| skipped 692 lines |
693 | 693 | | yield xml, e |
694 | 694 | | |
695 | 695 | | |
| 696 | + | def convert_logtime(logtime, tzone): |
| 697 | + | tzless = re.sub('[^0-9-:\s]', '', logtime.split(".")[0]).strip() |
| 698 | + | try: |
| 699 | + | return datetime.datetime.strptime(tzless, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
| 700 | + | except: |
| 701 | + | return datetime.datetime.strptime(tzless, "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
| 702 | + | |
| 703 | + | |
696 | 704 | | # Parse the EVTX file |
697 | 705 | | def parse_evtx(evtx_list): |
698 | 706 | | cache_dir = os.path.join(FPATH, 'cache') |
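Review bot: The regex on new line 697 strips the ISO `T` separator (it is not in the `[^0-9-:\s]` class), so an input such as `2020-01-01T10:00:00` becomes `2020-01-0110:00:00`, and then neither format on lines 699 and 701 can match — the `%Y-%m-%dT%H:%M:%S` fallback is unreachable and the function raises `ValueError`; the 1102 Elasticsearch caller at new line 1605 appears to pass `hit["@timestamp"]` without the `.replace("T", " ")` the caller at new line 1405 applies, so it likely hits this path. Normalising the separator once removes the need for the fallback entirely: `tzless = re.sub(r'[^0-9\-:\sT]', '', logtime.split(".")[0]).strip().replace("T", " ")` followed by `return datetime.datetime.strptime(tzless, "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone)`. If the two-format try/except is kept, the bare `except:` on line 700 should be `except ValueError:` so interrupts and unrelated errors are not swallowed, and the pattern should be a raw string (`r'...'`) since `'\s'` in a plain literal is an invalid escape that newer Pythons warn about.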
| skipped 131 lines |
830 | 838 | | |
831 | 839 | | if eventid in EVENT_ID: |
832 | 840 | | logtime = node.xpath("/Event/System/TimeCreated")[0].get("SystemTime") |
833 | | - | try: |
834 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
835 | | - | except: |
836 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
| 841 | + | etime = convert_logtime(logtime, tzone) |
837 | 842 | | stime = datetime.datetime(*etime.timetuple()[:4]) |
838 | 843 | | if args.fromdate or args.todate: |
839 | 844 | | if args.fromdate and fdatetime > etime: |
| skipped 212 lines |
1052 | 1057 | | ### |
1053 | 1058 | | if eventid == 1102: |
1054 | 1059 | | logtime = node.xpath("/Event/System/TimeCreated")[0].get("SystemTime") |
1055 | | - | try: |
1056 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
1057 | | - | except: |
1058 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1060 | + | etime = convert_logtime(logtime, tzone) |
1059 | 1061 | | deletelog.append(etime.strftime("%Y-%m-%d %H:%M:%S")) |
1060 | 1062 | | |
1061 | 1063 | | namespace = "http://manifests.microsoft.com/win/2004/08/windows/eventlog" |
| skipped 339 lines |
1401 | 1403 | | |
1402 | 1404 | | if eventid in EVENT_ID: |
1403 | 1405 | | logtime = hit["@timestamp"].replace("T", " ").split(".")[0] |
1404 | | - | try: |
1405 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
1406 | | - | except: |
1407 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1406 | + | etime = convert_logtime(logtime, tzone) |
1408 | 1407 | | |
1409 | 1408 | | stime = datetime.datetime(*etime.timetuple()[:4]) |
1410 | 1409 | | |
| skipped 192 lines |
1603 | 1602 | | ### |
1604 | 1603 | | if eventid == 1102: |
1605 | 1604 | | logtime = hit["@timestamp"] |
1606 | | - | try: |
1607 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%d %H:%M:%S") + datetime.timedelta(hours=tzone) |
1608 | | - | except: |
1609 | | - | etime = datetime.datetime.strptime(logtime.split(".")[0], "%Y-%m-%dT%H:%M:%S") + datetime.timedelta(hours=tzone) |
| 1605 | + | etime = convert_logtime(logtime, tzone) |
1610 | 1606 | | deletelog.append(etime.strftime("%Y-%m-%d %H:%M:%S")) |
1611 | 1607 | | |
1612 | 1608 | | if hasattr(event.user_data, "SubjectUserName"): |
| skipped 250 lines |