# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for the SafeSquid "Orange" log format.
#
# Each logged request is spread over two physical log lines, and the parsing
# filter below handles them as two branches:
#   1. a request line starting with CLIENT[referer]|&|CLIENT[host]|&|... whose
#      fields are `|&|`-delimited; the first four are HTTP request headers
#      (Referer, Host, Accept, Accept-Language) and are therefore
#      client-controlled input;
#   2. a following line `|&|<Mon Mar 24 13:39:10 2008>|&|NAME = VALUE|&|...`
#      carrying the RADIUS/Aruba accounting attributes. Only this second line
#      accepts the collected entry.
#
# Review notes (security): field values parsed from the request line are only
# admitted when they contain no `|`, so a header value that embeds the `|&|`
# delimiter makes the whole line fail to match instead of shifting values into
# neighbouring fields. The referer is additionally truncated to
# scheme://host/ by the simplify_referrer filter before it reaches the
# database, so path and query-string material (which may carry session
# tokens) is not retained.

safesquid_orange = {

  plugin_version = "2.3"

  # 2008-03-10 - GMF - 1.0 - Created plug-in.
  # 2008-03-11 - GMF - 1.1 - Enhanced plug-in to extract username lines
  # 2008-03-24 - GMF - 2.0 - Complete reworking of input format; tracking change.
  # 2008-03-25 - GMF - 2.1 - Added tracking of client_referer and client_host
  # 2008-03-27 - GMF - 2.2 - Added support for safesquid_time field.
  # 2008-04-18 - GMF - 2.3 - Fixed a bug with parsing one-digit dates.
  # 2011-07-14 - MSG - 2.3.1 - Edited info lines.

  info.1.manufacturer = "Office Efficiencies"
  info.1.device = "SafeSquid (Orange)"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "SafeSquid Log Format (Orange)"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # (a `CLIENT[host]=` token in the second `|&|`-delimited field of a request line).
  log.format.autodetect_regular_expression = "^([^|]*)[|]?&?[|]?CLIENT[[]host[]]="
  log.format.autodetect_lines = "10"

  # All field extraction is done by log.parsing_filters.parse below; there is
  # no positional/field-separator parsing for this format.
  log.format.parse_only_with_filters = "true"

  # Log fields
  #
  # NOTE(review): the parsing filter also sets `clientid`, `ip`, `http_method`,
  # `http_proto` and `http_port`, none of which is declared here (their
  # declarations are commented out below). Presumably Sawmill drops collected
  # values for undeclared fields - confirm, and declare them if they are
  # wanted in reports.
  log.fields = {
    date = ""
    time = ""
#
#    date_time = ""
    client_referer = ""
    client_host = ""
    client_accept = ""
    client_accept_language = ""
    nas_ip_address = ""
    acct_status_type = ""
    user_name = ""
    nas_port = ""
    nas_port_type = ""
    framed_ip_address = ""
    calling_station_id = ""
    called_station_id = ""
    acct_session_id = ""
    acct_authentic = ""
    acct_delay_time = ""
    aruba_essid_name = ""
    aruba_location_id = ""
    aruba_user_role = ""
    aruba_user_vlan = ""
    client_ip_address = ""
    acct_unique_session_id = ""
    timestamp = ""
    # Epoch-seconds timestamp taken from the request line; date/time are derived from it.
    safesquid_time = ""
#    clientid = ""
#    client_cookie = ""
#    client_host = ""
#    client_range = ""
#    client_user_agent.type = "agent"
#    http_file.type = "page"
#    file_type = ""
#    http_host = ""
#    http_method = ""
#    http_port = ""
#    http_proto = ""
#    interface = ""
#    ip.type = "host"
#    port = ""
#    pwd = ""
#    shlvl = ""
#    time = ""
#    username = ""
##    version = ""
#    clientid = ""
#    operation = ""
  } # log.fields

