Created
April 19, 2018 05:36
-
-
Save kenzauros/27a532942d9150c0910376acc03cec1d to your computer and use it in GitHub Desktop.
複数の Windows イベントログファイル (evtx) をまとめて検索する XML 作成スクリプト
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| import codecs | |
| import glob | |
| import re | |
| import os | |
| # 上限ファイル数 (適宜変更) | |
| limit = 3 | |
| # 対象にする EventID のリスト (適宜変更) | |
| event_id_list = [4624, 4634, 4625, 4648] | |
| # EventData/Data の検索値のリスト (適宜変更) | |
| data_value_list = ['hogehoge', 'fugafuga', 'momimomi'] | |
| # ---------------------------------------------------------------------- | |
| # 抽出条件式に変換 | |
| event_id = " or ".join(["(EventID=" + str(i) + ")" for i in event_id_list]) | |
| event_data = " or ".join(["(Data='" + v + "')" for v in data_value_list]) | |
| condition = "*[System[" + event_id + "] and EventData[" + event_data + "]]" | |
| # ファイル番号 | |
| n = 0 | |
| # 出力ファイル | |
| output_file = codecs.open("query_list.xml", "w", "utf-8") | |
| output_file.write("<QueryList>\n") | |
| output_file.write(" <Query Id=\"0\">\n") | |
| for filename in glob.glob("*.evtx"): | |
| print(filename) | |
| path = os.path.abspath(filename) | |
| output_file.write(" <Select Path=\"file://" + path + "\">" + condition + "</Select>\n") | |
| n += 1 | |
| if n >= limit: break | |
| output_file.write(" </Query>\n") | |
| output_file.write("</QueryList>\n") | |
| output_file.close |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment