def handle_new_event(): """ Called when a Aanew security event is registered in the Domain Controller (localhost). Goes over the latest events, and check for a valid logon event. If found, calls 'check_logon' to check the events on the remote server. Return Value (NoneType): None """ log_handle = win32evtlog.OpenEventLog(SERVER, SOURCE_TYPE) # Open the log file to view the latest event events = win32evtlog.ReadEventLog(log_handle, FLAGS, READ_EVENT_LOG_OFFSET) # Read the events from the log file time_index = events[0].TimeGenerated # Time of latest event for event in events: if(event.TimeGenerated != time_index): # Only check new events - return if(event.EventID != LOGON_EVENT_ID): continue account_name = event.StringInserts[5] logonType = event.StringInserts[8] account_domain = event.StringInserts[18] if(account_name == HOSTNAME or account_domain == EMPTY_EVENT_ATTRIBUTE_SIGN): continue logger.info(f'{account_name} logged on to {account_domain}. Logon Type: {logonType}. Checking logon in remote computer...') threading.Thread(target=handle_remote_actions, args=(account_domain, account_name)).start()
def __read_from_event_log( self, source, event_types ): event_log = win32evtlog.OpenEventLog( self.__server, source ) if not event_log: self._logger.error( "Unknown error opening event log for '%s'" % source ) return #we read events in reverse from the end of the log to avoid problems when #seeking directly to a record in a large log file flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ offset = 0 #use the checkpoint if it exists if source in self.__checkpoints: offset = self.__checkpoints[source] #a list of events that we haven't yet seen event_list = [] try: events = True while events: events = win32evtlog.ReadEventLog( event_log, flags, offset ) for event in events: #if we encounter our last seen record, then we are done if offset == event.RecordNumber or len( event_list ) >= self.__maximum_records: events = False break else: # add the event to our list of interested events # if it is one we are interested in if event.EventType in event_types: event_list.append( event ) except Exception, error: self._logger.error( "Error reading from event log: %s", str( error ), limit_once_per_x_secs=self.__error_repeat_interval, limit_key="EventLogError" )
def get_event_log(server, log_type='system'): log_handle = win32evtlog.OpenEventLog(server, log_type) total_num_records = win32evtlog.GetNumberOfEventLogRecords(log_handle) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ print "There are %d records" % total_num_records events = 1 while events: events = win32evtlog.ReadEventLog(log_handle, flags, 0) for event in events: if is_common_event_id(event.EventID): print event.EventID print event.EventCategory print event.TimeGenerated.Format() # print event.TimeWritten # <type 'time'> print event.EventType # win32evtlog.EVENTLOG_ERROR_TYPE, print event.ComputerName print event.SourceName print win32evtlogutil.SafeFormatMessage(event, log_type) # Event Description # print event.StringInserts print event.Sid if event.Sid is not None: try: domain, user, typ = win32security.LookupAccountSid(server, event.Sid) sidDesc = "%s/%s" % (domain, user) except win32security.error: # from pywintypes import error sidDesc = str(event.Sid) user_desc = "Event associated with user %s" % (sidDesc,) else: user_desc = None print user_desc win32evtlog.CloseEventLog(log_handle)
