EventCentral gathers each night event logs from Windows' network neighbourhood computers. These logs are then displayed in a web GUI.
Event logs are stored in a MySQL database.
Computers are automagically discovered, and can be filtered according to your needs.
Screenshots
You can also :
- Acknowledge an event by checking the corresponding checkbox, and associate a comment with it.
- Search for an event on external web sites, by clicking on severity icon.
- Search for all events that occured some minutes around a given event, by clicking on time.
- Search for all events of same source, the same day, by clicking on source.
- Search for all events from the same computer, the same day (all logs being searched), by clicking on the computer name.
- Advanced search.
Visited logs are shown as visited in your browser, showing were you've been through so far.
Gimme
Server prerequisites
- Windows server O.S. (2000/2003 have been tested so far)
- Web server, Apache is the one I use.
- Perl interpreter, Active Perl is mine.
- Database server, MySQL version 4.0.0 or more. Nope, neither SQL server, MSDE nor Access are supported.
Client prerequisites
EventCentral was successfully tested with Firefox 2.x and Internet Explorer 7.
Compatibility
Windows 2003, Windows 2000 and Windows NT event logs are supported. Maybe XP et Vista, too, but they haven't been tested yet.
Download
EventCentral is distributed under Gnu General Public License, version 2.
EventCentral45.zip (roughly 175 Ko) holds all necessary files.
You can also find it on
There is no automatic setup, please read carefully installation instructions or update instructions.
Update
If you use remote collecting, don't forget to update remote servers, — except for database updates.
Version 3 to version 4
Sorry, no update is possible from version 3 to version 4.
Version 4.0.x to version 4.1
Replace directory c:\program files\EventCentral content with the one from the archive. Keep config.inc.
Version 4.0.x or 4.1 to version 4.2
Database schema changed with version 4.2. Data will be kept.
- Replace directory c:\program files\EventCentral content with the one from the archive. Keep config.inc.
- Run SQL update script update.sql. If your database name isn't the default "eventcentral", replace it first in this script.
mysql -u root -p
<password>
mysql> source update.sql;
mysql> exit; - Delete file update.sql.
Version 4.x to version 4.3
Database schema changed with version 4.3. Data will be kept.
- Replace directory c:\program files\EventCentral content with the one from the archive. Keep config.inc.
- If your previous version was <= 4.1, Run first SQL update script update_4x_42.sql. If your database name isn't the default "eventcentral", replace it first in this script. Your database is now in version 4.2.
- Run SQL update script update_42_43.sql. Database name change still apply. Your database is now in version 4.3.
mysql -u root -p
<password>
mysql> source update_4x_42.sql;
mysql> source update_42_43.sql;
mysql> exit; - Delete files update*.sql.
Version 4.x to version 4.3.1
Database schema changed with version 4.3.1. Data will be kept.
- Replace directory c:\program files\EventCentral content with the one from the archive.
- Navigate to administration page, it should state that updates are available.
- Input your configuration. Yes, you just overwrote your configuration file.
- Back on home page, click on "run update". Check which updates should be run, according to your previous version. Files are named update_<previous version>_<new version> (run order does not matter).
- Done.
Version 4.3.1 to version 4.4
No database schema change.
- Replace directory c:\program files\EventCentral content with the one from the archive. Keep config.inc.
Version 4.4 to version 4.5
No database schema change.
- Replace directory c:\program files\EventCentral content with the one from the archive. Keep config.inc.
Installation
Let's call your server SERVEUR_CENTRAL.
