dissect.target 3.15.dev23__py3-none-any.whl → 3.15.dev25__py3-none-any.whl

dissect/target/plugin.py

@@ -951,6 +951,10 @@ class NamespacePlugin(Plugin):
         # the direct subclass of NamespacePlugin
         cls.__nsplugin__.SUBPLUGINS.add(cls.__namespace__)
 
+        # Generate a tuple of class names for which we do not want to add subplugin functions, which is the
+        # namespaceplugin and all of its superclasses (minus the base object).
+        reserved_cls_names = tuple({_class.__name__ for _class in cls.__nsplugin__.mro() if _class is not object})
+
         # Collect the public attrs of the subplugin
         for subplugin_func_name in cls.__exports__:
             subplugin_func = inspect.getattr_static(cls, subplugin_func_name)
@@ -963,12 +967,15 @@ class NamespacePlugin(Plugin):
             if getattr(subplugin_func, "__output__", None) != "record":
                 continue
 
-            # The method needs to be part of the current subclass and not a parent
-            if not subplugin_func.__qualname__.startswith(cls.__name__):
+            # The method may not be part of a parent class.
+            if subplugin_func.__qualname__.startswith(reserved_cls_names):
                 continue
 
             # If we already have an aggregate method, skip
             if existing_aggregator := getattr(cls.__nsplugin__, subplugin_func_name, None):
+                if not hasattr(existing_aggregator, "__subplugins__"):
+                    # This is not an aggregator, but a re-implementation of a subclass function by the subplugin.
+                    continue
                 existing_aggregator.__subplugins__.append(cls.__namespace__)
                 continue
 
@@ -978,10 +985,12 @@ class NamespacePlugin(Plugin):
                     for entry in aggregator.__subplugins__:
                         try:
                             subplugin = getattr(self.target, entry)
-                            for item in getattr(subplugin, method_name)():
-                                yield item
-                        except Exception:
+                            yield from getattr(subplugin, method_name)()
+                        except UnsupportedPluginError:
                             continue
+                        except Exception as e:
+                            self.target.log.error("Subplugin: %s raised an exception for: %s", entry, method_name)
+                            self.target.log.debug("Exception: %s", e, exc_info=e)
 
                 # Holds the subplugins that share this method
                 aggregator.__subplugins__ = []

dissect/target/plugins/apps/webserver/apache.py

@@ -1,74 +1,196 @@
-import enum
 import itertools
 import re
 from datetime import datetime
 from pathlib import Path
-from typing import Iterator, Optional
+from typing import Iterator, NamedTuple, Optional
 
 from dissect.target import plugin
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.fsutil import open_decompress
-from dissect.target.plugins.apps.webserver.webserver import WebserverAccessLogRecord
+from dissect.target.plugins.apps.webserver.webserver import (
+    WebserverAccessLogRecord,
+    WebserverErrorLogRecord,
+    WebserverPlugin,
+)
 from dissect.target.target import Target
 
-COMMON_REGEX = r'(?P<remote_ip>.*?) (?P<remote_logname>.*?) (?P<remote_user>.*?) \[(?P<ts>.*)\] "(?P<method>.*?) (?P<uri>.*?) ?(?P<protocol>HTTP\/.*?)?" (?P<status_code>\d{3}) (?P<bytes_sent>-|\d+)'  # noqa: E501
-REFERER_USER_AGENT_REGEX = r'"(?P<referer>.*?)" "(?P<useragent>.*?)"'
 
+class LogFormat(NamedTuple):
+    name: str
+    pattern: re.Pattern
 
-class LogFormat(enum.Enum):
-    VHOST_COMBINED = re.compile(rf"(?P<server_name>.*?):(?P<port>.*) {COMMON_REGEX} {REFERER_USER_AGENT_REGEX}")
-    COMBINED = re.compile(rf"{COMMON_REGEX} {REFERER_USER_AGENT_REGEX}")
-    COMMON = re.compile(COMMON_REGEX)
 
+# e.g. CustomLog "/custom/log/location/access.log" common
+RE_CONFIG_CUSTOM_LOG_DIRECTIVE = re.compile(
+    r"""
+        [\s#]*                          # Optionally prefixed by space(s) or pound sign(s).
+        CustomLog                       # Directive indicating that a custom access log location / format is used.
+        \s
+        "?(?P<location>[^"\s]+)"?       # Location to log to, optionally wrapped in double quotes.
+        \s
+        (?P<logformat>[^$]+)            # Format to use (can be either a format string or a nickname).
+        $
+    """,
+    re.VERBOSE,
+)
 
