# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the IWI "CWAT" alert log.
# The log is comma-separated; the first line is a header naming the columns, and
# log.filter_preprocessor below turns that header into log-field definitions at
# parse time, so the column order in the file does not have to match this plugin.
# Two header shapes are recognised (see log.format.autodetect_expression): the
# alert log ("Site ID,Alert ID,Alert sequence,...") and the site-monitor summary
# ("Site ID,Site name,Node count,...").
cwat_alert = {
  plugin_version = "1.9.1"
  plugin_time = "3.0"
  info.1.manufacturer = "IWI"
  info.1.device = "CWAT"
  info.1.version.1 = "3.0a"

  # Change history
  # 2006-08-29 - GMF - 1.7 - Added graphs to user group reports
  # 2006-09-17 - GMF - 1.8 - Changed '[empty]' to 'All' for user group
  # 2007-07-23 - GMF - 1.8.1 - Added support for optional double quotes around header line.
  # 2007-07-23 - GMF - 1.8.2 - Added new field names
  # 2007-11-02 - gas - 1.8.3 - changed name to "CWAT Alert Log Format" from "CWAT Log Format"
  # 2009-06-03 - GMF - 1.9 - Added support for fields with unknown names, and fields with names containing dots.
  # 2009-06-09 - GMF - 1.9.1 - Defaulted to Jan 1, 2000 when no date available
  #   NOTE(review): the 2000-01-01 default is commented out in get_date_time below;
  #   either the changelog entry or the filter is out of date -- confirm which.

  # The name of the log format
  log.format.format_label = "CWAT Alert Log Format"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The optional leading '"' accepts header lines that are wrapped in double quotes (1.8.1).
  # Only a prefix of the header is matched, so extra trailing columns do not break detection.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, '^"?Site ID,Alert ID,Alert sequence,Alert date,Alert status code,Alert status,') or
    matches_regular_expression(volatile.log_data_line, '^"?Site ID,Site name,Node count,Last alert time,Alert level,Power ON,LOGON,Power OFF,HIGH,MEDIUM,LOW,Pending,Checking,Processed,No action')
  `

  # The format of dates and times in this log; the actual date/time strings are
  # picked out of the record by the get_date_time parsing filter below.
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Use comma as the field separator
  log.format.field_separator = ","

  # This handles the header ("Site ID,...") line and creates log fields from it.
  # Each header cell is normalised to a log-field name and given the positional
  # index of its column; fields that are not in the header get index 0 so they
  # are never populated from this file. The header line itself is rejected so it
  # is not parsed as data.
  #
  # NOTE(review): the header comes from the log file being processed, and the
  # normalised cell text ends up as a node name in the profile's config tree
  # ("profiles.<profile>.log.fields.<name>"). Only space, '(', ')', '/' and '.'
  # are rewritten, plus leading/trailing '_'; any other character in a header
  # cell reaches the node path unchanged. Worth confirming the config layer
  # tolerates arbitrary header text, since this format is fed by another product.
  log.filter_preprocessor = `
    ##echo("filter_preprocessor on: " . current_log_line());
    if (matches_regular_expression(current_log_line(), '^"?(Site ID,.*)$')) then (
      string fields = $1;
      # Strip surrounding double quotes from a quoted header line.
      # NOTE(review): the regex above already consumes an optional leading '"', so
      # $1 starts with "Site ID" and this '^"(.*)"$' test looks unreachable; on a
      # quoted header the closing '"' would stay attached to the last cell. Confirm
      # against a quoted sample before relying on v.header_line_in_quotes.
      if (matches_regular_expression(fields, '^"(.*)"$')) then (
        fields = $1;
        v.header_line_in_quotes = true;
      );
      ##echo("fields: " . fields);
      string fieldname;
      # 1-based column position of the next header cell.
      v.logfieldindex = 1;
      # Declared but not used anywhere in this block.
      string numerical_fields = "profiles." . internal.profile_name . ".database.numerical_fields";

