def run(self):
self.hand = win32evtlog.OpenEventLog(self.server, self.logtype)
global time_limit
flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEEK_READ
prevNumOfRecs = win32evtlog.GetNumberOfEventLogRecords(self.hand)
evnthndl = CreateEvent(None, True, False, None)
win32evtlog.NotifyChangeEventLog(self.hand, evnthndl)
levels_dict = {1: 'ERROR', 2: 'WARNING', 4: 'INFO'}
while True:
print('hi')
evntsgnld = WaitForSingleObject(evnthndl, 10000)
if evntsgnld == WAIT_OBJECT_0:
print('New event: \n')
numOfRec = win32evtlog.GetNumberOfEventLogRecords(self.hand)
NumOfNewRecs = numOfRec - prevNumOfRecs
offset = numOfRec - NumOfNewRecs
events = win32evtlog.ReadEventLog(self.hand, flags, offset + 1)
for event in events:
# 4 Info, 1 Error, 2 Warning... 3 should be Debug?
evJson = {}
datetime = str(event.TimeGenerated)
evJson["logged_date"] = datetime.split(" ")[0]
evJson["logged_time"] = datetime
evJson["process"] = str(event.SourceName)
evJson["host"] = str(event.ComputerName)
if not event.EventType in levels_dict.keys():
evJson["severity"] = "Unknown"
else:
evJson["severity"] = str(levels_dict[event.EventType])
evJson["message"] = str(
win32evtlogutil.FormatMessage(event, self.logtype))
ev = evJson["logged_time"] + " " + evJson["process"] + " " + \
evJson["host"] + " " + evJson["severity"] + \
" " + evJson["message"]
filter_pattern = re.compile(event_logs["filter_by"])
if (event_logs["filter_by"] == ""
or filter_pattern.search(ev)):
logs.append(evJson)
if (len(logs) >= batch_size
or time.time() > time_limit):
now = time.time()
time_limit = now + max_time
sendLogs(logs)
logs.clear()
print(" EVENT: \n")
print(evJson)
# print("\n All events: \n")
# print(logs)
print("\n\n")
ResetEvent(evnthndl)
prevNumOfRecs = numOfRec
def test_event_log_clear_with_save(self):
log_name = "Internet Explorer"
source_name = "_winsys-%s" % uuid.uuid1()
source = event_logs.EventSource.create(source_name, log_name)
log = event_logs.event_log(log_name)
hLog = win32evtlog.OpenEventLog(None, log_name)
try:
log.log_event(source, message="hello")
self.assertNotEquals(win32evtlog.GetNumberOfEventLogRecords(hLog),
0)
log.clear()
self.assertEqual(win32evtlog.GetNumberOfEventLogRecords(hLog), 0)
finally:
win32evtlog.CloseEventLog(hLog)
source.delete()
def ParseEvents(eventtype, limit=None, server=None):
server = None
hand = win32evtlog.OpenEventLog(server,eventtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
events = 1
count = 0
while events:
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
count += 1
if count <= 500:
if interestingEvent(event,whitelist):
time = "date_time=\"" + str(event.TimeGenerated) + "\""
cat = "type=\"" + str(event.SourceName) + "\""
eventID = "eventid=\"" + str(event.EventID & 0x1FFFFFFF) + "\""
strings = "data=\"" + str(event.StringInserts).replace("\\\\","\\").replace("u'","'").replace("%%","") + "\""
result = []
result.append((time, cat, eventID, strings))
yield result
else:
break
def ReadLog(computer, logType="Application", dumpEachRecord = 0):
# read the entire log back.
h=win32evtlog.OpenEventLog(computer, logType)
numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
# print "There are %d records" % numRecords
num=0
while 1:
objects = win32evtlog.ReadEventLog(h, win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
if not objects:
break
for object in objects:
# get it for testing purposes, but dont print it.
msg = SafeFormatMessage(object, logType).encode("mbcs")
if object.Sid is not None:
try:
domain, user, typ = win32security.LookupAccountSid(computer, object.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error:
sidDesc = str(object.Sid)
user_desc = "Event associated with user %s" % (sidDesc,)
else:
user_desc = None
if dumpEachRecord:
if user_desc:
print user_desc
print msg
num = num + len(objects)
if numRecords == num:
print "Successfully read all", numRecords, "records"
else:
print "Couldn't get all records - reported %d, but found %d" % (numRecords, num)
print "(Note that some other app may have written records while we were running!)"