-def infer_log_format(line: str) -> Optional[LogFormat]:
-    """Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.
+# e.g ErrorLog "/var/log/httpd/error_log"
+RE_CONFIG_ERRORLOG_DIRECTIVE = re.compile(
+    r"""
+        [\s#]*                          # Optionally prefixed by space(s) or pound sign(s).
+        ErrorLog                        # Directive indicating that a custom error log location / format is used.
+        \s
+        "?(?P<location>[^"\s$]+)"?      # Location to log to, optionally wrapped in double quotes.
+        $
+    """,
+    re.VERBOSE,
+)
 
-    Three default log type examples from Apache (note that the ipv4 could also be ipv6)::
-        combined       = '1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0
-                          (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0
-                          Safari/537.36"'
-        common         = '1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312'
-        vhost_combined = 'example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-"
-                          "Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko)
-                          Chrome/108.0.0.0 Safari/537.36"'
-    """
+RE_REMOTE_PATTERN = r"""
+    (?P<remote_ip>.*?)                  # Client IP address of the request.
+    \s
+    (?P<remote_logname>.*?)             # Remote logname (from identd, if supplied).
+    \s
+    (?P<remote_user>.*?)                # Remote user if the request was authenticated.
+"""
 
-    first_part = line.split(" ")[0]
-    if ":" in first_part and "." in first_part:
-        # does not start with IP, hence it must be a vhost typed log
-        return LogFormat.VHOST_COMBINED
-    elif line[-1:] == '"':
-        # ends with a quotation mark, meaning three is a user agent
-        return LogFormat.COMBINED
-    elif line[-1:].isdigit():
-        return LogFormat.COMMON
-    return None
+RE_REFERER_USER_AGENT_PATTERN = r"""
+    "(?P<referer>.*?)"                  # Value of the 'Referer' HTTP Header.
+    \s
+    "(?P<useragent>.*?)"                # Value of the 'User-Agent' HTTP Header.
+"""
 
+RE_RESPONSE_TIME_PATTERN = r"""
+(
+    "
+    Time:\s
+    (?P<response_time>.*?)              # Time taken to serve the response, including a unit of measurement.
+    "
+)
+"""
 
-class ApachePlugin(plugin.Plugin):
+RE_ACCESS_COMMON_PATTERN = r"""
+    \[(?P<ts>[^\]]*)\]                  # Timestamp including milliseconds.
+    \s
+    (\[(?P<pid>[0-9]+)\]\s)?            # The process ID of the child that serviced the request (optional).
+    "
+    (?P<method>.*?)                     # The HTTP Method used for the request.
+    \s
+    (?P<uri>.*?)                        # The HTTP URI of the request.
+    \s
+    ?(?P<protocol>HTTP\/.*?)?           # The request protocol.
+    "
+    \s
+    (?P<status_code>\d{3})              # The HTTP Status Code of the response.
+    \s
+    (?P<bytes_sent>-|\d+)               # Bytes sent, including headers.
+"""
+
+RE_ERROR_COMMON_PATTERN = r"""
+    \[
+        (?P<ts>[^\]]*)                  # Timestamp including milliseconds.
+    \]
+    \s
+    \[
+        (?P<module>[^:]*)               # Name of the module logging the message.
+        \:
+        (?P<level>[^]]*)                # Loglevel of the message.
+    \]
+    \s
+    \[
+        pid\s(?P<pid>\d*)               # Process ID of current process.
+        (\:tid\s(?P<tid>\d*))?          # Thread ID of current thread (optional).
+    \]
+    \s
+    ((?P<error_source>[^\:]*)\:\s)?     # Source file name and line number of the log call (optional).
+    (
+        \[
+            client\s(?P<client>[^]]+)   # Client IP address and port of the request (optional).
+        \]\s
+    )?
+    ((?P<error_code>\w+)\:\s)?          # APR/OS error status code and string (optional).
+    (?P<message>.*)                     # The actual log message.
+"""
+
+LOG_FORMAT_ACCESS_COMMON = LogFormat(
+    "common",
+    re.compile(
+        rf"{RE_REMOTE_PATTERN}\s{RE_ACCESS_COMMON_PATTERN}",
+        re.VERBOSE,
+    ),
+)
+LOG_FORMAT_ACCESS_VHOST_COMBINED = LogFormat(
+    "vhost_combined",
+    re.compile(
+        rf"""
+        (?P<server_name>.*?):(?P<port>.*)
+        \s
+        {RE_REMOTE_PATTERN}
+        \s
+        {RE_ACCESS_COMMON_PATTERN}
+        \s
+        {RE_REFERER_USER_AGENT_PATTERN}
+        """,
+        re.VERBOSE,
+    ),
+)
+LOG_FORMAT_ACCESS_COMBINED = LogFormat(
+    "combined",
+    re.compile(
+        rf"{RE_REMOTE_PATTERN}\s{RE_ACCESS_COMMON_PATTERN}\s{RE_REFERER_USER_AGENT_PATTERN}",
+        re.VERBOSE,
+    ),
+)
+LOG_FORMAT_ERROR_COMMON = LogFormat("error", re.compile(RE_ERROR_COMMON_PATTERN, re.VERBOSE))
+
+
+def apache_response_time_to_ms(time_str: str) -> int:
+    """Convert a string containing amount and measurement (e.g. '10000 microsecs') to milliseconds."""
+    amount, _, measurement = time_str.partition(" ")
+    amount = int(amount)
+    if measurement == "microsecs":
+        return amount // 1000
+    raise ValueError(f"Could not parse {time_str}")
+
+
+class ApachePlugin(WebserverPlugin):
     """Apache log parsing plugin.
 
