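#!/bin/bash
# Builds a WQL query against Win32_NTLogEvent from the -l log list and prints
# the wmic command line that would run it.  Only -H/-u/-p/-l are consumed so
# far; the other letters in the getopts string are accepted but not handled.

DEBUG=0
EXITCODE=0
EXITSTRING=""
LASTSTR=""
MARCOLIST="ITEMCOUNT,LASTSTR"
ERROR_EVENTTYPE=""

## Nagios-style exit codes.
E_SUCCESS="0"
E_WARNING="1"
E_CRITICAL="2"
E_UNKNOWN="3"

## TMP directory where wmic outputs
TMPDIR=/tmp
## WMIC binary
WMIC=/bin/wmic

## Custom exit text, can be set as an argument on the command line as -O, -W, -C, -U
CUSTOM_EXIT_STR[$E_SUCCESS]=""
CUSTOM_EXIT_STR[$E_WARNING]=""
CUSTOM_EXIT_STR[$E_CRITICAL]=""
CUSTOM_EXIT_STR[$E_UNKNOWN]=""

## Human-readable names for the exit codes above.
E_STR[0]="OK"
E_STR[1]="WARNING"
E_STR[2]="CRITICAL"
E_STR[3]="UNKNOWN"

## EventType codes as reported by Win32_NTLogEvent.
ETYPE[1]="Error"
ETYPE[2]="Warning"
ETYPE[3]="Information"
ETYPE[4]="Security Audit Success"
ETYPE[5]="Security Audit Failure"

while getopts "hH:u:p:l:t:e:s:Sw:c:m:W:C:O:U:dv" OPTION; do
  case "$OPTION" in
    H) HOST=$OPTARG ;;
    u) USER=$OPTARG ;;       # overrides the login USER env var for the rest of the run
    p) PASSWD=$OPTARG ;;     # a password on argv is visible to other local users via ps
    l) LOGFILE=$OPTARG ;;
    *) ;;                    # remaining letters are declared but not handled yet
  esac
done

#######################################
# Build one parenthesised WQL predicate from a comma/space-separated list.
# Arguments:
#   $1 - list of values, split on ',' and ' '; empty fields are skipped
#   $2 - WQL field name the values are compared against
#   $3 - "like" for a substring match (%value%), anything else for equality
# Outputs:
#   ' ( FIELD = "v1" or FIELD = "v2" ) and ' on stdout, ready to be placed
#   in front of the rest of a WHERE clause; an empty line when no value
#   survives the split
# Returns:
#   0
#######################################
WQL_Constructor() {
  local WS=$1
  local WS_FIELD=$2
  local WS_TYPE=$3
  local WS_WQL=""
  local -a WS_ARRAY=()
  local -a WS_TERMS=()
  local WS_ELEMENT
  local i

  # -r keeps backslashes in the values; IFS applies to this read only.
  IFS=', ' read -r -a WS_ARRAY <<< "$WS"

  for WS_ELEMENT in "${WS_ARRAY[@]}"; do
    [[ -n "$WS_ELEMENT" ]] || continue   # "a,,b" yields an empty field
    # Escape backslashes and double quotes so a value cannot terminate the
    # WQL string literal and append further predicates to the query.
    WS_ELEMENT=${WS_ELEMENT//\\/\\\\}
    WS_ELEMENT=${WS_ELEMENT//\"/\\\"}
    if [[ "$WS_TYPE" == "like" ]]; then
      WS_TERMS+=("$WS_FIELD like \"%$WS_ELEMENT%\"")
    else
      WS_TERMS+=("$WS_FIELD = \"$WS_ELEMENT\"")
    fi
  done

  if (( ${#WS_TERMS[@]} > 0 )); then
    WS_WQL=" ( ${WS_TERMS[0]}"
    for (( i = 1; i < ${#WS_TERMS[@]}; i++ )); do
      WS_WQL+=" or ${WS_TERMS[i]}"
    done
    WS_WQL+=" ) and "
  fi

  # Quoted so that '*' or '?' in a value cannot be expanded as a glob.
  printf '%s\n' "$WS_WQL"
}

## Restrict the query to the requested log(s); empty when -l was not given.
EXTRA_WQL=" $(WQL_Constructor "$LOGFILE" "Logfile" "")"
printf '%s\n' "$EXTRA_WQL"

## NOTE(review): NOW is referenced here but never assigned in this file —
## TODO confirm where the TimeGenerated lower bound is supposed to be set.
WQL="Select EventCode,EventIdentifier,EventType,SourceName from Win32_NTLogEvent where ${EXTRA_WQL} TimeGenerated > \"${NOW}\""
##WQL='Select EventCode,EventIdentifier,EventType from Win32_NTLogEvent where logfile="'$LOGFILE'" and eventcode='$EVENTID' and TimeGenerated > "'$NOW'" '$EXTRA_WQL

## Only prints the command that would be run.  When this becomes a real
## invocation, prefer passing the credentials through a file (-A) rather than
## -U user%password on argv, which any local user can read from ps.
printf '%s\n' "$WMIC --namespace root/cimv2 -U $USER%$PASSWD //$HOST '--delimiter=\"|\"' '$WQL'"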