def get_power_of_records(self) -> Iterable[dict]:
server = "localhost"
for logtype in ["System", "Application", "Security"]:
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
events = win32evtlog.ReadEventLog(hand, flags, 0)
try:
events = 1
while events:
events = win32evtlog.ReadEventLog(hand, flags, 0)
for ev_obj in events:
infoTemp = {}
if winerror.HRESULT_CODE(ev_obj.EventID) == 6005:
infoTemp["time"] = ev_obj.TimeGenerated.Format()
infoTemp["event"] = "power on"
infoTemp["user"] = str(ev_obj.ComputerName)
elif winerror.HRESULT_CODE(ev_obj.EventID) == 6006:
infoTemp["time"] = ev_obj.TimeGenerated.Format()
infoTemp["event"] = "power off"
infoTemp["user"] = str(ev_obj.ComputerName)
elif winerror.HRESULT_CODE(ev_obj.EventID) == 6008:
infoTemp["time"] = ev_obj.TimeGenerated.Format()
infoTemp["event"] = "power off"
infoTemp["user"] = str(ev_obj.ComputerName)
else:
continue
yield infoTemp
except:
print(traceback.print_exc(sys.exc_info()))
def getEventLogs(self, server, logtype, logPath):
"""
Get the event logs from the specified machine according to the
logtype (Example: Application) and save it to the appropriately
named log file
"""
print("Logging %s events" % logtype)
log = codecs.open(logPath, encoding='utf-8', mode='w')
line_break = '-' * 80
log.write("\n%s Log of %s Events\n" % (server, logtype))
log.write("Created: %s\n\n" % time.ctime())
log.write("\n" + line_break + "\n")
hand = win32evtlog.OpenEventLog(server, logtype)
total = win32evtlog.GetNumberOfEventLogRecords(hand)
print("Total events in %s = %s" % (logtype, total))
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
events = win32evtlog.ReadEventLog(hand, flags, 0)
evt_dict = {
win32con.EVENTLOG_AUDIT_FAILURE: 'EVENTLOG_AUDIT_FAILURE',
win32con.EVENTLOG_AUDIT_SUCCESS: 'EVENTLOG_AUDIT_SUCCESS',
win32con.EVENTLOG_INFORMATION_TYPE: 'EVENTLOG_INFORMATION_TYPE',
win32con.EVENTLOG_WARNING_TYPE: 'EVENTLOG_WARNING_TYPE',
win32con.EVENTLOG_ERROR_TYPE: 'EVENTLOG_ERROR_TYPE'
}
try:
events = 1
while events:
events = win32evtlog.ReadEventLog(hand, flags, 0)
for ev_obj in events:
the_time = ev_obj.TimeGenerated.Format(
) #'12/23/99 15:54:09'
evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID))
computer = str(ev_obj.ComputerName)
cat = ev_obj.EventCategory
record = ev_obj.RecordNumber
msg = win32evtlogutil.SafeFormatMessage(ev_obj, logtype)
source = str(ev_obj.SourceName)
if not ev_obj.EventType in evt_dict.keys():
evt_type = "unknown"
else:
evt_type = str(evt_dict[ev_obj.EventType])
log.write("Event Date/Time: %s\n" % the_time)
log.write("Event ID / Type: %s / %s\n" %
(evt_id, evt_type))
log.write("Currently Active User(s): %s\n" %
self.currentUsers)
log.write("Record #%s\n" % record)
log.write("Source: %s\n\n" % source)
log.write(msg)
log.write("\n\n")
log.write(line_break)
log.write("\n\n")
except:
print(traceback.print_exc(sys.exc_info()))
print("Log creation finished. Location of log is %s" % logPath)
def getEventLogs(server, logtype, logPath):
log = codecs.open(logPath, encoding='utf-8', mode='w')
begin_sec = time.time()
begin_time = time.strftime('%H:%M:%S ', time.localtime(begin_sec))
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
events = win32evtlog.ReadEventLog(hand, flags, 0)
evt_dict = {
win32con.EVENTLOG_AUDIT_FAILURE: 'EVENTLOG_AUDIT_FAILURE',
win32con.EVENTLOG_AUDIT_SUCCESS: 'EVENTLOG_AUDIT_SUCCESS',
win32con.EVENTLOG_INFORMATION_TYPE: 'EVENTLOG_INFORMATION_TYPE',
win32con.EVENTLOG_WARNING_TYPE: 'EVENTLOG_WARNING_TYPE',
win32con.EVENTLOG_ERROR_TYPE: 'EVENTLOG_ERROR_TYPE'
