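# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Cisco PIX / IOS syslog messages.
# Layout of the cisco_pixios node, in order:
#   info / log.format          identification and autodetection
#   log.fields                 fields that the parsing filters may collect
#   log.parsing_filters        ordered regexp collectors, one per message shape
#   database.fields            string fields stored per event
#   log.filters                post-parse filters (URL normalisation, service lookup)
#   log.field_options          session tracking settings
#   database.numerical_fields  counters / sizes aggregated per event
#   create_profile_wizard_options, not_supported
#
# Field values are copied verbatim from the syslog text: most collectors bound a
# capture only with '[^\\']*' or '.*', so url, page, message, user and command are
# attacker-controlled strings once they reach reports. message_code (filter 1) is the
# most stable key for building detections on this data.
cisco_pixios = {

  plugin_version = "1.0.1"
  # Initial creation - 1.0
  # 2010-10-20 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "Cisco Systems"
  info.1.device = "PIX/IOS"
  info.1.version = ""

  # The name of the log format
  log.format.format_label = "Cisco PIX/IOS Log Format"

  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first autodetect_lines (200) lines
  # match this regular expression (a syslog mnemonic such as %PIX-..., %SEC-..., %FW-...)
  log.format.autodetect_regular_expression = "%(PIX|SEC|IDS|FW|AUTH|IKE|PPTP)[^ ]*: "
  log.format.autodetect_lines = "200"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # A log entry is called an event
  statistics.miscellaneous.entry_name = "events"

  # Log fields
  # NOTE(review): the parsing filters also collect 'dummy' (18, 19), 'netmask',
  # 'router', 'metric' (33, 34) and 'subnet' (35), which are not declared here;
  # confirm that Sawmill tolerates collecting an undeclared field.
  log.fields = {

    # Source address; 'host' type with '.' dividers gives per-octet drill-down
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # source_ip

    source_hostname = {
      label = "$lang_stats.field_labels.source_hostname"
      type = "flat"
      index = 0
      subindex = 0
    } # source_hostname

    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_ip

    destination_hostname = {
      label = "$lang_stats.field_labels.destination_hostname"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_hostname

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port

    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port

    # Derived by log.filters.look_up_service, not collected from the line
    service_name = {
      label = "$lang_stats.field_labels.service_name"
      type = "flat"
      index = 0
      subindex = 0
    } # service_name

    source_side = {
      label = "$lang_stats.field_labels.source_side"
      type = "flat"
      index = 0
      subindex = 0
    } # source_side

    destination_side = {
      label = "$lang_stats.field_labels.destination_side"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_side

    interface = {
      label = "$lang_stats.field_labels.interface"
      type = "flat"
      index = 0
      subindex = 0
    } # interface

    page = {
      label = "$lang_stats.field_labels.page"
      type = "flat"
      index = 0
      subindex = 0
    } # page

    operation = {
      label = "$lang_stats.field_labels.operation"
      type = "flat"
      index = 0
      subindex = 0
    } # operation

    # Syslog mnemonic, e.g. the "%PIX-n-nnnnnn" token captured by filter 1
    message_code = {
      label = "$lang_stats.field_labels.message_code"
      type = "flat"
      index = 0
      subindex = 0
    } # message_code

    destination_bytes = {
      label = "$lang_stats.field_labels.destination_bytes"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_bytes

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol

    flags = {
      label = "$lang_stats.field_labels.flags"
      type = "flat"
      index = 0
      subindex = 0
    } # flags

    bytes = {
      label = "$lang_stats.field_labels.bytes"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # bytes

    faddr_host = {
      label = "$lang_stats.field_labels.faddr_host"
      type = "flat"
      index = 0
      subindex = 0
    } # faddr_host

    faddr_port = {
      label = "$lang_stats.field_labels.faddr_port"
      type = "flat"
      index = 0
      subindex = 0
    } # faddr_port

    gaddr_host = {
      label = "$lang_stats.field_labels.gaddr_host"
      type = "flat"
      index = 0
      subindex = 0
    } # gaddr_host

    gaddr_port = {
      label = "$lang_stats.field_labels.gaddr_port"
      type = "flat"
      index = 0
      subindex = 0
    } # gaddr_port

    laddr_host = {
      label = "$lang_stats.field_labels.laddr_host"
      type = "flat"
      index = 0
      subindex = 0
    } # laddr_host

    laddr_port = {
      label = "$lang_stats.field_labels.laddr_port"
      type = "flat"
      index = 0
      subindex = 0
    } # laddr_port

    # Declared once; the original file repeated an identical 'duration' node after 'list'
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "flat"
      index = 0
      subindex = 0
    } # duration

    access_group = {
      label = "$lang_stats.field_labels.access_group"
      type = "flat"
      index = 0
      subindex = 0
    } # access_group

    url = {
      label = "$lang_stats.field_labels.url"
      type = "page"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # url

    message = {
      label = "$lang_stats.field_labels.message"
      type = "flat"
      index = 0
      subindex = 0
    } # message

    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user

    command = {
      label = "$lang_stats.field_labels.command"
      type = "flat"
      index = 0
      subindex = 0
    } # command

    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type

    direction = {
      label = "$lang_stats.field_labels.direction"
      type = "flat"
      index = 0
      subindex = 0
    } # direction

    list = {
      label = "$lang_stats.field_labels.list"
      type = "flat"
      index = 0
      subindex = 0
    } # list

  } # log.fields

  #
  # Log Parsing Filters
  #
  # Filters run in the order listed. Several collectors can match one line
  # (e.g. 1 plus one of the message-specific ones); presumably a later collector
  # overwrites a field set by an earlier one - confirm before reordering.
  log.parsing_filters = {

    # These are the PIX log Parsing filters

    # Parse out the message code
    1 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('()(%[^:]*):', '*KEY*,message_code')"
    } # 1

    # Parse out the Built portmap translation
    2 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('() (Portmapped translation built) ', '*KEY*,operation')"
    } # 2

    # Parse out the "Built inbound/outbound TCP connection" lines
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('() (Built|Teardown|Deny) (inbound|outbound|dynamic) (TCP|UDP|ICMP) ', '*KEY*,operation,direction,protocol')"
    } # 3

    # Parse out alternate-format Deny inbound lines
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('()(Deny) (inbound) .*(tcp|udp|icmp) ', '*KEY*,operation,direction,protocol')"
    } # 4

    # Parse "No translation group found for" lines
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('()(No translation group found) for (tcp|udp|icmp) ', '*KEY*,operation,protocol')"
    } # 5

    # Parse Teardown TCP|UDP lines
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp(' ()(Teardown) (TCP|UDP) connection ', '*KEY*,operation,protocol')"
    } # 6

    # Parse out alternate-format Deny lines
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('() (Deny) (tcp|udp|icmp) ', '*KEY*,operation,protocol')"
    } # 7

    # Parse out Deny lines (without access group)
    8 = {
      label = "8"
      comment = ""
      value = "collect_fields_using_regexp('() (Deny) (tcp|udp|TCP) ([a-z ]*) ', '*KEY*,operation,protocol,type')"
    } # 8

    # Parse out the Inbound TCP connection denied lines
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('()(Inbound) (TCP) (connection denied) ', '*KEY*,direction,protocol,operation')"
    } # 9

    # Parse out the ICMP packet denied lines
    10 = {
      label = "10"
      comment = ""
      value = "collect_fields_using_regexp('()(ICMP) packet type [0-9]+ (denied) ', '*KEY*,protocol,operation')"
    } # 10

    # Parse Teardown local-host
    11 = {
      label = "11"
      comment = ""
      value = "collect_fields_using_regexp(' ()(Teardown local-host) ([^:]*):([^/ ]*)/*([0-9]*) duration ([0-9:]+)', '*KEY*,operation,source_side,source_ip,source_port,duration')"
    } # 11

    # Parse out the Built UDP connection lines
    12 = {
      label = "12"
      comment = ""
      value = "collect_fields_using_regexp('()(Built) (UDP)', '*KEY*,operation,protocol')"
    } # 12

    # Parse out the Teardown UDP connection lines
    13 = {
      label = "13"
      comment = ""
      value = "collect_fields_using_regexp('()(Teardown) ([^ ]*) ', '*KEY*,operation,protocol')"
    } # 13

    # Parse out the interface
    14 = {
      label = "14"
      comment = ""
      value = "collect_fields_using_regexp('() interface ([^\\']*)', '*KEY*,interface')"
    } # 14

    # Parse out the flags
    15 = {
      label = "15"
      comment = ""
      value = "collect_fields_using_regexp('() flags ([A-Z ]* [^ ]*)', '*KEY*,flags')"
    } # 15

    # Parse out the bytes field
    16 = {
      label = "16"
      comment = ""
      value = "collect_fields_using_regexp('() bytes ([0-9]*)', '*KEY*,bytes')"
    } # 16

    # Parse out the duration field
    duration = {
      label = "duration"
      comment = ""
      value = "collect_fields_using_regexp('() duration ([0-9:]*)', '*KEY*,duration')"
    } # duration

    # Parse from/to info
    17 = {
      label = "17"
      comment = ""
      value = "collect_fields_using_regexp('() from ([.0-9]*) to ([0-9.]*) ', '*KEY*,source_ip,destination_ip')"
    } # 17

    # Parse for/to or from/to lines with unresolved hostnames
    18 = {
      label = "18"
      comment = ""
      value = "collect_fields_using_regexp('() f(or|rom) ([a-zA-Z0-9]+):([^:/ ]*)/*([0-9]*) to ([a-zA-Z0-9]+):([^:/ ]*)/*([0-9]*) ', '*KEY*,dummy,source_side,source_ip,source_port,destination_side,destination_ip,destination_port')"
    } # 18

    # Parse for/to or from/to section
    # NOTE(review): reads current_log_line() while fw6 reads v.syslog_message;
    # confirm both names refer to the same text in this plugin context.
    for_to = {
      label = "for_to"
      comment = ""
      value = "
        if (matches_regular_expression(current_log_line(), ' f(or|rom) (.*) to (.*)')) then (
          volatile.from = $2;
          volatile.to = $3;
          if (matches_regular_expression(volatile.from, '^([a-zA-Z0-9]+):([^ ]*)/([0-9]+)')) then (
            set_collected_field('', 'source_side', $1);
            set_collected_field('', 'source_ip', $2);
            set_collected_field('', 'source_port', $3);
          );
          if (matches_regular_expression(volatile.to, '^([a-zA-Z0-9]+):([^ ]*)/([0-9]+)')) then (
            set_collected_field('', 'destination_side', $1);
            set_collected_field('', 'destination_ip', $2);
            set_collected_field('', 'destination_port', $3);
          );
        )
      "
    } # for_to

    # Parse src/dst or from/to lines with resolved hostname
    19 = {
      label = "19"
      comment = ""
      value = "collect_fields_using_regexp(' ()(from|src) ([a-zA-Z0-9]+):([0-9.]*) \\\\(([^)]*)\\\\) /*([0-9]*) (to|dst) ([a-zA-Z0-9]+):([0-9.]*) \\\\(([^)]*)\\\\) /*([0-9]*)', '*KEY*,dummy,source_side,source_ip,source_hostname,source_port,dummy,destination_side,destination_ip,destination_hostname,destination_port')"
    } # 19

    # Parse src/dst lines with just IPs or just hostnames
    20 = {
      label = "20"
      comment = ""
      value = "collect_fields_using_regexp(' ()src ([a-zA-Z0-9]+):([0-9.A-Za-z_]*)/*([0-9]*) dst ([a-zA-Z0-9]+):([0-9.A-Za-z_]*)/*([0-9]*)', '*KEY*,source_side,source_ip,source_port,destination_side,destination_ip,destination_port')"
    } # 20

    # Parse src/dest lines
    21 = {
      label = "21"
      comment = ""
      value = "collect_fields_using_regexp(' ()src ([0-9.]+) *([0-9]*) dest ([0-9.]+) *([0-9]*)', '*KEY*,source_ip,source_port,destination_ip,destination_port')"
    } # 21

    # Parse out the source/destination IP/port
    22 = {
      label = "22"
      comment = ""
      value = "collect_fields_using_regexp('() from ([0-9.]*)/([0-9]*) to ([0-9.]*)/([0-9]*)', '*KEY*,source_ip,source_port,destination_ip,destination_port')"
    } # 22

    # Parse out the source/destination IP/hostname/port
    23 = {
      label = "23"
      comment = ""
      value = "collect_fields_using_regexp('() from ([0-9.]*) \\\\(([^)]*)\\\\) /([0-9]*) to ([0-9.]*) \\\\(([^)]*)\\\\) /([0-9]*) ', '*KEY*,source_ip,source_hostname,source_port,destination_ip,destination_hostname,destination_port')"
    } # 23

    # Parse out the faddr/laddr/gaddr info
    24 = {
      label = "24"
      comment = ""
      value = "collect_fields_using_regexp('() faddr ([^/]*)/([^ ]*) ', '*KEY*,faddr_host,faddr_port')"
    } # 24

    # Parse out gaddr/laddr info
    25 = {
      label = "25"
      comment = ""
      value = "collect_fields_using_regexp('() gaddr ([^/]*)/([^ ]*) laddr ([^/]*)/([^ ]*)', '*KEY*,gaddr_host,gaddr_port,laddr_host,laddr_port')"
    } # 25

    # Parse out global/local lines
    26 = {
      label = "26"
      comment = ""
      value = "collect_fields_using_regexp('() global ([^/]*)/([^ ]*) local ([^/]*)/([^ ]*)', '*KEY*,gaddr_host,gaddr_port,laddr_host,laddr_port')"
    } # 26

    # Parse out the "Accessed URL" lines
    27 = {
      label = "27"
      comment = ""
      value = "collect_fields_using_regexp('() ([0-9.]*) (Accessed URL) ([^:]*):([^\\']*)', '*KEY*,source_ip,operation,destination_ip,page')"
    } # 27

    # Parse out the "Accessed URL" lines with resolved hostnames
    28 = {
      label = "28"
      comment = ""
      value = "collect_fields_using_regexp('() ([0-9.]*) \\\\(([^)]*)\\\\) (Accessed URL) ([^:]*) \\\\(([^)]*)\\\\) :([^\\']*)', '*KEY*,source_ip,source_hostname,operation,destination_ip,destination_hostname,page')"
    } # 28

    # Parse out the "Accessed URL" lines (URL only)
    29 = {
      label = "29"
      comment = ""
      value = "collect_fields_using_regexp('() (Accessed URL) ([^\\']*)', '*KEY*,operation,url')"
    } # 29

    # Parse a tcp|udp list line
    30 = {
      label = "30"
      comment = ""
      value = "collect_fields_using_regexp('()(list) ([^ ]*) (permitted|denied) (tcp|udp) ([0-9.]*) *\\\\(*([^)]*)\\\\)* *\\\\(([0-9]*)\\\\).*-> ([0-9.]*) *\\\\(*([^)]*)\\\\)* *\\\\(([0-9]*)\\\\), [0-9]* packet', '*KEY*,type,list,operation,protocol,source_ip,source_hostname,source_port,destination_ip,destination_hostname,destination_port')"
    } # 30

    # Parse an access-list line with sides and IPs
    access_list = {
      label = "access_list"
      comment = ""
      value = "collect_fields_using_regexp('()(access-list) ([^ ]*) (permitted|denied) (tcp|udp) ([^/]+)/([0-9.]*)\\\\(([0-9]*)\\\\) -> ([^/]+)/([0-9.]*)\\\\(([0-9]*)\\\\)', '*KEY*,type,list,operation,protocol,source_side,source_ip,source_port,destination_side,destination_ip,destination_port')"
    } # access_list

    # Parse a tcp|udp "connection denied by outbound list" line
    31 = {
      label = "31"
      comment = ""
      value = "collect_fields_using_regexp('()(tcp|udp) (connection denied) by (outbound list) ([^ ]*)', '*KEY*,protocol,operation,type,list')"
    } # 31

    # Parse an icmp list line
    32 = {
      label = "32"
      comment = ""
      value = "collect_fields_using_regexp('()(list) ([0-9]*) (permitted|denied) (icmp) ([0-9.]*).*-> ([0-9.]*) ', '*KEY*,type,list,operation,protocol,source_ip,destination_ip')"
    } # 32

    # Parse a route add line
    33 = {
      label = "33"
      comment = ""
      value = "collect_fields_using_regexp('()(RT): (add) ([0-9.]*) ([0-9.]*) via ([0-9.]*), isis metric \\\\[([0-9]*/[0-9]*)\\\\]', '*KEY*,type,operation,destination_ip,netmask,router,metric')"
    } # 33

    # Parse a route delete line
    34 = {
      label = "34"
      comment = ""
      value = "collect_fields_using_regexp('()(RT): (delete route) to ([0-9.]*) via ([0-9.]*), isis metric \\\\[([0-9]*/[0-9]*)\\\\]', '*KEY*,type,operation,destination_ip,router,metric')"
    } # 34

    # Parse a delete subnet route line
    35 = {
      label = "35"
      comment = ""
      value = "collect_fields_using_regexp('()(RT): (delete subnet route) to ([0-9.]*) ([0-9.]*)', '*KEY*,type,operation,destination_ip,subnet')"
    } # 35

    # Parse a no routes line
    36 = {
      label = "36"
      comment = ""
      value = "collect_fields_using_regexp('()(RT): (no routes) to ([0-9.]*)', '*KEY*,type,operation,destination_ip')"
    } # 36

    # Parse an FW-3/4 line; put the full error in message
    37 = {
      label = "37"
      comment = ""
      value = "collect_fields_using_regexp('()%FW-[34][^:]*: ([^\\']*)', '*KEY*,message')"
    } # 37

    # Parse an FW-3 line with initiator info
    38 = {
      label = "38"
      comment = ""
      value = "collect_fields_using_regexp('()%FW-3[^:]*: (.*)\\\\(total ([0-9]*) chars\\\\) from initiator \\\\(([0-9.]*):([0-9]*)', '*KEY*,message,bytes,source_ip,source_port')"
    } # 38

    # Parse an FW-6 line
    fw6 = {
      label = "FW-6"
      comment = ""
      value = "
        if (matches_regular_expression(v.syslog_message, '%FW-6[^:]*: (Stop http session): initiator \\\\(([0-9.]+):([0-9]+)\\\\) sent ([0-9]+) bytes -- responder \\\\(([0-9.]+):([0-9]+)\\\\) sent ([0-9]+) bytes')) then (
          set_collected_field('', 'operation', $1);
          set_collected_field('', 'source_ip', $2);
          set_collected_field('', 'source_port', $3);
          set_collected_field('', 'bytes', $4);
          set_collected_field('', 'destination_ip', $5);
          set_collected_field('', 'destination_port', $6);
          set_collected_field('', 'destination_bytes', $7);
        )
      "
    } # fw6

    # Parse an AUDIT_TRAIL line
    39 = {
      label = "39"
      comment = ""
      value = "collect_fields_using_regexp('()AUDIT_TRAIL: ([a-z-]*) (session initiator) \\\\(([0-9.]*):([0-9]*)\\\\) sent ([0-9]*) bytes -- responder \\\\(([0-9.]*):([0-9]*)\\\\) sent ([0-9]*) bytes', '*KEY*,protocol,operation,source_ip,source_port,bytes,destination_ip,destination_port,destination_bytes')"
    } # 39

    # parse IDS events
    40 = {
      label = "40"
      comment = ""
      value = "collect_fields_using_regexp('() (IDS:.*) from', '*KEY*,message')"
    } # 40

    # parse audit cmd lines
    41 = {
      label = "41"
      comment = ""
      value = "collect_fields_using_regexp('() User *\\'([^\\']*)\\' executed cmd: ([^\\']*)', '*KEY*,user,command')"
    } # 41

    # Parse out the audit command lines
    # (the original file carried a byte-identical copy of this collector as filter 43;
    # it has been dropped, so 44 now follows 42 directly)
    42 = {
      label = "42"
      comment = ""
      value = "collect_fields_using_regexp('()User *\\'([^\\']*)\\' executed the \\'([^\\']*)\\' command', '*KEY*,user,command')"
    } # 42

    # Parse out the audit operation lines
    44 = {
      label = "44"
      comment = ""
      value = "collect_fields_using_regexp('() (New user added to local dbase|User deleted from local dbase): Uname: ([^ ]*) ', '*KEY*,operation,user')"
    } # 44

    # Accept this log entry
    # NOTE(review): '^()' matches every line, so presumably lines that no collector
    # above recognised still become events with only message_code set - confirm.
    45 = {
      label = "45"
      comment = ""
      value = "accept_collected_entry_using_regexp('^()', false)"
    } # 45

  } # log.parsing_filters

  # Database fields
  # NOTE(review): 'location' has no matching entry in log.fields; presumably
  # supplied by the syslog_required / host-tracking machinery - confirm.
  database.fields = {

    operation = {
      label = "$lang_stats.field_labels.operation"
      log_field = "operation"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # operation

    message = {
      label = "$lang_stats.field_labels.message"
      log_field = "message"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message

    message_code = {
      label = "$lang_stats.field_labels.message_code"
      log_field = "message_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message_code

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol

    # suppress_bottom is 9 here (2 elsewhere): deeper drill-down for the host hierarchy
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 9
    } # source_ip

    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip

    source_hostname = {
      label = "$lang_stats.field_labels.source_hostname"
      log_field = "source_hostname"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_hostname

    destination_hostname = {
      label = "$lang_stats.field_labels.destination_hostname"
      log_field = "destination_hostname"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_hostname

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port

    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port

    source_side = {
      label = "$lang_stats.field_labels.source_side"
      log_field = "source_side"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_side

    destination_side = {
      label = "$lang_stats.field_labels.destination_side"
      log_field = "destination_side"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_side

    location = {
      label = "$lang_stats.field_labels.location"
      log_field = "location"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # location

    interface = {
      label = "$lang_stats.field_labels.interface"
      log_field = "interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # interface

    direction = {
      label = "$lang_stats.field_labels.direction"
      log_field = "direction"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # direction

    faddr_host = {
      label = "$lang_stats.field_labels.faddr_host"
      log_field = "faddr_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # faddr_host

    faddr_port = {
      label = "$lang_stats.field_labels.faddr_port"
      log_field = "faddr_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # faddr_port

    gaddr_host = {
      label = "$lang_stats.field_labels.gaddr_host"
      log_field = "gaddr_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # gaddr_host

    gaddr_port = {
      label = "$lang_stats.field_labels.gaddr_port"
      log_field = "gaddr_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # gaddr_port

    laddr_host = {
      label = "$lang_stats.field_labels.laddr_host"
      log_field = "laddr_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # laddr_host

    laddr_port = {
      label = "$lang_stats.field_labels.laddr_port"
      log_field = "laddr_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # laddr_port

    service_name = {
      label = "$lang_stats.field_labels.service_name"
      log_field = "service_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # service_name

    url = {
      label = "$lang_stats.field_labels.url"
      log_field = "url"
      type = "string"
      suppress_top = 1
      suppress_bottom = 4
    } # url

    flags = {
      label = "$lang_stats.field_labels.flags"
      log_field = "flags"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # flags

    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user

    command = {
      label = "$lang_stats.field_labels.command"
      log_field = "command"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # command

    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type

    list = {
      label = "$lang_stats.field_labels.list"
      log_field = "list"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # list

  } # database.fields

  # Log Filters
  # NOTE(review): set_page_for_worm and detect_page_views reference 'worm' and
  # 'file_type', neither of which is declared in log.fields; they look like a
  # carry-over from a web-server format - confirm they are wanted here.
  log.filters = {

    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else url = '(worm)';"
    } # set_page_for_worm

    # Collapse everything after '?' so query strings do not fan out the url field
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

    # service_name = "<destination_port>_<protocol>", then replaced by the
    # rewrite_rules.services entry of that name when one exists
    look_up_service = {
      label = '$lang_admin.log_filters.look_up_service'
      comment = '$lang_admin.log_filters.look_up_comment'
      value = "service_name = destination_port . \"_\" . protocol ; volatile.service_name = node_value( subnode_by_name(\"rewrite_rules.services\", service_name) ); if ( volatile.service_name ne \"\" ) then service_name = volatile.service_name;"
    } # look_up_service

  } # log.filters

  # Sessions are keyed on source_ip and advance on page_views
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "source_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {

    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events

    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views

    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips

    bytes = {
      label = "$lang_stats.field_labels.bytes"
      default = false
      requires_log_field = true
      log_field = "bytes"
      type = "float"
      display_format_type = "bandwidth"
    } # bytes

    destination_bytes = {
      label = "$lang_stats.field_labels.destination_bytes"
      default = false
      requires_log_field = true
      log_field = "destination_bytes"
      type = "float"
      display_format_type = "bandwidth"
    } # destination_bytes

    # Values quoted for consistency with the sibling nodes (the original left them bare).
    # NOTE(review): requires_log_field is true but no log_field is given; presumably
    # the node name 'duration' is used - confirm.
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = true
      type = "int"
      display_format_type = "duration_compact"
    } # duration

  } # database.numerical_fields

  create_profile_wizard_options = {

    host_tracking = true

    # How the reports should be grouped in the report menu
    # NOTE(review): logging_device and syslog_priority are not declared in
    # database.fields above; presumably added by the syslog_required layer - confirm.
    report_groups = {

      date_time_group = ""

      source_group = {
        source_ip = true
        source_hostname = true
        source_port = true
        source_side = true
        user = true
        interface = true
        laddr_host = true
        laddr_port = true
        location = true
      }

      destination_group = {
        destination_ip = true
        destination_hostname = true
        destination_port = true
        destination_side = true
        url = true
        faddr_host = true
        faddr_port = true
        gaddr_host = true
        gaddr_port = true
        service_name = true
      }

      other_group = {
        logging_device = true
        syslog_priority = true
        operation = true
        direction = true
        message = true
        message_code = true
        protocol = true
        flags = true
        command = true
        type = true
        list = true
      }

    } # report_groups

  } # create_profile_wizard_options

  not_supported = {
    pageviews = true
  } # not_supported

} # cisco_pixios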