win32evtlog.CloseEventLog(h)
def getEventLogs(self, server, logtype, logPath):
"""
Get the event logs from the specified machine according to the
logtype (Example: Application) and save it to the appropriately
named log file
"""
print("Logging %s events" % logtype)
log = codecs.open(logPath, encoding='utf-8', mode='w')
line_break = '-' * 80
log.write("\n%s Log of %s Events\n" % (server, logtype))
log.write("Created: %s\n\n" % time.ctime())
log.write("\n" + line_break + "\n")
hand = win32evtlog.OpenEventLog(server, logtype)
total = win32evtlog.GetNumberOfEventLogRecords(hand)
print("Total events in %s = %s" % (logtype, total))
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
events = win32evtlog.ReadEventLog(hand, flags, 0)
evt_dict = {
win32con.EVENTLOG_AUDIT_FAILURE: 'EVENTLOG_AUDIT_FAILURE',
win32con.EVENTLOG_AUDIT_SUCCESS: 'EVENTLOG_AUDIT_SUCCESS',
win32con.EVENTLOG_INFORMATION_TYPE: 'EVENTLOG_INFORMATION_TYPE',
win32con.EVENTLOG_WARNING_TYPE: 'EVENTLOG_WARNING_TYPE',
win32con.EVENTLOG_ERROR_TYPE: 'EVENTLOG_ERROR_TYPE'
}
try:
events = 1
while events:
events = win32evtlog.ReadEventLog(hand, flags, 0)
for ev_obj in events:
the_time = ev_obj.TimeGenerated.Format(
) #'12/23/99 15:54:09'
evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID))
computer = str(ev_obj.ComputerName)
cat = ev_obj.EventCategory
record = ev_obj.RecordNumber
msg = win32evtlogutil.SafeFormatMessage(ev_obj, logtype)
source = str(ev_obj.SourceName)
if not ev_obj.EventType in evt_dict.keys():
evt_type = "unknown"
else:
evt_type = str(evt_dict[ev_obj.EventType])
log.write("Event Date/Time: %s\n" % the_time)
log.write("Event ID / Type: %s / %s\n" %
(evt_id, evt_type))
log.write("Currently Active User(s): %s\n" %
self.currentUsers)
log.write("Record #%s\n" % record)
log.write("Source: %s\n\n" % source)
log.write(msg)
log.write("\n\n")
log.write(line_break)
log.write("\n\n")
except:
print(traceback.print_exc(sys.exc_info()))
print("Log creation finished. Location of log is %s" % logPath)
def _list_evt_xp(self, server, logtype):
"""Retrieves the contents of the event log for Windows XP"""
self.logger.info('Exporting logs for : ' + logtype)
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
sum_evt = 0
while True:
events = win32evtlog.ReadEventLog(hand, flags, 0)
sum_evt += len(events)
if events:
for event in events:
data = event.StringInserts
date = datetime.datetime(event.TimeGenerated.year, event.TimeGenerated.month,
event.TimeGenerated.day, event.TimeGenerated.hour,
event.TimeGenerated.minute, event.TimeGenerated.second).strftime(
'%d/%m/%Y %H:%M:%S')
# print date + ' : ' + log_type + ' -> ' + log_data
if data:
yield unicode(event.EventCategory), unicode(event.SourceName), unicode(event.EventID), unicode(
event.EventType), date, list(data)
else:
yield unicode(event.EventCategory), unicode(event.SourceName), unicode(event.EventID), unicode(
event.EventType), date, []
if sum_evt >= total:
break
def get_event_log(server, log_type='system'):
log_handle = win32evtlog.OpenEventLog(server, log_type)
total_num_records = win32evtlog.GetNumberOfEventLogRecords(log_handle)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
print "There are %d records" % total_num_records
events = 1
while events:
events = win32evtlog.ReadEventLog(log_handle, flags, 0)
for event in events:
if is_common_event_id(event.EventID):
print event.EventID
print event.EventCategory
print event.TimeGenerated.Format()
# print event.TimeWritten # <type 'time'>
print event.EventType # win32evtlog.EVENTLOG_ERROR_TYPE,
print event.ComputerName
