# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Novell iChain access logs written in the
# W3C Extended format. It declares how the log is recognised, how dates
# and times are laid out, which parsing/log filters are applied to each
# entry, and which database fields and reports are created for a profile.
i_chain = {
  plugin_version = "1.2"
  info.1.manufacturer = "Novell"
  info.1.device = "iChain (W3C Extended)"
  info.1.version.1 = "2.3"

  # Change history
  # 2007-03-22 10:10 : 1.1beta : gas : added support for v2.3 logs (almost a complete re-write)
  # 2007-09-14 - 1.1 - KBB - renumbered per new beta policy
  # 2010-10-01 - 1.2 - MSG - Edited info lines

  # The name of the log format
  log.format.format_label = "Novell iChain Extended (W3C) Web Server Log Format"
  log.miscellaneous.log_data_type = "generic_w3c"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression
  # (the W3C "#Software:" header line emitted by iChain).
  log.format.autodetect_regular_expression = "^#Software: iChain"

  # The format of dates and times in this log
  log.format.date_format = "yyyy-mm-dd"
  log.format.time_format = "hh:mm:ss"

  # Don't track these fields as discrete database fields.
  # The original author (gas) was unsure why these were omitted; uncomment/edit
  # if they really should be tracked. Before re-adding cs_uri_query, note that
  # query strings routinely carry session tokens, credentials and other personal
  # data, so keeping it out of the database is a sensible data-minimisation
  # default. sc_bytes is still aggregated through the numerical field defined
  # further down; presumably this list only affects the auto-created
  # (non-numerical) fields - confirm against the Sawmill documentation.
  auto_setup.omit_database_fields = "sc_bytes,cs_bytes,time_taken,cs_uri_query"

  # Get search engine and search phrase information from the referrer field (before it gets simplified).
  log.parsing_filters.compute_se_sp = {
    value = `if (get_search_engine_info(referrer)) then (
      search_engine = volatile.search_engine;
      search_phrase = volatile.search_phrase;
    );
    `
    requires_fields = {
      referrer = true
    }
  }

  # Get web browser, operating system, and spider information from the user-agent field.
  # iChain writes spaces in the User-Agent as '+', so they are restored before lookup.
  log.parsing_filters.derive_from_user_agent = {
    value = `get_user_agent_info(replace_all(cs_user_agent, '+', ' '));
      web_browser = volatile.web_browser;
      operating_system = volatile.operating_system;
      spider = volatile.spider;
    `
    requires_fields = {
      cs_user_agent = true
    }
  }

  # Reject log_analysis_screen_info lines that are not populated; they are not parsed correctly.
  # NOTE(review): the pattern is tested against the whole raw line via current_log_line(),
  # so any entry whose URL, query, referrer or User-Agent happens to contain one of these
  # substrings is rejected too - a client can make its own requests disappear from the
  # statistics. The dots are also unescaped and so match any character. If that matters,
  # anchor the test to the specific field that carries the screen-info data instead.
  log.parsing_filters.log_analysis_screen_info_clean = {
    value = `if(matches_regular_expression(current_log_line(), '(screen.colorDepth|screen.height|screen.width)')) then 'reject';`
  } # log_analysis_screen_info_clean

  # Log Filters
  log.filters = {

    # Filters 1-6 below are the original per-field "ip/port" splitters. They were folded
    # into the single pre_v23_backward_compatability filter that follows and are kept only
    # for reference.
#    1 = {
#      label = "1"
#      comment = ""
#      value = "if (matches_regular_expression(src_port, '^[0-9.]+/([0-9]+)$')) then src = $1;"
#      requires_fields = {
#        src_port = true
#        src = true
#      }
#    } # 1
#    2 = {
#      label = "2"
#      comment = ""
#      value = "if (matches_regular_expression(src, '^([0-9.]+)/[0-9]+$')) then src = $1;"
#      requires_fields = {
#        src = true
#      }
#    } # 2
#    # Extract the IP and port from dst
#    3 = {
#      label = "3"
#      comment = ""
#      value = "if (matches_regular_expression(dst_port, '^[0-9.]+/([0-9]+)$')) then dst = $1;"
#      requires_fields = {
#        dst_port = true
#        dst = true
#      }
#    } # 3
#
#    4 = {
#      label = "4"
#      comment = ""
#      value = "if (matches_regular_expression(dst, '^([0-9.]+)/[0-9]+$')) then dst = $1;"
#      requires_fields = {
#        dst = true
#      }
#    } # 4
#
#    # Extract the IP and port from svsrc
#    5 = {
#      label = "5"
#      comment = ""
#      value = "if (matches_regular_expression(svsrc_port, '^[0-9.]+/([0-9]+)$')) then svsrc = $1;"
#      requires_fields = {
#        svsrc_port = true
#        svsrc = true
#      }
#    } # 5
#
#    6 = {
#      label = "6"
#      comment = ""
#      value = "if (matches_regular_expression(svsrc, '^([0-9.]+)/[0-9]+$')) then svsrc = $1;"
#      requires_fields = {
#        svsrc = true
#      }
#    } # 6

