2019-2020-2 20,165,325 Lidong Jun graduation fourth weekly summary
table of Contents
This week the completion of daily tasks &
Progress & task has been solved
The problem to be solved next week & plan
Code trusteeship
This week the completion of daily tasks &
| on Monday | on Tuesday | on Wednesday | Thursday | Friday | on Saturday | Zhou |
|---|---|---|---|---|---|---|
|
Solve the problem alone evtx read
|
Complete the core program reads the database log files
|
Solve the problem alone evtx read
|
Solve the problem alone evtx read
|
Renderings
|
Solve the problem alone evtx read
|
Summary
writing a blog managed code |
Progress & task has been solved
Solve the problem alone evtx read
Can read the specified file evtx is whether the critical operating system log read is completed. Introduced before, due to the cross-machine read, my design ideas are shared in this business server to log server log files, log server reads the log file share, to write data provided in the data center server's log Finally, to show auditors in Web front-end.
Accordingly, the present module kernel should be packaged as: an input path to the log file to be read & filename, file output log information (such as eventId, RecordNumber, EventType, EventTime, EventCategory etc.).
After practice, it java find difficult to solve this problem. Because java basically did not leave the interface in this area, a comprehensive reference information online and found that java call Advapi32Util only finished reading the log files of the functions of this machine, its input is the type of log file: Application or Security, or System;
Advapi32Util.EventLogIterator iter = new Advapi32Util.EventLogIterator("Application"); //或Security或System
Calling the method described above, as their implementation is the machine reading the log file, reads the file path can not be specified (for example, designated C: \ Users \ 24771 \ Desktop \ test4.evtx); this may been attempts to read:
Advapi32Util.EventLogIterator iter = new Advapi32Util.EventLogIterator("C:\\Users\\24771\\Desktop\\test4.evtx");
But it is! Do not! Row! of! Do not! Row! of! Do not! Row! of!
Program will indeed read out something, but you carefully control the contents of the log file you will find the contents of the documents do not correspond; look closely you will find: program to read the contents of the Application log!
Tell me what you junior partner, I may be limited level. If Advapi32Util can solve this problem, be sure to give me some message! Thank you! ! ! !
--------------------------Dividing line---------------------- ----
After many failures, I sought the advice of a surname Zhao chiefs. I learned Python can be used to solve this problem, the code:
import mmap
import contextlib
import re
from Evtx.Evtx import FileHeader
from Evtx.Views import evtx_file_xml_view
def MyFun():
longlat_list = []
with open('route.txt', 'r', encoding='utf-8-sig') as f:
for eachline in f:
if eachline != '' and eachline != '\n':
longlat = eachline.split('\t')[0].split()[0]
longlat_list.append(longlat)
f.close()
EvtxPath = str(longlat_list[0]) #日志文件的路径
with open(EvtxPath,'r') as f:
with contextlib.closing(mmap.mmap(f.fileno(),0,access=mmap.ACCESS_READ)) as buf:
fh = FileHeader(buf,0)
# 构建一个xml文件,根元素是Events
print ("")
print ("")
# 遍历事件
for xml, record in evtx_file_xml_view(fh):
print (xml)
with open(str(longlat_list[1]), 'a', encoding='utf-8') as f:
f.write(str(xml))
f.write('\n')
print ("")
if __name__ == '__main__':
MyFun()
Programs compiled as an exe, read his own file and route.txt same path, the path and enter the file containing the program evtx final output txt file path, the log file this exe file specified write txt, to the xml format.
Here is where a log of the output effect:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-LoadPerf" Guid="{122ee297-bb47-41ae-b265-1ca8d1886d40}"></Provider>
<EventID Qualifiers="">1001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-02-23 09:40:28.540165"></TimeCreated>
<EventRecordID>267</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="1400" ThreadID="1676"></Execution>
<Channel>Application</Channel>
<Computer>WIN-9GT205KDAUT</Computer>
<Security UserID="S-1-5-18"></Security>
</System>
<UserData><EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="LoadPerf"><param1>WmiApRpl</param1>
<param2>WmiApRpl</param2>
<binaryDataSize>12</binaryDataSize>
<binaryData>fhUAAH8VAAA0BwAA</binaryData>
</EventXML>
</UserData>
</Event>
Last Modified route.txt java and start exe file to obtain the above data, the next step needs to be done is to extract, process in which useful information.
Complete the core program reads the database log files
The so-called core module of the program, the database server is able to GeneralLog, ErrorLog, SlowQueryLog acquisition & processing & read to the database server's log;
Because each time you refresh the log are read from the same log file from scratch, in order to avoid repetition written, I calculated the SM3 set up a log Hash algorithm as the primary key; details as shown:
Renderings
Translated paper:
The problem to be solved next week & plan
The problem to be solved
weblogic environmental collapse, the night returned to liberation.
evtx file reading can already do, and not processing data.
The main task next week
- evtx file read and process the data
- Weblogic debugging environment
Code trusteeship
Code documentation submission process & the amount of code screenshots
