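# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Cisco WAAS TCP Proxy connection log (v4.1+).
# All field values come from the device's log line through the regular
# expressions in log.parsing_filters.parse (parse_only_with_filters is set, so
# nothing is taken from the line any other way); the only value taken from
# outside the line is the WAE's own address, parsed from the log file name.
# OT and SODRE events of one connection are collected under the key
# "<connection_id>_<wae_ip>"; BP (pass-through) events carry no connection id
# and are collected under "<wae_ip>" alone.  A line that matches neither the
# OT/SODRE nor the BP expression is silently ignored (no accept call runs).
cisco_waas_tcp_proxy = {
  plugin_version = "1.4.2"
  # 2009-02-02 - 1.0 - Mani Ramasamy of Cisco - Initial creation based on cisco_waas_tcp_proxy for 4.0
  # 2009-02-04 - 1.1 - KBB - Debugged regular expressions and restructured for accurate keying.
  # 2009-03-21 - 1.2 - KBB and Mani - Debugged START regular expression and changed SODRE event
  # processing to carry over. There are problems with this because the SODRE event is sometimes after
  # the OT END event. Concurrent connections calculations are commented out until the log contains a
  # way to tell if the devices has restarted, otherwise, there is no way to know to start the count
  # over and events that don't end are never dropped from the count.
  # 2009-03-23 - 1.2.1 - KBB - Changed SODRE event back to accept with false because order of SODRE END
  # and OT END is random and numeric values are wrong.
  # 2009-07-28 - 1.3 - KBB - Fixed bug in 4.1.3 where duration was not calculated by parsing missing
  # fields. Added optional fields ssl_reject_reason and x_final_policy. (Not really a bug. Due to a
  # miscommunication, the fields were not added.)
  # 2009-07-31 - 1.3.1 - KBB - Changed name of x_final_policy to applied policy.
  # 2010-01-28 - 1.4 - Mani and KBB - Restored support for BP events
  # 2010-02-02 - 1.4.1 - Mani - Added support for BP in 4.1.3 by adding optional field ssl_reject_reason.
  # 2010-02-03 - 1.4.2 - KBB - Made counts of events more accurate by counting starts,
  # ends and pass throughs. Also stopped carry over of data from START to OT END event. Because of the
  # unpredictable order of OT and SODRE end events, it is not possible to treat the whole connection
  # as one event, so it throws off counting if a value may or may not be in an entry depending on the
  # order in the log.
  # (unversioned) - review - BP branch of the parsing filter now stores wae_ip, which it
  # previously never set, so pass-through events are attributed to a device in the wae_ip report.

  # NOTE(review): key is spelled "manfacturer" here; confirm that is the spelling the
  # Sawmill plugin schema expects before renaming it.
  info.1.manfacturer = "Cisco"
  info.1.device = "WAAS TCP Proxy"
  info.1.version.1 = "4.1.0" # ?
  info.1.version.2 = "4.1.1"
  info.1.version.3 = "4.1.3"

  # The name of the log format
  log.format.format_label = "Cisco Wide Area Application Services (WAAS) TCP Proxy (v4.1+) Log Format"
  log.miscellaneous.log_data_type = "tcp_proxy"
  log.miscellaneous.log_format_type = "proxy_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # Fri Jan 30 00:00:01 2009 :149146 :157.57.68.26 :3624 :157.54.61.44 :443 :OT :START :EXTERNAL CLIENT :00.1a.64.ca.64.1c :basic :Web :HTTPS :F :(TFO) (TFO) (TFO) (TFO) : :(None) (None) (None) : :0 :85
  # NOTE(review): "[0-9 ][0-9]" expects the day to occupy two characters ("30" or " 5");
  # the parsing filter below is more lenient (" +([0-9]{1,2})"), so a file whose days are
  # written as "Jan 5" would parse but might not autodetect — confirm against real logs.
  log.format.autodetect_regular_expression = '^[A-Za-z]{3} [A-Za-z]{3} [0-9 ][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4} :[0-9]+'
  # Must agree with how the 'date' field is assembled in the parsing filter: day/mon/year.
  log.format.date_format = "d/mmm/yyyy"
  log.format.time_format = "hh:mm:ss"

  # Don't retire the "open" count
  # NOTE(review): with a lifespan of 0 a collected entry whose END never arrives is kept for
  # the whole run (see the 1.2 changelog note); connection ids repeating after a device
  # restart would then land on a stale entry — confirm the intended retention.
  log.format.collected_entry_lifespan = 0

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    start_time = ""
    action = ""
    ao_cfgd_policy = ""
    ao_drvd_policy = ""
    ao_final_policy = ""
    ao_reject_reason = ""
    ssl_reject_reason = ""
    app_classifier_name = ""
    app_map_name = ""
    app_name = ""
    cfgd_policy = ""
    connection_id = ""
    connection_type = ""
    # concurrent_connections = ""
    destination_ip = ""
    destination_port = ""
    dirm = ""
    drvd_policy = ""
    dscp = ""
    duration = ""
    final_policy = ""
    applied_policy = ""
    link_rtt = ""
    non_optimized_bytes_read = ""
    non_optimized_bytes_written = ""
    operation = ""
    optimized_bytes_read = ""
    optimized_bytes_written = ""
    peer_policy = ""
    source_ip = ""
    source_port = ""
    tcp_rst_reason = ""
    tfo_reject_reason = ""
    wae_ip = ""
    pass_through_reason = ""
    wae_peer_id = ""
    connections_started = ""
    connections_ended_ot = ""
    connections_ended_sodre = ""
    pass_throughs = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
    v.line = current_log_line();

    # The WAE's own address is not part of the log line; it is taken from the log file
    # name, which is expected to contain "_a.b.c.d_".  If the name does not, v.wae_ip
    # stays '' and the keys below degrade to "<connection_id>_" and '' (for BP), so
    # events from several such files would share collected entries.
    v.wae_ip = '';
    if (matches_regular_expression(current_log_pathname(), '_([0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3})_')) then (
      v.wae_ip = $1;
    );

    #Thu Jun 11 10:00:00 2009 :720293 :155.155.75.5 :10820 :205.205.250.5 :80 :OT :START :EXTERNAL SERVER :00.14.5e.cd.13.1d :basic :Web :HTTP :F :(DRE,LZ,TFO) (DRE,LZ,TFO) (DRE,LZ,TFO) (DRE,LZ,TFO) (DRE,LZ,TFO) : :(HTTP) (HTTP) (HTTP) : : :18 :161
    #Fri Jan 30 00:00:01 2009 :149146 :157.57.68.26 :3624 :157.54.61.44 :443 :OT :START :EXTERNAL CLIENT :00.1a.64.ca.64.1c :basic :Web :HTTPS :F :(TFO) (TFO) (TFO) (TFO): :(None) (None) (None) : :0 :85
    #Fri Jan 30 00:00:01 2009 :149146 :157.57.68.26 :3624 :157.54.61.44 :443 :OT :END :EXTERNAL CLIENT :(None)
    #Fri Jan 30 00:00:01 2009 :149146 :157.57.68.26 :3624 :157.54.61.44 :443 :SODRE :END :0 :0 :0 :0 :6
    # Connection events (OT and SODRE).  Captures: $1 month, $2 day, $3 time, $4 year,
    # $5 connection id, $6 source ip, $7 source port, $8 destination ip,
    # $9 destination port, $10 OT|SODRE, $11 the remainder of the line.
    # The id and port captures are digits only and the addresses [0-9.] only, so a
    # malformed line fails the match instead of being stored.
    if (matches_regular_expression(v.line, '^[A-Za-z]{3} ([A-Za-z]{3}) +([0-9]{1,2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) ([0-9]{4}) :([0-9]+) :([0-9.]+) :([0-9]+) :([0-9.]+) :([0-9]+) :(OT|SODRE) :(.*)$')) then (
      # One collected entry per connection per device.
      v.key = $5 . "_" . v.wae_ip;
      set_collected_field(v.key, 'date', $2 . '/' . $1 . '/' . $4);
      set_collected_field(v.key, 'time', $3);
      set_collected_field(v.key, 'connection_id', $5);
      set_collected_field(v.key, 'source_ip', $6);
      set_collected_field(v.key, 'source_port', $7);
      set_collected_field(v.key, 'destination_ip', $8);
      set_collected_field(v.key, 'destination_port', $9);
      v.op = $10;
      v.line = $11;
      set_collected_field(v.key, 'operation', v.op);

      #Fri Jan 30 00:00:01 2009 :149146 :157.57.57.57 :3624 :154.54.54.54 :443 :SODRE :END :0 :0 :0 :0 :6
      # SODRE END: $1 non-optimized bytes read, $2 non-optimized bytes written,
      # $3 optimized bytes read, $4 optimized bytes written, $5 TCP RST reason.
      if ((v.op eq 'SODRE') and matches_regular_expression(v.line, 'END :([0-9]+) :([0-9]+) :([0-9]+) :([0-9]+) :([0-9]+)')) then (
        set_collected_field(v.key, 'wae_ip', v.wae_ip);
        set_collected_field(v.key, 'non_optimized_bytes_read', $1);
        set_collected_field(v.key, 'non_optimized_bytes_written', $2);
        set_collected_field(v.key, 'optimized_bytes_read', $3);
        set_collected_field(v.key, 'optimized_bytes_written', $4);
        set_collected_field(v.key, 'tcp_rst_reason', $5);
        set_collected_field(v.key, 'action', 'END');
        # Save open connections for the device
        # set_collected_field(v.key, 'concurrent_connections',
        # get_collected_field(v.wae_ip, 'concurrent_connections'));
        set_collected_field(v.key, 'connections_ended_sodre', 1);
        accept_collected_entry(v.key, false);
      );

      #Fri Jan 30 00:00:01 2009 :149146 :157.57.57.57 :3624 :154.54.54.54 :443 :OT :START :EXTERNAL CLIENT :00.1a.64.ca.64.1c :basic :Web :HTTPS :F :(TFO) (TFO) (TFO) (TFO): :(None) (None) (None) : :0 :85
      # else if (matches_regular_expression(v.line, '(START|END) :(.*)$')) then (
      # OT START/END: $1 action, $2 connection type, $3 peer id, $5 the optional remainder.
      # Not anchored with '^'; v.line is already the text after ":OT :", which begins with
      # the action word, so the leftmost match is the one intended.
      else if (matches_regular_expression(v.line, '(START|END) :([^:]+[^ ]) *:([^:]+[^ ])( *:(.*))?$')) then (
        v.action = $1;
        v.line = $5;
        set_collected_field(v.key, 'wae_ip', v.wae_ip);
        set_collected_field(v.key, 'connection_type', $2);
        set_collected_field(v.key, 'wae_peer_id', $3);
        set_collected_field(v.key, 'action', v.action);

        # Spacing isn't identical in the two examples, so made spaces before : flexible everywhere.
        #Thu Jan 22 16:00:41 2009 :235781 :10.10.1.10 :56497 :10.10.10.12 :443 :OT :START :INTERNAL CLIENT :00.14.5e.84.64.33 :basic :SSL :HTTPS :F :(TFO) (TFO) (TFO) (TFO) : :(None) (None) (None) : :0 :81
        #Fri Jan 30 00:00:01 2009 :149146 :157.57.57.57 :3624 :154.54.54.54 :443 :OT :START :EXTERNAL CLIENT :00.1a.64.ca.64.1c :basic :Web :HTTPS :F :(TFO) (TFO) (TFO) (TFO): :(None) (None) (None) : :0 :85
        #Thu Jun 11 10:00:00 2009 :720293 :155.155.75.5 :10820 :205.205.250.5 :80 :OT :START :EXTERNAL SERVER :00.14.5e.cd.13.1d :basic :Web :HTTP :F :(DRE,LZ,TFO) (DRE,LZ,TFO) (DRE,LZ,TFO) (DRE,LZ,TFO) (DRE,LZ,TFO) : :(HTTP) (HTTP) (HTTP) : : :18 :161
        # if ((v.action eq 'START') and matches_regular_expression(v.line, '^([^:]+[^ ]) *:([0-9a-f.]+) *:([^:]*) *:([^:]*) :([^:]*) *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) *:([^:]*) *:([0-9]+) *:([0-9]+)')) then (
        # if ((v.action eq 'START') and matches_regular_expression(v.line, '^([^:]+[^ ]) *:([0-9a-f.]+) *:([^:]*) *:([^:]*) :([^:]*) *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\)( \\\\(([^)]*)\\\\))? *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) *:([^:]*)( *:([^:]*))? *:([0-9]+) *:([0-9]+)')) then (
        # START remainder.  Captures: $1 app map, $2 app name, $3 classifier, $4 dirm,
        # $5-$8 cfgd/drvd/peer/final policy, $10 applied policy (inside the optional
        # group $9, absent on 4.1.0 logs), $11 TFO reject reason, $12-$14 AO cfgd/drvd/final
        # policy, $15 AO reject reason, $17 SSL reject reason (inside the optional group $16),
        # $18 DSCP, $19 link RTT.  $9 and $16 are the optional wrappers and are not stored.
        if ((v.action eq 'START') and matches_regular_expression(v.line, '^([^:]*) *:([^:]*) :([^:]*) *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\)( \\\\(([^)]*)\\\\))? *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) *:([^:]*)( *:([^:]*))? *:([0-9]+) *:([0-9]+)')) then (
          set_collected_field(v.key, 'app_map_name', $1);
          set_collected_field(v.key, 'app_name', $2);
          set_collected_field(v.key, 'app_classifier_name', $3);
          set_collected_field(v.key, 'dirm', $4);
          set_collected_field(v.key, 'cfgd_policy', $5);
          set_collected_field(v.key, 'drvd_policy', $6);
          set_collected_field(v.key, 'peer_policy', $7);
          set_collected_field(v.key, 'final_policy', $8);
          set_collected_field(v.key, 'applied_policy', $10);
          set_collected_field(v.key, 'tfo_reject_reason', $11);
          set_collected_field(v.key, 'ao_cfgd_policy', $12);
          set_collected_field(v.key, 'ao_drvd_policy', $13);
          set_collected_field(v.key, 'ao_final_policy', $14);
          set_collected_field(v.key, 'ao_reject_reason', $15);
          set_collected_field(v.key, 'ssl_reject_reason', $17);
          set_collected_field(v.key, 'dscp', $18);
          set_collected_field(v.key, 'link_rtt', $19);
          set_collected_field(v.key, 'connections_started', 1);
          # Remembered on the collected entry so the OT END branch can compute duration.
          set_collected_field(v.key, 'start_time', get_collected_field(v.key, 'date_time'));
          # set_collected_field(v.wae_ip, 'concurrent_connections',
          # get_collected_field(v.wae_ip, 'concurrent_connections') + 1);
          # NOTE(review): START is the only event accepted with a second argument of true; the
          # END branch below reads start_time and clears the START fields, which suggests true
          # keeps the collected entry alive — confirm against the accept_collected_entry docs.
          accept_collected_entry(v.key, true);
        );

        #Thu Jan 22 16:00:41 2009 :235781 :10.10.1.10 :56497 :10.10.10.12 :443 :OT :END :INTERNAL CLIENT :(None)
        # else if ((v.action eq 'END') and matches_regular_expression(v.line, '^([^:]+) *:([^:]*)')) then (
        else if (v.action eq 'END') then (
          # clear these so they don't carry over - all we care about is the start_time
          set_collected_field(v.key, 'app_map_name', '');
          set_collected_field(v.key, 'app_name', '');
          set_collected_field(v.key, 'app_classifier_name', '');
          set_collected_field(v.key, 'dirm', '');
          set_collected_field(v.key, 'cfgd_policy', '');
          set_collected_field(v.key, 'drvd_policy', '');
          set_collected_field(v.key, 'peer_policy', '');
          set_collected_field(v.key, 'final_policy', '');
          set_collected_field(v.key, 'applied_policy', '');
          set_collected_field(v.key, 'tfo_reject_reason', '');
          set_collected_field(v.key, 'ao_cfgd_policy', '');
          set_collected_field(v.key, 'ao_drvd_policy', '');
          set_collected_field(v.key, 'ao_final_policy', '');
          set_collected_field(v.key, 'ao_reject_reason', '');
          set_collected_field(v.key, 'ssl_reject_reason', '');
          set_collected_field(v.key, 'dscp', '');
          set_collected_field(v.key, 'link_rtt', '');

          # Calculate the duration if we know about the START event.
          # start_time is empty when the START was not in the processed data (or a SODRE END
          # already retired the entry); the > 0 test presumably relies on date_time_to_epoc
          # returning a non-positive value for that case — confirm.
          int start_time_epoc = date_time_to_epoc(get_collected_field(v.key, 'start_time'));
          if (start_time_epoc > 0) then (
            int end_time_epoc = date_time_to_epoc(get_collected_field(v.key, 'date_time'));
            # 0.0 + ... so the stored duration is a float, matching database.numerical_fields.duration.
            set_collected_field(v.key, 'duration', 0.0 + (end_time_epoc - start_time_epoc));
          );

          # # Save open connections for the device
          # set_collected_field(v.key, 'concurrent_connections',
          # get_collected_field(v.wae_ip, 'concurrent_connections'));
          # # Don't decrement if the open did not happen within the log data.
          # #if (get_collected_field(v.key, 'open') eq 'yes') then (
          # if (start_time_epoc > 0) then (
          # set_collected_field(v.wae_ip, 'concurrent_connections',
          # get_collected_field(v.wae_ip, 'concurrent_connections') - 1);
          # );
          set_collected_field(v.key, 'connections_ended_ot', 1);
          set_collected_field(v.key, 'connections_started', 0); # this also shouldn't carry over
          accept_collected_entry(v.key, false);
        );
      );
    );

    # This is parsed separately, even the dates, because there is no connection id
    #Fri Jan 30 00:01:00 2009 :10.66.166.6 :33956 :10.66.166.160 :443 :BP :NO_PEER :(TFO) (TFO) (None) : :(None) (None) :
    #Thu Jun 11 10:00:04 2009 :155.115.55.155 :1727 :151.115.50.155 :88 :BP :APP_CFG :(None) (None) (None) : :(None) (None) : :
    # Pass-through events.  Captures: $1 month, $2 day, $3 time, $4 year, $5 source ip,
    # $6 source port, $7 destination ip, $8 destination port, $9 "BP", $10 pass-through
    # reason, $11-$13 cfgd/drvd/peer policy, $14 TFO reject reason, $15-$16 AO cfgd/drvd
    # policy, $17 AO reject reason, $19 SSL reject reason (inside the optional group $18,
    # present from 4.1.3).
    else if (matches_regular_expression(v.line, '^[A-Za-z]{3} ([A-Za-z]{3}) +([0-9]{1,2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) ([0-9]{4}) :([0-9.]+) :([0-9]+) :([0-9.]+) :([0-9]+) :(BP) :([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) *:([^:]*) *:\\\\(([^)]*)\\\\) \\\\(([^)]*)\\\\) *:([^:]*)( *:([^:]*))?')) then (
      v.key = v.wae_ip; # no connection id
      set_collected_field(v.key, 'date', $2 . '/' . $1 . '/' . $4);
      set_collected_field(v.key, 'time', $3);
      # Previously this branch never stored wae_ip, so every pass-through row had an empty
      # device address in the wae_ip report even though the key itself is the address.
      set_collected_field(v.key, 'wae_ip', v.wae_ip);
      set_collected_field(v.key, 'source_ip', $5);
      set_collected_field(v.key, 'source_port', $6);
      set_collected_field(v.key, 'destination_ip', $7);
      set_collected_field(v.key, 'destination_port', $8);
      set_collected_field(v.key, 'pass_through_reason', $10);
      set_collected_field(v.key, 'cfgd_policy', $11);
      set_collected_field(v.key, 'drvd_policy', $12);
      set_collected_field(v.key, 'peer_policy', $13);
      set_collected_field(v.key, 'tfo_reject_reason', $14);
      set_collected_field(v.key, 'ao_cfgd_policy', $15);
      set_collected_field(v.key, 'ao_drvd_policy', $16);
      set_collected_field(v.key, 'ao_reject_reason', $17);
      set_collected_field(v.key, 'ssl_reject_reason', $19);
      set_collected_field(v.key, 'pass_throughs', 1);
      # NOTE(review): 'operation' is left empty for BP rows (the OT/SODRE branch stores $10
      # there); storing $9 ("BP") would make the operation report cover pass-throughs too —
      # left unchanged pending confirmation that the omission is not deliberate.
      accept_collected_entry(v.key, false);
    );
  `

  # Database fields
  database.fields = {
    # date_time.suppress_bottom = 6 # for concurrent_connections
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    action = ""
    ao_cfgd_policy = ""
    ao_drvd_policy = ""
    ao_final_policy = ""
    ao_reject_reason = ""
    ssl_reject_reason = ""
    app_classifier_name = ""
    app_map_name = ""
    app_name = ""
    cfgd_policy = ""
    connection_id = ""
    connection_type = ""
    # concurrent_connections = ""
    destination_ip = ""
    destination_port = ""
    dirm = ""
    drvd_policy = ""
    dscp = ""
    duration = ""
    final_policy = ""
    applied_policy = ""
    link_rtt = ""
    non_optimized_bytes_read = ""
    non_optimized_bytes_written = ""
    operation = ""
    optimized_bytes_read = ""
    optimized_bytes_written = ""
    peer_policy = ""
    source_ip = ""
    source_port = ""
    tcp_rst_reason = ""
    tfo_reject_reason = ""
    pass_through_reason = ""
    wae_ip = ""
    wae_peer_id = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # Each accepted entry carries at most one of these set to 1 (see the parsing filter),
    # so summing them counts STARTs, OT ENDs, SODRE ENDs and pass-throughs separately.
    connections_started = ""
    connections_ended_ot = ""
    connections_ended_sodre = ""
    pass_throughs = ""
    duration = {
      type = float
      display_format_type = duration_compact
    } # duration
    #bytes_passed_through = {
    #  type = "float"
    #  display_format_type = "bandwidth"
    #}
    non_optimized_bytes_read = {
      type = "float"
      display_format_type = "bandwidth"
    }
    optimized_bytes_written = {
      type = "float"
      display_format_type = "bandwidth"
    }
    optimized_bytes_read = {
      type = "float"
      display_format_type = "bandwidth"
    }
    non_optimized_bytes_written = {
      type = "float"
      display_format_type = "bandwidth"
    }
    # concurrent_connections = {
    #   default = "true"
    #   aggregation_method = "max"
    # }
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # Specify the reports menu manually
    manual_reports_menu = true

    # How the reports should be grouped in the report menu
    report_groups = {
      overview.type = "overview"
      date_time_group = {
        items = {
          date_time = {
            label = "$lang_stats.miscellaneous.years_months_days"
            only_bottom_level_items = false
          }
          days = {
            label = "$lang_stats.miscellaneous.days"
            database_field_name = "date_time"
          }
          day_of_week = ""
          hour_of_day = ""
        }
      } # date_time_group
      source_group = {
        items = {
          source_ip = ""
          source_port = ""
        } # items
      } # source_group
      destination_group = {
        items = {
          destination_ip = ""
          destination_port = ""
        } # items
      } # destination_group
      connections_group = {
        items = {
          #maximum_concurrent_connections = {
          #  database_field_name = "date_time"
          #  label = "$lang_stats.field_labels.maximum_concurrent_connections"
          #}
          # maximum_concurrent_connections = {
          #   database_field_name = "date_time"
          #   label = "$lang_stats.field_labels.maximum_concurrent_connections"
          #   #show_header_bar = "true"
          #   columns = {
          #     0 = {
          #       #data_type = "string"
          #       display_format_type = "date_time"
          #       field_name = "date_time"
          #       #header_label = "{=capitalize(database.fields.date_time.label)=}"
          #       main_column = "true"
          #       #type = "string"
          #       #visible = "true"
          #     } # 0
          #     1 = {
          #       #data_type = "int"
          #       #display_format_type = "integer"
          #       field_name = "concurrent_connections"
          #       #header_label = "{=capitalize(database.fields.concurrent_connections.label)=}"
          #       show_bar_column = "true"
          #       show_graph = "true"
          #       #show_number_column = "true"
          #       #show_percent_column = "false"
          #       #type = "number"
          #       #visible = "true"
          #     } # 1
          #   } # columns
          #   #disabled = "false"
          #   ending_row = "60"
          #   graphs = {
          #     bar_line_graph = {
          #       x_axis_length = "744"
          #       y_axis_height = "150"
          #     } # bar_line_graph
          #     graph_type = "line"
          #   } # graphs
          #   #omit_parenthesized_items = "true"
          #   #omit_table = "false"
          #   only_bottom_level_items = "false"
          #   show_averages_row = "false"
          #   show_header_bar = "false"
          #   show_omitted_items_row = "false"
          #   show_totals_row = "false"
          #   sort_by = "concurrent_connections"
          #   sort_direction = "descending"
          #   #starting_row = "1"
          #   #type = "table"
          # }
          connection_id = ""
          connection_type = ""
          operation = ""
        } # items
      } # connections_group
      policies_group = {
        items = {
          app_map_name = ""
          app_name = ""
          app_classifier_name = ""
          cfgd_policy = ""
          drvd_policy = ""
          peer_policy = ""
          final_policy = ""
          applied_policy = ""
          tfo_reject_reason = ""
          ao_cfgd_policy = ""
          ao_drvd_policy = ""
          ao_final_policy = ""
          ao_reject_reason = ""
          ssl_reject_reason = ""
        } # items
      } # policies_group
      results_group = {
        items = {
          tcp_rst_reason = ""
          pass_through_reason = ""
        } # items
      } # results_group
      other_group = {
        items = {
          wae_peer_id = ""
          wae_ip = ""
          action = ""
          dirm = ""
        } # items
      } # other_group
      log_detail = true
      single_page_summary = true
    } # report_groups
  } # create_profile_wizard_options
} # cisco_waas_tcp_proxy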