winevt
Doesn't work from Ubuntu 16.10
Hello
As there's a doc to query events from a remote location, I tried from my Ubuntu 17.04 to query logs from one of our Windows 2012 R2 machines. Which doesn't work: query = EventLog.Query("Security", "*", server="10.200.1.103", domain="company.com", username="administrator", password="*********")
Output
WARNING:winevt:Looks like you didn't successfully compile your own out-of-line pyd. Falling back to in-ine mode. This is going to be less efficient and it's recommended you compile your own. To fix this, do the following:
1) Check this page and install the correct compiler for your version of python: https://blogs.msdn.microsoft.com/pythonengineering/2016/04/11/unable-to-find-vcvarsall-bat/
2) Re-install winevt (pip install -U winevt)
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/winevt/__init__.py", line 17, in <module>
from ._winevt import ffi, lib as evtapi
ImportError: No module named 'winevt._winevt'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/cffi/cparser.py", line 269, in _parse
ast = _get_parser().parse(csource)
File "/usr/local/lib/python3.5/dist-packages/pycparser/c_parser.py", line 152, in parse
debug=debuglevel)
File "/usr/local/lib/python3.5/dist-packages/pycparser/ply/yacc.py", line 331, in parse
return self.parseopt_notrack(input, lexer, debug, tracking, tokenfunc)
File "/usr/local/lib/python3.5/dist-packages/pycparser/ply/yacc.py", line 1199, in parseopt_notrack
tok = call_errorfunc(self.errorfunc, errtoken, self)
File "/usr/local/lib/python3.5/dist-packages/pycparser/ply/yacc.py", line 193, in call_errorfunc
r = errorfunc(token)
File "/usr/local/lib/python3.5/dist-packages/pycparser/c_parser.py", line 1761, in p_error
column=self.clex.find_tok_column(p)))
File "/usr/local/lib/python3.5/dist-packages/pycparser/plyparser.py", line 66, in _parse_error
raise ParseError("%s: %s" % (coord, msg))
pycparser.plyparser.ParseError: :5:16: before: EVT_HANDLE
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "winevent_to_snmptrap.py", line 4, in <module>
from winevt import EventLog
File "/usr/local/lib/python3.5/dist-packages/winevt/__init__.py", line 27, in <module>
ffi = ffibuilder()
File "/usr/local/lib/python3.5/dist-packages/winevt/winevt_build.py", line 199, in ffibuilder
ffi.cdef(re.sub(r"\b(_In_|_Inout_|_Out_|_Outptr_)(opt_)?\b", " ",cdef))
File "/usr/local/lib/python3.5/dist-packages/cffi/api.py", line 106, in cdef
self._cdef(csource, override=override, packed=packed)
File "/usr/local/lib/python3.5/dist-packages/cffi/api.py", line 120, in _cdef
self._parser.parse(csource, override=override, **options)
File "/usr/local/lib/python3.5/dist-packages/cffi/cparser.py", line 308, in parse
self._internal_parse(csource)
File "/usr/local/lib/python3.5/dist-packages/cffi/cparser.py", line 313, in _internal_parse
ast, macros, csource = self._parse(csource)
File "/usr/local/lib/python3.5/dist-packages/cffi/cparser.py", line 271, in _parse
self.convert_pycparser_error(e, csource)
File "/usr/local/lib/python3.5/dist-packages/cffi/cparser.py", line 300, in convert_pycparser_error
raise CDefError(msg)
cffi.error.CDefError: cannot parse "typedef HANDLE EVT_HANDLE;"
:5:16: before: EVT_HANDLE
Ah, yeah this library won't run on Linux as it utilizes Windows API calls to achieve the querying. I'll keep this open until I add a check into the installer for the platform that it is being installed onto.