Prerequisites
On SERVEUR_CENTRAL :
- Grab prerequisite software
- Install Apache (or IIS, at your own risk)
- Install MySQL v4.0.0 or more ("essential" package, "typical" installation) and configure it (write down root password)
- Install Active Perl (full install)
- Add Perl package DBD::mysql using PPM:
[set HTTP_proxy=http://yout.internal.proxy:8080]
If you encounter any problem, see this discussion.
ppm install DBD::mysql
Other mandatory Perl packages are:- Win32::NetAdmin
- Win32::TieRegistry
- Win32::NetResource
- HTTP::Date
- DBI
- CGI
- Time::HiRes
- Locale::Maketext
- XML::Simple
- FindBin
Installing EventCentral
Unzip EventCentral archive on SERVEUR_CENTRAL, in C:\Program Files\EventCentral.
In each Perl script *.pl, change if necessary on first line the path to Perl interpreter. Active Perl's standard installation drops it by default to #!c:\perl\bin\perl ; if you did not change it, no editing is required.
Make sure Apache will run Perl scripts it finds in EventCentral directory. Add to Apache configuration file httpd.conf the following lines:
Alias /eventcentral/ "C:/Program Files/eventcentral/html/"
<Directory "C:/Program Files/eventcentral/html/">
AddHandler cgi-script .pl
Options Indexes FollowSymLinks -MultiViews +ExecCGI
AllowOverride all
Order allow,deny
Allow from all
</Directory>
Restart Apache.
Configuration
Open your browser at this location: http://localhost/eventcentral/admin.pl.
Fill in the parameters in "Configuration" section (default values should be OK, except for MySQL password). Save.
Note: the Windows user running Apache must have write access to C:\Program Files\EventCentral\html, where configuration file is saved.
Fill in the parameters in section "Database creation" (MySQL root account) and click Create.
Once you will have collected some events (see below), they will be displayed at location http://localhost/eventcentral/.
Collecting Event Logs
Scheduling
Create on SERVEUR_CENTRAL a Scheduled Task (see Microsoft documentation, if don't know how), running every day after midnight. Exact time is not important, just choose a moment of low activity for your servers and network. The task should run Perl collecting script dumpel.pl. The script accepts command line parameters, to list them type:
C:
cd "\Program Files\EventCentral"
perl dumpel.pl
dumpel.pl has to be run from its installation directory, otherwise Perl won"t find package EventLog.pm and will complain like this:
Can't locate EventLog.pm in @INC (@INC contains: ./html C:/Perl/site/lib C:/Perl/lib .)
at C:\Program Files\EventCentral\dumpel.pl ...
So if for example you want to collect event logs from all servers of Windows domain named DOMAINE, your scheduled task looks like this:
c:\perl\bin\perl.exe "C:\Program Files\EventCentral\dumpel.pl" DOMAINE
it will run in directory C:\Program Files\EventCentral.
The task must run as a user that can:
- access network (LocalSystem is not a good candidate)
- write to C:\Program Files\EventCentral\tmp (where temporary dump files live)
- and to avoid problems, have Administrator rights on DOMAINE.
If you don't have Administrator rights on DOMAINE, you still can use remote collection, or give dumpel.pl additionnal parameters: login and password to use upon connection to computers to that domain:
c:\perl\bin\perl.exe "C:\Program Files\EventCentral\dumpel.pl" \
DOMAINE,DOMAINE\user,password
You can repeat as many domains as you need, separated by a white space:
c:\perl\bin\perl.exe "C:\Program Files\EventCentral\dumpel.pl" \
DOMAINE1 DOMAINE2,user,password DOMAINE3,user,password
Warning! Since Microsoft now holds PsLogList.exe, you have to run it at least once by hand, so you can accept the licence agreement popup window. From then on, you can use it in a script.
Filtering servers
EventCentral by default looks in network neighbourhood for server-type OS (see function get_serveurs in dumpel.pl). Saying it in Perl:
if (!Win32::NetAdmin::GetServers(undef,$domaine,0x8018,\@machines)) {
warn "Impossible de voir le voisinage reseau de $domaine\n";
} else {
foreach (@machines) { push @resultat, "$_.${domaine}${userPassword}"; };
}
Did you notice red hexadecimal code? It's the sum of 0x8000 (meaning NT/2000 server), 0x8 (domain controllers), and 0x10 (secondary domain controllers). All available codes are listed at the end of dumpel.pl.
