SharePoint Server Logs (SPSE) parser

These logs are very useful to detect ToolShell exploitation events. The most useful logs use the following naming scheme: `HOSTNAME-YYYYMMDD-<NUMBER>.log`.

```
Timestamp               Process                                         TID     Area                            Category                        EventID Level           Message         Correlation
MM/DD/YYYY HH:MM:ss  w3wp.exe (XXX)                               XXXX  SharePoint Foundation           General                         XXXX    Medium          Application error when access /_layouts/15/spinstall0.aspx, Error=The file '/_layouts/15/spinstall0.aspx' does not exist.  [...]
```

## References

- <https://learn.microsoft.com/en-us/sharepoint/administration/configure-diagnostic-logging>(https://learn.microsoft.com/en-us/sharepoint/administration/configure-diagnostic-logging)
- <https://github.com/fox-it/acquire/pull/257>(https://github.com/fox-it/acquire/pull/257)
- <https://research.eye.security/sharepoint-under-siege/>(https://research.eye.security/sharepoint-under-siege/)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SharePoint Server Logs (SPSE) parser #1255

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SharePoint Server Logs (SPSE) parser #1255

Description

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions