碼上快樂

相關內容    簡體    繁體

Python處理Windows事件日志(json)

本文轉載自   查看原文   2016-05-18 17:32   1920    json/ Python

通過NXlog將Windows事件日志保存為json格式文件,然后在Python中使用json.loads()進行處理。

NXlog在將Windows事件日志保存為json格式文件,文件中帶入了BOM編碼格式,所以需要使用decode("utf-8-sig")先對源數據進行處理,否則json.loads()會提示 "No JSON object could be decoded" 錯誤

文件中每一條事件日志包含有中文、\r\n\t字符,所以在通過json.loads()處理時需要注意轉換:

import struct,os,json
file='E:\\logtest\\sec_PC-L_20160518153838.json'

with open(file,'rb') as fo:
    for f in fo:
        fj = json.loads(f.decode("utf-8-sig"),strict=False)
        print fj['Message'].encode('u8')
        #print fj['Message'].encode('gbk')

json.loads(f.decode("utf-8-sig"),strict=False,encoding='u8')

utf-8和utf-8-sig區別:

UTF-8以字節為編碼單元,它的字節順序在所有系統中都是一様的,沒有字節序的問題,也因此它實際上並不需要BOM(“ByteOrder Mark”)。但是UTF-8 with BOM即utf-8-sig需要提供BOM。

 

sec_PC-L_20160518153838.json文件內容如下:

{"EventTime":"2016-05-13 08:51:01","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":1053242,"ProcessID":776,"ThreadID":20412,"Channel":"Security","Message":"已注銷帳戶。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-21-3510791965-1333398612-533843580-1003\r\n\t帳戶名:\t\ttaskuser\r\n\t帳戶域:\t\tPC-L\r\n\t登錄 ID:\t\t0x2305C35\r\n\r\n登錄類型:\t\t\t4\r\n\r\n在登錄會話被破壞時生成此事件。可以使用登錄 ID 值將它和一個登錄事件准確關聯起來。在同一台計算機上重新啟動的區間中,登錄 ID 是唯一的。","Category":"注銷","Opcode":"信息","TargetUserSid":"S-1-5-21-3510791965-1333398612-533843580-1003","TargetUserName":"taskuser","TargetDomainName":"PC-L","TargetLogonId":"0x2305c35","LogonType":"4","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}
{"EventTime":"2016-05-13 08:51:20","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4648,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12544,"OpcodeValue":0,"RecordNumber":1053243,"ActivityID":"{105E3485-AC11-0003-9734-5E1011ACD101}","ProcessID":776,"ThreadID":19588,"Channel":"Security","Message":"試圖使用顯式憑據登錄。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-21-3510791965-1333398612-533843580-500\r\n\t帳戶名:\t\tAdministrator\r\n\t帳戶域:\t\tPC-L\r\n\t登錄 ID:\t\t0x56C28\r\n\t登錄 GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n使用了哪個帳戶的憑據:\r\n\t帳戶名:\t\tliuyan1\r\n\t帳戶域:\t\tuxin\r\n\t登錄 GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n目標服務器:\r\n\t目標服務器名:\tILX-IDC-ExFE02.uxin.youxinpai.com\r\n\t附加信息:\tILX-IDC-ExFE02.uxin.youxinpai.com\r\n\r\n進程信息:\r\n\t進程 ID:\t\t0x13c0\r\n\t進程名:\t\tC:\\Program Files (x86)\\Microsoft Office\\Office15\\OUTLOOK.EXE\r\n\r\n網絡信息:\r\n\t網絡地址:\t-\r\n\t端口:\t\t\t-\r\n\r\n在進程嘗試通過顯式指定帳戶的憑據來登錄該帳戶時生成此事件。這通常發生在批量類型的配置中(例如計划任務) 或者使用 RUNAS 命令時。","Category":"登錄","Opcode":"信息","SubjectUserSid":"S-1-5-21-3510791965-1333398612-533843580-500","SubjectUserName":"Administrator","SubjectDomainName":"PC-L","SubjectLogonId":"0x56c28","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetUserName":"liuyan1","TargetDomainName":"uxin","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetServerName":"ILX-IDC-ExFE02.uxin.youxinpai.com","TargetInfo":"ILX-IDC-ExFE02.uxin.youxinpai.com","ProcessName":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\OUTLOOK.EXE","IpAddress":"-","IpPort":"-","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 python處理日志文件 用Python優雅的處理日志 Python——處理json文件 Python處理JSON Logstash處理json格式日志文件 結合 AOP 輕松處理事件發布處理日志 python - 日志處理(logging模塊) python處理json(json轉字典) python處理json(json轉字典)(轉) python ----json數據處理
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM