# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Trend Micro InterScan VirusWall "urlaccesslog".
# Only that one log type is handled; the other VirusWall log formats are not
# recognised by this plugin (see the change log below).

viruswall = {

  plugin_version = "1.0"

  info.1.manufacturer = "InterScan"
  info.1.device = "VirusWall"
  info.1.version.1 = "6"

  # Change log
  # 2008-06-04 - 1.0 - GMF - Initial implementation. This implements support for only the urlaccesslog (there are at least 4 other formats which are not yet supported)

  # Human-readable name of the format as shown in the profile wizard.
  log.format.format_label = "InterScan VirusWall (urlaccesslog)"

  # NOTE(review): both type keys say "mail_server", yet the format label, the
  # sample line and the parsed fields describe an HTTP proxy / URL access log.
  # Confirm this classification is intended before relying on it for report selection.
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # Autodetection: the format is selected if any of the first ten lines of the
  # file match this expression. The pattern anchors on the date/time prefix,
  # the literal "http,proxy" pair and three dotted-quad IP fields, so only
  # http/proxy lines trigger detection; a file whose first ten lines use some
  # other protocol value would not be autodetected even if it is a urlaccesslog.
  log.format.autodetect_expression = `
    # Handle urlaccesslog lines, e.g.
    # 2006/09/11 13:52:06,http,proxy,127.0.0.1,127.0.0.1,12.34.56.78,www.somewhere.com,,1364,text/html,GET
    matches_regular_expression(volatile.log_data_line, '^[0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9],http,proxy,[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+,[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+,[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+,')
  `

  # All log field parsing will be done using the parsing filters.
  # NOTE(review): the option itself is left commented out in the original
  # plugin; confirm the parsing filter below is applied without it.
  # log.format.parse_only_with_filters = "true"

  # Log fields, in the order they appear in a urlaccesslog line (plus the
  # derived url/hits/page_views/bytes fields filled in by the parsing filter).
  # Every value is copied verbatim from the log line, i.e. from untrusted input;
  # the parsing regex only guarantees that a field contains no comma.
  log.fields = {
    date = ""
    time = ""
    protocol = ""
    type = ""
    server_ip = ""
    unknown_ip = "" # field purpose unknown
    source_ip.type = "host"
    server_domain = ""
    page = ""
    url.type = "page"
    mime_type = ""
    operation = ""
    hits = ""
    page_views = ""
    bytes = ""
  } # log.fields

  # Field extraction for one urlaccesslog line.
  #
  # A backslash-escaped comma inside a field is first replaced with the
  # sentinel "_COMMA_" so the comma-separated regex does not split on it; the
  # sentinel is turned back into a plain "," in the page field only (the
  # escaping backslash is not restored, and other fields keep the sentinel).
  # Caveat: a literal "_COMMA_" occurring in the logged page path would also be
  # rewritten to ",", since the sentinel is not distinguishable from real data.
  #
  # Capture groups: 1 date, 2 time, 3 protocol, 4 type, 5 server_ip,
  # 6 unknown_ip, 7 source_ip, 8 server_domain, 9 page, 10 bytes,
  # 11 mime_type, 12 operation. The url field is rebuilt as
  # protocol://server_domain/page from those log-supplied values; hits is 1 per line.
  log.parsing_filters.parse = `
    # Handle urlaccesslog lines
    v.line = replace_all(current_log_line(), '\\\\,', '_COMMA_');
    if (matches_regular_expression(v.line, '^([0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)')) then (
      date = $1;
      time = $2;
      protocol = $3;
      type = $4;
      server_ip = $5;
      unknown_ip = $6;
      source_ip = $7;
      server_domain = $8;
      page = replace_all($9, '_COMMA_', ',');
      bytes = $10;
      mime_type = $11;
      operation = $12;
      url = protocol . "://" . server_domain . "/" . page;
      hits = 1;
    ); # if urlaccesslog
  `

  # Database (report) fields. unknown_ip and page are deliberately not stored;
  # location and file_type are not in the log and are presumably derived by
  # Sawmill from source_ip and url respectively — confirm against the server docs.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    protocol = ""
    type = ""
    server_ip = ""
    source_ip = ""
    location = ""
    server_domain = ""
    url = ""
    file_type = ""
    mime_type = ""
    operation = ""
  } # database.fields

  # Log filters, applied in order after parsing.
  log.filters = {

    # Drop everything after "?" in the URL, keeping only a "(parameters)" marker.
    # This also keeps whatever the query string carried (which may include
    # session identifiers or personal data) out of the stored database.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    # Count a page view for every hit whose file type is not one of the listed
    # image/style/script types. Comparison is on the derived file_type field.
    categorize = {
      label = "$lang_admin.log_filters.categorize_hits_label"
      comment = "$lang_admin.log_filters.categorize_hits_comment"
      value = `
        if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then (
        ) else (
          page_views = 1;
        )
      `
    } # categorize

    # Reduce the URL to scheme://host/ followed by "(omitted)", so only the
    # host part of each request is retained in reports.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url

  } # log.filters

  # Numerical (aggregated) fields.
  database.numerical_fields = {

    # One per parsed line (set by the parsing filter).
    hits = {
      default = true
    } # events

    # Set by the categorize filter for non-image/script/style hits.
    page_views = {
      default = true
    } # page_views

    # Bytes field from the log line, stored as float and shown as bandwidth.
    bytes = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    } # bytes

    # Distinct count of source_ip values; off by default.
    unique_source_ips = {
      default = false
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

  } # create_profile_wizard_options

} # viruswall