# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for Watchguard Firebox V60 firewall messages
# received through syslog. The firewall payload is a run of key=value pairs
# ("id=... time=... fw=... pri=... rule=... src=... dst=... proto=... sport=...
# dport=... indev=... inport=... rc=... msg=..."); every field is extracted by
# the parsing filters declared below rather than by a positional format.

watchguard_firebox_v60_syslog = {

  plugin_version = 1.1

  # Version history
  #   1.0            - initial creation
  #   1.1 2010-10-05 - MSG - edited info lines

  info.1.manufacturer = "Watchguard"
  info.1.device = "Firebox V60 Syslog required"
  info.1.version.1 = ""

  # Display name of this log format
  log.format.format_label = "Watchguard Firebox V60 Log Format"

  # "syslog_required": the entries must arrive wrapped in syslog. The database
  # fields date_time / day_of_week / hour_of_day below have no matching entry in
  # log.fields, so they are presumably supplied by that syslog wrapper — verify.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Autodetection: this format is chosen when any of the first ten lines matches
  # the active expression. The earlier, header-anchored expression is kept
  # commented out for reference.
  # NOTE(review): the active pattern keys only on the proto/sport/dport/indev/
  # inport sequence; confirm it does not also match other key=value firewall
  # logs that happen to use the same key names.
  #log.format.autodetect_regular_expression = '^[A-Z][a-z][a-z] [0-9][0-9] [0-9:]+ [^ ]+ id=[^ ]+ time="[^"]+"'
  log.format.autodetect_regular_expression = 'proto=[^ ]* sport=[^ ]* dport=[^ ]* indev=[^ ]* inport='

  # No positional parsing: field values come solely from log.parsing_filters
  log.format.parse_only_with_filters = "true"

  # What one log entry is called in reports ("event")
  statistics.miscellaneous.entry_name = "event"

  # ---------------------------------------------------------------------------
  # Log fields
  #
  # One "flat" field per key in the firewall payload. The log's "time" key is
  # stored under the name fwtime (see the 'time=fwtime' mapping in parsing
  # filter 1). Every field uses index = 0 / subindex = 0.
  # ---------------------------------------------------------------------------
  log.fields = {

    id = {
      label = "$lang_stats.field_labels.id"
      type = "flat"
      index = 0
      subindex = 0
    } # id

    fwtime = {
      label = "$lang_stats.field_labels.fwtime"
      type = "flat"
      index = 0
      subindex = 0
    } # fwtime

    fw = {
      label = "$lang_stats.field_labels.fw"
      type = "flat"
      index = 0
      subindex = 0
    } # fw

    pri = {
      label = "$lang_stats.field_labels.pri"
      type = "flat"
      index = 0
      subindex = 0
    } # pri

    rule = {
      label = "$lang_stats.field_labels.rule"
      type = "flat"
      index = 0
      subindex = 0
    } # rule

    src = {
      label = "$lang_stats.field_labels.src"
      type = "flat"
      index = 0
      subindex = 0
    } # src

    dst = {
      label = "$lang_stats.field_labels.dst"
      type = "flat"
      index = 0
      subindex = 0
    } # dst

    proto = {
      label = "$lang_stats.field_labels.proto"
      type = "flat"
      index = 0
      subindex = 0
    } # proto

    sport = {
      label = "$lang_stats.field_labels.sport"
      type = "flat"
      index = 0
      subindex = 0
    } # sport

    dport = {
      label = "$lang_stats.field_labels.dport"
      type = "flat"
      index = 0
      subindex = 0
    } # dport

    indev = {
      label = "$lang_stats.field_labels.indev"
      type = "flat"
      index = 0
      subindex = 0
    } # indev

    inport = {
      label = "$lang_stats.field_labels.inport"
      type = "flat"
      index = 0
      subindex = 0
    } # inport

    rc = {
      label = "$lang_stats.field_labels.rc"
      type = "flat"
      index = 0
      subindex = 0
    } # rc

    msg = {
      label = "$lang_stats.field_labels.msg"
      type = "flat"
      index = 0
      subindex = 0
    } # msg