      # Creates the log-field node for one header cell (if it does not exist yet)
      # and assigns it the current column index, then advances the index.
      # Parameter fieldname: the already-normalised field name.
      # Returns the log-field node.
      subroutine(set_log_field_index(string fieldname), (
        debug_message("set_log_field_index(" . fieldname . ") [index=" . v.logfieldindex . "]\n");
        # echo("set_log_field_index(" . fieldname . ") [index=" . v.logfieldindex . "]");
        string logfieldpath = "profiles." . internal.profile_name . ".log.fields." . fieldname;
        # echo("logfieldpath: " . logfieldpath);
        (logfieldpath . "") = "";
        # Create the node if it still does not exist (this is what makes header
        # columns with unknown names work, per the 1.9 changelog entry).
        if (!?logfieldpath) then (
          # echo("CREATING LOG FIELD");
          @("" . logfieldpath) = "";
        );
        # (logfieldpath . "") = "";
        node logfield = logfieldpath;
        set_subnode_value(logfield, "index", v.logfieldindex);
        v.logfieldindex++;
        set_subnode_value(logfield, "subindex", 0);
        # if (type ne '') then
        #   set_subnode_value(logfield, "type", type);
        logfield;
      ));

      # Reset all log fields to index 0, so they don't get populated unless they appear in this line
      node logfield;
      foreach logfield ("profiles." . internal.profile_name . ".log.fields") (
        set_subnode_value(logfield, 'index', 0);
      );

      # Extract the fields one at a time: peel off everything up to the next comma.
      # NOTE(review): the loop condition requires a comma after the cell, so a final
      # header cell that is not followed by a comma is never indexed. Confirm that
      # CWAT headers end with a trailing comma, or that the last column is unused.
      while (matches_regular_expression(fields, '^([^,]+),(.*)$')) (
        string unconverted_fieldname = $1;
        fields = $2;
        # "Location" is renamed so it maps to the cwat_location field used by the
        # user-group reports rather than clashing with alert_location.
        if (unconverted_fieldname eq "Location") then
          unconverted_fieldname = "CWAT Location";
        #echo("fieldname: " . fieldname);
        # Clean up the field name: lower-case, replace separators and dots with
        # '_' (dots would otherwise be read as node-path separators), and trim a
        # single leading/trailing '_'.
        fieldname = lowercase(unconverted_fieldname);
        fieldname = replace_all(fieldname, ' ', '_');
        fieldname = replace_all(fieldname, '(', '_');
        fieldname = replace_all(fieldname, ')', '_');
        fieldname = replace_all(fieldname, '/', '_');
        fieldname = replace_all(fieldname, '.', '_');
        if (starts_with(fieldname, '_')) then
          fieldname = substr(fieldname, 1);
        if (ends_with(fieldname, '_')) then
          fieldname = substr(fieldname, 0, length(fieldname) - 1);
        #echo("unconverted_fieldname: " . unconverted_fieldname);
        # Get the log field type
        # string log_field_type = '';
        # Set the index
        set_log_field_index(fieldname);
      ); # while another field

      # Don't parse the header line as a data line
      'reject';
    ); # if header line
  `

  log.parsing_filters = {
    # Picks the record's date/time from the first of these fields that parses as
    # "M/D/YYYY h:mm:ss AM|PM": alert_status_update_time, machine_time,
    # last_alert_time, alert_date (in that priority order).
    get_date_time = `
      if (matches_regular_expression(alert_status_update_time, '^([0-9/]+) ([0-9:]+ [AP]M)$')) then (
        date = $1;
        time = $2;
      );
      else if (matches_regular_expression(machine_time, '^([0-9/]+) ([0-9:]+ [AP]M)$')) then (
        date = $1;
        time = $2;
      );
      else if (matches_regular_expression(last_alert_time, '^([0-9/]+) ([0-9:]+ [AP]M)$')) then (
        date = $1;
        time = $2;
      );
      else if (matches_regular_expression(alert_date, '^([0-9/]+) ([0-9:]+ [AP]M)$')) then (
        date = $1;
        time = $2;
      );
      # Otherwise, reject
      # NOTE(review): this branch neither rejects nor assigns a default -- both the
      # "reject" wording above and the 1.9.1 "default to 2000-01-01" changelog entry
      # disagree with it. Records with no parsable timestamp fall through with
      # date/time unset; confirm what the intended behaviour is.
      else (
        # date = "2000-01-01";
        # time = "00:00:00";
      );
    `

