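# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Palo Alto Networks firewall TRAFFIC logs
# received through syslog (log_data_type = "syslog_required": the syslog
# wrapper strips the header and hands the payload to this plugin as
# v.syslog_message, with the header timestamp available as the collected
# 'date_time' field).
#
# Reviewer notes (see the parse filter below for details):
#   * The log line is split on commas; free-text fields (rule, user, app,
#     zone, interface, logset, category) are matched as [^,]*, so a value
#     containing a comma shifts every later field. Lines that do not match
#     the full regular expression are not accepted and are silently skipped.
#   * The repeat count taken from the log drives a line-insertion loop with
#     no upper bound. A corrupt or hostile line with a huge count inserts
#     that many copies; see the NOTE(review) at the loop.
#   * When the log carries no year, the year is borrowed from the syslog
#     header, so entries generated just before midnight on Dec 31 but
#     received after it are stamped with the new year.

palo_alto_networks_firewall_traffic = {

  plugin_version = "1.3.1"

  info.1.manufacturer = "Palo Alto Networks"
  info.1.device = "Firewall (Traffic)"
  info.1.version.1 = "1.3"
  info.1.version.2 = "2.0"
  info.1.version.3 = "3.0"
  info.1.version.4 = "3.1"

  # 2009-04-01 - KBB - 1.0 - Initial implementation, based on palo_alto_networks_firewall_threat.
  # 2009-07-08 - KBB - 1.1 - Added support for time format with year.
  # 2010-08-23 - Benson - 1.2 - Fixed for correct log format from syslog-ng.
  # 2010-09-22 - KBB - 1.3 - Backed out 1.2. Greg had added support for the missing 1,date already in
  #   palo_alto_networks_firewall_threat.cfg and for threat in palo_alto_networks_firewall_integrated.cfg.
  #   I extended it to traffic and added it here. Getting the year from the syslog header and the date and
  #   time from the log are supported as long as time_generated is used, which is Palo Alto's preference.
  #   This version is now in sync with palo_alto_networks_firewall_integrated.cfg.
  # 2010-10-05 - MSG - 1.2.1 - Edited info lines.
  # 2011-02-11 - KBB - 1.3.1 - Changed support for missing 1,date to make space following those optional
  #   to fix bug where some logs with those missing do not parse properly.
  # (review) - Removed the duplicate time_received key in other_group; fixed comment typos;
  #   added the reviewer notes, no parsing change.

  # The name of the log format
  log.format.format_label = "Palo Alto Networks Firewall Traffic Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The first date after the syslog header is being ignored because I'm not sure it is always there. KBB
  #
  # Sample lines (syslog header first, then the PAN-OS payload):
  #Jun 3 13:44:20 10.0.10.10 Jun 03 13: 44:20 1,06/03 13:44:20,0001a100200,TRAFFIC,start,8,06/03 13:44:19,10.0.10.11,16.166.16.66,0.0.0.0,0.0.0.0,mike,,,ntp,vsys1,l2-lan-trust,l2-lan-untrust,ethernet1/12,ethernet1/11,Forward to Mike,06/03 13:44:20,490821,1,123,123,0,0,0x0,udp,allow,90,90,90,1,06/03 13:44:20,0,any,0
  #2009-07-01 22:45:26 User.Info 10.222.2.222 Jul 1 22:45:26 1,2009/07/01 22:45:26,0002A100461,TRAFFIC,end,5,2009/07/01 22:45:24,22.122.2.122,10.222.2.122,0.0.0.0,0.0.0.0,Permit Any In,,,incomplete,vsys1,outside,inside,ethernet1/1,ethernet1/2,Log_to_KIWI_Sawmill,2009/07/01 22:45:25,313521,1,1247,81,0,0,0x0,tcp,allow,440,440,440,7,2009/07/01 22:44:52,30,any,0<000>
  # layered syslogs and no 1,[0-9]{4}...
  #2010-06-22 13:17:50 Local7.Info 192.168.66.66 Jun 22 13:17:59 1,2010/06/22 13:17:59,0003C100949,TRAFFIC,end,117,2010/06/22 13:17:58,192.168.44.44,168.95.2.2,99.120.42.42,169.99.1.1,rule3,,,dns,vsys1,net.14-trust,net.13.14-untru,ethernet1/6,ethernet1/5,traffic-log,2010/06/22 13:17:58,141355,1,50878,53,33043,53,0x40,udp,allow,217,217,217,2,2010/06/22 13:17:27,1,any,0

  # Autodetect signature: a time, a serial, the literal TRAFFIC and a start/end
  # subtype. This is deliberately loose (it ignores the optional leading
  # "1,date" group); it only decides which plugin is offered for the file,
  # the full regular expression in the parse filter still has to match.
  log.format.autodetect_regular_expression = "[0-9]{2}:[0-9]{2}:[0-9]{2},[0-9A-Za-z]+,TRAFFIC,(start|end)"
  #log.format.autodetect_regular_expression = "1,([0-9]{4}/)?[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9A-Za-z]+,TRAFFIC,(start|end)"
  log.format.autodetect_lines = 10000

  # Log fields (one per set_collected_field() call in the parse filter).
  log.fields = {
    # receive_time = ""
    serial = ""
    # type = ""
    subtype = ""
    config_ver = ""
    src = ""
    dst = ""
    natsrc = ""
    natdst = ""
    rule = ""
    srcuser = ""
    dstuser = ""
    app = ""
    vsys = ""
    from = ""
    to = ""
    inbound_if = ""
    outbound_if = ""
    logset = ""
    time_received = ""
    sessionid = ""
    sport = ""
    dport = ""
    natsport = ""
    natdport = ""
    flags = ""
    proto = ""
    action = ""
    bytes = ""
    bytes_sent = ""
    bytes_received = ""
    packets = ""
    start = ""
    elapsed = ""
    category = ""
    repeatcnt = ""
  } # log.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # log.field_options = {
  #
  #   sessions_page_field = "page"
  #   sessions_visitor_id_field = "user"
  #   sessions_event_field = "page_views"
  #
  # } # log.field_options

  # Parse filter. Input: v.syslog_message (payload after the syslog header)
  # and the collected 'date_time' (the syslog header timestamp).
  # Output: one accepted entry per TRAFFIC line, expanded by repeatcnt.
  log.parsing_filters.parse = `

    # Get the year from the syslog date. The PAN-OS payload may carry only
    # mm/dd; the four-digit year of the syslog header is the fallback. See
    # the year-boundary caveat in the header comment.
    v.syslog_date = get_collected_field('', 'date_time');
    v.year = '';
    if (matches_regular_expression(v.syslog_date, '([0-9]{4})')) then (
      v.year = $1;
    );

    #v.session_user = '';

    #Important fields: receive_time, subtype, time_generated, src, dst, rule, srcuser, app, from, to, time_received, sessionid, dport, proto, action, bytes, bytes_sent, bytes_received, packets, start, elapsed, bytes, bytes_sent, bytes_received, packets, start, elapsed, category
    #All fields: domain, receive_time, serial, type, subtype, config_ver, time_generated, src, dst, natsrc, natdst, rule, srcuser, dstuser, app, vsys, from, to, inbound_if, outbound_if, logset, time_received, sessionid, repeatcnt, sport, dport, natsport, natdport, flags, proto, action, bytes, bytes_sent, bytes_received, packets, start, elapsed, category, padding

    #Jun 3 13:44:20 10.0.0.244 Jun 03 13: 44:20 1,06/03 13:44:20,0001a100200,TRAFFIC,start,8,06/03 13:44:19,10.0.10.10,16.166.16.66,0.0.0.0,0.0.0.0,mike,,,ntp,vsys1,l2-lan-trust,l2-lan-untrust,ethernet1/12,ethernet1/11,Forward to Mike,06/03 13:44:20,490821,1,123,123,0,0,0x0,udp,allow,90,90,90,1,06/03 13:44:20,0,any,0
    #2009-07-01 22:45:26 User.Info 10.222.2.222 Jul 1 22:45:26 1,2009/07/01 22:45:26,0002A100461,TRAFFIC,end,5,2009/07/01 22:45:24,22.122.2.122,10.222.2.122,0.0.0.0,0.0.0.0,Permit Any In,,,incomplete,vsys1,outside,inside,ethernet1/1,ethernet1/2,Log_to_KIWI_Sawmill,2009/07/01 22:45:25,313521,1,1247,81,0,0,0x0,tcp,allow,440,440,440,7,2009/07/01 22:44:52,30,any,0<000>

    # Capture groups:
    #   $1  optional "domain,date " prefix ($2 domain, $3 date) followed by
    #       optional spaces (1.3.1 fix)
    #   $4  receive time           $5  serial        $6  "TRAFFIC"
    #   $7  subtype (start|end)    $8  config_ver
    #   $9  time_generated date    $10 time_generated time
    #   $11 src  $12 dst  $13 natsrc  $14 natdst
    #   $15 rule  $16 srcuser  $17 dstuser  $18 app  $19 vsys  $20 from
    #   $21 to  $22 inbound_if  $23 outbound_if  $24 logset
    #   $25 time_received  $26 sessionid  $27 repeatcnt
    #   $28 sport  $29 dport  $30 natsport  $31 natdport
    #   $32 flags  $33 proto  $34 action
    #   $35 bytes  $36 bytes_sent  $37 bytes_received  $38 packets
    #   $39 start  $40 elapsed  $41 category  $42 padding
    #   $43/$44 optional trailing ",N": the original repeatcnt appended to
    #       inserted copies by the loop below (absent on raw log lines)
    # Free-text fields are [^,]*: a comma inside one misaligns all later
    # groups, and a line that does not match is not accepted at all.
    if (matches_regular_expression(v.syslog_message, '(([^,]*),([0-9/]+) )? *([0-9]{2}:[0-9]{2}:[0-9]{2}),([^,]+),(TRAFFIC),([a-z]*),([0-9]*),([0-9/]+) ([0-9]{2}:[0-9]{2}:[0-9]{2}),([0-9.]+),([0-9.]+),([0-9.]+),([0-9.]+),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([0-9/]+ [0-9]{2}:[0-9]{2}:[0-9]{2}),([0-9]*),([0-9]*),([0-9]*),([0-9]*),([0-9]*),([0-9]*),([^,]*),([^,]*),([^,]*),([0-9]*),([0-9]*),([0-9]*),([0-9]*),([0-9/]+ [0-9]{2}:[0-9]{2}:[0-9]{2}),([0-9]*),([^,]*),([^,]*)(,([0-9]+))?')) then (

      v.repeatcnt = $27;
      v.original_repeatcnt = $44;

      # Insert repeatcnt copies of log line.
      # A line with repeatcnt > 1 is not accepted itself. Instead repeatcnt
      # copies are queued via volatile.log_line_insertions; in each copy the
      # ",time_received,sessionid,repeatcnt,sport,dport," run is rewritten
      # with repeatcnt = 1 (so the copy takes the else branch when it comes
      # back through this filter) and the original count is appended as a
      # trailing ",N" field, which the regex captures as $44.
      # replace_first() rewrites the first occurrence of that run in the raw
      # line; it is assumed to occur first at the intended position.
      # NOTE(review): v.repeatcnt comes straight from the log line and is
      # the only bound on this loop. A corrupt or hostile line with a very
      # large count inserts that many copies. Consider a sanity cap if the
      # syslog source is not fully trusted.
      if (v.repeatcnt > 1) then (
        v.in_context = "," . $25 . "," . $26 . "," . $27 . "," . $28 . "," . $29 . ",";
        v.once_only = "," . $25 . "," . $26 . "," . 1 . "," . $28 . "," . $29 . ",";
        v.line = replace_first(current_log_line(), v.in_context, v.once_only);
        for (int i = 0; i < v.repeatcnt; i++) (
          set_subnode_value('volatile.log_line_insertions', i, v.line . "," . v.repeatcnt);
        );
      );
      # Accept repeated and non-repeated lines.
      else (

        # Commented fields are currently not needed and not specified in log.fields or database.fields.
        # All values are stored verbatim from the log; nothing is normalised.
        v.user = $16;
        v.src = $11;
        v.date = $9;

        #set_collected_field('', 'domain', $2);
        #set_collected_field('', 'receive_time', $3 . " " . $4);
        set_collected_field('', 'serial', $5);
        #set_collected_field('', 'type', $6);
        set_collected_field('', 'subtype', $7);
        set_collected_field('', 'config_ver', $8);
        set_collected_field('', 'time', $10);
        set_collected_field('', 'src', v.src);
        set_collected_field('', 'dst', $12);
        set_collected_field('', 'natsrc', $13);
        set_collected_field('', 'natdst', $14);
        set_collected_field('', 'rule', $15);
        set_collected_field('', 'srcuser', v.user);
        # set_collected_field('', 'user', v.user);
        set_collected_field('', 'dstuser', $17);
        set_collected_field('', 'app', $18);
        set_collected_field('', 'vsys', $19);
        set_collected_field('', 'from', $20);
        set_collected_field('', 'to', $21);
        set_collected_field('', 'inbound_if', $22);
        set_collected_field('', 'outbound_if', $23);
        set_collected_field('', 'logset', $24);
        set_collected_field('', 'time_received', $25);
        set_collected_field('', 'sessionid', $26);
        # set_collected_field('', 'repeatcnt', $27);
        # Raw lines have no trailing ",N" ($44 empty): they were repeated once.
        # Inserted copies carry the original count there.
        if (v.original_repeatcnt eq '') then (
          v.original_repeatcnt = "1";
        );
        set_collected_field('', 'repeatcnt', v.original_repeatcnt);
        set_collected_field('', 'sport', $28);
        set_collected_field('', 'dport', $29);
        set_collected_field('', 'natsport', $30);
        set_collected_field('', 'natdport', $31);
        set_collected_field('', 'flags', $32);
        set_collected_field('', 'proto', $33);
        set_collected_field('', 'action', $34);
        set_collected_field('', 'bytes', $35);
        set_collected_field('', 'bytes_sent', $36);
        set_collected_field('', 'bytes_received', $37);
        set_collected_field('', 'packets', $38);
        set_collected_field('', 'start', $39);
        set_collected_field('', 'elapsed', $40);
        set_collected_field('', 'category', $41);
        #set_collected_field('', 'padding', $42);

        # Date of time_generated ($9):
        #   yyyy/mm/dd  -> used as is
        #   mm/dd       -> prefixed with the syslog header year when known
        #                  (wrong for entries that cross a year boundary in
        #                  transit), else handed to normalize_date() as mm/dd
        if (matches_regular_expression(v.date, '^[0-9]{4}/[0-9]{2}/[0-9]{2}$')) then (
          set_collected_field('', 'date', v.date);
        );
        else if (v.year ne '') then (
          set_collected_field('', 'date', v.year . "/" . v.date);
        );
        else (
          set_collected_field('', 'date', normalize_date(v.date, 'mm/dd'));
        );

        #v.session_user = v.src;
        #if (v.user ne '') then (
        #  v.session_user .= '_' . v.user;
        #);
        #set_collected_field('', 'user', v.session_user);

        accept_collected_entry('', false);
      );
    );
    #else (
    #  # debug
    #  echo(v.syslog_message);
    #);
  `

  # Database fields
  database.fields = {
    # receive_time = ""
    serial = ""
    # type = ""
    subtype = ""
    config_ver = ""
    src = ""
    dst = ""
    natsrc = ""
    natdst = ""
    rule = ""
    srcuser = ""
    dstuser = ""
    app = ""
    vsys = ""
    from = ""
    to = ""
    inbound_if = ""
    outbound_if = ""
    logset = ""
    time_received = ""
    sessionid = ""
    sport = ""
    dport = ""
    natsport = ""
    natdport = ""
    flags = ""
    proto = ""
    action = ""
    start = ""
    category = ""
    repeatcnt = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    bytes_sent = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_sent
    bytes_received = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_received
    # NOTE(review): packets is a count, yet it is shown with the bandwidth
    # formatter like the byte fields; kept as inherited, verify in reports.
    packets = {
      type = "float"
      display_format_type = "bandwidth"
    } # packets
    elapsed = {
      type = "float"
      display_format_type = "duration_compact"
    } # elapsed
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {

      date_time_group = ""

      # NOTE(review): source_group carries outbound_if and destination_group
      # inbound_if, while from/to are paired the other way round. Menu
      # grouping only; looks swapped, confirm before changing.
      source_group = {
        src = ""
        natsrc = ""
        srcuser = ""
        sport = ""
        natsport = ""
        from = ""
        outbound_if = ""
      } # source_group

      destination_group = {
        dst = ""
        natdst = ""
        dstuser = ""
        dport = ""
        natdport = ""
        to = ""
        inbound_if = ""
      } # destination_group

      # time_received was listed twice here; the duplicate is removed.
      other_group = {
        time_received = ""
        serial = ""
        subtype = ""
        config_ver = ""
        rule = ""
        app = ""
        vsys = ""
        logset = ""
        sessionid = ""
        flags = ""
        proto = ""
        action = ""
        start = ""
        category = ""
        repeatcnt = ""
      } # other_group

    } # report_groups

  } # create_profile_wizard_options

} # palo_alto_networks_firewall_traffic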