  } # log.fields

  # ---------------------------------------------------------------------------
  # Log parsing filters
  # ---------------------------------------------------------------------------
  log.parsing_filters = {

    # Collect every key=value pair from "id=" through the end of the line. The
    # ' ' and '=' arguments appear to be the pair divider and the name/value
    # divider; the last argument renames the log's "time" key to fwtime.
    # NOTE(review): because pairs are split on a single space, a value that
    # itself contains spaces (a quoted msg, for instance) may be cut at the
    # first space — confirm against a sample line before relying on msg.
    1 = {
      label = "1"
      comment = ""
      value = "collect_listed_fields_using_regexp('()(id=.*)$', ' ', '=', 'time=fwtime')"
    } # 1

    # Accept the collected entry. The "()" expression matches any entry; the
    # meaning of the second argument is not documented in this file.
    3 = {
      label = "3"
      comment = ""
      value = 'accept_collected_entry_using_regexp("()", false)'
    } # 3

  } # log.parsing_filters

  # ---------------------------------------------------------------------------
  # Database fields
  #
  # All fields are strings; suppress_top is 0 everywhere and suppress_bottom is
  # 2 except for date_time (3). The three date/time-derived fields also carry a
  # display_format_type.
  # ---------------------------------------------------------------------------
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    fw = {
      label = "$lang_stats.field_labels.fw"
      log_field = "fw"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # fw

    pri = {
      label = "$lang_stats.field_labels.pri"
      log_field = "pri"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # pri

    rule = {
      label = "$lang_stats.field_labels.rule"
      log_field = "rule"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule

    src = {
      label = "$lang_stats.field_labels.src"
      log_field = "src"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src

    dst = {
      label = "$lang_stats.field_labels.dst"
      log_field = "dst"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst

    proto = {
      label = "$lang_stats.field_labels.proto"
      log_field = "proto"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # proto

    sport = {
      label = "$lang_stats.field_labels.sport"
      log_field = "sport"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sport

    dport = {
      label = "$lang_stats.field_labels.dport"
      log_field = "dport"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dport

    indev = {
      label = "$lang_stats.field_labels.indev"
      log_field = "indev"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # indev

    inport = {
      label = "$lang_stats.field_labels.inport"
      log_field = "inport"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # inport

    rc = {
      label = "$lang_stats.field_labels.rc"
      log_field = "rc"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rc

    msg = {
      label = "$lang_stats.field_labels.msg"
      log_field = "msg"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # msg

  } # database.fields

  # The single numerical field: one "access" per accepted entry (set to 1 by the
  # mark_entry log filter below).
  database.numerical_fields = {

    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses

  } # database.numerical_fields

  # ---------------------------------------------------------------------------
  # Log filters (applied after parsing)
  # ---------------------------------------------------------------------------
  log.filters = {

    # Reduce a proto value of the form "<number>/<name>" to "<name>"; the port
    # information is already carried by sport/dport.
    1 = {
      value = "if (matches_regular_expression(proto, '[0-9]+/(.*)')) then proto = $1;"
      comment = "This removes the port information from the protocol fields, as we have it in the s/d port field already"
      label = "remove port from protocol field"
    } # 1

    # Count this entry as one access
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry

  } # log.filters

  # ---------------------------------------------------------------------------
  # Create-profile wizard defaults
  # ---------------------------------------------------------------------------
  create_profile_wizard_options = {

    date_time_tracking = true

    # Report-menu groups. Note that rc is collected into the database but is
    # not listed here, and fwtime has no database field at all.
    report_groups = {
      date_time_group = ""
      fw = true
      pri = true
      rule = true
      src = true
      dst = true
      proto = true
      sport = true
      dport = true
      indev = true
      inport = true
      msg = true
    } # report_groups

  } # create_profile_wizard_options

  # Web-oriented reports that do not apply to firewall logs
  not_supported = {
    sessions = true
    pageviews = true
    visitors = true
    bandwidth = true
  } # not_supported

} # watchguard_firebox_v60_syslog