Python处理Windows事件日志(json)
通过NXlog将Windows事件日志保存为json格式文件,然后在Python中使用json.loads()进行处理。
NXlog在将Windows事件日志保存为json格式文件,文件中带入了BOM编码格式,所以需要使用decode("utf-8-sig")先对源数据进行处理,否则json.loads()会提示 "No JSON object could be decoded" 错误
文件中每一条事件日志包含有中文、\r\n\t字符,所以在通过json.loads()处理时需要注意转换:
import struct,os,json file='E:\\logtest\\sec_PC-L_20160518153838.json' with open(file,'rb') as fo: for f in fo: fj = json.loads(f.decode("utf-8-sig"),strict=False) print fj['Message'].encode('u8') #print fj['Message'].encode('gbk')
json.loads(f.decode("utf-8-sig"),strict=False,encoding='u8')
utf-8和utf-8-sig区别:
UTF-8以字节为编码单元,它的字节顺序在所有系统中都是一様的,没有字节序的问题,也因此它实际上并不需要BOM(“ByteOrder Mark”)。但是UTF-8 with BOM即utf-8-sig需要提供BOM。
sec_PC-L_20160518153838.json文件内容如下:
{"EventTime":"2016-05-13 08:51:01","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":1053242,"ProcessID":776,"ThreadID":20412,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-21-3510791965-1333398612-533843580-1003\r\n\t帐户名:\t\ttaskuser\r\n\t帐户域:\t\tPC-L\r\n\t登录 ID:\t\t0x2305C35\r\n\r\n登录类型:\t\t\t4\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中,登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-21-3510791965-1333398612-533843580-1003","TargetUserName":"taskuser","TargetDomainName":"PC-L","TargetLogonId":"0x2305c35","LogonType":"4","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}
{"EventTime":"2016-05-13 08:51:20","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4648,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12544,"OpcodeValue":0,"RecordNumber":1053243,"ActivityID":"{105E3485-AC11-0003-9734-5E1011ACD101}","ProcessID":776,"ThreadID":19588,"Channel":"Security","Message":"试图使用显式凭据登录。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-21-3510791965-1333398612-533843580-500\r\n\t帐户名:\t\tAdministrator\r\n\t帐户域:\t\tPC-L\r\n\t登录 ID:\t\t0x56C28\r\n\t登录 GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n使用了哪个帐户的凭据:\r\n\t帐户名:\t\tliuyan1\r\n\t帐户域:\t\tuxin\r\n\t登录 GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n目标服务器:\r\n\t目标服务器名:\tILX-IDC-ExFE02.uxin.youxinpai.com\r\n\t附加信息:\tILX-IDC-ExFE02.uxin.youxinpai.com\r\n\r\n进程信息:\r\n\t进程 ID:\t\t0x13c0\r\n\t进程名:\t\tC:\\Program Files (x86)\\Microsoft Office\\Office15\\OUTLOOK.EXE\r\n\r\n网络信息:\r\n\t网络地址:\t-\r\n\t端口:\t\t\t-\r\n\r\n在进程尝试通过显式指定帐户的凭据来登录该帐户时生成此事件。这通常发生在批量类型的配置中(例如计划任务) 或者使用 RUNAS 命令时。","Category":"登录","Opcode":"信息","SubjectUserSid":"S-1-5-21-3510791965-1333398612-533843580-500","SubjectUserName":"Administrator","SubjectDomainName":"PC-L","SubjectLogonId":"0x56c28","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetUserName":"liuyan1","TargetDomainName":"uxin","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetServerName":"ILX-IDC-ExFE02.uxin.youxinpai.com","TargetInfo":"ILX-IDC-ExFE02.uxin.youxinpai.com","ProcessName":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\OUTLOOK.EXE","IpAddress":"-","IpPort":"-","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 浏览器原生「磁吸」效果!Anchor Positioning 锚点定位神器解析
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?
2015-05-18 批处理中的“%”