Windows 日志模块安装
pip install python-evtx
Windows 日志解析源码
源码
import mmap
import contextlib
from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view
from xml.dom import minidom
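# UserData child elements that are copied into the result when present.
_USERDATA_TAGS = ('ServerName', 'UserName', 'Param1')


def _node_text(node):
    """Return the text of *node*'s first child, or '' when it has none or it is not text."""
    child = node.firstChild
    if child is None:
        return ''
    # nodeValue is the text for Text/CDATA nodes and None for element children,
    # so a <Data> wrapping nested elements no longer raises AttributeError.
    return child.nodeValue or ''


def _first_text(domtree, tag):
    """Return the text of the first <tag> element, or '' if it is absent or empty."""
    nodes = domtree.getElementsByTagName(tag)
    return _node_text(nodes[0]) if nodes else ''


def _first_attr(domtree, tag, attr):
    """Return attribute *attr* of the first <tag> element, or '' if the element is absent."""
    nodes = domtree.getElementsByTagName(tag)
    return nodes[0].getAttribute(attr) if nodes else ''


def _record_to_dict(xml):
    """Flatten one event record's XML string into a dict of string fields.

    NOTE(review): the XML is rendered from the log file under analysis, i.e. from
    data whose producer is not trusted; it is parsed with the stdlib expat-based
    minidom exactly as the original did — confirm that is acceptable for the
    inputs you expect.
    """
    domtree = minidom.parseString(xml)
    content_dict = {}
    # Standard event information (System)
    content_dict['Channel'] = _first_text(domtree, 'Channel')
    # The last 7 characters of SystemTime are dropped as in the original
    # parser — presumably the sub-second fraction; verify against the rendered XML.
    content_dict['SystemTime'] = _first_attr(domtree, 'TimeCreated', 'SystemTime')[:-7]
    content_dict['EventID'] = _first_text(domtree, 'EventID')
    content_dict['Level'] = _first_text(domtree, 'Level')
    content_dict['UserID'] = _first_attr(domtree, 'Security', 'UserID')
    content_dict['ProcessID'] = _first_attr(domtree, 'Execution', 'ProcessID')
    content_dict['Computer'] = _first_text(domtree, 'Computer')
    # Event details (EventData): one key per non-empty <Data Name="..."> element
    for data in domtree.getElementsByTagName('Data'):
        if data.childNodes:
            content_dict['EventData_' + data.getAttribute('Name')] = _node_text(data)
    # User data (UserData): only the tags that actually occur in this record
    for tag in _USERDATA_TAGS:
        nodes = domtree.getElementsByTagName(tag)
        if nodes:
            content_dict['UserData_' + tag] = _node_text(nodes[0])
    return content_dict


def log_get(evtxpath):
    """Parse a Windows .evtx file and return one dict per event record.

    Each dict holds the System fields Channel, SystemTime, EventID, Level,
    UserID, ProcessID and Computer, every non-empty ``<Data Name=...>`` element
    as ``EventData_<Name>`` and, when present, the tags in ``_USERDATA_TAGS``
    as ``UserData_<Tag>``. Missing or empty System elements yield '' instead
    of raising.

    Args:
        evtxpath: path of the .evtx file to read.

    Returns:
        list[dict[str, str]]: parsed records in file order (the original
        appended to an undefined ``content_list`` and returned nothing).

    Raises:
        OSError: if the file cannot be opened or memory-mapped.
    """
    content_list = []
    # Binary mode: the file is memory-mapped, so no text decoding may be involved.
    with open(evtxpath, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0)
            # python-evtx renders every record as an XML string; the record object is unused.
            for xml, _record in evtx_file_xml_view(fh):
                content_list.append(_record_to_dict(xml))
    # The `with` blocks close the mapping and the file; no explicit f.close() is needed.
    return content_list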
# Sample invocation: parse the Security log under ./evt, relative to the working directory.
log_get('./evt/Security.evtx')
解析
代码中的每个部分与事件查看器中 XML 形式的内容都是一一对应的，如下图所示：