    # Site-monitor records: total alerts = sum of the three severity counters.
    compute_alert_count = `alert_count = low + medium + high`

    # One-hot severity counters for the daily report. Anything that is neither
    # 'High' nor 'Medium' (including an empty alert_level) is counted as low.
    compute_priority_events = `
      if (alert_level eq 'High') then
        high_priority_events = 1;
      else if (alert_level eq 'Medium') then
        medium_priority_events = 1;
      else
        low_priority_events = 1;
    `

    # Month bucket for the monthly reports: "M" . "/YYYY" taken from an alert_date
    # of the form "M/D/YYYY <time>" (e.g. a constructed "8/29/2006 10:00:00 AM"
    # gives "8/2006"). The trailing space in the pattern means a bare date with no
    # time component is not bucketed.
    compute_alert_month = `
      if (matches_regular_expression(alert_date, "^([0-9]+)/[0-9]+(/[0-9]+) ")) then
        alert_month = $1 . $2;
    `
  } # log.parsing_filters

  # log.fields -- every field this format can produce. Indexes are assigned at
  # parse time from the header (see log.filter_preprocessor); the "# 10", "# 20"
  # markers are the column positions of the original alert-log layout.
  # A few names (site_id, alert_level, process_name, process_id) appear twice;
  # the later definitions presumably just redefine the same empty node.
  log.fields = {
    date = ""
    time = ""

    # Site Monitor fields
    site_id = ""
    site_name = ""
    node_count = ""
    last_alert_time = ""
    alert_level = ""
    power_on = ""
    logon = ""
    power_off = ""
    high = ""
    medium = ""
    low = ""
    pending = ""
    checking = ""
    processed = ""
    no_action = ""

    # computed site monitor fields
    alert_count = ""

    # Organization Monitor Log
    #(ALSO IN SITE LOG): site_id = "" # 1
    alert_id = ""
    alert_sequence = ""
    alert_date = ""
    alert_status_code = ""
    alert_status = ""
    process_id = ""
    thread_id = ""
    machine_time = ""
    sequence_number = "" # 10
    cwat_node_management_id = ""
    alert_ip = ""
    alert_location = ""
    mac_address = ""
    flag_under_om_management = ""
    process_name = ""
    log_number = ""
    alert_type = ""
    #(ALSO IN SITE LOG) alert_level = ""
    policy_id = "" # 20
    policy_category = ""
    policy_name = ""
    operation = ""
    suspicious_event_score = ""
    suspicious_event_day = ""
    suspicious_event_time = ""
    suspicious_event_score_statement = ""
    node_usage_type = ""
    logon_user = ""
    domain = "" # 30
    bus_discrimination_id = ""
    bus_peculiar_code = ""
    bus_identifier = ""
    bus_unique_code = ""
    device_discrimination_id = ""
    device_peculiar_code = ""
    device_identifier = ""
    device_unique_code = ""
    bus_status = ""
    output_file_size = ""
    output_file_name = ""
    startup_shutdown_process_name = ""
    window_name = ""
    source_file_name = "" # 40
    dest_file_name = ""
    install_app_name = ""
    dest_installation = ""
    book_name = ""
    keyword = ""
    screenshot_info = ""
    protocol = ""
    source_port = ""
    dest_port = ""
    source_address = "" # 50
    dest_address = ""
    sourcemac = ""
    dest_mac = ""
    communication_type = ""
    unregistered_node_ip = ""
    unregistered_node_mac = ""
    last_shutdown = ""
    packet_data = ""
    tampered_log_name = ""
    os_time_after_tamper = "" # 60
    hostname = ""
    machine_alert_id = ""
    alert_event_type = ""
    device_name = ""
    media_name = ""
    application_id = ""
    recipient = ""
    cc = ""
    bcc = ""
    sender = "" # 70
    subject = ""
    send_time = ""
    mail_size = ""
    mail_count = ""
    mail_body = ""
    attachment_presence = ""
    attach_name = ""
    attach_size = ""
    cwat_location = ""
    keyboard_operation = "" # 80
    clipboard_type = ""
    clipboard_information = ""
    alert_status_update_time = ""
    record_update_time = ""
    action_date = ""
    operator = ""
    action_contents_code = ""
    action_contents = ""
    action_result_code = ""
    action_result = "" # 90
    auto_mnl_action_code = ""
    auto_mnl_action = ""
    cwat_standard_time_action = ""
    sequence_number_action = ""
    alert_id_action = ""
    user_name_action = ""
    process_name = ""
    process_id = ""
    comment = ""
    update_time = "" # 100
    policy_version = ""
    virus_check_result_code = ""
    virus_check_result = ""
    virus_check_start_time = ""
    virus_check_complete_time = ""