  # Parsing filter.
  #
  # Branch order matters: the accounting ("second") line is tested first,
  # because it begins with `|&|` and can never match the request-line regex,
  # whose first field is `[^|]*` followed by `|&|`.
  #
  # NOTE(review): the `# layout:` comment inside the filter lists the request
  # line as `...accept-language|&||&|CLIENTID|&|IP|&|TIME|&|HTTP_METHOD|&|
  # HTTP_PROTO|&|HTTP_HOST|&|HTTP_PORT`, but the code assigns $5..$10 as
  # clientid, safesquid_time, ip, http_method, http_proto, http_port - i.e. no
  # empty field and IP/TIME swapped relative to the comment. One of the two is
  # stale; the assignments are left as shipped and should be checked against a
  # current sample log before either is changed.
  #
  # NOTE(review): the request-line branch requires CLIENT[accept] and
  # CLIENT[accept-language] to be non-empty (`[^|]+`). A request with an empty
  # Accept or Accept-Language header matches neither branch and is dropped
  # without any diagnostic.
  #
  # NOTE(review): on the accounting line, field names are read from the log
  # data itself via collect_listed_fields(). Confirm that names not declared in
  # log.fields are ignored rather than creating new collected fields.
  log.parsing_filters.parse = `
# layout: CLIENT[referer]|&|CLIENT[host]|&|CLIENT[accept]|&|CLIENT[accept-language]|&||&|CLIENTID|&|IP|&|TIME|&|HTTP_METHOD|&|HTTP_PROTO|&|HTTP_HOST|&|HTTP_PORT|&||&|DATE|&|NAS-IP-Address|&|Acct-Status-Type|&|User-Name|&|NAS-Port|&|NAS-Port-Type|&|Framed-IP-Address|&|Calling-Station-Id|&|Called-Station-Id |&|Acct-Session-Id"|&|Acct-Authentic|&|Acct-Delay-Time|&|Aruba-Essid-Name|&|Aruba-Location-Id|&|Aruba-User-Role"|&|Aruba-User-Vlan|&|Client-IP-Address|&|Acct-Unique-Session-Id|&|Timestamp

# Handle second line: `|&|<Www Mmm d[d] HH:MM:SS YYYY>|&|NAME = VALUE|&|NAME = VALUE...`
# The day-of-month is `[0-9]+` so one-digit days match (2.3 fix).
# The textual date captured in $1 is not used; date/time come from
# safesquid_time on the request line. This branch is the only place the
# collected entry is accepted.
if (matches_regular_expression(current_log_line(), "^[|]&[|]([A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9][0-9][0-9][0-9])[|]&[|](.*)$")) then (
#  set_collected_field('', 'date', $1);
  v.listed_fields = $2;
  # Field names come from the log line: `|&|` separates pairs, ` = ` separates name from value.
  collect_listed_fields('', v.listed_fields, '|&|', ' = ', '');
#
#  'Mon Mar 24 13:39:10 2008'
#  if (matches_regular_expression(get_collected_field('', 'date'), '[A-Za-z]+ ([A-Za-z]+) ([0-9]+) ([0-9:]+) ([0-9]+)')) then (
#    set_collected_field('', 'date', $2 . "/" . $1 . "/" . $4);
#    set_collected_field('', 'time', $3);
#  );
  accept_collected_entry('', false);
); # if second line

# Handle first line
# Every field is `[^|]*` (or `[^|]+` for accept/accept-language), so a
# client-supplied header containing `|` cannot be parsed into the wrong slot;
# the line simply fails to match. This branch does not accept the entry.
# NOTE(review): if the matching second line never arrives, the values
# collected here presumably remain pending for the next entry - confirm.
else if (matches_regular_expression(current_log_line(), "^([^|]*)[|]&[|]([^|]*)[|]&[|]CLIENT[[]accept[]]=([^|]+)[|]&[|]CLIENT[[]accept-language[]]=([^|]+)[|]&[|]([^|]*)[|]&[|]([^|]*)[|]&[|]([^|]*)[|]&[|]([^|]*)[|]&[|]([^|]*)[|]&[|]([^|]*)[|]&[|]")) then (
  set_collected_field('', 'client_referer', $1);
  set_collected_field('', 'client_host', $2);
  set_collected_field('', 'client_accept', $3);
  set_collected_field('', 'client_accept_language', $4);
#  ', $5);
  set_collected_field('', 'clientid', $5);
  set_collected_field('', 'safesquid_time', $6);
  set_collected_field('', 'ip', $7);
  set_collected_field('', 'http_method', $8);
  set_collected_field('', 'http_proto', $9);
  set_collected_field('', 'http_port', $10);
  # Strip the `CLIENT[host]=` / `CLIENT[referer]=` prefixes; the raw field
  # values (still prefixed) were stored above and are overwritten here.
  if (matches_regular_expression(get_collected_field('', 'client_host'), '^CLIENT[[]host[]]=(.*)$')) then
    set_collected_field('', 'client_host', $1);
  if (matches_regular_expression(get_collected_field('', 'client_referer'), '^CLIENT[[]referer[]]=(.*)$')) then
    set_collected_field('', 'client_referer', $1);
  # Chop leading single quote from referrer.
  # Only the opening quote is removed; a closing quote, if the log writes one, stays in the value.
  if (matches_regular_expression(get_collected_field('', 'client_referer'), "^'(.*)$")) then
    set_collected_field('', 'client_referer', $1);