-    Apache has three default log formats, which this plugin can all parse automatically. These are::
+    Apache has three default access log formats, which this plugin can all parse automatically. These are::
+
         LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
         LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
-        LogFormat "%h %l %u %t \"%r\" %>s %O" common
+        LogFormat "%h %l %u %t \"%r\" %>s %O"`` common
 
     For the definitions of each format string, see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
-    """
+
+    For Apache, the error logs by default follow the following format::
+
+        ErrorLogFormat ``"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"``
+    """  # noqa: E501, W605
 
     __namespace__ = "apache"
 
+    DEFAULT_LOG_DIRS = ["/var/log/apache2", "/var/log/apache", "/var/log/httpd", "/var/log"]
+    ACCESS_LOG_NAMES = ["access.log", "access_log", "httpd-access.log"]
+    ERROR_LOG_NAMES = ["error.log"]
+    DEFAULT_CONFIG_PATHS = [
+        "/etc/apache2/apache2.conf",
+        "/usr/local/etc/apache22/httpd.conf",
+        "/etc/httpd/conf/httpd.conf",
+        "/etc/httpd.conf",
+    ]
+
     def __init__(self, target: Target):
         super().__init__(target)
-        self.log_paths = self.get_log_paths()
+        self.access_log_paths, self.error_log_paths = self.get_log_paths()
 
     def check_compatible(self) -> None:
-        if not len(self.log_paths):
+        if not len(self.access_log_paths) and not len(self.error_log_paths):
             raise UnsupportedPluginError("No Apache directories found")
 
     @plugin.internal
-    def get_log_paths(self) -> list[Path]:
+    def get_log_paths(self) -> tuple[list[Path], list[Path]]:
         """
         Discover any present Apache log paths on the target system.
 
@@ -77,83 +199,175 @@ class ApachePlugin(plugin.Plugin):
             - https://unix.stackexchange.com/a/269090
         """
 
-        log_paths = []
+        access_log_paths = set()
+        error_log_paths = set()
 
         # Check if any well known default Apache log locations exist
-        default_log_dirs = ["/var/log/apache2", "/var/log/apache", "/var/log/httpd", "/var/log"]
-        default_log_names = ["access.log", "access_log", "httpd-access.log"]
-        for log_dir, log_name in itertools.product(default_log_dirs, default_log_names):
-            log_paths.extend(self.target.fs.path(log_dir).glob(log_name + "*"))
-
-        # Check default Apache configs for their CustomLog directive
-        default_config_paths = [
-            "/etc/apache2/apache2.conf",
-            "/usr/local/etc/apache22/httpd.conf",
-            "/etc/httpd/conf/httpd.conf",
-        ]
-
-        for config in default_config_paths:
+        for log_dir, log_name in itertools.product(self.DEFAULT_LOG_DIRS, self.ACCESS_LOG_NAMES):
+            access_log_paths.update(self.target.fs.path(log_dir).glob(f"{log_name}*"))
+
+        for log_dir, log_name in itertools.product(self.DEFAULT_LOG_DIRS, self.ERROR_LOG_NAMES):
+            error_log_paths.update(self.target.fs.path(log_dir).glob(f"{log_name}*"))
+
+        # Check default Apache configs for CustomLog or ErrorLog directives
+        for config in self.DEFAULT_CONFIG_PATHS:
             if (path := self.target.fs.path(config)).exists():
                 for line in path.open("rt"):
                     line = line.strip()
 
