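def EventlogTotal(filename):
    """Parse every record of an EVTX file into Eventlog_Total_Information objects.

    Args:
        filename: path of the .evtx file to read (POSIX or Windows style).

    Returns:
        list of Eventlog_Total_Information, one per record whose XML could be
        rendered by python-evtx; records whose ``rec.xml()`` raises are skipped.

    Raises:
        Whatever ``evtx.Evtx`` raises for an unreadable file; malformed record
        XML propagates from ``XML.fromstring``.
    """
    # NOTE(review): xml.etree is documented as not secure against maliciously
    # constructed input (entity-expansion blowup). When the log comes from an
    # untrusted host, consider parsing with defusedxml instead.
    result = []
    # Basename of either a POSIX or a Windows path string: the path may have
    # been captured on a different OS than the one running this parser.
    source = filename.replace('\\', '/').split('/')[-1]
    with evtx.Evtx(filename) as log:
        for rec in log.records():
            try:
                xml_str = rec.xml()
            except Exception:
                # Best effort, as before: a record python-evtx cannot render
                # (corrupt chunk / unknown template) is skipped, not fatal.
                continue
            root = XML.fromstring(xml_str)
            # <Event> has <System> as its first child. Its children are
            # located by local tag name rather than by fixed ordinal, since
            # the rendered template does not guarantee TimeCreated/Security
            # at a particular position.
            system = root[0]
            info = Eventlog_Total_Information()

            event_id = _system_child(system, 'EventID')
            info.event_id = event_id.text if event_id is not None else None

            time_created = _system_child(system, 'TimeCreated')
            system_time = (time_created.get('SystemTime')
                           if time_created is not None else None)
            # Normalise "YYYY-MM-DD HH:MM:SS.ffffff" to ISO-8601 with a UTC
            # designator; None when the record carries no timestamp.
            info.time_created = (system_time.replace(' ', 'T') + 'Z'
                                 if system_time else None)

            security = _system_child(system, 'Security')
            info.user_sid = security.get('UserID') if security is not None else None

            info.source = source
            # Stored with HTML entities decoded. If this field is later
            # rendered in an HTML view it must be re-escaped at that sink —
            # TODO confirm how consumers display `data`.
            info.data = html.unescape(xml_str)
            result.append(info)
    return result


def _system_child(system, local_name):
    """Return the first child of *system* whose namespace-stripped tag is *local_name*, else None."""
    for child in system:
        if child.tag.rsplit('}', 1)[-1] == local_name:
            return child
    return None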
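def write(self, ns=None):
    """Serialize ``self._root`` to the file ``self._dst``, preceded by the XML declaration.

    Args:
        ns: optional mapping merged, after ``Dictionary(ns).reverse()``, into
            the namespace table ElementTree collected from the tree, so the
            caller can force particular prefixes. ``None`` (the default) adds
            nothing; it replaces the former shared mutable ``{}`` default.
    """
    extra_ns = {} if ns is None else ns
    # NOTE(review): _namespaces/_serialize are private ElementTree helpers,
    # and the three-positional-argument forms used here match Python 2.7's
    # signatures; Python 3 changed both — confirm against the interpreter
    # this module runs under.
    qnames, namespaces = ET._namespaces(self._root, self._encod, None)
    namespaces.update(Dictionary(extra_ns).reverse())
    serialize = ET._serialize[self._method]
    # The context manager guarantees the file is closed even if
    # serialization raises part-way through.
    with open(self._dst, "w") as file_dst:
        file_dst.write('{0}\n'.format(XMLNSParser.xml_declaration))
        # NOTE(review): the file is opened in text mode with the platform
        # default encoding while the serializer is told self._encod — verify
        # they agree for the target interpreter.
        serialize(file_dst.write, self._root, self._encod, qnames, namespaces)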