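#! c:\perl\bin\perl.exe
#---------------------------------------------------------
# dumpevt.pl
# Retrieves audit information from NT/2K systems, as well
# as EventLog entries; dumps to STDOUT in .csv format
#
# usage: dumpevt.pl [host] [> evt.csv]
#
# Copyright 2000/2001 H. Carvey keydet89@yahoo.com
#---------------------------------------------------------
use strict;
use warnings;

use Win32;
use Win32::Lanman;
use Win32::Perms;

# Host to query; falls back to the local machine name when
# no argument is given on the command line.
my $server = shift(@ARGV) || Win32::NodeName();
Win32::Perms::LookupDC(0);

auditPol($server);
GetEvents($server, "Security");
GetEvents($server, "Application");
GetEvents($server, "System");

#---------------------------------------------------------
# sub csvField()
# Quotes one CSV field. Values containing a comma, a double
# quote or a line break are wrapped in double quotes with
# embedded quotes doubled, so free-form event text (which
# is log content, not something this script controls)
# cannot split or merge rows. undef becomes an empty field.
#---------------------------------------------------------
sub csvField {
    my ($value) = @_;
    $value = "" unless defined $value;
    if ($value =~ /[",\r\n]/) {
        $value =~ s/"/""/g;
        $value = qq("$value");
    }
    return $value;
}

#---------------------------------------------------------
# sub errorText()
# Returns the message for the last Win32::Lanman error, or
# the raw error number when no message text is available.
#---------------------------------------------------------
sub errorText {
    my $code = Win32::Lanman::GetLastError();
    my $text = Win32::FormatMessage($code);
    $text = $code unless defined $text && $text ne "";
    return $text;
}

#---------------------------------------------------------
# sub GetEvents()
# Reads every record of EventLog $evtlog on $server and
# prints one CSV row per event:
#   computer,category,id,type,source,sourcename,
#   generated,written,account,description
# A ReadEventLog failure is reported on STDOUT and the log
# is skipped.
#---------------------------------------------------------
sub GetEvents {
    my ($server, $evtlog) = @_;
    my %types = (
        1  => "(Error)",
        2  => "(Warning)",
        4  => "(Information)",
        8  => "(Success Audit)",
        16 => "(Failure Audit)",
    );
    my %category = (
        0 => "(None)",
        1 => "(System Event)",
        2 => "(Logon/Logoff)",
        3 => "(Object Access)",
        4 => "(Privilege Use)",
    );

    my @events;
    # 0xffffffff = all records, starting at offset 0.
    unless (Win32::Lanman::ReadEventLog("\\\\$server", $evtlog, 0xffffffff, 0, \@events)) {
        print "$server: ReadEventLog error: " . errorText() . ".\n";
        return;
    }

    foreach my $event (@events) {
        # The low 16 bits carry the event ID; the upper bits hold
        # severity/facility flags and are dropped.
        my $id = $event->{eventid} & 0xffff;

        # Declared per event so a failed lookup never reuses the
        # previous record's description.
        my $desc = "";
        if (Win32::Lanman::GetEventDescription("\\\\$server", $event)) {
            $desc = $event->{eventdescription};
            $desc = "" unless defined $desc;
            $desc =~ s/\t/ /g;
            $desc =~ s/\s{2,}/ /g;
        }
        elsif (my $strings = $event->{strings}) {
            # No message text available: fall back to the raw
            # insertion strings.
            $desc = join("+", @$strings);
        }

        my $cat  = $event->{eventcategory};
        my $type = $event->{eventtype};
        my $sid  = $event->{usersid};
        # Unknown category/type codes are printed as their raw
        # number rather than as an empty cell.
        my @row = (
            $event->{computername},
            (defined $cat  && exists $category{$cat}) ? $category{$cat} : $cat,
            $id,
            (defined $type && exists $types{$type})   ? $types{$type}   : $type,
            $event->{source},
            $event->{sourcename},
            scalar localtime($event->{timegenerated}),
            scalar localtime($event->{timewritten}),
            defined $sid ? scalar Win32::Perms::ResolveAccount($sid) : "",
            $desc,
        );
        print join(",", map { csvField($_) } @row), "\n";
    }
    return;
}

#---------------------------------------------------------
# sub auditPol()
# Retrieves audit policy from $server and prints one line
# per audit category: name,description,setting
# A query failure is reported on STDOUT.
#---------------------------------------------------------
sub auditPol {
    my ($server) = @_;
    # Each name is an AuditCategory* constant exported by
    # Win32::Lanman; it is printed as-is and also resolved to
    # the index into eventauditingoptions. Fixed order gives
    # stable output (the original hash iteration did not).
    my @categories = (
        [ "AuditCategoryLogon",             "Logon and Logoff" ],
        [ "AuditCategoryObjectAccess",      "File and Object Access" ],
        [ "AuditCategoryPrivilegeUse",      "Use of User Rights" ],
        [ "AuditCategoryAccountManagement", "User/Group Mgmt" ],
        [ "AuditCategoryPolicyChange",      "Security Policy Changes" ],
        [ "AuditCategorySystem",            "Restart and Shutdown System" ],
        [ "AuditCategoryDetailedTracking",  "Process Tracking" ],
    );
    # Indexed by the per-category value in eventauditingoptions.
    my @settings = ("None", "Success", "Failure", "Success & Failure");

    my %info;
    unless (Win32::Lanman::LsaQueryAuditEventsPolicy("\\\\$server", \%info)) {
        print "$server: LsaQueryAuditEventsPolicy error: " . errorText() . ".\n";
        return;
    }
    if (!$info{auditingmode}) {
        print "Auditing NOT enabled.\n";
        return;
    }
    return unless $info{maximumauditeventcount} > 0;

    my $options = $info{eventauditingoptions};
    foreach my $entry (@categories) {
        my ($name, $label) = @$entry;
        # Calling a sub by its string name is rejected under
        # strict refs, but taking a reference by name is allowed.
        my $constant = \&{$name};
        my $raw      = $options->[ $constant->() ];
        # A value outside the known range is printed raw instead
        # of as an empty cell.
        my $setting = (defined $raw && defined $settings[$raw]) ? $settings[$raw] : $raw;
        print join(",", $name, $label, csvField($setting)), "\n";
    }
    return;
}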