In order to parse the records generated by EventReporter, you need to know which fields they contain. Here is a typical syslog message generated by EventReporter:
EvntSLog: [ERR] Thu Feb 15 14:00:58 2001: FMSRV/Wins (4102) - "The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server."
The message begins with the identifier string "EvntSLog". This identifier can be used to select EventReporter-generated messages, e.g. for parsing purposes. Please note that it is terminated by a colon followed by a space.
The next field is a severity code based on the NT event severity. It is always 3 characters enclosed in square brackets. Possible values are:
NT Severity   | Code  | Mapped to Syslog Priority
------------- | ----- | -------------------------
Audit Success | [AUS] | LOG_NOTICE
Audit Failure | [AUF] | LOG_WARNING
Information   | [INF] | LOG_NOTICE
Warning       | [WRN] | LOG_WARNING
Error         | [ERR] | LOG_ERR
none          | [NON] | LOG_NOTICE
Please note that this code is more descriptive than the syslog priority, as we do not have matching syslog priorities for all NT severities. The “[NON]” code should never appear; it would point to an error in the event logging API. We have never seen this case and do not expect it, but we have included this identifier just in case.
The next field is the date the event was written to the event log of the NT machine (in standard RFC format). It is terminated by a colon followed by a space.
The NT server name field is the name of the machine the event log entry is from (FMSRV in the example above). It is separated from the following field by a slash.
The NT event source field is the source as seen in NT Event Viewer (Wins in the example above).
The NT event ID field is the event ID as seen in NT Event Viewer, enclosed in parentheses (4102 in the example above).
The final field is the actual message text expanded from the Windows NT / 2000 event log. It is delimited by double quotes (“).
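The field description above is enough to write a parser. The following Python script is an added example for this page (it is not the Perl example referred to by the original documentation, nor code from the EventReporter project). It parses each line into its fields, maps the severity code to the documented syslog priority (the numeric syslog severity values are the standard ones from syslog.h), flags the "[NON]" code and any undocumented code so that a log pipeline can alert on them, and ignores lines that do not carry the "EvntSLog: " identifier. The first sample line is the page's own example; the other lines, the host name FILESRV and their message texts are constructed for this illustration.

```python
import re
from datetime import datetime

# Severity code -> (NT severity name, syslog priority name, numeric syslog severity).
# Code and priority names are the ones documented for EventReporter; the numbers
# are the standard syslog severity values (LOG_ERR=3, LOG_WARNING=4, LOG_NOTICE=5).
SEVERITY = {
    "AUS": ("Audit Success", "LOG_NOTICE", 5),
    "AUF": ("Audit Failure", "LOG_WARNING", 4),
    "INF": ("Information", "LOG_NOTICE", 5),
    "WRN": ("Warning", "LOG_WARNING", 4),
    "ERR": ("Error", "LOG_ERR", 3),
    "NON": ("none", "LOG_NOTICE", 5),
}

# Field layout: EvntSLog: [code] date: server/source (id) - "message"
EVENT_RE = re.compile(
    r'^EvntSLog: '                                              # identifier, colon + space
    r'\[(?P<code>[A-Z]{3})\] '                                  # 3-char severity code in []
    r'(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): '  # ctime-style date, then ": "
    r'(?P<server>[^/]+)/'                                       # NT server name up to "/"
    r'(?P<source>.+?) '                                         # event source (may contain spaces)
    r'\((?P<event_id>\d+)\) - '                                 # event ID in parentheses
    r'"(?P<message>.*)"$'                                       # quoted message text to end of line
)


def parse_eventreporter(line):
    """Return a dict of fields for an EventReporter line, or None if it is not one."""
    m = EVENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    # Collapse the day padding of single-digit days ("Feb  9") before strptime.
    rec["timestamp"] = datetime.strptime(" ".join(rec["date"].split()),
                                         "%a %b %d %H:%M:%S %Y")
    nt_name, prio_name, prio_num = SEVERITY.get(rec["code"], ("unknown", None, None))
    rec["nt_severity"] = nt_name
    rec["syslog_priority"] = prio_name
    rec["syslog_severity"] = prio_num
    # [NON] should never appear, and anything outside the table is undocumented:
    # both are worth an alert in a monitoring pipeline.
    rec["suspicious_code"] = rec["code"] == "NON" or rec["code"] not in SEVERITY
    return rec


# Constructed sample input: line 1 is the page's own example; the FILESRV lines and
# the plain sshd line are made up here to exercise spaces in the source name,
# embedded quotes in the message and a non-EventReporter record.
SAMPLE_LINES = [
    'EvntSLog: [ERR] Thu Feb 15 14:00:58 2001: FMSRV/Wins (4102) - "The connection was aborted by the remote WINS. Remote WINS may not be configured to replicate with the server."',
    'EvntSLog: [AUF] Fri Feb  9 08:05:01 2001: FILESRV/Security (529) - "Logon Failure: Reason: Unknown user name or bad password"',
    'EvntSLog: [INF] Fri Feb  9 08:05:02 2001: FILESRV/Service Control Manager (7036) - "The "Spooler" service entered the running state."',
    'Feb  9 08:05:03 gateway sshd[1234]: Accepted publickey for admin',
]


def summarize(lines):
    """Parse every line; return (parsed records, count of non-EventReporter lines)."""
    records, skipped = [], 0
    for line in lines:
        rec = parse_eventreporter(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


if __name__ == "__main__":
    recs, skipped = summarize(SAMPLE_LINES)
    for r in recs:
        flag = " (unexpected severity code!)" if r["suspicious_code"] else ""
        print(f'{r["timestamp"]:%Y-%m-%d %H:%M:%S} {str(r["syslog_priority"]):<11} '
              f'{r["server"]} {r["source"]} #{r["event_id"]}: {r["message"][:40]}{flag}')
    print(f"skipped {skipped} non-EventReporter line(s)")
```

The message text is taken greedily up to the last double quote on the line, so quotes inside the expanded event text (as in the Service Control Manager sample) do not truncate it. The date is matched by its fixed shape rather than by splitting on colons, since the time portion itself contains colons and only the trailing colon-space ends the field.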