print event.SourceName
print win32evtlogutil.SafeFormatMessage(event, log_type) # Event Description
# print event.StringInserts
print event.Sid
if event.Sid is not None:
try:
domain, user, typ = win32security.LookupAccountSid(server, event.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error: # from pywintypes import error
sidDesc = str(event.Sid)
user_desc = "Event associated with user %s" % (sidDesc,)
else:
user_desc = None
print user_desc
win32evtlog.CloseEventLog(log_handle)
def BackupClearLog(logType):
datePrefix = time.strftime("%Y%m%d", time.localtime(time.time()))
fileExists = 1
retry = 0
while fileExists:
if retry == 0:
index = ""
else:
index = "-%d" % retry
try:
fname = os.path.join(
win32api.GetTempPath(),
"%s%s-%s" % (datePrefix, index, logType) + ".evt")
os.stat(fname)
except os.error:
fileExists = 0
retry = retry + 1
# OK - have unique file name.
try:
hlog = win32evtlog.OpenEventLog(None, logType)
except win32evtlogutil.error as details:
print("Could not open the event log", details)
return
try:
if win32evtlog.GetNumberOfEventLogRecords(hlog) == 0:
print("No records in event log %s - not backed up" % logType)
return
win32evtlog.ClearEventLog(hlog, fname)
print("Backed up %s log to %s" % (logType, fname))
finally:
win32evtlog.CloseEventLog(hlog)
def RetrieveEvent(self):
Datmsg = ''
hand = win32evtlog.OpenEventLog('localhost',self.LogType)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
ev = 0
while ev != int(self.NumEvt):
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
if (event.EventID == int(self.EvntID) or event.EventID == int(self.EvntIdII)) and (event.SourceName == self.EvtSourceName or event.SourceName == self.EvtSourceNameII):
self.Datapayload["EvtSourceName"] = event.SourceName
self.Datapayload["EvntID"]= self.EvntID
self.Datapayload['TimeGenerated']= str(event.TimeGenerated)
#print(self.Datapayload)
data = event.StringInserts
if data:
for msg in data:
Datmsg = Datmsg + msg
#print(msg)
self.Datapayload["EventData"]= Datmsg
ev += 1
else:
ev += 1
self.Datapayload['UserName'] = self.UserName
self.Datapayload['ComputerName'] = os.environ['COMPUTERNAME']
return self.Datapayload
def readEventLog(server, log_type):
# Reads the log_type (e.g. "Application" or "System" from the Windows event viewer on the specified server
try:
# Open the log file and sort array on Event ID's
log_handle = win32evtlog.OpenEventLog(server, log_type)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(log_handle)
print("Scanning through {} events on {} in {}".format(
total, server, log_type))
# As long as there are events, keep reading
readEvent_count = 1
readEvents = 1
events = []
while readEvents:
readEvents = win32evtlog.ReadEventLog(log_handle, flags, 1)
for event in readEvents:
events.append(event)
readEvent_count += 1
win32evtlog.CloseEventLog(log_handle)
return events
except:
print("I can't read yar bastard")
try:
print(traceback.print_exc(sys.exc_info()))
except:
print("Exception whilst printing traceback")
def get_last_record(logtype):
try:
with eventlog(logtype) as log_handle:
oldest = win32evtlog.GetOldestEventLogRecord(log_handle)
total = win32evtlog.GetNumberOfEventLogRecords(log_handle)
result = oldest + total - 1
return result if result >= 0 else 0
except Exception:
return 0
def get_last_record(logtype):
try:
with eventlog(logtype) as log_handle:
oldest = win32evtlog.GetOldestEventLogRecord(log_handle) # pylint: disable=c-extension-no-member
total = win32evtlog.GetNumberOfEventLogRecords(log_handle) # pylint: disable=c-extension-no-member
result = oldest + total - 1
