import html
from xml.dom import minidom
import Evtx.Evtx as evtx  # python-evtx (pip install python-evtx)

path = r"C:\Windows\Sysnative\winevt\Logs\Security.evtx"
with evtx.Evtx(path) as log:
    for record in log.records():
        # record time as Unix epoch seconds
        timestamp = record.timestamp().timestamp()
        r = {"timestamp": timestamp}
        xml_doc = minidom.parseString(record.xml())
        # Event ID, e.g. 4624 = successful logon, 4625 = failed logon
        id_ = xml_doc.getElementsByTagName('EventID')[0].childNodes[0].data
        r["EventID"] = int(id_)
        # EventData fields: <Data Name="...">value</Data>
        data = xml_doc.getElementsByTagName('Data')
        for d in data:
            name = d.getAttribute('Name')
            # an empty <Data Name="..."/> has no child node; guard before reading it
            value = html.unescape(d.childNodes[0].data) if d.childNodes else ''
            r[name] = value
        print(r)
The Security log is large, so it pays to filter Windows Security.evtx with wevtutil before parsing it:
wevtutil epl Security D:\Security_01.evtx /q:"*[System[(Level=4) and (EventID=4624) and TimeCreated[timediff(@SystemTime) <= 43200000]]]"
This exports, from the Security log, every Level=4 event with EventID 4624 whose TimeCreated lies within the last 12 hours (timediff is measured in milliseconds: 43200000 ms = 12 h) to D:\Security_01.evtx. Change the EventID, the window or the output path as needed. One caveat: Security audit records are written with Level 0 (Log Always) in the event XML, and Event Viewer's own "Information" filter is (Level=4 or Level=0); if the query returns fewer events than expected, widen the Level test the same way.
Note: Security in the command can be swapped for Application, Setup, System or any other log name.
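Putting the two steps together, as an added example that is not part of the original post: the code below parses the same record XML that python-evtx's record.xml() returns, folds the EventData fields into a dict while tolerating the empty <Data/> elements that crash a bare childNodes[0] access, and applies the wevtutil query's selection (EventID 4624, created within the last 12 hours) in Python, which is what you need when the log cannot be pre-filtered with wevtutil. The Security records, host name, account names, addresses and the fixed "now" are constructed for the example; iter_evtx_xml imports python-evtx lazily so the parser runs without it installed.

```python
import html
from datetime import datetime, timedelta, timezone
from xml.dom import minidom


def make_record(event_id, system_time, **data):
    """Constructed Security-channel record in the System/EventData layout of
    Security.evtx. The trailing empty <Data/> is deliberate: real 4624 records
    contain such fields, and they have no child node to read."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID Qualifiers="">{event_id}</EventID><Level>0</Level>'
            f'<TimeCreated SystemTime="{system_time}"/><Channel>Security</Channel>'
            '<Computer>WS01.corp.example</Computer></System>'
            f'<EventData>{fields}<Data Name="TransmittedServices"></Data></EventData>'
            '</Event>')


# Constructed sample set (host, accounts, addresses invented): a recent RDP
# logon, a stale service logon and a recent failed logon.
NOW = datetime(2024, 5, 1, 20, 0, tzinfo=timezone.utc)  # fixed "now" for the example
SAMPLES = [
    make_record(4624, "2024-05-01T10:15:30.1234567Z", TargetUserName="alice",
                TargetDomainName="CORP", LogonType="10", IpAddress="10.0.0.25"),
    make_record(4624, "2024-04-30T06:00:00Z", TargetUserName="svc_backup",
                TargetDomainName="CORP", LogonType="5", IpAddress="-"),
    make_record(4625, "2024-05-01T19:59:00Z", TargetUserName="bob",
                TargetDomainName="CORP", LogonType="3", IpAddress="203.0.113.7"),
]


def parse_system_time(value):
    """Accept SystemTime as Windows writes it (ISO 8601, up to 7 fractional
    digits, trailing Z) or as python-evtx renders it ('2024-05-01 10:15:30.123456');
    strptime's %f rejects 7 digits, so the fraction is handled by hand."""
    value = value.strip().rstrip("Z").replace("T", " ")
    head, _, frac = value.partition(".")
    dt = datetime.strptime(head, "%Y-%m-%d %H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt.replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one event's XML into a dict: System fields plus every
    <Data Name=...> entry; empty elements become '' instead of raising."""
    doc = minidom.parseString(xml_text)

    def text(tag):
        nodes = doc.getElementsByTagName(tag)
        return nodes[0].firstChild.data.strip() if nodes and nodes[0].firstChild else ""

    event = {
        "event_id": int(text("EventID")),
        "level": int(text("Level") or 0),
        "time_created": parse_system_time(
            doc.getElementsByTagName("TimeCreated")[0].getAttribute("SystemTime")),
        "computer": text("Computer"),
        "data": {},
    }
    for d in doc.getElementsByTagName("Data"):
        # minidom already decodes XML entities; unescape only matters for
        # values the producer double-escaped
        value = html.unescape(d.firstChild.data) if d.firstChild else ""
        event["data"][d.getAttribute("Name")] = value
    return event


def select_events(xml_records, now, event_id=4624, window_hours=12):
    """Python form of the wevtutil query: wanted EventID, Information level,
    created within the window. Security audit records carry Level 0
    (Log Always) in the XML, so 0 is accepted alongside 4."""
    window = timedelta(hours=window_hours)
    hits = []
    for xml_text in xml_records:
        ev = parse_event(xml_text)
        if (ev["level"] in (0, 4) and ev["event_id"] == event_id
                and timedelta(0) <= now - ev["time_created"] <= window):
            hits.append(ev)
    return hits


def iter_evtx_xml(path):
    """Record XML from a real .evtx file; python-evtx is imported lazily so
    everything above runs without it installed."""
    import Evtx.Evtx as evtx
    with evtx.Evtx(path) as log:
        for record in log.records():
            yield record.xml()


if __name__ == "__main__":
    for ev in select_events(SAMPLES, NOW):
        d = ev["data"]
        print(ev["time_created"].isoformat(), ev["computer"], ev["event_id"],
              d["TargetDomainName"] + "\\" + d["TargetUserName"],
              "logon type", d["LogonType"], "from", d["IpAddress"])
```

Against a real export, replace SAMPLES with iter_evtx_xml(r"D:\Security_01.evtx") and NOW with datetime.now(timezone.utc); the record dicts keep LogonType and IpAddress, which is what you need to separate interactive and network logons from the service and system ones that dominate a Security log.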