`dissect.target.plugins.apps.webserver.iis`¶

Module Contents¶

Classes¶

IISLogsPlugin

IIS 7 (and above) logs plugin.

Functions¶

`parse_autodetect_format_log`
`parse_w3c_format_log`	Parse log file in W3C format and yield log records.
`parse_iis_format_log`	Parse log file in IIS format and stream log records.
`parse_iis_datetime`
`replace_dash_with_none`	Replace `-` placeholder in dictionary values with `None`.
`normalise_field_name`	Replace all character that are not allowed in the field name by flow.record

Attributes¶

`LOG_RECORD_NAME`
`BASIC_RECORD_FIELDS`
`BasicRecordDescriptor`
`FIELD_NAME_INVALID_CHARS_RE`

dissect.target.plugins.apps.webserver.iis.LOG_RECORD_NAME = 'filesystem/windows/iis/logs'¶

dissect.target.plugins.apps.webserver.iis.BASIC_RECORD_FIELDS = [('datetime', 'ts'), ('net.ipaddress', 'client_ip'), ('net.ipaddress', 'server_ip'), ('string',...¶

dissect.target.plugins.apps.webserver.iis.BasicRecordDescriptor¶

dissect.target.plugins.apps.webserver.iis.FIELD_NAME_INVALID_CHARS_RE¶

class dissect.target.plugins.apps.webserver.iis.IISLogsPlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugins.apps.webserver.webserver.WebserverPlugin

IIS 7 (and above) logs plugin.

References

APPLICATION_HOST_CONFIG = '%windir%/system32/inetsrv/config/applicationHost.config'¶

DEFAULT_LOG_PATHS = ('%windir%\\System32\\LogFiles\\W3SVC*\\*.log',...¶

__namespace__ = 'iis'¶: Defines the plugin namespace.

config¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

property log_dirs: dict[str, set[pathlib.Path]]¶

logs() → collections.abc.Iterator[dissect.target.helpers.record.TargetRecordDescriptor]¶

Return contents of IIS (v7 and above) log files.

Internet Information Services (IIS) for Windows Server is a manageable web server for hosting anything on the web. Logs files might, for example, contain traces that indicate that the web server has been exploited.

Supported log formats: IIS, W3C.

access() → collections.abc.Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]¶

Return contents of IIS (v7 and above) log files in unified WebserverAccessLogRecord format.

See function iis.logs for more information and more verbose IIS records.

dissect.target.plugins.apps.webserver.iis.parse_autodetect_format_log(target: dissect.target.target.Target, path: pathlib.Path) → collections.abc.Iterator[BasicRecordDescriptor]¶

dissect.target.plugins.apps.webserver.iis.parse_w3c_format_log(target: dissect.target.target.Target, path: pathlib.Path) → collections.abc.Iterator[dissect.target.helpers.record.TargetRecordDescriptor]¶

Parse log file in W3C format and yield log records.

This is the default logging format for IIS [^3].

References

dissect.target.plugins.apps.webserver.iis.parse_iis_format_log(target: dissect.target.target.Target, path: pathlib.Path) → collections.abc.Iterator[BasicRecordDescriptor]¶

Parse log file in IIS format and stream log records.

This format is not the default IIS log format.

References

dissect.target.plugins.apps.webserver.iis.parse_iis_datetime(date_str: str, time_str: str, tzinfo: datetime.timezone) → datetime.datetime¶

dissect.target.plugins.apps.webserver.iis.replace_dash_with_none(data: dict) → dict¶: Replace - placeholder in dictionary values with None.

dissect.target.plugins.apps.webserver.iis.normalise_field_name(field: str) → str¶: Replace all character that are not allowed in the field name by flow.record with _, and strip all hanging _ from start / end of the string.

dissect.target.plugins.apps.webserver.iis¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.plugins.apps.webserver.iis`¶