def fun(): server = 'localhost' # name of the target computer to get event logs logtype = 'System' # 'Application' # 'Security' flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ #total = win32evtlog.GetNumberOfEventLogRecords(hand) hand = win32evtlog.OpenEventLog(server,logtype) begin_sec = time.time() begin_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(begin_sec)) print(begin_sec) time.sleep(30) events = win32evtlog.ReadEventLog(hand, flags,0) if events: for event in events: #print(event.TimeGenerated) datetime_object = datetime.strptime(str(event.TimeGenerated), '%Y-%m-%d %H:%M:%S') seconds = time.mktime(datetime_object.timetuple()) if(begin_sec<=seconds): #print(begin_sec) #print(seconds) print('Time Generated:', event.TimeGenerated) print('Source Name:', event.SourceName) print('Event Type:', event.EventType) print('String inserts', event.StringInserts) writeLog(event.EventType, event.TimeGenerated, event.SourceName)
def _list_evt_xp(self, server, logtype): """Retrieves the contents of the event log for Windows XP""" self.logger.info('Exporting logs for : ' + logtype) hand = win32evtlog.OpenEventLog(server, logtype) flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ total = win32evtlog.GetNumberOfEventLogRecords(hand) sum_evt = 0 while True: events = win32evtlog.ReadEventLog(hand, flags, 0) sum_evt += len(events) if events: for event in events: data = event.StringInserts date = datetime.datetime(event.TimeGenerated.year, event.TimeGenerated.month, event.TimeGenerated.day, event.TimeGenerated.hour, event.TimeGenerated.minute, event.TimeGenerated.second).strftime( '%d/%m/%Y %H:%M:%S') # print date + ' : ' + log_type + ' -> ' + log_data if data: yield unicode(event.EventCategory), unicode(event.SourceName), unicode(event.EventID), unicode( event.EventType), date, list(data) else: yield unicode(event.EventCategory), unicode(event.SourceName), unicode(event.EventID), unicode( event.EventType), date, [] if sum_evt >= total: break
def justWokeUp(): justWokeUp = False # crack open the windows event logs and see if we woke up less than X minutes ago server = 'localhost' logtype = 'System' log = win32evtlog.OpenEventLog(server, logtype) foundPowerEvent = False readFlags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ # read backwards in order wakeTime = "" # get most recent power event while (not (foundPowerEvent)): events = win32evtlog.ReadEventLog( log, readFlags, 0) # 0 is the offset, don't bother with it for event in events: if (event.SourceName == "Microsoft-Windows-Power-Troubleshooter"): wakeTime = event.TimeGenerated foundPowerEvent = True break niceWakeTime = datetime.datetime.strptime(str(wakeTime), "%Y-%m-%d %H:%M:%S") timeNow = datetime.datetime.today() timeDifference = timeNow - niceWakeTime timeDifference = timeDifference.total_seconds() print(timeDifference) if (timeDifference < 300): # you've got five minutes to do your job, pal justWokeUp = True return justWokeUp
def RetrieveEvent(self): Datmsg = '' hand = win32evtlog.OpenEventLog('localhost',self.LogType) flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ total = win32evtlog.GetNumberOfEventLogRecords(hand) ev = 0 while ev != int(self.NumEvt): events = win32evtlog.ReadEventLog(hand, flags,0) if events: for event in events: if (event.EventID == int(self.EvntID) or event.EventID == int(self.EvntIdII)) and (event.SourceName == self.EvtSourceName or event.SourceName == self.EvtSourceNameII): self.Datapayload["EvtSourceName"] = event.SourceName self.Datapayload["EvntID"]= self.EvntID self.Datapayload['TimeGenerated']= str(event.TimeGenerated) #print(self.Datapayload) data = event.StringInserts if data: for msg in data: Datmsg = Datmsg + msg #print(msg) self.Datapayload["EventData"]= Datmsg ev += 1 else: ev += 1 self.Datapayload['UserName'] = self.UserName self.Datapayload['ComputerName'] = os.environ['COMPUTERNAME'] return self.Datapayload
def ReadLog(computer, logType="Application", dumpEachRecord = 0): # read the entire log back. h=win32evtlog.OpenEventLog(computer, logType) numRecords = win32evtlog.GetNumberOfEventLogRecords(h) # print "There are %d records" % numRecords num=0 while 1: objects = win32evtlog.ReadEventLog(h, win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0) if not objects: break for object in objects: # get it for testing purposes, but dont print it. msg = SafeFormatMessage(object, logType).encode("mbcs") if object.Sid is not None: try: domain, user, typ = win32security.LookupAccountSid(computer, object.Sid) sidDesc = "%s/%s" % (domain, user) except win32security.error: sidDesc = str(object.Sid) user_desc = "Event associated with user %s" % (sidDesc,) else: user_desc = None if dumpEachRecord: if user_desc: print user_desc print msg num = num + len(objects) if numRecords == num: print "Successfully read all", numRecords, "records" else: print "Couldn't get all records - reported %d, but found %d" % (numRecords, num) print "(Note that some other app may have written records while we were running!)" win32evtlog.CloseEventLog(h)
def clean_event_logs(): lognames = ['Application', 'Security', 'System'] machine = None for logname in lognames: h = win32evtlog.OpenEventLog(machine, logname) win32evtlog.ClearEventLog(h, None) win32evtlog.CloseEventLog(h)
def BackupClearLog(logType): datePrefix = time.strftime("%Y%m%d", time.localtime(time.time())) fileExists = 1 retry = 0 while fileExists: if retry == 0: index = "" else: index = "-%d" % retry try: fname = os.path.join( win32api.GetTempPath(), "%s%s-%s" % (datePrefix, index, logType) + ".evt") os.stat(fname) except os.error: fileExists = 0 retry = retry + 1 # OK - have unique file name. try: hlog = win32evtlog.OpenEventLog(None, logType) except win32evtlogutil.error as details: print("Could not open the event log", details) return try: if win32evtlog.GetNumberOfEventLogRecords(hlog) == 0: print("No records in event log %s - not backed up" % logType) return win32evtlog.ClearEventLog(hlog, fname) print("Backed up %s log to %s" % (logType, fname)) finally: win32evtlog.CloseEventLog(hlog)
def read_and_parse(self): flag = False while True: if flag: break self.hand = win32evtlog.OpenEventLog(self.server, self.logtype) events = win32evtlog.ReadEventLog(self.hand, self.flags, 0) w_logs = [] if events: for event in events: if event.TimeGenerated > self.last_log_timestamp: msg_data = event.StringInserts if msg_data: msg = ' '.join(msg_data) else: msg = '' w_log = WindowsLog(str(event.TimeGenerated), SeverityLevel(event.EventType).name, event.EventID, event.ComputerName, event.SourceName, msg) print(w_log.format_json()) w_logs.append(w_log.format_json()) self.last_log_timestamp = event.TimeGenerated else: flag = True win32evtlog.CloseEventLog(self.hand) return w_logs
def readEventLog(server, log_type): # Reads the log_type (e.g. "Application" or "System" from the Windows event viewer on the specified server try: # Open the log file and sort array on Event ID's log_handle = win32evtlog.OpenEventLog(server, log_type) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ total = win32evtlog.GetNumberOfEventLogRecords(log_handle) print("Scanning through {} events on {} in {}".format( total, server, log_type)) # As long as there are events, keep reading readEvent_count = 1 readEvents = 1 events = [] while readEvents: readEvents = win32evtlog.ReadEventLog(log_handle, flags, 1) for event in readEvents: events.append(event) readEvent_count += 1 win32evtlog.CloseEventLog(log_handle) return events except: print("I can't read yar bastard") try: print(traceback.print_exc(sys.exc_info())) except: print("Exception whilst printing traceback")
