Query data in MongoDB using PHP

I am now querying data from MongoDB using PHP, but there are some problems I do not know how to fix.

Firstly, I listed documents following the MongoDB PHP Library: https://docs.mongodb.com/php-library/v1.2/tutorial/install-php-library/. Then I followed its tutorial to query data, and it worked correctly.

The problem is when I import Windows Event Logs, which are exported from PowerShell and then converted to JSON. I cannot use the find() function to find data in MongoDB the same way I did successfully with the sample data.
So, how can I do it?

PHP script:

$this->check("192_168_223_136_old", "Application", ['MachineName'=>'Client1 ']);

and:

$this->check("192_168_223_136_old", "Application", ["MachineName" => "Client1.evilzone.h4niz"]);

Check function:

public function check($db, $col, $filter)
{
	// Database and collection names come from the caller (e.g. "192_168_223_136_old", "Application")
	$collection = (new MongoDB\Client)->$db->$col;

	$rs = $collection->find($filter);

	foreach ($rs as $r) {
		// var_dump() prints directly and returns null, so it cannot be concatenated with "<br>"
		var_dump($r);
		echo "<br>";
	}
}

PowerShell script to get winevt logs:

# Get Windows Event Log entries and write one JSON file per log
function GetEventLog
{
    param([String]$path)

    "[+] - Getting Windows Eventlog ..." | Out-File -Append -FilePath "$path\Status.txt"
    # Keep only the logs that actually contain entries
    $log = foreach ($tmp in (Get-EventLog -List)) { if ($tmp.Entries.Count -gt 0) { $tmp } }

    # Arrays are zero-based: iterate 0 .. Count-1 (starting at 1 skips the first log and runs one past the end)
    for ($i = 0; $i -lt $log.Count; $i++)
    {
        if ([String]::IsNullOrEmpty($log[$i].Log)) { continue }
        [String] $s = $path + '\' + $log[$i].Log + '.json'
        $log[$i].Entries | ConvertTo-Json -Compress | Out-File -FilePath $s -Encoding ascii
        # Status line belongs inside the loop; the undefined $dest is replaced by $path
        "[v] - $($log[$i].Log).json - write completed!" | Out-File -Append -FilePath "$path\Status.txt"
    }
}

# $path is set by the calling script
GetEventLog $path

My flow:

  1. Using PS script to get my own winevtlog.
  2. Import it into MongoDB.
  3. Query check() to get data.

Dir tree data in MongoDB looks like this:

    {
        "0": {
            "MachineName": "Client1 ",
            "Data": [{
                "$numberInt": "77"
            }, {
                "$numberInt": "0"
            }, {
                "$numberInt": "83"
            }, {
                "$numberInt": "0"
            }, {
                "$numberInt": "68"
            }, {
                "$numberInt": "0"
            }, {
                "$numberInt": "84"
            }, {
                "$numberInt": "0"
            }, {
                "$numberInt": "67"
            }, {
                "$numberInt": "0"
            }],
            "Index": {
                "$numberInt": "509"
            },
            "Category": "(1)",
            "CategoryNumber": {
                "$numberInt": "1"
            },
            "EventID": {
                "$numberInt": "4111"
            },
            "EntryType": {
                "$numberInt": "4"
            },
            "Message": "The description for Event ID '1073745935' in Source 'MSDTC' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:",
            "Source": "MSDTC",
            "ReplacementStrings": [],
            "InstanceId": {
                "$numberInt": "1073745935"
            },
            "TimeGenerated": "/Date(1584345755000)/",
            "TimeWritten": "/Date(1584345755000)/",
            "UserName": null,
            "Site": null,
            "Container": null
        },
        "1": {
            "MachineName": "Client1 ",
            "Data": [],
            "Index": {
                "$numberInt": "510"
            },
            "Category": "General",
            "CategoryNumber": {
                "$numberInt": "1"
            },
            "EventID": {
                "$numberInt": "327"
            },
            "EntryType": {
                "$numberInt": "4"
            },
            "Message": "svchost (1032) The database engine detached a database (1, C:\\Windows\\system32\\LogFiles\\Sum\\Current.mdb). (Time=0 seconds)\r\n\r\n\r\n\r\nInternal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000.\r\n\r\nRevived Cache: 0 0",
            "Source": "ESENT",
            "ReplacementStrings": ["svchost", "1032", "", "1", "C:\\Windows\\system32\\LogFiles\\Sum\\Current.mdb", "0", "[1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000.", "0 0"],
            "InstanceId": {
                "$numberInt": "327"
            },
            "TimeGenerated": "/Date(1584345756000)/",
            "TimeWritten": "/Date(1584345756000)/",
            "UserName": null,
            "Site": null,
            "Container": null
        },
//truncated
        "183": {
            "MachineName": "Client1.evilzone.h4niz",
            "Data": [],
            "Index": {
                "$numberInt": "692"
            },
            "Category": "(0)",
            "CategoryNumber": {
                "$numberInt": "0"
            },
            "EventID": {
                "$numberInt": "1003"
            },
            "EntryType": {
                "$numberInt": "4"
            },
            "Message": "The Software Protection service has completed licensing status check.\r\nApplication Id=55c92734-d682-4d71-983e-d6ec3f16059f\r\nLicensing Status=\n1: 4fc45a88-26b5-4cf9-9eef-769ee3f0a016, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/hwid/4.0 0x00000000 0)(?)( 9 0x00000000 180 259048)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]\n2: 9d0bb49b-21a1-4354-9981-ec5dd9393961, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n",
            "Source": "Software Protection Platform Service",
            "ReplacementStrings": ["55c92734-d682-4d71-983e-d6ec3f16059f", "\n1: 4fc45a88-26b5-4cf9-9eef-769ee3f0a016, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/hwid/4.0 0x00000000 0)(?)( 9 0x00000000 180 259048)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]\n2: 9d0bb49b-21a1-4354-9981-ec5dd9393961, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n"],
            "InstanceId": {
                "$numberInt": "1073742827"
            },
            "TimeGenerated": "/Date(1584355522000)/",
            "TimeWritten": "/Date(1584355522000)/",
            "UserName": null,
            "Site": null,
            "Container": null
        },
//truncated
}

And this is var_dump($rs), with $rs = $collection->find($filter); in the check() function I listed above.

object(MongoDB\Driver\Cursor)#6 (10) { ["database"]=> string(19) "192_168_223_136_old" ["collection"]=> string(11) "Application" ["query"]=> object(MongoDB\Driver\Query)#7 (3) { ["filter"]=> object(stdClass)#9 (1) { ["MachineName"]=> string(22) "Client1.evilzone.h4niz" } ["options"]=> object(stdClass)#13 (0) { } ["readConcern"]=> NULL } ["command"]=> NULL ["readPreference"]=> object(MongoDB\Driver\ReadPreference)#11 (1) { ["mode"]=> string(7) "primary" } ["session"]=> NULL ["isDead"]=> bool(true) ["currentIndex"]=> int(0) ["currentDocument"]=> NULL ["server"]=> object(MongoDB\Driver\Server)#8 (10) { ["host"]=> string(9) "127.0.0.1" ["port"]=> int(27017) ["type"]=> int(1) ["is_primary"]=> bool(false) ["is_secondary"]=> bool(false) ["is_arbiter"]=> bool(false) ["is_hidden"]=> bool(false) ["is_passive"]=> bool(false) ["last_is_master"]=> array(11) { ["ismaster"]=> bool(true) ["maxBsonObjectSize"]=> int(16777216) ["maxMessageSizeBytes"]=> int(48000000) ["maxWriteBatchSize"]=> int(100000) ["localTime"]=> object(MongoDB\BSON\UTCDateTime)#13 (1) { ["milliseconds"]=> string(13) "1585731874914" } ["logicalSessionTimeoutMinutes"]=> int(30) ["connectionId"]=> int(1313) ["minWireVersion"]=> int(0) ["maxWireVersion"]=> int(8) ["readOnly"]=> bool(false) ["ok"]=> float(1) } ["round_trip_time"]=> int(0) } } 

Thanks for your reading!

Hi @Quoc_Anh_Nguyen_Le,

Could you elaborate on the problem that you are having? i.e. find() not returning any result, or perhaps find() returning all data, etc.

I'm not sure what you mean by dir tree data here, but perhaps you stored all of this within a single document in MongoDB? Based on your query, I think you meant to store each of these array documents as separate documents in the collection. That way, you should be able to find a particular machine based on the MachineName field easily.

Regards,
Wan.
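The reshaping the reply suggests, as an added example that is not from the original thread: it takes the single imported document with "0", "1", ... keys, emits one document per event (turning the PowerShell "/Date(ms)/" strings into BSON dates on the way), inserts them with insertMany(), and then runs the original MachineName filter. It assumes Composer's vendor/autoload.php, a MongoDB server on localhost:27017, and the database and collection names from the question; the two sample entries are constructed.

```php
<?php
// Added example (not from the original post). Assumes vendor/autoload.php,
// a local mongod, and the database/collection names used in the question.
require 'vendor/autoload.php';

use MongoDB\BSON\UTCDateTime;

/** Convert the PowerShell-style "/Date(1584345755000)/" string into a BSON date. */
function toBsonDate(string $s): ?UTCDateTime
{
    return preg_match('#^/Date\((\d+)\)/$#', $s, $m) ? new UTCDateTime((int) $m[1]) : null;
}

/** Split the nested import {"0": {...}, "1": {...}} into a flat list of event documents. */
function splitEvents(array $nested): array
{
    $events = [];
    foreach ($nested as $key => $event) {
        if (!ctype_digit((string) $key) || !is_array($event)) {
            continue;               // skip anything that is not a numbered entry
        }
        foreach (['TimeGenerated', 'TimeWritten'] as $f) {
            if (isset($event[$f]) && is_string($event[$f])) {
                $event[$f] = toBsonDate($event[$f]) ?? $event[$f];
            }
        }
        // MachineName is stored exactly as exported; note "Client1 " keeps its trailing space
        $events[] = $event;
    }
    return $events;
}

// Constructed sample in the shape shown in the question, as canonical Extended JSON,
// so fromJSON() turns the {"$numberInt": "..."} wrappers into real integers.
$json = '{"0": {"MachineName": "Client1 ", "EventID": {"$numberInt": "4111"},
           "Source": "MSDTC", "TimeGenerated": "/Date(1584345755000)/"},
          "1": {"MachineName": "Client1.evilzone.h4niz", "EventID": {"$numberInt": "1003"},
           "Source": "Software Protection Platform Service", "TimeGenerated": "/Date(1584355522000)/"}}';
$nested = MongoDB\BSON\toPHP(MongoDB\BSON\fromJSON($json), ['root' => 'array', 'document' => 'array']);

$collection = (new MongoDB\Client)->selectCollection('192_168_223_136_old', 'Application');
$collection->insertMany(splitEvents($nested));

// With one document per event, the filter from the question matches directly.
foreach ($collection->find(['MachineName' => 'Client1.evilzone.h4niz']) as $r) {
    printf("%s EventID=%d Source=%s\n", $r['MachineName'], $r['EventID'], $r['Source']);
}
```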