}
try:
events = 1
while events:
events = win32evtlog.ReadEventLog(hand, flags, 0)
for ev_obj in events:
the_time = ev_obj.TimeGenerated.Format() # '12/23/99 15:54:09'
seconds = date2sec(the_time)
if seconds < begin_sec - 15: break
evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID))
event_list = [
event for event in events if event.EventID == "27035"
]
if event_list:
print 'Event Category:', event_list[0].EventCategory
computer = str(ev_obj.ComputerName)
cat = ev_obj.EventCategory
record = ev_obj.RecordNumber
msg = win32evtlogutil.SafeFormatMessage(ev_obj, logtype)
source = str(ev_obj.SourceName)
if not ev_obj.EventType in evt_dict.keys():
evt_type = "unknown"
else:
evt_type = str(evt_dict[ev_obj.EventType])
# logging.info("Event Date/Time: %s\n" % the_time)
# logging.info("Event ID / Type: %s / %s\n" % (evt_id, evt_type))
if evt_id in ['4625']: # An account failed to log on
print "XXXXXXXXXXXXXXXXxxxxxxxxx--------FAILED LOGIN!!!"
begin_sec = time.time()
the_time = ev_obj.TimeGenerated.Format()
seconds = date2sec(the_time)
os.startfile(os.getcwd() + '\\dist\\capture_me.exe')
logging.info("Record #%s" % record)
logging.info("Source: %s" % source)
logging.info(msg)
logging.info('-' * 80)
except:
message = traceback.print_exc(sys.exc_info())
logging.error(message)
def __read_from_event_log( self, source, event_types ):
event_log = win32evtlog.OpenEventLog( self.__server, source )
if not event_log:
self._logger.error( "Unknown error opening event log for '%s'" % source )
return
#we read events in reverse from the end of the log to avoid problems when
#seeking directly to a record in a large log file
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
offset = 0
#use the checkpoint if it exists
if source in self.__checkpoints:
offset = self.__checkpoints[source]
#a list of events that we haven't yet seen
event_list = []
try:
events = True
while events:
events = win32evtlog.ReadEventLog( event_log, flags, offset )
for event in events:
#if we encounter our last seen record, then we are done
if offset == event.RecordNumber or len( event_list ) >= self.__maximum_records:
events = False
break
else:
# add the event to our list of interested events
# if it is one we are interested in
if event.EventType in event_types:
event_list.append( event )
except Exception, error:
self._logger.error( "Error reading from event log: %s", str( error ), limit_once_per_x_secs=self.__error_repeat_interval, limit_key="EventLogError" )
def handle_new_event():
"""
Called when a Aanew security event is registered in the Domain Controller (localhost).
Goes over the latest events, and check for a valid logon event. If found, calls 'check_logon'
to check the events on the remote server.
Return Value (NoneType): None
"""
log_handle = win32evtlog.OpenEventLog(SERVER, SOURCE_TYPE) # Open the log file to view the latest event
events = win32evtlog.ReadEventLog(log_handle, FLAGS, READ_EVENT_LOG_OFFSET) # Read the events from the log file
time_index = events[0].TimeGenerated # Time of latest event
for event in events:
if(event.TimeGenerated != time_index): # Only check new events -
return
if(event.EventID != LOGON_EVENT_ID):
continue
account_name = event.StringInserts[5]
logonType = event.StringInserts[8]
account_domain = event.StringInserts[18]
if(account_name == HOSTNAME or account_domain == EMPTY_EVENT_ATTRIBUTE_SIGN):
continue
logger.info(f'{account_name} logged on to {account_domain}. Logon Type: {logonType}. Checking logon in remote computer...')
