-----------------------------------------------------------------
-- Name: check_event_log.lua
-- Author: Robert Aronsson, Intellipool AB
-- Required INM version: 3.4
-- Version: 1.0
-- Date: 2009-03-11
-- Description: This is an example of how to query the Windows event log
-- using WMI and Lua. It is not to be seen as a complete script, but a starting
-- point for a specialized event log monitor
--
-----------------------------------------------------------------
--- INM enumeration callback: supplies the selectable values for the script
-- arguments that OnConfigure marks as ENUM_AVAIL.
-- @tparam string sFieldToEnum name of the argument being enumerated
-- @treturn LuaScriptEnumResult the populated enumeration; it is also left in
--   the global "Enum", which INM expects to find
function OnEnumerate(sFieldToEnum)
  local unpack = table.unpack or unpack
  -- INM looks the result up through the global named "Enum".
  Enum = LuaScriptEnumResult()
  -- Choices per argument; each entry is passed to Enum:Add as-is, so
  -- "Event Type" entries carry a value and "Event Log" entries a name only.
  local choices = {
    ["Event Type"] = {
      { "Error", "1" },
      { "Warning", "2" },
      { "Informational", "3" },
      { "Audit success", "4" },
      { "Audit failure", "5" },
    },
    ["Event Log"] = {
      { "System" },
      { "Application" },
      { "Security" },
      { "Directory Service" },
      { "DNS Server" },
    },
  }
  local entries = choices[sFieldToEnum]
  if entries ~= nil then
    for _, entry in ipairs(entries) do
      Enum:Add(unpack(entry))
    end
  end
  return Enum
end
-- This function is called by INM to retrieve a script configuration
--- INM configuration callback: describes the script and its three arguments.
-- The argument order here fixes the GetArgument indexes used by main
-- (0 = Event ID, 1 = Event Type, 2 = Event Log).
-- @treturn LuaScriptConfigurator the configuration; it is also left in the
--   global "Config", which INM expects to find
function OnConfigure()
  local flags = LuaScriptConfigurator
  -- INM looks the configuration up through the global named "Config".
  Config = LuaScriptConfigurator()
  Config:SetAuthor("Robert Aronsson")
  Config:SetDescription("Example Lua script to query a Windows event log using WMI")
  -- Zero: no specific INM build is required.
  Config:SetMinBuildVersion(0)
  -- Script version as major, minor.
  Config:SetScriptVersion(1, 0)
  -- { name, help text, validation flags } in argument-index order.
  local arguments = {
    { "Event ID",
      "Event ID to trigger on, separate multiple numbers with a comma. To include all event ids, leave the field blank.",
      flags.CHECK_NOTHING },
    { "Event Type",
      "Select the type of event to look for",
      flags.ENUM_AVAIL + flags.CHECK_NOT_EMPTY },
    { "Event Log",
      "Select the log file to search",
      flags.ENUM_AVAIL + flags.CHECK_NOT_EMPTY },
  }
  for _, argument in ipairs(arguments) do
    Config:AddArgument(argument[1], argument[2], argument[3])
  end
  -- The function INM calls when the check runs.
  Config:SetEntryPoint("main")
  return Config
end
-- Global table to hold the messages extracted
-- Global table to hold the messages extracted. QueryEventLog appends one
-- entry per matching event's "Message" property, PrintResult reads entries
-- by index, and main walks the whole table after the query has run.
vMessagesTable = {}
-- The function that makes the query
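-- Win32_NTLogEvent.EventType codes keyed by the display names that
-- OnEnumerate offers for the "Event Type" argument. Anything unlisted
-- (including "Error") maps to "1".
local EVENT_TYPE_CODES = {
  ["Warning"] = "2",
  ["Informational"] = "3",
  ["Audit success"] = "4",
  ["Audit failure"] = "5",
}

--- Quote a value as a WQL string literal, escaping backslashes and single
-- quotes so the value cannot terminate the literal or alter the query.
-- @tparam string s raw value (nil is treated as the empty string)
-- @treturn string the quoted literal, surrounding quotes included
local function WqlQuoteString(s)
  local escaped = tostring(s or ""):gsub("\\", "\\\\")
  escaped = escaped:gsub("'", "\\'")
  return "'" .. escaped .. "'"
end

--- Build the EventIdentifier restriction from the "Event ID" argument.
-- Matches the contract stated in OnConfigure: several ids may be given
-- separated by commas, and a blank field means "all ids".
-- @tparam string sEventID comma-separated numeric ids, or blank/nil
-- @treturn string WQL fragment to append after the LogFile condition
--   ("" when no ids were given), or nil plus an error message when a
--   token is not a plain number
local function BuildEventIdClause(sEventID)
  local conditions = {}
  for token in tostring(sEventID or ""):gmatch("[^,]+") do
    local id = token:match("^%s*(%d+)%s*$")
    if id ~= nil then
      conditions[#conditions + 1] = "EventIdentifier=" .. id
    elseif token:match("%S") then
      -- Whitespace-only tokens (e.g. "1, ,2") are ignored; anything else
      -- that is not all digits is rejected rather than spliced into WQL.
      return nil, "Invalid event id: " .. token
    end
  end
  if #conditions == 0 then
    return ""
  end
  return " AND (" .. table.concat(conditions, " OR ") .. ")"
end

--- Query Win32_NTLogEvent via WMI and append every matching event's
-- "Message" property to the global vMessagesTable.
-- The WQL text is assembled from the configured arguments: the log name is
-- quoted and escaped and the event ids are restricted to digits, so the
-- argument text cannot change the structure of the query.
-- @tparam string sEventLog log name, e.g. "System"
-- @tparam string sEventID comma-separated event ids, blank for all
-- @tparam string _sEventType display name from the "Event Type" enumeration
-- @treturn boolean true when the query ran; false plus an error message
--   when an event id is malformed or the query failed (the message is
--   also printed, as before)
function QueryEventLog(sEventLog, sEventID, _sEventType)
  local sIdClause, sErr = BuildEventIdClause(sEventID)
  if sIdClause == nil then
    print(sErr)
    return false, sErr
  end
  local sEventType = EVENT_TYPE_CODES[_sEventType] or "1"
  local QueryString = "SELECT * FROM Win32_NTLogEvent WHERE LogFile=" .. WqlQuoteString(sEventLog)
    .. sIdClause .. " AND EventType=" .. sEventType
  print(QueryString)
  local Query = TLuaWMIQuery:new()
  if Query:Execute(QueryString) == false then
    local sErrDesc = Query:GetErrorDescription()
    print(sErrDesc)
    -- Release the WMI query object on the failure path too.
    Query:delete()
    return false, sErrDesc
  end
  -- For each instance returned, read the Message property and keep it.
  while Query:NextInstance() do
    local bOk, sMessage = Query:GetProperty("Message", "")
    if bOk == true then
      print(sMessage)
      vMessagesTable[#vMessagesTable + 1] = sMessage
    end
  end
  Query:delete()
  return true
end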
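--- Print one extracted message with its 1-based position, followed by a
-- blank line. Usable directly (PrintResult(i)) and as a table.foreach /
-- pairs-style callback, where the value arrives as the second argument.
-- @tparam number iResultNum index into vMessagesTable
-- @tparam[opt] string sMessage the message; looked up in vMessagesTable
--   when omitted
function PrintResult(iResultNum, sMessage)
  if sMessage == nil then
    sMessage = vMessagesTable[iResultNum]
  end
  -- tostring keeps a missing entry from aborting the whole listing.
  local sLine = string.format("Message# %s %s", tostring(iResultNum), tostring(sMessage))
  print(sLine)
  print("")
end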
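--- Entry point called by INM (registered with Config:SetEntryPoint in
-- OnConfigure). Reads the three configured arguments, runs the query,
-- prints every message collected and reports the check result.
function main()
  -- Argument indexes follow the AddArgument order in OnConfigure.
  local sEventID = GetArgument(0)
  local sEventType = GetArgument(1)
  local sEventLog = GetArgument(2)
  QueryEventLog(sEventLog, sEventID, sEventType)
  -- Numeric loop rather than table.foreach: foreach is gone after Lua 5.1
  -- and visits keys in unspecified order, while vMessagesTable is appended
  -- to as a sequence.
  for iResultNum = 1, #vMessagesTable do
    PrintResult(iResultNum)
  end
  -- NOTE(review): the exit status is "OK" even when the query failed
  -- (QueryEventLog only prints the error); whether SetExitStatus accepts a
  -- failure status is not visible in this file — confirm against the INM API.
  SetExitStatus("OK", true)
end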
-- Name: check_event_log.lua
-- Author: Robert Aronsson, Intellipool AB
-- Required INM version: 3.4
-- Version: 1.0
-- Date: 2009-03-11
-- Description: This is an example of how to query the Windows event log
-- using WMI and Lua. It is not to be seen as a complete script, but a starting
-- point for a specialized event log monitor
--
-----------------------------------------------------------------
--- INM enumeration callback: supplies the selectable values for the script
-- arguments that OnConfigure marks as ENUM_AVAIL.
-- @tparam string sFieldToEnum name of the argument being enumerated
-- @treturn LuaScriptEnumResult the populated enumeration; it is also left in
--   the global "Enum", which INM expects to find
function OnEnumerate(sFieldToEnum)
  local unpack = table.unpack or unpack
  -- INM looks the result up through the global named "Enum".
  Enum = LuaScriptEnumResult()
  -- Choices per argument; each entry is passed to Enum:Add as-is, so
  -- "Event Type" entries carry a value and "Event Log" entries a name only.
  local choices = {
    ["Event Type"] = {
      { "Error", "1" },
      { "Warning", "2" },
      { "Informational", "3" },
      { "Audit success", "4" },
      { "Audit failure", "5" },
    },
    ["Event Log"] = {
      { "System" },
      { "Application" },
      { "Security" },
      { "Directory Service" },
      { "DNS Server" },
    },
  }
  local entries = choices[sFieldToEnum]
  if entries ~= nil then
    for _, entry in ipairs(entries) do
      Enum:Add(unpack(entry))
    end
  end
  return Enum
end
-- This function is called by INM to retrieve a script configuration
--- INM configuration callback: describes the script and its three arguments.
-- The argument order here fixes the GetArgument indexes used by main
-- (0 = Event ID, 1 = Event Type, 2 = Event Log).
-- @treturn LuaScriptConfigurator the configuration; it is also left in the
--   global "Config", which INM expects to find
function OnConfigure()
  local flags = LuaScriptConfigurator
  -- INM looks the configuration up through the global named "Config".
  Config = LuaScriptConfigurator()
  Config:SetAuthor("Robert Aronsson")
  Config:SetDescription("Example Lua script to query a Windows event log using WMI")
  -- Zero: no specific INM build is required.
  Config:SetMinBuildVersion(0)
  -- Script version as major, minor.
  Config:SetScriptVersion(1, 0)
  -- { name, help text, validation flags } in argument-index order.
  local arguments = {
    { "Event ID",
      "Event ID to trigger on, separate multiple numbers with a comma. To include all event ids, leave the field blank.",
      flags.CHECK_NOTHING },
    { "Event Type",
      "Select the type of event to look for",
      flags.ENUM_AVAIL + flags.CHECK_NOT_EMPTY },
    { "Event Log",
      "Select the log file to search",
      flags.ENUM_AVAIL + flags.CHECK_NOT_EMPTY },
  }
  for _, argument in ipairs(arguments) do
    Config:AddArgument(argument[1], argument[2], argument[3])
  end
  -- The function INM calls when the check runs.
  Config:SetEntryPoint("main")
  return Config
end
-- Global table to hold the messages extracted
-- Global table to hold the messages extracted. QueryEventLog appends one
-- entry per matching event's "Message" property, PrintResult reads entries
-- by index, and main walks the whole table after the query has run.
vMessagesTable = {}
-- The function that makes the query
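-- Win32_NTLogEvent.EventType codes keyed by the display names that
-- OnEnumerate offers for the "Event Type" argument. Anything unlisted
-- (including "Error") maps to "1".
local EVENT_TYPE_CODES = {
  ["Warning"] = "2",
  ["Informational"] = "3",
  ["Audit success"] = "4",
  ["Audit failure"] = "5",
}

--- Quote a value as a WQL string literal, escaping backslashes and single
-- quotes so the value cannot terminate the literal or alter the query.
-- @tparam string s raw value (nil is treated as the empty string)
-- @treturn string the quoted literal, surrounding quotes included
local function WqlQuoteString(s)
  local escaped = tostring(s or ""):gsub("\\", "\\\\")
  escaped = escaped:gsub("'", "\\'")
  return "'" .. escaped .. "'"
end

--- Build the EventIdentifier restriction from the "Event ID" argument.
-- Matches the contract stated in OnConfigure: several ids may be given
-- separated by commas, and a blank field means "all ids".
-- @tparam string sEventID comma-separated numeric ids, or blank/nil
-- @treturn string WQL fragment to append after the LogFile condition
--   ("" when no ids were given), or nil plus an error message when a
--   token is not a plain number
local function BuildEventIdClause(sEventID)
  local conditions = {}
  for token in tostring(sEventID or ""):gmatch("[^,]+") do
    local id = token:match("^%s*(%d+)%s*$")
    if id ~= nil then
      conditions[#conditions + 1] = "EventIdentifier=" .. id
    elseif token:match("%S") then
      -- Whitespace-only tokens (e.g. "1, ,2") are ignored; anything else
      -- that is not all digits is rejected rather than spliced into WQL.
      return nil, "Invalid event id: " .. token
    end
  end
  if #conditions == 0 then
    return ""
  end
  return " AND (" .. table.concat(conditions, " OR ") .. ")"
end

--- Query Win32_NTLogEvent via WMI and append every matching event's
-- "Message" property to the global vMessagesTable.
-- The WQL text is assembled from the configured arguments: the log name is
-- quoted and escaped and the event ids are restricted to digits, so the
-- argument text cannot change the structure of the query.
-- @tparam string sEventLog log name, e.g. "System"
-- @tparam string sEventID comma-separated event ids, blank for all
-- @tparam string _sEventType display name from the "Event Type" enumeration
-- @treturn boolean true when the query ran; false plus an error message
--   when an event id is malformed or the query failed (the message is
--   also printed, as before)
function QueryEventLog(sEventLog, sEventID, _sEventType)
  local sIdClause, sErr = BuildEventIdClause(sEventID)
  if sIdClause == nil then
    print(sErr)
    return false, sErr
  end
  local sEventType = EVENT_TYPE_CODES[_sEventType] or "1"
  local QueryString = "SELECT * FROM Win32_NTLogEvent WHERE LogFile=" .. WqlQuoteString(sEventLog)
    .. sIdClause .. " AND EventType=" .. sEventType
  print(QueryString)
  local Query = TLuaWMIQuery:new()
  if Query:Execute(QueryString) == false then
    local sErrDesc = Query:GetErrorDescription()
    print(sErrDesc)
    -- Release the WMI query object on the failure path too.
    Query:delete()
    return false, sErrDesc
  end
  -- For each instance returned, read the Message property and keep it.
  while Query:NextInstance() do
    local bOk, sMessage = Query:GetProperty("Message", "")
    if bOk == true then
      print(sMessage)
      vMessagesTable[#vMessagesTable + 1] = sMessage
    end
  end
  Query:delete()
  return true
end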
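--- Print one extracted message with its 1-based position, followed by a
-- blank line. Usable directly (PrintResult(i)) and as a table.foreach /
-- pairs-style callback, where the value arrives as the second argument.
-- @tparam number iResultNum index into vMessagesTable
-- @tparam[opt] string sMessage the message; looked up in vMessagesTable
--   when omitted
function PrintResult(iResultNum, sMessage)
  if sMessage == nil then
    sMessage = vMessagesTable[iResultNum]
  end
  -- tostring keeps a missing entry from aborting the whole listing.
  local sLine = string.format("Message# %s %s", tostring(iResultNum), tostring(sMessage))
  print(sLine)
  print("")
end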
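--- Entry point called by INM (registered with Config:SetEntryPoint in
-- OnConfigure). Reads the three configured arguments, runs the query,
-- prints every message collected and reports the check result.
function main()
  -- Argument indexes follow the AddArgument order in OnConfigure.
  local sEventID = GetArgument(0)
  local sEventType = GetArgument(1)
  local sEventLog = GetArgument(2)
  QueryEventLog(sEventLog, sEventID, sEventType)
  -- Numeric loop rather than table.foreach: foreach is gone after Lua 5.1
  -- and visits keys in unspecified order, while vMessagesTable is appended
  -- to as a sequence.
  for iResultNum = 1, #vMessagesTable do
    PrintResult(iResultNum)
  end
  -- NOTE(review): the exit status is "OK" even when the query failed
  -- (QueryEventLog only prints the error); whether SetExitStatus accepts a
  -- failure status is not visible in this file — confirm against the INM API.
  SetExitStatus("OK", true)
end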
Win32_NTLogEvent class documentation