コード例 #1
0
    def update_bookmark(self, event):
        # See https://docs.microsoft.com/en-us/windows/win32/wes/bookmarking-events

        # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtupdatebookmark
        # http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtUpdateBookmark_meth.html
        win32evtlog.EvtUpdateBookmark(self._bookmark_handle, event)

        # https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtrender
        # http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtRender_meth.html
        bookmark_xml = win32evtlog.EvtRender(self._bookmark_handle, win32evtlog.EvtRenderBookmark)

        self.write_persistent_cache('bookmark', bookmark_xml)
コード例 #2
0
    def log_event(self, event):
        render_context = win32evtlog.EvtCreateRenderContext(
            win32evtlog.EvtRenderContextSystem)
        vals = self.GetFormattedEventAsDict(render_context, event)
        provider = "not-specified"
        if "ProviderName" in vals:
            provider = vals["ProviderName"]

        if "ProviderGuid" in vals:
            vals["ProviderGuid"] = six.text_type(vals["ProviderGuid"])

        if "ActivityId" in vals:
            vals["ActivityId"] = six.text_type(vals["ActivityId"])

        if "RelatedActivityId" in vals:
            vals["RelatedActivityId"] = six.text_type(
                vals["RelatedActivityId"])

        if "TimeCreated" in vals:
            time_format = "%Y-%m-%d %H:%M:%SZ"
            vals["TimeCreated"] = time.strftime(
                time_format, time.gmtime(int(vals["TimeCreated"])))

        if "Keywords" in vals:
            if isinstance(vals["Keywords"], list):
                vals["Keywords"] = ",".join(vals["Keywords"])
            else:
                vals["Keywords"] = six.text_type(vals["Keywords"])

        if "UserId" in vals:
            user_id = six.text_type(vals["UserId"])
            if user_id.startswith("PySID:"):
                user_id = user_id[6:]
            vals["UserId"] = user_id

        self._logger.emit_value("EventLog", provider, extra_fields=vals)

        self.__bookmark_lock.acquire()
        try:
            if "Channel" in vals:
                channel = vals["Channel"]
                bookmark = None
                if channel not in self.__bookmarks:
                    self.__bookmarks[channel] = win32evtlog.EvtCreateBookmark(
                        None)

                bookmark = self.__bookmarks[channel]
                win32evtlog.EvtUpdateBookmark(bookmark, event)
        finally:
            self.__bookmark_lock.release()
コード例 #3
0
    def log_event(self, event):
        render_context = win32evtlog.EvtCreateRenderContext(
            win32evtlog.EvtRenderContextSystem)
        vals = self.GetFormattedEventAsDict(render_context, event)
        provider = 'not-specified'
        if 'ProviderName' in vals:
            provider = vals['ProviderName']

        if 'ProviderGuid' in vals:
            vals['ProviderGuid'] = str(vals['ProviderGuid'])

        if 'ActivityId' in vals:
            vals['ActivityId'] = str(vals['ActivityId'])

        if 'RelatedActivityId' in vals:
            vals['RelatedActivityId'] = str(vals['RelatedActivityId'])

        if 'TimeCreated' in vals:
            time_format = "%Y-%m-%d %H:%M:%SZ"
            vals['TimeCreated'] = time.strftime(
                time_format, time.gmtime(int(vals['TimeCreated'])))

        if 'Keywords' in vals:
            if isinstance(vals['Keywords'], list):
                vals['Keywords'] = ','.join(vals['Keywords'])
            else:
                vals['Keywords'] = str(vals['Keywords'])

        if 'UserId' in vals:
            user_id = str(vals['UserId'])
            if user_id.startswith("PySID:"):
                user_id = user_id[6:]
            vals['UserId'] = user_id

        self._logger.emit_value("EventLog", provider, extra_fields=vals)

        self.__bookmark_lock.acquire()
        try:
            if 'Channel' in vals:
                channel = vals['Channel']
                bookmark = None
                if channel not in self.__bookmarks:
                    self.__bookmarks[channel] = win32evtlog.EvtCreateBookmark(
                        None)

                bookmark = self.__bookmarks[channel]
                win32evtlog.EvtUpdateBookmark(bookmark, event)
        finally:
            self.__bookmark_lock.release()