I am now querying data from MongoDB using PHP, but there are some problems I do not know how to fix.
Firstly, I listed documents following the MongoDB PHP Library: https://docs.mongodb.com/php-library/v1.2/tutorial/install-php-library/. Then I followed its tutorial to query data, and it works correctly.
The problem is when I import Windows Event Logs, which I export from PowerShell and then convert to JSON. I cannot use the find() function to find data in MongoDB the same way I did successfully with the sample data.
So, how can I do it?
PHP script:
$this->check("192_168_223_136_old", "Application", ['MachineName'=>'Client1 ']);
and:
$this->check("192_168_223_136_old", "Application", ["MachineName" => "Client1.evilzone.h4niz"]);
Check function:
public function check($db, $col, $filter) {
    // Client::__get() and Database::__get() select the database and collection by name
    $collection = (new MongoDB\Client)->$db->$col;
    $rs = $collection->find($filter);
    foreach ($rs as $r) {
        // var_dump() prints directly and returns NULL, so print_r(var_dump($r) . "<br>")
        // only ever printed "<br>"; dump and then emit the line break separately
        var_dump($r);
        echo "<br>";
    }
}
Powershell script to get winevt logs:
# Get Windows Event Logs
function GetEventLog
{
    param([String]$path)
    "[+] - Getting Windows Eventlog ..." | Out-File -Append -FilePath $path\Status.txt
    # keep only the logs that actually contain entries
    $log = foreach ($tmp in (Get-EventLog -List)) { if ($tmp.Entries.Count -gt 0) { $tmp } }
    # arrays are zero-based: starting at 1 skipped the first log and indexed past the end on the last pass
    $i = 0
    $lCount = $log.Count
    while ($i -lt $lCount)
    {
        if (![String]::IsNullOrEmpty($log[$i].Log)) {
            [String] $s = $path + '\' + $log[$i].Log + '.json'
            $log[$i].Entries | ConvertTo-Json -Compress | Out-File -FilePath $s -Encoding ascii
            # $dest was never defined; the status file lives under $path like the log files
            "[v] -" + $log[$i].Log + ".json-wrote completed!" | Out-File -Append -FilePath $path\Status.txt
        }
        $i++
    }
}
GetEventLog $path
My flow:
The data tree in MongoDB looks like this:
{
"0": {
"MachineName": "Client1 ",
"Data": [{
"$numberInt": "77"
}, {
"$numberInt": "0"
}, {
"$numberInt": "83"
}, {
"$numberInt": "0"
}, {
"$numberInt": "68"
}, {
"$numberInt": "0"
}, {
"$numberInt": "84"
}, {
"$numberInt": "0"
}, {
"$numberInt": "67"
}, {
"$numberInt": "0"
}],
"Index": {
"$numberInt": "509"
},
"Category": "(1)",
"CategoryNumber": {
"$numberInt": "1"
},
"EventID": {
"$numberInt": "4111"
},
"EntryType": {
"$numberInt": "4"
},
"Message": "The description for Event ID '1073745935' in Source 'MSDTC' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:",
"Source": "MSDTC",
"ReplacementStrings": [],
"InstanceId": {
"$numberInt": "1073745935"
},
"TimeGenerated": "/Date(1584345755000)/",
"TimeWritten": "/Date(1584345755000)/",
"UserName": null,
"Site": null,
"Container": null
},
"1": {
"MachineName": "Client1 ",
"Data": [],
"Index": {
"$numberInt": "510"
},
"Category": "General",
"CategoryNumber": {
"$numberInt": "1"
},
"EventID": {
"$numberInt": "327"
},
"EntryType": {
"$numberInt": "4"
},
"Message": "svchost (1032) The database engine detached a database (1, C:\\Windows\\system32\\LogFiles\\Sum\\Current.mdb). (Time=0 seconds)\r\n\r\n\r\n\r\nInternal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000.\r\n\r\nRevived Cache: 0 0",
"Source": "ESENT",
"ReplacementStrings": ["svchost", "1032", "", "1", "C:\\Windows\\system32\\LogFiles\\Sum\\Current.mdb", "0", "[1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000.", "0 0"],
"InstanceId": {
"$numberInt": "327"
},
"TimeGenerated": "/Date(1584345756000)/",
"TimeWritten": "/Date(1584345756000)/",
"UserName": null,
"Site": null,
"Container": null
},
//truncated
"183": {
"MachineName": "Client1.evilzone.h4niz",
"Data": [],
"Index": {
"$numberInt": "692"
},
"Category": "(0)",
"CategoryNumber": {
"$numberInt": "0"
},
"EventID": {
"$numberInt": "1003"
},
"EntryType": {
"$numberInt": "4"
},
"Message": "The Software Protection service has completed licensing status check.\r\nApplication Id=55c92734-d682-4d71-983e-d6ec3f16059f\r\nLicensing Status=\n1: 4fc45a88-26b5-4cf9-9eef-769ee3f0a016, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/hwid/4.0 0x00000000 0)(?)( 9 0x00000000 180 259048)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]\n2: 9d0bb49b-21a1-4354-9981-ec5dd9393961, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n",
"Source": "Software Protection Platform Service",
"ReplacementStrings": ["55c92734-d682-4d71-983e-d6ec3f16059f", "\n1: 4fc45a88-26b5-4cf9-9eef-769ee3f0a016, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/hwid/4.0 0x00000000 0)(?)( 9 0x00000000 180 259048)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]\n2: 9d0bb49b-21a1-4354-9981-ec5dd9393961, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n"],
"InstanceId": {
"$numberInt": "1073742827"
},
"TimeGenerated": "/Date(1584355522000)/",
"TimeWritten": "/Date(1584355522000)/",
"UserName": null,
"Site": null,
"Container": null
},
//truncated
}
And this is var_dump($rs), with $rs = $collection->find($filter); in the check() function which I listed above.
object(MongoDB\Driver\Cursor)#6 (10) { ["database"]=> string(19) "192_168_223_136_old" ["collection"]=> string(11) "Application" ["query"]=> object(MongoDB\Driver\Query)#7 (3) { ["filter"]=> object(stdClass)#9 (1) { ["MachineName"]=> string(22) "Client1.evilzone.h4niz" } ["options"]=> object(stdClass)#13 (0) { } ["readConcern"]=> NULL } ["command"]=> NULL ["readPreference"]=> object(MongoDB\Driver\ReadPreference)#11 (1) { ["mode"]=> string(7) "primary" } ["session"]=> NULL ["isDead"]=> bool(true) ["currentIndex"]=> int(0) ["currentDocument"]=> NULL ["server"]=> object(MongoDB\Driver\Server)#8 (10) { ["host"]=> string(9) "127.0.0.1" ["port"]=> int(27017) ["type"]=> int(1) ["is_primary"]=> bool(false) ["is_secondary"]=> bool(false) ["is_arbiter"]=> bool(false) ["is_hidden"]=> bool(false) ["is_passive"]=> bool(false) ["last_is_master"]=> array(11) { ["ismaster"]=> bool(true) ["maxBsonObjectSize"]=> int(16777216) ["maxMessageSizeBytes"]=> int(48000000) ["maxWriteBatchSize"]=> int(100000) ["localTime"]=> object(MongoDB\BSON\UTCDateTime)#13 (1) { ["milliseconds"]=> string(13) "1585731874914" } ["logicalSessionTimeoutMinutes"]=> int(30) ["connectionId"]=> int(1313) ["minWireVersion"]=> int(0) ["maxWireVersion"]=> int(8) ["readOnly"]=> bool(false) ["ok"]=> float(1) } ["round_trip_time"]=> int(0) } }
Thanks for reading!
My solution:
I fixed it by calling find() with no filter and then handling the returned data in PHP.
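Added example, not code from the original post: it shows why the filter returns the empty cursor dumped above. In the stored document every event sits under a numeric key ("0", "1", ...), so a top-level MachineName equality has nothing to match; the script reshapes a constructed sample of that export into one document per event, converting the `$numberInt` wrappers and `/Date(ms)/` strings on the way, and compares a simple equality match against both shapes. The sample data and the matchTopLevel() stand-in for find() are assumptions.

```php
<?php
// Constructed sample in the stored shape shown above: events under numeric keys,
// Extended JSON integers, "/Date(ms)/" timestamps, a trailing space in MachineName.
$sampleExport = '{"0":{"MachineName":"Client1 ","EventID":{"$numberInt":"4111"},"TimeGenerated":"/Date(1584345755000)/"},'
    . '"1":{"MachineName":"Client1.evilzone.h4niz","EventID":{"$numberInt":"1003"},"TimeGenerated":"/Date(1584355522000)/"}}';

// {"$numberInt": "n"} becomes an int and "/Date(ms)/" an ISO-8601 UTC string;
// the recursion also covers nested fields such as Data and ReplacementStrings.
function normalizeValue($value)
{
    if (is_array($value)) {
        if (array_keys($value) === ['$numberInt']) {
            return (int) $value['$numberInt'];
        }
        return array_map('normalizeValue', $value);
    }
    if (is_string($value) && preg_match('#^/Date\((-?\d+)\)/$#', $value, $m)) {
        return gmdate(DATE_ATOM, intdiv((int) $m[1], 1000));
    }
    return $value;
}

// One document per event, for the numeric-keyed object as well as a plain JSON array;
// MachineName is trimmed so queries need not reproduce the trailing space in "Client1 ".
function eventsFromExport(string $json): array
{
    $events = [];
    foreach (json_decode($json, true, 512, JSON_THROW_ON_ERROR) as $entry) {
        $event = normalizeValue($entry);
        if (isset($event['MachineName'])) {
            $event['MachineName'] = trim($event['MachineName']);
        }
        $events[] = $event;
    }
    return $events;
}

// Equality-only stand-in for find($filter) (an assumption, not the driver itself).
function matchTopLevel(array $docs, array $filter): array
{
    return array_values(array_filter($docs, function (array $doc) use ($filter): bool {
        foreach ($filter as $field => $expected) {
            if (!array_key_exists($field, $doc) || $doc[$field] !== $expected) return false;
        }
        return true;
    }));
}

$filter   = ['MachineName' => 'Client1.evilzone.h4niz'];
$asStored = [json_decode($sampleExport, true)];   // one document, events nested under "0", "1"
$reshaped = eventsFromExport($sampleExport);      // one document per event
printf("matches against the stored shape: %d\n", count(matchTopLevel($asStored, $filter)));
printf("matches after reshaping: %d\n", count(matchTopLevel($reshaped, $filter)));
```

Loading $reshaped with MongoDB\Collection::insertMany() stores one document per event, after which the original find(['MachineName' => 'Client1.evilzone.h4niz']) returns the matching entry without post-processing in PHP.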
User contributions licensed under CC BY-SA 3.0