74 lines
2.3 KiB
Python
74 lines
2.3 KiB
Python
from __future__ import absolute_import
|
|
import win32evtlog
|
|
import win32con
|
|
import win32evtlogutil
|
|
import winerror
|
|
import datetime
|
|
import random
|
|
import string
|
|
|
|
|
|
def get_eventlog(logtype, last_n_days):
|
|
|
|
start_time = datetime.datetime.now() - datetime.timedelta(days=last_n_days)
|
|
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
|
|
|
|
status_dict = {
|
|
win32con.EVENTLOG_AUDIT_FAILURE: "AUDIT_FAILURE",
|
|
win32con.EVENTLOG_AUDIT_SUCCESS: "AUDIT_SUCCESS",
|
|
win32con.EVENTLOG_INFORMATION_TYPE: "INFO",
|
|
win32con.EVENTLOG_WARNING_TYPE: "WARNING",
|
|
win32con.EVENTLOG_ERROR_TYPE: "ERROR",
|
|
0: "INFO",
|
|
}
|
|
|
|
computer = "localhost"
|
|
hand = win32evtlog.OpenEventLog(computer, logtype)
|
|
log = []
|
|
|
|
try:
|
|
events = 1
|
|
while events:
|
|
events = win32evtlog.ReadEventLog(hand, flags, 0)
|
|
for ev_obj in events:
|
|
|
|
the_time = ev_obj.TimeGenerated.Format()
|
|
time_obj = datetime.datetime.strptime(the_time, "%c")
|
|
if time_obj < start_time:
|
|
break
|
|
computer = str(ev_obj.ComputerName)
|
|
src = str(ev_obj.SourceName)
|
|
evt_type = str(status_dict[ev_obj.EventType])
|
|
evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID))
|
|
evt_category = str(ev_obj.EventCategory)
|
|
record = str(ev_obj.RecordNumber)
|
|
msg = str(win32evtlogutil.SafeFormatMessage(ev_obj, logtype))
|
|
|
|
event_dict = {
|
|
"computer": computer,
|
|
"source": src,
|
|
"eventType": evt_type,
|
|
"eventID": evt_id,
|
|
"eventCategory": evt_category,
|
|
"message": msg,
|
|
"time": the_time,
|
|
"record": record,
|
|
"uid": "".join(
|
|
[
|
|
random.choice(string.ascii_letters + string.digits)
|
|
for n in range(60)
|
|
]
|
|
),
|
|
}
|
|
|
|
log.append(event_dict)
|
|
|
|
if time_obj < start_time:
|
|
break
|
|
|
|
except Exception as e:
|
|
pass
|
|
|
|
win32evtlog.CloseEventLog(hand)
|
|
return log
|