:py:mod:`dissect.target.plugins.apps.webserver.iis`
===================================================

.. py:module:: dissect.target.plugins.apps.webserver.iis


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.webserver.iis.IISLogsPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.apps.webserver.iis.replace_dash_with_none
   dissect.target.plugins.apps.webserver.iis.normalise_field_name


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.webserver.iis.LOG_RECORD_NAME
   dissect.target.plugins.apps.webserver.iis.BASIC_RECORD_FIELDS
   dissect.target.plugins.apps.webserver.iis.BasicRecordDescriptor
   dissect.target.plugins.apps.webserver.iis.FIELD_NAME_INVALID_CHARS_RE


.. py:data:: LOG_RECORD_NAME
   :value: 'filesystem/windows/iis/logs'


.. py:data:: BASIC_RECORD_FIELDS
   :value: [('datetime', 'ts'), ('net.ipaddress', 'client_ip'), ('net.ipaddress', 'server_ip'), ('string',...


.. py:data:: BasicRecordDescriptor


.. py:data:: FIELD_NAME_INVALID_CHARS_RE


.. py:class:: IISLogsPlugin(target)

   Bases: :py:obj:`dissect.target.plugins.apps.webserver.webserver.WebserverPlugin`

   IIS 7 (and above) logs plugin.

   .. rubric:: References

   - https://docs.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/introduction-to-applicationhostconfig
   - https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807%28v=vs.90%29

   .. py:attribute:: APPLICATION_HOST_CONFIG
      :value: 'sysvol/windows/system32/inetsrv/config/applicationHost.config'


   .. py:attribute:: DEFAULT_LOG_PATHS
      :value: ['sysvol\\Windows\\System32\\LogFiles\\W3SVC*\\*.log',...


   .. py:attribute:: __namespace__
      :value: 'iis'

      Defines the plugin namespace.


   .. py:attribute:: config


   .. py:attribute:: log_dirs
      :value: []


   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.


   .. py:method:: get_log_dirs() -> list[tuple[str, pathlib.Path]]


   .. py:method:: iter_log_format_path_pairs() -> list[tuple[str, str]]


   .. py:method:: parse_autodetect_format_log(path: pathlib.Path) -> Iterator[BasicRecordDescriptor]


   .. py:method:: parse_iis_format_log(path: pathlib.Path) -> Iterator[BasicRecordDescriptor]

      Parse log file in IIS format and stream log records.

      This format is not the default IIS log format.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807%28v=vs.90%29#iis-log-file-format
      - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc728311%28v=ws.10%29
      - https://learn.microsoft.com/en-us/iis/configuration/system.applicationHost/sites/site/logFile


   .. py:method:: parse_w3c_format_log(path: pathlib.Path) -> Iterator[dissect.target.helpers.record.TargetRecordDescriptor]

      Parse log file in W3C format and stream log records.

      This is the default logging format for IIS [^3].

      .. rubric:: References

      - https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807%28v=vs.90%29#w3c-extended-log-file-format
      - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786596%28v=ws.10%29
      - https://learn.microsoft.com/en-us/iis/configuration/system.applicationHost/sites/site/logFile


   .. py:method:: logs() -> Iterator[dissect.target.helpers.record.TargetRecordDescriptor]

      Return contents of IIS (v7 and above) log files.

      Internet Information Services (IIS) for Windows Server is a manageable web server for hosting anything on the web.
      Log files might, for example, contain traces that indicate that the web server has been exploited.

      Supported log formats: IIS, W3C.


   .. py:method:: access() -> Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]

      Return contents of IIS (v7 and above) log files in unified WebserverAccessLogRecord format.

      See function ``iis.logs`` for more information and more verbose IIS records.


.. py:function:: replace_dash_with_none(data: dict) -> dict

   Replace "-" placeholder in dict values with None


.. py:function:: normalise_field_name(field: str) -> str

   Replace all characters that are not allowed in the field name by flow.record with ``_``,
   and strip all hanging ``_`` from start / end of the string.
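
The following is an added example, not code from dissect.target: a minimal W3C extended log reader that applies the field-name normalisation and ``-`` handling described for ``normalise_field_name`` and ``replace_dash_with_none``, and copes with a ``#Fields`` directive that changes mid-file. The regular expression, the helper ``parse_w3c_lines`` and the sample log are assumptions constructed for illustration; the page does not show the value of ``FIELD_NAME_INVALID_CHARS_RE``.

```python
import re
from typing import Iterable, Iterator, Optional

# Assumed pattern: the page does not show FIELD_NAME_INVALID_CHARS_RE's value.
INVALID_CHARS_RE = re.compile(r"[^a-zA-Z0-9]")

# Constructed sample log: the #Fields directive changes mid-file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2024-01-01 10:00:00 192.0.2.10 GET /index.html - 200 Mozilla/5.0+(constructed)
2024-01-01 10:00:05 192.0.2.11 POST /upload.aspx id=1 500 -
#Fields: date time c-ip cs-uri-stem sc-status
2024-01-01 11:00:00 192.0.2.12 /login.aspx 401
2024-01-01 11:00:01 truncated-line
"""


def normalise_field_name(field: str) -> str:
    """Replace characters outside the assumed allowed set with _, strip hanging _."""
    return INVALID_CHARS_RE.sub("_", field).strip("_")


def replace_dash_with_none(data: dict) -> dict:
    """Replace the "-" placeholder in dict values with None."""
    return {k: (None if v == "-" else v) for k, v in data.items()}


def parse_w3c_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per entry, following the most recent #Fields directive."""
    fields: Optional[list] = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = line[len("#Fields:"):].split()
                fields = [normalise_field_name(name) for name in names]
            continue
        values = line.split(" ")
        # Skip entries seen before any #Fields line or with a column mismatch.
        if fields is None or len(values) != len(fields):
            continue
        yield replace_dash_with_none(dict(zip(fields, values)))


def parse_sample() -> list:
    """Parse the constructed sample and return its records as a list."""
    return list(parse_w3c_lines(SAMPLE_LOG.splitlines()))
```

During an investigation, count the lines this sketch drops for a column mismatch rather than ignoring them, since truncated or edited entries end up there.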