如何使用python读取.evtx文件?

时间:2017-03-24 16:54:47

标签: python logging event-log

大家有谁知道如何在C:\ Windows \ System32 \ winevt \ Logs中读取事件日志文件,扩展名为.evtx? 我已经尝试使用记事本打开它并使用python读取但记事本表示访问被拒绝... 有谁知道怎么做?提前谢谢..

2 个答案:

答案 0 :(得分:1)

这是您从事件查看器中读取文件“转发的事件”的方式。您需要管理员访问权限,所以我会以管理员身份运行它,但如果您不这样做,我会提示您输入密码。

import win32evtlog
import xml.etree.ElementTree as ET
import ctypes
import sys


def is_admin():
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

if is_admin():


    # open event file
    query_handle = win32evtlog.EvtQuery(
        'C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx',
        win32evtlog.EvtQueryFilePath)

    read_count = 0
    a = 1
    while a == 1:
        a += 1
        # read 1 record(s)
        events = win32evtlog.EvtNext(query_handle, 1)
        read_count += len(events)
        # if there is no record break the loop
        if len(events) == 0:
            break

        for event in events:
            xml_content = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
            # parse xml content
            xml = ET.fromstring(xml_content)


            # xml namespace, root element has a xmlns definition, so we have to use the namespace
            ns = '{http://schemas.microsoft.com/win/2004/08/events/event}'

            substatus = xml[1][9].text

            event_id = xml.find(f'.//{ns}EventID').text
            computer = xml.find(f'.//{ns}Computer').text
            channel = xml.find(f'.//{ns}Channel').text
            execution = xml.find(f'.//{ns}Execution')
            process_id = execution.get('ProcessID')
            thread_id = execution.get('ThreadID')
            time_created = xml.find(f'.//{ns}TimeCreated').get('SystemTime')
            #data_name = xml.findall('.//EventData')
            #substatus = data_name.get('Data')
            #print(substatus)

            event_data = f'Time: {time_created}, Computer: {computer}, Substatus: {substatus}, Event Id: {event_id}, Channel: {channel}, Process Id: {process_id}, Thread Id: {thread_id}'
            print(event_data)

            user_data = xml.find(f'.//{ns}UserData')
            # user_data has possible any data

      

else:
    ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, " ".join(sys.argv), None, 1)

input()

答案 1 :(得分:0)

// Check if the form has been sent or if the page was accessed using the GET method. if( filter_input( INPUT_SERVER, "REQUEST_METHOD" ) !== "GET" ) { die(); } $search = filter_input( INPUT_GET, "search" ); // Check if the searh input has been correctly fill if( !isset( $search ) ) { die(); } // Let's return here to prevent open an empty file if( filesize( $file ) <= 0 ) { return; } $openedFile = fopen( $file, "r" ); // I was using the here document option, echo <<<END END; but it didn't work due to my text editor... echo " <table style=\"width: 50%; border-width: 1px;\"> <thead> <tr> <th>&nbsp;</th> <th>vardas</th> <th>nikas</th> <th>pranesimas</th> </tr> </thead> <tbody> "; // Let's save in buffer the current line and then navigate through all of them while( ( $buffer = fgets( $openedFile, 4096 ) ) !== false ) { // Here we check if the line has the searched word if( strpos( $buffer, $search ) !== false ) { $part = explode( "|", $buffer ); echo " <tr> <td>" . $part[0] . "</td> <td>" . $part[1] . "</td> <td>" . $part[2] . "</td> <td>" . $part[3] . "</td> </tr> "; }//.if }//.while echo " </tbody> </table> "; 是Windows Eventlog文件的扩展名。它包含Microsoft设计的特殊二进制格式的数据,因此您不能简单地在文本编辑器中打开它。

是用于读取.evtx的开源工具,而NXLog EE也可以读取.evtx文件。 (免责声明:我与后者有关联。)