def getEventLogs(self, server, logtype, logPath): """ Get the event logs from the specified machine according to the logtype (Example: Application) and save it to the appropriately named log file """ print("Logging %s events" % logtype) log = codecs.open(logPath, encoding='utf-8', mode='w') line_break = '-' * 80 log.write("\n%s Log of %s Events\n" % (server, logtype)) log.write("Created: %s\n\n" % time.ctime()) log.write("\n" + line_break + "\n") hand = win32evtlog.OpenEventLog(server, logtype) total = win32evtlog.GetNumberOfEventLogRecords(hand) print("Total events in %s = %s" % (logtype, total)) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ events = win32evtlog.ReadEventLog(hand, flags, 0) evt_dict = { win32con.EVENTLOG_AUDIT_FAILURE: 'EVENTLOG_AUDIT_FAILURE', win32con.EVENTLOG_AUDIT_SUCCESS: 'EVENTLOG_AUDIT_SUCCESS', win32con.EVENTLOG_INFORMATION_TYPE: 'EVENTLOG_INFORMATION_TYPE', win32con.EVENTLOG_WARNING_TYPE: 'EVENTLOG_WARNING_TYPE', win32con.EVENTLOG_ERROR_TYPE: 'EVENTLOG_ERROR_TYPE' } try: events = 1 while events: events = win32evtlog.ReadEventLog(hand, flags, 0) for ev_obj in events: the_time = ev_obj.TimeGenerated.Format( ) #'12/23/99 15:54:09' evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID)) computer = str(ev_obj.ComputerName) cat = ev_obj.EventCategory record = ev_obj.RecordNumber msg = win32evtlogutil.SafeFormatMessage(ev_obj, logtype) source = str(ev_obj.SourceName) if not ev_obj.EventType in evt_dict.keys(): evt_type = "unknown" else: evt_type = str(evt_dict[ev_obj.EventType]) log.write("Event Date/Time: %s\n" % the_time) log.write("Event ID / Type: %s / %s\n" % (evt_id, evt_type)) log.write("Currently Active User(s): %s\n" % self.currentUsers) log.write("Record #%s\n" % record) log.write("Source: %s\n\n" % source) log.write(msg) log.write("\n\n") log.write(line_break) log.write("\n\n") except: print(traceback.print_exc(sys.exc_info())) print("Log creation finished. Location of log is %s" % logPath)
def get_event_logs(server, name, filters): handle = win32evtlog.OpenEventLog(server, name) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ logs = [] try: logged_after = filters['logged_after'] logged_after = datetime.datetime.now() - logged_after except KeyError: logged_after = datetime.datetime.now() - datetime.timedelta(days=1) try: while True: events = win32evtlog.ReadEventLog(handle, flags, 0) if events: for event in events: time_generated = datetime_from_event_date(event.TimeGenerated) if time_generated < logged_after: raise StopIteration elif is_interesting_event(event, name, filters): safe_log = normalize_event(event, name) logs.append(safe_log) else: raise StopIteration except StopIteration: pass finally: win32evtlog.CloseEventLog(handle) return logs
def ParseEvents(eventtype, limit=None, server=None): server = None hand = win32evtlog.OpenEventLog(server,eventtype) flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ total = win32evtlog.GetNumberOfEventLogRecords(hand) events = 1 count = 0 while events: events = win32evtlog.ReadEventLog(hand, flags,0) if events: for event in events: count += 1 if count <= 500: if interestingEvent(event,whitelist): time = "date_time=\"" + str(event.TimeGenerated) + "\"" cat = "type=\"" + str(event.SourceName) + "\"" eventID = "eventid=\"" + str(event.EventID & 0x1FFFFFFF) + "\"" strings = "data=\"" + str(event.StringInserts).replace("\\\\","\\").replace("u'","'").replace("%%","") + "\"" result = [] result.append((time, cat, eventID, strings)) yield result else: break
def get_power_of_records(self) -> Iterable[dict]: server = "localhost" for logtype in ["System", "Application", "Security"]: hand = win32evtlog.OpenEventLog(server, logtype) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ events = win32evtlog.ReadEventLog(hand, flags, 0) try: events = 1 while events: events = win32evtlog.ReadEventLog(hand, flags, 0) for ev_obj in events: infoTemp = {} if winerror.HRESULT_CODE(ev_obj.EventID) == 6005: infoTemp["time"] = ev_obj.TimeGenerated.Format() infoTemp["event"] = "power on" infoTemp["user"] = str(ev_obj.ComputerName) elif winerror.HRESULT_CODE(ev_obj.EventID) == 6006: infoTemp["time"] = ev_obj.TimeGenerated.Format() infoTemp["event"] = "power off" infoTemp["user"] = str(ev_obj.ComputerName) elif winerror.HRESULT_CODE(ev_obj.EventID) == 6008: infoTemp["time"] = ev_obj.TimeGenerated.Format() infoTemp["event"] = "power off" infoTemp["user"] = str(ev_obj.ComputerName) else: continue yield infoTemp except: print(traceback.print_exc(sys.exc_info()))
