dissect.target.plugins.apps.webserver.nginx

Module Contents

Classes

NginxPlugin

NGINX webserver plugin.

Functions

parse_json_line

Attempt to parse a default NGINX JSON log line.

Attributes

RE_ACCESS_LOG
RE_ERROR_LOG
RE_ACCESS_LOG_DIRECTIVE
RE_ERROR_LOG_DIRECTIVE
RE_INCLUDE_DIRECTIVE

dissect.target.plugins.apps.webserver.nginx.RE_ACCESS_LOG

dissect.target.plugins.apps.webserver.nginx.RE_ERROR_LOG

dissect.target.plugins.apps.webserver.nginx.RE_ACCESS_LOG_DIRECTIVE

dissect.target.plugins.apps.webserver.nginx.RE_ERROR_LOG_DIRECTIVE

dissect.target.plugins.apps.webserver.nginx.RE_INCLUDE_DIRECTIVE

class dissect.target.plugins.apps.webserver.nginx.NginxPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.apps.webserver.webserver.WebserverPlugin

NGINX webserver plugin.

__namespace__ = 'nginx'

Defines the plugin namespace.

DEFAULT_LOG_DIRS = ('/var/log/nginx', '/var/log')

ACCESS_LOG_NAMES = ('access.log',)

ERROR_LOG_NAMES = ('error.log',)

DEFAULT_CONFIG_PATHS = ('/etc/nginx/nginx.conf', '/etc/nginx/sites-available/*.conf', '/etc/nginx/sites-enabled/*.conf')

access_paths

error_paths

host_paths

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

find_logs() → None

parse_config(path: pathlib.Path, seen: set[pathlib.Path] | None = None) → None

Parse the given NGINX .conf file for access_log, error_log and include directives.

access() → collections.abc.Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]

Return contents of NGINX access log files in unified WebserverAccessLogRecord format.

References

• https://docs.nginx.com/nginx/admin-guide/monitoring/logging/#access_log

• http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format

error() → collections.abc.Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverErrorLogRecord]

Return contents of NGINX error log files in unified WebserverErrorLogRecord format.

References

• https://nginx.org/en/docs/ngx_core_module.html#error_log

• https://github.com/nginx/nginx/blob/master/src/core/ngx_log.c

hosts() → collections.abc.Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverHostRecord]

Return found server directives in the NGINX configuration.

References

• https://nginx.org/en/docs/http/ngx_http_core_module.html#server

dissect.target.plugins.apps.webserver.nginx.parse_json_line(line: str) → dict[str, str] | None

Attempt to parse a default NGINX JSON log line.

We assume the custom log_format uses the following default NGINX field names:

time_local, time, remote_addr, remote_ip, remote_user, request_method, request,
response, status, body_bytes_sent, request_time, http_referrer, referrer,
http_user_agent, agent

Unfortunately NGINX has no official default naming convention for JSON access logs, users can configure the JSON log_format as they see fit.

References

• https://nginx.org/en/docs/http/ngx_http_log_module.html

• https://github.com/elastic/examples/blob/master/Common%20Data%20Formats/nginx_json_logs/README.md