Unusual event.EventID numbers like -2147481364 in Python using win32evtlog from Pywin32


Problem description

I wrote a Python (3.2) script to ban IPs on certain events from the event logs on a Windows 2008 server, and I was trying to test whether it would properly ban IPs from SQL brute-forcing attempts. Unfortunately, so far it's not getting to that part of the code, because the event ID it is looking for never appears (although it should, as it's in the log file).

import win32evtlog

def run_script_application_log():
    eventIds = [18456] # look for these events to process for possible ip bans; 18456 = failed login
    server = 'localhost' # name of the target computer to get event logs from
    logtype = 'Application' # 'Application' or 'Security' etc...
    # newest-first, sequential read (the usual pywin32 ReadEventLog flags);
    # `flags` was used but not defined in the snippet as posted
    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    hand = win32evtlog.OpenEventLog(server, logtype)
    ipsToBan = look_for_ips_to_ban(hand, flags, eventIds)

def look_for_ips_to_ban(hand, flag, eventIds):
    # ...some code....
    events = 1
    while events:
        events = win32evtlog.ReadEventLog(hand, flag, 0)   # returns an empty list once the log is exhausted
        for event in events:
            the_time = event.TimeGenerated.Format()
            seconds = date2sec(the_time)                   # date2sec: helper from the elided part of the script
            #if seconds < begin_sec - time_in_seconds: break
            if event.EventID in eventIds:
                ...   # ban logic (elided in the question)

I inserted a simple print statement to see what was going on with the event.EventID, and the numbers it was obtaining were odd to say the least. The event log goes up to 33090, but the vast majority of IDs being returned are similar to these: 1073750020 1073754112 -1073741823 -2147481364

I have no idea what's going on. It works fine with the Security log, but the Application log seems to be a no-go.

I went through some data, and it all seems to be reported correctly except for the event ID.

For instance, this record from the log is all correct except that it shows the event ID as 1073742726 instead of 18456.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQLSERVER" /> 
<EventID Qualifiers="49152">18456</EventID> 
<Level>0</Level> 
<Task>4</Task> 
<Keywords>0x90000000000000</Keywords> 
<TimeCreated SystemTime="2012-12-08T18:01:32.000000000Z" /> 
<EventRecordID>4532</EventRecordID> 
<Channel>Application</Channel> 
<Computer>windowsmachine</Computer> 
<Security /> 
</System>
<EventData>
<Data>username</Data> 
<Data>Reason: Password did not match that for the login provided.</Data> 
<Data>[CLIENT: <local machine>]</Data> 
<Binary>184800000E0000000A000000570049004E004D00430041005000460058000000070000006D00610073007400650072000000</Binary> 
</EventData>
</Event>

Answer

If you check it in binary, the function works fine; it just added 1 bit (or more, I didn't really check) that you don't need. Try to put the answer through "AND" like this:

answer = event.EventID & 0x1FFFFFFF
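As an added example (not part of the question or the answer above), the block below shows where those numbers come from and what a filter that keys on the displayed event ID looks like. The 32-bit value pywin32 returns has the same layout as a Windows message ID: severity in bits 31-30, a customer flag in bit 29, a reserved bit, a 12-bit facility, and the 16-bit code that Event Viewer shows; the high 16 bits are exactly the `Qualifiers="49152"` attribute in the XML record from the question, and pywin32 returns the whole thing as a signed int, which is why -2147481364 appears. Masking with `0xFFFF` isolates the displayed code for any provider, including ones that set facility bits. The filter also checks the provider name, since event IDs are only unique per source, and skips `[CLIENT: <local machine>]`, which carries no address to ban. The sample records, the `SampleEvent` stand-in and the helper names are constructed for this example; only `scan_application_log` touches the real API, and it needs pywin32 on Windows.

```python
import ipaddress
import re
from collections import namedtuple

# Layout of the 32-bit EventID that win32evtlog.ReadEventLog() hands back
# (the same message-ID layout as NTSTATUS/HRESULT values):
#   bits 31-30  severity (0 success, 1 informational, 2 warning, 3 error)
#   bit  29     customer-defined flag
#   bit  28     reserved
#   bits 27-16  facility
#   bits 15-0   the code Event Viewer displays as "Event ID"
# The high 16 bits are what the event XML shows as <EventID Qualifiers="...">.
# pywin32 returns the value as a signed 32-bit int, hence negatives like -2147481364.
DecodedEventID = namedtuple("DecodedEventID", "code qualifiers severity customer facility")
SEVERITY_NAMES = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_event_id(raw):
    """Split a signed or unsigned 32-bit EventID into its fields."""
    u = raw & 0xFFFFFFFF            # reinterpret the signed value as unsigned
    return DecodedEventID(
        code=u & 0xFFFF,
        qualifiers=(u >> 16) & 0xFFFF,
        severity=(u >> 30) & 0x3,
        customer=(u >> 29) & 0x1,
        facility=(u >> 16) & 0x0FFF,
    )


def full_event_id(code, qualifiers):
    """Inverse of decode_event_id: the signed int pywin32 returns for an
    <EventID Qualifiers="qualifiers">code</EventID> record."""
    u = ((qualifiers & 0xFFFF) << 16) | (code & 0xFFFF)
    return u - 0x100000000 if u & 0x80000000 else u


# Stand-in for the objects ReadEventLog() yields (only the attributes used here).
SampleEvent = namedtuple("SampleEvent", "SourceName EventID StringInserts")

# Constructed sample records, not real log data. The first two mirror the
# MSSQLSERVER 18456 record quoted in the question (Qualifiers="49152").
SAMPLE_EVENTS = [
    SampleEvent("MSSQLSERVER", full_event_id(18456, 49152),
                ("username", "Reason: Password did not match that for the login provided.",
                 "[CLIENT: 192.0.2.10]")),
    SampleEvent("MSSQLSERVER", full_event_id(18456, 49152),
                ("sa", "Reason: Password did not match that for the login provided.",
                 "[CLIENT: <local machine>]")),              # local logon: nothing to ban
    SampleEvent("MSSQLSERVER", 1073742726, ("informational message",)),   # code 902, not 18456
    SampleEvent("OtherService", full_event_id(18456, 0),
                ("[CLIENT: 198.51.100.7]",)),                # same code, different provider
]

CLIENT_RE = re.compile(r"\[CLIENT:\s*([^\]]+)\]")


def find_failed_login_ips(events, wanted_codes=(18456,), source="MSSQLSERVER"):
    """Return client addresses from matching records, comparing on the 16-bit code.

    Event IDs are only unique per provider, so SourceName is checked too, and
    tokens that are not IP literals (e.g. "<local machine>") are skipped.
    """
    ips = []
    for ev in events:
        if ev.SourceName != source:
            continue
        if decode_event_id(ev.EventID).code not in wanted_codes:
            continue
        for insert in ev.StringInserts or ():
            m = CLIENT_RE.search(insert)
            if not m:
                continue
            try:
                ips.append(str(ipaddress.ip_address(m.group(1).strip())))
            except ValueError:
                pass                # "<local machine>", named pipes, etc.
    return ips


def scan_application_log(server="localhost", logtype="Application"):
    """The same filter over the live log; needs pywin32, so it only runs on Windows."""
    import win32evtlog
    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    hand = win32evtlog.OpenEventLog(server, logtype)
    found = []
    try:
        while True:
            events = win32evtlog.ReadEventLog(hand, flags, 0)
            if not events:          # empty list once the log is exhausted
                break
            found.extend(find_failed_login_ips(events))
    finally:
        win32evtlog.CloseEventLog(hand)
    return found


if __name__ == "__main__":
    for raw in (1073750020, 1073754112, -1073741823, -2147481364, full_event_id(18456, 49152)):
        d = decode_event_id(raw)
        print(f"{raw:>12} -> code {d.code:>5}  qualifiers 0x{d.qualifiers:04X}  {SEVERITY_NAMES[d.severity]}")
    print("ban candidates:", find_failed_login_ips(SAMPLE_EVENTS))
```

Run stand-alone it decodes the four odd values from the question (-2147481364 is code 2284 with qualifiers 0x8000, -1073741823 is code 1 with qualifiers 0xC000, 1073742726 is code 902) and reports only 192.0.2.10 as a ban candidate. The `0x1FFFFFFF` mask from the answer gives the same 18456 for the quoted MSSQLSERVER record because its qualifiers use only the top two bits; `& 0xFFFF` is the mask that also holds when bits 16-28 are set.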