return result if result >= 0 else 0
except Exception:
return 0
def event_logs(server="localhost", source="System"):
# type: (str, str) -> Iterator[dict]
"""
EventType: severity level
EVENTLOG_ERROR_TYPE 0x0001
EVENTLOG_WARNING_TYPE 0x0002
EVENTLOG_INFORMATION_TYPE 0x0004
EVENTLOG_AUDIT_SUCCESS 0x0008
EVENTLOG_AUDIT_FAILURE 0x0010
EventID: same for same class of messages, stringinserts are provides to template belonging to eventid
"""
fields = {
"Reserved", "RecordNumber", "TimeGenerated", "TimeWritten", "EventID",
"EventType", "EventCategory", "ReservedFlags", "ClosingRecordNumber",
"SourceName", "StringInserts", "Sid", "Data", "ComputerName"
}
fields = {
"Reserved", "RecordNumber", "TimeGenerated", "TimeWritten", "EventID",
"EventType", "EventCategory", "ReservedFlags", "ClosingRecordNumber",
"SourceName", "StringInserts", "ComputerName"
}
# missing: "Sid", "Data"
handle = win32evtlog.OpenEventLog(server, source)
flags = win32evtlog.EVENTLOG_SEQUENTIAL_READ | win32evtlog.EVENTLOG_FORWARDS_READ
logger.debug("Preparing to read {} events".format(
win32evtlog.GetNumberOfEventLogRecords(handle)))
try:
while True:
events = win32evtlog.ReadEventLog(handle, flags, 0)
if events:
for event in events:
ret = {f: getattr(event, f) for f in fields}
# does that work for different time zones?
ret["TimeGenerated"] = datetime.fromtimestamp(
event.TimeGenerated.timestamp())
ret["TimeWritten"] = datetime.fromtimestamp(
event.TimeWritten.timestamp())
if ret["StringInserts"]:
ret["StringInserts"] = ", ".join(
ret["StringInserts"]).replace("\r\n", "\n")
if not ret["StringInserts"]:
ret["StringInserts"] = None
ret["EventID"] = winerror.HRESULT_CODE(ret["EventID"])
#print(ret)
yield ret
else:
break
finally:
win32evtlog.CloseEventLog(handle)
def getLogs(self):
for log in self.log_holder.keys():
hand = win32evtlog.OpenEventLog(self.computer, log)
numRecords = win32evtlog.GetNumberOfEventLogRecords(hand)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
while 1:
events = win32evtlog.ReadEventLog(hand, flags, 0)
if not events:
break
for event in events:
self.log_holder[log].append(event)
def monitEventlog(root, args, engine, baseline):
server = "localhost"
source_type = "Microsoft-Windows-Sysmon/Operational"
num_events = 0
h_log = win32evtlog.OpenEventLog(server, source_type)
flags = win32evtlog.EVENTLOG_FORWARDS_READ|\
win32evtlog.EVENTLOG_SEQUENTIAL_READ
total_events = win32evtlog.GetNumberOfEventLogRecords(h_log)
h_evt = win32event.CreateEvent(None, 1, 0, "evt0")
win32evtlog.NotifyChangeEventLog(h_log, h_evt)
while True:
events_read = []
while True:
aux = win32evtlog.ReadEventLog(h_log, flags, 0)
if not aux:
break
events_read += aux
if events_read:
num_events += len(events_read)
log.debug("Read from eventlog: %d - Total readed: %d \r" %\
(len(events_read), num_events))
for event in events_read:
req_parsed = {}
if event.EventID in EVENTLOG_EVENTID:
req_parsed = parseEventlogIDx(SYSMON_SCHEMA, event, server)
try:
actions_list = getListOfActions(req_parsed)
except:
log.error("Missing Sysmon/Operational registry key")
log.error("Add key located in RegistryKey directory")
log.error("See README for more info")
exit(1)
for action in actions_list:
pnode = addToProcessTree(action, root)
# Baseline engine actions
if pnode:
baseline.runActionCheck(pnode, action)
baseline.fireAlert(pnode)
# Wait for proccess all the tree
if (num_events >= total_events):
engine.run(root)
log.debug("Waiting for events on eventlog")
wait_result = win32event.WaitForSingleObject(h_evt, -1)
def ReadLog(computer, logType="Application", dumpEachRecord=0):
