# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Adiscon EventReporter v6: Windows event log
# records forwarded over syslog and tagged "EvntSLog:". Parsing filters are
# defined only for event codes 538 and 540; lines that match neither filter
# are not accepted by the filters below.
eventreporter_v6 = {
  plugin_version = "1.0.1"
  # Initial creation - 1.0
  # 2010-11-03 - 1.0.1 - MSG - Edited info lines.

  # NOTE(review): "manfacturer" is the key as shipped; confirm it is the
  # spelling Sawmill reads before changing it.
  info.1.manfacturer = "Adiscon"
  info.1.device = "EventReporter v.6"
  info.1.version.1 = "6" # Event Reporter version 6

  # The name of the log format
  log.format.format_label = "Event Reporter v6"
  # Syslog framing is required; the parsing filters below read the message
  # body from v.syslog_message.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = " EvntSLog: "

  # Use parsing filters to extract data
  log.format.parse_only_with_filters = "true"
  log.format.allow_spaces_in_listed_field_values = "false"

  # Log fields
  # Populated by set_collected_field() in the 538/540 parsing filters. Those
  # filters also set 'date', which is not declared here — presumably it is
  # supplied by the syslog layer; confirm.
  log.fields = {
    source = ""
    severity = ""
    event_code = ""
    user_name = ""
    domain = ""
    logon_id = ""
    logon_type = ""
    logon_process = ""
    authentication_package = ""
    workstation_name = ""
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters = {

    # Token labels for event 538, built once (guarded by node_exists). The
    # 538 filter walks them in this order and cuts the message back before
    # each match, so labels listed later are expected to appear earlier in
    # the message text.
    evt538_token_list = {
      label = "Event 538 tokens"
      comment = ""
      value = `if (!node_exists('v.e538')) then ( v.e538.0 = 'Logon Type'; v.e538.1 = 'Logon ID'; v.e538.2 = 'Domain'; v.e538.3 = 'User Name' ) `
    } # evt538_token_list

    # Event 538. Capture groups of the regular expression: $1 host from
    # RealSource:"...", $2 bracketed severity, $3 and $4 two space-free
    # tokens, $5 a number, $6 HH:MM:SS, $7 a number, $8 text before the
    # event code, $9 the event code (538), $10 message text after `- "`.
    # The date is assembled as $5/$4/$7 (presumably day/month/year — confirm);
    # the $6 time is not stored.
    # Token extraction: for each label in v.e538, find " <Label>: " in the
    # remaining message, take everything after it as the value, cut the
    # message back to the match, and store the value in the field named by
    # the lower-cased label with spaces replaced by underscores.
    # NOTE(review): substr(v.message, 0, v.i+1) keeps the separating space,
    # so values extracted on later iterations may carry a trailing space —
    # confirm substr semantics. Values are located by plain substring search
    # in free text, so a field value that itself contains a token label
    # followed by ": " would shift the split; confirm whether that can occur
    # in this feed.
    538 = {
      label = "Event 538"
      comment = ""
      value = `if ( matches_regular_expression(v.syslog_message, '[^ ]* EvntSLog: RealSource:"([^"]+)" EvntSLog: (\\\\[.*\\\\]) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([0-9]+): (.*) \\\\((538)\\\\) - "(.*)') ) then (
        set_collected_field('', 'source', $1);
        set_collected_field('', 'severity', $2);
        set_collected_field('', 'date', $5 . '/' . $4 . '/' . $7 );
        set_collected_field('', 'event_code', $9);
        v.message=$10;
        if ( !node_exists( 'token' ) ) then ( node token );
        foreach token "v.e538" (
          v.i = index( v.message, " " . node_value(token) . ": " );
          if (v.i >= 0) then (
            v.varval = substr( v.message, v.i + length(node_value(token)) + 3 );
            v.message = substr( v.message, 0, v.i+1 );
            set_collected_field( "", replace_all( lowercase(node_value(token)), " ", "_" ), v.varval )));
        accept_collected_entry( '', false); );`
    } # 538

    # Token labels for event 540, built once (guarded by node_exists); same
    # ordering convention as evt538_token_list.
    evt540_token_list = {
      label = "Event 540 tokens"
      comment = ""
      value = `if (!node_exists('v.e540')) then ( v.e540.0 = 'Workstation Name'; v.e540.1 = 'Authentication Package'; v.e540.2 = 'Logon Process'; v.e540.3 = 'Logon Type'; v.e540.4 = 'Logon ID'; v.e540.5 = 'Domain'; v.e540.6 = 'User Name' ) `
    } # evt540_token_list

    # Event 540. Identical to the 538 filter except for the event code
    # matched in $9 and the token list (v.e540); the same capture-group
    # layout, date assembly and token-extraction caveats apply.
    540 = {
      label = "Event 540"
      comment = ""
      value = `if ( matches_regular_expression(v.syslog_message, '[^ ]* EvntSLog: RealSource:"([^"]+)" EvntSLog: (\\\\[.*\\\\]) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([0-9]+): (.*) \\\\((540)\\\\) - "(.*)') ) then (
        set_collected_field('', 'source', $1);
        set_collected_field('', 'severity', $2);
        set_collected_field('', 'date', $5 . '/' . $4 . '/' . $7 );
        set_collected_field('', 'event_code', $9);
        v.message=$10;
        if ( !node_exists( 'token' ) ) then ( node token );
        foreach token "v.e540" (
          v.i = index( v.message, " " . node_value(token) . ": " );
          if (v.i >= 0) then (
            v.varval = substr( v.message, v.i + length(node_value(token)) + 3 );
            v.message = substr( v.message, 0, v.i+1 );
            set_collected_field( "", replace_all( lowercase(node_value(token)), " ", "_" ), v.varval )));
        accept_collected_entry( '', false); );`
    } # 540

  } # log.parsing_filters

  # Database fields
  # One string field per collected log field; labels are language-table keys.
  database.fields = {

    source = {
      label = "$lang_stats.field_labels.source"
      log_field = "source"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source

    severity = {
      label = "$lang_stats.field_labels.severity"
      log_field = "severity"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # severity

    event_code = {
      label = "$lang_stats.field_labels.event_code"
      log_field = "event_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event_code

    user_name = {
      label = "$lang_stats.field_labels.user_name"
      log_field = "user_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user_name

    domain = {
      label = "$lang_stats.field_labels.domain"
      log_field = "domain"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain

    # NOTE(review): logon_id is still declared in log.fields and populated by
    # the parsing filters, but its database field (and the convert_logon_id
    # log filter below) are commented out, so the value appears not to be
    # stored — confirm this is intended.
    # logon_id = {
    #   label = "$lang_stats.field_labels.logon_id"
    #   log_field = "logon_id"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # logon_id

    logon_type = {
      label = "$lang_stats.field_labels.logon_type"
      log_field = "logon_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logon_type

    logon_process = {
      label = "$lang_stats.field_labels.logon_process"
      log_field = "logon_process"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logon_process

    authentication_package = {
      label = "$lang_stats.field_labels.authentication_package"
      log_field = "authentication_package"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # authentication_package

    # NOTE(review): the label key and report_groups entry use "workstation"
    # while this database field is named "workstation_name"; confirm which
    # name report_groups must reference.
    workstation_name = {
      label = "$lang_stats.field_labels.workstation"
      log_field = "workstation_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # workstation_name

  } # database.fields

  # Entry counter; incremented by the mark_entry log filter below.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
    # Disabled along with the logon_id database field above.
    # convert_logon_id = {
    #   label = "Convert Logon ID"
    #   comment = ""
    #   value = "logon_id = replace_all(replace_all(logon_id, '(', '['), ')', ']')"
    # } # convert_logon_id
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      user_name = true
      domain = true
      # logon_id = true
      logon_type = true
      logon_process = true
      authentication_package = true
      workstation = true
      source = true
      severity = true
      event_code = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-traffic style reports that do not apply to Windows event logs.
  not_supported = {
    individualhosts = true
    visitors = true
    sessions = true
    pageviews = true
    bandwidth = true
  } # not_supported

} # eventreporter_v6