You can code smarter filters, e.g. all computers whose name begins with 'S' and ends neither with 'M' nor with 'I' (why not?). It would be something like:
if (!Win32::NetAdmin::GetServers(undef,$domaine,0xFFFFFFFF,\@machines)) {
warn "Impossible de voir le voisinage reseau de $domaine\n";
} else {
foreach (@machines) { /^S.*[^MI]$/i && do { push @resultat, "$_.${domaine}${userPassword}";}};
}
You got the point, now you can code your own.
Remote collecting
Events can be collected on one server, stored on a second and displayed on a third. We are going to use this to collect events in a domain with no trust relation with the one where we installed EventCentral. All we need is a remote collection server, and a MySQL link to SERVEUR_CENTRAL.
First, install EventCentral on SERVEUR_CENTRAL as described here. Install it also on remote server — let's call it SERVEUR_DISTANT — excluding MySQL and Apache. That is:
- Install Perl and DBD::mysql package, according to this procedure
- Unzip EventCentral archive in c:\program files on SERVEUR_DISTANT
- Edit configuration file html\config.inc, to give MySQL server name:
$db_host = "SERVEUR_CENTRAL";
Also edit other $db_* parameters to reflect SERVEUR_CENTRAL's configuration (database name, mysql user and password). Warning: if collection is done on many servers, parameters $db_purge should be the same for all. For purging is done after each collection, so the shortest retention delay will "win". - Schedule event logs collection this way. You may prefer to give a different collection time for each server, so that MySQL won't be overloaded.
Advanced search
When you type something in the Search field (top-right of web page) and press enter key, it will search by default for computers whose name contains the given string.
You can also search for other columns, using the following syntax:
keyword=valueYou can use multiple keyword/value pairs, separating them with commas:
keyword1=value1,keyword2=value2,...
Here are the known keywords:
| Keyword | Value | Search for... |
|---|---|---|
| DA | date | DATE: in MySQL format: yyyy-mm-dd. If no date is given, all database is searched. |
| CO | string | COMPUTER: computer name contains that string |
| LO | System Application Security Directory Service DNS Server ... |
LOG: log type |
| TY | ERROR WARNING INFORMATION ACK AUDIT DUMPERROR EMPTY UNDEF |
TYPE: event type |
| DO | string | DOMAIN: domain name contains that string |
| SO | string | SOURCE: source name contains that string |
| US | string | USER: user name contains that string (this field is not shown in event list) |
| ST | string | STRINGS: event description contains that string |
| ID | integer | EVENTID: event id |
For example, searching for july the 4th 2008 errors concerning all computers named DC_someting would be:
DA=2008-07-04,TY=ERROR,CO=DC_
Securing Management Page
To restrict access to Management Page, or whatever page you want, ue Apache's ".htaccess" file. Create .htaccess file in "html" directory of EventCentral. Windows Explorer won't let you create a file with no name and just a extension, you'll have to do it with command prompt:
c:
cd "\program files\eventcentral"
echo.>.htaccess
Edit the file:
<FilesMatch admin.pl>
AuthName "EventCentral"
AuthType Basic
AuthUserFile "c:/program files/eventcentral/.htpasswd"
require valid-user
</FilesMatch>
now create the file holding authorized login/passwords:
cd ..
c:\program files\Apache Software Foundation\Apache2.2\bin\htpasswd -c .htpasswd <login>
<password>
Todo
- Customize eventcentral.css.
- Translate EventCentral in your language. See EventLog/I18N/en.pm, and Perl documentation on MakeText.
Thanks
- to Mark Russinovich, for "psloglist"
- to David Vignoni for Nuvola icon set.
- to www.webelix.net for javascript infobulle2.
- to Jason Cranford Teague, in "DHTML and CSS: Advanced Visual QuickPro Guide", for javascript popup.