threading.Thread(target=handle_remote_actions, args=(account_domain, account_name)).start()
def fun():
server = 'localhost' # name of the target computer to get event logs
logtype = 'System' # 'Application' # 'Security'
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
#total = win32evtlog.GetNumberOfEventLogRecords(hand)
hand = win32evtlog.OpenEventLog(server,logtype)
begin_sec = time.time()
begin_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(begin_sec))
print(begin_sec)
time.sleep(30)
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
#print(event.TimeGenerated)
datetime_object = datetime.strptime(str(event.TimeGenerated), '%Y-%m-%d %H:%M:%S')
seconds = time.mktime(datetime_object.timetuple())
if(begin_sec<=seconds):
#print(begin_sec)
#print(seconds)
print('Time Generated:', event.TimeGenerated)
print('Source Name:', event.SourceName)
print('Event Type:', event.EventType)
print('String inserts', event.StringInserts)
writeLog(event.EventType, event.TimeGenerated, event.SourceName)
def get_event_log(server, log_type='system'):
log_handle = win32evtlog.OpenEventLog(server, log_type)
total_num_records = win32evtlog.GetNumberOfEventLogRecords(log_handle)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
print "There are %d records" % total_num_records
events = 1
while events:
events = win32evtlog.ReadEventLog(log_handle, flags, 0)
for event in events:
if is_common_event_id(event.EventID):
print event.EventID
print event.EventCategory
print event.TimeGenerated.Format()
# print event.TimeWritten # <type 'time'>
print event.EventType # win32evtlog.EVENTLOG_ERROR_TYPE,
print event.ComputerName
print event.SourceName
print win32evtlogutil.SafeFormatMessage(event, log_type) # Event Description
# print event.StringInserts
print event.Sid
if event.Sid is not None:
try:
domain, user, typ = win32security.LookupAccountSid(server, event.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error: # from pywintypes import error
sidDesc = str(event.Sid)
user_desc = "Event associated with user %s" % (sidDesc,)
else:
user_desc = None
print user_desc
win32evtlog.CloseEventLog(log_handle)
def justWokeUp():
justWokeUp = False
# crack open the windows event logs and see if we woke up less than X minutes ago
server = 'localhost'
logtype = 'System'
log = win32evtlog.OpenEventLog(server, logtype)
foundPowerEvent = False
readFlags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ # read backwards in order
wakeTime = ""
# get most recent power event
while (not (foundPowerEvent)):
events = win32evtlog.ReadEventLog(
log, readFlags, 0) # 0 is the offset, don't bother with it
for event in events:
if (event.SourceName == "Microsoft-Windows-Power-Troubleshooter"):
wakeTime = event.TimeGenerated
foundPowerEvent = True
break
niceWakeTime = datetime.datetime.strptime(str(wakeTime),
"%Y-%m-%d %H:%M:%S")
timeNow = datetime.datetime.today()
timeDifference = timeNow - niceWakeTime
timeDifference = timeDifference.total_seconds()
print(timeDifference)
if (timeDifference < 300): # you've got five minutes to do your job, pal
justWokeUp = True
return justWokeUp
def RetrieveEvent(self):
Datmsg = ''
hand = win32evtlog.OpenEventLog('localhost',self.LogType)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
ev = 0
while ev != int(self.NumEvt):
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
if (event.EventID == int(self.EvntID) or event.EventID == int(self.EvntIdII)) and (event.SourceName == self.EvtSourceName or event.SourceName == self.EvtSourceNameII):
self.Datapayload["EvtSourceName"] = event.SourceName
self.Datapayload["EvntID"]= self.EvntID
self.Datapayload['TimeGenerated']= str(event.TimeGenerated)
#print(self.Datapayload)
data = event.StringInserts
if data:
for msg in data:
Datmsg = Datmsg + msg
#print(msg)
self.Datapayload["EventData"]= Datmsg
ev += 1
else:
ev += 1
self.Datapayload['UserName'] = self.UserName
self.Datapayload['ComputerName'] = os.environ['COMPUTERNAME']
return self.Datapayload
def ReadLog(computer, logType="Application", dumpEachRecord = 0):
# read the entire log back.
h=win32evtlog.OpenEventLog(computer, logType)
numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
# print "There are %d records" % numRecords
num=0
while 1:
objects = win32evtlog.ReadEventLog(h, win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
if not objects:
break
for object in objects:
# get it for testing purposes, but dont print it.
msg = SafeFormatMessage(object, logType).encode("mbcs")
if object.Sid is not None:
try:
domain, user, typ = win32security.LookupAccountSid(computer, object.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error:
sidDesc = str(object.Sid)
user_desc = "Event associated with user %s" % (sidDesc,)
else:
user_desc = None
if dumpEachRecord:
if user_desc:
print user_desc
print msg
num = num + len(objects)
if numRecords == num:
print "Successfully read all", numRecords, "records"
else:
print "Couldn't get all records - reported %d, but found %d" % (numRecords, num)
print "(Note that some other app may have written records while we were running!)"
