JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Event log import error #20

Open etmouse opened 6 years ago

etmouse commented 6 years ago

Hi, when I import my event log I get these errors, but the sample Security.evtx is fine. Why?

```
$ sudo python3 logontracer.py --delete -e ./security.evtx -z +8 -u neo4j -p passwrod -s 192.168.1.69
[] Script start. 2018/06/11 09:03:54
[] Delete all nodes and relationships from this Neo4j database.
[] Time zone is 8.
[] Last record number is 14480.
[] Start parsing the EVTX file.
[] Parse the EVTX file ./security.evtx.
[] Now loading 14400 records.
[] Load finished.
[] Total Event log is 14480.
[] Calculate PageRank.
[] Calculate ChangeFinder.
[] Creating a graph data.
Traceback (most recent call last):
  File "logontracer.py", line 803, in <module>
    main()
  File "logontracer.py", line 792, in main
    parse_evtx(args.evtx, GRAPH)
  File "logontracer.py", line 745, in parse_evtx
    tx.process()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/database/__init__.py", line 1050, in process
    self._post()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/database/__init__.py", line 1293, in _post
    self._sync()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/database/__init__.py", line 1282, in _sync
    connection.send()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/packages/neo4j/v1/bolt.py", line 310, in send
    self.channel.send()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/packages/neo4j/v1/bolt.py", line 141, in send
    self.socket.sendall(data)
ConnectionResetError: [Errno 104] Connection reset by peer
```

shu-tom commented 6 years ago

Your Neo4j server may have timed out. I changed it to connect to the Neo4j server just before uploading the data. Please try the fixed version.
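
The failure mode described in the thread is a Bolt connection that is opened early, sits idle through the long PageRank/ChangeFinder phase, and has been closed by the server by the time the graph data is written, so the next `sendall()` fails with "Connection reset by peer". The following is an added example (my code, not LogonTracer's or py2neo's) of the two usual mitigations: open the connection only when the first batch is ready, and split the load into batches so a reset can be retried on a fresh connection without resending everything. `FakeClock`, `FakeBoltConnection`, `upload_in_batches`, the 60 s idle timeout and the 14480-record input are all constructed for the demo and are not taken from the project.

```python
"""Batched Neo4j-style upload with lazy connect and reconnect-on-reset.

Added example, not LogonTracer/py2neo code. The server and clock below are
constructed stand-ins so the example runs offline.
"""
import socket
from typing import Callable, Dict, Iterable, Iterator, List, Sequence, TypeVar

T = TypeVar("T")


class FakeClock:
    """Hypothetical wall clock the demo advances by hand."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeBoltConnection:
    """Hypothetical Bolt connection: the server drops it after idle_timeout idle seconds."""
    def __init__(self, clock: FakeClock, idle_timeout: float) -> None:
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.last_used = clock.now
        self.received: List[List[dict]] = []

    def run_batch(self, batch: Sequence[dict]) -> None:
        # Socket already closed server-side: the write fails before anything is stored.
        if self.clock.now - self.last_used > self.idle_timeout:
            raise ConnectionResetError(104, "Connection reset by peer")
        self.received.append(list(batch))
        self.last_used = self.clock.now


def chunked(items: Iterable[T], size: int) -> Iterator[List[T]]:
    """Yield fixed-size lists from any iterable; the last list may be shorter."""
    if size < 1:
        raise ValueError("size must be >= 1")
    buf: List[T] = []
    for item in items:
        buf.append(item)
        if len(buf) == size:
            yield buf
            buf = []
    if buf:
        yield buf


def upload_in_batches(records: Iterable[dict], connect: Callable[[], FakeBoltConnection],
                      batch_size: int = 1000, max_retries: int = 3) -> Dict[str, int]:
    """Write records in batches, connecting lazily and reconnecting on a reset.

    A failed batch is retried as a whole on a new connection, so the result is
    the same as one big transaction, but a stale socket costs one batch, not
    the whole load. Returns counters the caller can log.
    """
    conn = None
    sent = reconnects = 0
    for batch in chunked(records, batch_size):
        for attempt in range(max_retries + 1):
            if conn is None:
                conn = connect()  # opened right before the first write, not before analysis
            try:
                conn.run_batch(batch)
                sent += len(batch)
                break
            except (ConnectionResetError, BrokenPipeError, socket.timeout):
                conn = None  # discard the dead connection; reopen on the next attempt
                if attempt == max_retries:
                    raise
                reconnects += 1
    return {"sent": sent, "reconnects": reconnects}


def run_demo(n_records: int = 14480, batch_size: int = 5000,
             idle_timeout: float = 60.0, analysis_seconds: float = 300.0) -> dict:
    """Replay the thread's scenario against the fake server and return the outcomes."""
    clock = FakeClock()
    records = [{"record_number": i, "event_id": 4624} for i in range(n_records)]  # constructed
    connect = lambda: FakeBoltConnection(clock, idle_timeout)

    # 1. Failing pattern: connect, run the long analysis, then push one big transaction.
    early_conn = connect()
    clock.advance(analysis_seconds)
    try:
        early_conn.run_batch(records)
        naive_errno = None
    except ConnectionResetError as exc:
        naive_errno = exc.errno

    # 2. Lazy connect: the socket is opened right before the writes, so nothing is stale.
    lazy = upload_in_batches(records, connect, batch_size)

    # 3. A stale connection is handed out first; the retry path reopens and resends that batch.
    stale = connect()
    clock.advance(analysis_seconds)
    pool = [stale]
    retried = upload_in_batches(records, lambda: pool.pop() if pool else connect(), batch_size)

    # 4. Every connection is dead on arrival: give up after max_retries instead of looping forever.
    def always_stale() -> FakeBoltConnection:
        c = connect()
        c.last_used = clock.now - idle_timeout - 1
        return c
    try:
        upload_in_batches(records, always_stale, batch_size, max_retries=2)
        gave_up = False
    except ConnectionResetError:
        gave_up = True

    return {"naive_errno": naive_errno, "lazy": lazy, "retried": retried, "gave_up": gave_up}


if __name__ == "__main__":
    print(run_demo())
```

The real fix is not in the client alone: a long-lived Bolt session will also be cut by a load balancer or by Neo4j's own connection timeout, so the connect-late pattern is the one that holds up in practice; batching only limits the blast radius of a reset.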

etmouse commented 6 years ago

After the update, the problem is still there.

```
$ sudo git pull
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (1/1), done.
remote: Total 3 (delta 2), reused 3 (delta 2), pack-reused 0
Unpacking objects: 100% (3/3), done.
From https://github.com/JPCERTCC/LogonTracer
   72278fb..5a2eb5d  master     -> origin/master
Updating 72278fb..5a2eb5d
Fast-forward
 logontracer.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

$ sudo python3 logontracer.py --delete -e ./security.evtx -z +8 -u neo4j -p password -s 192.168.1.69
[] Script start. 2018/06/11 14:38:48
[] Delete all nodes and relationships from this Neo4j database.
[] Time zone is 8.
[] Last record number is 14480.
[] Start parsing the EVTX file.
[] Parse the EVTX file ./security.evtx.
[] Now loading 14400 records.
[] Load finished.
[] Total Event log is 14480.
[] Calculate PageRank.
[] Calculate ChangeFinder.
[] Creating a graph data.
Traceback (most recent call last):
  File "logontracer.py", line 810, in <module>
    main()
  File "logontracer.py", line 799, in main
    parse_evtx(args.evtx)
  File "logontracer.py", line 752, in parse_evtx
    tx.process()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/database/__init__.py", line 1050, in process
    self._post()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/database/__init__.py", line 1293, in _post
    self._sync()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/database/__init__.py", line 1282, in _sync
    connection.send()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/packages/neo4j/v1/bolt.py", line 310, in send
    self.channel.send()
  File "/usr/local/lib/python3.6/dist-packages/py2neo/packages/neo4j/v1/bolt.py", line 141, in send
    self.socket.sendall(data)
ConnectionResetError: [Errno 104] Connection reset by peer
```

But the sample security log file can be imported:

```
$ sudo python3 logontracer.py --delete -e ./sample/Security.evtx -z +8 -u neo4j -p password -s 192.168.1.69
[] Script start. 2018/06/12 03:40:00
[] Delete all nodes and relationships from this Neo4j database.
[] Time zone is 8.
[] Last record number is 62031.
[] Start parsing the EVTX file.
[] Parse the EVTX file ./sample/Security.evtx.
[] Now loading 62000 records.
[] Load finished.
[] Total Event log is 62031.
[] Calculate PageRank.
[] Calculate ChangeFinder.
[] Creating a graph data.
[] Creation of a graph data finished.
[] Script end. 2018/06/12 03:47:08
```

shu-tom commented 6 years ago

Can you share the event log with me so I can resolve this issue? If you can share it, please send it to logontracer.help (at) gmail.com.

redkris commented 6 years ago

This problem also happened to me. Can you share how to fix this as well? This tool is so promising if users can operate it in a "user friendly" way.

wadeiam commented 2 years ago

Same issue: `Error: Upload Failed!` Clicking the "Log" button shows this:

```
Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
```

netlol commented 2 years ago

I run LogonTracer under k8s, and it shows:

```
Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
```

I haven't imported any logs yet; I just pressed the Log button.