- import win32evtlog
- import win32api
- import win32con
- import win32security # To translate NT Sids to account names.
- import win32evtlogutil
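def ReadLog(computer, logType="Application", dumpEachRecord = 0):
    """Read the whole *logType* event log on *computer*, newest record first.

    Args:
        computer: Machine whose log is opened (passed straight through to
            OpenEventLog and LookupAccountSid; the demo passes None by default).
        logType: Name of the log to open; defaults to "Application".
        dumpEachRecord: When truthy, print each record's source, generation
            time, associated account (if any) and formatted message.

    Every record is run through SafeFormatMessage even when nothing is
    printed, and at the end a summary compares the record count reported by
    the log with the number actually read.  The log handle is closed on
    every exit path, including an exception raised mid-read.
    """
    h = win32evtlog.OpenEventLog(computer, logType)
    try:
        numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
        flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
        num = 0
        while True:
            objects = win32evtlog.ReadEventLog(h, flags, 0)
            if not objects:
                break
            for record in objects:
                # Format it for testing purposes even when it is not printed.
                msg = win32evtlogutil.SafeFormatMessage(record, logType)
                user_desc = _describe_record_user(computer, record.Sid)
                if dumpEachRecord:
                    _print_record(record, msg, user_desc)
            num += len(objects)
        if numRecords == num:
            print("Successfully read all", numRecords, "records")
        else:
            print("Couldn't get all records - reported %d, but found %d" % (numRecords, num))
            print("(Note that some other app may have written records while we were running!)")
    finally:
        # Previously the handle leaked if ReadEventLog or formatting raised.
        win32evtlog.CloseEventLog(h)


def _describe_record_user(computer, sid):
    """Return "Event associated with user DOMAIN/user" for *sid*, or None.

    Falls back to the SID's string form when LookupAccountSid on *computer*
    raises win32security.error, so an unresolvable SID never aborts the read.
    """
    if sid is None:
        return None
    try:
        domain, user, typ = win32security.LookupAccountSid(computer, sid)
        sidDesc = "%s/%s" % (domain, user)
    except win32security.error:
        sidDesc = str(sid)
    return "Event associated with user %s" % (sidDesc,)


def _print_record(record, msg, user_desc):
    """Print one record's header line, optional account line and message.

    The message text comes from the log and may contain characters the
    console encoding cannot represent; in that case repr(msg) is printed.
    """
    print("Event record from %r generated at %s" % (record.SourceName, record.TimeGenerated.Format()))
    if user_desc:
        print(user_desc)
    try:
        print(msg)
    except UnicodeError:
        print("(unicode error printing message: repr() follows...)")
        print(repr(msg))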
def usage():
    """Print the command-line help for this demo to stdout, one option per line."""
    help_lines = (
        "Writes an event to the event log.",
        "-w : Dont write any test records.",
        "-r : Dont read the event log",
        "-c : computerName : Process the log on the specified computer",
        "-v : Verbose",
        "-t : LogType - Use the specified log - default = 'Application'",
    )
    for line in help_lines:
        print(line)
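def test():
    """Command-line driver: optionally write three sample records, then read the log.

    Options (see usage()): -w skips writing, -r skips reading, -c NAME selects
    the computer, -t NAME selects the log, -v turns on per-record dumping and
    -h/-? prints the help.  Returns 1 on bad arguments, None otherwise.
    """
    # check if running on Windows NT, if not, display notice and terminate
    if win32api.GetVersion() & 0x80000000:
        print("This sample only runs on NT")
        return
    import sys
    import getopt
    try:
        opts, args = getopt.getopt(sys.argv[1:], "rwh?c:t:v")
    except getopt.GetoptError as err:
        # An unknown option or a missing -c/-t value used to escape as a traceback.
        print("Invalid args: %s" % (err,))
        usage()
        return 1
    computer = None
    do_read = do_write = 1
    logType = "Application"
    verbose = 0
    if args:
        print("Invalid args")
        usage()
        return 1
    for opt, val in opts:
        if opt == '-t':
            logType = val
        elif opt == '-c':
            computer = val
        elif opt in ('-h', '-?'):
            usage()
            return
        elif opt == '-r':
            do_read = 0
        elif opt == '-w':
            do_write = 0
        elif opt == '-v':
            verbose += 1
    if do_write:
        # Attach the current process's user SID so the records are attributed
        # to this account; these are real records written to the live log.
        ph = win32api.GetCurrentProcess()
        th = win32security.OpenProcessToken(ph, win32con.TOKEN_READ)
        my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0]
        raw_data = "Raw\0Data".encode("ascii")
        win32evtlogutil.ReportEvent(logType, 2,
                                    strings=["The message text for event 2", "Another insert"],
                                    data=raw_data, sid=my_sid)
        win32evtlogutil.ReportEvent(logType, 1, eventType=win32evtlog.EVENTLOG_WARNING_TYPE,
                                    strings=["A warning", "An even more dire warning"],
                                    data=raw_data, sid=my_sid)
        win32evtlogutil.ReportEvent(logType, 1, eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
                                    strings=["An info", "Too much info"],
                                    data=raw_data, sid=my_sid)
        print("Successfully wrote 3 records to the log")
    if do_read:
        ReadLog(computer, logType, verbose > 0)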
if __name__ == "__main__":
    # Run the demo only when executed as a script, never on import.
    test()