def __init__(self, server, eventid, log_type="Security"): self.server = server self.log_type = log_type self.flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ #self.flags = win32evtlog.EVENTLOG_BACKWARDS_READ| win32evtlog.EVENTLOG_SEQUENTIAL_READ self.logged_users = [] self.eventid = eventid self.log_handle = win32evtlog.OpenEventLog(self.server, self.log_type)
def __read_from_event_log(self, source, event_types): event_log = win32evtlog.OpenEventLog(self._server, source) if not event_log: self._logger.error("Unknown error opening event log for '%s'" % source) return # we read events in reverse from the end of the log to avoid problems when # seeking directly to a record in a large log file flags = ( win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ ) offset = -1 # use the checkpoint if it exists if source in self._checkpoints: offset = self._checkpoints[source] # a list of events that we haven't yet seen event_list = [] try: events = True while events: events = win32evtlog.ReadEventLog(event_log, flags, offset) for event in events: # special case for when there was no offset, in which case # the first event will be the latest event so use that for the # new offset if offset == -1: self._checkpoints[source] = event.RecordNumber events = False break # if we encounter our last seen record, then we are done elif ( offset == event.RecordNumber or len(event_list) >= self._maximum_records ): events = False break else: # add the event to our list of interested events # if it is one we are interested in if event.EventType in event_types: event_list.append(event) except Exception as error: self._logger.error( "Error reading from event log: %s", str(error), limit_once_per_x_secs=self._error_repeat_interval, limit_key="EventLogError", ) # now print out records in reverse order (which will put them in correct chronological order # because we initially read them in reverse) for event in reversed(event_list): self.__log_event(source, event) self._checkpoints[source] = event.RecordNumber
def event_logs(server="localhost", source="System"): # type: (str, str) -> Iterator[dict] """ EventType: severity level EVENTLOG_ERROR_TYPE 0x0001 EVENTLOG_WARNING_TYPE 0x0002 EVENTLOG_INFORMATION_TYPE 0x0004 EVENTLOG_AUDIT_SUCCESS 0x0008 EVENTLOG_AUDIT_FAILURE 0x0010 EventID: same for same class of messages, stringinserts are provides to template belonging to eventid """ fields = { "Reserved", "RecordNumber", "TimeGenerated", "TimeWritten", "EventID", "EventType", "EventCategory", "ReservedFlags", "ClosingRecordNumber", "SourceName", "StringInserts", "Sid", "Data", "ComputerName" } fields = { "Reserved", "RecordNumber", "TimeGenerated", "TimeWritten", "EventID", "EventType", "EventCategory", "ReservedFlags", "ClosingRecordNumber", "SourceName", "StringInserts", "ComputerName" } # missing: "Sid", "Data" handle = win32evtlog.OpenEventLog(server, source) flags = win32evtlog.EVENTLOG_SEQUENTIAL_READ | win32evtlog.EVENTLOG_FORWARDS_READ logger.debug("Preparing to read {} events".format( win32evtlog.GetNumberOfEventLogRecords(handle))) try: while True: events = win32evtlog.ReadEventLog(handle, flags, 0) if events: for event in events: ret = {f: getattr(event, f) for f in fields} # does that work for different time zones? ret["TimeGenerated"] = datetime.fromtimestamp( event.TimeGenerated.timestamp()) ret["TimeWritten"] = datetime.fromtimestamp( event.TimeWritten.timestamp()) if ret["StringInserts"]: ret["StringInserts"] = ", ".join( ret["StringInserts"]).replace("\r\n", "\n") if not ret["StringInserts"]: ret["StringInserts"] = None ret["EventID"] = winerror.HRESULT_CODE(ret["EventID"]) #print(ret) yield ret else: break finally: win32evtlog.CloseEventLog(handle)
