I wrote a python(3.2) script to ban ips on certain events from the event logs on a Windows 2008 server and I was trying to test if it would ban ips from sql brute forcing attempts properly. Unfortunately so far it's not getting to that part of the code because the event ID it is looking for never appears (although it should as it's in the log file).
def run_script_application_log():
eventIds = [18456] #look for these events to process for possible ip bans 18456 = failed login
server = 'localhost' # name of the target computer to get event logs from
logtype = 'Application' # 'Application' or 'Security' etc...
hand = win32evtlog.OpenEventLog(server,logtype)
ipsToBan = look_for_ips_to_ban(hand,flags,eventIds)
def look_for_ips_to_ban(hand, flag, eventIds):
...some code....
events=1
while events:
events=win32evtlog.ReadEventLog(hand,flag,0)
for event in events:
the_time=event.TimeGenerated.Format()
seconds=date2sec(the_time)
#if seconds < begin_sec - time_in_seconds: break
if event.EventID in eventIds:
I inserted a simple print statement to see what was going on with the event.EventID and the numbers it was obtaining were odd to say the least. The event log goes up to 33090 but the vast majority of IDs being returned are similar to these: 1073750020 1073754112 -1073741823 -2147481364
I have 0 idea what's going on. It works fine with the security log, but application log seems to be a no go.
I went through some data and it all seems to report correctly except for the eventID.
For instance this record from the log is all correct except it shows the event ID as 1073742726 instead of 18456.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQLSERVER" />
<EventID Qualifiers="49152">18456</EventID>
<Level>0</Level>
<Task>4</Task>
<Keywords>0x90000000000000</Keywords>
<TimeCreated SystemTime="2012-12-08T18:01:32.000000000Z" />
<EventRecordID>4532</EventRecordID>
<Channel>Application</Channel>
<Computer>windowsmachine</Computer>
<Security />
</System>
<EventData>
<Data>username</Data>
<Data>Reason: Password did not match that for the login provided.</Data>
<Data>[CLIENT: <local machine>]</Data
<Binary>184800000E0000000A000000570049004E004D00430041005000460058000000070000006D00610073007400650072000000</Binary>
</EventData>
</Event>
if you check it binary the function works fine, it just added 1 bit (or more, didn't really check it) that you don't need. try to put the answer through "AND" like this:
answer=event.EventID & 0x1FFFFFFF