win32evtlog.CloseEventLog(h)
def ParseEvents(eventtype, limit=None, server=None):
server = None
hand = win32evtlog.OpenEventLog(server,eventtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
events = 1
count = 0
while events:
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
count += 1
if count <= 500:
if interestingEvent(event,whitelist):
time = "date_time=\"" + str(event.TimeGenerated) + "\""
cat = "type=\"" + str(event.SourceName) + "\""
eventID = "eventid=\"" + str(event.EventID & 0x1FFFFFFF) + "\""
strings = "data=\"" + str(event.StringInserts).replace("\\\\","\\").replace("u'","'").replace("%%","") + "\""
result = []
result.append((time, cat, eventID, strings))
yield result
else:
break
def _list_evt_xp(self, server, logtype):
"""Retrieves the contents of the event log for Windows XP"""
self.logger.info('Exporting logs for : ' + logtype)
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
sum_evt = 0
while True:
events = win32evtlog.ReadEventLog(hand, flags, 0)
sum_evt += len(events)
if events:
for event in events:
data = event.StringInserts
date = datetime.datetime(event.TimeGenerated.year, event.TimeGenerated.month,
event.TimeGenerated.day, event.TimeGenerated.hour,
event.TimeGenerated.minute, event.TimeGenerated.second).strftime(
'%d/%m/%Y %H:%M:%S')
# print date + ' : ' + log_type + ' -> ' + log_data
if data:
yield unicode(event.EventCategory), unicode(event.SourceName), unicode(event.EventID), unicode(
event.EventType), date, list(data)
else:
yield unicode(event.EventCategory), unicode(event.SourceName), unicode(event.EventID), unicode(
event.EventType), date, []
if sum_evt >= total:
break
def readEventLog(server, log_type):
# Reads the log_type (e.g. "Application" or "System" from the Windows event viewer on the specified server
try:
# Open the log file and sort array on Event ID's
log_handle = win32evtlog.OpenEventLog(server, log_type)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(log_handle)
print("Scanning through {} events on {} in {}".format(
total, server, log_type))
# As long as there are events, keep reading
readEvent_count = 1
readEvents = 1
events = []
while readEvents:
readEvents = win32evtlog.ReadEventLog(log_handle, flags, 1)
for event in readEvents:
events.append(event)
readEvent_count += 1
win32evtlog.CloseEventLog(log_handle)
return events
except:
print("I can't read yar bastard")
try:
print(traceback.print_exc(sys.exc_info()))
except:
print("Exception whilst printing traceback")
def read_and_parse(self):
flag = False
while True:
if flag:
break
self.hand = win32evtlog.OpenEventLog(self.server, self.logtype)
events = win32evtlog.ReadEventLog(self.hand, self.flags, 0)
w_logs = []
if events:
for event in events:
if event.TimeGenerated > self.last_log_timestamp:
msg_data = event.StringInserts
if msg_data:
msg = ' '.join(msg_data)
else:
msg = ''
w_log = WindowsLog(str(event.TimeGenerated),
SeverityLevel(event.EventType).name,
event.EventID, event.ComputerName,
event.SourceName, msg)
print(w_log.format_json())
w_logs.append(w_log.format_json())
self.last_log_timestamp = event.TimeGenerated
else:
flag = True
win32evtlog.CloseEventLog(self.hand)
return w_logs
def get_event_logs(server, name, filters):
handle = win32evtlog.OpenEventLog(server, name)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
logs = []
try:
logged_after = filters['logged_after']
logged_after = datetime.datetime.now() - logged_after
except KeyError:
logged_after = datetime.datetime.now() - datetime.timedelta(days=1)
try:
while True:
events = win32evtlog.ReadEventLog(handle, flags, 0)
if events:
for event in events:
time_generated = datetime_from_event_date(event.TimeGenerated)
if time_generated < logged_after:
raise StopIteration
elif is_interesting_event(event, name, filters):
safe_log = normalize_event(event, name)
logs.append(safe_log)
else:
raise StopIteration
except StopIteration:
pass
finally:
win32evtlog.CloseEventLog(handle)
return logs
def get_records(self, flags=_default_flags):
with self:
while True:
objects = win32evtlog.ReadEventLog(self.handle, flags, 0)
if not objects:
break
for item in objects:
yield item
def __read_from_event_log(self, source, event_types):
event_log = win32evtlog.OpenEventLog(self._server, source)
if not event_log:
self._logger.error("Unknown error opening event log for '%s'" % source)
return
# we read events in reverse from the end of the log to avoid problems when
# seeking directly to a record in a large log file
flags = (
win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
)
offset = -1
# use the checkpoint if it exists
if source in self._checkpoints:
offset = self._checkpoints[source]
# a list of events that we haven't yet seen
event_list = []
try:
events = True
while events:
events = win32evtlog.ReadEventLog(event_log, flags, offset)
for event in events:
# special case for when there was no offset, in which case
# the first event will be the latest event so use that for the
# new offset
if offset == -1:
self._checkpoints[source] = event.RecordNumber
events = False
break
# if we encounter our last seen record, then we are done
elif (
offset == event.RecordNumber
or len(event_list) >= self._maximum_records
):
events = False
break
else:
# add the event to our list of interested events
# if it is one we are interested in
if event.EventType in event_types:
event_list.append(event)
except Exception as error:
self._logger.error(
"Error reading from event log: %s",
str(error),
limit_once_per_x_secs=self._error_repeat_interval,
limit_key="EventLogError",
)
# now print out records in reverse order (which will put them in correct chronological order
# because we initially read them in reverse)
for event in reversed(event_list):
self.__log_event(source, event)
self._checkpoints[source] = event.RecordNumber
def event_logs(server="localhost", source="System"):
# type: (str, str) -> Iterator[dict]
"""
EventType: severity level
EVENTLOG_ERROR_TYPE 0x0001
EVENTLOG_WARNING_TYPE 0x0002
EVENTLOG_INFORMATION_TYPE 0x0004
EVENTLOG_AUDIT_SUCCESS 0x0008
EVENTLOG_AUDIT_FAILURE 0x0010
EventID: same for same class of messages, stringinserts are provides to template belonging to eventid
"""
fields = {
"Reserved", "RecordNumber", "TimeGenerated", "TimeWritten", "EventID",
"EventType", "EventCategory", "ReservedFlags", "ClosingRecordNumber",
"SourceName", "StringInserts", "Sid", "Data", "ComputerName"
}
fields = {
"Reserved", "RecordNumber", "TimeGenerated", "TimeWritten", "EventID",
"EventType", "EventCategory", "ReservedFlags", "ClosingRecordNumber",
"SourceName", "StringInserts", "ComputerName"
}
# missing: "Sid", "Data"
handle = win32evtlog.OpenEventLog(server, source)
flags = win32evtlog.EVENTLOG_SEQUENTIAL_READ | win32evtlog.EVENTLOG_FORWARDS_READ
logger.debug("Preparing to read {} events".format(
win32evtlog.GetNumberOfEventLogRecords(handle)))
try:
while True:
events = win32evtlog.ReadEventLog(handle, flags, 0)
if events:
for event in events:
ret = {f: getattr(event, f) for f in fields}
# does that work for different time zones?
ret["TimeGenerated"] = datetime.fromtimestamp(
event.TimeGenerated.timestamp())
ret["TimeWritten"] = datetime.fromtimestamp(
event.TimeWritten.timestamp())
if ret["StringInserts"]:
ret["StringInserts"] = ", ".join(
ret["StringInserts"]).replace("\r\n", "\n")
if not ret["StringInserts"]:
ret["StringInserts"] = None
ret["EventID"] = winerror.HRESULT_CODE(ret["EventID"])
#print(ret)
yield ret
else:
break
finally:
win32evtlog.CloseEventLog(handle)
def analyze_one_log(event_log: str) -> None:
""" Main analysis. Go thru events in one event log, compile statistics.
Args:
event_log (string): name of Windows Event Log to read.
Returns:
none.
Raises:
none.