def getEventLogs(server, logtype, logPath): log = codecs.open(logPath, encoding='utf-8', mode='w') begin_sec = time.time() begin_time = time.strftime('%H:%M:%S ', time.localtime(begin_sec)) hand = win32evtlog.OpenEventLog(server, logtype) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ events = win32evtlog.ReadEventLog(hand, flags, 0) evt_dict = { win32con.EVENTLOG_AUDIT_FAILURE: 'EVENTLOG_AUDIT_FAILURE', win32con.EVENTLOG_AUDIT_SUCCESS: 'EVENTLOG_AUDIT_SUCCESS', win32con.EVENTLOG_INFORMATION_TYPE: 'EVENTLOG_INFORMATION_TYPE', win32con.EVENTLOG_WARNING_TYPE: 'EVENTLOG_WARNING_TYPE', win32con.EVENTLOG_ERROR_TYPE: 'EVENTLOG_ERROR_TYPE' } try: events = 1 while events: events = win32evtlog.ReadEventLog(hand, flags, 0) for ev_obj in events: the_time = ev_obj.TimeGenerated.Format() # '12/23/99 15:54:09' seconds = date2sec(the_time) if seconds < begin_sec - 15: break evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID)) event_list = [ event for event in events if event.EventID == "27035" ] if event_list: print 'Event Category:', event_list[0].EventCategory computer = str(ev_obj.ComputerName) cat = ev_obj.EventCategory record = ev_obj.RecordNumber msg = win32evtlogutil.SafeFormatMessage(ev_obj, logtype) source = str(ev_obj.SourceName) if not ev_obj.EventType in evt_dict.keys(): evt_type = "unknown" else: evt_type = str(evt_dict[ev_obj.EventType]) # logging.info("Event Date/Time: %s\n" % the_time) # logging.info("Event ID / Type: %s / %s\n" % (evt_id, evt_type)) if evt_id in ['4625']: # An account failed to log on print "XXXXXXXXXXXXXXXXxxxxxxxxx--------FAILED LOGIN!!!" begin_sec = time.time() the_time = ev_obj.TimeGenerated.Format() seconds = date2sec(the_time) os.startfile(os.getcwd() + '\\dist\\capture_me.exe') logging.info("Record #%s" % record) logging.info("Source: %s" % source) logging.info(msg) logging.info('-' * 80) except: message = traceback.print_exc(sys.exc_info()) logging.error(message)
def analyze_one_log(event_log: str) -> None: """ Main analysis. Go thru events in one event log, compile statistics. Args: event_log (string): name of Windows Event Log to read. Returns: none. Raises: none. """ # Summary of one event. keys = [ 'EventID', 'Computer', 'Category', 'Source Name', 'Event Type', 'User Name', 'Log Name' ] event_summary = dict.fromkeys(keys, "") # Where we compile event statistics. event_stats = {} # Handle to a Windows Event Log. handle = win32evtlog.OpenEventLog('localhost', event_log) # Flags for reading the Event Log. flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ # num_events = win32evtlog.GetNumberOfEventLogRecords(handle) try: events = 1 while events: events = win32evtlog.ReadEventLog(handle, flags, 0) for event in events: # Unpack each event. event_summary['EventID'] = winerror.HRESULT_CODE(event.EventID) event_summary['Computer'] = event.ComputerName event_summary['Category'] = event.EventCategory event_summary['Source Name'] = event.SourceName event_summary['Event Type'] = type_name(event.EventType) event_summary['User Name'] = get_user_name(event.Sid) event_summary['Log Name'] = event_log # record_num = event.RecordNumber # string_inserts = event.StringInserts # message = win32evtlogutil.SafeFormatMessage(event, event_log) # Tally statistics. if frozendict(event_summary) in event_stats.keys(): event_stats[frozendict(event_summary)] += 1 else: event_stats[frozendict(event_summary)] = 1 except Exception: print(traceback.print_exc(sys.exc_info())) # Print event statistics. for event_summary, count in sorted(event_stats.items(), reverse=True, key=lambda item: item[1]): print("\n## {} occurrences of this event:".format(count)) for key, value in event_summary.items(): print(str(key) + ": " + str(value))
def ReadEvLog(logtype, source, log, start, end=None): # If any event is not 'INFO' => return 'ERR' # If the last event is not an 'INFO' => return 'WAR' (in fact when not event are present) # Else return 'OK' flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ try: hand = win32evtlog.OpenEventLog(None, logtype) # None for localhost except pywintypes.error, e: log.error('EventLog error %r', e) return 'ERR', u'EventLog error %r' % (e, )
def getLogs(self): for log in self.log_holder.keys(): hand = win32evtlog.OpenEventLog(self.computer, log) numRecords = win32evtlog.GetNumberOfEventLogRecords(hand) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ while 1: events = win32evtlog.ReadEventLog(hand, flags, 0) if not events: break for event in events: self.log_holder[log].append(event)
def run(self): self.hand = win32evtlog.OpenEventLog(self.server, self.logtype) global time_limit flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEEK_READ prevNumOfRecs = win32evtlog.GetNumberOfEventLogRecords(self.hand) evnthndl = CreateEvent(None, True, False, None) win32evtlog.NotifyChangeEventLog(self.hand, evnthndl) levels_dict = {1: 'ERROR', 2: 'WARNING', 4: 'INFO'} while True: print('hi') evntsgnld = WaitForSingleObject(evnthndl, 10000) if evntsgnld == WAIT_OBJECT_0: print('New event: \n') numOfRec = win32evtlog.GetNumberOfEventLogRecords(self.hand) NumOfNewRecs = numOfRec - prevNumOfRecs offset = numOfRec - NumOfNewRecs events = win32evtlog.ReadEventLog(self.hand, flags, offset + 1) for event in events: # 4 Info, 1 Error, 2 Warning... 3 should be Debug? evJson = {} datetime = str(event.TimeGenerated) evJson["logged_date"] = datetime.split(" ")[0] evJson["logged_time"] = datetime evJson["process"] = str(event.SourceName) evJson["host"] = str(event.ComputerName) if not event.EventType in levels_dict.keys(): evJson["severity"] = "Unknown" else: evJson["severity"] = str(levels_dict[event.EventType]) evJson["message"] = str( win32evtlogutil.FormatMessage(event, self.logtype)) ev = evJson["logged_time"] + " " + evJson["process"] + " " + \ evJson["host"] + " " + evJson["severity"] + \ " " + evJson["message"] filter_pattern = re.compile(event_logs["filter_by"]) if (event_logs["filter_by"] == "" or filter_pattern.search(ev)): logs.append(evJson) if (len(logs) >= batch_size or time.time() > time_limit): now = time.time() time_limit = now + max_time sendLogs(logs) logs.clear() print(" EVENT: \n") print(evJson) # print("\n All events: \n") # print(logs) print("\n\n") ResetEvent(evnthndl) prevNumOfRecs = numOfRec
def read_login_events(eventid, log_source): event_log = win32evtlog.OpenEventLog(None, log_source) flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ login_attempt_events = [] while (True): records = win32evtlog.ReadEventLog(event_log, flags, 0) for rec in records: if rec.EventID == eventid: login_attempt_events.append(rec) if len(records) == 0: break return login_attempt_events
def monitEventlog(root, args, engine, baseline): server = "localhost" source_type = "Microsoft-Windows-Sysmon/Operational" num_events = 0 h_log = win32evtlog.OpenEventLog(server, source_type) flags = win32evtlog.EVENTLOG_FORWARDS_READ|\ win32evtlog.EVENTLOG_SEQUENTIAL_READ total_events = win32evtlog.GetNumberOfEventLogRecords(h_log) h_evt = win32event.CreateEvent(None, 1, 0, "evt0") win32evtlog.NotifyChangeEventLog(h_log, h_evt) while True: events_read = [] while True: aux = win32evtlog.ReadEventLog(h_log, flags, 0) if not aux: break events_read += aux if events_read: num_events += len(events_read) log.debug("Read from eventlog: %d - Total readed: %d \r" %\ (len(events_read), num_events)) for event in events_read: req_parsed = {} if event.EventID in EVENTLOG_EVENTID: req_parsed = parseEventlogIDx(SYSMON_SCHEMA, event, server) try: actions_list = getListOfActions(req_parsed) except: log.error("Missing Sysmon/Operational registry key") log.error("Add key located in RegistryKey directory") log.error("See README for more info") exit(1) for action in actions_list: pnode = addToProcessTree(action, root) # Baseline engine actions if pnode: baseline.runActionCheck(pnode, action) baseline.fireAlert(pnode) # Wait for proccess all the tree if (num_events >= total_events): engine.run(root) log.debug("Waiting for events on eventlog") wait_result = win32event.WaitForSingleObject(h_evt, -1)
