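#! c:\perl\bin\perl.exe
#
# DumpEvt.pl - pull the Security, System and Application event logs from a
# list of servers over the network and write them to DumpEvt.xls in the
# current directory, one worksheet per log.
#
# Security notes for whoever runs this:
#   * Reading a remote Security log needs the right to manage the audit log
#     (or local admin) on each target. The script runs with the caller's
#     credentials, so run it from an account that has that right and no more.
#   * The resulting .xls holds the Security log verbatim (resolved account
#     names, failed-logon details, ...). It is created with whatever default
#     ACL the current directory grants; move it or tighten its ACL before
#     sharing.
#   * Event text is attacker-influenced (a failed-logon account name is
#     whatever the attacker typed). Every text cell goes through
#     as_text_cell() so Excel stores it as literal text instead of treating
#     a leading "=" (or "+", "-", "@") as a formula when the file is opened.

use strict;
use warnings;
use Win32::Lanman;
use Win32::Perms;
use Win32::OLE;
use Win32::OLE::Variant;
use Win32::OLE::Const 'Microsoft Excel';

Win32::Perms::LookupDC(0);

# Machines to collect from: the command line if given, otherwise this list.
# Duplicates are collapsed so the same server is not dumped more than once.
my @servers = @ARGV ? @ARGV : ("MUSASHI","MUSASHI","MUSASHI");
my %seen;
@servers = grep { !$seen{ lc $_ }++ } @servers;
for my $s (@servers) {
    # The name is interpolated into a UNC path; reject anything that could
    # turn "\\server" into a different path (separators, whitespace, empty).
    die "Bad server name '$s'\n" unless $s =~ m{\A[^\\/\s]+\z};
}

my @logs = ("Security", "System", "Application");

# Create and set up the spreadsheet
my $class = "Excel.Application";
my $file  = Win32::GetCwd() . "\\DumpEvt.xls";
if (-e $file) {
    unlink($file) or die "Cannot remove old $file: $!\n";
}

my $Excel   = Win32::OLE->GetActiveObject($class);
my $created = 0;
if (!$Excel) {
    $Excel = Win32::OLE->new($class, \&quitExcel)
        or die "Could not create an OLE '$class' object: " . Win32::OLE->LastError() . "\n";
    $created = 1;
}
# Only hide the instance this script started; hiding an Excel the user is
# already working in would make their window disappear.
$Excel->{Visible} = 0 if $created;

# Create one page for each EventLog
$Excel->{SheetsInNewWorkbook} = scalar @logs;
my $Workbook = $Excel->Workbooks->Add;

my %sheet;    # log name => worksheet object
my %cursor;   # log name => next free row in that sheet
my $index = 0;
for my $name (@logs) {
    $index++;
    $sheet{$name}  = init_sheet($Workbook, $index, $name);
    $cursor{$name} = 2;    # row 1 holds the header
}

foreach my $server (@servers) {
    for my $log (@logs) {
        print "Getting $server $log Logs...\n";
        $cursor{$log} = GetEvents($server, $log, $sheet{$log}, $cursor{$log});
    }
}
print "EventLogs collection complete.\n";
print "Saving spreadsheet...\n";
$Workbook->SaveAs($file);
$Workbook->Close(0);

# Name worksheet number $index of $workbook "$name" and write the column
# header into row 1. Returns the worksheet object.
sub init_sheet {
    my ($workbook, $index, $name) = @_;
    my $sheet = $workbook->Worksheets($index);
    $sheet->{Name} = $name;
    $sheet->Range("A1:J1")->{Value} = [
        "Computer", "Category", "EventID", "Type", "Source",
        "SourceName", "Time", "Flags", "User", "Description",
    ];
    return $sheet;
}

# Make $value safe to store in a spreadsheet cell as text. Excel parses a
# cell value that begins with "=" as a formula (older versions also react to
# "+", "-" and "@"), which lets anyone who can get text into an event log
# plant a formula in this report. A leading apostrophe is Excel's text
# prefix: the cell keeps the original characters but is never evaluated.
# undef becomes the empty string.
sub as_text_cell {
    my ($value) = @_;
    return "" unless defined $value;
    return "'" . $value if $value =~ /\A[=+\-@\t\r]/;
    return $value;
}

# Render an epoch time the way the report has always shown it:
# "Tue Jan  5 12:34:56 2004" -> "Jan 5 2004 12:34:56".
sub format_time {
    my ($epoch) = @_;
    my ($wday, $mon, $mday, $hms, $year) = split ' ', scalar localtime($epoch);
    return "$mon $mday $year $hms";
}

# Read the whole $evtlog log of \\$server and append one row per event to
# $sheet starting at row $cursor. Returns the next free row. On a read
# failure the error is printed and $cursor is returned unchanged.
sub GetEvents {
    my ($server, $evtlog, $sheet, $cursor) = @_;

    # winnt.h EVENTLOG_*_TYPE values.
    my %types = (
        1  => "(Error)",
        2  => "(Warning)",
        4  => "(Information)",
        8  => "(Success Audit)",
        16 => "(Failure Audit)",
    );
    # Classic Security log categories; this table is not complete, any
    # number not listed is shown as "(Unknown)".
    my %category = (
        0 => "(None)",
        1 => "(System Event)",
        2 => "(Logon/Logoff)",
        3 => "(Object Access)",
        4 => "(Privilege Use)",
        6 => "(Policy Change)",
    );

    my @events;
    unless (Win32::Lanman::ReadEventLog("\\\\$server", $evtlog, 0xffffffff, 0, \@events)) {
        my $code = Win32::Lanman::GetLastError();
        my $err  = Win32::FormatMessage($code);
        $err = $code if !defined $err || $err eq "";
        print "$server: ReadEventLog error: $err.\n";
        return $cursor;
    }

    foreach my $event (@events) {
        # Low 16 bits only: the upper bits carry severity/facility flags.
        my $id = $event->{eventid} & 0xffff;

        my $desc;
        if (Win32::Lanman::GetEventDescription("\\\\$server", $event)) {
            $desc = $event->{eventdescription};
        }
        else {
            # No message file for this source: fall back to the raw insertion
            # strings, whitespace stripped, each marked with "+" and ";"-joined.
            my @strings = map { my $s = $_; $s =~ s/\s+//g; "+$s" } @{ $event->{strings} || [] };
            $desc = join(";", @strings);
        }

        my $cat  = $event->{eventcategory};
        my $type = $event->{eventtype};
        my $user = Win32::Perms::ResolveAccount($event->{usersid});
        $user = "" unless defined $user;    # unresolvable SID (deleted account, no DC)

        my @row = (
            as_text_cell($event->{computername}),
            as_text_cell($cat . " " . (defined $category{$cat} ? $category{$cat} : "(Unknown)")),
            $id,
            as_text_cell($type . " " . (defined $types{$type} ? $types{$type} : "(Unknown)")),
            as_text_cell($event->{source}),
            as_text_cell($event->{sourcename}),
            as_text_cell(format_time($event->{timegenerated})),
            $event->{reservedflags},
            as_text_cell($user),
            as_text_cell($desc),
        );
        $sheet->Range("A$cursor:J$cursor")->{Value} = \@row;
        $cursor++;
    }
    return $cursor;
}

# Destructor registered with Win32::OLE->new: shuts down the Excel instance
# this script created when the object goes out of scope.
sub quitExcel {
    my ($obj) = @_;
    print "Closing " . $obj->{Name} . "\n";
    $obj->Quit();
}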