FAQ or HOWTO on windows event logs

[David Bear]

I would like to develop some tools to better understand/analyze
windows event logs. What I've done is export the event log as a
delimited file, then try to use awk or python to parse the info.
There must be an easier way... The format of the event changes with
the event, so it seems impossible to write a generalized parser.

I guess i'm look for tricks -- recommendations on what others have
found to be effective ways to deal with windows events log data. My
goal would be to get the data in a format where I can run correlations
on events. For example, I would like to see when a system event (a
dcom buffer overflow) occurs and then see if an event in the
application log like a crashed ocx occurred at the same
time.. Obviously this is for intrusion analysis...

Any advice?

 

[Rudy Schockaert]

I would like to develop some tools to better understand/analyze
windows event logs. What I've done is export the event log as a
delimited file, then try to use awk or python to parse the info.
There must be an easier way... The format of the event changes with
the event, so it seems impossible to write a generalized parser.

I guess i'm look for tricks -- recommendations on what others have
found to be effective ways to deal with windows events log data. My
goal would be to get the data in a format where I can run correlations
on events. For example, I would like to see when a system event (a
dcom buffer overflow) occurs and then see if an event in the
application log like a crashed ocx occurred at the same
time.. Obviously this is for intrusion analysis...

Any advice?

Have you had a look at Mark Hammond's Win32all? There is a module called
win32evtlog that you can use to dump the windows eventlogs. You already
have the data in a comfortable format there.
Here's an example:

import win32evtlog, win32security
from win32evtlogutil import *

def ReadLog(computer, logType="Application", dumpEachRecord = 0):
# read the entire log back.
h=win32evtlog.OpenEventLog(computer, logType)
numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
print "There are %d records" % numRecords

num=0
while 1:
objects = win32evtlog.ReadEventLog(h,
win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
if not objects:
break
for object in objects:
# get it for testing purposes, but dont print it.
msg = SafeFormatMessage(object, logType).encode("mbcs")
if object.Sid is not None:
try:
domain, user, typ =
win32security.LookupAccountSid(computer, object.Sid)
sidDesc = "%s/%s" % (domain, user)
except win32security.error:
sidDesc = str(object.Sid)
user_desc = "Event associated with user %s" % (sidDesc,)
else:
user_desc = None
if dumpEachRecord:
if user_desc:
print user_desc
print msg
num = num + len(objects)

if numRecords == num:
print "Successfully read all", numRecords, "records"
else:
print "Couldn't get all records - reported %d, but found %d" %
(numRecords, num)
print "(Note that some other app may have written records while
we were running!)"
win32evtlog.CloseEventLog(h)


logType = "Application"
computer = None # use local machine
verbose = 1
ReadLog(computer, logType, verbose > 0)