• Processing Windows event logs (JSON) with Python


    Use NXLog to write the Windows event log out as a JSON file, then process that file in Python with json.loads().

    When NXLog writes the Windows event log as a JSON file it puts a BOM (byte order mark) at the start of the file, so the raw bytes have to be decoded with decode("utf-8-sig") first; otherwise json.loads() fails with "No JSON object could be decoded" (that is Python 2's message; Python 3 is more explicit and says "Unexpected UTF-8 BOM (decode using utf-8-sig)").

    Every event record in the file contains Chinese text and raw control characters (the tabs and line breaks inside the Message field), so two things need attention when calling json.loads(): decode the bytes to unicode before parsing and re-encode for the console when printing, and pass strict=False, because in strict mode json rejects control characters inside a string:

    # Python 2. The file is opened in binary mode, so each line arrives as a byte string (str).
    import json

    file = r'E:\logtest\sec_PC-L_20160518153838.json'   # raw string: keep the backslashes literal

    with open(file, 'rb') as fo:
        for f in fo:                                     # one JSON record per line
            # utf-8-sig strips the BOM when present (only the first line carries it);
            # strict=False lets json accept raw control characters inside strings
            fj = json.loads(f.decode("utf-8-sig"), strict=False)
            print fj['Message'].encode('u8')             # re-encode the unicode Message for a UTF-8 console
            #print fj['Message'].encode('gbk')           # use this instead on a GBK (Chinese Windows) console

    The same call with the encoding argument passed explicitly; in Python 2 that argument only affects byte-string (str) input, so it is redundant here because the line has already been decoded to unicode, and Python 3.9 removed the argument altogether:

    json.loads(f.decode("utf-8-sig"),strict=False,encoding='u8')

    Difference between utf-8 and utf-8-sig:

    UTF-8's code unit is the byte, and its byte order is the same on every system, so it has no endianness problem and in principle needs no BOM ("Byte Order Mark"). "UTF-8 with BOM", which is the utf-8-sig codec in Python, does carry one: encoding with utf-8-sig prepends the three bytes EF BB BF, and decoding with utf-8-sig strips them if present (and is otherwise identical to utf-8), whereas decoding with plain utf-8 keeps the BOM as the character U+FEFF at the start of the string, which is exactly what trips json.loads().
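    As an added example (not code from the original post), here is a Python 3 version of the same pipeline run on a constructed two-record sample instead of sec_PC-L_20160518153838.json. It shows the utf-8 versus utf-8-sig behaviour on the BOM line, why strict=False is needed when a Message string carries raw tab characters, and then pulls the 4648 fields out to flag explicit-credential logons where the calling account and the account whose credentials were used differ, the pattern visible in the second record of the sample file below. The sample records and the function names are this example's own. It assumes one record per physical line (line breaks inside Message are JSON-escaped as \n in the sample), which is what the line-by-line loop relies on; if a file really has raw line breaks inside strings, read it whole and pull objects out with json.JSONDecoder().raw_decode in a loop instead.

```python
"""Added example (Python 3): parse NXLog-style Windows Security JSON lines.

Sample data is constructed for this example. Its first line starts with a UTF-8
BOM, Message strings hold Chinese text plus raw TAB characters (control
characters json.loads only accepts with strict=False), and line breaks inside
Message are JSON-escaped (\\n) so every record stays on one physical line.
"""
import io
import json

# "\t" in these literals is a raw tab inside the JSON string; "\\n" is the JSON
# escape for a newline; "\\\\" is the JSON escape for one backslash.
SAMPLE_TEXT = (
    '{"EventTime":"2016-05-13 08:51:01","Hostname":"PC-L","EventID":4634,'
    '"Channel":"Security","Message":"已注销帐户。\\n\\n使用者:\\n\t帐户名:\t\ttaskuser",'
    '"TargetUserName":"taskuser","TargetDomainName":"PC-L","LogonType":"4"}\n'
    '{"EventTime":"2016-05-13 08:51:20","Hostname":"PC-L","EventID":4648,'
    '"Channel":"Security","Message":"试图使用显式凭据登录。\\n\\n使用者:\\n\t帐户名:\t\tAdministrator",'
    '"SubjectUserName":"Administrator","SubjectDomainName":"PC-L",'
    '"TargetUserName":"liuyan1","TargetDomainName":"uxin",'
    '"TargetServerName":"ILX-IDC-ExFE02.uxin.youxinpai.com",'
    '"ProcessName":"C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office15\\\\OUTLOOK.EXE"}\n'
)
SAMPLE_BYTES = SAMPLE_TEXT.encode("utf-8-sig")  # utf-8-sig prepends the BOM EF BB BF


def decode_line(raw: bytes) -> str:
    """utf-8-sig strips a leading BOM if there is one and is otherwise plain utf-8,
    so applying it to every line (not just the first) is safe."""
    return raw.decode("utf-8-sig")


def parse_records(data: bytes) -> list:
    """One JSON object per line. strict=False lets json accept raw control
    characters (TAB, CR, LF, NUL) inside strings, as the post's Python 2 code does."""
    records = []
    for raw in io.BytesIO(data):
        raw = raw.strip(b"\r\n")
        if raw:
            records.append(json.loads(decode_line(raw), strict=False))
    return records


def bom_failure(data: bytes) -> str:
    """Decode the first line with plain utf-8 instead: the BOM survives as U+FEFF
    and json.loads refuses it. Returns the error text (Python 3 names the cause;
    Python 2 only said 'No JSON object could be decoded')."""
    first = data.split(b"\n", 1)[0].decode("utf-8")
    try:
        json.loads(first)
    except json.JSONDecodeError as exc:
        return exc.msg
    return ""


def strict_rejects(data: bytes) -> bool:
    """With the default strict=True the raw TAB inside Message is a parse error."""
    try:
        json.loads(decode_line(data.split(b"\n", 1)[0]))
    except json.JSONDecodeError:
        return True
    return False


def _account(rec: dict, prefix: str) -> str:
    """DOMAIN\\user, lower-cased because Windows account names are case-insensitive."""
    return (rec.get(prefix + "DomainName", "") + "\\" + rec.get(prefix + "UserName", "")).lower()


def explicit_credential_logons(records: list) -> list:
    """Event 4648 (logon with explicit credentials): report records where the
    account whose credentials were used (Target*) differs from the calling
    account (Subject*), i.e. RUNAS, scheduled tasks or saved credentials."""
    hits = []
    for rec in records:
        if rec.get("EventID") != 4648:
            continue
        subject, target = _account(rec, "Subject"), _account(rec, "Target")
        if subject != target:
            hits.append({
                "time": rec.get("EventTime"), "host": rec.get("Hostname"),
                "subject": subject, "target": target,
                "server": rec.get("TargetServerName", "-"),
                "process": rec.get("ProcessName", "-"),
            })
    return hits


if __name__ == "__main__":
    print("plain utf-8 on the BOM line:", bom_failure(SAMPLE_BYTES))
    print("strict=True rejects the raw tab:", strict_rejects(SAMPLE_BYTES))
    records = parse_records(SAMPLE_BYTES)
    for rec in records:
        # Python 3 str needs no .encode('u8'); if a GBK console cannot show a
        # character, run with PYTHONIOENCODING=utf-8 or sys.stdout.reconfigure().
        print(rec["EventID"], rec["Message"].splitlines()[0])
    for hit in explicit_credential_logons(records):
        print("4648 {time} {host}: {subject} used the credentials of {target} "
              "to reach {server} from {process}".format(**hit))
```

    Run it as a script and it prints the BOM error text, the strict-mode result, the first line of each Message, and one line for the Administrator-to-liuyan1 explicit-credential logon. Comparing Subject and Target accounts is what makes 4648 useful for hunting: a 4648 where both sides are the same account is usually noise, while a mismatch from a user process such as OUTLOOK.EXE tells you exactly which stored credential was used and against which server.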

    The contents of sec_PC-L_20160518153838.json are as follows (two records: a 4634 logoff and a 4648 logon with explicit credentials; the Message text is the Chinese-locale event description and is kept verbatim):

    {"EventTime":"2016-05-13 08:51:01","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":1053242,"ProcessID":776,"ThreadID":20412,"Channel":"Security","Message":"已注销帐户。
    
    使用者:
    	安全 ID:		S-1-5-21-3510791965-1333398612-533843580-1003
    	帐户名:		taskuser
    	帐户域:		PC-L
    	登录 ID:		0x2305C35
    
    登录类型:			4
    
    在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中,登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-21-3510791965-1333398612-533843580-1003","TargetUserName":"taskuser","TargetDomainName":"PC-L","TargetLogonId":"0x2305c35","LogonType":"4","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}
    {"EventTime":"2016-05-13 08:51:20","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4648,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12544,"OpcodeValue":0,"RecordNumber":1053243,"ActivityID":"{105E3485-AC11-0003-9734-5E1011ACD101}","ProcessID":776,"ThreadID":19588,"Channel":"Security","Message":"试图使用显式凭据登录。
    
    使用者:
    	安全 ID:		S-1-5-21-3510791965-1333398612-533843580-500
    	帐户名:		Administrator
    	帐户域:		PC-L
    	登录 ID:		0x56C28
    	登录 GUID:		{00000000-0000-0000-0000-000000000000}
    
    使用了哪个帐户的凭据:
    	帐户名:		liuyan1
    	帐户域:		uxin
    	登录 GUID:		{00000000-0000-0000-0000-000000000000}
    
    目标服务器:
    	目标服务器名:	ILX-IDC-ExFE02.uxin.youxinpai.com
    	附加信息:	ILX-IDC-ExFE02.uxin.youxinpai.com
    
    进程信息:
    	进程 ID:		0x13c0
    	进程名:		C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
    
    网络信息:
    	网络地址:	-
    	端口:			-
    
    在进程尝试通过显式指定帐户的凭据来登录该帐户时生成此事件。这通常发生在批量类型的配置中(例如计划任务) 或者使用 RUNAS 命令时。","Category":"登录","Opcode":"信息","SubjectUserSid":"S-1-5-21-3510791965-1333398612-533843580-500","SubjectUserName":"Administrator","SubjectDomainName":"PC-L","SubjectLogonId":"0x56c28","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetUserName":"liuyan1","TargetDomainName":"uxin","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetServerName":"ILX-IDC-ExFE02.uxin.youxinpai.com","TargetInfo":"ILX-IDC-ExFE02.uxin.youxinpai.com","ProcessName":"C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE","IpAddress":"-","IpPort":"-","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}
  • Original source: https://www.cnblogs.com/dreamer-fish/p/5505972.html