FAQ or HOWTO on windows event logs

Rudy Schockaert rudy.schockaert at pandoraSTOPSPAM.be
Sat Dec 6 12:17:28 EST 2003


David Bear wrote:
> I would like to develop some tools to better understand/analyze
> Windows event logs.  What I've done is export the event log as a
> delimited file, then try to use awk or python to parse the info.
> There must be an easier way...  The format of the event changes with
> the event, so it seems impossible to write a generalized parser.
> 
> I guess I'm looking for tricks -- recommendations on what others have
> found to be effective ways to deal with Windows event log data.  My
> goal would be to get the data in a format where I can run correlations
> on events.  For example, I would like to see when a system event (a
> DCOM buffer overflow) occurs and then see if an event in the
> application log like a crashed OCX occurred at the same
> time.. Obviously this is for intrusion analysis... 
> 
> Any advice?
Have you had a look at Mark Hammond's Win32all? There is a module called 
win32evtlog that you can use to dump the Windows event logs. You already 
have the data in a comfortable format there.
Here's an example:

import win32evtlog, win32security
from win32evtlogutil import SafeFormatMessage

def ReadLog(computer, logType="Application", dumpEachRecord=0):
    # read the entire log back, newest record first.
    h = win32evtlog.OpenEventLog(computer, logType)
    numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
    print "There are %d records" % numRecords

    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    num = 0
    while 1:
        # ReadEventLog returns a batch of records; an empty batch means end of log.
        objects = win32evtlog.ReadEventLog(h, flags, 0)
        if not objects:
            break
        for object in objects:
            # format the message for testing purposes, but don't print it unless asked.
            msg = SafeFormatMessage(object, logType).encode("mbcs")
            if object.Sid is not None:
                try:
                    domain, user, typ = win32security.LookupAccountSid(computer, object.Sid)
                    sidDesc = "%s/%s" % (domain, user)
                except win32security.error:
                    # SID cannot be resolved (e.g. deleted account); fall back to the raw SID.
                    sidDesc = str(object.Sid)
                user_desc = "Event associated with user %s" % (sidDesc,)
            else:
                user_desc = None
            if dumpEachRecord:
                if user_desc:
                    print user_desc
                print msg
        num = num + len(objects)

    if numRecords == num:
        print "Successfully read all", numRecords, "records"
    else:
        print "Couldn't get all records - reported %d, but found %d" % (numRecords, num)
        print "(Note that some other app may have written records while we were running!)"
    win32evtlog.CloseEventLog(h)


logType = "Application"
computer = None # use local machine
verbose = 1
ReadLog(computer, logType, verbose > 0)
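The correlation David asked about (a System-log event followed within seconds by an Application-log crash) can also be done on the delimited exports he already has. The following Python 3 example is added here and is not part of either message; the tab-separated column order and the sample records are constructed for the example, not taken from a real export.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample exports. The column order is an assumption modelled on
# Event Viewer's tab-delimited "Save as" text export; the records are made up.
SYSTEM_LOG = """\
12/6/2003\t11:02:15\tDCOM\tError\tNone\t10010\tN/A\tWKS01\tThe server did not register with DCOM within the required timeout.
12/6/2003\t11:40:02\tService Control Manager\tInformation\tNone\t7036\tN/A\tWKS01\tThe Print Spooler service entered the running state.
"""
APPLICATION_LOG = """\
12/6/2003\t11:02:17\tApplication Error\tError\tNone\t1000\tN/A\tWKS01\tFaulting application svchost.exe, faulting module rpcss.dll.
12/6/2003\t11:30:44\tMsiInstaller\tInformation\tNone\t11707\tuser1\tWKS01\tProduct installed successfully.
"""
COLUMNS = ["date", "time", "source", "type", "category",
           "event_id", "user", "computer", "description"]

def parse_export(text, log_name):
    """Turn one tab-delimited export into dicts with a real timestamp."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter="\t"):
        rec = dict(zip(COLUMNS, row))
        rec["log"] = log_name
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%m/%d/%Y %H:%M:%S")
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records

def correlate(trigger_records, other_records, window_seconds=5):
    """For each trigger record, collect other-log records within +/- window."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for trig in trigger_records:
        nearby = [r for r in other_records if abs(r["ts"] - trig["ts"]) <= window]
        if nearby:
            hits.append((trig, nearby))
    return hits

def find_dcom_crash_pairs(system_text, application_text, window_seconds=5):
    """DCOM errors in the System log paired with Application-log errors nearby."""
    sys_recs = [r for r in parse_export(system_text, "System")
                if r["source"] == "DCOM"]
    app_recs = [r for r in parse_export(application_text, "Application")
                if r["type"] == "Error"]
    return correlate(sys_recs, app_recs, window_seconds)
```

Tightening `window_seconds` is the usual way to cut false pairings on busy hosts; on the sample data a 1-second window yields no match.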