# read the entire log back.
h = win32evtlog.OpenEventLog(computer, logType)
numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
# print "There are %d records" % numRecords
num = 0
while 1:
objects = win32evtlog.ReadEventLog(
h,
win32evtlog.EVENTLOG_BACKWARDS_READ
| win32evtlog.EVENTLOG_SEQUENTIAL_READ,
0,
)
if not objects:
break
for object in objects:
# get it for testing purposes, but dont print it.
msg = win32evtlogutil.SafeFormatMessage(object, logType)
if object.Sid is not None:
try:
domain, user, typ = win32security.LookupAccountSid(
computer, object.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error:
sidDesc = str(object.Sid)
user_desc = "Event associated with user %s" % (sidDesc, )
else:
user_desc = None
if dumpEachRecord:
print("Event record from %r generated at %s" %
(object.SourceName, object.TimeGenerated.Format()))
if user_desc:
print(user_desc)
try:
print(msg)
except UnicodeError:
print(
"(unicode error printing message: repr() follows...)")
print(repr(msg))
num = num + len(objects)
if numRecords == num:
print("Successfully read all", numRecords, "records")
else:
print("Couldn't get all records - reported %d, but found %d" %
(numRecords, num))
print(
"(Note that some other app may have written records while we were running!)"
)
win32evtlog.CloseEventLog(h)
def read_logs(api_url, regex):
server = 'localhost'
logtype = 'Security'
filehandler = win32evtlog.OpenEventLog(server, logtype)
eventhandler = win32event.CreateEvent(None, 1, 0, 'wait')
flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
win32evtlog.NotifyChangeEventLog(filehandler, eventhandler)
cursorlog = win32evtlog.GetNumberOfEventLogRecords(filehandler)
new_logs = skip_old_logs(cursorlog, filehandler, flags)
map(lambda e: handle_event(e, api_url, regex), new_logs)
while True:
result = win32event.WaitForSingleObject(eventhandler, 1)
if not result:
cursorlog = win32evtlog.GetNumberOfEventLogRecords(filehandler)
while True:
readlog = win32evtlog.ReadEventLog(filehandler, flags,
cursorlog)
if len(readlog) == 0:
break
for event in readlog:
handle_event(event, api_url, regex)
def todays_events(server,logtype,ids=[4648]):
import datetime
from vyperlogix import misc
from vyperlogix.misc import _utils
from vyperlogix.hash.lists import HashedLists
from vyperlogix.classes.SmartObject import SmartObject
import win32evtlog
#logon_event_ids = [id for id in [int(e.id) for e in events_by_tokens.get('logon',[])] if (id > 999)]
logon_event_ids = ids if (misc.isList(ids)) else [4648]
hand = win32evtlog.OpenEventLog(server,logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
now = _utils.today_localtime()
seconds_in_day = 24*60*60
__todays_events__ = []
__running__ = True
while (__running__):
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
if (event.EventID in logon_event_ids):
#print 'Event Category:', event.EventCategory
#print 'Time Generated:', event.TimeGenerated
dt = _utils.getFromDateTimeStr(event.TimeGenerated.Format(),format='%m/%d/%y %H:%M:%S')
delta = max(now,dt) - min(now,dt)
#print 'delta.total_seconds()=%s' % (delta.total_seconds())
if (delta.total_seconds() < seconds_in_day):
__todays_events__.append(event)
else:
__running__ = False
break
#print 'Source Name:', event.SourceName
#print 'Event ID:', event.EventID
#print 'Event Type:', event.EventType
#data = event.StringInserts
#if data:
#print 'Event Data:'
#for msg in data:
#print msg
#print '='*40
else:
break
return __todays_events__
def GetEvents(self, evtmgr, log_type,stub):
self.clearEvt(log_type)
hand = win32evtlog.OpenEventLog("localhost", log_type) # Handle the connection to EventViewer
flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
last_check = win32evtlog.GetNumberOfEventLogRecords(hand)
self.send_report(stub,"Information Message", "Thread "+log_type + " start to run")
evtmgr.hostname = self._station_name_ # Using Socket we can know the PC name
evtmgr.username = getpass.getuser() # Using getpass we can know what user is current using
evtmgr.os = platform.system() # Using platform to get OS brand
evtmgr.ip_add = socket.gethostbyname(evtmgr.hostname) # Get the IP Address from socket
evtmgr.mac_add = get_mac_address(ip=(socket.gethostbyname(evtmgr.hostname))) # Get the MAC_Address
# ! Important: This while must stop when service is stopped ! #
while self.keepAlive():
curr_check = win32evtlog.GetNumberOfEventLogRecords(hand)
if curr_check > last_check:
events = win32evtlog.ReadEventLog(hand, flags, curr_check)
for event in events:
evtmgr.id = str(event.EventID)
evtmgr.time.FromDatetime(event.TimeGenerated)
evtmgr.type = str(event.EventType)
evtmgr.src = event.SourceName
evtmgr.cat = str(event.EventCategory)
data = event.StringInserts
data_list = evtmgr.dataList
if data:
for msg in data:
data_list.append(msg)
# Push log return true if completed
if(stub.PushLog(evtmgr)): # Debug in gRPC to return value
last_check = curr_check
else:
self.send_report(stub, "Error Message",
"Thread " + log_type + " fail to push from device")
def __init__(self, regex_filter=None, interval=None, kind='Security'):
if os.name != 'nt':
raise OSException('This parser works only on Windows machine!')
self.regex_filter = regex_filter
self.interval = interval
# ova dva bih mogao citati iz configa isto
# ili mozda ipak ni ne treba
self.server = 'localhost' # name of the target computer to get event logs
self.logtype = kind
self.hand = win32evtlog.OpenEventLog(self.server, self.logtype)
self.flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
self.total = win32evtlog.GetNumberOfEventLogRecords(self.hand)
Thread.__init__(self)
self.last_log_timestamp = datetime.now()
def ParseEvents(eventtype, server):
try:
hand = win32evtlog.OpenEventLog(server, eventtype)
except pywintypes.error as e:
SetColor(FOREGROUND_RED | FOREGROUND_INTENSITY)
print e[2]
SetColor(FOREGROUND_WHITE)
os._exit(0)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
events = 1
count = 0
result = []
results = result.append
while events:
events = win32evtlog.ReadEventLog(hand, flags, 0)
if events:
for event in events:
count += 1
time = "date_time= %s" % str(event.TimeGenerated)
cat = "type= %s" % str(event.SourceName)
eventID = "eventid= %s" % str(event.EventID & 0x1FFFFFFF)
strings = "data= %s" % str(event.StringInserts).replace(
"\\\\", "\\").replace("u'", "'").replace("%%", "")
results((time, cat, eventID, strings))
bar_len = 55
filled_len = int(round(bar_len * count / float(total)))
percents = round(100.0 * count / float(total), 1)
bar = '=' * filled_len + '-' * (bar_len - filled_len)
sys.stdout.write('[%s] %s%s %s/%s \r' %
(bar, percents, '%', count, total))
sys.stdout.flush()
yield result
if total == count:
SetColor(FOREGROUND_AQUA | FOREGROUND_INTENSITY)
print
print "Successfully read all", total, "records"
print
else:
SetColor(FOREGROUND_RED | FOREGROUND_INTENSITY)
print
print "Couldn't get all records - reported %d, but found %d" % (total,
count)
print "(Note that some other app may have written records while we were running!)"
print
win32evtlog.CloseEventLog(hand)
def readEventLog(server, log_type):
'''
Reads the log_type (e.g., "Application" or "System") Windows events from the
specified server.
