EventLog Class

This tested source code is useful for programmers who need to analyze Windows event logs with Python.

The output is a Python dictionary built from the EventID, Level, TimeCreated, EventData and Data elements picked out of the event log.

A sample of the output follows.

{'EventID': '4624', 'EventID_Qualifiers': '', 'EventID_detail': 'An account was successfully logged on', 'Level': '0', 'Level_detail': 'LogAlways : This value indicates that not filtering on the level is done during the event publishing.', 'SystemTime': '2023-03-06 08:44:59.487074', 'SystemTime_datetimeobj': datetime.datetime(2023, 3, 6, 8, 44, 59, 487074), 'EventData': [], 'SubjectUserSid': 'S-1-5-18', 'SubjectUserName': 'DESKTOP-UOQP98N$', 'SubjectDomainName': 'WORKGROUP', 'SubjectLogonId': '0x00000000000003e7', 'TargetUserSid': 'S-1-5-18', 'TargetUserName': 'SYSTEM', 'TargetDomainName': 'NT AUTHORITY', 'TargetLogonId': '0x00000000000003e7', 'LogonType': '5', 'LogonProcessName': 'Advapi ', 'AuthenticationPackageName': 'Negotiate', 'WorkstationName': '-', 'LogonGuid': '{00000000-0000-0000-0000-000000000000}', 'TransmittedServices': '-', 'LmPackageName': '-', 'KeyLength': '0', 'ProcessId': '0x0000000000000148', 'ProcessName': 'C:\Windows\System32\services.exe', 'IpAddress': '-', 'IpPort': '-', 'ImpersonationLevel': '%%1833', 'RestrictedAdminMode': '-', 'TargetOutboundUserName': '-', 'TargetOutboundDomainName': '-', 'VirtualAccount': '%%1843', 'TargetLinkedLogonId': '0x0000000000000000', 'ElevatedToken': '%%1842'}
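As an added example (not the EventLogClass.py sold on this page), this is how such a dictionary can be built from one record: python-evtx yields each record as XML, and ElementTree picks out EventID, Level, TimeCreated and the EventData fields, flattening named Data elements into top-level keys exactly as the sample above shows. The level and EventID lookup tables and the sample record are constructed assumptions, not taken from the product.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace of every Windows event record; python-evtx's record.xml() uses it too.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed lookup tables: StandardEventLevel names (Microsoft docs) and an EventID
# table stubbed with only the two IDs used here; extend it from the references.
LEVEL_DETAIL = {"0": "LogAlways : no filtering on level during publishing",
                "1": "Critical : critical errors", "2": "Error : normal errors",
                "3": "Warning : warning events", "4": "Informational : informational events",
                "5": "Verbose : lengthy events"}
EVENTID_DETAIL = {"4624": "An account was successfully logged on",
                  "4625": "An account failed to log on"}

def parse_system_time(text):  # python-evtx format first, then raw ISO 8601 ('...T08:44:59.4870740Z')
    try:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return datetime.fromisoformat(text.rstrip("Z")[:26])

def event_to_dict(xml_text):
    """Flatten one event record into the dictionary shape shown in the output sample."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    eid = system.find("e:EventID", NS)
    level = system.findtext("e:Level", default="", namespaces=NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime", "")
    out = {"EventID": eid.text or "", "EventID_Qualifiers": eid.get("Qualifiers", ""),
           "EventID_detail": EVENTID_DETAIL.get(eid.text, ""),
           "Level": level, "Level_detail": LEVEL_DETAIL.get(level, ""), "SystemTime": stamp,
           "SystemTime_datetimeobj": parse_system_time(stamp) if stamp else None,
           "EventData": []}
    for data in root.iterfind("e:EventData/e:Data", NS):
        if data.get("Name"):
            out[data.get("Name")] = data.text or ""  # named fields become top-level keys
        else:
            out["EventData"].append(data.text or "")  # unnamed <Data> stays in the list
    return out

def iter_event_dicts(evtx_path):
    from Evtx.Evtx import Evtx  # assumption: python-evtx installed; imported lazily
    with Evtx(evtx_path) as log:  # so the parser above runs without it
        for record in log.records():
            yield event_to_dict(record.xml())

# Constructed sample record, trimmed to a few fields, in the form record.xml() returns.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">4624</EventID><Level>0</Level><TimeCreated SystemTime="2023-03-06 08:44:59.487074"/>
</System><EventData><Data Name="TargetUserName">SYSTEM</Data><Data Name="LogonType">5</Data>
<Data Name="IpAddress">-</Data></EventData></Event>"""
```

Run `for d in iter_event_dicts("evtlog/Security.evtx")` over the bundled logs to get one dictionary per record; `event_to_dict(SAMPLE_4624)` shows the shape offline.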

Specification

ID: STCD_0000000010
Language: Python
Steps: 499
Purpose: Analyze Windows event log.
Function: Analyze Windows event log.
Environment: Ubuntu 20.04.4 LTS
Anaconda3 (Python 3.9.7)
IDE: Visual Studio Code
python-evtx
Restriction: Free license
You can use the source code copy as owner.
You can customize and distribute it freely.
Price: 7 dollars or 700 yen
(Pay with PayPal)
References: https://github.com/williballenthin/python-evtx
https://www.microsoft.com/en-us/download/details.aspx?id=50034


– Regarding Windows event logs
https://learn.microsoft.com/ja-jp/dotnet/api/system.diagnostics.eventing.reader.standardeventlevel?view=dotnet-plat-ext-7.0
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/


– Regarding XPATH
https://magazine.techacademy.jp/magazine/32429
http://www.errorcode-search.com/
http://www.errorcode-search.com/Windows/eventid/_list.html
http://www.errorcode-search.com/internet/http-response-code/HTTP-error.html
https://answers.microsoft.com/ja-jp/windows/forum/all/%E3%82%A4%E3%83%99%E3%83%B3%E3%83%88id16953/fd249f34-4232-43bc-821c-355c5ac1a623

Source Code

Test Result

NO | test case | result
01 | application log of event log. – analyze application log | OK
02 | security log of event log. – analyze security log | OK
03 | setup log of event log. – analyze setup log | OK
04 | system log of event log. – analyze system log | OK

Test Code

*) Modify "path" to match your PC environment.

History

7/3/2023 created

Provider Profile

My nickname is "Dead Fish", and I am employed as an engineer in Japan.
I am glad if you need my code.
Thanks!

Download

Get download password

Following files and data are zipped.

├── EventLogClass.py
└── evtlog
    ├── Application.evtx
    ├── Security.evtx
    ├── Setup.evtx
    └── System.evtx

Remarks

None
