JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

hmm.py divide by zero encountered while uploading evtx/xml file #37

Open LaBonave opened 5 years ago

LaBonave commented 5 years ago

Hi, I'm getting this error while parsing small, big, evtx or xml files from my personal workstation. Same error by GUI or by CLI:

python3 logontracer.py --delete -x ../xxxx.xml -z +2 -u neo4j -p neo5j -s localhost
[*] Script start. 2018/10/05 15:46:14
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 2.
[*] Last record number is 208.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file ../xxxxx.xml.
[*] Now loading 200 records.
[*] Load finished.
[*] Total Event log is 208.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
/usr/local/lib/python3.6/dist-packages/hmmlearn/hmm.py:405: RuntimeWarning: divide by zero encountered in log
  return np.log(self.emissionprob_)[:, np.concatenate(X)].T
[*] Calculate PageRank.
[*] Creating a graph data.
[*] Creation of a graph data finished.
[*] Script end. 2018/10/05 15:46:14

All dependencies and code were freshly installed today.

shu-tom commented 5 years ago

This is a known warning message; it does not affect the operation of LogonTracer.
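The warning quoted in the thread comes from hmmlearn taking `np.log` of its emission probability matrix: any entry that is exactly 0 (a symbol that a hidden state was never observed to emit) gives log(0) = -inf, which numpy reports as a RuntimeWarning rather than an exception. The following is an added illustration, not code from LogonTracer or hmmlearn; the two-state, three-symbol emission matrix is constructed for the example and the `smooth` helper is a generic smoothing step, not something the project does. It shows where the warning originates, that a -inf score means "impossible under this state" rather than a failure, and a check that reveals such zero entries before decoding.

```python
# Added illustration (not LogonTracer or hmmlearn code): why np.log(emissionprob_)
# reports "divide by zero encountered in log" and why the result is still usable.
# EMISSION is a constructed matrix for this example only.
import math
from typing import List, Tuple

# Two hidden states x three observed symbols (think: bucketed logon counts).
# State 1 has never emitted symbol 2, so that probability is exactly 0.
EMISSION: List[List[float]] = [
    [0.7, 0.2, 0.1],
    [0.5, 0.5, 0.0],
]


def zero_emissions(emissionprob: List[List[float]]) -> List[Tuple[int, int]]:
    """(state, symbol) pairs with probability exactly 0.

    Each pair is one log(0) evaluation, i.e. one source of the warning.
    """
    return [
        (s, k)
        for s, row in enumerate(emissionprob)
        for k, p in enumerate(row)
        if p == 0.0
    ]


def log_emissions(emissionprob: List[List[float]]) -> List[List[float]]:
    """Element-wise log, mimicking numpy's behaviour: log(0) becomes -inf, no exception."""
    return [
        [math.log(p) if p > 0.0 else float("-inf") for p in row]
        for row in emissionprob
    ]


def sequence_log_score(log_emis: List[List[float]], state: int, symbols: List[int]) -> float:
    """Log-likelihood of emitting `symbols` from one fixed state.

    A result of -inf means "this state cannot have produced the sequence";
    it is a legitimate score, not a computation error.
    """
    return sum(log_emis[state][k] for k in symbols)


def smooth(emissionprob: List[List[float]], eps: float = 1e-6) -> List[List[float]]:
    """Add eps to every entry and renormalise each row so no zero probability remains.

    Hypothetical mitigation for the example; it keeps log() finite everywhere.
    """
    smoothed = []
    for row in emissionprob:
        bumped = [p + eps for p in row]
        total = sum(bumped)
        smoothed.append([p / total for p in bumped])
    return smoothed


if __name__ == "__main__":
    print("zero entries (warning sources):", zero_emissions(EMISSION))
    le = log_emissions(EMISSION)
    print("state 0 score for symbols [0, 2]:", sequence_log_score(le, 0, [0, 2]))
    print("state 1 score for symbols [0, 2]:", sequence_log_score(le, 1, [0, 2]))
    print("zero entries after smoothing:", zero_emissions(smooth(EMISSION)))
```

Running it shows that only the (state 1, symbol 2) cell is responsible for the warning, that a sequence containing symbol 2 simply scores -inf under state 1 while remaining finite under state 0, and that after smoothing no zero entries remain. In a real run the warning therefore tells you a model state never saw some observation, which is expected on small or homogeneous logs; it does not by itself indicate that records were dropped.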

LaBonave commented 5 years ago

Hi, thanks. It seems that, when uploading a large event log (multiple thousands of logs), this error ends the parsing:

[*] Now loading 200 records.
[*] Now loading 300 records.
/usr/local/lib/python3.6/dist-packages/hmmlearn/hmm.py:405: RuntimeWarning: divide by zero encountered in log
  return np.log(self.emissionprob_)[:, np.concatenate(X)].T
[*] Load finished
[*] Total Event log is 305.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
[*] Calculate PageRank.
[*] Creating a graph data.
[*] Creation of a graph data finished.
[*] Script end. 2018/10/05 17:50:45

We can have the visualisation in LogonTracer, but in that case it only shows the first 305 records.

shu-tom commented 5 years ago

In this message, the number of records in the log is written as 305; is it more? Is the log broken?

LaBonave commented 5 years ago

The log contained many more events, and was generated by the standard Event Viewer with a custom view for 7 days. It contains roughly 1.5 million events of the IDs recognized by LogonTracer (4624, 4625, 4768, 4769, 4776, 4672).

shu-tom commented 5 years ago

Can you share the event log to me in order to resolve this issue? If you can share it please send to logontracer.help (at) gmail.com

sbmandava commented 5 years ago

Got the same exact error. Is it still a known warning issue?

/usr/local/lib/python3.5/dist-packages/hmmlearn/hmm.py:412: RuntimeWarning: divide by zero encountered in log
  return np.log(self.emissionprob_)[:, np.concatenate(X)].T

Starting: [*] Last record number is 510267.

[*] Load finished.
[*] Total Event log is 510376.
[*] Calculate ChangeFinder.
...

shu-tom commented 5 years ago

If you can share it please send to logontracer.help (at) gmail.com

lowkeygit commented 5 years ago

I also have this problem...