trying to make an Event Log filter, need some help

nnCron and nnCron LITE discussion

Postby LuckMan212 » Mon, 04 Jul 2005, 12:34

hello again,

this time I am trying to make the following Task that relates to the Event Log Watcher. It works like this:
  • 1) You have a text file, let's say in my case it will be named "filtered_events.txt"
  • 2) This text file will contain lines with a simple format: the "Event Source" (evSourceName) and the "Event ID" (evEventID). They are separated by a comma. Each line contains only these two strings, like for example:
    Tcpip,4226
    3wareDrv,3
    DCOM,10005
  • 3) The Task will monitor a specific area of the Event Log (in my case "System") and when new events appear, it will scan this "filtered_events.txt" file and try to match the new event with one of the entries; if it does match, then do some action (maybe show an alert, a balloon, or execute some file, etc.)

so really I have not made much progress :cry: I have got some very basic thing here, but I need help to split the lines that are read from the file into the two strings (separated by comma). And also help with comparing these to the "incoming" event.

and here is a preliminary (not really working) Task entry:
#( EventLog_Filter
VARIABLE event_list
CREATE myFilterFile 256 ALLOT
CREATE evtInstance 256 ALLOT
S" filtered_events.txt" myFilterFile PLACE
WatchEventLog: "System"
Rule: FILE-EXIST: "%myFilterFile COUNT%" FILE-EMPTY: "%myFilterFile COUNT%" NOT AND
Action:
FOR-NEW-EVENTS
    S" filtered_events.txt" R/O OPEN-FILE-SHARED THROW event_list !
    BEGIN curNtpSrv 1+ 255 event_list @ READ-LINE THROW WHILE
    curEvtString C!

    IF FOUND-EVENT evSourceName curEvtString MATCH   \ not real SP-FORTH!!
    ." EventLog : " FOUND-EVENT evSourceName ASCIIZ> TYPE ." ," FOUND-EVENT evEventID W@ . CR
    THEN
    REPEAT
    DROP
   
;FOR-NEW-EVENTS
)#


if anyone can help I would be very grateful!! :D
LuckMan212
 
Posts: 133
Joined: Mon, 04 Jul 2005, 11:19

Postby Nicholas_Nemtsev » Tue, 05 Jul 2005, 15:53

1. You should split every line of filtered_events.txt into two parts. It's difficult, and I suggest writing these parts as separate lines:
Tcpip
4226
3wareDrv
3
DCOM
10005
and read these lines by pair.
2.
FOUND-EVENT evSourceName ASCIIZ> curEvtSource COUNT MATCH
FOUND-EVENT evEventID W@  curEvtID @ = AND
IF ...
Nicholas Nemtsev
Nicholas_Nemtsev
Site Admin
 
Posts: 857
Joined: Thu, 01 Jul 2004, 22:25
Location: Псков

Postby LuckMan212 » Wed, 06 Jul 2005, 10:43

OK well I tried this as you suggested:
FOUND-EVENT evSourceName ASCIIZ> curEvtSource COUNT MATCH

but I got an ERROR IN CRONTAB warning message when I applied it.

So I just decided to throw away the external file idea for now and I am using this horrible code:
#( EventLog_Filter
WatchEventLog: "System"
SingleInstance
Action:
FOR-NEW-EVENTS
    ." EventLog : " FOUND-EVENT evSourceName ASCIIZ> TYPE ." ," FOUND-EVENT evEventID W@ . CR
    S" Tcpip" FOUND-EVENT evSourceName ASCIIZ> WC-COMPARE
    FOUND-EVENT evEventID W@ 4226 = AND
    IF
        2 BalloonIcon !
        BALLOON: "TCP/IP Warning" "An application has triggered TCP throttling."
        EXIT
    THEN
    S" 3wareDrv" FOUND-EVENT evSourceName ASCIIZ> WC-COMPARE
    FOUND-EVENT evEventID W@ 3 = AND
    IF
        3 BalloonIcon !
        BALLOON: "3ware Driver Alert" "The 3ware driver has reported an error."
        EXIT
    THEN
    S" DCOM" FOUND-EVENT evSourceName ASCIIZ> WC-COMPARE
    FOUND-EVENT evEventID W@ 10005 = AND
    IF
        3 BalloonIcon !
        BALLOON: "DCOM" "A request to start a service failed, because the service is disabled or has no devices associated with it."
        EXIT
    THEN
;FOR-NEW-EVENTS
)#


I wish there was a more elegant way to do this via an external file, and this really should be in a LOOP WITH ... REPEAT type function but I am too stupid in SP-FORTH to make it I guess. :cry:
LuckMan212
 
Posts: 133
Joined: Mon, 04 Jul 2005, 11:19

Postby Nicholas_Nemtsev » Wed, 06 Jul 2005, 13:01

Completely working task:
#( EventLog_Filter
WatchEventLog: "System"

VARIABLE event_list
CREATE myFilterFile 256 ALLOT S" filtered_events.txt" myFilterFile ZPLACE
CREATE filterSource 256 ALLOT
CREATE filterLine 256 ALLOT
VARIABLE filterID

Rule: FILE-EXIST: "%myFilterFile ASCIIZ>%" FILE-EMPTY: "%myFilterFile ASCIIZ>%" NOT AND ;

\ Run the word xt with the interpreter's input source temporarily pointed at
\ the string c-addr u, then restore the previous source (also when xt throws).
: EVALUATE-WITH ( i*x c-addr u xt -- j*x )
  SOURCE-ID >R TIB >R #TIB @ >R >IN @ >R
  -1 TO SOURCE-ID
  SWAP #TIB ! SWAP TO TIB >IN 0!
  ( ['] INTERPRET) CATCH
  R> >IN ! R> #TIB ! R> TO TIB R> TO SOURCE-ID
  THROW ;
\ Split one "Source,ID" line: the text before the comma goes to filterSource,
\ the rest of the line is converted to a number and stored in filterID.
: parse-evt-line [CHAR] , PARSE filterSource ZPLACE 1 PARSE S>NUM filterID ! ;
Action:
FOR-NEW-EVENTS
    myFilterFile ASCIIZ> R/O OPEN-FILE-SHARED THROW event_list !
    BEGIN filterLine 255 event_list @ READ-LINE THROW WHILE
      filterLine SWAP ['] parse-evt-line EVALUATE-WITH
      FOUND-EVENT evSourceName ASCIIZ> filterSource ASCIIZ> WC-MATCH
      FOUND-EVENT evEventID W@ filterID @ = AND
      IF   
          ." EventLog : " FOUND-EVENT evSourceName ASCIIZ> TYPE ." ," FOUND-EVENT evEventID W@ . CR
      THEN
    REPEAT
    DROP
    event_list @ CLOSE-FILE DROP
;FOR-NEW-EVENTS
)#

Format of filtered_events.txt:
Service Control Manager,7035
W32Time,36
Nicholas Nemtsev
Nicholas_Nemtsev
Site Admin
 
Posts: 857
Joined: Thu, 01 Jul 2004, 22:25
Location: Псков
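
The file-driven filter this thread converges on (the "Source,ID" lines LuckMan212 asked how to split, and the parse-then-compare loop of the working task above), as an added Python example that is not code from the thread or from nnCron. It splits each line at the first comma the way parse-evt-line does, and it treats WC-MATCH as a case-insensitive glob, which is an assumption about nnCron's word rather than something the thread states.

```python
import fnmatch
from typing import List, NamedTuple, Tuple

# Constructed stand-in for the contents of filtered_events.txt (not read from disk).
FILTER_TEXT = """Tcpip,4226
3wareDrv,3
DCOM,10005
Service Control Manager,7035
W32Time,36
"""

class Event(NamedTuple):
    source: str     # evSourceName
    event_id: int   # evEventID

def parse_filter(text: str) -> List[Tuple[str, int]]:
    """Turn 'Source,ID' lines into (source pattern, id) pairs. Split at the FIRST
    comma, as parse-evt-line does, so 'Service Control Manager' survives intact.
    Blank lines and '#' comments are skipped; any other malformed line raises."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        source, sep, ident = line.partition(",")
        if not sep or not source.strip() or not ident.strip().isdigit():
            raise ValueError(f"filter line {lineno}: expected 'Source,ID', got {raw!r}")
        rules.append((source.strip(), int(ident)))
    return rules

def matches(rules: List[Tuple[str, int]], event: Event) -> bool:
    """True if any rule matches: ID equal and source a case-insensitive glob match
    (assumed to mirror WC-MATCH; '*' and '?' act as wildcards)."""
    return any(
        event_id == event.event_id
        and fnmatch.fnmatchcase(event.source.lower(), pattern.lower())
        for pattern, event_id in rules
    )

def filter_events(rules: List[Tuple[str, int]], events: List[Event]) -> List[Event]:
    """The FOR-NEW-EVENTS loop: keep only the events that should raise an alert."""
    return [e for e in events if matches(rules, e)]

# Constructed batch of "new" System-log events, including near misses.
SAMPLE_EVENTS = [
    Event("Tcpip", 4226), Event("Tcpip", 4227), Event("Service Control Manager", 7035),
    Event("tcpip", 4226), Event("DCOM", 10005), Event("W32Time", 35),
]
```

Calling filter_events(parse_filter(FILTER_TEXT), SAMPLE_EVENTS) returns the four events whose source and ID both match; the two near misses (wrong ID) are dropped.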

Postby LuckMan212 » Wed, 06 Jul 2005, 14:21

INCREDIBLE!!
this is great work, it looks very complex, it will surely take me weeks to decipher this! :shock:

but I did try it and it works great. I changed it slightly to show balloons as well as log to the console.

this is truly a great thing you have done
thank you Nicholas! :D
LuckMan212
 
Posts: 133
Joined: Mon, 04 Jul 2005, 11:19