    # Computed fields (set by log.parsing_filters)
    # managers_events = ""
    # partners_events = ""
    # normal_events = ""
    high_priority_events = ""
    medium_priority_events = ""
    low_priority_events = ""
    alert_month = ""
  } # log.fields

  # database.fields -- the non-numeric fields kept in the report database.
  # Several of these carry the alert's captured content rather than metadata
  # (mail_body, packet_data, clipboard_information, keyboard_operation,
  # screenshot_info, plus user identifiers such as logon_user); the generated
  # database and reports therefore need the same access restrictions as the
  # source log.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""

    # Site Monitor fields
    site_id = ""
    site_name = ""
    last_alert_time = ""
    alert_level = ""
    power_on = ""
    logon = ""
    power_off = ""
    high = ""
    medium = ""
    low = ""
    pending = ""
    checking = ""
    processed = ""
    no_action = ""

    # Organization Monitor Log
    #(ALSO IN SITE LOG) site_id = ""
    alert_id = ""
    alert_sequence = ""
    alert_date = ""
    alert_status_code = ""
    alert_status = ""
    process_id = ""
    thread_id = ""
    machine_time = ""
    sequence_number = ""
    cwat_node_management_id = ""
    alert_ip = ""
    alert_location = ""
    mac_address = ""
    flag_under_om_management = ""
    process_name = ""
    log_number = ""
    alert_type = ""
    #(ALSO IN SITE LOG) alert_level = ""
    policy_id = ""
    policy_category = ""
    policy_name = ""
    operation = ""
    suspicious_event_score = ""
    suspicious_event_day = ""
    suspicious_event_time = ""
    suspicious_event_score_statement = ""
    node_usage_type = ""
    logon_user = ""
    domain = ""
    bus_discrimination_id = ""
    bus_peculiar_code = ""
    device_discrimination_id = ""
    device_peculiar_code = ""
    bus_status = ""
    output_file_size = ""
    output_file_name = ""
    startup_shutdown_process_name = ""
    window_name = ""
    source_file_name = ""
    dest_file_name = ""
    install_app_name = ""
    dest_installation = ""
    book_name = ""
    keyword = ""
    screenshot_info = ""
    protocol = ""
    source_port = ""
    dest_port = ""
    source_address = ""
    dest_address = ""
    sourcemac = ""
    dest_mac = ""
    communication_type = ""
    unregistered_node_ip = ""
    unregistered_node_mac = ""
    last_shutdown = ""
    packet_data = ""
    tampered_log_name = ""
    os_time_after_tamper = ""
    hostname = ""
    machine_alert_id = ""
    alert_event_type = ""
    device_name = ""
    media_name = ""
    application_id = ""
    recipient = ""
    cc = ""
    bcc = ""
    sender = ""
    subject = ""
    send_time = ""
    mail_size = ""
    mail_count = ""
    mail_body = ""
    attachment_presence = ""
    attach_name = ""
    attach_size = ""
    cwat_location = ""
    keyboard_operation = ""
    clipboard_type = ""
    clipboard_information = ""
    alert_status_update_time = ""
    record_update_time = ""
    action_date = ""
    operator = ""
    action_contents_code = ""
    action_contents = ""
    action_result_code = ""
    action_result = ""
    auto_mnl_action_code = ""
    auto_mnl_action = ""
    cwat_standard_time_action = ""
    sequence_number_action = ""
    alert_id_action = ""
    user_name_action = ""
    process_name = ""
    process_id = ""
    comment = ""
    update_time = ""
    policy_version = ""
    virus_check_result_code = ""
    virus_check_result = ""
    virus_check_start_time = ""
    virus_check_complete_time = ""