    # Support for logs written before iChain 2.3, where src/dst/svsrc carry "ip/port".
    # The patterns only match dotted-decimal (IPv4) values; anything else is left untouched.
    # NOTE(review): for each pair, the first statement copies the *port* capture ($1 of
    # '^[0-9.]+/([0-9]+)$') from the *_port field into the plain field (src/dst/svsrc), and
    # the second then only re-parses that plain field if it still looks like "ip/port".
    # This reads like a copy/paste slip, but the pre-2.3 field layout is not visible here -
    # verify against a real pre-2.3 log before relying on src/dst/svsrc from this path.
    pre_v23_backward_compatability = {
      label = "Pre iChain v2.3 filter"
      comment = "This filter supports an older format"
      value = `if (matches_regular_expression(src_port, '^[0-9.]+/([0-9]+)$')) then src = $1;
        if (matches_regular_expression(src, '^([0-9.]+)/[0-9]+$')) then src = $1;
        if (matches_regular_expression(dst_port, '^[0-9.]+/([0-9]+)$')) then dst = $1;
        if (matches_regular_expression(dst, '^([0-9.]+)/[0-9]+$')) then dst = $1;
        if (matches_regular_expression(svsrc_port, '^[0-9.]+/([0-9]+)$')) then svsrc = $1;
        if (matches_regular_expression(svsrc, '^([0-9.]+)/[0-9]+$')) then svsrc = $1;`
      requires_fields = {
        src_port = true
        src = true
        dst_port = true
        dst = true
        svsrc_port = true
        svsrc = true
      }
    } # pre_v23_backward_compatability

    # Replace the W3C "no value" marker in cs(username) with a readable placeholder.
    not_authenticated = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "$lang_admin.log_filters.not_authenticated_comment"
      value = "if (cs_authname eq '-') then cs_authname = '(not authenticated)';"
      requires_fields = {
        cs_authname = true
      }
    } # not_authenticated

    # Strip a trailing ":port" from the client IP so visitors are keyed on the address alone.
    # Only dotted-decimal addresses match; a value containing other characters (e.g. IPv6)
    # is left as-is, port and all.
    ip_port_sep = {
      label = "Port remover"
      comment = "This filter removes the port info from IP field"
      value = "if (matches_regular_expression(c_ip, '^([0-9.]+):[0-9]+$')) then c_ip = $1;"
      requires_fields = {
        c_ip = true
      }
    } # ip_port_sep

    # Reduce the referrer to scheme://host/ plus "(omitted)"; a bare '-' becomes "(no referrer)".
    # Runs after compute_se_sp, which needs the full referrer.
    simplify_referrer = {
      label = "$lang_admin.log_filters.simplify_referrer_label"
      comment = "$lang_admin.log_filters.simplify_referrer_comment"
      value = "if (referrer eq '-') then referrer = '(no referrer)' else if (matches_regular_expression(referrer, '^([^:]+://[^/]+/)')) then referrer = $1 . '(omitted)'"
      requires_fields = {
        referrer = true
      }
    } # simplify_referrer

    # Collapse referrers from your own site. Disabled because 'mydomain.com/' is a
    # placeholder that must be replaced with the real host before enabling. Note that
    # contains() is a substring test, so 'notmydomain.com/' would match as well - use a
    # more specific pattern (e.g. the full 'scheme://host/' prefix) if that is a concern.
    internal_referrer = {
      label = "$lang_admin.log_filters.internal_referrer_label"
      comment = "$lang_admin.log_filters.internal_referrer_comment"
      value = "if (contains(referrer, 'mydomain.com/')) then referrer = '(internal referrer)';"
      disabled = true
      requires_fields = {
        referrer = true
      }
    } # internal_referrer

