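# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for FortiGate firewall logs delivered over syslog
# with comma-separated "key=value" pairs in the message body.  Everything below
# hangs off the single plugin table forti_gate_comma_sep.
forti_gate_comma_sep = {

  plugin_version = "1.3"

  info.1.manufacturer = "Fortinet"
  info.1.device = "FortiGate Firewall (comma separated)"
  info.1.version = ""

  # Revision history
  # - 1.0 - - Initial creation.
  # 2008-04-10 - 1.1 - KBB - Added new fields and groups and expanded autodetect regular expression.
  # 2009-12-17 : 1.2 : gas : changed pri to priority as v8 complained about not finding priority in profile.log.fields (?!)
  # 2010-10-05 - 1.3 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "FortiGate Comma Separated Log Format"
  # Entries must arrive wrapped in a syslog header; the message body is parsed below.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Sample line (IP and serial numbers are illustrative):
  #2008-02-27 05:55:59,Local7.Notice,11.11.11.11,"date=2008-02-27,time=05:48:07,devname=FG100A3907505968,device_id=FG100A3907505968,log_id=0317099510,..."
  # Previous (1.0) expression, kept for reference: it did not allow an optional devname pair
  # between the time and device_id pairs.
  #log.format.autodetect_regular_expression = "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9],time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9],device_id=[^ ]+,log_id=[^ ]+,"
  # NOTE(review): the "[^ ]+" classes stop only at a space, so the devname/device_id/log_id
  # values may span commas; this is fine for detection but it is not a strict field grammar.
  log.format.autodetect_regular_expression = "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9],time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9],(devname=[^ ]+,)?device_id=[^ ]+,log_id=[^ ]+,"

  # All log field parsing will be done using the parsing filters; no positional
  # format string is used, so every value comes from log.parsing_filters.parse.
  log.format.parse_only_with_filters = "true"

  # Log fields
  # One entry per key that may appear in the FortiGate message body.  Keys not
  # listed here are dropped by the parser.  hostname and url carry a field type
  # so Sawmill treats them as a host name and a page path respectively.
  log.fields = {
    attack_id = ""
    device_id = ""
    dir_disp = ""
    dst = ""
    dst_int = ""
    dst_port = ""
    dstname = ""
    duration = ""
    icmp_code = ""
    icmp_id = ""
    icmp_type = ""
    log_id = ""
    message = ""
    msg = ""
    policyid = ""
    fw_pri = ""
    proto = ""
    rcvd = ""
    rcvd_pkt = ""
    rule = ""
    sent = ""
    sent_pkt = ""
    service = ""
    sn = ""
    src = ""
    src_int = ""
    src_port = ""
    srcname = ""
    status = ""
    subtype = ""
    tran_disp = ""
    tran_ip = ""
    tran_port = ""
    type = ""
    vd = ""
    vpn = ""
    action = ""
    adgroup = ""
    aven = ""
    cat = ""
    cat_desc = ""
    devname = ""
    dport = ""
    fcni = ""
    fdni = ""
    ftp = ""
    group = ""
    hostname.type = "host"
    http = ""
    idsdb = ""
    idsmn = ""
    imap = ""
    libav = ""
    method = ""
    pop3 = ""
    reason = ""
    serial = ""
    smtp = ""
    sport = ""
    ui = ""
    url.type = "page"
    user = ""
    virdb = ""
  } # log.fields

  # Log Parsing Filters
  # Splits the syslog message body on ',' into key=value pairs (divided on '=')
  # and stores each under the log field of the same name.  The mapping argument
  # renames the FortiGate "time" and "date" keys to devicetime/devicedate so
  # the device's own clock is used for the entry; device_id keeps its name.
  # NOTE(review): a value that itself contains a literal comma (free-text msg is
  # the likely case) is presumably cut at that comma by this split — confirm how
  # collect_listed_fields handles quoted values before relying on msg contents.
  log.parsing_filters.parse = `
# Parse out the comma-separated, =-divided variables
collect_listed_fields('', v.syslog_message, ',', '=', 'time=devicetime|date=devicedate|device_id=device_id');
accept_collected_entry('', false);
`

  # Database fields
  # Parsed fields that are persisted for reporting.  attack_id, icmp_id, log_id
  # and message are collected from the log line (see log.fields) but deliberately
  # not stored; uncomment them here if they are needed in reports.  file_type has
  # no log field of its own — presumably derived from the url field declared with
  # type = "page" above; confirm before adding it to other formats.
  database.fields = {
    #attack_id = ""
    device_id = ""
    dir_disp = ""
    dst = ""
    dst_int = ""
    dst_port = ""
    dstname = ""
    duration = ""
    icmp_code = ""
    #icmp_id = ""
    icmp_type = ""
    #log_id = ""
    #message = ""
    msg = ""
    policyid = ""
    fw_pri = ""
    proto = ""
    rcvd = ""
    rcvd_pkt = ""
    rule = ""
    sent = ""
    sent_pkt = ""
    service = ""
    sn = ""
    src = ""
    src_int = ""
    src_port = ""
    srcname = ""
    status = ""
    subtype = ""
    tran_disp = ""
    tran_ip = ""
    tran_port = ""
    type = ""
    vd = ""
    vpn = ""
    action = ""
    adgroup = ""
    aven = ""
    cat = ""
    cat_desc = ""
    devname = ""
    dport = ""
    fcni = ""
    fdni = ""
    ftp = ""
    group = ""
    hostname = ""
    http = ""
    idsdb = ""
    idsmn = ""
    imap = ""
    libav = ""
    method = ""
    pop3 = ""
    reason = ""
    serial = ""
    smtp = ""
    sport = ""
    ui = ""
    url = ""
    file_type = ""
    user = ""
    virdb = ""
  } # database.fields

  # Log Filters
  # mark_entry sets the accesses counter to 1 on every accepted entry so the
  # "accesses" numerical field below counts log lines.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields.  Every field that sums a log value declares
  # requires_log_field = true and names its source with log_field.
  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = false
      requires_log_field = true
      log_field = "rcvd"
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
    # NOTE(review): the packet counters reuse the bandwidth display format, so they
    # render with byte units — presumably intentional, confirm with report owners.
    sent_pkt = {
      label = "$lang_stats.field_labels.sent_pkt"
      default = false
      requires_log_field = true
      log_field = "sent_pkt"
      type = "float"
      display_format_type = "bandwidth"
    } # sent_pkt
    rcvd_pkt = {
      label = "$lang_stats.field_labels.rcvd_pkt"
      default = false
      requires_log_field = true
      log_field = "rcvd_pkt"
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd_pkt
    # Values quoted and log_field made explicit to match the other entries in
    # this table; the original left them bare and relied on the implicit name.
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = true
      log_field = "duration"
      type = "int"
      display_format_type = "duration_milliseconds"
    } # duration
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      # Device / policy identity
      server_group = {
        device_id = true
        type = true
        subtype = true
        fw_pri = true
        rule = true
      }
      # Connection source
      source_group = {
        src = true
        srcname = true
        src_port = true
        src_int = true
      }
      # Connection destination, including NAT-translated address and port
      destination_group = {
        dst = true
        dstname = true
        dst_port = true
        dst_int = true
        tran_ip = true
        tran_port = true
      }
      # Web content and category
      content_group = {
        url = true
        file_type = true
        cat = true
        cat_desc = true
      }
      users_group = {
        user = true
        group = true
      }
      # Everything not fitting the groups above
      other_group = {
        icmp_type = true
        icmp_code = true
        status = true
        proto = true
        service = true
        sn = true
        vd = true
        policyid = true
        msg = true
        vpn = true
        dir_disp = true
        tran_disp = true
        action = true
        adgroup = true
        aven = true
        devname = true
        dport = true
        fcni = true
        fdni = true
        ftp = true
        hostname = true
        http = true
        idsdb = true
        idsmn = true
        imap = true
        libav = true
        method = true
        pop3 = true
        reason = true
        serial = true
        smtp = true
        sport = true
        ui = true
        virdb = true
      }
    } # report_groups

  } # create_profile_wizard_options

} # forti_gate_comma_sep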