  # Deconstruct the timestamp
  # safesquid_time is interpreted as seconds since the Unix epoch.
  set_collected_field('', 'date', normalize_date(get_collected_field('', 'safesquid_time'), 'seconds_since_jan1_1970'));
  set_collected_field('', 'time', normalize_time(get_collected_field('', 'safesquid_time'), 'seconds_since_jan1_1970'));

  # Extract client_accept separately, because it can contain ;'s
#  if (matches_regular_expression(current_log_line(), "CLIENT[[]accept[]]='([^']+)'")) then (
#    set_collected_field('', 'client_accept', $3);
#  );

); # if first line

# Remnants of the pre-2.0 NAME=VALUE parser, kept commented out for reference.
#  ', $12);
#    nas_port_type = $17;
#    framed_ip_address = $18;
#    calling_station_id = $19;
#    called_station_id = $20;
#    acct_session_id = $21;
#    acct_authentic = $22;
#    acct_delay_time = $23;
#    aruba_essid_name = $24;
#    aruba_location_id = $25;
#    aruba_user_role = $26;
#    aruba_user_vlan = $27;
#    client_ip_address = $28;
#    acct_unique_session_id = $29;
#    timestamp = $30;

#echo("Timestamp: " . get_collected_field('', 'Timestamp'));
#echo("http_host: " . get_collected_field('', 'http_host'));

#  set_collected_field('', 'date', normalize_date(get_collected_field('', 'timestamp'), 'seconds_since_jan1_1970'));
#  set_collected_field('', 'time', normalize_time(get_collected_field('', 'timestamp'), 'seconds_since_jan1_1970'));
#  date = normalize_date(timestamp, 'seconds_since_jan1_1970'));

#  v.name = lowercase($1);
#  v.value = $2;
#
#  v.name = replace_all(v.name, '[', '_');
#  v.name = replace_all(v.name, '-', '_');
#  v.name = replace_all(v.name, ']', '');
#  if (v.name eq "time") then (
#    set_collected_field('', 'time', normalize_time(v.value, 'seconds_since_jan1_1970'));
#    set_collected_field('', 'date', normalize_date(v.value, 'seconds_since_jan1_1970'));
#  );
  # Ignore USERNAME=; we get it from the username lines.
#  else if (v.name eq "username") then (
#
#  );
#
#  else (
#    set_collected_field('', v.name, v.value);
#  );
# NOTE(review): the `);` below has no live opener - the NAME=VALUE block it
# closed is entirely commented out above. It is left untouched here; confirm
# the expression parser tolerates it before relying on this plug-in.
); # if NAME=VALUE

# Handle username lines, e.g.
#  someone someone shell S4171 Thu 16:26 12.34.56.78 98.76.54.32
#else if (matches_regular_expression(current_log_line(), '^([^ ]+) [^ ]+ [^ ]+ [^ ]+ [A-Z][a-z][a-z] [0-9][0-9]:[0-9][0-9] [0-9.]+ [0-9.]+')) then (
#  set_collected_field('', 'username', $1);
#  set_collected_field('', 'found_username_line', true);
#); # if username line
#
## Accept on ======== lines, if we also saw a username line.
#else if (matches_regular_expression(current_log_line(), '^=+$')) then (
#  if (get_collected_field('', 'found_username_line')) then (
#    set_collected_field('', 'events', 1);
#    accept_collected_entry('', false);
#  );
#);
`