    # When the worm field holds a detected worm name, replace the page with "(worm)" so
    # worm probes do not pollute the page reports. Values beginning with '(' (presumably
    # the "(no worm)"-style placeholder) are left alone.
    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else cs_uri_stem = '(worm)';"
      requires_fields = {
        cs_uri_stem = true
        worm = true
      }
    } # set_page_for_worm

    # Replace an empty ('-') query string with a readable placeholder. Disabled by default.
    empty_uri_query = {
      label = "$lang_admin.log_filters.empty_uri_query_label"
      comment = "$lang_admin.log_filters.empty_uri_query_comment"
      value = "if (cs_uri_query eq '-') then cs_uri_query = '(empty)';"
      disabled = true
      requires_fields = {
        cs_uri_query = true
      }
    } # empty_uri_query

    # This filter tacks the page parameters ("URL query") onto the end of the page field.
    # Disabled by default; enabling it copies whatever is in the query string (which may
    # include session tokens or other sensitive parameters) into the stored page field.
    add_cs_uri_query = {
      label = "$lang_admin.log_filters.add_cs_uri_query_label"
      comment = "$lang_admin.log_filters.add_cs_uri_query_comment"
      value = "cs_uri_stem = cs_uri_stem . '?' . cs_uri_query"
      disabled = true
      requires_fields = {
        cs_uri_query = true
        cs_uri_stem = true
      }
    } # add_cs_uri_query

    # Truncate the page field after the first '?' and append "(parameters)".
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(page, '?')) then page = substr(page, 0, index(page, '?') + 1) . '(parameters)';"
      requires_fields = {
        page = true
      }
    } # remove_query

    # Mark requests for static assets (images, CSS, Flash, JavaScript) as non-page-views.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    # For non-page-views keep only the directory part of the page and append "(nonpage)".
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then page = substr(page, 0, last_index(page, '/') + 1) . '(nonpage)';"
      requires_fields = {
        page = true
      }
    } # strip_non_page_views

    # Every accepted entry counts as one hit.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;'
    } # mark_entry

  } # log.filters

  # Session tracking: sessions are keyed on the client IP and the page is cs_uri_stem.
  # NOTE(review): if iChain sits behind a proxy or NAT, c_ip may be the proxy's address
  # rather than the end client's, in which case sessions/visitors will be undercounted.
  log.field_options = {
    # have reset this to cs_uri_stem, if you need page, uncomment this line
    # sessions_page_field = "page"
    sessions_page_field = "cs_uri_stem"
    # have changed this to c_ip, if you need src, uncomment this line
    # sessions_visitor_id_field = "src"
    sessions_visitor_id_field = "c_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    # One per accepted log entry (set by the mark_entry filter).
    hits = {
      label = "$lang_stats.field_labels.hits"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # hits
    # Set by detect_page_views: 1 for page requests, 0 for static assets.
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views
    # Unique client IPs (after ip_port_sep has stripped any port suffix).
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      # uncomment this line for "src" as visitors
      # log_field = "src"
      log_field = "c_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    # Bytes sent to the client, shown as bandwidth.
    sc_bytes = {
      label = "$lang_stats.field_labels.sc_bytes"
      default = false
      log_field = "sc_bytes"
      requires_log_field = true
      type = "float"
      display_format_type = "bandwidth"
    } # sc_bytes
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        file_type = true
        cs_uri_stem = true
      }
      visitor_demographics_group = {
        c_ip = true
        cs_authname = true
        domain_description = true
        location = true
      }
      visitor_systems_group = {
        screen_dimensions = true
        screen_depth = true
        web_browser = true
        operating_system = true
      }
      referrer_group = {
        referrer = true
        search_engine = true
        search_phrase = true
        referrer_description = true
        search_phrase_by_search_engine = true
      }
      server_group = {
        s_sitename = true
        s_computername = true
        s_ip = true
        s_port = true
        cs_host = true
      }
      # NOTE(review): cs_cookie is reported here. If the iChain logs include the full
      # cs(Cookie) value, this report will surface raw cookie contents (which may
      # include session identifiers) to anyone who can view the profile - consider
      # whether that report should be enabled.
      other_group = {
        c_version = true
        spider = true
        worm = true
        cs_method = true
        sc_status = true
        sc_substatus = true
        sc_win32_status = true
        cs_cookie = true
      }
    } # report_groups
  } # create_profile_wizard_options

  not_supported = {
  } # not_supported

} # i_chain