Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Kerberos principal username not supported by apache_access parser
See original GitHub issueDescription of problem:
pyparsing.alphanums is not sufficient to parse user names in the apache_access parser. For instance with mod_auth_gssapi the user name is a Kerberos principal (e.g. “pyllyukko@EXAMPLE.COM”). Another non-alphanum char I encountered was the underscore.
Plaso’s result in parsing my Apache logs:
************************** Plaso Storage Information ***************************
Filename : test-1.plaso
Format version : 20210514
Storage type : session
Serialization format : json
--------------------------------------------------------------------------------
*********************************** Sessions ***********************************
d6dcde46-8f50-494c-9768-be9dad3f2f53 : 2021-09-03T17:31:45.047702Z
--------------------------------------------------------------------------------
******************************** Event sources *********************************
Total : 1
--------------------------------------------------------------------------------
No events stored.
No events labels stored.
No warnings stored.
No analysis reports stored.
After modifying apache_access as follows:
diff --git a/plaso/parsers/apache_access.py b/plaso/parsers/apache_access.py
index ec801ef6..4d7bffe0 100644
--- a/plaso/parsers/apache_access.py
+++ b/plaso/parsers/apache_access.py
@@ -109,7 +109,7 @@ class ApacheAccessParser(text_parser.PyparsingSingleLineTextParser):
pyparsing.Suppress('"'))
_USER_NAME = (
- pyparsing.Word(pyparsing.alphanums) |
+ pyparsing.Word(pyparsing.printables) |
pyparsing.Literal('-')).setResultsName('user_name')
# Defined in https://httpd.apache.org/docs/2.4/logs.html
The events got properly parsed (the log had 14717 lines in it):
************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
apache_access : 14716
Total : 14716
--------------------------------------------------------------------------------
I’m not sure whether pyparsing.printables is the correct answer either, but that’s what I used to hack my way around this issue. The valid Kerberos principal chars could be a starting point though.
Command line and arguments:
log2timeline.py --hashers none --parsers apache_access test-2.plaso access_log.1-2
Source data:
192.168.0.64 - pyllyukko@EXAMPLE.COM [16/Nov/2019:09:46:42 +0200] "GET / HTTP/1.1" 200 8264
Plaso version:
20210606
Installation method:
Docker.
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I reproduced the bug and will work on a fix. Thanks for reporting!
Yes. The initial source where I stumbled upon this issue wasn’t actually Kerberos principals, but just arbitrary usernames. I used the Kerberos principal as an example to demonstrate that
pyparsing.alphanumsis insufficient.Nope. Sounds like Windows world 😃 (Or domain\username to be exact.) Doesn’t still mean that these kind of entries couldn’t exist, but I just haven’t seen one.