evtx2sql/evtx2sql-convert2sql.php


#!/bin/php
<?php
// Inventory of the state shared between the expat callbacks below.
// At file scope every variable is already global, so these `global`
// statements change nothing; they only document which variables the
// handlers read and write. The parser state ($xmlelement, $emeta,
// $edataelement, $edataarray, $infile, $debug) is initialised after the
// two class definitions; $isevent and $configfile are not used by the
// code visible in this file.
global $xmlelement;
global $isevent;
global $edataarray;
global $edataelement;
global $emeta;
global $infile;
global $configfile;
global $argv;
global $argc;
global $debug;
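/**
 * One Windows event: the System-section fields captured by the XML
 * handlers plus the columns that sql_addmeta() derives from EventData
 * before it emits the INSERT for tbl_EventMeta.
 *
 * Properties are deliberately left untyped: the handlers assign raw
 * character data (strings) to fields such as $eventid, $eventrecordid and
 * $time that Clear() resets to int 0, and callers rely on that mix.
 */
class EventMeta {
    public $eventrecordid;
    public $time;
    public $eventid;
    public $task;
    public $level;
    public $keywords;
    public $computer;
    public $server;
    public $username;
    public $domainname;
    public $servicename;
    public $data;
    public $status;
    public $result;

    /**
     * Start from a cleared record, so a column that no XML element sets is
     * "" / 0 rather than null when it reaches substr()/strlen() in
     * sql_addmeta().
     */
    function __construct() {
        $this->Clear();
    }

    /**
     * Reset every column to its empty value: 0 for the numeric ids, time
     * and result, "" for the text columns.
     */
    function Clear() {
        $this->eventrecordid = 0;
        $this->time = 0;
        $this->eventid = 0;
        $this->result = 0;
        foreach (['task', 'level', 'keywords', 'computer', 'server', 'username',
                  'domainname', 'servicename', 'data', 'status'] as $column) {
            $this->$column = "";
        }
    }
}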
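/**
 * One <EventData><Data Name="..."> element while it is being parsed:
 * the Name attribute and the accumulated (filtered) character data.
 *
 * $eventrecordid is declared here because xmldefaulthandler() writes it
 * (the owning event's record id); previously it was created as a dynamic
 * property, which newer PHP versions report as deprecated.
 */
class EventData {
    public $name;
    public $value;
    public $eventrecordid;

    /** Start from a cleared element so no field is ever null. */
    function __construct() {
        $this->Clear();
    }

    /** Reset name and value to "" and the record id to 0. */
    function Clear() {
        $this->name = "";
        $this->value = "";
        $this->eventrecordid = 0;
    }
}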
// Parser state shared with the expat callbacks through `global`.
$xmlelement = '';   // tab-separated path of the currently open elements
$isevent = false;
$infile = '';       // input file name, filled from "-in" on the command line
$debug = false;     // "-d" on the command line
$emeta = new EventMeta();        // event currently being assembled
$edataelement = new EventData(); // <Data> element currently being read
$edataarray = [];                // Name => value of the current event's <Data> elements
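/**
 * Emit one INSERT for the event in $data, after enriching the server,
 * username, domainname, servicename, data and status columns from the
 * EventData Name => value map in $darray; then reset $data via Clear().
 *
 * Events whose eventid is 0 are not emitted; with the global $debug flag
 * set, a diagnostic line with the same columns is printed instead.
 *
 * Every column value is truncated to its column width and then has single
 * quotes doubled (the SQL string-literal escape), so event-log text such
 * as host, task or process names cannot terminate the literal it is
 * written into. Only single quotes are escaped: backslash handling is
 * dialect-specific (MySQL treats "\" as an escape inside string literals
 * unless NO_BACKSLASH_ESCAPES is set), and the target database is not
 * known here.
 *
 * @param EventMeta $data   the event record to emit; cleared on return
 * @param array     $darray EventData fields keyed by their Name attribute
 */
function sql_addmeta($data, $darray) {
    global $debug;
    $data->status = 0;
    $data->result = 0;
    if ($data->eventid == 0) {
        if ($debug == true) {
            printf("Ignore EventID==0: eventrecordid:'%s','%s',eventid:'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');\n",
                ...sql_addmeta_columns($data));
        }
    } else {
        // server: workstation name, "-" meaning "none", optionally suffixed with the IP
        if (isset($darray['WorkstationName'])) {
            if ($darray['WorkstationName'] != '-') $data->server = $darray['WorkstationName'];
        } else if (isset($darray['Workstation'])) {
            if ($darray['Workstation'] != '-') $data->server = $darray['Workstation'];
        }
        if (isset($darray['IpAddress'])) {
            $data->server = strlen((string) $data->server) > 0
                ? $data->server . " [" . $darray['IpAddress'] . "]"
                : $darray['IpAddress'];
        }
        // username/domainname: target account, with the subject account appended in brackets
        if (isset($darray['TargetUserName'])) $data->username = $darray['TargetUserName'];
        if (isset($darray['SubjectUserName']) && $darray['SubjectUserName'] != '-') {
            $data->username = $data->username . "[" . $darray['SubjectUserName'] . "]";
        }
        if (isset($darray['TargetDomainName'])) $data->domainname = $darray['TargetDomainName'];
        if (isset($darray['SubjectDomainName']) && $darray['SubjectDomainName'] != '-') {
            $data->domainname = $data->domainname . "[" . $darray['SubjectDomainName'] . "]";
        }
        if (isset($darray['ServiceName'])) $data->servicename = $darray['ServiceName'];
        if (isset($darray['Status'])) $data->status = $darray['Status'];
        if (isset($darray['ProcessName'])) $data->data = $darray['ProcessName'];
        printf("INSERT INTO tbl_EventMeta (eventrecordid, time, eventid, task, level, keywords, computer, server, username, domainname, servicename, data, status) VALUES('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');\n",
            ...sql_addmeta_columns($data));
    }
    $data->Clear();
}

/**
 * The thirteen tbl_EventMeta column values of $data, in INSERT column order,
 * each cast to string, truncated to its column width (32 for keywords, 64
 * for the text columns, 16 for status, unlimited for the ids/time/task/level)
 * and with single quotes doubled. Truncation happens before escaping so an
 * escape pair is never cut in half.
 *
 * @param EventMeta $data
 * @return string[] values ready to be placed inside single-quoted SQL literals
 */
function sql_addmeta_columns($data) {
    $literal = function ($value, $max = null) {
        $s = (string) $value;
        if ($max !== null) $s = substr($s, 0, $max);
        return str_replace("'", "''", $s);
    };
    return [
        $literal($data->eventrecordid),
        $literal($data->time),
        $literal($data->eventid),
        $literal($data->task),
        $literal($data->level),
        $literal($data->keywords, 32),
        $literal($data->computer, 64),
        $literal($data->server, 64),
        $literal($data->username, 64),
        $literal($data->domainname, 64),
        $literal($data->servicename, 64),
        $literal($data->data, 64),
        $literal($data->status, 16),
    ];
}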
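/**
 * Expat start-element callback. Appends "\t$name" to the global element
 * path and captures the two attributes this converter uses: the Name of an
 * <EventData><Data> element (starting a fresh value) and the SystemTime of
 * <System><TimeCreated>, whose 'T' and 'Z' markers are replaced by spaces
 * so the timestamp can be stored as-is.
 *
 * @param resource|\XMLParser $parser  unused
 * @param string              $name    element name, upper-cased by the parser's case folding
 * @param array               $attribs attribute name => value
 */
function xmlstarthandler($parser, $name, $attribs) {
    global $xmlelement;
    global $edataelement;
    global $emeta;
    $xmlelement .= "\t" . $name;
    $inData = strpos($xmlelement, "EVENT\tEVENTDATA\tDATA") !== false;
    $inTimeCreated = strpos($xmlelement, "EVENT\tSYSTEM\tTIMECREATED") !== false;
    foreach ($attribs as $attrName => $attrValue) {
        if ($inData && strpos($attrName, "NAME") !== false) {
            $edataelement->name = $attrValue;
            $edataelement->value = "";
        } else if ($inTimeCreated && strpos($attrName, "SYSTEMTIME") !== false) {
            // Guard each marker: strpos() returning false used to be used as
            // a string offset, which overwrote the first character instead.
            foreach (['T', 'Z'] as $marker) {
                $at = strpos($attrValue, $marker);
                if ($at !== false) $attrValue[$at] = ' ';
            }
            $emeta->time = $attrValue;
        }
    }
}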
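/**
 * Expat end-element callback. On </Event> emits the assembled event via
 * sql_addmeta() and resets the per-event state; on </Data> inside
 * <EventData> stores the finished Name => value pair; in all cases pops the
 * last component off the global element path.
 *
 * @param resource|\XMLParser $parser unused
 * @param string              $name   element name, upper-cased by the parser's case folding
 */
function xmlendhandler($parser, $name) {
    global $xmlelement;
    global $emeta;
    global $edataelement;
    global $edataarray;
    if (strpos($xmlelement, "\tEVENT") !== false && $name === "EVENT") {
        sql_addmeta($emeta, $edataarray);
        $edataarray = [];
        // Reset explicitly; the previous `$emata = new EventMeta()` was a
        // misspelling that assigned a throw-away local and left $emeta alone.
        $emeta->Clear();
    }
    if (strpos($xmlelement, "\tEVENT\tEVENTDATA\tDATA") !== false && strpos($name, "DATA") !== false) {
        $edataarray[$edataelement->name] = $edataelement->value;
        $edataelement->Clear();
    }
    // Pop the last "\tNAME" component; a path without a tab becomes empty.
    $lastTab = strrpos($xmlelement, "\t");
    $xmlelement = ($lastTab === false) ? "" : substr($xmlelement, 0, $lastTab);
}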
/**
 * Whitelist filter applied to <EventData> character data before it is
 * written into the generated SQL.
 *
 * Kept byte-for-byte: ASCII letters and digits and the characters
 * & % / { } # . , \ _ * : @ + -. A newline becomes a space. A space is kept
 * only once something has already been kept, so leading spaces are dropped.
 * Everything else — quotes, semicolons, tabs, carriage returns, any
 * non-ASCII byte — is discarded. The scan is byte-wise (strlen/offset).
 *
 * @param string $text raw character data from the parser
 * @return string the filtered text
 */
function filterunsafetext($text) {
    static $alphabet = null;
    if ($alphabet === null) {
        $alphabet = implode('', range('a', 'z'))
            . implode('', range('A', 'Z'))
            . implode('', range('0', '9'))
            . '&%/{}#.,\\_*:@+-';
    }
    $kept = '';
    $length = strlen($text);
    for ($pos = 0; $pos < $length; $pos++) {
        $byte = $text[$pos];
        if ($byte === "\n") {
            $kept .= ' ';
        } elseif ($byte === ' ') {
            if ($kept !== '') $kept .= ' ';
        } elseif (strpos($alphabet, $byte) !== false) {
            $kept .= $byte;
        }
    }
    return $kept;
}
/**
 * Expat default callback, which (no character-data handler being set)
 * receives element text. Inside <EventData><Data> the text is filtered and
 * appended to the current EventData value; inside the <System> elements
 * listed below it is assigned (not appended) to the matching EventMeta
 * property. Text anywhere else is ignored.
 *
 * @param resource|\XMLParser $parser unused
 * @param string              $data   the character data
 */
function xmldefaulthandler($parser, $data) {
    global $emeta;
    global $edataelement;
    global $xmlelement;
    // Element paths (as built by xmlstarthandler) whose text is kept, mapped
    // to the EventMeta property that receives it; first match wins.
    static $systemFields = [
        "EVENT\tSYSTEM\tEVENTID" => 'eventid',
        "EVENT\tSYSTEM\tEVENTRECORDID" => 'eventrecordid',
        "EVENT\tSYSTEM\tKEYWORDS" => 'keywords',
        "EVENT\tSYSTEM\tLEVEL" => 'level',
        "EVENT\tSYSTEM\tCOMPUTER" => 'computer',
        "EVENT\tSYSTEM\tTASK" => 'task',
    ];
    if (strpos($xmlelement, "EVENT\tEVENTDATA\tDATA") !== false) {
        $edataelement->eventrecordid = $emeta->eventrecordid;
        $edataelement->value .= filterunsafetext($data);
        return;
    }
    foreach ($systemFields as $path => $property) {
        if (strpos($xmlelement, $path) !== false) {
            $emeta->$property = $data;
            return;
        }
    }
}
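/**
 * Print $text to STDERR and terminate with a non-zero status. The generated
 * SQL goes to STDOUT, so writing the error there would corrupt a redirected
 * output file, and a zero exit code (the previous behaviour) hid the
 * failure from shell callers.
 *
 * @param string $text message to print verbatim
 */
function errorexit($text) {
    fwrite(STDERR, $text);
    exit(1);
}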
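// Command-line parsing: "-in FILE" names the input XML, "-d" enables debug output.
// Options are matched exactly: the previous substring match let any argument
// containing "-d" (for example a file name like "logs-dc01.xml") switch debug
// on, and also inspected $argv[0] (the script path). The value after -in is
// consumed so it is never examined as an option itself.
if (isset($argv) && isset($argc)) {
    for ($i = 1; $i < $argc; $i++) {
        if ($argv[$i] === '-in') {
            $i++;
            if ($i >= $argc) errorexit("filename missing\n");
            $infile = $argv[$i];
        } else if ($argv[$i] === '-d') {
            $debug = true;
        }
    }
}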
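// Without an input file there is nothing to convert: print usage and fail.
if ($infile === "") {
    printf("Parameters:\n");
    printf(" -in INPUTFILE\n");
    exit(1);
}
$stream = fopen($infile, 'r');
if ($stream === false) errorexit("cannot open input file: $infile\n");
$parser = xml_parser_create();
// The handlers compare element and attribute names in upper case; that relies
// on expat's case folding, so request it explicitly instead of trusting the default.
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, true);
xml_set_element_handler($parser, "xmlstarthandler", "xmlendhandler");
xml_set_default_handler($parser, "xmldefaulthandler");
// Test against false/"" explicitly: a final chunk consisting of the single
// byte "0" is falsy and previously ended the loop before it was parsed.
$parsed = true;
while ($parsed && ($data = fread($stream, 16384)) !== false && $data !== '') {
    $parsed = xml_parse($parser, $data) !== 0; // parse the current chunk
}
if ($parsed) $parsed = xml_parse($parser, '', true) !== 0; // finalize parsing
if (!$parsed) {
    // Previously a parse failure was silent and the remaining chunks were still fed in.
    $error = sprintf("XML parse error at line %d: %s\n",
        xml_get_current_line_number($parser),
        xml_error_string(xml_get_error_code($parser)));
    xml_parser_free($parser);
    fclose($stream);
    errorexit($error);
}
xml_parser_free($parser);
fclose($stream);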