Added support for additional IIS log username variants (#4904)

Author: pyllyukko

plaso/parsers/text_plugins/iis.py

@@ -101,8 +101,8 @@ class WinIISTextPlugin(interface.TextPlugin):
       lambda tokens: int(tokens[0], 10)) | _BLANK
 
   # Username can consist of: "domain.username", "domain\username",
-  # "domain\user$" or "-" for an anonymous user.
-  _USERNAME = pyparsing.Word(pyparsing.alphanums + '-.\\$') | _BLANK
+  # "domain\user$", "domain/user", "user@domain" or "-" for an anonymous user.
+  _USERNAME = pyparsing.Word(pyparsing.alphanums + '-.\\$@/') | _BLANK
 
   _URI_SAFE_CHARACTERS = '/.?&+;_=()-:,%'
 

test_data/iis10_edge_cases.log

@@ -14,3 +14,5 @@
 2022-01-01 18:42:36 ::1 POST /ews/exchange.asmx &request_id=GHJGJYHG-ea2f-4e0f-894c-tdtyd667tyftyf 444 RaDomain\RandomMailbox3242354 ::1 Ews_Probe/Local+(ExchangeServicesClient/15.01.25965.004) - 200 0 0 102
 2022-01-01 18:42:37 ::1 POST /mapi/emdata/ useMailboxOfAuthenticatedUser=true 444 RaDomain\RandomMailbox3242354 ::1 MapiHttpClient - 200 0 0 4
 2022-01-01 18:42:55 ::1 GET /rancertloc/logoff.aspx ActID=werwer-3e02-56456-ererere545-sdf8798798dfh 444 RaDomain\RandomMailbox3242354 ::1 Mozilla/4.0+(compatible;+MSIE+12.0;+Trident/7.0;+rv:12.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+BACKLOOK) - 302 0 0 5
+2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  random/ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
+2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  ranuser1@random ::1 Microsoft+WinRM+Client - 200 0 0 15

tests/parsers/text_plugins/iis.py

@@ -176,7 +176,7 @@ def testProcessWithIIS10Log(self):
 
     number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
         'event_data')
-    self.assertEqual(number_of_event_data, 12)
+    self.assertEqual(number_of_event_data, 14)
 
     number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
         'extraction_warning')