    # custom fields
    alert_month = ""
  } # database.fields

  # database.numerical_fields -- the aggregated counters shown in reports.
  database.numerical_fields = {
    # One per log record; set by the mark_entry log filter below.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # Byte sizes, displayed with bandwidth-style units.
    output_file_size = {
      type = "float"
      display_format_type = "bandwidth"
    }
    attach_size = {
      type = "float"
      display_format_type = "bandwidth"
    }
    # Counters taken from the site-monitor log / get_date_time filters; an empty
    # spec presumably means the default numeric type.
    alert_count = ""
    node_count = ""
    # managers_events = ""
    # partners_events = ""
    # normal_events = ""
    high_priority_events = ""
    medium_priority_events = ""
    low_priority_events = ""
  } # database.numerical_fields

  # log.filters -- record-level filters. Only user_group and mark_entry are
  # active; the rest are kept as commented-out history.
  log.filters = {
    # ignore_empty_policy_id = `if (policy_id eq '(empty)') then 'reject'`
    # ignore_empty_alert_level = `if (alert_level eq '(empty)') then 'reject'`
    # ignore_empty_action_contents = `if (action_contents eq '(empty)') then 'reject'`
    # alert_level = `if (alert_level eq '(empty)') then alert_level = '[empty]'`
    # Records with no location are reported under the 'All' user group (1.8).
    user_group = `if (cwat_location eq '(empty)') then cwat_location = 'All'`
    # categorize_events = `
    ## Not sure how to categorize events yet; for now, leave them all 0
    #managers_events = 0;
    #partners_events = 0;
    #normal_events = 0;
    #`
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    manual_reports_menu = true
    report_groups = {
      overview.type = "overview"
      date_time_group = {
        items = {
          date_time = {
            label = "Years/months/days"
            graph_field = "events"
            only_bottom_level_items = false
          }
          days = {
            label = "Days"
            database_field_name = "date_time"
            graph_field = "events"
          }
          day_of_week = {
            graph_field = "events"
          }
          hour_of_day = {
            graph_field = "events"
          }
        }
      } # date_time_group

      # Section 3.1 in requirements doc
      sites_summary = {
        label = "Sites Summary"
        columns = {
          0.field_name = "site_name"
          1.field_name = "node_count"
          2 = {
            field_name = "alert_count"
            show_graph = true
          }
        } # columns
        graphs.graph_type = "pie"
        pie_chart = true
      } # sites_summary

      # Section 3.2 in requirements doc 0.5
      policy_summary = {
        label = "Policy Summary"
        columns = {
          0.field_name = "policy_id"
          1.field_name = "policy_name"
          2.field_name = "cwat_location"
          3.field_name = "alert_level"
          4.field_name = "events"
        } # columns
      } # policy_summary

      # Section 3.3 in requirements doc 0.5
      action_summary = {
        label = "Action Summary"
        columns = {
          0.field_name = "policy_id"
          1.field_name = "policy_name"
          2.field_name = "cwat_location"
          3.field_name = "action_contents"
          4.field_name = "events"
        } # columns
      } # action_summary

      ##
      ## ALERTS BY PRIORITY GROUP
      ##
      # Three copies of the same policy breakdown, one per alert_level value.
      alerts_by_priority_group = {
        items = {
          # Section 3.4 in requirements doc 0.5
          high_priority_alerts = {
            label = "High Priority Alerts"
            filter = "alert_level within 'High'"
            columns = {
              0.field_name = "policy_id"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            graphs.graph_type = "pie"
            pie_chart = true
          } # high_priority_alerts

          # Section 3.4 in requirements doc 0.5
          medium_priority_alerts = {
            label = "Medium Priority Alerts"
            filter = "alert_level within 'Medium'"
            columns = {
              0.field_name = "policy_id"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            graphs.graph_type = "pie"
            pie_chart = true
          } # medium_priority_alerts

