1. 系统Evtx日志的读取
import win32evtlog
import win32evtlogutil
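def ReadLog(logType="Application"):
    """Print every record of a live Windows event log channel.

    Records are read newest-first (EVENTLOG_BACKWARDS_READ) in batches until
    ReadEventLog returns an empty list; each record is printed as
    ``eventid msg event_time``.

    :param logType: channel name, e.g. ``Application`` or ``System``; it is
        also passed to SafeFormatMessage so the message resources registered
        for that channel are used when rendering the text.
    :return: None
    :raises: errors from OpenEventLog/ReadEventLog propagate unchanged (e.g.
        when the channel cannot be opened).
    """
    # First argument None -> the local machine's log.
    py_handle = win32evtlog.OpenEventLog(None, logType)
    try:
        while True:
            batch = win32evtlog.ReadEventLog(
                py_handle,
                win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ,
                0,
            )
            if not batch:
                break  # no more records
            for record in batch:
                # Only the low 16 bits are the event ID proper; the upper bits
                # carry severity/facility qualifiers and are dropped here.
                eventid = record.EventID & 0xFFFF
                msg = win32evtlogutil.SafeFormatMessage(record, logType)
                event_time = record.TimeWritten
                print(eventid, msg.strip(), event_time)
    finally:
        # Release the handle even if reading or formatting raised; the
        # original only closed it on the normal exit path.
        win32evtlog.CloseEventLog(py_handle)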
# Example run: dump the System channel to stdout.
ReadLog(logType="System")
2. 导出、另存目标事件日志
import win32evtlog
import os
import time
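def exportLog(path, save_path, event_id, *, level=4, timeout=None):
    """Export all records of one event ID from a channel into an .evtx file.

    The XPath query selects records whose ``Level`` equals *level* (4 is
    Informational in the Windows event schema) and whose ``EventID`` equals
    *event_id*. After the export call the function polls until *save_path*
    exists on disk.

    :param path: source channel, e.g. ``System`` or ``Application``
    :param save_path: destination file, .evtx format
    :param event_id: event ID to select; coerced with ``int()`` so that a
        non-numeric value cannot alter the structure of the XPath query
    :param level: event level to select (default 4, as in the original query)
    :param timeout: seconds to wait for the output file; ``None`` waits
        indefinitely (the original behaviour)
    :return: None
    :raises ValueError: if *event_id* or *level* is not an integer
    :raises TimeoutError: if *save_path* has not appeared within *timeout*
    """
    # Build the selector from validated integers only. The original format
    # string "(EventID={}})" left a stray '}' after the ID, producing an
    # invalid query such as "(EventID=4624})".
    query = "*[System[(Level={}) and (EventID={})]]".format(int(level), int(event_id))
    # Flag value 1 (EvtExportLogChannelPath in the Win32 enum) tells
    # EvtExportLog that *path* is a channel name rather than a log file.
    win32evtlog.EvtExportLog(path, save_path, 1, query, None)
    deadline = None if timeout is None else time.monotonic() + timeout
    while not os.path.exists(save_path):
        if deadline is not None and time.monotonic() >= deadline:
            raise TimeoutError("export file not created: {}".format(save_path))
        time.sleep(1)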
3. 读取自定义的日志文件
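def readBackupLog(path, logType="System"):
    """Print every record of a saved event log file.

    Same reading loop as ReadLog, but the log is opened from a file with
    OpenBackupEventLog instead of from a live channel.

    :param path: path of the saved log file
    :param logType: channel name handed to SafeFormatMessage for rendering
        the message text (default ``System``, which the original hard-coded);
        pass the channel the file was exported from.
        NOTE(review): rendering presumably also needs the message resources
        of the originating channel on the reading machine — confirm before
        relying on the text for analysis.
    :return: None
    :raises: errors from OpenBackupEventLog/ReadEventLog propagate unchanged.
    """
    # First argument None -> local machine; str() accepts path-like values.
    py_handle = win32evtlog.OpenBackupEventLog(None, str(path))
    try:
        while True:
            batch = win32evtlog.ReadEventLog(
                py_handle,
                win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ,
                0,
            )
            if not batch:
                break  # no more records
            for record in batch:
                # Low 16 bits are the event ID; the qualifier bits are masked off.
                eventid = record.EventID & 0xFFFF
                msg = win32evtlogutil.SafeFormatMessage(record, logType)
                event_time = record.TimeWritten
                print(eventid, msg.strip(), event_time)
    finally:
        # Close the handle on every exit path, not only on normal completion.
        win32evtlog.CloseEventLog(py_handle)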