# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. cp_secure_content_security = { info.1.manfacturer = "CP Secure" info.1.device = "Content Security Gateway" info.1.version.1 = "300" # The name of the log format log.format.format_label = "CP Secure Content Security Gateway" log.miscellaneous.log_data_type = "syslog_required" log.miscellaneous.log_format_type = "proxy_server" # The log is in this format if any of the first ten lines match this regular expression log.format.autodetect_regular_expression = "syslogd: [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] +[^ ]+ +[0-9]+ +[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ + [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ +[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ +[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ " # All log field parsing will be done using the parsing filters log.format.parse_only_with_filters = "true" # Log fields log.fields = { date = "" time = "" protocol = "" bytes = "" source_ip.type = "host" destination_ip = "" url.type = "page" } # log.fields # Log Parsing Filters log.parsing_filters.parse = ` if (matches_regular_expression(v.syslog_message, '^ *syslogd: ([^ ]+) ([^ ]+) +([^ ]+) +([0-9]+) +([0-9.]+) +([0-9.]+) +([0-9.]+) +([0-9.]+) +([^ ].*[^ ]) *$')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); set_collected_field('', 'protocol', $3); set_collected_field('', 'bytes', $4); set_collected_field('', 'source_ip', $5); set_collected_field('', 'destination_ip', $6); # duplicate of destination_ip = $7? # duplicate of source_ip = $8 set_collected_field('', 'url', $9); accept_collected_entry('', false); ); ` # Database fields database.fields = { date_time = "" day_of_week = "" hour_of_day = "" protocol = "" source_ip = "" location = "" destination_ip = "" url = { suppress_top = 1 suppress_bottom = 3 } file_type = "" worm = "" } # database.fields # Log Filters log.filters = { detect_page_views = { label = '$lang_admin.log_filters.detect_page_views_label' comment = '$lang_admin.log_filters.detect_page_views_comment' value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;" } # detect_page_views simplify_url = { label = "$lang_admin.log_filters.simplify_url_label" comment = "$lang_admin.log_filters.simplify_url_comment" value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'" } # simplify_url remove_query = { label = "$lang_admin.log_filters.remove_query_label" comment = "$lang_admin.log_filters.remove_query_comment" value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';" } # remove_query strip_non_page_views = { label = '$lang_admin.log_filters.strip_non_page_views_label' comment = '$lang_admin.log_filters.strip_non_page_views_comment' value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';" } # strip_non_page_views mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'accesses = 1;' } # mark_entry } # log.filters log.field_options = { sessions_page_field = "url" sessions_visitor_id_field = "source_ip" sessions_event_field = "page_views" } # log.field_options database.numerical_fields = { accesses = { default = false requires_log_field = false entries_field = true } # accesses page_views = { default = true } unique_source_ips = { default = false log_field = "source_ip" type = "unique" } # unique_source_ips bytes = { type = "float" display_format_type = "bandwidth" } # bytes } # database.numerical_fields create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" } # report_groups } # create_profile_wizard_options } # cp_secure_content_security