473,386 Members | 1,606 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > python > questions > faq or howto on windows event logs

Join Bytes to post your question to a community of 473,386 software developers and data experts.

FAQ or HOWTO on windows event logs


I would like to develop some tools to better understand/analyze
windows event logs. What I've done is export the event log as a
delimited file, then try to use awk or python to parse the info.
There must be an easier way... The format of the event changes with
the event, so it seems impossible to write a generalized parser.

I guess i'm look for tricks -- recommendations on what others have
found to be effective ways to deal with windows events log data. My
goal would be to get the data in a format where I can run correlations
on events. For example, I would like to see when a system event (a
dcom buffer overflow) occurs and then see if an event in the
application log like a crashed ocx occurred at the same
time.. Obviously this is for intrusion analysis...

Any advice?
Jul 18 '05 #1
1 3719
David Bear wrote:
I would like to develop some tools to better understand/analyze
windows event logs. What I've done is export the event log as a
delimited file, then try to use awk or python to parse the info.
There must be an easier way... The format of the event changes with
the event, so it seems impossible to write a generalized parser.

I guess i'm look for tricks -- recommendations on what others have
found to be effective ways to deal with windows events log data. My
goal would be to get the data in a format where I can run correlations
on events. For example, I would like to see when a system event (a
dcom buffer overflow) occurs and then see if an event in the
application log like a crashed ocx occurred at the same
time.. Obviously this is for intrusion analysis...

Any advice?

Have you had a look at Mark Hammond's Win32all? There is a module called
win32evtlog that you can use to dump the windows eventlogs. You already
have the data in a comfortable format there.
Here's an example:

import win32evtlog, win32security
from win32evtlogutil import *

def ReadLog(computer, logType="Application", dumpEachRecord = 0):
# read the entire log back.
h=win32evtlog.OpenEventLog(computer, logType)
numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
print "There are %d records" % numRecords

num=0
while 1:
objects = win32evtlog.ReadEventLog(h,
win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EV ENTLOG_SEQUENTIAL_READ, 0)
if not objects:
break
for object in objects:
# get it for testing purposes, but dont print it.
msg = SafeFormatMessage(object, logType).encode("mbcs")
if object.Sid is not None:
try:
domain, user, typ =
win32security.LookupAccountSid(computer, object.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error:
sidDesc = str(object.Sid)
user_desc = "Event associated with user %s" % (sidDesc,)
else:
user_desc = None
if dumpEachRecord:
if user_desc:
print user_desc
print msg
num = num + len(objects)

if numRecords == num:
print "Successfully read all", numRecords, "records"
else:
print "Couldn't get all records - reported %d, but found %d" %
(numRecords, num)
print "(Note that some other app may have written records while
we were running!)"
win32evtlog.CloseEventLog(h)
logType = "Application"
computer = None # use local machine
verbose = 1
ReadLog(computer, logType, verbose > 0)
Jul 18 '05 #2
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
parsing windows event files
by: David Bear | last post by:
I did a cursory look at google but couldn't seem to find what I wanted. I need a script that can parse and create a proper record structure for windows event logs that are saved as tab delimited...
Python
7
windows service... when do we need installer
by: sidd | last post by:
Hi All, i have some doubts on .net windows services.. please see if some one could help me understand this.. 1)is it possible to install a windows service which does not have a installer added...
.NET Framework
5
Monitoring windows service
by: Wally | last post by:
Hi Hi need to monitoring my windows service written in VB NET. How can my monitor application "feel" that my service has made something? Is the only way a polling (for example on a Db table)?...
.NET Framework
11
Howto obfuscate OBJECT code (and not source code)?
by: Matt | last post by:
I have object/machine code in static library (written and compiled using C++) that I wish to make difficult to reverse-engineer. I am told by others that some could reverse-engineer this...
C / C++
5
Windows Services
by: Eric | last post by:
Hi I built a service that watch file in a directory. I use a simple filewatcher and add a handler to do something when a file is created. I have the following problem. I can build it, I can...
Visual Basic .NET
27
Windows Service - Event Log
by: pisquem | last post by:
I am building an windows service that is to be deployed on a windows server 2003 and I want to have activity written to the event log, I want its own log called ('CustomLog') Below is what I...
C# / C Sharp
7
PHP in Windows. Can I read from the Event Log?
by: sergio-p | last post by:
I had no luck in my google search for this answer. Does anyone know if it's possible to read the entries in the Windows Event Log of the server running my PHP page? I'm trying to create an itranet...
PHP
3
How to start/stop windows service on a remote machine?
by: Goran Djuranovic | last post by:
Hi all, I have a web app running on a local PC that can start and stop windows service on a remote machine, but only when I browse to it locally. If I browse to it from my other PC and try to...
ASP.NET
2
EventLog class / Windows event logs
by: Zytan | last post by:
What's a Window event log? EventLog documentation basically assumes the reader knows what it is. It says the following: http://msdn2.microsoft.com/en-us/library/system.diagnostics.eventlog.aspx...
C# / C Sharp
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!