Python处理Windows事件日志（json）

通过NXlog将Windows事件日志保存为json格式文件，然后在Python中使用json.loads()进行处理。

NXlog在将Windows事件日志保存为json格式文件，文件中带入了BOM编码格式，所以需要使用decode("utf-8-sig")先对源数据进行处理，否则json.loads()会提示 "No JSON object could be decoded" 错误

文件中每一条事件日志包含有中文、\r\n\t字符，所以在通过json.loads()处理时需要注意转换：

import struct,os,json
file='E:\\logtest\\sec_PC-L_20160518153838.json'

with open(file,'rb') as fo:
    for f in fo:
        fj = json.loads(f.decode("utf-8-sig"),strict=False)
        print fj['Message'].encode('u8')
        #print fj['Message'].encode('gbk')

json.loads(f.decode("utf-8-sig"),strict=False,encoding='u8')

utf-8和utf-8-sig区别：

UTF-8以字节为编码单元，它的字节顺序在所有系统中都是一様的，没有字节序的问题，也因此它实际上并不需要BOM(“ByteOrder Mark”)。但是UTF-8 with BOM即utf-8-sig需要提供BOM。

sec_PC-L_20160518153838.json文件内容如下：

{"EventTime":"2016-05-13 08:51:01","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":1053242,"ProcessID":776,"ThreadID":20412,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-21-3510791965-1333398612-533843580-1003\r\n\t帐户名:\t\ttaskuser\r\n\t帐户域:\t\tPC-L\r\n\t登录 ID:\t\t0x2305C35\r\n\r\n登录类型:\t\t\t4\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中，登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-21-3510791965-1333398612-533843580-1003","TargetUserName":"taskuser","TargetDomainName":"PC-L","TargetLogonId":"0x2305c35","LogonType":"4","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}
{"EventTime":"2016-05-13 08:51:20","Hostname":"PC-L","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4648,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12544,"OpcodeValue":0,"RecordNumber":1053243,"ActivityID":"{105E3485-AC11-0003-9734-5E1011ACD101}","ProcessID":776,"ThreadID":19588,"Channel":"Security","Message":"试图使用显式凭据登录。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-21-3510791965-1333398612-533843580-500\r\n\t帐户名:\t\tAdministrator\r\n\t帐户域:\t\tPC-L\r\n\t登录 ID:\t\t0x56C28\r\n\t登录 GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n使用了哪个帐户的凭据:\r\n\t帐户名:\t\tliuyan1\r\n\t帐户域:\t\tuxin\r\n\t登录 GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n目标服务器:\r\n\t目标服务器名:\tILX-IDC-ExFE02.uxin.youxinpai.com\r\n\t附加信息:\tILX-IDC-ExFE02.uxin.youxinpai.com\r\n\r\n进程信息:\r\n\t进程 ID:\t\t0x13c0\r\n\t进程名:\t\tC:\\Program Files (x86)\\Microsoft Office\\Office15\\OUTLOOK.EXE\r\n\r\n网络信息:\r\n\t网络地址:\t-\r\n\t端口:\t\t\t-\r\n\r\n在进程尝试通过显式指定帐户的凭据来登录该帐户时生成此事件。这通常发生在批量类型的配置中(例如计划任务) 或者使用 RUNAS 命令时。","Category":"登录","Opcode":"信息","SubjectUserSid":"S-1-5-21-3510791965-1333398612-533843580-500","SubjectUserName":"Administrator","SubjectDomainName":"PC-L","SubjectLogonId":"0x56c28","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetUserName":"liuyan1","TargetDomainName":"uxin","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetServerName":"ILX-IDC-ExFE02.uxin.youxinpai.com","TargetInfo":"ILX-IDC-ExFE02.uxin.youxinpai.com","ProcessName":"C:\\Program Files (x86)\\Microsoft Office\\Office15\\OUTLOOK.EXE","IpAddress":"-","IpPort":"-","EventReceivedTime":"2016-05-18 15:38:35","SourceModuleName":"secin","SourceModuleType":"im_msvistalog"}