大家有谁知道如何在C:\ Windows \ System32 \ winevt \ Logs中读取事件日志文件,扩展名为.evtx? 我已经尝试使用记事本打开它并使用python读取但记事本表示访问被拒绝... 有谁知道怎么做?提前谢谢..
答案 0 :(得分:1)
这是您从事件查看器中读取文件“转发的事件”的方式。您需要管理员访问权限,所以我会以管理员身份运行它,但如果您不这样做,我会提示您输入密码。
import win32evtlog
import xml.etree.ElementTree as ET
import ctypes
import sys
def is_admin():
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
if is_admin():
# open event file
query_handle = win32evtlog.EvtQuery(
'C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx',
win32evtlog.EvtQueryFilePath)
read_count = 0
a = 1
while a == 1:
a += 1
# read 1 record(s)
events = win32evtlog.EvtNext(query_handle, 1)
read_count += len(events)
# if there is no record break the loop
if len(events) == 0:
break
for event in events:
xml_content = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
# parse xml content
xml = ET.fromstring(xml_content)
# xml namespace, root element has a xmlns definition, so we have to use the namespace
ns = '{http://schemas.microsoft.com/win/2004/08/events/event}'
substatus = xml[1][9].text
event_id = xml.find(f'.//{ns}EventID').text
computer = xml.find(f'.//{ns}Computer').text
channel = xml.find(f'.//{ns}Channel').text
execution = xml.find(f'.//{ns}Execution')
process_id = execution.get('ProcessID')
thread_id = execution.get('ThreadID')
time_created = xml.find(f'.//{ns}TimeCreated').get('SystemTime')
#data_name = xml.findall('.//EventData')
#substatus = data_name.get('Data')
#print(substatus)
event_data = f'Time: {time_created}, Computer: {computer}, Substatus: {substatus}, Event Id: {event_id}, Channel: {channel}, Process Id: {process_id}, Thread Id: {thread_id}'
print(event_data)
user_data = xml.find(f'.//{ns}UserData')
# user_data has possible any data
else:
ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, " ".join(sys.argv), None, 1)
input()
答案 1 :(得分:0)
// Check if the form has been sent or if the page was accessed using the GET method.
if( filter_input( INPUT_SERVER, "REQUEST_METHOD" ) !== "GET" ) {
die();
}
$search = filter_input( INPUT_GET, "search" );
// Check if the searh input has been correctly fill
if( !isset( $search ) ) {
die();
}
// Let's return here to prevent open an empty file
if( filesize( $file ) <= 0 ) {
return;
}
$openedFile = fopen( $file, "r" );
// I was using the here document option, echo <<<END END; but it didn't work due to my text editor...
echo "
<table style=\"width: 50%; border-width: 1px;\">
<thead>
<tr>
<th> </th>
<th>vardas</th>
<th>nikas</th>
<th>pranesimas</th>
</tr>
</thead>
<tbody>
";
// Let's save in buffer the current line and then navigate through all of them
while( ( $buffer = fgets( $openedFile, 4096 ) ) !== false ) {
// Here we check if the line has the searched word
if( strpos( $buffer, $search ) !== false ) {
$part = explode( "|", $buffer );
echo "
<tr>
<td>" . $part[0] . "</td>
<td>" . $part[1] . "</td>
<td>" . $part[2] . "</td>
<td>" . $part[3] . "</td>
</tr>
";
}//.if
}//.while
echo "
</tbody>
</table>
";
是Windows Eventlog文件的扩展名。它包含Microsoft设计的特殊二进制格式的数据,因此您不能简单地在文本编辑器中打开它。
是用于读取.evtx的开源工具,而NXLog EE也可以读取.evtx文件。 (免责声明:我与后者有关联。)