'''
begin_sec = time.time()
begin_time = time.strftime('%H:%M:%S ', time.localtime(begin_sec))
seconds_per_hour = 60 * 60
how_many_seconds_back_to_search = seconds_per_hour * 1
gathered_events = []
try:
log_handle = win32evtlog.OpenEventLog(server, log_type)
total = win32evtlog.GetNumberOfEventLogRecords(log_handle)
print("Scanning through {} events on {} in {}".format(
total, server, log_type))
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
event_count = 0
events = 1
while events:
events = win32evtlog.ReadEventLog(log_handle, flags, 0)
seconds = begin_sec
for event in events:
the_time = event.TimeGenerated.Format()
seconds = 1
if seconds < begin_sec - how_many_seconds_back_to_search: break
if event.EventType == win32con.EVENTLOG_ERROR_TYPE:
event_count += 1
gathered_events.append(event)
if seconds < begin_sec - how_many_seconds_back_to_search:
break # get out of while loop as well
win32evtlog.CloseEventLog(log_handle)
except:
try:
print(traceback.print_exc(sys.exc_info()))
except:
print('Exception while printing traceback')
return gathered_events
def display_logs(logtype):
global display, prin
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
x = 0
if prin == 1:
filename = folder_loc + "\\" + logtype + "_Logs" + ".txt"
file = open(filename, 'w')
while x <= int(num_of_logs):
events = win32evtlog.ReadEventLog(hand, flags, 0)
if events:
for event in events:
x += 1
if display == 1:
print("Record Number:", event.RecordNumber)
print('Event Category:', event.EventCategory)
print("Source Name:", event.SourceName)
print('Time Generated:', event.TimeGenerated)
print('Event ID:', event.EventID)
print('Event Type:', event.EventType)
data = event.StringInserts
if data:
print('Event Data:')
print(str(data))
#for msg in data:
# print(msg)
print("\n\n")
if prin == 1:
file.write("Record Number:" + str(event.RecordNumber))
file.write('\nEvent Category:' + str(event.EventCategory))
file.write("\nSource Name:" + event.SourceName)
file.write('\nTime Generated:' + str(event.TimeGenerated))
file.write('\nEvent ID:' + str(event.EventID))
file.write('\nEvent Type:' + str(event.EventType))
data = event.StringInserts
if data:
file.write('\nEvent Data:')
file.write(str(data))
#for msg in data:
# file.write("\n" + msg)
file.write("\n\n")
def get_number_of_events(log_name, target_computer=None):
'''
Gets the number of events in a log.
log_name
str
target_computer
None or str
return
int
'''
handler = _get_event_handler(log_name, target_computer)
number_of_events = win32evtlog.GetNumberOfEventLogRecords(handler)
_close_event_handler(handler)
return number_of_events
def read_log(self):
print("Opening : " + self.SourceName)
# http://timgolden.me.uk/pywin32-docs/win32evtlog__OpenEventLog_meth.html
# https://docs.microsoft.com/en-us/windows/win32/eventlog/querying-for-event-source-messages
# EventLog keys: https://docs.microsoft.com/en-us/windows/desktop/eventlog/eventlog-key
# reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
log_handle = win32evtlog.OpenEventLog(self.MachineName,
self.SourceName)
if log_handle is None:
return
# Path : str
# Event log name or Path of an export file
# Flags : int
# EvtOpenChannelPath (1) or EvtOpenFilePath (2)
# Session=None : PyEVT_HANDLE
# Handle to a remote session (see win32evtlog::EvtOpenSession), or None for local machine.
# win32evtlog.EvtOpenLog('ForwardedEvents', 1 , None)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(log_handle)
print("Total: %d" % total)
events = 1
while events:
# https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-readeventloga
events = win32evtlog.ReadEventLog(log_handle, flags, 0)
# http://timgolden.me.uk/pywin32-docs/PyEventLogRecord.html
for event in events:
if not event:
break
print("%s: %s %d" % (event.TimeWritten.Format(),
event.SourceName, event.EventID))
if event.StringInserts:
for string_insert in event.StringInserts:
print('\t' + string_insert)
print('')
win32evtlog.CloseEventLog(log_handle)
def readEventLog(self, server, log_type, eventArray):
'''
Reads the log_type (e.g., "Application" or "System") Windows events from the
specified server.
