dissect.target.plugins.os.windows.iis

Module Contents

Classes

IISLogsPlugin

IIS 7 (and above) logs plugin.

Functions

replace_dash_with_none

Replace "-" placeholder in dict values with None

normalise_field_name

Replace all characters that are not allowed in the field name by flow.record with _

Attributes

dissect.target.plugins.os.windows.iis.LOG_RECORD_NAME = 'filesystem/windows/iis/logs'
dissect.target.plugins.os.windows.iis.BASIC_RECORD_FIELDS = [('string', 'log_file'), ('string', 'log_format'), ('datetime', 'ts'), ('net.ipaddress',...
dissect.target.plugins.os.windows.iis.BasicRecordDescriptor
dissect.target.plugins.os.windows.iis.FIELD_NAME_INVALID_CHARS_RE
class dissect.target.plugins.os.windows.iis.IISLogsPlugin(target)

Bases: dissect.target.plugin.Plugin

IIS 7 (and above) logs plugin.

APPLICATION_HOST_CONFIG = 'sysvol/windows/system32/inetsrv/config/applicationHost.config'
__namespace__ = 'iis'
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_dirs() → List[Tuple[str, str]]
iter_log_format_path_pairs() → List[Tuple[str, str]]
parse_iis_format_log(path: pathlib.Path) → Generator[dissect.target.helpers.record.TargetRecordDescriptor, None, None]

Parse log file in IIS format and stream log records.

parse_w3c_format_log(path: pathlib.Path) → Generator[dissect.target.helpers.record.TargetRecordDescriptor, None, None]

Parse log file in W3C format and stream log records.

iter_log_paths(log_dir: str) → Generator[pathlib.Path, None, None]
logs() → Generator[dissect.target.helpers.record.TargetRecordDescriptor, None, None]

Return contents of IIS (v7 and above) log files.

Internet Information Services (IIS) for Windows Server is a manageable web server for hosting anything on the web. Log files might, for example, contain traces that indicate that the web server has been exploited. Supported log formats: IIS, W3C.

dissect.target.plugins.os.windows.iis.replace_dash_with_none(data: dict) → dict

Replace “-” placeholder in dict values with None

dissect.target.plugins.os.windows.iis.normalise_field_name(field: str) → str

Replace all characters that are not allowed in the field name by flow.record with _, and strip all hanging _ from start / end of the string.
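
The behaviour described above for W3C parsing and the two helper functions, as an added example that does not import dissect and is not the project's own code. The names `normalise_name`, `dash_to_none` and `parse_w3c_lines`, the allowed-character regex and the sample log are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone
from typing import Iterable, Iterator, List, Optional

# Assumption: record field names may contain only letters, digits and "_".
INVALID_CHARS_RE = re.compile(r"[^a-zA-Z0-9_]")

# Constructed sample: "#Fields:" changes mid-file and the last entry is truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
2024-01-15 10:00:01 192.0.2.10 GET /index.html - Mozilla/5.0+(Windows+NT+10.0) 200
2024-01-15 10:00:02 192.0.2.11 POST /upload.aspx id=1 - 500
#Fields: date time c-ip cs-uri-stem sc-status time-taken
2024-01-15 10:05:00 192.0.2.10 /login.aspx 302 15
2024-01-15 10:05:01 192.0.2
"""

def normalise_name(field: str) -> str:
    """Replace disallowed characters with "_" and strip "_" from both ends."""
    return INVALID_CHARS_RE.sub("_", field).strip("_")

def dash_to_none(data: dict) -> dict:
    """Map the "-" placeholder that marks an empty value to None."""
    return {key: (None if value == "-" else value) for key, value in data.items()}

def parse_w3c_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per log entry, following the active "#Fields:" layout."""
    fields: Optional[List[str]] = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The directive can recur after a configuration change; it replaces the layout.
            fields = [normalise_name(f) for f in line[len("#Fields:"):].split()]
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no layout seen yet, or a truncated / malformed entry
        row = dash_to_none(dict(zip(fields, values)))
        if row.get("date") and row.get("time"):
            # W3C extended log timestamps are recorded in UTC.
            stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            row["ts"] = stamp.replace(tzinfo=timezone.utc)
        yield row

if __name__ == "__main__":
    for record in parse_w3c_lines(SAMPLE_LOG.splitlines()):
        print(record)
```
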