  # Database fields
  # Only the declared fields below are stored; the per-request `ip`,
  # `http_method`, `http_proto`, `http_port` and `clientid` values collected by
  # the filter have no database column here.
  database.fields = {
    date_time = ""
    client_referer = ""
    client_host = ""
    client_accept = ""
    client_accept_language = ""
    nas_ip_address = ""
    acct_status_type = ""
    user_name = ""
    nas_port = ""
    nas_port_type = ""
    framed_ip_address = ""
    calling_station_id = ""
    called_station_id = ""
    acct_session_id = ""
    acct_authentic = ""
    acct_delay_time = ""
    aruba_essid_name = ""
    aruba_location_id = ""
    aruba_user_role = ""
    aruba_user_vlan = ""
    client_ip_address = ""
    acct_unique_session_id = ""
#    clientid = ""
##    client_cookie = ""
#    client_referer = ""
#    client_host = ""
#    client_range = ""
##    client_user_agent = ""
#    web_browser = ""
#    http_file = ""
#    file_type = ""
#    http_host = ""
#    http_method = ""
#    http_port = ""
#    http_proto = ""
##    interface = ""
#    ip = ""
##    location = ""
#    port = ""
#    pwd = ""
#    shlvl = ""
#    time = ""
#    username = ""
#    version = ""
#    clientid = ""
#    operation = ""
  } # database.fields

  # Log Filters
  # The commented-out filters reference http_file / file_type / url, none of
  # which this format collects, which is presumably why they are disabled.
  log.filters = {
#    remove_query = {
#      label = "$lang_admin.log_filters.remove_query_label"
#      comment = "$lang_admin.log_filters.remove_query_comment"
#      value = "if (contains(http_file, '?')) then http_file = substr(http_file, 0, index(http_file, '?') + 1) . '(parameters)';"
#    } # remove_query
#    detect_page_views = {
#      label = '$lang_admin.log_filters.detect_page_views_label'
#      comment = '$lang_admin.log_filters.detect_page_views_comment'
#      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
#    } # detect_page_views
#    simplify_url = {
#      label = "$lang_admin.log_filters.simplify_url_label"
#      comment = "$lang_admin.log_filters.simplify_url_comment"
#      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
#    } # simplify_url
    # Reduce the (client-supplied) referer to scheme://host/ so that paths and
    # query strings - where credentials or session tokens may appear - are not
    # stored. A referer that is not a `scheme://host/...` URL is kept verbatim.
    simplify_referrer = {
      label = "$lang_admin.log_filters.simplify_referrer_label"
      comment = "$lang_admin.log_filters.simplify_referrer_comment"
      value = "if (client_referer eq '-') then client_referer = '(no referrer)' else if (matches_regular_expression(client_referer, '^([^:]+://[^/]+/)')) then client_referer = $1 . '(omitted)'"
    } # simplify_referrer
#    strip_non_page_views = {
#      label = '$lang_admin.log_filters.strip_non_page_views_label'
#      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
#      value = "if (page_views == 0) then http_file = substr(http_file, 0, last_index(http_file, '/') + 1) . '(nonpage)';"
#    } # strip_non_page_views
    # Every accepted two-line record counts as one event.
    set_event = "events = 1"
  } # log.filters

  statistics.miscellaneous.remove_reloads_from_sessions = false;

  # Sessions are keyed on the RADIUS User-Name from the accounting line and
  # paginated on the requested Host header.
  log.field_options = {
    sessions_page_field = "client_host"
    sessions_visitor_id_field = "user_name"
    sessions_event_field = "events"
  } # log.field_options

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
#    page_views = {
#      default = true
#      requires_log_field = false
#    } # page_views
    # Distinct count of the accounting-line Client-IP-Address, not of the
    # request-line `ip` field (which is not stored).
    unique_client_ips = {
      log_field = "client_ip_address"
      type = "unique"
    } # unique_client_ips
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # safesquid