def ReadLog(computer, logType="Application", dumpEachRecord=0): # read the entire log back. h = win32evtlog.OpenEventLog(computer, logType) numRecords = win32evtlog.GetNumberOfEventLogRecords(h) # print "There are %d records" % numRecords num = 0 while 1: objects = win32evtlog.ReadEventLog( h, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0, ) if not objects: break for object in objects: # get it for testing purposes, but dont print it. msg = win32evtlogutil.SafeFormatMessage(object, logType) if object.Sid is not None: try: domain, user, typ = win32security.LookupAccountSid( computer, object.Sid) sidDesc = "%s/%s" % (domain, user) except win32security.error: sidDesc = str(object.Sid) user_desc = "Event associated with user %s" % (sidDesc, ) else: user_desc = None if dumpEachRecord: print("Event record from %r generated at %s" % (object.SourceName, object.TimeGenerated.Format())) if user_desc: print(user_desc) try: print(msg) except UnicodeError: print( "(unicode error printing message: repr() follows...)") print(repr(msg)) num = num + len(objects) if numRecords == num: print("Successfully read all", numRecords, "records") else: print("Couldn't get all records - reported %d, but found %d" % (numRecords, num)) print( "(Note that some other app may have written records while we were running!)" ) win32evtlog.CloseEventLog(h)
def FeedEventLogRecords(feeder, machineName = None, logName = "Application", readFlags = None): if readFlags is None: readFlags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ h=win32evtlog.OpenEventLog(machineName, logName) try: while 1: objects = win32evtlog.ReadEventLog(h, readFlags, 0) if not objects: break map(lambda item, feeder = feeder: feeder(*(item,)), objects) finally: win32evtlog.CloseEventLog(h)
def yield_logs(computer=None, log_name=LOG_NAME): hLog = win32evtlog.OpenEventLog(computer, log_name) try: while True: entries = win32evtlog.ReadEventLog( hLog, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0) if entries: for entry in entries: yield entry else: break finally: win32evtlog.CloseEventLog(hLog)
def todays_events(server,logtype,ids=[4648]): import datetime from vyperlogix import misc from vyperlogix.misc import _utils from vyperlogix.hash.lists import HashedLists from vyperlogix.classes.SmartObject import SmartObject import win32evtlog #logon_event_ids = [id for id in [int(e.id) for e in events_by_tokens.get('logon',[])] if (id > 999)] logon_event_ids = ids if (misc.isList(ids)) else [4648] hand = win32evtlog.OpenEventLog(server,logtype) flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ total = win32evtlog.GetNumberOfEventLogRecords(hand) now = _utils.today_localtime() seconds_in_day = 24*60*60 __todays_events__ = [] __running__ = True while (__running__): events = win32evtlog.ReadEventLog(hand, flags,0) if events: for event in events: if (event.EventID in logon_event_ids): #print 'Event Category:', event.EventCategory #print 'Time Generated:', event.TimeGenerated dt = _utils.getFromDateTimeStr(event.TimeGenerated.Format(),format='%m/%d/%y %H:%M:%S') delta = max(now,dt) - min(now,dt) #print 'delta.total_seconds()=%s' % (delta.total_seconds()) if (delta.total_seconds() < seconds_in_day): __todays_events__.append(event) else: __running__ = False break #print 'Source Name:', event.SourceName #print 'Event ID:', event.EventID #print 'Event Type:', event.EventType #data = event.StringInserts #if data: #print 'Event Data:' #for msg in data: #print msg #print '='*40 else: break return __todays_events__