Open Specific Event logs using win32evtlog Python
I want to open a specific Windows event log, the one named "Microsoft-Windows-TerminalServices-LocalSessionManager". I used this code:

import win32evtlog

server = 'localhost'  # name of the target computer to get event logs
# raw string so the backslashes in the registry path are not treated as escapes
logtype = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Microsoft-Windows-TerminalServices-LocalSessionManager'
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_SEQUENTIAL_READ | win32evtlog.EVENTLOG_FORWARDS_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
while True:
    events = win32evtlog.ReadEventLog(hand, flags, 0)
    if not events:
        break  # ReadEventLog returns an empty list once the log is exhausted
    for event in events:
        print('Event Category:', event.EventCategory)
        print('Time Generated:', event.TimeGenerated)
        print('Source Name:', event.SourceName)
        print('Event ID:', event.EventID)
        print('Event Type:', event.EventType)
        data = event.StringInserts
        if data:
            print('Event Data:')
            for msg in data:
                print(msg)
win32evtlog.CloseEventLog(hand)
But it doesn't work: this code opens the "System" log instead of "Microsoft-Windows-TerminalServices-LocalSessionManager".
Why doesn't it work? And if this is not a bug but a feature, how is this log supposed to be read?
Thanks for your answers.
You can only use first-level subkeys, such as Application, HardwareEvents, Internet Explorer, System, etc.

"sourceName specifies the name of the source that the returned handle will reference. The source name must be a subkey of a logfile entry under the EventLog key in the registry." (win32evtlog.OpenEventLog)

"If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file." (OpenEventLogA function (winbase.h))

But you can use the win32evtlog.EvtQuery function to get the events.

Note: if you get an Access Denied error, try running it with Run as Administrator.
import win32evtlog
import xml.etree.ElementTree as ET

# open the event file directly; the '/' in the channel name is written as '%4' in the file name on disk
query_handle = win32evtlog.EvtQuery(
    r'C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx',
    win32evtlog.EvtQueryFilePath)

read_count = 0
while True:
    # read up to 100 records
    events = win32evtlog.EvtNext(query_handle, 100)
    read_count += len(events)
    # if there are no more records, break the loop
    if len(events) == 0:
        break
    for event in events:
        xml_content = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
        # print(xml_content)
        # parse xml content
        xml = ET.fromstring(xml_content)
        # xml namespace: the root element carries an xmlns definition, so every tag must be qualified with it
        ns = '{http://schemas.microsoft.com/win/2004/08/events/event}'
        event_id = xml.find(f'.//{ns}EventID').text
        level = xml.find(f'.//{ns}Level').text
        channel = xml.find(f'.//{ns}Channel').text
        execution = xml.find(f'.//{ns}Execution')
        process_id = execution.get('ProcessID')
        thread_id = execution.get('ThreadID')
        time_created = xml.find(f'.//{ns}TimeCreated').get('SystemTime')
        print(f'Time: {time_created}, Level: {level} Event Id: {event_id}, Channel: {channel}, Process Id: {process_id}, Thread Id: {thread_id}')
        user_data = xml.find(f'.//{ns}UserData')
        # user_data can hold arbitrary provider-specific elements
print(f'Read {read_count} records')
Output:
Time: 2020-12-20T10:47:53.3790439Z, Level: 4 Event Id: 32, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1496
Time: 2020-12-20T10:47:57.5636553Z, Level: 4 Event Id: 41, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1504
Time: 2020-12-20T10:47:57.5662431Z, Level: 4 Event Id: 42, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1504
Time: 2020-12-20T10:48:26.9395585Z, Level: 4 Event Id: 21, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1512
Time: 2020-12-20T10:48:27.0466986Z, Level: 4 Event Id: 22, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 10212
Read 823 records
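The answer stops at the <System> fields and leaves <UserData> unparsed, which is where this channel keeps the fields an analyst actually wants (user, session ID and client address of an RDP session). The following is an added example, not code from the question or the answer: it keeps the same EvtQuery / EvtNext / EvtRender flow but opens the live channel by name with EvtQueryChannelPath (which, unlike OpenEventLog, accepts any channel), flattens the provider payload by local element name, and runs a small check over the parsed records. It assumes the element names inside <UserData> (EventXML, User, SessionID, Address) and that IDs 21 and 24 mean session logon and session disconnect for this provider; the sample records are constructed by hand, not captured from a host. On a non-Windows machine win32evtlog is absent and only the offline parsing runs.

```python
"""Read a named channel with win32evtlog and decode its <UserData> payload.

Added example (not from the question or answer). Assumptions: the UserData
element names EventXML/User/SessionID/Address, and ID 21 = session logon,
ID 24 = session disconnect. SAMPLE_EVENTS below are constructed, not captured.
"""
import ipaddress
import xml.etree.ElementTree as ET

try:
    import win32evtlog  # pywin32, Windows only
except ImportError:
    win32evtlog = None

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text):
    """Flatten one EvtRender() XML document into a dict.

    <System> fields come from the standard event namespace. Payload children
    under <UserData> (this channel) or <EventData> (most other channels) are
    copied by local name, whatever namespace the provider declares.
    """
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVENT_NS}System")
    rec = {
        "event_id": int(system.find(f"{EVENT_NS}EventID").text),
        "level": int(system.find(f"{EVENT_NS}Level").text),
        "channel": system.find(f"{EVENT_NS}Channel").text,
        "time": system.find(f"{EVENT_NS}TimeCreated").get("SystemTime"),
        "computer": system.find(f"{EVENT_NS}Computer").text,
    }
    user_data = root.find(f"{EVENT_NS}UserData")
    if user_data is not None:
        for payload in user_data:          # e.g. <EventXML xmlns="Event_NS">
            for child in payload:
                rec[_local(child.tag)] = (child.text or "").strip()
    event_data = root.find(f"{EVENT_NS}EventData")
    if event_data is not None:
        for data in event_data.findall(f"{EVENT_NS}Data"):
            rec[data.get("Name", "Data")] = (data.text or "").strip()
    return rec


def rdp_logons_from_outside(records, internal=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return (user, address, time) for ID 21 logons whose client address lies
    outside the given internal ranges. Console sessions carry 'LOCAL' instead
    of an IP and are skipped, as are loopback addresses."""
    nets = [ipaddress.ip_network(n) for n in internal]
    hits = []
    for rec in records:
        if rec["event_id"] != 21:
            continue
        try:
            addr = ipaddress.ip_address(rec.get("Address", ""))
        except ValueError:
            continue
        if addr.is_loopback or any(addr in n for n in nets):
            continue
        hits.append((rec.get("User"), str(addr), rec["time"]))
    return hits


def iter_channel(channel=CHANNEL, xpath="*[System[EventID=21]]", batch=100):
    """Yield parsed records from a live channel (Windows only). The XPath
    filter is applied by the event service before records are rendered."""
    if win32evtlog is None:
        raise RuntimeError("win32evtlog (pywin32) is only available on Windows")
    handle = win32evtlog.EvtQuery(channel, win32evtlog.EvtQueryChannelPath, xpath)
    while True:
        events = win32evtlog.EvtNext(handle, batch)
        if not events:
            return
        for ev in events:
            yield parse_event(win32evtlog.EvtRender(ev, win32evtlog.EvtRenderEventXml))


# Constructed samples shaped like this channel's rendered XML (not real captures).
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/>
    <EventID>{eid}</EventID><Level>4</Level>
    <TimeCreated SystemTime="{time}"/>
    <Channel>{chan}</Channel><Computer>WS01</Computer>
    <Execution ProcessID="1476" ThreadID="1512"/>
  </System>
  <UserData><EventXML xmlns="Event_NS">
    <User>{user}</User><SessionID>{sid}</SessionID><Address>{addr}</Address>
  </EventXML></UserData>
</Event>"""

SAMPLE_EVENTS = [
    _TEMPLATE.format(eid=21, time="2020-12-20T10:48:26.9395585Z", chan=CHANNEL,
                     user="CORP\\alice", sid=2, addr="203.0.113.7"),  # logon from outside
    _TEMPLATE.format(eid=21, time="2020-12-20T11:02:10.0000000Z", chan=CHANNEL,
                     user="CORP\\bob", sid=3, addr="10.0.0.5"),  # logon from inside
    _TEMPLATE.format(eid=24, time="2020-12-20T11:30:00.0000000Z", chan=CHANNEL,
                     user="CORP\\alice", sid=2, addr="203.0.113.7"),  # disconnect, not a logon
    _TEMPLATE.format(eid=21, time="2020-12-20T12:00:00.0000000Z", chan=CHANNEL,
                     user="WS01\\admin", sid=1, addr="LOCAL"),  # console session
]

if __name__ == "__main__":
    records = [parse_event(x) for x in SAMPLE_EVENTS]
    for user, addr, when in rdp_logons_from_outside(records):
        print(f"{when} RDP logon for {user} from {addr}")
```

On a Windows host replace the sample list with `list(iter_channel())` to run the same check against the live channel; the XPath filter `*[System[EventID=21]]` lets the service discard everything but logon records before they are rendered, which matters on a busy terminal server where this channel holds far more than the 823 records shown above.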