#! c:\perl\bin\perl.exe
#-----------------------------------------------------------------------------
# evtxrpt.pl
# Perl script to obtain statistics from EVTX files
# Should provide output similar to H. Carvey's evtrpt.pl
#
# usage: evtxrpt.pl <path to EVTX file>
#
# NOTE: Requires the use of Microsoft LogParser (in PATH)
#
# copyright 2012 F.Picasso, [email protected]
#-----------------------------------------------------------------------------
use strict;
use warnings;
#-----------------------------------------------------------------------------
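my $VERSION = "20120331";
print "EVenTX RePorT version $VERSION\n";
print "using Microsoft LogParser, summarize EVTX files\n";
print "copyright 2012 Francesco Picasso\n";
# The EVTX path is interpolated verbatim into each LogParser query and the
# assembled command line is run through a 2-arg pipe open (see fystem), so it
# reaches the shell.  A name containing a double quote, a shell metacharacter
# or a control character would leave the quoted query and alter the command,
# so refuse such names before any command string is built.
my $infile = shift || die "You must enter a filename.\n";
die "$infile not found.\n" unless (-e $infile);
die "$infile is not a regular file.\n" unless (-f $infile);
die "$infile contains characters that cannot be passed safely to LogParser.\n"
    if $infile =~ m{ ["&|<>^%] | [[:cntrl:]] }xms;
# NOTE(review): the path is also not shell-quoted by the query builders, so a
# path containing spaces may need extra quoting for LogParser -- not verified.
# Scratch variables shared by the report sections below: raw LogParser output,
# its split lines and the row being processed.
my $data;
my @lines;
my $line;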
#-----------------------------------------------------------------------------
my $PIPE     = '|';
my $BASE_CMD = 'LogParser -i:evt -o:CSV ';
# LogParser SQL, each wrapped in the double quotes LogParser expects on the
# command line; the EVTX path is itself double-quoted inside the FROM clause.
my $from_evtx = qq{"$infile"};
my $SELECT_STAT = qq{"SELECT SourceName,EventID,COUNT(*) FROM $from_evtx }
    . qq{GROUP BY EventID,SourceName ORDER BY SourceName,EventID"};
# Oldest and newest event: same query, opposite sort direction.
my ( $SELECT_RANGE1, $SELECT_RANGE2 ) = map {
    my $order = $_;
    qq{"SELECT TOP 1 TO_UTCTIME(TimeGenerated) as TimeGen FROM $from_evtx ORDER BY TimeGen $order "};
} qw(ASC DESC);
my $SELECT_TIMELINE = join '',
    qq{"SELECT TO_STRING(TO_UTCTIME(TimeGenerated),'yyyy') as Year, },
    qq{TO_STRING(TO_UTCTIME(TimeGenerated),'MM') as Month from },
    qq{$from_evtx ORDER BY Year,Month"};
#-----------------------------------------------------------------------------
$data  = fystem( $BASE_CMD . $SELECT_STAT . $PIPE );
@lines = map { "$_\n" } split /\n/, $data;
shift @lines;    # first row is the CSV column header
print "\n";
printf "%-48s %-8s %s\n", 'Source Name', 'Event ID', 'Count';
printf "%-48s %-8s %s\n", '-----------', '--------', '-----';
# One "SourceName,EventID,Count" row per (source, id) pair; stop at the first
# row without exactly three fields (presumably LogParser's trailing output).
for my $row (@lines) {
    my @fields = split /,/, $row;
    last if @fields != 3;
    printf "%-48s %-8s %u\n", @fields;
}
#-----------------------------------------------------------------------------
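printf( "\n-------------------- Data Range (UTC) ------------------\n");
# Both range queries return one CSV header row and at most one data row.
# Take the data row, strip the line terminator (LogParser emits CRLF, which
# the old code printed through), and fall back to an empty string so an
# empty log prints cleanly instead of an undefined value.
my @bounds;
for my $select ( $SELECT_RANGE1, $SELECT_RANGE2 ) {
    $data  = fystem( $BASE_CMD . $select . $PIPE );
    @lines = split /\r?\n/, $data;
    shift @lines;    # CSV header row
    my $bound = shift @lines;
    $bound = '' unless defined $bound;
    push @bounds, $bound;
}
my ( $oldest, $newest ) = @bounds;
print "$oldest\nto\n$newest\n";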
#-----------------------------------------------------------------------------
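printf( "\n--------- Year/Month distribution -------------\n" );
$data  = fystem( $BASE_CMD . $SELECT_TIMELINE . $PIPE );
# One "YYYY,MM" row per event.  Splitting on an optional CR handles both CRLF
# and LF output, so the month key never carries a stray line terminator.
@lines = split /\r?\n/, $data;
shift @lines;    # CSV header row
# %hoh: year => { '01'..'12' => event count }.  Every month of a year that
# occurs is pre-seeded with 0 so months without events are still listed.
my %hoh;
for my $row (@lines) {
    my @fields = split /,/, $row;
    last unless @fields == 2;    # stop at LogParser's trailing non-data rows
    my ( $year, $month ) = @fields;
    $hoh{$year} = { map { ( $_ => 0 ) } '01' .. '12' }
        unless defined $hoh{$year};
    $hoh{$year}{$month} += 1;
}
print "\nYear Month Count\n";
for my $year ( sort keys %hoh ) {
    print "$year\n";
    for my $month ( sort keys %{ $hoh{$year} } ) {
        print " $month $hoh{$year}{$month}\n";
    }
    print "\n";
}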
#-----------------------------------------------------------------------------
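# fystem( $command_line )         - legacy form: a shell command ending in '|'
# fystem( $program, @arguments )  - list form: runs $program with @arguments
#
# Runs the command, slurps its raw (binmode) standard output and returns it
# as a single string ('' when the command prints nothing).  Dies if the
# process cannot be started or if close() reports a failure / non-zero exit
# status (both $! and $? are included in the message).
#
# The one-argument form hands the string to the platform shell, so any value
# interpolated into it (e.g. the EVTX path) must already be safe.  The list
# form passes arguments straight to the program without a shell and is the
# preferred way to run commands that embed user-supplied values; list-form
# pipe open is not available on every platform/perl version (older Win32
# perls in particular -- check perlport before relying on it there).
sub fystem
{
    my ( $cmd, @args ) = @_;
    my $fh;
    if (@args) {
        open( $fh, '-|', $cmd, @args ) or die "can't run '$cmd': $!";
    }
    else {
        open( $fh, $cmd ) or die "can't fork: $!";
    }
    binmode($fh);
    my $output = do { local $/; <$fh> };    # slurp; undef if nothing was written
    $output = '' unless defined $output;
    close $fh or die "error executing command '$cmd': [$!] [$?]";
    return $output;
}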
#-----------------------------------------------------------------------------
1;    # true final value: harmless for a script, needed only if this file is ever loaded with require/do