hmm.py divide by zero encountered while uploading evtx/xml file

Open LaBonave opened this issue 6 years ago • 8 comments

Hi, I'm getting this error while parsing small, big, evtx or xml files from my personal workstation. Same error by GUI or by CLI:

python3 logontracer.py --delete -x ../xxxx.xml -z +2 -u neo4j -p neo5j -s localhost
[] Script start. 2018/10/05 15:46:14
[] Delete all nodes and relationships from this Neo4j database.
[] Time zone is 2.
[] Last record number is 208.
[] Start parsing the EVTX file.
[] Parse the EVTX file ../xxxxx.xml.
[] Now loading 200 records.
[] Load finished.
[] Total Event log is 208.
[] Calculate ChangeFinder.
[] Calculate Hidden Markov Model.
/usr/local/lib/python3.6/dist-packages/hmmlearn/hmm.py:405: RuntimeWarning: divide by zero encountered in log
  return np.log(self.emissionprob_)[:, np.concatenate(X)].T
[] Calculate PageRank.
[] Creating a graph data.
[] Creation of a graph data finished.
[*] Script end. 2018/10/05 15:46:14

All dependencies and code were freshly installed today.

LaBonave avatar Oct 05 '18 14:10 LaBonave

This is a known warning message that does not affect the operation of LogonTracer.

shu-tom avatar Oct 06 '18 13:10 shu-tom

Hi, thanks. It seems that, when uploading a large event log (multiple thousands of logs), this error ends the parsing:

[] Now loading 200 records.
[] Now loading 300 records.
/usr/local/lib/python3.6/dist-packages/hmmlearn/hmm.py:405: RuntimeWarning: divide by zero encountered in log
  return np.log(self.emissionprob_)[:, np.concatenate(X)].T
[] Load finished
[] Total Event log is 305.
[] Calculate ChangeFinder.
[] Calculate Hidden Markov Model.
[] Calculate PageRank.
[] Creating a graph data.
[] Creation of a graph data finished.
[] Script end. 2018/10/05 17:50:45

We can have the visualisation in LogonTracer, but it only shows the first 305 records in that case.

LaBonave avatar Oct 09 '18 09:10 LaBonave

In this message, the number of records in the log is written as 305. Is it more? Is the log broken?

shu-tom avatar Oct 09 '18 11:10 shu-tom

The log contained many more events, and was generated by the standard Event Viewer with a custom view for 7 days. It contains roughly 1.5 million events of the IDs recognized by LogonTracer (4624, 4625, 4768, 4769, 4776, 4672).

LaBonave avatar Oct 10 '18 20:10 LaBonave
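
A completeness check for the situation described above, added here as an example and not part of the thread or of LogonTracer: it counts the events in an exported XML log, per tracked event ID, so the result can be compared with the "Total Event log" figure LogonTracer prints, and it flags an export that is truncated or malformed. It assumes the standard Windows event XML namespace; `count_events` and the sample records are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Event IDs the thread lists as recognized by LogonTracer.
TRACKED_IDS = {4624, 4625, 4768, 4769, 4776, 4672}
# Namespace of Windows event XML (assumption: standard Event Viewer export).
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def count_events(source):
    """Stream an exported XML log; return (total, per-ID counts, complete)."""
    total, per_id, complete = 0, Counter(), True
    try:
        for _, elem in ET.iterparse(source, events=("end",)):
            if elem.tag != NS + "Event":
                continue
            total += 1
            eid = (elem.findtext(f"{NS}System/{NS}EventID") or "").strip()
            if eid.isdigit() and int(eid) in TRACKED_IDS:
                per_id[int(eid)] += 1
            elem.clear()  # drop parsed children to limit memory on large exports
    except ET.ParseError:
        complete = False  # truncated or malformed export: counts stop here
    return total, per_id, complete


def _event(eid):
    """Build one constructed sample record (not real log data)."""
    return (f'<Event xmlns="{NS[1:-1]}"><System>'
            f"<EventID>{eid}</EventID></System></Event>")


# Constructed sample: four events, one of them (4688) not in TRACKED_IDS.
SAMPLE = ("<Events>" + "".join(map(_event, [4624, 4625, 4688, 4624]))
          + "</Events>").encode()

if __name__ == "__main__":
    # The second run cuts the export mid-record to mimic a broken file.
    for label, data in (("full", SAMPLE), ("truncated", SAMPLE[:-20])):
        total, per_id, complete = count_events(io.BytesIO(data))
        state = "complete" if complete else "INCOMPLETE"
        print(label, total, dict(per_id), state)
```

For a real export, pass the file opened in binary mode (`open(path, "rb")`) instead of the in-memory sample.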

Can you share the event log with me in order to resolve this issue? If you can share it, please send it to logontracer.help (at) gmail.com

shu-tom avatar Oct 10 '18 22:10 shu-tom

Got the same exact error. Is it still a known warning issue?

/usr/local/lib/python3.5/dist-packages/hmmlearn/hmm.py:412: RuntimeWarning: divide by zero encountered in log return np.log(self.emissionprob_)[:, np.concatenate(X)].T.

Starting : [*] Last record number is 510267.

[] Load finished. [] Total Event log is 510376. [*] Calculate ChangeFinder. ...

sbmandava avatar Mar 13 '19 15:03 sbmandava

If you can share it, please send it to logontracer.help (at) gmail.com

shu-tom avatar Mar 13 '19 22:03 shu-tom

I also have this problem...

lowkeygit avatar Jun 19 '19 01:06 lowkeygit