'''
try:
"""Open Log File and sort array on Event ID"""
log_handle = win32evtlog.OpenEventLog(server, log_type)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(log_handle)
try:
eventArray.sort(
key=lambda x:
(x.EventType or 0, x.EventID or 0, x.Sid or 0, x.SourceName
or '', x.StringInserts or '', x.EventCategory or 0, x.Data
or '', x.ComputerName or ''),
reverse=True)
except Exception as e:
print(e)
try:
logger.info(traceback.print_exc(sys.exc_info()))
except:
logger.info('Exception sort went wrong')
logger.info("Scanning through {} events on {} in {}".format(
total, server, log_type))
"""As long as there are events keep reading"""
readEvent_count = 0
readEvents = 1
while readEvents:
readEvents = win32evtlog.ReadEventLog(log_handle, flags, 0)
for readEvent in readEvents:
self.compareLogRecordWithList(eventArray, readEvent)
readEvent_count += 1
""""Close Log File"""
logger.info("Scanned through {} events on {} in {}".format(
readEvent_count, server, log_type))
win32evtlog.CloseEventLog(log_handle)
except:
logger.info("I cant read yar bastard")
try:
logger.info(traceback.print_exc(sys.exc_info()))
except:
logger.info('Exception while printing traceback')
def readevents(path):
logHandle = win32evtlog.OpenBackupEventLog(
None, path) # None=NULL means local host
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(logHandle)
LOGGER.info("Total number of records for {} is: {}".format(path, total))
# if "security" in path.lower():
# logType = "Security"
# elif "application" in path.lower():
# logType = "Application"
# elif "system" in path.lower():
# logType = "System"
# else:
# LOGGER.error("Unknown log type - put something in path")
# sys.exit(-1)
event_dict = None
while True:
events = win32evtlog.ReadEventLog(logHandle, flags, 0)
if events:
for event in events:
event_dict = {}
event_dict['TimeGenerated'] = time.strftime(
"%#c", time.localtime(int(event.TimeGenerated)))
event_dict['SourceName'] = event.SourceName
event_dict['Id'] = event.EventID
event_dict['EventType'] = event.EventType
event_dict['ComputerName'] = event.ComputerName
if event.StringInserts:
event_dict['data'] = "|".join(event.StringInserts)
description = expandString(event)
event_dict['Description'] = description
if description:
event_dict.update(description_to_fields(description))
first_line = description.split("\r\n")[0]
event_dict['Short Description'] = first_line
yield event_dict
else:
break
def isEvent(): elog = win32evtlog.OpenEventLog(None, "Application") nr = win32evtlog.GetNumberOfEventLogRecords(elog) if nr>0: events = win32evtlog.ReadEventLog(elog, win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ,0) if events: for event in events: if int(event.EventID) == 1000 and int(event.EventCategory) == 100: #Of course it's not enough but at least something data = event.StringInserts crash = CrashReport() crash.location = data[0] + "!" +data[3] crash.faultAddr = "UNKNOWN" crash.code = "UNKNOWN" crash.nearNull = True crash.type = data[6] crash.stack = "UNKNOWN" crash.info = "UNKNOWN" return crash return None
def get_ps():
server = 'localhost' # name of the target computer to get event logs
logtype = 'Windows PowerShell' # 'Application' # 'Security' # 'Windows PowerShell'
hand = win32evtlog.OpenEventLog(server,logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
while True:
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
data = event.StringInserts
if data:
for msg in data:
msg = msg.split("\n")
for i in msg :
if "HostApplication" in i:
path = i.split()[-1][1:len(i.split()[-1])-1]
if os.path.isabs(path):
inser_to_paths(path)
else:
break
def read_log():
server = 'localhost' # name of the target computer to get event logs
logtype = 'System' # 'Application' # 'Security'
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
while True:
events = win32evtlog.ReadEventLog(hand, flags, 0)
if events:
for event in events:
print('Event Category:', event.EventCategory)
print('Time Generated:', event.TimeGenerated)
print('Source Name:', event.SourceName)
print('Event ID:', event.EventID)
print('Event Type:', event.EventType)
data = event.StringInserts
if data:
print('Event Data:')
for msg in data:
print(msg)
print()