FAQ or HOWTO on windows event logs
Rudy Schockaert
rudy.schockaert at pandoraSTOPSPAM.be
Sat Dec 6 12:17:28 EST 2003
David Bear wrote:
> I would like to develop some tools to better understand/analyze
> windows event logs. What I've done is export the event log as a
> delimited file, then try to use awk or python to parse the info.
> There must be an easier way... The format of the event changes with
> the event, so it seems impossible to write a generalized parser.
>
> I guess I'm looking for tricks -- recommendations on what others have
> found to be effective ways to deal with windows event log data. My
> goal would be to get the data in a format where I can run correlations
> on events. For example, I would like to see when a system event (a
> dcom buffer overflow) occurs and then see if an event in the
> application log like a crashed ocx occurred at the same
> time.. Obviously this is for intrusion analysis...
>
> Any advice?
Have you had a look at Mark Hammond's Win32all? There is a module called
win32evtlog that you can use to dump the windows eventlogs. You already
have the data in a comfortable format there.
Here's an example:
import win32evtlog, win32security
from win32evtlogutil import *

def ReadLog(computer, logType="Application", dumpEachRecord = 0):
    # read the entire log back.
    h=win32evtlog.OpenEventLog(computer, logType)
    numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
    print "There are %d records" % numRecords
    num=0
    while 1:
        # each call returns a batch of records; an empty list means end of log
        objects = win32evtlog.ReadEventLog(h,
            win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
        if not objects:
            break
        for object in objects:
            # get it for testing purposes, but dont print it.
            msg = SafeFormatMessage(object, logType).encode("mbcs")
            if object.Sid is not None:
                try:
                    domain, user, typ = \
                        win32security.LookupAccountSid(computer, object.Sid)
                    sidDesc = "%s/%s" % (domain, user)
                except win32security.error:
                    # SID could not be resolved (e.g. deleted account); keep the raw SID
                    sidDesc = str(object.Sid)
                user_desc = "Event associated with user %s" % (sidDesc,)
            else:
                user_desc = None
            if dumpEachRecord:
                if user_desc:
                    print user_desc
                print msg
        num = num + len(objects)
    if numRecords == num:
        print "Successfully read all", numRecords, "records"
    else:
        print "Couldn't get all records - reported %d, but found %d" % \
            (numRecords, num)
        print "(Note that some other app may have written records while we were running!)"
    win32evtlog.CloseEventLog(h)

logType = "Application"
computer = None # use local machine
verbose = 1
ReadLog(computer, logType, verbose > 0)
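The correlation the original question asks for (a System log event followed within a short window by an Application log event) can be built on top of the records win32evtlog returns. The following is an added example, not code from the post or from pywin32: it normalizes records from any log into one flat schema, masks the EventID down to the 16-bit value Event Viewer shows, and pairs trigger events with candidate events from another log inside a time window. The Record namedtuple and the SYSTEM_LOG/APP_LOG data are constructed stand-ins with the same attribute names as real PyEventLogRecord objects, so the example runs off Windows; the source names and event IDs in them are illustrative, not a claim about what any real Windows component logs. read_log() uses only the win32evtlog calls shown above and assumes a current pywin32 where TimeGenerated is a datetime subclass.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Stand-in for the PyEventLogRecord objects that win32evtlog.ReadEventLog
# returns.  Attribute names match the real ones; the instances below are
# constructed sample data, not output captured from a real machine.
Record = namedtuple("Record", "TimeGenerated EventID SourceName StringInserts")

# Constructed System log: two DCOM errors and one unrelated service event.
SYSTEM_LOG = [
    Record(datetime(2003, 12, 6, 12, 0, 5), 0xC0000000 | 1005, "DCOM", ("constructed",)),
    Record(datetime(2003, 12, 6, 12, 0, 9), 0x40000000 | 7036, "Service Control Manager", ("Spooler", "running")),
    Record(datetime(2003, 12, 6, 12, 30, 0), 0xC0000000 | 1005, "DCOM", ("constructed",)),
]

# Constructed Application log: a crash shortly after the first DCOM error,
# an installer message in the same window, and a crash with no System
# counterpart.
APP_LOG = [
    Record(datetime(2003, 12, 6, 12, 0, 12), 0xC0000000 | 1000, "Application Error", ("foo.exe", "bar.ocx")),
    Record(datetime(2003, 12, 6, 12, 0, 20), 0x40000000 | 11707, "MsiInstaller", ("constructed",)),
    Record(datetime(2003, 12, 6, 12, 45, 0), 0xC0000000 | 1000, "Application Error", ("baz.exe", "qux.dll")),
]


def normalize(record, log_type):
    """Flatten one record into a log-independent dict.

    pywin32 exposes the full 32-bit EventID, whose high word carries the
    severity/facility bits; Event Viewer and vendor documentation show only
    the low 16 bits, so mask before comparing against documented IDs.
    """
    return {
        "log": log_type,
        "time": record.TimeGenerated,
        "event_id": record.EventID & 0xFFFF,
        "source": record.SourceName,
        "inserts": tuple(record.StringInserts or ()),
    }


def correlate(trigger_events, candidate_events, window=timedelta(seconds=30)):
    """Pair each trigger with candidates from another log within +/- window.

    Inputs are normalized dicts.  Both sides are sorted by time so each
    trigger only scans its neighbourhood; the left edge never moves back.
    """
    candidates = sorted(candidate_events, key=lambda e: e["time"])
    pairs = []
    lo = 0
    for trig in sorted(trigger_events, key=lambda e: e["time"]):
        start, end = trig["time"] - window, trig["time"] + window
        # candidates before 'start' cannot match this or any later trigger
        while lo < len(candidates) and candidates[lo]["time"] < start:
            lo += 1
        hits = []
        i = lo
        while i < len(candidates) and candidates[i]["time"] <= end:
            hits.append(candidates[i])
            i += 1
        if hits:
            pairs.append((trig, hits))
    return pairs


def find_dcom_crashes(system_log=SYSTEM_LOG, app_log=APP_LOG, window=timedelta(seconds=30)):
    """System-log DCOM events paired with Application events in the window."""
    triggers = [n for n in (normalize(r, "System") for r in system_log) if n["source"] == "DCOM"]
    candidates = [normalize(r, "Application") for r in app_log]
    return correlate(triggers, candidates, window)


def read_log(computer=None, log_type="System"):
    """Read a live log into normalized dicts (Windows + pywin32 only).

    Assumption: current pywin32, where TimeGenerated is a datetime subclass,
    so the records compare cleanly inside correlate().
    """
    import win32evtlog  # local import so the rest of the module runs anywhere
    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    h = win32evtlog.OpenEventLog(computer, log_type)
    try:
        out = []
        while True:
            batch = win32evtlog.ReadEventLog(h, flags, 0)
            if not batch:  # empty batch means the whole log has been read
                break
            out.extend(normalize(r, log_type) for r in batch)
        return out
    finally:
        win32evtlog.CloseEventLog(h)


if __name__ == "__main__":
    for trig, hits in find_dcom_crashes():
        print("%s %s %d" % (trig["time"], trig["source"], trig["event_id"]))
        for h in hits:
            print("    -> %s %s %d %s" % (h["time"], h["source"], h["event_id"], h["inserts"]))
```

On a real machine, replace the constructed lists with read_log(None, "System") and read_log(None, "Application"); the window size is the tuning knob, and the event_id mask is what lets the normalized records be matched against IDs taken from documentation or Event Viewer.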