-                    if not line or "CustomLog" not in line:
+                    if not line or ("CustomLog" not in line and "ErrorLog" not in line):
                         continue
 
-                    try:
-                        # CustomLog "/custom/log/location/access.log" common
-                        log_path = line.split("CustomLog")[1].strip().split(" ")[0].replace('"', "")
-                        custom_log = self.target.fs.path(log_path)
-                        log_paths.extend(
-                            path for path in custom_log.parent.glob(f"{custom_log.name}*") if path not in log_paths
-                        )
-                    except IndexError:
+                    if "ErrorLog" in line:
+                        set_to_update = error_log_paths
+                        pattern_to_use = RE_CONFIG_ERRORLOG_DIRECTIVE
+                    else:
+                        set_to_update = access_log_paths
+                        pattern_to_use = RE_CONFIG_CUSTOM_LOG_DIRECTIVE
+
+                    match = pattern_to_use.match(line)
+                    if not match:
                         self.target.log.warning("Unexpected Apache log configuration: %s (%s)", line, path)
+                        continue
+
+                    directive = match.groupdict()
+                    custom_log = self.target.fs.path(directive["location"])
+                    set_to_update.update(path for path in custom_log.parent.glob(f"{custom_log.name}*"))
 
-        return log_paths
+        return sorted(access_log_paths), sorted(error_log_paths)
 
     @plugin.export(record=WebserverAccessLogRecord)
     def access(self) -> Iterator[WebserverAccessLogRecord]:
-        """Return contents of Apache access log files in unified WebserverAccessLogRecord format."""
-        for path in self.log_paths:
+        """Return contents of Apache access log files in unified ``WebserverAccessLogRecord`` format."""
+        for line, path in self._iterate_log_lines(self.access_log_paths):
+            try:
+                logformat = self.infer_access_log_format(line)
+                if not logformat:
+                    self.target.log.warning("Apache log format could not be inferred for log line: %s (%s)", line, path)
+                    continue
+
+                match = logformat.pattern.match(line)
+                if not match:
+                    self.target.log.warning(
+                        "Could not match Apache log format %s for log line: %s (%s)", logformat.name, line, path
+                    )
+                    continue
+
+                log = match.groupdict()
+                if response_time := log.get("response_time"):
+                    response_time = apache_response_time_to_ms(response_time)
+
+                yield WebserverAccessLogRecord(
+                    ts=datetime.strptime(log["ts"], "%d/%b/%Y:%H:%M:%S %z"),
+                    remote_user=log["remote_user"],
+                    remote_ip=log["remote_ip"],
+                    local_ip=log.get("local_ip"),
+                    method=log["method"],
+                    uri=log["uri"],
+                    protocol=log["protocol"],
+                    status_code=log["status_code"],
+                    bytes_sent=log["bytes_sent"].strip("-") or 0,
+                    pid=log.get("pid"),
+                    referer=log.get("referer"),
+                    useragent=log.get("useragent"),
+                    response_time_ms=response_time,
+                    source=path,
+                    _target=self.target,
+                )
+
+            except Exception as e:
+                self.target.log.warning("An error occured parsing Apache log file %s: %s", path, str(e))
+                self.target.log.debug("", exc_info=e)
+
+    @plugin.export(record=WebserverErrorLogRecord)
+    def error(self) -> Iterator[WebserverErrorLogRecord]:
+        """Return contents of Apache error log files in unified ``WebserverErrorLogRecord`` format."""
+        for line, path in self._iterate_log_lines(self.error_log_paths):
+            try:
+                match = LOG_FORMAT_ERROR_COMMON.pattern.match(line)
+                if not match:
+                    self.target.log.warning("Could not match Apache error log format for log line: %s (%s)", line, path)
+                    continue
+
+                log = match.groupdict()
+                remote_ip = log.get("client")
+                if remote_ip and ":" in remote_ip:
+                    remote_ip, _, port = remote_ip.rpartition(":")
+                error_source = log.get("error_source")
+                error_code = log.get("error_code")
+
+                # Both error_source and error_code follow the same logformat. When both are present, the error source
+                # goes before the client and the error code goes after. However, it is also possible that only the error
+                # code is available, in which case it is situated *after* the client. In such situations our regex match
+                # has assigned the variables wrong, and we need to do a swap.
+                if error_source and error_code is None:
+                    error_source, error_code = error_code, error_source
+
+                # Unlike with access logs, ErrorLogFormat doesn't log the offset to UTC but insteads logs in local time.
+                ts = self.target.datetime.local(datetime.strptime(log["ts"], "%a %b %d %H:%M:%S.%f %Y"))
+
+                yield WebserverErrorLogRecord(
+                    ts=ts,
+                    pid=log.get("pid"),
+                    remote_ip=remote_ip,
+                    module=log["module"],
+                    level=log["level"],
+                    error_source=error_source,
+                    error_code=error_code,
+                    message=log["message"],
+                    source=path,
+                    _target=self.target,
+                )
+
+            except Exception as e:
+                self.target.log.warning("An error occured parsing Apache log file %s: %s", path, str(e))
+                self.target.log.debug("", exc_info=e)
+
+    def _iterate_log_lines(self, paths: list[Path]) -> Iterator[tuple[str, Path]]:
+        """Iterate through a list of paths and yield tuples of loglines and the path of the file where they're from."""
+        for path in paths:
             try:
                 path = path.resolve(strict=True)
                 for line in open_decompress(path, "rt"):
                     line = line.strip()
                     if not line:
                         continue
+                    yield line, path
+            except FileNotFoundError:
+                self.target.log.warning("Apache log file configured but could not be found (dead symlink?): %s", path)
 
