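parm hostname,numdays=3,dist=secusers.data
#
# Author: Chris Bartram
# Name: SyslogR
# Last Updated: 03/16/2005
#
# Generate a syslog report from console log records for the specified
# hostname over the last 'numdays' days.
#
# Especially useful when you run Syslog/iX locally and log events to the
# system console log:
#   - configure remote Unix/Linux systems to send their syslog events
#     to this host's syslog server
#   - install freeware like ev2nt on Windows systems to forward their
#     system event log entries to this host's syslog server
# Execute this report daily to send a custom report of each server's
# logged events to the system admin(s).
#
# Command file parameters:
#   hostname  console records containing this host name are extracted
#             (VEAudit wildcard match "@hostname@", so a name that is a
#             substring of another host's name will also pull that host)
#   numdays   records are pulled for this many days past (3 = last 3 days)
#   dist      name of the file holding the email addresses the report is
#             sent to (for NetMail/3000: one address per line, plain
#             ASCII text file); passed to SENDHTML as an indirect file
#
# Uses VESoft's VEAudit to extract console log records
# Uses QUAD.UTIL.SYS for editing/formatting the extracted file
# Uses the BACKDAYS.XEQ.SYS command file to generate date CIVars
# Uses SENDHTML.XEQ.SYS command file to email the resulting report
# Uses 'syslogp.data' file (if present) to add optional site-specific
# strings to exclude from the report - which must be 'grep' compatible
#
# Security notes (review):
#   - 'hostname', 'numdays' and 'dist' are substituted by the CI straight
#     into the VEAudit search expression, the QUAD edit commands, the
#     SENDHTML invocation and the mail subject.  A value containing a
#     quote or other CI metacharacter breaks (or alters) those commands,
#     so run this only with operator-controlled parameter values.
#   - Every pattern line read from syslogp.data is echoed back through
#     the CI so that CIVar references in it are expanded, and is then
#     passed to egrep as the pattern.  Whoever can write syslogp.data can
#     therefore evaluate CI expressions under this logon AND suppress
#     arbitrary records from the security report.  Keep that file
#     writable by the report owner only, and do not put a double quote in
#     a pattern - it terminates the egrep argument early.
#   - Blank pattern lines are skipped: 'egrep -v ""' matches every record
#     and would otherwise empty the report, which then silently goes
#     unsent (see the EOF check before SENDHTML).
#   - The work files (secrpt00, secrpt0x, syslogxx, ...) are built as
#     permanent files in the logon group and contain the raw log extract
#     while the report runs; make sure that group is not world-readable.
#
# Operational note: the QUAD editing is split into two batches to avoid
# workfile overflows when working with very large extract files.
#
# Session CIVar describing this logon; not referenced below, presumably
# read by one of the called command files (SENDHTML/BACKDAYS) - verify.
setvar mylogon rtrim("!hpuser")+"."+rtrim("!hpaccount")+","+rtrim("!hpgroup")
#
# customize the following 'mydomain' civar to be the fully qualified domain
# name on your server (it is stripped from the report text in the final
# cleanup batch below)
#
setvar mydomain "usmint.etreas.gov"
# upper-cased hostname; not used in this file, deleted at the end - may be
# read by a called command file, so left in place
setvar _hostnameu ups("!hostname")
#
# Fresh report work file; the VEAudit output is appended through *SECOUT.
#
continue
purge secrpt00 > $NULL
build secrpt00;rec=-256,,f,ascii;disc=150000
file seclist=secrpt00,old;acc=append;dev=disc;NOCCTL
file secout=secrpt00,old;acc=append;dev=disc;NOCCTL
# BACKDAYS sets the date CIVars (backdt2, backdt4, ...) for 'numdays' ago
xeq backdays.xeq.sys !numdays
echo Start Time=!hphhmmssmmm
# errors from VEAudit are tolerated; an empty extract simply yields no
# report (the EOF check before SENDHTML suppresses the email)
continue
xeq main.pub.vesoft &
 'veaudit listlog console @.@;search=(message matches "@!hostname@" and date>=today-!numdays)' > *SECOUT
echo Extract Completed at Time=!hphhmmssmmm
#
# QUAD batch 1: position on the first record dated !backdt4 (the oldest
# day wanted), delete everything before it, then squeeze out blank lines.
# The trailing 'yes' presumably answers QUAD's keep/overwrite prompt.
#
continue
purge quadin > $NULL
continue
purge quadin,temp > $NULL
echo t secrpt00:u > quadin
echo find "!backdt4" >> quadin
echo d 1/*-1 >> quadin
echo deblank all >> quadin
echo keep;exit >> quadin
echo yes >> quadin
run quad.util.sys < QUADIN
echo Time=!hphhmmssmmm
#
# Optional site-specific exclusions from syslogp.data
#
if finfo('syslogp.data','exists') then
   continue
   PURGE SYSLOGPX > $NULL
   continue
   PURGE SYSLOGPX,temp > $NULL
   setvar _syslogpeof finfo('SYSLOGP.DATA','eof')
   build syslogPX;rec=-80,,f,ascii;disc=!_syslogpeof
   file syslgpx=syslogpx,old;acc=append
   # drop comment lines (leading '#') from the pattern file; the HFS path
   # is relative to the logon account, so DATA must be the pattern group
   grep.hpbin.sys "-v '^#' ../DATA/SYSLOGP" > *SYSLGPX
   reset syslgpx
   setvar _syslogpeof finfo('SYSLOGPX','eof')
   if !_syslogpeof>0 then
      # copy the patterns into a message file so INPUT consumes exactly
      # one line per loop pass
      continue
      purge syslogxx > $NULL
      build syslogxx;rec=-80,,f,ascii;msg;disc=!_syslogpeof
      file syslogou=syslogxx,old;acc=append;dev=disc
      file syslogin=syslogxx,old;acc=in;dev=disc
      fcopy from=SYSLOGPX;to=*syslogou > $NULL
      continue
      PURGE SYSLOGPX > $NULL
      continue
      PURGE SYSLOGPX,TEMP > $NULL
      file secrpt=secrpt0x,old;acc=out
      while !_syslogpeof>0 do
         # egrep -v never writes more records than it reads, so the
         # current report size (+1) is a safe limit for the filtered copy
         setvar _secdisc finfo('secrpt00','eof')+1
         input _syslogi < *syslogin
         #
         # echo the input line back out and re-read it, so any MPE CIVars
         # in the line get dereferenced.  NOTE(review): this evaluates CI
         # expressions embedded in syslogp.data under this logon - keep
         # that file write-protected.
         #
         echo !_syslogi > syslogxo
         input _syslogi < syslogxo
         continue
         purge syslogxo,temp > $NULL
         setvar _syslogi rtrim('!_syslogi')
         # skip comment lines AND blank lines: an empty pattern makes
         # egrep -v discard every record and would wipe the report
         if "!_syslogi"<>"" and lft("!_syslogi",1)<>"#" then
            echo egrep.hpbin.sys '-v "!_syslogi" ./SECRPT00'
            continue
            purge secrpt0x > $NULL
            build secrpt0x;rec=-256,,f,ascii;disc=!_secdisc
            egrep.hpbin.sys '-v "!_syslogi" ./SECRPT00' > *SECRPT
            setvar _before finfo("secrpt00","eof")
            setvar _after finfo("secrpt0X","eof")
            echo Filter: Number of records Before:!_before After:!_after
            deletevar _before
            deletevar _after
            # the filtered copy becomes the working report
            purge secrpt00
            rename secrpt0x,secrpt00
         endif
         setvar _syslogpeof !_syslogpeof-1
         echo grep completed at Time=!hphhmmssmmm
      endwhile
      reset secrpt
   endif
   reset syslogin
   reset syslogou
   deletevar _syslogpeof
   # _syslogi is never set when the pattern file held only comments;
   # tolerate the missing variable instead of aborting before the mail
   continue
   deletevar _syslogi
   continue
   purge syslogxx > $NULL
endif
#
# QUAD batch 2: final cleanup; remove hostname and mgr.syslog text, then
# deblank and clear columns 10-25 of every line (presumably a fixed-width
# prefix of the VEAudit output - confirm against a sample extract).
#
continue
purge quadin > $NULL
continue
purge quadin,temp > $NULL
echo t secrpt00:u > quadin
echo c "MGR PUB SYSLOG","" a >> quadin
echo c "MGR PUB ","" a >> quadin
echo c "!hostname.!mydomain ","" a >> quadin
echo c " JSYSLOGD ","" a >> quadin
echo keep >> quadin
echo yes >> quadin
echo t secrpt00:u >> quadin
echo deblank all >> quadin
echo c 10/25,"" a >> quadin
echo keep;exit >> quadin
echo yes >> quadin
run quad.util.sys < QUADIN
echo Final cleanup completed at Time=!hphhmmssmmm
# re-run BACKDAYS with 0 so the date CIVars (backdt2) describe today for
# the subject line
xeq backdays.xeq.sys 0
# make sure no temp file of the same name shadows the permanent report
continue
purge secrpt00,temp > $NULL
# only mail a non-empty report; a SENDHTML failure is tolerated but the
# report file is still purged below, so check the job output for errors
if finfo("secrpt00","EOF")>0 then
   continue
   xeq sendhtml.xeq.sys ^!dist,,,secrpt00,&
    'Syslog Events from !hostname for !backdt2 (last !numdays days)'
endif
continue
purge quadin > $NULL
continue
purge quadin,temp > $NULL
purge secrpt00 > $NULL
deletevar _hostnameu
reset seclist
reset secout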