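def get_logout_event(index, logonid, timestamp, maxtstamp, screen):
    """
    Look for the logoff event belonging to the given logon id or a shutdown event.

    Parameters:
        index: Elasticsearch index to search.
        logonid: logon id matched (``match`` query) against the record's
            ``xml_string`` field.
        timestamp: lower bound of the ``datetime`` range filter (session start);
            assumed to be in the same units as the index's ``datetime`` field.
        maxtstamp: upper bound of the ``datetime`` range filter.
        screen: passed through to get_dsl_logoff_query() to build the logoff clause.

    Returns:
        The newest hit (sorted by ``-datetime``) within the range, or None when
        neither a logoff record for ``logonid`` nor a shutdown record
        (``config.EVENT_SHUTDOWN``) is found. Failures of the search itself
        (connection errors, bad queries) propagate instead of being reported
        as "no event", so an outage cannot be mistaken for a session that
        never ended.
    """
    conn = connections.get_connection()
    # workaround to fix time precision issues: widen the lower bound slightly so a
    # logoff stamped just before the recorded logon time is not excluded
    timestamp = timestamp - 999
    date_range = {'gte': timestamp, 'lte': maxtstamp}

    def _latest_hit(must):
        """Return the newest hit matching all clauses in ``must``, or None if no hit."""
        s = (Search(using=conn, index=index)
             .query(Q('bool', must=must))
             .filter('range', datetime=date_range)
             .sort('-datetime'))
        res = s.execute()
        try:
            return res[0]
        except IndexError:
            # NOTE(review): assumes an empty response raises IndexError on [0];
            # only the "no hits" case is swallowed here, everything else propagates
            return None

    logoff = get_dsl_logoff_query(screen)
    evt = _latest_hit([
        Q('match', data_type='windows:evtx:record'),
        Q('match', xml_string=logonid),
        logoff,
    ])
    if evt is None:
        # no logoff for this logon id: fall back to a system shutdown in the window
        evt = _latest_hit([Q('match', event_identifier=config.EVENT_SHUTDOWN)])
    return evt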