dissect.target
SharePoint Server Logs (SPSE) parser
These logs are very useful to detect ToolShell exploitation events. The most useful logs use the following naming scheme: HOSTNAME-YYYYMMDD-<NUMBER>.log.
Timestamp Process TID Area Category EventID Level Message Correlation
MM/DD/YYYY HH:MM:ss w3wp.exe (XXX) XXXX SharePoint Foundation General XXXX Medium Application error when access /_layouts/15/spinstall0.aspx, Error=The file '/_layouts/15/spinstall0.aspx' does not exist. [...]
References
- https://learn.microsoft.com/en-us/sharepoint/administration/configure-diagnostic-logging
- https://github.com/fox-it/acquire/pull/257
- https://research.eye.security/sharepoint-under-siege/
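
A stand-alone sketch of reading the log format described above and flagging records that mention the path from the sample line. This is an added example, not dissect.target's own code. It assumes fields are tab-separated and that the timestamp may carry fractional seconds; the function names and all sample values are constructed for illustration.

```python
import re
from datetime import datetime

# Naming scheme from the page: HOSTNAME-YYYYMMDD-<NUMBER>.log
ULS_NAME = re.compile(r"^(?P<host>.+)-(?P<date>\d{8})-(?P<number>\d+)\.log$")
# Column order from the header line on the page.
FIELDS = ("timestamp", "process", "tid", "area", "category", "event_id", "level")
# Path taken from the sample record on the page.
SUSPECT_PATH = "/_layouts/15/spinstall0.aspx"

def is_uls_log(filename):
    """True if the file name follows the naming scheme above."""
    return ULS_NAME.match(filename) is not None

def parse_timestamp(value):
    # Assumption: fractional seconds are optional.
    for fmt in ("%m/%d/%Y %H:%M:%S.%f", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None

def parse_line(line):
    """Return one record as a dict, or None for the header or a malformed line."""
    raw = line.rstrip("\r\n").split("\t")  # assumption: tab-separated fields
    if len(raw) < 8:
        return None
    if len(raw) == 8:  # Correlation column missing entirely
        raw.append("")
    record = dict(zip(FIELDS, (p.strip() for p in raw[:7])))
    record["timestamp"] = parse_timestamp(record["timestamp"])
    if record["timestamp"] is None:  # header row or garbage
        return None
    record["message"] = "\t".join(raw[7:-1]).strip()  # tolerate tabs in Message
    record["correlation"] = raw[-1].strip()
    return record

def find_hits(lines):
    """Records whose Message references SUSPECT_PATH (case-insensitive)."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r and SUSPECT_PATH in r["message"].lower()]

# Constructed sample: header, one matching record, one unrelated record.
SAMPLE = "\n".join([
    "Timestamp\tProcess\tTID\tArea\tCategory\tEventID\tLevel\tMessage\tCorrelation",
    "07/19/2025 10:15:30.12\tw3wp.exe (0x1A2C)\t0x0F10\tSharePoint Foundation\tGeneral\tab12c\tMedium\t"
    "Application error when access /_layouts/15/spinstall0.aspx, Error=The file "
    "'/_layouts/15/spinstall0.aspx' does not exist.\t00000000-0000-0000-0000-000000000001",
    "07/19/2025 10:15:31.40\tw3wp.exe (0x1A2C)\t0x0F10\tSharePoint Foundation\tMonitoring\tcd34e\tVerbose\t"
    "Leaving Monitored Scope (Request (GET:/sites/team/default.aspx))\t",
])

if __name__ == "__main__":
    for hit in find_hits(SAMPLE.splitlines()):
        print(hit["timestamp"].isoformat(), hit["process"], hit["message"])
```

A hit on a "does not exist" error shows that the path was requested, not that a file was served, so each hit needs correlating with other evidence.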