"""
# Summary of one event.
keys = [
'EventID', 'Computer', 'Category', 'Source Name', 'Event Type',
'User Name', 'Log Name'
]
event_summary = dict.fromkeys(keys, "")
# Where we compile event statistics.
event_stats = {}
# Handle to a Windows Event Log.
handle = win32evtlog.OpenEventLog('localhost', event_log)
# Flags for reading the Event Log.
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
# num_events = win32evtlog.GetNumberOfEventLogRecords(handle)
try:
events = 1
while events:
events = win32evtlog.ReadEventLog(handle, flags, 0)
for event in events:
# Unpack each event.
event_summary['EventID'] = winerror.HRESULT_CODE(event.EventID)
event_summary['Computer'] = event.ComputerName
event_summary['Category'] = event.EventCategory
event_summary['Source Name'] = event.SourceName
event_summary['Event Type'] = type_name(event.EventType)
event_summary['User Name'] = get_user_name(event.Sid)
event_summary['Log Name'] = event_log
# record_num = event.RecordNumber
# string_inserts = event.StringInserts
# message = win32evtlogutil.SafeFormatMessage(event, event_log)
# Tally statistics.
if frozendict(event_summary) in event_stats.keys():
event_stats[frozendict(event_summary)] += 1
else:
event_stats[frozendict(event_summary)] = 1
except Exception:
print(traceback.print_exc(sys.exc_info()))
# Print event statistics.
for event_summary, count in sorted(event_stats.items(),
reverse=True,
key=lambda item: item[1]):
print("\n## {} occurrences of this event:".format(count))
for key, value in event_summary.items():
print(str(key) + ": " + str(value))
def get_system_logs_records(self) -> Iterable[dict]:
server = "localhost"
for logtype in ["System", "Application", "Security"]:
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
events = win32evtlog.ReadEventLog(hand, flags, 0)
evt_dict = {
win32con.EVENTLOG_AUDIT_FAILURE: 'Unknown',
win32con.EVENTLOG_AUDIT_SUCCESS: 'Unknown',
win32con.EVENTLOG_INFORMATION_TYPE: 'info',
win32con.EVENTLOG_WARNING_TYPE: 'waring',
win32con.EVENTLOG_ERROR_TYPE: 'error'
}
events = 1
while events:
events = win32evtlog.ReadEventLog(hand, flags, 0)
for ev_obj in events:
infoTemp = {}
if not ev_obj.EventType in evt_dict.keys():
evt_type = "unknown"
else:
evt_type = str(evt_dict[ev_obj.EventType])
infoTemp["log_type"] = logtype
infoTemp["time"] = ev_obj.TimeGenerated.Format()
infoTemp["event"] = str(
winerror.HRESULT_CODE(ev_obj.EventID))
infoTemp["log_source"] = str(ev_obj.SourceName)
try:
infoTemp["description"] = ",".join(
ev_obj.StringInserts[:1])
except:
infoTemp["description"] = str(
ev_obj.StringInserts)[1:-1]
infoTemp["computer_name"] = str(ev_obj.ComputerName)
infoTemp["log_kind"] = str(evt_type)
yield infoTemp
def getLogs(self):
for log in self.log_holder.keys():
hand = win32evtlog.OpenEventLog(self.computer, log)
numRecords = win32evtlog.GetNumberOfEventLogRecords(hand)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
while 1:
events = win32evtlog.ReadEventLog(hand, flags, 0)
if not events:
break
for event in events:
self.log_holder[log].append(event)
def get_eventlogs(source_name="Microsoft-Windows-PrintService/Operational",
buf_size=EVTLOG_READ_BUF_LEN_MAX,
backwards=True):
ret = list()
evt_log = win32evtlog.OpenEventLog(None, source_name)
read_flags = win32evtlog.EVENTLOG_SEQUENTIAL_READ
if backwards:
read_flags |= win32evtlog.EVENTLOG_BACKWARDS_READ
else:
read_flags |= win32evtlog.EVENTLOG_FORWARDS_READ
offset = 0
eventlog_records = win32evtlog.ReadEventLog(evt_log, read_flags, offset,
buf_size)
while eventlog_records:
ret.extend(eventlog_records)
offset += len(eventlog_records)
eventlog_records = win32evtlog.ReadEventLog(evt_log, read_flags,
offset, buf_size)
win32evtlog.CloseEventLog(evt_log)
return ret
def run(self):
self.hand = win32evtlog.OpenEventLog(self.server, self.logtype)
global time_limit
flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEEK_READ
prevNumOfRecs = win32evtlog.GetNumberOfEventLogRecords(self.hand)
evnthndl = CreateEvent(None, True, False, None)
win32evtlog.NotifyChangeEventLog(self.hand, evnthndl)
levels_dict = {1: 'ERROR', 2: 'WARNING', 4: 'INFO'}
while True:
print('hi')
evntsgnld = WaitForSingleObject(evnthndl, 10000)
if evntsgnld == WAIT_OBJECT_0:
print('New event: \n')
numOfRec = win32evtlog.GetNumberOfEventLogRecords(self.hand)
NumOfNewRecs = numOfRec - prevNumOfRecs
offset = numOfRec - NumOfNewRecs
events = win32evtlog.ReadEventLog(self.hand, flags, offset + 1)
for event in events:
# 4 Info, 1 Error, 2 Warning... 3 should be Debug?
evJson = {}
datetime = str(event.TimeGenerated)
evJson["logged_date"] = datetime.split(" ")[0]
evJson["logged_time"] = datetime
evJson["process"] = str(event.SourceName)
evJson["host"] = str(event.ComputerName)
if not event.EventType in levels_dict.keys():
evJson["severity"] = "Unknown"
else:
evJson["severity"] = str(levels_dict[event.EventType])
evJson["message"] = str(
win32evtlogutil.FormatMessage(event, self.logtype))
ev = evJson["logged_time"] + " " + evJson["process"] + " " + \
evJson["host"] + " " + evJson["severity"] + \
" " + evJson["message"]
filter_pattern = re.compile(event_logs["filter_by"])
if (event_logs["filter_by"] == ""
or filter_pattern.search(ev)):
logs.append(evJson)
if (len(logs) >= batch_size
or time.time() > time_limit):
now = time.time()
time_limit = now + max_time
sendLogs(logs)
logs.clear()
print(" EVENT: \n")
print(evJson)
# print("\n All events: \n")
# print(logs)
print("\n\n")
ResetEvent(evnthndl)
prevNumOfRecs = numOfRec
def monitEventlog(root, args, engine, baseline):
server = "localhost"
source_type = "Microsoft-Windows-Sysmon/Operational"
num_events = 0
h_log = win32evtlog.OpenEventLog(server, source_type)
flags = win32evtlog.EVENTLOG_FORWARDS_READ|\
win32evtlog.EVENTLOG_SEQUENTIAL_READ
total_events = win32evtlog.GetNumberOfEventLogRecords(h_log)
h_evt = win32event.CreateEvent(None, 1, 0, "evt0")
win32evtlog.NotifyChangeEventLog(h_log, h_evt)
while True:
events_read = []
while True:
aux = win32evtlog.ReadEventLog(h_log, flags, 0)
if not aux:
break
events_read += aux
if events_read:
num_events += len(events_read)
log.debug("Read from eventlog: %d - Total readed: %d \r" %\
(len(events_read), num_events))
for event in events_read:
req_parsed = {}
if event.EventID in EVENTLOG_EVENTID:
req_parsed = parseEventlogIDx(SYSMON_SCHEMA, event, server)
try:
actions_list = getListOfActions(req_parsed)
except:
log.error("Missing Sysmon/Operational registry key")
log.error("Add key located in RegistryKey directory")
log.error("See README for more info")
exit(1)
for action in actions_list:
pnode = addToProcessTree(action, root)
# Baseline engine actions
if pnode:
baseline.runActionCheck(pnode, action)
baseline.fireAlert(pnode)
# Wait for proccess all the tree
if (num_events >= total_events):
engine.run(root)
log.debug("Waiting for events on eventlog")
wait_result = win32event.WaitForSingleObject(h_evt, -1)
def read_login_events(eventid, log_source):
event_log = win32evtlog.OpenEventLog(None, log_source)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
login_attempt_events = []
while (True):
records = win32evtlog.ReadEventLog(event_log, flags, 0)
for rec in records:
if rec.EventID == eventid:
login_attempt_events.append(rec)
if len(records) == 0:
break
return login_attempt_events
def read_events(date_from):
all_events = []
event_list = []
events_from_date = []
event_list_from_date = []
event_no = 0
while 1:
events = win32evtlog.ReadEventLog(hand, flags, 0)
if events:
for event in events:
if event.EventID in event_dictionary:
data = event.StringInserts
computer = event.ComputerName
message = event_dictionary.get(event.EventID)
event_time = str(event.TimeGenerated)
user = ''
if (event.EventID == 4624
or event.EventID == 4625) and username in data[5]:
user = data[5]
message = message % user
elif event.EventID == 4634 and username in data[1]:
user = data[1]
message = message % user
elif event.EventID == 4608:
user = "******"
elif (event.EventID == 4720 or event.EventID == 4725 or event.EventID == 4726 \
or event.EventID == 4722 or event.EventID == 4740 or event.EventID == 4767) and username\
in data[4]:
user = data[4]
account_name = data[0]
message = message % account_name
if user in (username, 'N/A'):
event_list.append(event.EventID)
single_row = [
event_time, event.EventID, message, user,
'Windows Security Event Log', computer
]
all_events.append(single_row)
if event_time > date_from:
events_from_date.append(single_row)
event_list_from_date.append(event.EventID)
event_no += 1
if event_no >= total:
print(
"Logon/logoff data gathered from Windows Security event log."
)
win32evtlog.CloseEventLog(hand)
print("number of processed records: " + str(event_no))
return all_events, event_list, events_from_date, event_list_from_date
def ReadLog(computer, logType="Application", dumpEachRecord=0):
# read the entire log back.
h = win32evtlog.OpenEventLog(computer, logType)
numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
# print "There are %d records" % numRecords
num = 0
while 1:
objects = win32evtlog.ReadEventLog(
h,
win32evtlog.EVENTLOG_BACKWARDS_READ
| win32evtlog.EVENTLOG_SEQUENTIAL_READ,
0,
)
if not objects:
break
for object in objects:
# get it for testing purposes, but dont print it.
msg = win32evtlogutil.SafeFormatMessage(object, logType)
if object.Sid is not None:
try:
domain, user, typ = win32security.LookupAccountSid(
computer, object.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error:
sidDesc = str(object.Sid)
user_desc = "Event associated with user %s" % (sidDesc, )
else:
user_desc = None
if dumpEachRecord:
print("Event record from %r generated at %s" %
(object.SourceName, object.TimeGenerated.Format()))
if user_desc:
print(user_desc)
try:
print(msg)
except UnicodeError:
print(
"(unicode error printing message: repr() follows...)")
print(repr(msg))
num = num + len(objects)
if numRecords == num:
print("Successfully read all", numRecords, "records")
else:
print("Couldn't get all records - reported %d, but found %d" %
(numRecords, num))
print(
"(Note that some other app may have written records while we were running!)"
)
win32evtlog.CloseEventLog(h)
def FeedEventLogRecords(feeder, machineName = None, logName = "Application", readFlags = None):
if readFlags is None:
readFlags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
h=win32evtlog.OpenEventLog(machineName, logName)
try:
while 1:
objects = win32evtlog.ReadEventLog(h, readFlags, 0)
if not objects:
break
map(lambda item, feeder = feeder: feeder(*(item,)), objects)
finally:
win32evtlog.CloseEventLog(h)
def yield_logs(computer=None, log_name=LOG_NAME):
hLog = win32evtlog.OpenEventLog(computer, log_name)
try:
while True:
entries = win32evtlog.ReadEventLog(
hLog, win32evtlog.EVENTLOG_BACKWARDS_READ
| win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
if entries:
for entry in entries:
yield entry
else:
break
finally:
win32evtlog.CloseEventLog(hLog)
def todays_events(server,logtype,ids=[4648]):
import datetime
from vyperlogix import misc
from vyperlogix.misc import _utils
from vyperlogix.hash.lists import HashedLists
from vyperlogix.classes.SmartObject import SmartObject
import win32evtlog
#logon_event_ids = [id for id in [int(e.id) for e in events_by_tokens.get('logon',[])] if (id > 999)]
logon_event_ids = ids if (misc.isList(ids)) else [4648]
hand = win32evtlog.OpenEventLog(server,logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
now = _utils.today_localtime()
seconds_in_day = 24*60*60
__todays_events__ = []
__running__ = True
while (__running__):
events = win32evtlog.ReadEventLog(hand, flags,0)
if events:
for event in events:
if (event.EventID in logon_event_ids):
#print 'Event Category:', event.EventCategory
#print 'Time Generated:', event.TimeGenerated
dt = _utils.getFromDateTimeStr(event.TimeGenerated.Format(),format='%m/%d/%y %H:%M:%S')
delta = max(now,dt) - min(now,dt)
#print 'delta.total_seconds()=%s' % (delta.total_seconds())
if (delta.total_seconds() < seconds_in_day):
__todays_events__.append(event)
else:
__running__ = False
break
#print 'Source Name:', event.SourceName
#print 'Event ID:', event.EventID
#print 'Event Type:', event.EventType
#data = event.StringInserts
#if data:
#print 'Event Data:'
#for msg in data:
#print msg
#print '='*40
else:
break
return __todays_events__
