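# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Cisco VPN Concentrator (VPN 3000 series) logs
# exported in comma-delimited form. Every field is extracted by the parsing
# filters below (parse_only_with_filters = "true"); the date/time and field
# settings in log.format only describe the values those filters hand back.

cisco_vpnconcentrator_commas = {

  plugin_version = "1.0.2"

  # Initial creation - 1.0
  # 2010-10-26 - 1.0.1 - MSG - Edited info lines.
  # 1.0.2 - Review: made capture-group counts match the field lists in parsing
  #         filters 1 and 11, fixed the "Local Proxy" capture in filter 11 (it
  #         captured only the last character), mapped filter 11 to declared fields,
  #         and dropped the duplicate source_host log field.

  # NOTE(review): "manfacturer" is the key spelling the original file used. Confirm
  # against the plugin loader before renaming it; it may be looked up verbatim.
  info.1.manfacturer = "Cisco Systems"
  info.1.device = "VPN Concentrator (Comma delimited)"
  info.1.version.1 = ""

  # Cisco VPN Concentrator (Comma-delimited)

  # The name of the log format
  log.format.format_label = "Cisco VPN Concentrator (Comma-delimited)"
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Shape: "<Mon> <d>, <yyyy>, <hh:mm> <AM|PM> <ip>:<port> <pri>seq mm/dd/yyyy hh:mm:ss.mmm SEV="
  log.format.autodetect_regular_expression = "^[A-Z][a-z]+ [ 0-9]+, [0-9][0-9][0-9][0-9], [0-9][0-9]:[0-9][0-9] [AP]M [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+:[0-9]+ <[0-9]+>[0-9]+ [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\.[0-9][0-9][0-9] SEV="

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log (as captured by parsing filter 1)
  log.format.date_format = "mm/dd/yyyy"
  log.format.time_format = "hh:mm:ss"

  # Log fields.
  # NOTE(review): "sa" and "payload" are declared here (and in database.fields)
  # but no parsing filter below ever populates them; they will always be empty.
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time

    # Peer address reported on the event line (filters 2, 5-12). Declared once;
    # the original file declared this field twice with identical settings.
    source_host = {
      label = "$lang_stats.field_labels.source_host"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # source_host

    operation = {
      label = "$lang_stats.field_labels.operation"
      type = "flat"
      index = 0
      subindex = 0
    } # operation

    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user

    group = {
      label = "$lang_stats.field_labels.group"
      type = "flat"
      index = 0
      subindex = 0
    } # group

    cn = {
      label = "$lang_stats.field_labels.cn"
      type = "flat"
      index = 0
      subindex = 0
    } # cn

    sn = {
      label = "$lang_stats.field_labels.sn"
      type = "flat"
      index = 0
      subindex = 0
    } # sn

    sa = {
      label = "$lang_stats.field_labels.sa"
      type = "flat"
      index = 0
      subindex = 0
    } # sa

    sev = {
      label = "$lang_stats.field_labels.sev"
      type = "flat"
      index = 0
      subindex = 0
    } # sev

    rpt = {
      label = "$lang_stats.field_labels.rpt"
      type = "flat"
      index = 0
      subindex = 0
    } # rpt

    payload = {
      label = "$lang_stats.field_labels.payload"
      type = "flat"
      index = 0
      subindex = 0
    } # payload

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol

    port = {
      label = "$lang_stats.field_labels.port"
      type = "flat"
      index = 0
      subindex = 0
    } # port

    inbound_spi = {
      label = "$lang_stats.field_labels.inbound_spi"
      type = "flat"
      index = 0
      subindex = 0
    } # inbound_spi

    outbound_spi = {
      label = "$lang_stats.field_labels.outbound_spi"
      type = "flat"
      index = 0
      subindex = 0
    } # outbound_spi

    # Populated by filter 1 from the "<ip>:<port>" token in the line prefix,
    # so despite the name this holds the concentrator's IP address.
    server_hostname = {
      label = "$lang_stats.field_labels.server_hostname"
      type = "flat"
      index = 0
      subindex = 0
    } # server_hostname

    local_proxy_host = {
      label = "$lang_stats.field_labels.local_proxy_host"
      type = "flat"
      index = 0
      subindex = 0
    } # local_proxy_host

    local_proxy_subnet = {
      label = "$lang_stats.field_labels.local_proxy_subnet"
      type = "flat"
      index = 0
      subindex = 0
    } # local_proxy_subnet

    local_proxy_mask = {
      label = "$lang_stats.field_labels.local_proxy_mask"
      type = "flat"
      index = 0
      subindex = 0
    } # local_proxy_mask

    remote_proxy_host = {
      label = "$lang_stats.field_labels.remote_proxy_host"
      type = "flat"
      index = 0
      subindex = 0
    } # remote_proxy_host

    remote_proxy_subnet = {
      label = "$lang_stats.field_labels.remote_proxy_subnet"
      type = "flat"
      index = 0
      subindex = 0
    } # remote_proxy_subnet

    remote_proxy_mask = {
      label = "$lang_stats.field_labels.remote_proxy_mask"
      type = "flat"
      index = 0
      subindex = 0
    } # remote_proxy_mask

  } # log.fields

  #
  # Log Parsing Filters
  #
  # Each filter pairs a regular expression with a comma-separated field list; the
  # list must name exactly one field per capturing group (the leading empty "()"
  # group is the *KEY* placeholder). Filters 2-12 each match one event type and
  # only the ones that match a given line contribute fields; filter 13 accepts
  # whatever has been collected.
  log.parsing_filters = {

    # Parse out the date/time and line prefix.
    # The event class token between SEV= and RPT= (e.g. "IKE/52") is deliberately
    # not captured: the original captured it, which shifted it into "rpt" and
    # dropped the real RPT= value (7 groups for 6 field names).
    1 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('^()[^,]*, [0-9]+, [0-9:]+ [A-Z]+ ([0-9.]+):[0-9]* <[0-9]+>[0-9]+ ([0-9/]+) ([0-9:]+)\\\\.[0-9]+ SEV=([0-9]+) [^ ]+ RPT=([0-9]+) ', '*KEY*,server_hostname,date,time,sev,rpt')"
    } # 1

    # Parse a general Group/User line.
    # NOTE(review): group names are matched with [0-9A-Z]* here and in every filter
    # below, so a group containing lowercase letters or punctuation will not match.
    2 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+ +([0-9.]*) Group \\\\[([0-9A-Z]*)\\\\] User \\\\[([^]]*)\\\\] (.*)$', '*KEY*,source_host,group,user,operation')"
    } # 2

    # Parse a general User line
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+ +User ([^ ]*)', '*KEY*,user')"
    } # 3

    # Parse an 'authenticated' line; the user name is taken from "User (...)",
    # the bracketed "User [...]" before it is matched but not captured.
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+ +[0-9.]+ +Group \\\\[([0-9A-Z]*)\\\\] User \\\\[[^]]+\\\\] User \\\\(([^)]+)\\\\) (authenticated)', '*KEY*,group,user,operation')"
    } # 4

    # Parse a 'Validation of certificate successful' line (certificate CN and hex serial)
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]+)\\\\] (Validation of certificate successful) \\\\(CN=([^,]+), SN=([A-F0-9]+)\\\\)', '*KEY*,source_host,group,operation,cn,sn')"
    } # 5

    # Parse a 'Received local Proxy Host' line
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]+): Group \\\\[([0-9A-Z]+)\\\\] User \\\\[([^]]+)\\\\] (Received local Proxy Host data in ID Payload): *Address ([0-9.]+), Protocol ([0-9]+), Port ([0-9]+)', '*KEY*,source_host,group,user,operation,local_proxy_host,protocol,port')"
    } # 6

    # Parse a 'Received local Proxy Subnet data' line
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]*)\\\\] User \\\\[([^]]*)\\\\] (Received local IP Proxy Subnet data in ID Payload): *Address ([0-9.]*), Mask ([0-9.]*), Protocol ([0-9]*), Port ([0-9]*)', '*KEY*,source_host,group,user,operation,local_proxy_subnet,local_proxy_mask,protocol,port')"
    } # 7

    # Parse a 'Received remote Proxy Host' line
    8 = {
      label = "8"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]*)\\\\] User \\\\[([^]]*)\\\\] (Received remote Proxy Host data in ID Payload): *Address ([0-9.]*), Protocol ([0-9]*), Port ([0-9]*)', '*KEY*,source_host,group,user,operation,remote_proxy_host,protocol,port')"
    } # 8

    # Parse a 'Received remote Proxy Subnet data' line
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]*)\\\\] User \\\\[([^]]*)\\\\] (Received remote IP Proxy Subnet data in ID Payload): *Address ([0-9.]*), Mask ([0-9.]*), Protocol ([0-9]*), Port ([0-9]*)', '*KEY*,source_host,group,user,operation,remote_proxy_subnet,remote_proxy_mask,protocol,port')"
    } # 9

    # Parse a 'Security negotiation complete' line.
    # The user is captured from "User (...)" with [^)]* (as filter 4 does);
    # the original used [^]]* there, which only worked by regex backtracking.
    10 = {
      label = "10"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]*)\\\\] User \\\\[[^]]*\\\\] (Security negotiation complete) for User \\\\(([^)]*)\\\\) Responder, Inbound SPI = ([^,]*), Outbound SPI = ([^,]*)', '*KEY*,source_host,group,operation,user,inbound_spi,outbound_spi')"
    } # 10

    # Parse a 'Connection terminated' line.
    # Three fixes relative to the original: the peer token after "peer" is no
    # longer a capturing group (8 groups were listed against 7 names, shifting
    # every later value by one); "Local Proxy ([^,])*" became "([^,]*)" so the
    # whole value is captured instead of its last character; and the captures
    # are written to the declared remote_proxy_host/local_proxy_host fields
    # instead of the undeclared remote_proxy/local_proxy names.
    # NOTE(review): that mapping assumes the "Remote Proxy"/"Local Proxy" values
    # on this line are addresses like the ones filters 6 and 8 collect - confirm
    # against sample logs; if they can be subnets, declare dedicated fields instead.
    11 = {
      label = "11"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]*)\\\\] User \\\\[([^]]*)\\\\] (Connection terminated for peer) [^ ]* \\\\([^)]*\\\\) *Remote Proxy ([^,]*), Local Proxy ([^,]*)', '*KEY*,source_host,group,user,operation,remote_proxy_host,local_proxy_host')"
    } # 11

    # Parse a 'PHASE 2 COMPLETE' line
    12 = {
      label = "12"
      comment = ""
      value = "collect_fields_using_regexp('()RPT=[0-9]+[: ]+([0-9.]*): Group \\\\[([0-9A-Z]*)\\\\] User \\\\[([^]]*)\\\\] (PHASE 2 COMPLETED)', '*KEY*,source_host,group,user,operation')"
    } # 12

    # Accept this log entry
    13 = {
      label = "13"
      comment = ""
      value = "accept_collected_entry_using_regexp('()', false)"
    } # 13

  } # log.parsing_filters

  # Database fields
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    server_hostname = {
      label = "$lang_stats.field_labels.server_hostname"
      log_field = "server_hostname"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server_hostname

    operation = {
      label = "$lang_stats.field_labels.operation"
      log_field = "operation"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # operation

    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user

    group = {
      label = "$lang_stats.field_labels.group"
      log_field = "group"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # group

    cn = {
      label = "$lang_stats.field_labels.cn"
      log_field = "cn"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # cn

    sn = {
      label = "$lang_stats.field_labels.sn"
      log_field = "sn"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sn

    sa = {
      label = "$lang_stats.field_labels.sa"
      log_field = "sa"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sa

    sev = {
      label = "$lang_stats.field_labels.sev"
      log_field = "sev"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sev

    rpt = {
      label = "$lang_stats.field_labels.rpt"
      log_field = "rpt"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rpt

    payload = {
      label = "$lang_stats.field_labels.payload"
      log_field = "payload"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # payload

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol

    port = {
      label = "$lang_stats.field_labels.port"
      log_field = "port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # port

    # Deeper suppress_bottom than the flat fields: source_host is a "host" log
    # field split on "." and so has more hierarchy levels to hide.
    source_host = {
      label = "$lang_stats.field_labels.source_host"
      log_field = "source_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 9
    } # source_host

    inbound_spi = {
      label = "$lang_stats.field_labels.inbound_spi"
      log_field = "inbound_spi"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # inbound_spi

    outbound_spi = {
      label = "$lang_stats.field_labels.outbound_spi"
      log_field = "outbound_spi"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # outbound_spi

    local_proxy_host = {
      label = "$lang_stats.field_labels.local_proxy_host"
      log_field = "local_proxy_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # local_proxy_host

    local_proxy_subnet = {
      label = "$lang_stats.field_labels.local_proxy_subnet"
      log_field = "local_proxy_subnet"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # local_proxy_subnet

    local_proxy_mask = {
      label = "$lang_stats.field_labels.local_proxy_mask"
      log_field = "local_proxy_mask"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # local_proxy_mask

    remote_proxy_host = {
      label = "$lang_stats.field_labels.remote_proxy_host"
      log_field = "remote_proxy_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # remote_proxy_host

    remote_proxy_subnet = {
      label = "$lang_stats.field_labels.remote_proxy_subnet"
      log_field = "remote_proxy_subnet"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # remote_proxy_subnet

    remote_proxy_mask = {
      label = "$lang_stats.field_labels.remote_proxy_mask"
      log_field = "remote_proxy_mask"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # remote_proxy_mask

  } # database.fields

  # The only numerical field: one hit per accepted log entry (set by log.filters.mark_entry)
  database.numerical_fields = {

    hits = {
      label = "$lang_stats.field_labels.hits"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # hits

  } # database.numerical_fields

  log.filters = {

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;'
    } # mark_entry

  } # log.filters

  create_profile_wizard_options = {

    date_time_tracking = true
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      server_hostname = true
      operation = true
      user = true
      group = true
      cn = true
      sn = true
      sa = true
      sev = true
      rpt = true
      payload = true
      protocol = true
      port = true
      source_host = true
      inbound_spi = true
      outbound_spi = true
      local_proxy_host = true
      local_proxy_subnet = true
      local_proxy_mask = true
      remote_proxy_host = true
      remote_proxy_subnet = true
      remote_proxy_mask = true
    } # report_groups

  } # create_profile_wizard_options

  # Web-style statistics that make no sense for a VPN event log
  not_supported = {
    visitors = true
    sessions = true
    pageviews = true
    bandwidth = true
  } # not_supported

} # cisco_vpnconcentrator_commas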