# windows日志分析
'''
author: rocky chen
公众号:可转债量化分析
'''
import argparse
import contextlib
import mmap
import re
from xml.dom import minidom

from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view

from ip_convertor import IP
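class WindowsLogger():
    """Read a Windows ``.evtx`` event log and print the events with one EventID.

    The instance only stores the file path and the output line template; the
    log is re-opened (memory-mapped read-only) each time it is parsed.  The
    fields extracted per event (source IP/port, target user, process) are the
    ones commonly reviewed for logon events such as 4624 (logon) and 4625
    (failed logon), which is what ``main`` filters on.
    """

    # ``<Data Name="...">`` entries of ``<EventData>`` that ``filter_event``
    # reports; anything else inside the event is ignored.
    _FIELDS = ('IpAddress', 'IpPort', 'TargetUserName', 'ProcessName')

    def __init__(self, path):
        """Remember the ``.evtx`` ``path`` and build the output line template."""
        self.path = path
        # Positional slots, in order: date, IP, port, location, user, process.
        self.formator = 'Date:{:10}\tIP:{}\tPort:{}\tlocation:{:20}\tUser:{:15}\tProcess:{}'

    def read_file(self):
        """Return the ``FileHeader`` parsed from offset 0 of ``self.path``.

        NOTE(review): the header is built over a memory map that is closed
        when this method returns, so reading through the returned object
        afterwards may fail — confirm against ``Evtx.FileHeader`` before
        relying on it.  ``parse_log_detail`` does not use this method.
        """
        # Binary mode: the file is only ever accessed through the mmap.
        with open(self.path, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
                return FileHeader(buf, 0)

    def parse_log_detail(self, filteID):
        """Print one formatted line for every event whose EventID equals ``filteID``.

        Args:
            filteID: EventID to keep; compared as a string, so ``'4625'`` and
                ``4625`` are equivalent.

        Each record is rendered to XML by ``evtx_file_xml_view`` and handed to
        ``filter_event``; the resulting tuples are printed via ``printer``.
        """
        with open(self.path, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
                fh = FileHeader(buf, 0)
                for xml, _record in evtx_file_xml_view(fh):
                    for time_create, ip_address, location, ip_port, user, process in self.filter_event(xml, filteID):
                        # ``printer`` fills the template positionally as
                        # (date, IP, port, location, ...), so port and
                        # location are passed in the opposite order from
                        # the tuple yielded by ``filter_event``.
                        self.printer(time_create, ip_address, ip_port, location, user, process)

    def printer(self, time_create, IpAddress, ip, IpPort, targetUsername, ProcessName):
        """Print one line built from ``self.formator``.

        The arguments fill the template slots positionally: date, IP, port,
        location, user, process.  Note that the third argument (``ip``) lands
        in the ``Port`` slot and the fourth (``IpPort``) in ``location``;
        ``parse_log_detail`` passes them in that order on purpose.  The
        parameter names are kept for compatibility with existing callers.
        """
        print(self.formator.format(time_create, IpAddress, ip, IpPort, targetUsername, ProcessName))

    @staticmethod
    def _node_text(node):
        """Return the text of ``node``'s first child, or ``''`` for an empty element.

        ``<Data Name="X"/>`` with no content is common in event logs and
        would otherwise raise ``IndexError`` on ``childNodes[0]``.
        """
        children = node.childNodes
        return getattr(children[0], 'data', '') if children else ''

    def filter_event(self, xml, EventID, use_filter=True):
        """Yield the logon-related fields of each ``<Event>`` in ``xml`` matching ``EventID``.

        Args:
            xml: XML text of one (or more) ``<Event>`` elements.
            EventID: EventID to keep; compared as a string.
            use_filter: when ``False`` every event is yielded regardless of
                its EventID.

        Yields:
            ``(time_create, IpAddress, ip, IpPort, targetUsername, ProcessName)``.
            ``ip`` is ``IP(IpAddress).ip_address`` (presumably a location lookup,
            see ``ip_convertor``) when ``IpAddress`` starts with digits, else
            ``''``.  Fields that are absent or empty in ``<EventData>`` are
            reported as ``''`` — they are reset for every event, so values
            never leak from one event into the next.
        """
        wanted = str(EventID)
        xmldoc = minidom.parseString(xml)
        for evt in xmldoc.getElementsByTagName('Event'):
            event_id = self._node_text(evt.getElementsByTagName('EventID')[0])
            if use_filter and event_id != wanted:
                continue
            time_create = evt.getElementsByTagName('TimeCreated')[0].getAttribute('SystemTime')
            fields = dict.fromkeys(self._FIELDS, '')
            for block in evt.getElementsByTagName('EventData'):
                for data in block.getElementsByTagName('Data'):
                    name = data.getAttribute('Name')
                    if name in fields:
                        fields[name] = self._node_text(data)
            ip_address = fields['IpAddress']
            # Only addresses that start with digits (IPv4 literals) are looked
            # up; '-' (local logon) and IPv6 literals get an empty location.
            ip = IP(ip_address).ip_address if re.search(r'^\d+', ip_address) else ''
            yield (time_create, ip_address, ip, fields['IpPort'],
                   fields['TargetUserName'], fields['ProcessName'])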
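def main(argv=None):
    """Command-line entry point: print the events with one EventID from an ``.evtx`` file.

    Args:
        argv: argument list to parse; ``None`` means ``sys.argv[1:]``.  The
            positional ``path`` defaults to the sample path the script was
            written with and ``--event-id`` to ``'4625'`` (failed logon), so
            ``main()`` without arguments behaves as before.
    """
    parser = argparse.ArgumentParser(
        description='Print the records of a Windows .evtx log that match one EventID.')
    parser.add_argument('path', nargs='?', default=r'D:\share\failed.evtx',
                        help='path of the .evtx file to parse')
    parser.add_argument('--event-id', default='4625',
                        help='EventID to keep, e.g. 4625 (failed logon) or 4624 (logon)')
    args = parser.parse_args(argv)
    app = WindowsLogger(args.path)
    app.parse_log_detail(args.event_id)


if __name__ == '__main__':
    main()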