【Title】: Is it possible to get windows logs in real time in python?
【Posted】: 2020-06-15 14:47:01
【Description】:

I want to get Windows logs in real time for analysis. I googled a bit and came up with this.

import win32evtlog  # requires pywin32 pre-installed

server = 'localhost'  # name of the target computer to get event logs
logtype = 'System'  # 'Application' # 'Security' System
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)

while True:
    events = win32evtlog.ReadEventLog(hand, flags, 0)
    if not events:
        # ReadEventLog returns an empty list once the whole log has been read
        break
    for event in events:
        print('Event Category:', event.EventCategory)
        print('Time Generated:', event.TimeGenerated)
        print('Source Name:', event.SourceName)
        print('Event ID:', event.EventID)
        print('Event Type:', event.EventType)
        data = event.StringInserts
        if data:
            print('Event Data:')
            for msg in data:
                print(msg)

win32evtlog.CloseEventLog(hand)

What this does is print every log entry from the beginning up to the moment the code runs. Is it possible to keep monitoring and print the logs as new ones arrive?

【Comments】:

  • This method is probably what you want: github.com/wuxc/pywin32doc/blob/master/md/… (I found it via help(win32evtlog), looking for anything related to subscribing/registering for events)
  • @nitzel Could you elaborate on your statement? I'm fairly new to this area.
  • You call that method, and one of its arguments is a callback, a function that is invoked whenever a new event is logged. You'll have to work out the exact arguments yourself or search for examples using that method.
  • Here is more information on the underlying Windows function: docs.microsoft.com/en-us/windows/win32/api/winevt/… It says that to end the subscription you need to call EvtClose on the value returned by EvtSubscribe.

Tags: python windows logging


【Answer 1】:

The python docs are here, but they're not much help, so I also looked at the Microsoft C++ Docs, which have a sample.

I don't know how to get, from the event handle, the kind of object you receive from win32evtlog.ReadEventLog, but the library can render the event as XML, so with an XML parser you should be able to extract all the information you need:

import win32evtlog
import pprint
import sys
import time

# Subscribes to and logs 'application' events
# To manually fire a new event, open an admin console and type: (replace 125 with any other ID that suits you)
#   eventcreate.exe /L "application" /t warning /id 125 /d "This is a test warning"

# event_context can be `None` if not required, this is just to demonstrate how it works
event_context = {"info": "this object is always passed to your callback"}
# Event log source to listen to
event_source = 'application'

def new_logs_event_handler(reason, context, evt):
    """
    Called when new events are logged.

    reason - EvtSubscribeActionDeliver (1) when evt is a delivered event,
             EvtSubscribeActionError (0) when the subscription hit an error
    context - context the event handler was registered with
    evt - event handle
    """
    # Just print some information about the event
    print('reason', reason, 'context', context, 'event handle', evt)

    # Render event to xml, maybe there's a way of getting an object but I didn't find it
    print('Rendered event:', win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml))

    # empty line to separate logs
    print(' - ')

    # Make sure all printed text is actually printed to the console now
    sys.stdout.flush()

    return 0

# Subscribe to future events
subscription = win32evtlog.EvtSubscribe(
    event_source,
    win32evtlog.EvtSubscribeToFutureEvents,
    None,
    Callback=new_logs_event_handler,
    Context=event_context,
    Query=None,
)

# The callback is only invoked while the process is alive and the subscription
# handle is open, so keep running until interrupted, then close the subscription
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    pass
finally:
    win32evtlog.EvtClose(subscription)

Output

reason 1 context {'info': 'this object is always passed to your callback'} event handle 1
Rendered event: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventCreate'/><EventID Qualifiers='0'>125</EventID><Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-03-03T15:23:11.150209500Z'/><EventRecordID>1</EventRecordID><Channel>Application</Channel><Computer>mypc</Computer><Security UserID='guid'/></System><EventData><Data>This is a test warning</Data></EventData></Event>
 -
reason 1 context {'info': 'this object is always passed to your callback'} event handle 1
Rendered event: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventCreate'/><EventID Qualifiers='0'>125</EventID><Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-03-03T15:23:17.876041700Z'/><EventRecordID>2</EventRecordID><Channel>Application</Channel><Computer>mypc</Computer><Security UserID='guid'/></System><EventData><Data>This is a test warning 2</Data></EventData></Event>
 -
reason 1 context {'info': 'this object is always passed to your callback'} event handle 1
Rendered event: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventCreate'/><EventID Qualifiers='0'>125</EventID><Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2020-03-03T15:23:20.476312800Z'/><EventRecordID>3</EventRecordID><Channel>Application</Channel><Computer>mypc</Computer><Security UserID='guid'/></System><EventData><Data>This is a test warning 3</Data></EventData></Event>
 -

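As an added example (not part of the answer above), here is how the XML string that EvtRender returns can be flattened into a dict and checked against a watchlist of (provider, event id) pairs; it uses only the standard library, so it runs without pywin32. The sample event is copied from the output above, and the watchlist contents and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of every event rendered with EvtRenderEventXml (see the answer's output)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the first event from the answer's output above
SAMPLE_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='EventCreate'/><EventID Qualifiers='0'>125</EventID>"
    "<Level>3</Level><Task>0</Task><Keywords>0x80000000000000</Keywords>"
    "<TimeCreated SystemTime='2020-03-03T15:23:11.150209500Z'/><EventRecordID>1</EventRecordID>"
    "<Channel>Application</Channel><Computer>mypc</Computer><Security UserID='guid'/></System>"
    "<EventData><Data>This is a test warning</Data></EventData></Event>"
)

def parse_event_xml(xml_text):
    """Flatten the XML returned by EvtRender into a dict with the fields the
    question's ReadEventLog loop printed, plus channel and record id."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_data = root.find("e:EventData", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        # EventData is absent for some events, so tolerate a missing element
        "data": [] if event_data is None else
                [d.text or "" for d in event_data.findall("e:Data", NS)],
    }

def handle_rendered_event(xml_text, watchlist, sink):
    """Parse one rendered event and keep it in `sink` when its (provider, event id)
    pair is on `watchlist`. In the live subscription the callback would pass
    win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml) as xml_text."""
    ev = parse_event_xml(xml_text)
    if (ev["provider"], ev["event_id"]) in watchlist:
        sink.append(ev)
    return ev

if __name__ == "__main__":
    hits = []
    ev = handle_rendered_event(SAMPLE_XML, {("EventCreate", 125)}, hits)
    print(ev)
    print("matched:", len(hits))
```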
【Discussion】:
