def update_bookmark(self, event):
    """Move the persistent bookmark to ``event`` and store its XML form.

    ``self._bookmark_handle`` is advanced to ``event``, rendered with
    ``EvtRenderBookmark`` and written to the persistent cache under the
    ``'bookmark'`` key. The Microsoft guide linked below describes how such
    a bookmark is used to resume reading a channel at a known position.

    Args:
        event: event handle as yielded by the ``win32evtlog`` reader.

    References:
        https://docs.microsoft.com/en-us/windows/win32/wes/bookmarking-events
        https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtupdatebookmark
        http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtUpdateBookmark_meth.html
        https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtrender
        http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtRender_meth.html
    """
    handle = self._bookmark_handle
    win32evtlog.EvtUpdateBookmark(handle, event)
    # Serialise the (now updated) bookmark so it can be reloaded later.
    rendered = win32evtlog.EvtRender(handle, win32evtlog.EvtRenderBookmark)
    self.write_persistent_cache('bookmark', rendered)
def log_event(self, event):
    """Emit one Windows event as an ``EventLog`` record and advance its channel bookmark.

    The event's system-context properties are rendered into a dict, a few
    fields are normalised to text (GUIDs, keywords, user SID) or to a UTC
    timestamp string, and the result is handed to ``self._logger.emit_value``
    as ``extra_fields``. Afterwards the in-memory bookmark for the event's
    ``Channel`` (if present) is moved to this event, under
    ``self.__bookmark_lock``.

    Args:
        event: event handle as yielded by the ``win32evtlog`` reader.
    """
    context = win32evtlog.EvtCreateRenderContext(win32evtlog.EvtRenderContextSystem)
    vals = self.GetFormattedEventAsDict(context, event)

    provider = vals.get("ProviderName", "not-specified")

    # GUID-valued fields are coerced to text before being emitted.
    for key in ("ProviderGuid", "ActivityId", "RelatedActivityId"):
        if key in vals:
            vals[key] = six.text_type(vals[key])

    # NOTE(review): int() here assumes TimeCreated is an epoch-seconds
    # value - confirm against what GetFormattedEventAsDict returns.
    if "TimeCreated" in vals:
        created = time.gmtime(int(vals["TimeCreated"]))
        vals["TimeCreated"] = time.strftime("%Y-%m-%d %H:%M:%SZ", created)

    if "Keywords" in vals:
        keywords = vals["Keywords"]
        if isinstance(keywords, list):
            vals["Keywords"] = ",".join(keywords)
        else:
            vals["Keywords"] = six.text_type(keywords)

    if "UserId" in vals:
        sid_prefix = "PySID:"
        user_id = six.text_type(vals["UserId"])
        # The text form of the SID may carry a "PySID:" prefix; drop it so
        # only the SID itself is logged.
        if user_id.startswith(sid_prefix):
            user_id = user_id[len(sid_prefix):]
        vals["UserId"] = user_id

    self._logger.emit_value("EventLog", provider, extra_fields=vals)

    # The bookmark is advanced only after the record was emitted, so a
    # failure in emit_value leaves the bookmark behind this event.
    with self.__bookmark_lock:
        if "Channel" in vals:
            channel = vals["Channel"]
            try:
                bookmark = self.__bookmarks[channel]
            except KeyError:
                bookmark = win32evtlog.EvtCreateBookmark(None)
                self.__bookmarks[channel] = bookmark
            win32evtlog.EvtUpdateBookmark(bookmark, event)
def log_event(self, event):
    """Emit one Windows event as an ``EventLog`` record and advance its channel bookmark.

    The event's system-context properties are rendered into a dict, a few
    fields are normalised to text (GUIDs, keywords, user SID) or to a UTC
    timestamp string, and the result is handed to ``self._logger.emit_value``
    as ``extra_fields``. Afterwards the in-memory bookmark for the event's
    ``Channel`` (if present) is moved to this event, under
    ``self.__bookmark_lock``.

    Args:
        event: event handle as yielded by the ``win32evtlog`` reader.
    """
    context = win32evtlog.EvtCreateRenderContext(win32evtlog.EvtRenderContextSystem)
    vals = self.GetFormattedEventAsDict(context, event)

    provider = vals.get('ProviderName', 'not-specified')

    # GUID-valued fields are coerced to text before being emitted.
    for key in ('ProviderGuid', 'ActivityId', 'RelatedActivityId'):
        if key in vals:
            vals[key] = str(vals[key])

    # NOTE(review): int() here assumes TimeCreated is an epoch-seconds
    # value - confirm against what GetFormattedEventAsDict returns.
    if 'TimeCreated' in vals:
        created = time.gmtime(int(vals['TimeCreated']))
        vals['TimeCreated'] = time.strftime("%Y-%m-%d %H:%M:%SZ", created)

    if 'Keywords' in vals:
        keywords = vals['Keywords']
        if isinstance(keywords, list):
            vals['Keywords'] = ','.join(keywords)
        else:
            vals['Keywords'] = str(keywords)

    if 'UserId' in vals:
        sid_prefix = "PySID:"
        user_id = str(vals['UserId'])
        # The text form of the SID may carry a "PySID:" prefix; drop it so
        # only the SID itself is logged.
        if user_id.startswith(sid_prefix):
            user_id = user_id[len(sid_prefix):]
        vals['UserId'] = user_id

    self._logger.emit_value("EventLog", provider, extra_fields=vals)

    # The bookmark is advanced only after the record was emitted, so a
    # failure in emit_value leaves the bookmark behind this event.
    with self.__bookmark_lock:
        if 'Channel' in vals:
            channel = vals['Channel']
            try:
                bookmark = self.__bookmarks[channel]
            except KeyError:
                bookmark = win32evtlog.EvtCreateBookmark(None)
                self.__bookmarks[channel] = bookmark
            win32evtlog.EvtUpdateBookmark(bookmark, event)