steffen
/
evtx2sql
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

wrong check for end of EVENT data also the fallback data will now be more complete.

Browse Source
master
Steffen Pohle 4 years ago
parent d4ea11243d
commit 5640b45390
1 changed files with 29 additions and 5 deletions
Show Stats Download Patch File Download Diff File

32
evtx2sql-convert2sql.php
Unescape View File

@ -47,6 +47,10 @@ class EventMeta {
class EventData { class EventData {
public $name; public $name;
public $value; public $value;
function Clear() {
$this->name = "";
$this->value = "";
}
} }
$xmlelement = ""; $xmlelement = "";
@ -66,11 +70,31 @@ function sql_addmeta ($data, $darray) {
} }
else { else {
// default // default
if (isset ($darray['IpAddress'])) $data->server = $darray['IpAddress']; if (isset ($darray['WorkstationName'])) {
if ($darray['WorkstationName'] != '-')
$data->server = $darray['WorkstationName'];
}
else if (isset ($darray['Workstation'])) {
if ($darray['Workstation'] != '-')
$data->server = $darray['Workstation'];
}
if (isset ($darray['IpAddress'])) {
if (strlen($data->server) > 0) $data->server = $data->server." [".$darray['IpAddress']."]";
else $data->server = $darray['IpAddress'];
}
if (isset ($darray['TargetUserName'])) $data->username = $darray['TargetUserName']; if (isset ($darray['TargetUserName'])) $data->username = $darray['TargetUserName'];
if (isset ($darray['SubjectUserName'])) {
if ($darray['SubjectUserName'] != '-')
$data->username = $data->username."[".$darray['SubjectUserName']."]";
}
if (isset ($darray['TargetDomainName'])) $data->domainname = $darray['TargetDomainName']; if (isset ($darray['TargetDomainName'])) $data->domainname = $darray['TargetDomainName'];
if (isset ($darray['SubjectDomainName'])) {
if ($darray['SubjectDomainName'] != '-')
$data->domainname = $data->domainname."[".$darray['SubjectDomainName']."]";
}
if (isset ($darray['ServiceName'])) $data->servicename = $darray['ServiceName']; if (isset ($darray['ServiceName'])) $data->servicename = $darray['ServiceName'];
if (isset ($darray['Status'])) $data->status = $darray['Status']; if (isset ($darray['Status'])) $data->status = $darray['Status'];
if (isset ($darray['ProcessName'])) $data->data = $darray['ProcessName'];
} }
printf ("INSERT INTO tbl_EventMeta (eventrecordid, time, eventid, task, level, keywords, computer, server, username, domainname, servicename, data, status) VALUES('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');\n", printf ("INSERT INTO tbl_EventMeta (eventrecordid, time, eventid, task, level, keywords, computer, server, username, domainname, servicename, data, status) VALUES('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');\n",
@ -120,14 +144,14 @@ function xmlendhandler($parser, $name) {
global $edataelement; global $edataelement;
global $edataarray; global $edataarray;
if (strstr($xmlelement, "EVENT\tSYSTEM") <> false && strstr($name, "SYSTEM") <> false) { if (strstr($xmlelement, "\tEVENT") <> false && strcmp($name, "EVENT") == 0) {
sql_addmeta ($emeta, $edataarray); sql_addmeta ($emeta, $edataarray);
$edataarray = array(); $edataarray = array();
$emata = new EventMeta(); $emata = new EventMeta();
} }
if (strstr($xmlelement, "EVENT\tEVENTDATA\tDATA") <> false && strstr($name, "DATA") <> false) { if (strstr($xmlelement, "\tEVENT\tEVENTDATA\tDATA") <> false && strstr($name, "DATA") <> false) {
printf ("******************* %s %s %s\n", $name, $edataelement->name, $edataelement->value);
$edataarray[$edataelement->name] = $edataelement->value; $edataarray[$edataelement->name] = $edataelement->value;
$edataelement->Clear();
} }
$pos = strrpos ($xmlelement, "\t"); $pos = strrpos ($xmlelement, "\t");

Write Preview
Loading…
Cancel
Save