Howdy.

I replied offline to the author earlier in my day about what might be the 
problem he is running into (I was in digest mode until today and couldn't just 
reply to the thread - apologies), but played around with this script a little 
today and seem to have something that can pass credentials to a call for 
eventlogs and wanted to share with the list (now that I had a working sample).

Based on the API that was available for running searches on remote computers, I 
had to output the data into XML and did not parse the XML (a task which I leave 
to the original author of this thread -- using something like lxml).

However, hopefully this helps the original author see how he might be able to 
inject credentials into their script to get what they need.

It is worthy of note that the original poster's script worked fine on my test 
systems (with Remote Scripting UAC disabled) which might suggest that there's a 
problem with how the remote server is configured and maybe "Allowing Remote 
Scripts to Bypass UAC" is the solution to their whole problem...  See here:

    https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction

Kudos to the pywin32 maintainers and the members of this list for their input.  
I hope this minor script helps someone.

# -------------------------------
# tested using python 3.6.3 on W10x64 with domain admin credentials tested in the script

import win32evtlog  # requires pywin32 pre-installed
import time

user = "someuser"                # your windows username
domain = "SOMEDOMAIN"            # your windows domain name (or possibly computername)
passwd = "reallysecurepassword"  # your unencrypted password (a getpass.getpass() prompt keeps it out of the file)
server = 'IP_OR_FQDN'            # name of the target computer to get event logs

try:
    logtype = 'System'  # 'Application' # 'Security'
    # Login tuple is (server, user, domain, password, auth flags); the session
    # handle makes EvtQuery run against the remote machine with these credentials.
    sess_handle = win32evtlog.EvtOpenSession(
        Login=(server, user, domain, passwd, win32evtlog.EvtRpcLoginAuthDefault),
        Timeout=0,
        Flags=0)

    query_flags = win32evtlog.EvtQueryReverseDirection | win32evtlog.EvtQueryChannelPath

    # while I get "*" (all the logs), this thread seems to suggest you could
    # limit it..  however, their syntax didn't work for me
    # https://stackoverflow.com/questions/29827769/get-an-event-object-from-win32evtlog-evtquery-results
    log_handle = win32evtlog.EvtQuery(logtype, query_flags, "*", sess_handle)

    x = 0
    count = 10  # get x events per query
    events = win32evtlog.EvtNext(ResultSet=log_handle, Count=count, Timeout=0, Flags=0)
    while events:  # EvtNext returns an empty sequence once the result set is exhausted
        for event in events:
            x += 1
            print(f'b4 render: {x} --> {event}')
            print(f'Event Data: {win32evtlog.EvtRender(event, Flags=win32evtlog.EvtRenderEventXml)}')

        events = win32evtlog.EvtNext(ResultSet=log_handle, Count=count, Timeout=0, Flags=0)
        time.sleep(5)

except Exception as e:
    print(f"Excepted with: {e}")

####################
# minor excerpt of output:
b4 render: 240 --> <PyEVT_HANDLE:22>
Event Data: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
    <EventID Qualifiers='16384'>7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime='2021-09-16T21:02:15.383021500Z'/>
    <EventRecordID>296223</EventRecordID>
    <Correlation/>
    <Execution ProcessID='688' ThreadID='3724'/>
    <Channel>System</Channel>
    <Computer>somecomuter.somewhere.com</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='param1'>WMI Performance Adapter</Data>
    <Data Name='param2'>stopped</Data>
    <Binary>77006D006900410070005300720076002F0031000000</Binary>
  </EventData>
</Event>
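The post leaves parsing of the rendered XML to the original author. As an added example (not from the post or from pywin32), here is a parser for exactly the event XML that EvtRender(..., Flags=EvtRenderEventXml) produces, using the standard library's xml.etree.ElementTree instead of lxml so it runs offline without pywin32. The sample event is constructed from the output excerpt above; decoding the Binary element as a NUL-terminated UTF-16LE string is an assumption about this provider's payload.

```python
import xml.etree.ElementTree as ET

# Every rendered event lives in this namespace; ElementTree needs it on each tag.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the Service Control Manager 7036 event from the output excerpt.
SAMPLE_EVENT_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}'"
    " EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID>"
    "<Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>"
    "<Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2021-09-16T21:02:15.383021500Z'/>"
    "<EventRecordID>296223</EventRecordID><Correlation/><Execution ProcessID='688' ThreadID='3724'/>"
    "<Channel>System</Channel><Computer>somecomuter.somewhere.com</Computer><Security/></System>"
    "<EventData><Data Name='param1'>WMI Performance Adapter</Data><Data Name='param2'>stopped</Data>"
    "<Binary>77006D006900410070005300720076002F0031000000</Binary></EventData></Event>"
)


def _attr(parent, tag, name):
    """Attribute of a child element, or None when that element is absent."""
    node = parent.find(tag, NS)
    return None if node is None else node.get(name)


def parse_event_xml(xml_text):
    """Flatten one rendered event into the fields a log reviewer usually wants."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not an Event XML document")
    record = {
        "provider": _attr(system, "e:Provider", "Name"),
        "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        "level": int(system.findtext("e:Level", default="0", namespaces=NS)),
        "time_created": _attr(system, "e:TimeCreated", "SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", default="0", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {},
        "binary": None,
    }
    # <Data Name='...'> entries are named by the provider's manifest; unnamed ones get an index.
    for i, data in enumerate(root.findall("e:EventData/e:Data", NS)):
        record["data"][data.get("Name", str(i))] = data.text
    binary = root.findtext("e:EventData/e:Binary", namespaces=NS)
    if binary:
        # Assumption: SCM 7036 carries the service's short name as a NUL-terminated UTF-16LE string.
        record["binary"] = bytes.fromhex(binary).decode("utf-16-le").rstrip("\x00")
    return record
```

For the sample event this yields event_id 7036, data {'param1': 'WMI Performance Adapter', 'param2': 'stopped'} and binary 'wmiApSrv/1', so a caller can filter on event_id client-side even while the query string stays "*".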
_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32