| skipped 1276 lines |
1277 | 1277 | | |
1278 | 1278 | | if eventid in EVENT_ID: |
1279 | 1279 | | logtime = hit["@timestamp"].replace("T", " ").split(".")[0] |
1280 | | - | etime = datetime.datetime.strptime(logtime, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1280 | + | try: |
| 1281 | + | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1282 | + | except: |
| 1283 | + | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1284 | + | |
1281 | 1285 | | stime = datetime.datetime(*etime.timetuple()[:4]) |
1282 | 1286 | | |
1283 | 1287 | | if starttime is None: |
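Review bot: The fallback format on new line 1283 is unreachable, because line 1279 already applies `.replace("T", " ")` and `.split(".")[0]` to the timestamp before it reaches the `try`, so the `T`-separated pattern in the `except` branch can never match and the second `.split(".")[0]` on line 1281 is a no-op. Either keep line 1279's normalisation and drop the `try`/`except`, or, if the intent is to accept both separators as the event-1102 branch later in this commit does, change line 1279 to `logtime = hit["@timestamp"]` so the fallback is live. In both cases the bare `except:` should be `except ValueError:`; as written it also swallows KeyboardInterrupt and SystemExit and then re-raises from the second `strptime` with a misleading message. The enclosing function starts and ends outside this hunk.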
| skipped 191 lines |
1475 | 1479 | | if eventid == 1102: |
1476 | 1480 | | logtime = hit["@timestamp"] |
1477 | 1481 | | try: |
1478 | | - | etime = datetime.datetime.strptime(logtime, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1482 | + | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
1479 | 1483 | | except: |
1480 | | - | etime = datetime.datetime.strptime(logtime, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1484 | + | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
1481 | 1485 | | deletelog.append(etime.strftime("%Y-%m-%d %H:%M:%S")) |
1482 | 1486 | | |
1483 | | - | if hasattr(event.event_data, "SubjectUserName"): |
1484 | | - | username = event.event_data.SubjectUserName.split("@")[0] |
| 1487 | + | if hasattr(event.user_data, "SubjectUserName"): |
| 1488 | + | username = event.user_data.SubjectUserName.split("@")[0] |
1485 | 1489 | | if username[-1:] not in "$": |
1486 | 1490 | | deletelog.append(username.lower()) |
1487 | 1491 | | else: |
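Review bot: The bare `except:` on line 1483 should be `except ValueError:`; as written it also catches KeyboardInterrupt and SystemExit and re-enters `strptime`, whose second-format error is then raised with the first one chained, hiding the real cause. `.split(".")[0]` only strips a fractional-seconds suffix, so if `@timestamp` values arrive without fractional seconds but with a trailing `Z` or UTC offset (typical for ISO 8601 timestamps in Elasticsearch, to be confirmed against the index), neither format on lines 1482/1484 matches and the exception propagates out of the loop instead of yielding a parsed time. A comment above the `try`, such as `# @timestamp may use 'T' or ' ' as the date/time separator; fractional seconds are dropped`, would explain why two formats are attempted. The enclosing block continues outside this hunk.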
| skipped 1 lines |
1489 | 1493 | | else: |
1490 | 1494 | | deletelog.append("-") |
1491 | 1495 | | |
1492 | | - | if hasattr(event.event_data, "SubjectDomainName"): |
1493 | | - | deletelog.append(event.event_data.SubjectDomainName) |
| 1496 | + | if hasattr(event.user_data, "SubjectDomainName"): |
| 1497 | + | deletelog.append(event.user_data.SubjectDomainName) |
1494 | 1498 | | else: |
1495 | 1499 | | deletelog.append("-") |
1496 | 1500 | | |
| skipped 217 lines |