JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

DataFrame Object Error on Parsing XML File #108

Closed GenericUser450 closed 3 years ago

GenericUser450 commented 3 years ago

Hiya,

I was parsing some EVTX files converted to XML and everything was going well, but then the remainder of the files started to kick out errors and failed. They were all converted via the same method, so it's odd that most seemed fine while this last batch failed. I also tested on the original EVTX file and experienced the same issue. The error is as follows:

[+] Script start. 2021/03/27 16:06:54
[+] Neo4j Kernel version: 4.2.4
[+] Load cashe files.
[+] Time zone is 1.
[+] Last record number is 4999.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file /datadrive/LogonTracer/converted/EvtxECmd_LogonTracer_20210326_015851_85.xml.
Traceback (most recent call last):
  File "/datadrive/LogonTracer/logontracer.py", line 1857, in <module>
    main()
  File "/datadrive/LogonTracer/logontracer.py", line 1848, in main
    parse_evtx(args.xmls)
  File "/datadrive/LogonTracer/logontracer.py", line 1024, in parse_evtx
    event_series = pd.Series([eventid, ipaddress, username, logintype, status, authname, int(stime.strftime("%s"))], index=event_set.columns)
  File "/home/logontracer/.local/lib/python3.6/site-packages/pandas/core/generic.py", line 5063, in __getattr__
    return object.__getattribute__(self, name)
  File "pandas/_libs/properties.pyx", line 65, in pandas._libs.properties.AxisProperty.__get__
  File "/home/logontracer/.local/lib/python3.6/site-packages/pandas/core/generic.py", line 5063, in __getattr__
    return object.__getattribute__(self, name)
AttributeError: 'DataFrame' object has no attribute '_data'

And the command being run is:

python3 /datadrive/LogonTracer/logontracer.py -x /datadrive/LogonTracer/converted/EvtxECmd_LogonTracer_20210326_015851_85.xml -z 1 -u neo4j -p -s localhost --add

I'm running the latest version of LogonTracer on Ubuntu 18.04. Any help with this is appreciated!

shu-tom commented 3 years ago

Did you upload the security event log of domain controller?

giacomoconti1978 commented 1 year ago

Have you resolved the problem? I have this:

[+] Script start. 2023/04/05 06:31:00
[+] Neo4j Kernel 5.6.0 (Enterprise)
[+] Time zone is 1.
[+] Last record number is 62031.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file sample/Security.evtx.
[+] Now loading 2500 records.
Traceback (most recent call last):
  File "/LogonTracer/logontracer.py", line 2883, in <module>
    main()
  File "/LogonTracer/logontracer.py", line 2867, in main
    parse_evtx(args.evtx, case)
  File "/LogonTracer/logontracer.py", line 1962, in parse_evtx
    event_set = event_set.append(event_series, ignore_index=True)
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/generic.py", line 5989, in __getattr__
    return object.__getattribute__(self, name)
AttributeError: 'DataFrame' object has no attribute 'append'. Did you mean: '_append'?
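The second traceback comes from `DataFrame.append`, which pandas removed in 2.0; the row-accumulating loop in `parse_evtx` can be written with `pd.concat` so it runs on both pandas 1.x and 2.x. This is an added example with constructed sample events, not LogonTracer's own code; the column layout follows the `event_series` in the first traceback above.

```python
import pandas as pd

# Column layout taken from the event_series shown in the first traceback.
COLUMNS = ["eventid", "ipaddress", "username", "logintype",
           "status", "authname", "timestamp"]

# Constructed sample events (not from any real log). Each tuple mirrors the
# values parse_evtx assembles for one Windows Security event.
SAMPLE_EVENTS = [
    (4624, "10.0.0.5", "alice", 3, "0x0", "Kerberos", 1616860014),
    (4625, "10.0.0.9", "bob", 10, "0xc000006d", "NTLM", 1616860020),
    (4768, "10.0.0.5", "alice", -1, "0x0", "-", 1616860030),
]


def build_event_set_legacy(events):
    """The pattern that fails on pandas >= 2.0: DataFrame.append no longer exists."""
    event_set = pd.DataFrame(columns=COLUMNS)
    for event in events:
        event_series = pd.Series(list(event), index=event_set.columns)
        # AttributeError on pandas 2.x, exactly as in the traceback above.
        event_set = event_set.append(event_series, ignore_index=True)
    return event_set


def build_event_set(events):
    """Version-independent replacement: collect one-row frames, concat once.

    Building the list first and concatenating a single time also avoids the
    quadratic cost of re-creating the DataFrame on every appended row.
    """
    rows = []
    for event in events:
        event_series = pd.Series(list(event), index=COLUMNS)
        # Series -> 1-row DataFrame; this is the drop-in for .append().
        rows.append(event_series.to_frame().T)
    if not rows:
        # Keep the column layout even when no events were parsed.
        return pd.DataFrame(columns=COLUMNS)
    return pd.concat(rows, ignore_index=True)


def supports_dataframe_append():
    """True on pandas 1.x, False on pandas 2.x; useful for a quick sanity check."""
    return hasattr(pd.DataFrame, "append")
```

Replacing the single `event_set.append(...)` line in `parse_evtx` with `pd.concat([event_set, event_series.to_frame().T], ignore_index=True)` is the smallest equivalent change if you prefer to keep the original loop shape.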