JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Error when importing evtx file #120

Closed zKai1127 closed 10 months ago

zKai1127 commented 2 years ago

2022-04-01 10:21:51,526 INFO supervisord started with pid 7
2022-04-01 10:21:52,528 INFO spawned: 'logontracer' with pid 111
2022-04-01 10:21:52,530 INFO spawned: 'neo4j' with pid 112
2022-04-01 10:21:54,060 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:21:54,060 INFO success: neo4j entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:21:55,828 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 10:21:56,665 INFO spawned: 'logontracer' with pid 246
2022-04-01 10:21:57,666 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:21:58,718 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 10:21:59,515 INFO spawned: 'logontracer' with pid 366
2022-04-01 10:22:00,516 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:37:10,527 WARN received SIGTERM indicating exit request
2022-04-01 10:37:10,527 INFO waiting for logontracer, neo4j to die
2022-04-01 10:37:13,532 INFO waiting for logontracer, neo4j to die
2022-04-01 10:37:15,702 INFO stopped: neo4j (exit status 0)
2022-04-01 10:37:16,703 INFO stopped: logontracer (terminated by SIGTERM)
2022-04-01 10:37:18,001 INFO supervisord started with pid 7
2022-04-01 10:37:19,003 INFO spawned: 'logontracer' with pid 111
2022-04-01 10:37:19,004 INFO spawned: 'neo4j' with pid 112
2022-04-01 10:37:20,197 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:37:20,197 INFO success: neo4j entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:37:21,027 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 10:37:21,059 INFO spawned: 'logontracer' with pid 240
2022-04-01 10:37:22,060 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:37:22,856 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 10:37:23,137 INFO spawned: 'logontracer' with pid 256
2022-04-01 10:37:24,139 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 10:37:24,906 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 10:37:25,562 INFO spawned: 'logontracer' with pid 289
2022-04-01 10:37:26,563 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:22:55,654 WARN received SIGTERM indicating exit request
2022-04-01 13:22:55,654 INFO waiting for logontracer, neo4j to die
2022-04-01 13:22:58,659 INFO waiting for logontracer, neo4j to die
2022-04-01 13:23:00,809 INFO stopped: neo4j (exit status 0)
2022-04-01 13:23:01,810 INFO stopped: logontracer (terminated by SIGTERM)
2022-04-01 13:23:02,461 INFO supervisord started with pid 8
2022-04-01 13:23:03,463 INFO spawned: 'logontracer' with pid 112
2022-04-01 13:23:03,465 INFO spawned: 'neo4j' with pid 113
2022-04-01 13:23:04,628 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:23:04,628 INFO success: neo4j entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:23:05,879 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 13:23:06,881 INFO spawned: 'logontracer' with pid 249
2022-04-01 13:23:08,410 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:23:08,650 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 13:23:08,712 INFO spawned: 'logontracer' with pid 272
2022-04-01 13:23:09,955 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:39:31,926 WARN received SIGTERM indicating exit request
2022-04-01 13:39:31,926 INFO waiting for logontracer, neo4j to die
2022-04-01 13:39:34,931 INFO waiting for logontracer, neo4j to die
2022-04-01 13:39:37,066 INFO stopped: neo4j (exit status 0)
2022-04-01 13:39:38,068 INFO stopped: logontracer (terminated by SIGTERM)
2022-04-01 13:39:38,742 INFO supervisord started with pid 7
2022-04-01 13:39:39,745 INFO spawned: 'logontracer' with pid 111
2022-04-01 13:39:39,747 INFO spawned: 'neo4j' with pid 112
2022-04-01 13:39:40,906 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:39:40,906 INFO success: neo4j entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:39:41,613 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 13:39:41,834 INFO spawned: 'logontracer' with pid 241
2022-04-01 13:39:42,835 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:39:43,854 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 13:39:44,046 INFO spawned: 'logontracer' with pid 256
2022-04-01 13:39:45,048 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-04-01 13:39:45,924 INFO exited: logontracer (exit status 1; not expected)
2022-04-01 13:39:46,558 INFO spawned: 'logontracer' with pid 293
2022-04-01 13:39:47,560 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

zKai1127 commented 2 years ago

It seems to have been abnormally withdrawn. Could you help me? Thank you very much

shu-tom commented 2 years ago

What kind of event log did you upload to LogonTracer? LogonTracer only supports the Security Audit event log of ActiveDirectory.

The log file (XML or EVTX) must include the following Event IDs.

giacomoconti1978 commented 1 year ago

Can I upload and parse the Security.evtx of a Windows computer that is not joined to Active Directory?

giacomoconti1978 commented 1 year ago

Hi, I have another problem when importing an evtx file; the log is posted below:

python3 logontracer.py -e sample/Security.evtx -z +1 -u neo4j -p Polposta -s localhost
[+] Script start. 2023/04/19 07:43:25
[+] Neo4j Kernel 5.6.0 (Enterprise)
[+] Time zone is 1.
[+] Last record number is 62031.
[+] Start parsing the EVTX file.
[+] Parse the EVTX file sample/Security.evtx.
[+] Now loading 2500 records.
Traceback (most recent call last):
  File "/home/postale/LogonTracer/logontracer.py", line 2883, in <module>
    main()
  File "/home/postale/LogonTracer/logontracer.py", line 2867, in main
    parse_evtx(args.evtx, case)
  File "/home/postale/LogonTracer/logontracer.py", line 1962, in parse_evtx
    event_set = event_set.append(event_series, ignore_index=True)
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/generic.py", line 5989, in __getattr__
    return object.__getattribute__(self, name)
AttributeError: 'DataFrame' object has no attribute 'append'. Did you mean: '_append'?

certxlm commented 11 months ago

Hello,

The error is linked to the deprecation of the append method and its removal in 2.0, see:

Changing the logontracer.py script as in the attached patch seems to work, but is not recommended as it uses a private function which might break in the future. We tried using concat as an in-place replacement, but the script fails further on, in the creation of event_series = pd.Series.

PS: Potential related issue:

logontracer.patch
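Added example (not LogonTracer's own code) showing why a bare pd.concat is not a drop-in for the removed DataFrame.append(Series) call at line 1962 of the traceback, and the concat form that does keep the Series' index aligned with the frame's columns; the column names and sample records are constructed for illustration and are not the script's actual ones.

```python
# Added example (not LogonTracer's code): replacing the removed
# DataFrame.append(Series) call with pd.concat while keeping the Series'
# index as the frame's columns. Column names are constructed for
# illustration and are not the script's actual columns.
import pandas as pd

COLUMNS = ["eventid", "ipaddress", "username", "timestamp"]

# Constructed sample records standing in for parsed EVTX events.
SAMPLE_RECORDS = [
    [4624, "10.0.0.5", "alice", "2023-04-19 07:43:25"],
    [4625, "10.0.0.9", "bob", "2023-04-19 07:44:01"],
]


def make_event_series(record):
    """One parsed event as a Series whose index equals the frame's columns.
    That alignment is what the old append relied on."""
    return pd.Series(record, index=COLUMNS)


def append_event_legacy(event_set, event_series):
    """The pre-2.0 form used by the script (line 1962 of the traceback).
    Raises AttributeError on pandas >= 2.0 because append was removed."""
    return event_set.append(event_series, ignore_index=True)


def append_event_naive(event_set, event_series):
    """A concat that does NOT work as a replacement: a bare Series is
    treated as a column, so it lands as len(series) rows under a new
    column named 0 instead of as one row."""
    return pd.concat([event_set, event_series], ignore_index=True)


def append_event(event_set, event_series):
    """Working replacement: turn the Series into a one-row frame so its
    index becomes columns, then concatenate along the row axis."""
    return pd.concat([event_set, event_series.to_frame().T], ignore_index=True)


def build_event_set(records):
    """Mimic the parse loop: one Series per record appended to the frame."""
    event_set = pd.DataFrame(columns=COLUMNS)
    for rec in records:
        event_set = append_event(event_set, make_event_series(rec))
    return event_set


if __name__ == "__main__":
    print(build_event_set(SAMPLE_RECORDS))
```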

shu-tom commented 10 months ago

Same issue #135