          # Section 3.4 in requirements doc 0.5
          low_priority_alerts = {
            label = "Low Priority Alerts"
            filter = "alert_level within 'Low'"
            columns = {
              0.field_name = "policy_id"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            graphs.graph_type = "pie"
            pie_chart = true
          } # low_priority_alerts
        } # items
      } # alerts_by_priority_group

      ##
      ## ALERTS BY USERGROUPS
      ##
      # Per-location (cwat_location) breakdown, one report per alert_level value.
      alerts_by_usergroup_group = {
        items = {
          # Section 3.3 in requirements doc
          user_group_high_priority_alerts = {
            label = "User Group High Priority Alerts"
            filter = "alert_level within 'High'"
            columns = {
              0.field_name = "cwat_location"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            subtable = true
          } # user_group_high_priority_alerts

          # Section 3.3 in requirements doc
          user_group_medium_priority_alerts = {
            label = "User Group Medium Priority Alerts"
            filter = "alert_level within 'Medium'"
            columns = {
              0.field_name = "cwat_location"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            subtable = true
          } # user_group_medium_priority_alerts

          # Section 3.3 in requirements doc
          user_group_low_priority_alerts = {
            label = "User Group Low Priority Alerts"
            filter = "alert_level within 'Low'"
            columns = {
              0.field_name = "cwat_location"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            subtable = true
          } # user_group_low_priority_alerts
        } # items
      } # alerts_by_usergroup_group

      ##
      ## MONTHLY ALERTS
      ##
      # Grouped on alert_month, which compute_alert_month derives from alert_date.
      alerts_by_month_group = {
        items = {
          # Section 3.6 in requirements doc
          monthly_high_priority_alerts = {
            label = "Monthly High Priority Alerts"
            filter = "alert_level within 'High'"
            columns = {
              0.field_name = "alert_month"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            subtable = true
          } # monthly_high_priority_alerts

          # Section 3.6 in requirements doc
          monthly_medium_priority_alerts = {
            label = "Monthly Medium Priority Alerts"
            filter = "alert_level within 'Medium'"
            columns = {
              0.field_name = "alert_month"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            subtable = true
          } # monthly_medium_priority_alerts

          # Section 3.6 in requirements doc
          monthly_low_priority_alerts = {
            label = "Monthly Low Priority Alerts"
            filter = "alert_level within 'Low'"
            columns = {
              0.field_name = "alert_month"
              1.field_name = "policy_name"
              2 = {
                field_name = "events"
                show_graph = true
              }
            } # columns
            subtable = true
          } # monthly_low_priority_alerts
        } # items
      } # alerts_by_month_group

      # Section 3.7 in requirements doc v0.5
      # Per-day totals plus the three severity counters from compute_priority_events.
      daily_alerts = {
        label = "Daily Alerts"
        columns = {
          0.field_name = "date_time"
          1 = {
            field_name = "events"
            show_graph = true
          }
          2 = {
            field_name = "high_priority_events"
            show_graph = true
          }
          3 = {
            field_name = "medium_priority_events"
            show_graph = true
          }
          4 = {
            field_name = "low_priority_events"
            show_graph = true
          }
        } # columns
      } # daily_alerts

      # Section 3.6 in requirements doc
      # Ranks logon_user by event count; the filter restricts this to 'High' alerts only.
      top_ten_violators = {
        label = "Top 10 Violators"
        filter = "alert_level within 'High'"
        columns = {
          0.field_name = "logon_user"
          1.field_name = "policy_name"
          2.field_name = "events"
        } # columns
        subtable = true
      } # top_ten_violators
    } # report_groups

    # Runs at the end of the profile-creation wizard: adds the standard report
    # set, the single-page summary and the log-detail report to the new profile.
    final_step = `
      include "templates.admin.profiles.setup_reports_util";
      string profile = "profiles." . volatile.new_profile_name;
      add_standard_reports(profile);
      # Add the single-page summary
      add_single_page_summary(profile);
      # Add the log detail report
      add_log_detail_report(profile);
    `
  } # create_profile_wizard_options
} # cwat_alert