# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plug-in for F5 FirePass SSL VPN events received over syslog.
# It declares the fields the parser fills, the parsing filters that extract
# them from v.syslog_message, and the database/report fields built from them.
firepass_ssl_vpn_syslog = {
  # NOTE(review): the change log below records 1.1 and 1.1.1, but plugin_version
  # was never bumped past 1.0 — confirm which value the loader is expected to see.
  plugin_version = "1.0"
  # NOTE(review): key name is spelled "manfacturer"; if the host expects
  # "manufacturer" this value is silently ignored — verify against the schema.
  info.1.manfacturer = "F5"
  info.1.device = "FirePass SSL VPN (with syslog)"
  info.1.version = "4100"
  # 2007-09-11 - 1.0 - KBB - added version number and changed file name from beta_firepass.cfg
  # 2009-10-02 - 1.1 - gas - changed name of plug-in to firepass_ssl_vpn_syslog, because it is the same device as firepass_ssl_vpn
  # 2010-11-17 - 1.1.1 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "Firepass SSL VPN (syslog) Log Format"
  # This format only makes sense on top of a syslog transport.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The previous (pre-1.1) detector is kept for reference:
  # log.format.autodetect_regular_expression = "firepass\\[[0-9]+\\]: "
  # NOTE(review): "[from]*" is a character class (any run of f/r/o/m), not the
  # literal word "from"; it still matches real lines but is looser than intended.
  log.format.autodetect_regular_expression = "[Ll]ogged (on|out) [from]* *[0-9.]* *Sid = [a-f0-9]+"
  log.format.autodetect_lines = "10"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields.
  # event_type/protocol/client_ip/local_address/remote_address are declared in
  # full; user/action/message use the empty-definition form (presumably "use
  # defaults for this field name" — confirm against the host's conventions).
  log.fields = {
    event_type = {
      label = "$lang_stats.field_labels.event_type"
      type = "flat"
      index = 0
      subindex = 0
    } # event_type
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    client_ip = {
      label = "$lang_stats.field_labels.client_ip"
      type = "host"
      index = 0
      subindex = 0
    } # client
    local_address = {
      label = "$lang_stats.field_labels.local_address"
      type = "flat"
      index = 0
      subindex = 0
    } # local_address
    remote_address = {
      label = "$lang_stats.field_labels.remote_address"
      type = "flat"
      index = 0
      subindex = 0
    } # remote_address
    user = ""
    action = ""
    # NOTE(review): sid stays undeclared here and absent from database.fields,
    # yet new_line_format_parser below still calls set_collected_field('', 'sid', ...).
    # Keeping session identifiers out of the report database is reasonable; either
    # declare the field or drop those two set_collected_field calls so the intent is explicit.
    # sid = ""
    message = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters = {
    ## this must be an old log format by now, but it might as well stay here if it matches anything - gas (02/10/2009 10:48:10)
    # Parse log out lines ("Security [pid] Session: IPSEC[addr]:port logged out").
    # Captures: *KEY* (empty group), event_type, protocol, client_ip.
    log_out = {
      label = "log out"
      comment = ""
      value = "collect_fields_using_regexp('()(Security \\\\[[0-9]+\\\\]) Session: (IPSEC)\\\\[([^]]+)\\\\]:[0-9]+ logged out', '*KEY*,event_type,protocol,client_ip')"
    } # log_out
    # Parse IPSEC lines carrying the physical remote/local addresses.
    ipsec = {
      label = "ipsec"
      comment = ""
      value = "collect_fields_using_regexp('()(Security \\\\[[0-9]+\\\\]) Session: (IPSEC)\\\\[([^]]+)\\\\]:[0-9]+ physical addresses: remote ([^ ]+) local ([^ ]+)', '*KEY*,event_type,protocol,client_ip,remote_address,local_address')"
    } # ipsec
    # Accept entries — only the old-format "logged out" line releases a collected entry.
    accept = {
      label = "accept"
      comment = ""
      value = "accept_collected_entry_using_regexp('()Security \\\\[[0-9]+\\\\] Session: IPSEC\\\\[[^]]+\\\\]:[0-9]+ logged out', false)"
    } # accept

    ## old format support
    # Line parser for the "process[pid]: [user@host] ..." message shape.
    # Branches are tried in order, most specific first:
    #   1. "[user@host] Logged out Sid = <hex>"          -> event_type, user, action (lowercased), sid
    #   2. "[user@host] User ... logged on from <ip> Sid" -> event_type, user, action, client_ip, sid
    #   3. "[user@host] <anything>"                       -> event_type, user, message, action="(various events)"
    #   4. "process[pid]: <anything>"                     -> event_type, message, action="(various events)"
    # Every line is then accepted via accept_collected_entry('', false).
    # NOTE(review): branches 1-3 escape '[' and ']' as \\[ / \\] while branch 4
    # uses a single backslash (\[ / \]); which one is right depends on how the
    # backtick string processes escapes, so one of the two forms is probably not
    # matching as intended — test both against a real line.
    # NOTE(review): user and message are copied verbatim from syslog text, which
    # is attacker-influenced (e.g. a chosen username); escaping on display is the
    # reporting layer's responsibility, not this file's — confirm it is applied.
    new_line_format_parser.value = `
if (matches_regular_expression(v.syslog_message, '([^[]+)\\[[^]]+\\]: \\[([^@]+)@[^]]+\\] (Logged out) Sid = ([a-f0-9]+)')) then (
  set_collected_field('', 'event_type', $1);
  set_collected_field('', 'user', $2);
  set_collected_field('', 'action', lowercase($3));
  set_collected_field('', 'sid', $4);
);
else if (matches_regular_expression(v.syslog_message, '([^[]+)\\[[^]]+\\]: \\[([^@]+)@[^]]+\\] User [^ ]* (logged on) from ([0-9.]+) Sid = ([a-f0-9]+)')) then (
  set_collected_field('', 'event_type', $1);
  set_collected_field('', 'user', $2);
  set_collected_field('', 'action', $3);
  set_collected_field('', 'client_ip', $4);
  set_collected_field('', 'sid', $5);
);
else if (matches_regular_expression(v.syslog_message, '([^[]+)\\[[^]]+\\]: \\[([^@]+)@[^]]+\\] (.*)')) then (
  set_collected_field('', 'event_type', $1);
  set_collected_field('', 'user', $2);
  set_collected_field('', 'message', $3);
  set_collected_field('', 'action', '(various events)');
);
else if (matches_regular_expression(v.syslog_message, '([^[]+)\[[^]]+\]: (.*)')) then (
  set_collected_field('', 'event_type', $1);
  set_collected_field('', 'message', $2);
  set_collected_field('', 'action', '(various events)');
);
accept_collected_entry('', false);
`
  } # log.parsing_filters

  # Database fields.
  # Each string field maps 1:1 onto the log field of the same name; suppress_top /
  # suppress_bottom control report trimming (meaning per host docs — not defined here).
  database.fields = {
    event_type = {
      label = "$lang_stats.field_labels.event_type"
      log_field = "event_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event_type
    action = ""
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    user = ""
    client_ip = {
      label = "$lang_stats.field_labels.client_ip"
      log_field = "client_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # client
    remote_address = {
      label = "$lang_stats.field_labels.remote_address"
      log_field = "remote_address"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # remote_address
    local_address = {
      label = "$lang_stats.field_labels.local_address"
      log_field = "local_address"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # local_address
    message = ""
  } # database.fields

  # Numerical fields: a single event counter, set to 1 per entry by log.filters.mark_entry.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # duration = ""
  } # database.numerical_fields

  # Log filters: every accepted entry counts as one event.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options
} # firepass_ssl_vpn_syslog