I want to open a specific log in the Windows Event Log, named "Microsoft-Windows-TerminalServices-LocalSessionManager". I used this code:
```python
import win32evtlog

server = 'localhost'  # name of the target computer to get event logs from
# raw string so the backslashes in the registry path are taken literally
logtype = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Microsoft-Windows-TerminalServices-LocalSessionManager'
hand = win32evtlog.OpenEventLog(server, logtype)
flags = win32evtlog.EVENTLOG_SEQUENTIAL_READ | win32evtlog.EVENTLOG_FORWARDS_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
while True:
    events = win32evtlog.ReadEventLog(hand, flags, 0)
    if events:
        for event in events:
            print('Event Category:', event.EventCategory)
            print('Time Generated:', event.TimeGenerated)
            print('Source Name:', event.SourceName)
            print('Event ID:', event.EventID)
            print('Event Type:', event.EventType)
            data = event.StringInserts
            if data:
                print('Event Data:')
                for msg in data:
                    print(msg)
```
But it doesn't work: this code opens the "System" log instead of "Microsoft-Windows-TerminalServices-LocalSessionManager". Why doesn't it work? And if it is not a bug but a feature, what is the way to read this log?
Thanks for your answer.
You can only use first-level subkeys like `Application`, `HardwareEvents`, `Internet Explorer`, `System`, etc.

> sourceName specifies the name of the source that the returned handle will reference. The source name must be a subkey of a logfile entry under the EventLog key in the registry.

(from the `win32evtlog.OpenEventLog` documentation)

> If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file.

(from the `OpenEventLogA` function documentation, winbase.h)

However, you can use the `win32evtlog.EvtQuery` function for fetching events.

Note: if you get an `Access Denied` error, try running with Run as Administrator.
```python
import win32evtlog
import xml.etree.ElementTree as ET

# open the channel's .evtx file directly (EvtQueryFilePath); raw string keeps the backslashes literal
query_handle = win32evtlog.EvtQuery(
    r'C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx',
    win32evtlog.EvtQueryFilePath)
read_count = 0
while True:
    # read 100 records
    events = win32evtlog.EvtNext(query_handle, 100)
    read_count += len(events)
    # if there is no record, break the loop
    if len(events) == 0:
        break
    for event in events:
        xml_content = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
        # print(xml_content)
        # parse xml content
        xml = ET.fromstring(xml_content)
        # xml namespace: the root element has an xmlns definition, so we have to use the namespace
        ns = '{http://schemas.microsoft.com/win/2004/08/events/event}'
        event_id = xml.find(f'.//{ns}EventID').text
        level = xml.find(f'.//{ns}Level').text
        channel = xml.find(f'.//{ns}Channel').text
        execution = xml.find(f'.//{ns}Execution')
        process_id = execution.get('ProcessID')
        thread_id = execution.get('ThreadID')
        time_created = xml.find(f'.//{ns}TimeCreated').get('SystemTime')
        print(f'Time: {time_created}, Level: {level} Event Id: {event_id}, Channel: {channel}, Process Id: {process_id}, Thread Id: {thread_id}')
        user_data = xml.find(f'.//{ns}UserData')
        # user_data can hold any event-specific payload; it is not parsed here
print(f'Read {read_count} records')
```
Output:

```text
Time: 2020-12-20T10:47:53.3790439Z, Level: 4 Event Id: 32, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1496
Time: 2020-12-20T10:47:57.5636553Z, Level: 4 Event Id: 41, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1504
Time: 2020-12-20T10:47:57.5662431Z, Level: 4 Event Id: 42, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1504
Time: 2020-12-20T10:48:26.9395585Z, Level: 4 Event Id: 21, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 1512
Time: 2020-12-20T10:48:27.0466986Z, Level: 4 Event Id: 22, Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, Process Id: 1476, Thread Id: 10212
Read 823 records
```
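As an added example (not code from the question or the answer above), this builds on the answer's `EvtQuery` approach: it queries the channel by name with `EvtQueryChannelPath` and an XPath filter instead of opening the `.evtx` file, and it parses the `UserData` block the answer leaves alone to pull out the user, session ID and source address of the RDP session events (IDs 21 to 25), which is what a defender needs to track remote logons. The session event IDs and the `EventXML` field names are assumed to be the ones this channel normally carries; the sample record is constructed so the parser can run and be checked without pywin32.

```python
import xml.etree.ElementTree as ET

try:
    import win32evtlog  # pywin32; Windows only
except ImportError:     # keeps the parser usable (and testable) elsewhere
    win32evtlog = None

NS = '{http://schemas.microsoft.com/win/2004/08/events/event}'
CHANNEL = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
# Session lifecycle events of this channel (IDs 21-25); assumed from the channel's usual content
SESSION_EVENTS = {21: 'logon', 22: 'shell start', 23: 'logoff', 24: 'disconnect', 25: 'reconnect'}


def parse_session_event(xml_text):
    """Return a dict for a rendered session event, or None for other event IDs.
    UserData/EventXML (User, SessionID, Address) is the layout these events are assumed to carry."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f'.//{NS}EventID').text)
    if event_id not in SESSION_EVENTS:
        return None
    rec = {'time': root.find(f'.//{NS}TimeCreated').get('SystemTime'),
           'event_id': event_id, 'action': SESSION_EVENTS[event_id]}
    event_xml = root.find(f'.//{NS}UserData/*')  # EventXML uses its own namespace
    if event_xml is not None:
        for child in event_xml:  # strip the namespace: '{Event_NS}User' -> 'User'
            rec[child.tag.split('}')[-1]] = (child.text or '').strip()
    return rec


def query_session_events(channel=CHANNEL, event_ids=tuple(SESSION_EVENTS)):
    """Read the live channel by name with an XPath filter (needs pywin32, usually admin rights)."""
    ids = ' or '.join(f'EventID={i}' for i in event_ids)
    handle = win32evtlog.EvtQuery(channel, win32evtlog.EvtQueryChannelPath,
                                  f'*[System[({ids})]]')
    found = []
    while True:
        events = win32evtlog.EvtNext(handle, 100)
        if not events:
            break
        for ev in events:
            rec = parse_session_event(win32evtlog.EvtRender(ev, win32evtlog.EvtRenderEventXml))
            if rec:
                found.append(rec)
    return found


# Constructed sample record (made-up user, session and address) for offline use
SAMPLE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><EventID>21</EventID><TimeCreated SystemTime="2020-12-20T10:48:26.9395585Z"/>'
          '<Channel>' + CHANNEL + '</Channel></System><UserData><EventXML xmlns="Event_NS">'
          '<User>EXAMPLE\\alice</User><SessionID>3</SessionID><Address>192.0.2.10</Address>'
          '</EventXML></UserData></Event>')
```

On a Windows host, `query_session_events()` returns the same dicts for the live channel, so the `Address` field of logon and reconnect records can be compared against the expected RDP sources.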