-                    fmt = infer_log_format(line)
-                    if not fmt:
-                        self.target.log.warning(
-                            "Apache log format could not be inferred for log line: %s (%s)", line, path
-                        )
-                        continue
+    @staticmethod
+    def infer_access_log_format(line: str) -> Optional[LogFormat]:
+        """Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.
 
-                    match = fmt.value.match(line)
-                    if not match:
-                        self.target.log.warning(
-                            "Could not match Apache log format %s for log line: %s (%s)", fmt, line, path
-                        )
-                        continue
+        Three default log type examples from Apache (note that the ipv4 could also be ipv6)
 
-                    log = match.groupdict()
-                    yield WebserverAccessLogRecord(
-                        ts=datetime.strptime(log["ts"], "%d/%b/%Y:%H:%M:%S %z"),
-                        remote_user=log["remote_user"],
-                        remote_ip=log["remote_ip"],
-                        method=log["method"],
-                        uri=log["uri"],
-                        protocol=log["protocol"],
-                        status_code=log["status_code"],
-                        bytes_sent=log["bytes_sent"].strip("-") or 0,
-                        referer=log.get("referer"),
-                        useragent=log.get("useragent"),
-                        source=path,
-                        _target=self.target,
-                    )
-            except FileNotFoundError:
-                self.target.log.warning("Apache log file configured but could not be found (dead symlink?): %s", path)
-            except Exception as e:
-                self.target.log.warning("An error occured parsing Apache log file %s: %s", path, str(e))
-                self.target.log.debug("", exc_info=e)
+
+        Combined::
+
+            1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0
+                        (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0
+                        Safari/537.36\"
+
+        Common::
+
+            1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312
+
+        vhost_combined::
+
+            example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-"
+            "Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko)
+            Chrome/108.0.0.0 Safari/537.36\"
+        """
+        parts = line.split()
+        first_part = parts[0]
+        if ":" in first_part and "." in first_part:
+            # does not start with IP, hence it must be a vhost typed log
+            return LOG_FORMAT_ACCESS_VHOST_COMBINED
+        elif line[-1] == '"':
+            # ends with a quotation mark but does not contain a response time, meaning there is only a user agent
+            return LOG_FORMAT_ACCESS_COMBINED
+        elif line[-1].isdigit():
+            return LOG_FORMAT_ACCESS_COMMON
+
+        return None

dissect/target/plugins/apps/webserver/caddy.py

@@ -9,7 +9,10 @@ from dissect.util.ts import from_unix
 from dissect.target import plugin
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.fsutil import basename, open_decompress
-from dissect.target.plugins.apps.webserver.webserver import WebserverAccessLogRecord
+from dissect.target.plugins.apps.webserver.webserver import (
+    WebserverAccessLogRecord,
+    WebserverPlugin,
+)
 from dissect.target.target import Target
 
 LOG_FILE_REGEX = re.compile(r"(log|output file) (?P<log_file>.*)( \{)?$")
@@ -18,7 +21,7 @@ LOG_REGEX = re.compile(
 )
 
 
-class CaddyPlugin(plugin.Plugin):
+class CaddyPlugin(WebserverPlugin):
     __namespace__ = "caddy"
 
     def __init__(self, target: Target):

dissect/target/plugins/apps/webserver/citrix.py

@@ -0,0 +1,82 @@
+import re
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import OperatingSystem
+from dissect.target.plugins.apps.webserver.apache import (
+    RE_ACCESS_COMMON_PATTERN,
+    RE_REFERER_USER_AGENT_PATTERN,
+    RE_REMOTE_PATTERN,
+    RE_RESPONSE_TIME_PATTERN,
+    ApachePlugin,
+    LogFormat,
+)
+
+LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME = LogFormat(
+    "combined_resptime",
+    re.compile(
+        rf"""
+        {RE_REMOTE_PATTERN}                  # remote_ip, remote_logname, remote_user
+        \s
+        {RE_ACCESS_COMMON_PATTERN}           # Timestamp, pid, method, uri, protocol, status code, bytes_sent
+        \s
+        {RE_REFERER_USER_AGENT_PATTERN}      # Referer, user_agent
+        \s
+        {RE_RESPONSE_TIME_PATTERN}           # Response time
+        """,
+        re.VERBOSE,
+    ),
+)
+
+LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME_WITH_HEADERS = LogFormat(
+    "combined_resptime_with_citrix_hdrs",
+    re.compile(
+        rf"""
+        (?P<remote_ip>.*?)              # Client IP address of the request.
+        \s
+        ->
+        \s
+        (?P<local_ip>.*?)               # Local IP of the Netscaler.
+        \s
+        (?P<remote_logname>.*?)         # Remote logname (from identd, if supplied).
+        \s
+        (?P<remote_user>.*?)            # Remote user if the request was authenticated.
+        \s
+        {RE_ACCESS_COMMON_PATTERN}      # Timestamp, pid, method, uri, protocol, status code, bytes_sent
+        \s
+        {RE_REFERER_USER_AGENT_PATTERN} # Referer, user_agent
+        \s
+        {RE_RESPONSE_TIME_PATTERN}      # Response time
+        """,
+        re.VERBOSE,
+    ),
+)
+
+
+class CitrixWebserverPlugin(ApachePlugin):
+    """Apache log parsing plugin for Citrix specific logs.
+
+    Citrix uses Apache with custom access log formats. These are::
+
+        LogFormat "%{Citrix-ns-orig-srcip}i -> %{Citrix-ns-orig-destip}i %l %u %t [%P] \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"Time: %D microsecs\"" combined_resptime_with_citrix_hdrs
+        LogFormat "%a %l %u %t [%P] \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"Time: %D microsecs\"" combined_resptime
+    """  # noqa: E501, W605
+
+    __namespace__ = "citrix"
+
+    ACCESS_LOG_NAMES = ApachePlugin.ACCESS_LOG_NAMES + ["httpaccess.log", "httpaccess-vpn.log"]
+    ERROR_LOG_NAMES = ApachePlugin.ERROR_LOG_NAMES + ["httperror.log", "httperror-vpn.log"]
+
+    def check_compatible(self) -> None:
+        if not self.target.os == OperatingSystem.CITRIX:
+            raise UnsupportedPluginError("Target is not a Citrix Netscaler")
+
+    @staticmethod
+    def infer_access_log_format(line: str) -> LogFormat:
+        splitted_line = line.split()
+        second_part = splitted_line[1]
+        if second_part == "->":
+            return LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME_WITH_HEADERS
+        if "Time: " in line:
+            return LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME
+
+        return ApachePlugin.infer_access_log_format(line)

dissect/target/plugins/apps/webserver/iis.py

@@ -11,7 +11,10 @@ from dissect.target import plugin
 from dissect.target.exceptions import FileNotFoundError as DissectFileNotFoundError
 from dissect.target.exceptions import PluginError, UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugins.apps.webserver.webserver import WebserverAccessLogRecord
+from dissect.target.plugins.apps.webserver.webserver import (
+    WebserverAccessLogRecord,
+    WebserverPlugin,
+)
 
 LOG_RECORD_NAME = "filesystem/windows/iis/logs"
 
@@ -41,7 +44,7 @@ BasicRecordDescriptor = TargetRecordDescriptor(LOG_RECORD_NAME, BASIC_RECORD_FIE
 FIELD_NAME_INVALID_CHARS_RE = re.compile(r"[^a-zA-Z0-9]")
 
 
-class IISLogsPlugin(plugin.Plugin):
+class IISLogsPlugin(WebserverPlugin):
     """IIS 7 (and above) logs plugin.
 
     References:

dissect/target/plugins/apps/webserver/nginx.py

@@ -6,7 +6,10 @@ from typing import Iterator
 from dissect.target import plugin
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.fsutil import open_decompress
-from dissect.target.plugins.apps.webserver.webserver import WebserverAccessLogRecord
+from dissect.target.plugins.apps.webserver.webserver import (
+    WebserverAccessLogRecord,
+    WebserverPlugin,
+)
 from dissect.target.target import Target
 
 LOG_REGEX = re.compile(
@@ -14,7 +17,7 @@ LOG_REGEX = re.compile(
 )
 
 
-class NginxPlugin(plugin.Plugin):
+class NginxPlugin(WebserverPlugin):
     __namespace__ = "nginx"
 
     def __init__(self, target: Target):

dissect/target/plugins/apps/webserver/webserver.py

@@ -1,16 +1,16 @@
-from typing import Iterator
+from typing import Iterator, Union
 
-from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export
-from dissect.target.target import Target
+from dissect.target.plugin import NamespacePlugin, export
 
 WebserverAccessLogRecord = TargetRecordDescriptor(
-    "application/log/webserver",
+    "application/log/webserver/access",
     [
         ("datetime", "ts"),
         ("string", "remote_user"),
         ("net.ipaddress", "remote_ip"),
+        ("net.ipaddress", "local_ip"),
+        ("varint", "pid"),
         ("string", "method"),
         ("uri", "uri"),
         ("string", "protocol"),
@@ -18,49 +18,33 @@ WebserverAccessLogRecord = TargetRecordDescriptor(
         ("varint", "bytes_sent"),
         ("uri", "referer"),
         ("string", "useragent"),
+        ("varint", "response_time_ms"),
         ("path", "source"),
     ],
 )
 
+WebserverErrorLogRecord = TargetRecordDescriptor(
+    "application/log/webserver/error",
+    [
+        ("datetime", "ts"),
+        ("net.ipaddress", "remote_ip"),
+        ("varint", "pid"),
+        ("string", "module"),
+        ("string", "level"),
+        ("string", "error_source"),
+        ("string", "error_code"),
+        ("string", "message"),
+        ("path", "source"),
+    ],
+)
 
-class WebserverPlugin(Plugin):
+
+class WebserverPlugin(NamespacePlugin):
     __namespace__ = "webserver"
     __findable__ = False
 
-    WEBSERVERS = [
-        "apache",
-        "nginx",
-        "iis",
-        "caddy",
-    ]
-
-    def __init__(self, target: Target):
-        super().__init__(target)
-        self._plugins = []
-        for entry in self.WEBSERVERS:
-            try:
-                self._plugins.append(getattr(self.target, entry))
-            except Exception:  # noqa
-                target.log.exception("Failed to load webserver plugin: %s", entry)
-
-    def check_compatible(self) -> None:
-        if not len(self._plugins):
-            raise UnsupportedPluginError("No compatible webserver plugins found")
-
-    def _func(self, f: str) -> Iterator[WebserverAccessLogRecord]:
-        for p in self._plugins:
-            try:
-                yield from getattr(p, f)()
-            except Exception:
-                self.target.log.exception("Failed to execute webserver plugin: %s.%s", p._name, f)
-
-    @export(record=WebserverAccessLogRecord)
-    def logs(self) -> Iterator[WebserverAccessLogRecord]:
+    @export(record=[WebserverAccessLogRecord, WebserverErrorLogRecord])
+    def logs(self) -> Iterator[Union[WebserverAccessLogRecord, WebserverErrorLogRecord]]:
         """Returns log file records from installed webservers."""
         yield from self.access()
-        # TODO: In the future we should add error logs too.
-
-    @export(record=WebserverAccessLogRecord)
-    def access(self) -> Iterator[WebserverAccessLogRecord]:
-        """Returns WebserverAccessLogRecord records from installed webservers."""
-        yield from self._func("access")
+        yield from self.error()

{dissect.target-3.15.dev23.dist-info → dissect.target-3.15.dev25.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.15.dev23
+Version: 3.15.dev25
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.15.dev23.dist-info → dissect.target-3.15.dev25.dist-info}/RECORD

@@ -3,7 +3,7 @@ dissect/target/container.py,sha256=9ixufT1_0WhraqttBWwQjG80caToJqvCX8VjFk8d5F0,9
 dissect/target/exceptions.py,sha256=VVW_Rq_vQinapz-2mbJ3UkxBEZpb2pE_7JlhMukdtrY,2877
 dissect/target/filesystem.py,sha256=r7JxYP1oI6fy6F29-7FCZZkldnn516d5_XQ7QhQHnH4,53765
 dissect/target/loader.py,sha256=0-LcZNi7S0qsXR7XGtrzxpuCh9BsLcqNR1T15O7SnBM,7257
-dissect/target/plugin.py,sha256=MyBjC7uJ-qml9SQMQ6xsNMdudsOFNJiHNMRn-AFi_pM,47405
+dissect/target/plugin.py,sha256=vEk-jZdhPKhD7rxRuWGb9XAjHRXewWjflC03qOIF3rI,48113
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
 dissect/target/target.py,sha256=CuqLTD3fwr4HIxtDgN_fwJ3UHSqe5PhNJlLTVGsluB8,31908
 dissect/target/volume.py,sha256=aQZAJiny8jjwkc9UtwIRwy7nINXjCxwpO-_UDfh6-BA,15801
@@ -136,11 +136,12 @@ dissect/target/plugins/apps/vpn/wireguard.py,sha256=45WvCqQQGrG3DVDH5ghcsGpM_Bom
 dissect/target/plugins/apps/webhosting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/webhosting/cpanel.py,sha256=OeFQnu9GmpffIlFyK-AR2Qf8tjyMhazWEAUyccDU5y0,2979
 dissect/target/plugins/apps/webserver/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/apps/webserver/apache.py,sha256=_dZVlQMo5bngVkuQorz6QgjWxDOSLgHm2bpUqVcD2js,7182
-dissect/target/plugins/apps/webserver/caddy.py,sha256=Ik0mXNUpYg3dMA5M_8n5zjaFhNd-tYhM7gRPaf9ASa0,6390
-dissect/target/plugins/apps/webserver/iis.py,sha256=BVYwLn25n5wjX5X5uedmJOFE7CNae59twUeHuXYkPZc,14637
-dissect/target/plugins/apps/webserver/nginx.py,sha256=nO-YGx68Hw_meSqp2u_d8hQB7NKsx2d09b-H9ngrUKo,4097
-dissect/target/plugins/apps/webserver/webserver.py,sha256=_rkI0FRF4b3cUqSix_c00NoPYCfc6_GErt72sP2Jngk,2156
+dissect/target/plugins/apps/webserver/apache.py,sha256=H38Zj41EkfS27x98gBTuPHJmTOmlhfMK73PX6zQ4YOY,14933
+dissect/target/plugins/apps/webserver/caddy.py,sha256=qZsAK_tILGvroV4SWkDKc-Otwd41bUEtv9H9TuHmt-0,6422
+dissect/target/plugins/apps/webserver/citrix.py,sha256=FEPdBteEJeeGg3B95W_27O9wLJVhenEc5A5fSLDmK18,3044
+dissect/target/plugins/apps/webserver/iis.py,sha256=UwRVzLqnKScijdLoZFfpkSUzKTQosicZpn16q__4QBU,14669
+dissect/target/plugins/apps/webserver/nginx.py,sha256=WA5soi1FU1c44oHRcyOoHK3gH8Jzc_Qi5uXcimDYukw,4129
+dissect/target/plugins/apps/webserver/webserver.py,sha256=a7a2lLrhsa9c1AXnwiLP-tqVv-IUbmaVaSZI5S0fKa8,1500
 dissect/target/plugins/child/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/child/esxi.py,sha256=GfgQzxntcHcyxAE2QjMJ-TrFhklweSXLbYh0uuv-klg,693
 dissect/target/plugins/child/hyperv.py,sha256=R2qVeu4p_9V53jO-65znN0LwX9v3FVA-9jbbtOQcEz8,2236
@@ -317,10 +318,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.15.dev23.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.15.dev23.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.15.dev23.dist-info/METADATA,sha256=fDcJUO3AZyaTwQKqSs910EeZLpf8wLhykMH8u3Kff6Y,11113
-dissect.target-3.15.dev23.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.15.dev23.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.15.dev23.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.15.dev23.dist-info/RECORD,,
+dissect.target-3.15.dev25.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.15.dev25.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.15.dev25.dist-info/METADATA,sha256=EhglYTVaAYzVR_mUdsZKJJDV0Rcmwzsw9D_1mw9u5mg,11113
+dissect.target-3.15.dev25.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.15.dev25.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.15.dev25.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.15.dev25.dist-info/RECORD,,