python读取windows日志_windows使用python原生组件包获取系统日志信息

该博客介绍如何使用Python的win32evtlog模块从Windows系统中读取和分析事件日志,特别是安全日志,关注事件ID为4625的登录失败情况。

#coding=utf8

import sys

import traceback

import win32con

import win32evtlog

import win32evtlogutil

import winerror

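try:
    from _utils.patrol2 import run_cmd, data_format, report_format
except ImportError:
    # Only a missing helper package is tolerated here; the previous bare
    # `except` also swallowed SystemExit and KeyboardInterrupt.
    print('no module _utils')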

import platform

import datetime,psutil

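def getAllEvents(server, logtypes, time_flag):
    """
    Sum the failed-logon (event ID 4625) counts over every log in ``logtypes``.

    Parameters
    ----------
    server : str or None
        Machine to query; passed through unchanged to getEventLogs, where
        None means the local machine.
    logtypes : iterable of str
        Event log names, e.g. ["Security"].
    time_flag : datetime.datetime
        Naive local-time cut-off; older records are ignored.

    Returns
    -------
    int
        Total 4625 count across all requested logs; 0 when ``logtypes`` is
        empty (the previous version raised NameError in that case and, with
        several log types, silently kept only the last log's count).
    """
    total = 0
    for logtype in logtypes:
        total += getEventLogs(server, logtype, time_flag)
    return total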

# ----------------------------------------------------------------------

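def getEventLogs(server, logtype, time_flag, logPath=None):
    """
    Count failed-logon events (event ID 4625) in one Windows event log.

    Opens ``logtype`` (e.g. "Security") on ``server`` and walks it
    newest-first, counting every record with event ID 4625 whose
    TimeGenerated is at or after ``time_flag``.

    Parameters
    ----------
    server : str or None
        Machine whose log is read; None means the local machine.
    logtype : str
        Event log name, e.g. "Security", "System", "Application".
    time_flag : datetime.datetime
        Naive local-time cut-off; records older than this are skipped.
    logPath : optional
        Unused; kept for backward compatibility (the file-writing code that
        used it is commented out in the original).

    Returns
    -------
    int
        Number of qualifying 4625 records.

    Exits the process with status 1 (after printing the traceback) if
    iterating the log fails, as the original did. Errors from opening the
    log or reading its record count propagate unchanged.
    """
    print("Logging %s events" % logtype)

    # Open the requested log on the given machine.
    hand = win32evtlog.OpenEventLog(server, logtype)
    try:
        total = win32evtlog.GetNumberOfEventLogRecords(hand)
        print("Total events in %s = %s" % (logtype, total))

        # Newest records first. SEQUENTIAL_READ advances the handle on every
        # call, so the log is read only inside the loop below: the original
        # issued one extra ReadEventLog before the loop and discarded that
        # (newest) batch of records.
        flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ

        count = 0
        try:
            while True:
                events = win32evtlog.ReadEventLog(hand, flags, 0)
                if not events:
                    break  # empty batch == end of log
                for ev_obj in events:
                    # Format() yields e.g. '12/23/99 15:54:09'; the layout
                    # is presumably locale-dependent -- TODO confirm on
                    # non-US locales before relying on this parse.
                    the_time = datetime.datetime.strptime(
                        ev_obj.TimeGenerated.Format(), "%m/%d/%y %H:%M:%S")
                    if the_time < time_flag:
                        # Older than the cut-off. Deliberately `continue`,
                        # not `break`: TimeGenerated order is not assumed
                        # to be strictly monotonic.
                        continue
                    # EventID carries severity/facility bits; HRESULT_CODE
                    # keeps only the low 16-bit event number, which is what
                    # matches the documented ID 4625 ("An account failed to
                    # log on").
                    evt_id = str(winerror.HRESULT_CODE(ev_obj.EventID))
                    if evt_id == '4625':
                        count += 1
            return count
        except Exception:
            # print_exc() takes no exc_info argument; the original passed one
            # (and printed its None return value).
            traceback.print_exc()
            sys.exit(1)
    finally:
        # The original never released the log handle.
        win32evtlog.CloseEventLog(hand)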

def get_start_time():
    """Return the last system boot time as a naive local datetime.

    psutil.boot_time() gives a POSIX timestamp; fromtimestamp() converts
    it in local time, matching the naive local times parsed from event
    records elsewhere in this script.
    """
    boot_ts = psutil.boot_time()
    return datetime.datetime.fromtimestamp(boot_ts)

if __name__ == "__main__":
    # Only records generated since the last boot are counted.
    time_flag = get_start_time()
    print(time_flag)

    server = None  # None = local machine
    logTypes = ["Security"]  # "System", "Application",
    result = getAllEvents(server, logTypes, time_flag)

    # Any failed logon since boot raises the alert flag.
    alert = 0 if result == 0 else 1
    hostname = platform.node()

    # Report label is the Chinese for "number of failed logins".
    report = data_format('登录失败次数', result, alert)
    reports = report_format(hostname, report, is_json=True)
    print(reports)
