:py:mod:`dissect.target.plugins.apps.webserver.apache`
======================================================

.. py:module:: dissect.target.plugins.apps.webserver.apache


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.webserver.apache.LogFormat
   dissect.target.plugins.apps.webserver.apache.ApachePlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.apps.webserver.apache.apache_response_time_to_ms


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.webserver.apache.RE_CONFIG_CUSTOM_LOG_DIRECTIVE
   dissect.target.plugins.apps.webserver.apache.RE_CONFIG_ERRORLOG_DIRECTIVE
   dissect.target.plugins.apps.webserver.apache.RE_REMOTE_PATTERN
   dissect.target.plugins.apps.webserver.apache.RE_REFERER_USER_AGENT_PATTERN
   dissect.target.plugins.apps.webserver.apache.RE_RESPONSE_TIME_PATTERN
   dissect.target.plugins.apps.webserver.apache.RE_ACCESS_COMMON_PATTERN
   dissect.target.plugins.apps.webserver.apache.RE_ERROR_COMMON_PATTERN
   dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ACCESS_COMMON
   dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ACCESS_VHOST_COMBINED
   dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ACCESS_COMBINED
   dissect.target.plugins.apps.webserver.apache.LOG_FORMAT_ERROR_COMMON


.. py:class:: LogFormat

   Bases: :py:obj:`NamedTuple`

   .. py:attribute:: name
      :type: str

   .. py:attribute:: pattern
      :type: re.Pattern


.. py:data:: RE_CONFIG_CUSTOM_LOG_DIRECTIVE

.. py:data:: RE_CONFIG_ERRORLOG_DIRECTIVE

.. py:data:: RE_REMOTE_PATTERN
   :value: Multiline-String

   .. code-block:: python

      """
      (?P.*?)                 # Client IP address of the request.
      \s
      (?P.*?)                 # Remote logname (from identd, if supplied).
      \s
      (?P.*?)                 # Remote user if the request was authenticated.
      """

.. py:data:: RE_REFERER_USER_AGENT_PATTERN
   :value: Multiline-String

   .. code-block:: python

      """
      "(?P.*?)"               # Value of the 'Referer' HTTP Header.
      \s
      "(?P.*?)"               # Value of the 'User-Agent' HTTP Header.
      """

.. py:data:: RE_RESPONSE_TIME_PATTERN
   :value: Multiline-String

   .. code-block:: python

      """
      (
          "
          Time:\s
          (?P.*?)             # Time taken to serve the response, including a unit of measurement.
          "
      )
      """

.. py:data:: RE_ACCESS_COMMON_PATTERN
   :value: Multiline-String

   .. code-block:: python

      """
      \[(?P[^\]]*)\]          # Timestamp including milliseconds.
      \s
      (\[(?P[0-9]+)\]\s)?     # The process ID of the child that serviced the request (optional).
      "
      (?P.*?)                 # The HTTP Method used for the request.
      \s
      (?P.*?)                 # The HTTP URI of the request.
      \s
      ?(?PHTTP\/.*?)?         # The request protocol.
      "
      \s
      (?P\d{3})               # The HTTP Status Code of the response.
      \s
      (?P-|\d+)               # Bytes sent, including headers.
      """

.. py:data:: RE_ERROR_COMMON_PATTERN
   :value: Multiline-String

   .. code-block:: python

      """
      \[
          (?P[^\]]*)          # Timestamp including milliseconds.
      \]
      \s
      \[
          (?P[^:]*)           # Name of the module logging the message.
          \:
          (?P[^]]*)           # Loglevel of the message.
      \]
      \s
      \[
          pid\s(?P\d*)        # Process ID of current process.
          (\:tid\s(?P\d*))?   # Thread ID of current thread (optional).
      \]
      \s
      ((?P[^\:]*)\:\s)?       # Source file name and line number of the log call (optional).
      (
          \[
              client\s(?P[^]]+)   # Client IP address and port of the request (optional).
          \]\s
      )?
      ((?P\w+)\:\s)?          # APR/OS error status code and string (optional).
      (?P.*)                  # The actual log message.
      """

.. py:data:: LOG_FORMAT_ACCESS_COMMON

.. py:data:: LOG_FORMAT_ACCESS_VHOST_COMBINED

.. py:data:: LOG_FORMAT_ACCESS_COMBINED

.. py:data:: LOG_FORMAT_ERROR_COMMON

.. py:function:: apache_response_time_to_ms(time_str: str) -> int

   Convert a string containing amount and measurement (e.g. '10000 microsecs') to milliseconds.


.. py:class:: ApachePlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugins.apps.webserver.webserver.WebserverPlugin`

   Apache log parsing plugin.

   Apache has three default access log formats, all of which this plugin can parse automatically. These are::

       LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
       LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
       LogFormat "%h %l %u %t \"%r\" %>s %O" common

   For the definitions of each format string, see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

   By default, Apache error logs use the following format::

       ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

   .. py:attribute:: __namespace__
      :value: 'apache'

   .. py:attribute:: DEFAULT_LOG_DIRS
      :value: ['/var/log/apache2', '/var/log/apache', '/var/log/httpd', '/var/log',...

   .. py:attribute:: ACCESS_LOG_NAMES
      :value: ['access.log', 'access_log', 'httpd-access.log']

   .. py:attribute:: ERROR_LOG_NAMES
      :value: ['error.log']

   .. py:attribute:: DEFAULT_CONFIG_PATHS
      :value: ['/etc/apache2/apache2.conf', '/usr/local/etc/apache22/httpd.conf',...

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: get_log_paths() -> tuple[list[pathlib.Path], list[pathlib.Path]]

      Discover any present Apache log paths on the target system.

      .. rubric:: References

      - https://www.cyberciti.biz/faq/apache-logs/
      - https://unix.stackexchange.com/a/269090

   .. py:method:: access() -> Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]

      Return contents of Apache access log files in unified ``WebserverAccessLogRecord`` format.

   .. py:method:: error() -> Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverErrorLogRecord]

      Return contents of Apache error log files in unified ``WebserverErrorLogRecord`` format.

   .. py:method:: infer_access_log_format(line: str) -> Optional[LogFormat]
      :staticmethod:

      Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.

      Three default log type examples from Apache (note that the IPv4 address could also be an IPv6 address):

      Combined::

          1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

      Common::

          1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312

      vhost_combined::

          example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
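
The format inference described for ``infer_access_log_format``, as an added example that is not the plugin's own code: the patterns, group names and the ``infer_format`` helper are assumptions written for this illustration, and the sample lines are constructed from the examples above. It goes slightly beyond the page by accepting Apache's backslash-escaped quotes inside quoted fields, so a client-supplied User-Agent cannot shift the field boundaries during log triage.

```python
import re
from typing import Optional


def quoted(name: str) -> str:
    # Apache writes an embedded double quote as \" so accept backslash escapes.
    return rf'"(?P<{name}>(?:[^"\\]|\\.)*)"'


# Patterns and group names are assumptions for this example, not the plugin's RE_* values.
CORE = (
    r"(?P<remote_ip>\S+) (?P<logname>\S+) (?P<user>\S+) "
    r"\[(?P<ts>[^\]]*)\] " + quoted("request") +
    r" (?P<status>\d{3}) (?P<bytes_sent>-|\d+)"
)
TAIL = " " + quoted("referer") + " " + quoted("useragent")
VHOST = r"(?P<vhost>[^\s:]+):(?P<port>\d+) "

FORMATS = [
    ("vhost_combined", re.compile(VHOST + CORE + TAIL)),
    ("combined", re.compile(CORE + TAIL)),
    ("common", re.compile(CORE)),
]


def infer_format(line: str) -> Optional[tuple[str, dict]]:
    """Return (format name, parsed fields), or None for an unknown layout."""
    for name, pattern in FORMATS:
        # fullmatch stops a shorter format from matching a prefix of a longer line.
        match = pattern.fullmatch(line.strip())
        if match:
            return name, match.groupdict()
    return None


# Constructed sample lines (user agents shortened; the last two are edge cases).
SAMPLES = [
    r'1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0"',
    r'1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312',
    r'example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    r'2001:db8::1 - - [19/Dec/2022:17:26:01 +0100] "GET /a HTTP/1.1" 200 5 "-" "x\" 200 1 \"y"',
    "not an access log line",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = infer_format(sample)
        print(result[0] if result else None, "<-", sample[:60])
```

The fourth sample carries an IPv6 client and a User-Agent with escaped quotes that imitates a status and size field; the status and byte count still come from the real fields.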