
logontracer's Introduction


Concept

LogonTracer is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs. It associates the host name (or IP address) and the account name found in logon-related events and displays them as a graph, so you can see from which host a logon attempt was made and which account it used.
LogonTracer can visualize the following event IDs related to Windows logon, selected based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

More details are described in the following documents:

LogonTracer sample

Additional Analysis

LogonTracer uses PageRank, a Hidden Markov model and ChangeFinder to detect malicious hosts and accounts from the event log.
PageRank List
With LogonTracer, it is also possible to display event logs in a chronological order.
Timeline
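As an added example, not code from LogonTracer or JPCERT/CC, the following Python script shows the idea described above on a handful of constructed Security-log records: it keeps only the six logon-related event IDs, joins each record's account to the host name or IP address it came from, ranks the resulting account-host graph with a plain PageRank, and orders the events chronologically for a timeline. The sample XML, the field choices and the unweighted PageRank are assumptions made for illustration; LogonTracer's own scoring (which also uses a Hidden Markov model and ChangeFinder) is not reproduced here.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_EVENT_IDS = {4624, 4625, 4768, 4769, 4776, 4672}


def _rec(eid, time, data):
    """Build one minimal Windows event record in the Security.evtx XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample log (not real data): one success, two failures from the same
# source, a Kerberos TGT/ST pair, a privilege assignment, an NTLM validation, and
# one unrelated process-creation event (4688) that must be ignored.
SAMPLE_XML = "<Events>" + "".join([
    _rec(4624, "2018-07-17T09:00:00.000000000Z", {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": "3"}),
    _rec(4625, "2018-07-17T09:01:00.000000000Z", {"TargetUserName": "Administrator", "IpAddress": "10.0.0.9"}),
    _rec(4625, "2018-07-17T09:01:05.000000000Z", {"TargetUserName": "bob", "IpAddress": "10.0.0.9"}),
    _rec(4768, "2018-07-17T09:02:00.000000000Z", {"TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.9"}),
    _rec(4769, "2018-07-17T09:02:10.000000000Z", {"TargetUserName": "bob@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.9", "ServiceName": "DC01$"}),
    _rec(4672, "2018-07-17T09:03:01.000000000Z", {"SubjectUserName": "svc_backup"}),
    _rec(4776, "2018-07-17T09:03:00.000000000Z", {"TargetUserName": "svc_backup", "Workstation": "WS07"}),
    _rec(4688, "2018-07-17T09:04:00.000000000Z", {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}),
]) + "</Events>"


def parse_events(xml_text):
    """Yield (event_id, timestamp, account, host) for the logon-related events only."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        if eid not in LOGON_EVENT_IDS:
            continue
        # SystemTime carries 100 ns fractions and a trailing Z; keep whole seconds (UTC).
        raw = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        ts = datetime.strptime(raw[:19], "%Y-%m-%dT%H:%M:%S")
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        # 4672 names the privileged logon in SubjectUserName; the other IDs name the target.
        account = data.get("SubjectUserName") if eid == 4672 else data.get("TargetUserName")
        account = (account or "").split("@")[0].lower()          # bob@CORP.LOCAL -> bob
        host = data.get("IpAddress") or data.get("Workstation") or data.get("WorkstationName") or "-"
        host = host.replace("::ffff:", "").lower()               # IPv4-mapped IPv6 -> IPv4
        yield eid, ts, account, host


def build_graph(events):
    """Count account<->host edges; 4672 carries no source host, so it only marks admins."""
    edges = Counter()
    admins = set()
    for eid, _, account, host in events:
        if eid == 4672:
            admins.add(account)
        elif host != "-":
            edges[(account, host)] += 1
    return edges, admins


def pagerank(edges, damping=0.85, iterations=100):
    """Unweighted PageRank by power iteration over the undirected account<->host graph.
    Returns {} for an empty graph instead of failing on max() of an empty sequence."""
    neighbours = defaultdict(set)
    for account, host in edges:
        neighbours[account].add(host)
        neighbours[host].add(account)
    n = len(neighbours)
    if n == 0:
        return {}
    rank = {v: 1.0 / n for v in neighbours}
    for _ in range(iterations):
        rank = {v: (1 - damping) / n
                   + damping * sum(rank[u] / len(neighbours[u]) for u in neighbours[v])
                for v in neighbours}
    return rank


def timeline(events):
    """Chronological order, as in the Timeline view."""
    return sorted(events, key=lambda e: e[1])


def failed_logons_by_host(events):
    """4625 failures per source host: a quick password-spray / brute-force indicator."""
    return Counter(host for eid, _, _, host in events if eid == 4625)


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_XML))
    edges, admins = build_graph(evs)
    for node, score in sorted(pagerank(edges).items(), key=lambda kv: -kv[1]):
        print(f"{score:.3f}  {node}{'  (admin)' if node in admins else ''}")
    print(failed_logons_by_host(evs))
```

On the sample, the host 10.0.0.9 ends up with the highest rank because it touches two accounts (one of them the built-in Administrator, with failures), which is exactly the kind of pivot node the graph view is meant to surface. Real Security logs contain many more fields (LogonId, LogonType, SubjectUserName on 4624, computer accounts ending in `$`) that a full tool has to account for.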

Use LogonTracer

To use LogonTracer, you can:

Documentation

If you want to know more details, please check the LogonTracer wiki.

Demonstration

The following YouTube video shows how to use LogonTracer.

LogonTracer_Demonstration

Architecture

LogonTracer is written in Python and uses Neo4j as its database. The following tools are used.

logontracer's Issues

no has_flask check at line 70

Traceback (most recent call last):
File "logontracer.py", line 70, in <module>
app = Flask(__name__)
NameError: name 'Flask' is not defined

Problem listening port 8080

Hello, once I restart the container the service with port 8080 is not listening.

bash-4.3# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:7687            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:7473            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:7474            0.0.0.0:*               LISTEN      
tcp        0      1 172.17.0.2:39696        10.150.14.151:7474      SYN_SENT    
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         STREAM     CONNECTED      32671 
unix  3      [ ]         STREAM     CONNECTED      36351 
unix  2      [ ]         STREAM     CONNECTED      32708 
unix  3      [ ]         STREAM     CONNECTED      36350 
bash-4.3# 

How can I fix this? If you cannot find a solution: where are the logs uploaded?
Thank you very much

Some missing steps in the install process - Gist inside

I got it successfully working installed onto a Debian box, but I hit some snags that weren't covered.

I've written a gist that should take people from a blank VM to a working install.

Feel free to include any steps in your project ;)

Nepobef

Data Fails to Load (EVTX via Web or Python)

System appears up and running receiving 200 OK's on the server. Log looks to process with a couple of warnings at the end. Data doesn't load after uploading the log. Tried multiple times with multiple log sets, including the provided sample data. Also tried loading via local python in terminal and receive the same final error 'py:308: RuntimeWarning: Mean of empty slice.'. Page refreshes don't present data. Modified neo4j to have a longer timeout as well. Google Chrome shows nothing. Firefox shows 'Warning search failed!'.

Weblog file below:

[] Script start. 2018/07/17 11:24:33 [] Delete all nodes and relationships from this Neo4j database. [] Time zone is -5. [] Last record number is 23783. [] Start parsing the EVTX file. [] Parse the EVTX file Security.evtx. [] Now loading 100 records. [] Now loading 200 records. [] Now loading 300 records. [] Now loading 400 records. [] Now loading 500 records. [] Now loading 600 records. [] Now loading 700 records. [] Now loading 800 records. [] Now loading 900 records. [] Now loading 1000 records. [] Now loading 1100 records. [] Now loading 1200 records. [] Now loading 1300 records. [] Now loading 1400 records. [] Now loading 1500 records. [] Now loading 1600 records. [] Now loading 1700 records. [] Now loading 1800 records. [] Now loading 1900 records. [] Now loading 2000 records. [] Now loading 2100 records. [] Now loading 2200 records. [] Now loading 2300 records. [] Now loading 2400 records. [] Now loading 2500 records. [] Now loading 2600 records. [] Now loading 2700 records. [] Now loading 2800 records. [] Now loading 2900 records. [] Now loading 3000 records. [] Now loading 3100 records. [] Now loading 3200 records. [] Now loading 3300 records. [] Now loading 3400 records. [] Now loading 3500 records. [] Now loading 3600 records. [] Now loading 3700 records. [] Now loading 3800 records. [] Now loading 3900 records. [] Now loading 4000 records. [] Now loading 4100 records. [] Now loading 4200 records. [] Now loading 4300 records. [] Now loading 4400 records. [] Now loading 4500 records. [] Now loading 4600 records. [] Now loading 4700 records. [] Now loading 4800 records. [] Now loading 4900 records. [] Now loading 5000 records. [] Now loading 5100 records. [] Now loading 5200 records. [] Now loading 5300 records. [] Now loading 5400 records. [] Now loading 5500 records. [] Now loading 5600 records. [] Now loading 5700 records. [] Now loading 5800 records. [] Now loading 5900 records. [] Now loading 6000 records. [] Now loading 6100 records. 
[] Now loading 6200 records. [] Now loading 6300 records. [] Now loading 6400 records. [] Now loading 6500 records. [] Now loading 6600 records. [] Now loading 6700 records. [] Now loading 6800 records. [] Now loading 6900 records. [] Now loading 7000 records. [] Now loading 7100 records. [] Now loading 7200 records. [] Now loading 7300 records. [] Now loading 7400 records. [] Now loading 7500 records. [] Now loading 7600 records. [] Now loading 7700 records. [] Now loading 7800 records. [] Now loading 7900 records. [] Now loading 8000 records. [] Now loading 8100 records. [] Now loading 8200 records. [] Now loading 8300 records. [] Now loading 8400 records. [] Now loading 8500 records. [] Now loading 8600 records. [] Now loading 8700 records. [] Now loading 8800 records. [] Now loading 8900 records. [] Now loading 9000 records. [] Now loading 9100 records. [] Now loading 9200 records. [] Now loading 9300 records. [] Now loading 9400 records. [] Now loading 9500 records. [] Now loading 9600 records. [] Now loading 9700 records. [] Now loading 9800 records. [] Now loading 9900 records. [] Now loading 10000 records. [] Now loading 10100 records. [] Now loading 10200 records. [] Now loading 10300 records. [] Now loading 10400 records. [] Now loading 10500 records. [] Now loading 10600 records. [] Now loading 10700 records. [] Now loading 10800 records. [] Now loading 10900 records. [] Now loading 11000 records. [] Now loading 11100 records. [] Now loading 11200 records. [] Now loading 11300 records. [] Now loading 11400 records. [] Now loading 11500 records. [] Now loading 11600 records. [] Now loading 11700 records. [] Now loading 11800 records. [] Now loading 11900 records. [] Now loading 12000 records. [] Now loading 12100 records. [] Now loading 12200 records. [] Now loading 12300 records. [] Now loading 12400 records. [] Now loading 12500 records. [] Now loading 12600 records. [] Now loading 12700 records. [] Now loading 12800 records. 
[] Now loading 12900 records. [] Now loading 13000 records. [] Now loading 13100 records. [] Now loading 13200 records. [] Now loading 13300 records. [] Now loading 13400 records. [] Now loading 13500 records. [] Now loading 13600 records. [] Now loading 13700 records. [] Now loading 13800 records. [] Now loading 13900 records. [] Now loading 14000 records. [] Now loading 14100 records. [] Now loading 14200 records. [] Now loading 14300 records. [] Now loading 14400 records. [] Now loading 14500 records. [] Now loading 14600 records. [] Now loading 14700 records. [] Now loading 14800 records. [] Now loading 14900 records. [] Now loading 15000 records. [] Now loading 15100 records. [] Now loading 15200 records. [] Now loading 15300 records. [] Now loading 15400 records. [] Now loading 15500 records. [] Now loading 15600 records. [] Now loading 15700 records. [] Now loading 15800 records. [] Now loading 15900 records. [] Now loading 16000 records. [] Now loading 16100 records. [] Now loading 16200 records. [] Now loading 16300 records. [] Now loading 16400 records. [] Now loading 16500 records. [] Now loading 16600 records. [] Now loading 16700 records. [] Now loading 16800 records. [] Now loading 16900 records. [] Now loading 17000 records. [] Now loading 17100 records. [] Now loading 17200 records. [] Now loading 17300 records. [] Now loading 17400 records. [] Now loading 17500 records. [] Now loading 17600 records. [] Now loading 17700 records. [] Now loading 17800 records. [] Now loading 17900 records. [] Now loading 18000 records. [] Now loading 18100 records. [] Now loading 18200 records. [] Now loading 18300 records. [] Now loading 18400 records. [] Now loading 18500 records. [] Now loading 18600 records. [] Now loading 18700 records. [] Now loading 18800 records. [] Now loading 18900 records. [] Now loading 19000 records. [] Now loading 19100 records. [] Now loading 19200 records. [] Now loading 19300 records. [] Now loading 19400 records. 
[] Now loading 19500 records. [] Now loading 19600 records. [] Now loading 19700 records. [] Now loading 19800 records. [] Now loading 19900 records. [] Now loading 20000 records. [] Now loading 20100 records. [] Now loading 20200 records. [] Now loading 20300 records. [] Now loading 20400 records. [] Now loading 20500 records. [] Now loading 20600 records. [] Now loading 20700 records. [] Now loading 20800 records. [] Now loading 20900 records. [] Now loading 21000 records. [] Now loading 21100 records. [] Now loading 21200 records. [] Now loading 21300 records. [] Now loading 21400 records. [] Now loading 21500 records. [] Now loading 21600 records. [] Now loading 21700 records. [] Now loading 21800 records. [] Now loading 21900 records. [] Now loading 22000 records. [] Now loading 22100 records. [] Now loading 22200 records. [] Now loading 22300 records. [] Now loading 22400 records. [] Now loading 22500 records. [] Now loading 22600 records. [] Now loading 22700 records. [] Now loading 22800 records. [] Now loading 22900 records. [] Now loading 23000 records. [] Now loading 23100 records. [] Now loading 23200 records. [] Now loading 23300 records. [] Now loading 23400 records. [] Now loading 23500 records. [] Now loading 23600 records. [] Now loading 23700 records. [] Now loading 23800 records. [] Now loading 23900 records. [] Now loading 24000 records. [] Now loading 24100 records. [] Now loading 24200 records. [] Now loading 24300 records.logontracer.py:308: RuntimeWarning: Mean of empty slice. count_average = count_sum.mean(axis=0) /home/brock/.local/lib/python3.5/site-packages/numpy/core/_methods.py:73: RuntimeWarning: invalid value encountered in true_divide ret, rcount, out=ret, casting='unsafe', subok=False) [] Load finished. [] Total Event log is 24363. [] Calculate PageRank. [] Calculate ChangeFinder. [] Creating a graph data. [] Creation of a graph data finished. [] Script end. 2018/07/17 11:28:10

ERROR: logontracer.log status = 500

Every time I uploaded evtx files, small or big, it came out with the message "ERROR: logontracer.log status = 500"; sometimes, with bigger ones, the message keeps waiting in a never-ending status.

MemoryError when importing large XML files (4GB+)

Hi,

When uploading large XML files we are getting a memory failure when the file is starting to process itself. I checked if the Python was 64-bit and it was. For reference I attached the log file.

static/logontracer.log

[*] Script start. 2018/11/13 13:46:22
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 1.
Traceback (most recent call last):
File "/home/user/LogonTracer/logontracer.py", line 1022, in <module>
main()
File "/home/user/LogonTracer/logontracer.py", line 1016, in main
parse_evtx(args.xmls)
File "/home/user/LogonTracer/logontracer.py", line 616, in parse_evtx
fb_data = fb.read()
File "/usr/lib/python3.6/codecs.py", line 321, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
MemoryError

Unable to import EVTX - list index out of range

Hello

Currently having an issue where I am unable to import EVTX via either the web interface or by script.
I'm receiving the following error;
[*] Script start. 2018/01/30 16:39:53
[*] Time zone is 8.
Traceback (most recent call last):
File "logontracer.py", line 526, in <module>
main()
File "logontracer.py", line 521, in main
parse_evtx(args.evtx, GRAPH)
File "logontracer.py", line 320, in parse_evtx
last_chunk = list(evtx.chunks())[chunk]
IndexError: list index out of range

I have tried on two different systems with multiple evtx files, the installations are both fresh.

Thanks in advance.

logon?

Hi, is there an option to put some kind of login? I don't want it to be publicly available...

hmm.py divide by zero encountered while uploading evtx/xml file

Hi,
I'm getting this error while parsing small, big, evtx or xml files from my personal workstation
Same error by GUI or by CLI :

python3 logontracer.py --delete -x ../xxxx.xml -z +2 -u neo4j -p neo5j -s localhost
[*] Script start. 2018/10/05 15:46:14
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 2.
[*] Last record number is 208.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file ../xxxxx.xml.
[*] Now loading 200 records.
[*] Load finished.
[*] Total Event log is 208.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
/usr/local/lib/python3.6/dist-packages/hmmlearn/hmm.py:405: RuntimeWarning: divide by zero encountered in log
return np.log(self.emissionprob_)[:, np.concatenate(X)].T

[*] Calculate PageRank.
[*] Creating a graph data.
[*] Creation of a graph data finished.
[*] Script end. 2018/10/05 15:46:14

All dependencies and code were freshly installed today.

Parsing does not end

Parsing does not end when the evtx file is imported; the log indicates:
Now loading 30900 records.Traceback (most recent call last):
File "logontracer.py", line 810, in <module>
main()
File "logontracer.py", line 799, in main
parse_evtx(args.evtx)
File "logontracer.py", line 657, in parse_evtx
tohours = int((endtime - starttime).total_seconds() / 3600)
TypeError: unsupported operand type(s) for -: 'NoneType' and 'NoneType'
But when I import the xml file, the process ends successfully.

WARNING: Search failed! error

My upload was successful but I get only warning message if I click on any field like "All users"

records. [*] Now loading 34200 records. [*] Now loading 34300 records. [*] Now loading 34400 records. [*] Now loading 34500 records. [*] Now loading 34600 records. [*] Now loading 34700 records. [*] Now loading 34800 records. [*] Now loading 34900 records. [*] Now loading 35000 records. [*] Now loading 35100 records. [*] Now loading 35200 records. [*] Now loading 35300 records. [*] Now loading 35400 records. [*] Now loading 35500 records. [*] Now loading 35600 records. [*] Now loading 35700 records. [*] Now loading 35800 records. [*] Load finished. [*] Total Event log is 35898. [*] Calculate ChangeFinder. [*] Calculate Hidden Markov Model. [*] Calculate PageRank. [*] Creating a graph data. [*] Creation of a graph data finished. [*] Script end. 2019/04/01 10:53:26

Error SSL

Hello team jpcertcc, I am not able to connect to LogonTracer pulled from Docker.
In Firefox I receive the following error: SSL_ERROR_RX_RECORD_TOO_LONG

Missing Events

I am seeing events that aren't being parsed in the Security log. One particular account lists >10,000 4625 events, but the graph does not capture any of those. There were no errors in the log and it said "SUCCESSFUL" after parsing. I have attached a scrubbed version of the log file we have seen this with, but there have been multiple files I have seen the same issue with.

I have tried uploading as EVTX and XML with no change in results. Let me know if you need any additional details.

Thanks!
Security_redacted.zip

Event log Importing success - But nothing is displayed on screen

Hi guys,
I've setup the environment using the docker image, everything works well with the sample that was provided.
I've attempted uploading my own event log; the upload and parsing were successful according to the log, yet nothing was displayed on the page after the page refresh.

[*] Script start. 2018/05/31 08:02:44 [*] Delete all nodes and relationships from this Neo4j database. [*] Time zone is 2. [*] Last record number is 558790. [*] Start parsing the EVTX file. [*] Parse the EVTX file Security.evtx. [*] Now loading 100 records. [*] Now loading 200 records. [*] Now loading 300 records. [*] Now loading 400 records. [*] Now loading 500 records. [*] Now loading 600 records. [*] Now loading 700 records. [*] Now loading 800 records. [*] Now loading 900 records. [*] Now loading 1000 records. [*] Now loading 1100 records. [*] Now loading 1200 records. [*] Now loading 1300 records. [*] Now loading 1400 records. [*] Now loading 1500 records. [*] Now loading 1600 records. [*] Now loading 1700 records. [*] Now loading 1800 records. [*] Now loading 1900 records. [*] Now loading 2000 records. [*] Now loading 2100 records. [*] Now loading 2200 records. [*] Now loading 2300 records. [*] Now loading 2400 records. [*] Now loading 2500 records. [*] Now loading 2600 records. [*] Now loading 2700 records. [*] Now loading 2800 records. [*] Now loading 2900 records. [*] Now loading 3000 records. [*] Now loading 3100 records. [*] Now loading 3200 records. [*] Now loading 3300 records. [*] Now loading 3400 records. [*] Now loading 3500 records. [*] Now loading 3600 records. [*] Now loading 3700 records. [*] Now loading 3800 records. [*] Now loading 3900 records. [*] Now loading 4000 records. [*] Now loading 4100 records. [*] Now loading 4200 records. [*] Now loading 4300 records. [*] Now loading 4400 records. [*] Now loading 4500 records. [*] Now loading 4600 records. [*] Now loading 4700 records. [*] Now loading 4800 records. [*] Now loading 4900 records. [*] Now loading 5000 records. [*] Now loading 5100 records. [*] Now loading 5200 records. [*] Now loading 5300 records. [*] Now loading 5400 records. [*] Now loading 5500 records. [*] Now loading 5600 records. [*] Now loading 5700 records. [*] Now loading 5800 records. [*] Now loading 5900 records. 
[*] Now loading 6000 records. [*] Now loading 6100 records. [*] Now loading 6200 records. [*] Now loading 6300 records. [*] Now loading 6400 records. [*] Now loading 6500 records. [*] Now loading 6600 records. [*] Now loading 6700 records. [*] Now loading 6800 records. [*] Now loading 6900 records. [*] Now loading 7000 records. [*] Now loading 7100 records. [*] Now loading 7200 records. [*] Now loading 7300 records. [*] Now loading 7400 records. [*] Now loading 7500 records. [*] Now loading 7600 records. [*] Now loading 7700 records. [*] Now loading 7800 records. [*] Now loading 7900 records. [*] Now loading 8000 records. [*] Now loading 8100 records. [*] Now loading 8200 records. [*] Now loading 8300 records. [*] Now loading 8400 records. [*] Now loading 8500 records. [*] Now loading 8600 records. [*] Now loading 8700 records. [*] Now loading 8800 records. [*] Now loading 8900 records. [*] Now loading 9000 records. [*] Now loading 9100 records. [*] Now loading 9200 records. [*] Now loading 9300 records. [*] Now loading 9400 records. [*] Now loading 9500 records. [*] Now loading 9600 records. [*] Now loading 9700 records. [*] Now loading 9800 records. [*] Now loading 9900 records. [*] Now loading 10000 records. [*] Now loading 10100 records. [*] Now loading 10200 records. [*] Now loading 10300 records. [*] Now loading 10400 records. [*] Now loading 10500 records. [*] Now loading 10600 records. [*] Now loading 10700 records. [*] Now loading 10800 records. [*] Now loading 10900 records. [*] Now loading 11000 records. [*] Now loading 11100 records. [*] Now loading 11200 records. [*] Now loading 11300 records. [*] Now loading 11400 records. [*] Now loading 11500 records. [*] Now loading 11600 records. [*] Now loading 11700 records. [*] Now loading 11800 records. [*] Now loading 11900 records. [*] Now loading 12000 records. [*] Now loading 12100 records. [*] Now loading 12200 records. [*] Now loading 12300 records. [*] Now loading 12400 records. 
[*] Now loading 12500 records. [*] Now loading 12600 records. [*] Now loading 12700 records. [*] Now loading 12800 records. [*] Now loading 12900 records. [*] Now loading 13000 records. [*] Now loading 13100 records. [*] Now loading 13200 records. [*] Now loading 13300 records. [*] Now loading 13400 records. [*] Now loading 13500 records. [*] Now loading 13600 records. [*] Now loading 13700 records. [*] Now loading 13800 records. [*] Now loading 13900 records. [*] Now loading 14000 records. [*] Now loading 14100 records. [*] Now loading 14200 records. [*] Now loading 14300 records. [*] Now loading 14400 records. [*] Now loading 14500 records. [*] Now loading 14600 records. [*] Now loading 14700 records. [*] Now loading 14800 records. [*] Now loading 14900 records. [*] Now loading 15000 records. [*] Now loading 15100 records. [*] Now loading 15200 records. [*] Now loading 15300 records. [*] Now loading 15400 records. [*] Now loading 15500 records. [*] Now loading 15600 records. [*] Now loading 15700 records. [*] Now loading 15800 records. [*] Now loading 15900 records. [*] Now loading 16000 records. [*] Now loading 16100 records. [*] Now loading 16200 records. [*] Now loading 16300 records. [*] Now loading 16400 records. [*] Now loading 16500 records. [*] Now loading 16600 records. [*] Now loading 16700 records. [*] Now loading 16800 records. [*] Now loading 16900 records. [*] Now loading 17000 records. [*] Now loading 17100 records. [*] Now loading 17200 records. [*] Now loading 17300 records. [*] Now loading 17400 records. [*] Now loading 17500 records. [*] Now loading 17600 records. [*] Now loading 17700 records. [*] Now loading 17800 records. [*] Now loading 17900 records. [*] Now loading 18000 records. [*] Now loading 18100 records. [*] Now loading 18200 records. [*] Now loading 18300 records. [*] Now loading 18400 records. [*] Now loading 18500 records. [*] Now loading 18600 records. [*] Now loading 18700 records. [*] Now loading 18800 records. 
[*] Now loading 18900 records. [*] Now loading 19000 records. [*] Now loading 19100 records. [*] Now loading 19200 records. [*] Now loading 19300 records. [*] Now loading 19400 records. [*] Now loading 19500 records. [*] Now loading 19600 records. [*] Now loading 19700 records. [*] Now loading 19800 records. [*] Now loading 19900 records. [*] Now loading 20000 records. [*] Now loading 20100 records. [*] Now loading 20200 records. [*] Now loading 20300 records. [*] Now loading 20400 records. [*] Now loading 20500 records. [*] Now loading 20600 records. [*] Now loading 20700 records. [*] Now loading 20800 records. [*] Now loading 20900 records. [*] Now loading 21000 records. [*] Now loading 21100 records. [*] Now loading 21200 records. [*] Now loading 21300 records. [*] Now loading 21400 records. [*] Now loading 21500 records. [*] Now loading 21600 records. [*] Now loading 21700 records. [*] Now loading 21800 records. [*] Now loading 21900 records. [*] Now loading 22000 records. [*] Now loading 22100 records. [*] Now loading 22200 records. [*] Now loading 22300 records. [*] Now loading 22400 records. [*] Now loading 22500 records. [*] Now loading 22600 records. [*] Now loading 22700 records. [*] Now loading 22800 records. [*] Now loading 22900 records. [*] Now loading 23000 records. [*] Now loading 23100 records. [*] Now loading 23200 records. [*] Now loading 23300 records. [*] Now loading 23400 records. [*] Now loading 23500 records. [*] Now loading 23600 records. [*] Now loading 23700 records. [*] Now loading 23800 records. [*] Now loading 23900 records. [*] Now loading 24000 records. [*] Now loading 24100 records. [*] Now loading 24200 records. [*] Now loading 24300 records. [*] Now loading 24400 records. [*] Now loading 24500 records. [*] Now loading 24600 records. [*] Now loading 24700 records. [*] Now loading 24800 records. [*] Now loading 24900 records. [*] Now loading 25000 records. [*] Now loading 25100 records. [*] Now loading 25200 records. 
[*] Now loading 25300 records. [*] Now loading 25400 records. [*] Now loading 25500 records. [*] Now loading 25600 records. [*] Now loading 25700 records. [*] Now loading 25800 records. [*] Now loading 25900 records. [*] Now loading 26000 records. [*] Now loading 26100 records./usr/local/lib/python3.6/site-packages/statsmodels/compat/pandas.py:56: FutureWarning: The pandas.core.datetools module is deprecated and will be removed in a future version. Please use the pandas.tseries module instead. from pandas.core import datetools logontracer.py:223: RuntimeWarning: Mean of empty slice. count_average = count_sum.mean(axis=0) [*] Load finished. [*] Total Event log is 26159. [*] Calculate PageRank. [*] Calculate ChangeFinder. [*] Creating a graph data. [*] Creation of a graph data finished. [*] Script end. 2018/05/31 08:05:12

Transaction attribute error

LogonTracer-master>python logontracer.py -e Security.evtx -z 5
[*] Script start. 2019/01/13 04:25:25
[*] Time zone is 5.
[*] Last record number is 11398.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file Security.evtx.
[*] Now loading 11300 records.
[*] Load finished.
[*] Total Event log is 11398.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
[*] Calculate PageRank.
[*] Creating a graph data.
Traceback (most recent call last):
File "logontracer.py", line 1028, in <module>
main()
File "logontracer.py", line 1016, in main
parse_evtx(args.evtx)
File "logontracer.py", line 897, in parse_evtx
tx.append(statement_ip, {"IP": ipaddress, "rank": ranks[ipaddress], "hostname": hostname})
AttributeError: 'Transaction' object has no attribute 'append'

Running logontracer.py in the Anaconda prompt just gave me this error. What's the solution to this?

Which python3 version is recommended?

I tried many version of python, but all failed on different part.
3.7.0 failed on install hmmlearn
3.5.2 failed on numpy.dtype size changed, after uploaded EVTX file
3.5.0 failed on numpy.dtype size changed, after uploaded EVTX file
3.6.6 failed on numpy.dtype size changed, after uploaded EVTX file
RuntimeWarning: invalid value encountered in true_divide

So, have any suggested version of python?
Thanks.

Previous event logs deleted

Hi,

Do previously uploaded event logs get deleted?

E.g After uploading 19 Feb evtx, 18 feb is missing when charting timeline.

Event log parse error

I used some logs to test. One log gives an error; the result is as follows:
loading 28800 records./usr/local/src/LogonTracer/logontracer.py:327: RuntimeWarning: Mean of empty slice.
count_average = count_sum.mean(axis=0)
[*] Load finished.
[*] Total Event log is 28881.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
[*] Calculate PageRank.
Traceback (most recent call last):
File "/usr/local/src/LogonTracer/logontracer.py", line 955, in <module>
main()
File "/usr/local/src/LogonTracer/logontracer.py", line 944, in main
parse_evtx(args.evtx)
File "/usr/local/src/LogonTracer/logontracer.py", line 813, in parse_evtx
ranks = pagerank(event_set, admins, detect_hmm, detect_cf, ntmlauth)
File "/usr/local/src/LogonTracer/logontracer.py", line 405, in pagerank
max_v = max(ranks.values())
ValueError: max() arg is an empty sequence

Can you give a mail? I will give you the log of problem.

AttributeError: 'Transaction' object has no attribute 'append'

Hi Team,

We are trying to load an evtx file of size 801 MB on a CentOS 7 server, 64-bit.

python3 logontracer.py -e test11.evtx -z +8 -u neo4j -p XXXXXXX -s localhost

error:
[root@localhost LogonTracer-master]# python3 logontracer.py -e test11.evtx -z +8 -u neo4j -p -s localhost
[*] Script start. 2018/12/05 16:57:45
[*] Time zone is 8.
[*] Last record number is 239409.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file test11.evtx.
Traceback (most recent call last):
File "logontracer.py", line 1028, in <module>
main()
File "logontracer.py", line 1016, in main
parse_evtx(args.evtx)
File "logontracer.py", line 636, in parse_evtx
for node, err in xml_records(evtx_file):
File "logontracer.py", line 526, in xml_records
for xml, record in evtx_file_xml_view(evtx.get_file_header()):
File "/usr/lib/python3.4/site-packages/Evtx/Views.py", line 240, in evtx_file_xml_view
record_str = evtx_record_xml_view(record)
File "/usr/lib/python3.4/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
return render_root_node(record.root())
File "/usr/lib/python3.4/site-packages/Evtx/Views.py", line 182, in render_root_node
for sub in root_node.substitutions():
File "/usr/lib/python3.4/site-packages/Evtx/BinaryParser.py", line 64, in __call__
cache[key] = self.func(*args, **kw)
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 1001, in substitutions
ofs = self.tag_and_children_length()
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 962, in tag_and_children_length
for child in self.children():
File "/usr/lib/python3.4/site-packages/Evtx/BinaryParser.py", line 64, in __call__
cache[key] = self.func(*args, **kw)
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 952, in children
return self._children(end_tokens=[SYSTEM_TOKENS.EndOfStreamToken])
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 159, in _children
ofs += child.length()
File "/usr/lib/python3.4/site-packages/Evtx/BinaryParser.py", line 64, in __call__
cache[key] = self.func(*args, **kw)
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 177, in length
for child in self.children():
File "/usr/lib/python3.4/site-packages/Evtx/BinaryParser.py", line 64, in __call__
cache[key] = self.func(*args, **kw)
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 334, in children
SYSTEM_TOKENS.CloseEmptyElementToken])
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 162, in _children
if child.find_end_of_stream():
File "/usr/lib/python3.4/site-packages/Evtx/BinaryParser.py", line 64, in __call__
cache[key] = self.func(*args, **kw)
File "/usr/lib/python3.4/site-packages/Evtx/Nodes.py", line 186, in find_end_of_stream
ret = child.find_end_of_stream()
AttributeError: 'NullTypeNode' object has no attribute 'find_end_of_stream'

Thank you....

XML import error

An error happens when importing XML file with -x option.
The error is caused by line 501 in logontracer.py.
It works when you replace \' to \".

line 501)
xml_list = fixdata.split("<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'>")

fixed)
xml_list = fixdata.split("<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\">")
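An added example, not code from the LogonTracer project or from the issue above: a splitter for exported Windows event XML that accepts either quote style around the xmlns attribute, which is the one-character mismatch behind the error reported here, and then pulls the EventID and the named EventData fields out of each record. The sample XML is constructed for the example (two events, one with single quotes and one with double quotes); the function names split_events, parse_event and event_ids are my own.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Match the <Event> open tag with either ' or " around the namespace, so an
# export that uses single quotes and one that uses double quotes both split.
EVENT_OPEN = re.compile(r"<Event xmlns=['\"]" + re.escape(NS) + r"['\"]>")


def split_events(text):
    """Return each <Event>...</Event> record of an exported log as a string."""
    parts = EVENT_OPEN.split(text)
    events = []
    for part in parts[1:]:  # parts[0] is whatever preceded the first <Event>
        end = part.find("</Event>")
        if end < 0:
            continue  # truncated record: skip rather than feed garbage to the parser
        # Re-attach a normalised open tag so every fragment is well-formed XML.
        events.append('<Event xmlns="%s">' % NS + part[:end + len("</Event>")])
    return events


def parse_event(event_xml):
    """Parse one record into {"EventID": int, "Data": {Name: value}}."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("./{%s}System/{%s}EventID" % (NS, NS))
    data = {}
    for node in root.iter("{%s}Data" % NS):
        name = node.get("Name")
        if name:
            data[name] = node.text or ""
    return {"EventID": int(event_id), "Data": data}


def event_ids(text):
    """Convenience: the EventID of every record in the export, in order."""
    return [parse_event(ev)["EventID"] for ev in split_events(text)]


# Constructed sample: hostnames, users and addresses are made up for the example.
SAMPLE = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><Computer>DC01.example.local</Computer></System><EventData><Data Name='TargetUserName'>alice</Data><Data Name='IpAddress'>10.0.0.5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><Computer>DC01.example.local</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>
</Events>"""

if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(parse_event(ev))
```

Splitting on a regex instead of a literal string is what makes the quote style irrelevant; re-attaching a normalised open tag keeps each fragment parseable by ElementTree with the namespace intact.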

hmmlearn must be installed for this script

Trying to install LogonTracer in Debian 9.5 and having an issue when running logontracer.py. My command is as follows:
python3 logontracer.py -r -o 8080 -u xxxx -p xxxx -s 127.0.0.1

One thing I've noticed is that there is no clear direction on where the git clone should be run from. I've installed to /etc/LogonTracer as well as the root /LogonTracer.

If I run the requirements.txt again, it states all are satisfied including hmmlearn.

What am I missing in this Debian install?

Thank you

Event log import error

[*] Script start. 2018/08/22 15:58:12
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 9.
[*] Last record number is 897.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file /Users/l1nk3r/Desktop/3.evtx.
[*] Now loading 800 records.
Traceback (most recent call last):
File "logontracer.py", line 949, in <module>
main()
File "logontracer.py", line 938, in main
parse_evtx(args.evtx)
File "logontracer.py", line 779, in parse_evtx
tohours = int((endtime - starttime).total_seconds() / 3600)
TypeError: unsupported operand type(s) for -: 'NoneType' and 'NoneType'

Can't runnning web application

Error
[*] Script start. 2017/12/08 16:20:49
[!] Can't runnning web application.
when running python3 logontracer.py -r -o 8080 -u neo4j -p password -s localhost

Event Log Parsing - Hang

Attempting to parse a log, but the logontracer upload just hangs after all records are imported. Same issue with XML and EVTX. Log below. I'm using the Docker instance.

[*] Script start. 2018/10/05 20:11:30
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is -8.
[*] Last record number is 34800.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file Security.xml.
[*] Now loading 100 records. [*] Now loading 200 records. [*] Now loading 300 records. [*] Now loading 400 records. [*] Now loading 500 records. [*] Now loading 600 records. [*] Now loading 700 records. [*] Now loading 800 records. [*] Now loading 900 records. [*] Now loading 1000 records.
[*] Now loading 1100 records. [*] Now loading 1200 records. [*] Now loading 1300 records. [*] Now loading 1400 records. [*] Now loading 1500 records. [*] Now loading 1600 records. [*] Now loading 1700 records. [*] Now loading 1800 records. [*] Now loading 1900 records. [*] Now loading 2000 records.
[*] Now loading 2100 records. [*] Now loading 2200 records. [*] Now loading 2300 records. [*] Now loading 2400 records. [*] Now loading 2500 records. [*] Now loading 2600 records. [*] Now loading 2700 records. [*] Now loading 2800 records. [*] Now loading 2900 records. [*] Now loading 3000 records.
[*] Now loading 3100 records. [*] Now loading 3200 records. [*] Now loading 3300 records. [*] Now loading 3400 records. [*] Now loading 3500 records. [*] Now loading 3600 records. [*] Now loading 3700 records. [*] Now loading 3800 records. [*] Now loading 3900 records. [*] Now loading 4000 records.
[*] Now loading 4100 records. [*] Now loading 4200 records. [*] Now loading 4300 records. [*] Now loading 4400 records. [*] Now loading 4500 records. [*] Now loading 4600 records. [*] Now loading 4700 records. [*] Now loading 4800 records. [*] Now loading 4900 records. [*] Now loading 5000 records.
[*] Now loading 5100 records. [*] Now loading 5200 records. [*] Now loading 5300 records. [*] Now loading 5400 records. [*] Now loading 5500 records. [*] Now loading 5600 records. [*] Now loading 5700 records. [*] Now loading 5800 records. [*] Now loading 5900 records. [*] Now loading 6000 records.
[*] Now loading 6100 records. [*] Now loading 6200 records. [*] Now loading 6300 records. [*] Now loading 6400 records. [*] Now loading 6500 records. [*] Now loading 6600 records. [*] Now loading 6700 records. [*] Now loading 6800 records. [*] Now loading 6900 records. [*] Now loading 7000 records.
[*] Now loading 7100 records. [*] Now loading 7200 records. [*] Now loading 7300 records. [*] Now loading 7400 records. [*] Now loading 7500 records. [*] Now loading 7600 records. [*] Now loading 7700 records. [*] Now loading 7800 records. [*] Now loading 7900 records. [*] Now loading 8000 records.
[*] Now loading 8100 records. [*] Now loading 8200 records. [*] Now loading 8300 records. [*] Now loading 8400 records. [*] Now loading 8500 records. [*] Now loading 8600 records. [*] Now loading 8700 records. [*] Now loading 8800 records. [*] Now loading 8900 records. [*] Now loading 9000 records.
[*] Now loading 9100 records. [*] Now loading 9200 records. [*] Now loading 9300 records. [*] Now loading 9400 records. [*] Now loading 9500 records. [*] Now loading 9600 records. [*] Now loading 9700 records. [*] Now loading 9800 records. [*] Now loading 9900 records. [*] Now loading 10000 records.
[*] Now loading 10100 records. [*] Now loading 10200 records. [*] Now loading 10300 records. [*] Now loading 10400 records. [*] Now loading 10500 records. [*] Now loading 10600 records. [*] Now loading 10700 records. [*] Now loading 10800 records. [*] Now loading 10900 records. [*] Now loading 11000 records.
[*] Now loading 11100 records. [*] Now loading 11200 records. [*] Now loading 11300 records. [*] Now loading 11400 records. [*] Now loading 11500 records. [*] Now loading 11600 records. [*] Now loading 11700 records. [*] Now loading 11800 records. [*] Now loading 11900 records. [*] Now loading 12000 records.
[*] Now loading 12100 records. [*] Now loading 12200 records. [*] Now loading 12300 records. [*] Now loading 12400 records. [*] Now loading 12500 records. [*] Now loading 12600 records. [*] Now loading 12700 records. [*] Now loading 12800 records. [*] Now loading 12900 records. [*] Now loading 13000 records.
[*] Now loading 13100 records. [*] Now loading 13200 records. [*] Now loading 13300 records. [*] Now loading 13400 records. [*] Now loading 13500 records. [*] Now loading 13600 records. [*] Now loading 13700 records. [*] Now loading 13800 records. [*] Now loading 13900 records. [*] Now loading 14000 records.
[*] Now loading 14100 records. [*] Now loading 14200 records. [*] Now loading 14300 records. [*] Now loading 14400 records. [*] Now loading 14500 records. [*] Now loading 14600 records. [*] Now loading 14700 records. [*] Now loading 14800 records. [*] Now loading 14900 records. [*] Now loading 15000 records.
[*] Now loading 15100 records. [*] Now loading 15200 records. [*] Now loading 15300 records. [*] Now loading 15400 records. [*] Now loading 15500 records. [*] Now loading 15600 records. [*] Now loading 15700 records. [*] Now loading 15800 records. [*] Now loading 15900 records. [*] Now loading 16000 records.
[*] Now loading 16100 records. [*] Now loading 16200 records. [*] Now loading 16300 records. [*] Now loading 16400 records. [*] Now loading 16500 records. [*] Now loading 16600 records. [*] Now loading 16700 records. [*] Now loading 16800 records. [*] Now loading 16900 records. [*] Now loading 17000 records.
[*] Now loading 17100 records. [*] Now loading 17200 records. [*] Now loading 17300 records. [*] Now loading 17400 records. [*] Now loading 17500 records. [*] Now loading 17600 records. [*] Now loading 17700 records. [*] Now loading 17800 records. [*] Now loading 17900 records. [*] Now loading 18000 records.
[*] Now loading 18100 records. [*] Now loading 18200 records. [*] Now loading 18300 records. [*] Now loading 18400 records. [*] Now loading 18500 records. [*] Now loading 18600 records. [*] Now loading 18700 records. [*] Now loading 18800 records. [*] Now loading 18900 records. [*] Now loading 19000 records.
[*] Now loading 19100 records. [*] Now loading 19200 records. [*] Now loading 19300 records. [*] Now loading 19400 records. [*] Now loading 19500 records. [*] Now loading 19600 records. [*] Now loading 19700 records. [*] Now loading 19800 records. [*] Now loading 19900 records. [*] Now loading 20000 records.
[*] Now loading 20100 records. [*] Now loading 20200 records. [*] Now loading 20300 records. [*] Now loading 20400 records. [*] Now loading 20500 records. [*] Now loading 20600 records. [*] Now loading 20700 records. [*] Now loading 20800 records. [*] Now loading 20900 records. [*] Now loading 21000 records.
[*] Now loading 21100 records. [*] Now loading 21200 records. [*] Now loading 21300 records. [*] Now loading 21400 records. [*] Now loading 21500 records. [*] Now loading 21600 records. [*] Now loading 21700 records. [*] Now loading 21800 records. [*] Now loading 21900 records. [*] Now loading 22000 records.
[*] Now loading 22100 records. [*] Now loading 22200 records. [*] Now loading 22300 records. [*] Now loading 22400 records. [*] Now loading 22500 records. [*] Now loading 22600 records. [*] Now loading 22700 records. [*] Now loading 22800 records. [*] Now loading 22900 records. [*] Now loading 23000 records.
[*] Now loading 23100 records. [*] Now loading 23200 records. [*] Now loading 23300 records. [*] Now loading 23400 records. [*] Now loading 23500 records. [*] Now loading 23600 records. [*] Now loading 23700 records. [*] Now loading 23800 records. [*] Now loading 23900 records. [*] Now loading 24000 records.
[*] Now loading 24100 records. [*] Now loading 24200 records. [*] Now loading 24300 records. [*] Now loading 24400 records. [*] Now loading 24500 records. [*] Now loading 24600 records. [*] Now loading 24700 records. [*] Now loading 24800 records. [*] Now loading 24900 records. [*] Now loading 25000 records.
[*] Now loading 25100 records. [*] Now loading 25200 records. [*] Now loading 25300 records. [*] Now loading 25400 records. [*] Now loading 25500 records. [*] Now loading 25600 records. [*] Now loading 25700 records. [*] Now loading 25800 records. [*] Now loading 25900 records. [*] Now loading 26000 records.
[*] Now loading 26100 records. [*] Now loading 26200 records. [*] Now loading 26300 records. [*] Now loading 26400 records. [*] Now loading 26500 records. [*] Now loading 26600 records. [*] Now loading 26700 records. [*] Now loading 26800 records. [*] Now loading 26900 records. [*] Now loading 27000 records.
[*] Now loading 27100 records. [*] Now loading 27200 records. [*] Now loading 27300 records. [*] Now loading 27400 records. [*] Now loading 27500 records. [*] Now loading 27600 records. [*] Now loading 27700 records. [*] Now loading 27800 records. [*] Now loading 27900 records. [*] Now loading 28000 records.
[*] Now loading 28100 records. [*] Now loading 28200 records. [*] Now loading 28300 records. [*] Now loading 28400 records. [*] Now loading 28500 records. [*] Now loading 28600 records. [*] Now loading 28700 records. [*] Now loading 28800 records. [*] Now loading 28900 records. [*] Now loading 29000 records.
[*] Now loading 29100 records. [*] Now loading 29200 records. [*] Now loading 29300 records. [*] Now loading 29400 records. [*] Now loading 29500 records. [*] Now loading 29600 records. [*] Now loading 29700 records. [*] Now loading 29800 records. [*] Now loading 29900 records. [*] Now loading 30000 records.
[*] Now loading 30100 records. [*] Now loading 30200 records. [*] Now loading 30300 records. [*] Now loading 30400 records. [*] Now loading 30500 records. [*] Now loading 30600 records. [*] Now loading 30700 records. [*] Now loading 30800 records. [*] Now loading 30900 records. [*] Now loading 31000 records.
[*] Now loading 31100 records. [*] Now loading 31200 records. [*] Now loading 31300 records. [*] Now loading 31400 records. [*] Now loading 31500 records. [*] Now loading 31600 records. [*] Now loading 31700 records. [*] Now loading 31800 records. [*] Now loading 31900 records. [*] Now loading 32000 records.
[*] Now loading 32100 records. [*] Now loading 32200 records. [*] Now loading 32300 records. [*] Now loading 32400 records. [*] Now loading 32500 records. [*] Now loading 32600 records. [*] Now loading 32700 records. [*] Now loading 32800 records. [*] Now loading 32900 records. [*] Now loading 33000 records.
[*] Now loading 33100 records. [*] Now loading 33200 records. [*] Now loading 33300 records. [*] Now loading 33400 records. [*] Now loading 33500 records. [*] Now loading 33600 records. [*] Now loading 33700 records. [*] Now loading 33800 records. [*] Now loading 33900 records. [*] Now loading 34000 records.
[*] Now loading 34100 records. [*] Now loading 34200 records. [*] Now loading 34300 records. [*] Now loading 34400 records. [*] Now loading 34500 records. [*] Now loading 34600 records. [*] Now loading 34700 records. [*] Now loading 34800 records.

239 INFO exited: setup (exit status 0; expected)

hello,

I run it within Docker; logontracer failed to start and returned the following errors:

[rancher@rancher ~]$ docker logs -f logontracer
/usr/lib/python2.7/site-packages/supervisor/options.py:461: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  'Supervisord is running as root and it is searching '
2018-05-22 16:41:45,714 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2018-05-22 16:41:45,716 INFO supervisord started with pid 1
2018-05-22 16:41:46,719 INFO spawned: 'logontracer' with pid 9
2018-05-22 16:41:46,720 INFO spawned: 'setup' with pid 10
2018-05-22 16:41:46,721 INFO spawned: 'neo4j' with pid 11
2018-05-22 16:41:48,502 INFO success: logontracer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-05-22 16:41:48,502 INFO success: setup entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-05-22 16:41:48,502 INFO success: neo4j entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2018-05-22 16:42:26,826 INFO exited: setup (exit status 0; expected)

How do I solve the above problem? Thanks!

Import does not work

I hate to say it, but importing does not work, neither for the GitHub version nor for Docker.
I see that the DB is populated with my data, but the web interface does not display any of the uploaded data.

common questions

Hello.
I have tried LogonTracer and I have a couple of questions.

  1. Can I see the attacker IP that makes a brute-force attack on a workstation (not a DC), or the IP of the workstation that was under brute-force attack?
  2. After creating a new privileged domain user, Microsoft Event Viewer has no events with information about creating the new user. However, I switched on all necessary events in the Group Policy editor.
  3. After trying DCSync I also didn't see any special events.
  4. After exploitation of MS14-068, Microsoft Event Viewer contained event type 4769, but LogonTracer didn't show information about that in the "MS14-68 Exploit Failure" tab.

Pandas FutureWarning??

Hello
When I upload an event log, it shows me "waiting" and then gets stuck.
So I checked the log and found the following info.

/usr/local/lib/python3.6/site-packages/statsmodels/compat/pandas.py:56: FutureWarning: The pandas.core.datetools module is deprecated and will be removed in a future version. Please use the pandas.tseries module instead.
from pandas.core import datetools
usage: logontracer.py [-h] [-r] [-o PORT] [-s SERVER] [-u USERNAME] [-p PASSWORD] [-e [EVTX [EVTX ...]]] [-x [XML [XML ...]]] [-z UTC] [-f DATE] [-t DATE] [--delete]
logontracer.py: error: argument -z/--timezone: invalid int value: 'Time'

How do I fix it? Thx.

IPaddress:8080 fails to open

Since issue #25 was closed, I'm adding my issue here, which is similar yet different. I also had set my IP address to the IP of the NAT address 10.0.75.1 and never saw port 8080 when running netstat. After changing to localhost:8080, I see 0.0.0.0:8080 as well as 10.0.75.1:8080 multiple times, but these were in TIME_WAIT status. I waited a couple of hours and when I came back I still couldn't access the LogonTracer website. I re-ran netstat and while 0.0.0.0:8080 is still listening, the others at 10.0.75.1 have disappeared. When I try to access the website, I get the ERR_EMPTY_RESPONSE message in the browser.
Any thoughts or ideas would be most welcome at this point.

Event log import error

Hi, when I import my event log, I get these errors, but the sample Security.evtx is fine. Why?

$ sudo python3 logontracer.py --delete -e ./security.evtx -z +8 -u neo4j -p passwrod -s 192.168.1.69
[*] Script start. 2018/06/11 09:03:54
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 8.
[*] Last record number is 14480.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file ./security.evtx.
[*] Now loading 14400 records.
[*] Load finished.
[*] Total Event log is 14480.
[*] Calculate PageRank.
[*] Calculate ChangeFinder.
[*] Creating a graph data.
Traceback (most recent call last):
File "logontracer.py", line 803, in <module>
main()
File "logontracer.py", line 792, in main
parse_evtx(args.evtx, GRAPH)
File "logontracer.py", line 745, in parse_evtx
tx.process()
File "/usr/local/lib/python3.6/dist-packages/py2neo/database/init.py", line 1050, in process
self._post()
File "/usr/local/lib/python3.6/dist-packages/py2neo/database/init.py", line 1293, in _post
self._sync()
File "/usr/local/lib/python3.6/dist-packages/py2neo/database/init.py", line 1282, in _sync
connection.send()
File "/usr/local/lib/python3.6/dist-packages/py2neo/packages/neo4j/v1/bolt.py", line 310, in send
self.channel.send()
File "/usr/local/lib/python3.6/dist-packages/py2neo/packages/neo4j/v1/bolt.py", line 141, in send
self.socket.sendall(data)
ConnectionResetError: [Errno 104] Connection reset by peer

Seems like cdn.rawgit.com is not hosting anymore.

Hello!

I was trying out LogonTracer today, but kept getting these errors:

ReferenceError: neo4j is not defined

After looking at the source of index.html I noticed that the script source for the neo4j javascript driver was not up.
Example of script source in index.html: https://github.com/JPCERTCC/LogonTracer/blob/master/templates/index.html#L19

Googling cdn.rawgit.com it seems like they are shutting down their service:
https://twitter.com/rawgit/status/1049360165030567937

I am pretty sure this is the cause of my issue.

Thanks in advance and thanks for the cool tool! 👍

Timeline Chart Not Working

I am having an issue with the timeline feature. It opens a new tab but there is no data. It is completely blank.

Invalid timezone

Hi,

I always get invalid timezone when I select UTC.

logontracer.py: error: argument -z/--timezone: invalid int value: 'UTC'

Is this a known issue? It works if you select 0 as the timezone.
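An added example, not part of the LogonTracer project, covering this issue and the "invalid int value: 'Time'" error in the Pandas FutureWarning issue above: an argparse type converter that accepts UTC (and Z/GMT) as well as signed whole-hour offsets, and rejects anything else with a message that names the accepted forms instead of the generic "invalid int value". The names parse_tz, tz_error and build_parser are assumptions for the example; the parser defines only the -z option.

```python
import argparse
import re

# Whole-hour offsets only: the tool passes the -z value on as an int.
_OFFSET = re.compile(r"^([+-])?(\d{1,2})$")
_UTC_ALIASES = {"UTC", "Z", "GMT"}


def parse_tz(text):
    """Turn a -z/--timezone value into an integer hour offset from UTC.

    Accepts 'UTC', 'Z', 'GMT', or a signed whole-hour offset such as '-3',
    '+9' or '8'.  Anything else raises ArgumentTypeError, which argparse
    turns into a usage error that shows the reason.
    """
    value = text.strip().upper()
    if value in _UTC_ALIASES:
        return 0
    match = _OFFSET.match(value)
    if not match:
        raise argparse.ArgumentTypeError(
            "%r is not a timezone; use UTC or an hour offset such as -3 or +9" % text)
    sign, hours = match.groups()
    offset = -int(hours) if sign == "-" else int(hours)
    if not -12 <= offset <= 14:  # real UTC offsets lie in this range
        raise argparse.ArgumentTypeError("%r is outside the -12..+14 hour range" % text)
    return offset


def tz_error(text):
    """Return the message parse_tz would reject text with, or None if valid."""
    try:
        parse_tz(text)
    except argparse.ArgumentTypeError as exc:
        return str(exc)
    return None


def build_parser():
    """Hypothetical minimal parser showing the converter wired into -z."""
    parser = argparse.ArgumentParser(prog="logontracer.py")
    parser.add_argument("-z", "--timezone", type=parse_tz, default=0,
                        help="UTC, or hour offset from UTC such as -3 or +9 (default: 0)")
    return parser


if __name__ == "__main__":
    print(build_parser().parse_args().timezone)
```

With this converter, `-z UTC` and `-z 0` are equivalent, `-z -3` still parses (argparse treats a bare negative number as a value when no option looks like one), and `-z Time` produces a usage error that states what the option expects.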

Upload Error

When I upload a Security EVTX, I seem to get this error for a few of the samples that I looked at.

File "./logontracer.py", line 693, in <module>
main()
File "./logontracer.py", line 682, in main
parse_evtx(args.evtx, GRAPH)
File "./logontracer.py", line 401, in parse_evtx
for node, err in xml_records(evtx_file):
File "./logontracer.py", line 304, in xml_records
yield xml, e, fh
NameError: global name 'fh' is not defined

Error Upload event.

Hello, I get an error uploading event.evtx.

#python3 logontracer.py -e /home/logon/Desktop/Security.evtx -z -3 -u neo4j -p password -s localhost
/home/logon/.local/lib/python3.5/site-packages/statsmodels/compat/pandas.py:56: FutureWarning: The pandas.core.datetools module is deprecated and will be removed in a future version. Please use the pandas.tseries module instead.
from pandas.core import datetools
[*] Script start. 2018/04/24 17:28:42
[*] Time zone is -3.
[*] Last record number is 49147872.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file /home/logon/Desktop/Security.evtx.
[*] Now loading 242200 records.
[*] Load finished.
[*] Total Event log is 242213.
[*] Calculate PageRank.
[*] Calculate ChangeFinder.
Traceback (most recent call last):
File "logontracer.py", line 656, in <module>
main()
File "logontracer.py", line 645, in main
parse_evtx(args.evtx, GRAPH)
File "logontracer.py", line 552, in parse_evtx
timelines, detects = adetection(count_set, username_set, ranks, starttime, tohours)
File "logontracer.py", line 233, in adetection
u = ranks[users[num]]
KeyError: 'hmemez'

Launching logontracer.py fails (mac)

Running the command in the setup guide fails. Not sure how to get past this. All prior steps went fine after I installed Neo4j with brew.

→ sudo python3 logontracer.py -r -o 8080 -u neo4j -p password -s 127.0.0.1
Traceback (most recent call last):
File "logontracer.py", line 70, in <module>
app = Flask(__name__)
NameError: name 'Flask' is not defined

WARNING: Search failed!

I am using LogonTracer on a CentOS Linux system (version 7.6.1810) with Python 2.7.5.
I uploaded the evtx file in the LogonTracer web interface; after that I get the error: WARNING: Search failed!
But in the web interface of Neo4j I can see the data from the evtx file (see image).
Log:
[*] Script start. 2019/05/01 12:00:18
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 4.
[*] Last record number is 34330.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file /usr/local/src/LogonTracer/upload/0.evtx.
[*] Now loading 100 records.
.......
[*] Now loading 34300 records.
[*] Load finished.
[*] Total Event log is 34330.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
[*] Calculate PageRank.
[*] Creating a graph data.
[*] Creation of a graph data finished.
[*] Script end. 2019/05/01 12:12:32

Other Windows Log Formats

Would it be possible to add support for importing CSV and XML formatted Windows Event Logs? Often I come across systems that I'm able to remotely administer and export events for, but not in EVTX format.

Evtx Import Error

This is what I am getting when I try to import an evtx on Windows 10.

python logontracer.py --delete -e C:\windows\System32\Winevt\Logs\Security.evtx -z +2 -u neo4j -p password -s 127.0.0.1
[*] Script start. 2018/07/17 17:30:14
[*] Delete all nodes and relationships from this Neo4j database.
[*] Time zone is 2.
[*] Last record number is 4639937.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file C:\windows\System32\Winevt\Logs\Security.evtx.
[*] Now loading 50600 records.
[*] Load finished.
[*] Total Event log is 50699.
[*] Calculate PageRank.
[*] Calculate ChangeFinder.
logontracer.py:308: RuntimeWarning: Mean of empty slice.
count_average = count_sum.mean(axis=0)
C:\Python37\lib\site-packages\numpy\core\_methods.py:73: RuntimeWarning: invalid value encountered in true_divide
ret, rcount, out=ret, casting='unsafe', subok=False)
[*] Creating a graph data.
Traceback (most recent call last):
File "logontracer.py", line 810, in <module>
main()
File "logontracer.py", line 799, in main
parse_evtx(args.evtx)
File "logontracer.py", line 730, in parse_evtx
tx.append(statement_date, {"Daterange": "Daterange", "start": datetime.datetime(*starttime.timetuple()[:4]).strftime("%Y-%m-%d %H:%M:%S"),
AttributeError: 'Transaction' object has no attribute 'append'

unpack_from requires a buffer of at least 2 bytes

Hello,
#python3 logontracer.py -e /home/logon/Downloads/Security3.evtx -z 3 -u neo4j -p password-s localhost
/home/logon/.local/lib/python3.5/site-packages/statsmodels/compat/pandas.py:56: FutureWarning: The pandas.core.datetools module is deprecated and will be removed in a future version. Please use the pandas.tseries module instead.
from pandas.core import datetools
[*] Script start. 2018/05/15 11:35:05
[*] Time zone is 3.
[*] Last record number is 5169506801.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file /home/logon/Downloads/Security3.evtx.
[*] Now loading 25200 records.
Traceback (most recent call last):
File "/home/logon/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 302, in unpack_word
return struct.unpack_from("<H", self._buf, o)[0]
struct.error: unpack_from requires a buffer of at least 2 bytes

Localhost:8080

When using Docker on Windows 10, trying to access localhost:8080 I receive:

This page isn’t working
localhost didn’t send any data.
ERR_EMPTY_RESPONSE
