids, leave the field blank.",
    LuaScriptConfigurator.CHECK_NOTHING)

  -- Event type
  Config:AddArgument("Event Type","Select the type of event to look for",
    LuaScriptConfigurator.ENUM_AVAIL + LuaScriptConfigurator.CHECK_NOT_EMPTY)

  -- Event log
  Config:AddArgument("Event Log","Select the log file to search",
    LuaScriptConfigurator.ENUM_AVAIL + LuaScriptConfigurator.CHECK_NOT_EMPTY)

  -- Set the entry point, this is the function called by INM
  Config:SetEntryPoint("main")

  -- Done with configuration, return the object
  return Config
end

-- Global table to hold the messages extracted
vMessagesTable = {}

-- Maps the names from the "Event Type" enumeration to the numeric
-- EventType values used by Win32_NTLogEvent
vEventTypes = {
  ["Error"] = "1",
  ["Warning"] = "2",
  ["Informational"] = "3",
  ["Audit success"] = "4",
  ["Audit failure"] = "5"
}

-- Builds the EventIdentifier part of the WHERE clause from the "Event ID"
-- argument. Only runs of digits are accepted, so anything else typed into
-- the argument never reaches the WQL string. A blank argument returns an
-- empty string, which matches all event ids (as the argument description
-- promises).
function BuildEventIDClause(sEventID)
  local vClauses = {}
  local iPos = 1
  while true do
    local iStart, iEnd, sNum = string.find(sEventID or "", "(%d+)", iPos)
    if iStart == nil then break end
    table.insert(vClauses, "EventIdentifier="..sNum)
    iPos = iEnd + 1
  end
  if table.getn(vClauses) == 0 then
    return ""
  end
  return " AND ("..table.concat(vClauses, " OR ")..")"
end

-- The function that makes the query
function QueryEventLog(sEventLog,sEventID,_sEventType)
  Query = TLuaWMIQuery:new()

  -- Translate the event type name to its numeric value, defaulting to Error
  sEventType = vEventTypes[_sEventType] or "1"

  -- Format the query string
  QueryString = "SELECT * FROM Win32_NTLogEvent"
    .. " WHERE LogFile='"..sEventLog.."'"
    .. " AND EventType="..sEventType
    .. BuildEventIDClause(sEventID)
  print(QueryString)

  if Query:Execute(QueryString) == false then
    print(Query:GetErrorDescription())
    Query:delete()
    return
  end

  -- Now, for each entry returned, get the message property field from each
  while (Query:NextInstance()) do
    sMessage = ""
    bOk,sMessage = Query:GetProperty("Message",sMessage)
    if bOk == true then
      print(sMessage)
      table.insert(vMessagesTable,sMessage)
    end
  end
  Query:delete()
end

-- Prints one extracted message together with its index in the table
function PrintResult(iResultNum)
  sTemp = "Message# "..iResultNum.."\n"..vMessagesTable[iResultNum]
  print(sTemp)
  print("")
end

function main()
  -- Extract the arguments
  sEventID = GetArgument(0)
  sEventType = GetArgument(1)
  sEventLog = GetArgument(2)

  -- Do the query
  QueryEventLog(sEventLog,sEventID,sEventType)

  -- Print Messages
  table.foreach(vMessagesTable,PrintResult)

  -- Done
  SetExitStatus("OK",true)
end
```

Win32_NTLogEvent class documentation
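The part of the script worth getting right is the WHERE clause: the "Event ID" argument is free text that is concatenated straight into a WQL query, so a monitor that accepts "4625, 4771" or a blank field has to parse and validate that text before it touches the query. The following is an added example, not code from the post or from INM; it builds the same Win32_NTLogEvent filter in Python, accepts only numeric ids, and evaluates the identical predicate against a few constructed sample records that stand in for WMI output (the event ids and messages are illustrative, not taken from a real log). No WMI call is made, so it runs on any platform.

```python
"""Build and evaluate a Win32_NTLogEvent WQL filter offline (added example)."""
import re

# EventType codes of Win32_NTLogEvent, matching the script's "Event Type" enum.
EVENT_TYPES = {
    "Error": 1,
    "Warning": 2,
    "Informational": 3,
    "Audit success": 4,
    "Audit failure": 5,
}

# Same log names the script offers in its "Event Log" enumeration.
KNOWN_LOGS = {"System", "Application", "Security", "Directory Service", "DNS Server"}

# Constructed sample records standing in for WMI query results.
SAMPLE_EVENTS = [
    {"LogFile": "Security", "EventType": 5, "EventIdentifier": 4625,
     "Message": "An account failed to log on."},
    {"LogFile": "Security", "EventType": 4, "EventIdentifier": 4624,
     "Message": "An account was successfully logged on."},
    {"LogFile": "System", "EventType": 1, "EventIdentifier": 7034,
     "Message": "The service terminated unexpectedly."},
    {"LogFile": "Security", "EventType": 5, "EventIdentifier": 4771,
     "Message": "Kerberos pre-authentication failed."},
]


def parse_event_ids(text):
    """Turn 'a, b, c' into a list of ints; blank (or None) means 'all ids'.

    Each comma-separated item must be a run of digits, so nothing but
    validated integers is ever spliced into the query string.
    """
    if text is None or not text.strip():
        return []
    ids = []
    for part in text.split(","):
        part = part.strip()
        if not re.fullmatch(r"\d+", part):
            raise ValueError("event id must be numeric: %r" % part)
        ids.append(int(part))
    return ids


def build_query(log_file, event_type, event_ids_text):
    """Return the WQL string for the given log, event type name and id list."""
    if log_file not in KNOWN_LOGS:
        raise ValueError("unknown log file: %r" % log_file)
    if event_type not in EVENT_TYPES:
        raise ValueError("unknown event type: %r" % event_type)
    clauses = [
        "LogFile='%s'" % log_file,
        "EventType=%d" % EVENT_TYPES[event_type],
    ]
    ids = parse_event_ids(event_ids_text)
    if ids:
        clauses.append("(" + " OR ".join("EventIdentifier=%d" % i for i in ids) + ")")
    return "SELECT * FROM Win32_NTLogEvent WHERE " + " AND ".join(clauses)


def filter_events(records, log_file, event_type, event_ids_text):
    """Apply the predicate the WHERE clause expresses to local records.

    Returns the Message field of every matching record, in input order,
    which is what the script collects into its vMessagesTable.
    """
    wanted_type = EVENT_TYPES[event_type]
    ids = set(parse_event_ids(event_ids_text))
    return [
        r["Message"]
        for r in records
        if r["LogFile"] == log_file
        and r["EventType"] == wanted_type
        and (not ids or r["EventIdentifier"] in ids)
    ]


if __name__ == "__main__":
    print(build_query("Security", "Audit failure", "4625, 4771"))
    for n, msg in enumerate(filter_events(SAMPLE_EVENTS, "Security", "Audit failure", ""), 1):
        print("Message# %d\n%s\n" % (n, msg))
```

Both `build_query` and `filter_events` share `parse_event_ids`, so the text a user types is validated once and the query can only ever contain integer comparisons; a value such as "4625 OR 1=1" is rejected instead of becoming part of the WQL.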