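# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Array Networks SPX appliances that emit a mix of
# WELF (key=value) firewall/VPN records, Squid-style proxy records and a few
# free-text notices, all carried over syslog.
array_spx_squid = {

  plugin_version = "2.5.1"

  # NOTE(review): this key is spelled "manfacturer" in the original. It is the
  # name Sawmill reads, so it is kept as-is; confirm the expected key name
  # against the plugin schema before renaming it.
  info.1.manfacturer = "Array Networks"
  info.1.device = "SPX 3000 Welf/Squid combined"
  info.1.version.1 = "Rel.SP.8.4.4.2"
  info.1.version.2 = "Rel.SP.8.4.4.1 Build 4"

  # 2008-06-04 - 1.0 - GMF - Initial implementation. This implements support for only the urlaccesslog (there are at least 4 other formats which are not yet supported)
  # 2010-08-12 - 2.0 - Benson - Fixed for full WELF log format support.
  # 2010-08-13 - 2.5 - Benson - Adds mixed Squid proxy log format support.
  # 2010-08-20 - 2.5.1 - Benson - Update for older firmware SP.8.4.4.1 Build 4.

  # The name of the log format
  log.format.format_label = "Array Networks SPX WELF & Squid mixed Log Format"
  # Every record is a syslog line; Sawmill strips the syslog envelope and hands
  # the payload to the parsing filter as v.syslog_message.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Sample lines (one per record shape handled below):
  # 2007-05-11 16:58:47 Local0.Info 12.34.56.78 May 11 17:03:41 AN id=ArraySP time="2007-5-11 17:03:41" fw=AN pri=6 user=someone type=mgmt msg="CLI cmd "sh run" success code 0"
  # 2010-08-10 14:24:44 Local0.Info 10.1.1.12 Aug 10 15:03:01 AN id=ArrayOS time="2010-8-10 15:03:01" fw=AN pri=6 vpn=intranet proto=http src=10.1.0.3 sport=47562 dstname=localhost arg=/ op=GET result=302 type=vpn msg="Request on port 80 redirected to port 443"
  # 2010-08-10 14:24:19 Local0.Info 10.1.1.12 Aug 10 15:02:36 AN AN_SQUID_LOG 1281452556.369 729 10.1.0.3 TCP_MISS/200 1075 GET /exchweb/img/newitem.gif - DIRECT/10.1.1.10 -
  # 2010-08-20 15:09:12 Local7.Info 192.168.0.11 Aug 20 15:10:54 GMT(+0000) SPX3000 id=ArrayOS time="2010-8-20 15:10:54" fw=SPX3000 pri=6 user=array src=192.168.5.28 sport=1059 type=mgmt msg="CLI cmd "show log config" success code 0"
  log.format.autodetect_regular_expression = "(id=ArraySP|id=ArrayOS|AN_SQUID_LOG) "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    id = ""
    log_type = ""
    fwtime = ""
    fw = ""
    pri = ""
    vpn = ""
    user = ""
    proto = ""
    src = ""
    action = ""
    sport = ""
    dst = ""
    dport = ""
    dstname = ""
    arg = ""
    op = ""
    result = ""
    rcvd = ""
    sent = ""
    type = ""
    message = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  #
  # v.syslog_message is classified into one of three record shapes (Squid,
  # WELF, DNS notice). Each branch sets log_type and events, then accepts
  # exactly one entry; lines matching none of them are dropped.
  log.parsing_filters.parse = `
    # 2010-08-10 14:24:19 Local0.Info 10.1.1.12 Aug 10 15:02:36 AN AN_SQUID_LOG 1281452556.369 729 10.1.0.3 TCP_MISS/200 1075 GET /exchweb/img/newitem.gif - DIRECT/10.1.1.10 -
    # 2010-08-12 14:00:22 Local0.Info 10.1.1.12 Aug 12 14:39:24 AN AN_SQUID_LOG 1281623964.048 1 10.1.0.3 TCP_MISS/304 341 GET /bugzilla/skins/contrib/Mine/index.css - DIRECT/10.3.0.70 -

    # SQUID log type
    # Earlier, stricter pattern kept for reference; the looser one below is the
    # one in use (the request method and URL are no longer constrained to [A-Z]).
    #if (matches_regular_expression(v.syslog_message, 'AN_SQUID_LOG [0-9.]+ [0-9]+ ([^ ]*) ([A-Z_ ]*)/([0-9]*) ([0-9]*) ([A-Z]*) ([^ ]*)[ | ]([^ ]*) ([A-Z_]*)/([^ ]*) (.*)')) then (
    if (matches_regular_expression(v.syslog_message, 'AN_SQUID_LOG [0-9.]+ [0-9]* ([^ ]*) ([A-Z_ ]*)/([0-9]*) ([0-9]*) ([^ ]*) ([^ ]*)[ | ](.*)')) then (
      set_collected_field('', 'src', $1);
      set_collected_field('', 'action', $2);
      set_collected_field('', 'result', $3);
      set_collected_field('', 'rcvd', $4);
      set_collected_field('', 'op', $5);
      set_collected_field('', 'arg', $6);
      # Hold the tail of the line before the next match overwrites $N.
      v.message = $7;
      if (matches_regular_expression(v.message, '([^ ]+) ([A-Z_]*)/([^ ]*) (.*)')) then (
        set_collected_field('', 'user', $1);
        set_collected_field('', 'message', $2);
        set_collected_field('', 'dst', $3);
        set_collected_field('', 'type', $4);
      );
      set_collected_field('', 'log_type', 'SQUID');
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );

    # WELF log type
    else if (matches_regular_expression(v.syslog_message, '[^ ]+ (id=.*) msg=(.*)$')) then (
      # Whether collect_listed_fields() or a capture-less match below resets $N is
      # not visible here; keep the msg= text in a variable, as the SQUID branch
      # does with v.message, so the classification never depends on it.
      v.welf_message = $2;
      # time= is renamed to fwtime so it does not collide with the syslog time.
      collect_listed_fields('', $1, ' ', '=', 'time=fwtime');
      set_collected_field('', 'message', v.welf_message);

      # Define log type from the message text; the first matching rule wins.
      if (matches_regular_expression(v.welf_message, 'Authorized access')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'CLI cmd')) then (set_collected_field('', 'log_type', 'CLI'););
      else if (matches_regular_expression(v.welf_message, 'Request on port 80 redirected to port 443')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'URL')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'Authentication successful')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'valid session')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'Session has expired')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'idletime')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'logged')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'Backend connection')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'clientapp:')) then (set_collected_field('', 'log_type', 'ClientApp'););
      else if (matches_regular_expression(v.welf_message, 'Killed an expired session')) then (set_collected_field('', 'log_type', 'MGMT'););
      else if (matches_regular_expression(v.welf_message, 'vpn:')) then (set_collected_field('', 'log_type', 'VPN'););
      else if (matches_regular_expression(v.welf_message, 'AAA authentication')) then (set_collected_field('', 'log_type', 'Mail Proxy'););
      # A group, not a character class: '[client|...]' matched 'SSL ' followed by
      # any single letter from that set, which is not the intended alternation.
      else if (matches_regular_expression(v.welf_message, 'SSL (client|driver|handshake|backend|tunnel)')) then (set_collected_field('', 'log_type', 'SSL'););
      else if (matches_regular_expression(v.welf_message, 'Invalid request')) then (set_collected_field('', 'log_type', 'HTTP'););
      else if (matches_regular_expression(v.welf_message, 'Authentication failed (.*)')) then (
        # This was a 'while' whose body never changed its condition, so one
        # message naming any of these reasons could stall log processing on that
        # line. An 'if' is what the classification needs. Reasons outside the
        # list fall back to 'Misc' instead of leaving log_type unset.
        v.fail_reason = $1;
        if (
          matches_regular_expression(v.fail_reason, 'host check') or
          matches_regular_expression(v.fail_reason, 'credentials rejected') or
          matches_regular_expression(v.fail_reason, 'internal') or
          matches_regular_expression(v.fail_reason, 'sessions') or
          matches_regular_expression(v.fail_reason, 'username') or
          matches_regular_expression(v.fail_reason, 'SSL')
        ) then (set_collected_field('', 'log_type', 'HTTP'););
        else (set_collected_field('', 'log_type', 'Misc'););
      );
      else (set_collected_field('', 'log_type', 'Misc'););

      # convert date and time
      # NOTE(review): 'date' and 'time' are not declared in log.fields; whether
      # Sawmill honors these with log_data_type = "syslog_required" is not
      # visible here — confirm before relying on fwtime for the entry timestamp.
      if (matches_regular_expression(get_collected_field('', 'fwtime'), '^([0-9-]+) ([0-9:]+)$')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
      );
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );

    # 2010-08-11 14:02:41 Local0.Notice 10.1.1.12 Aug 11 14:41:20 AN DNS: All nameservers - down.
    # Other log types
    else if (matches_regular_expression(v.syslog_message, '[^ ] DNS: (.*)$')) then (
      set_collected_field('', 'log_type', 'DNS');
      set_collected_field('', 'message', $1);
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    id = ""
    log_type = ""
    #fwtime = ""
    fw = ""
    pri = ""
    vpn = ""
    user = ""
    proto = ""
    src = ""
    sport = ""
    dst = ""
    dport = ""
    dstname = ""
    action = ""
    arg = ""
    op = ""
    result = ""
    type = ""
    message = ""
  } # database.fields

  # Log Filters
  log.filters = {
  } # log.filters

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    rcvd = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    }
    sent = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # array_spx_squid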