# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Linux netfilter/iptables LOG output as it
# arrives through syslog ("... kernel: ... IN=eth0 OUT= MAC=... SRC=... DST=...").
# One log line is one packet.  The "key=value" pairs that follow "IN=" are
# collected as log fields by the parsing filter below; the rule name and the
# verdict ("result") are read from the text the administrator placed in
# front of them with --log-prefix, so those two fields depend on the
# prefix convention used on the firewall (see log.parsing_filters).

iptables = {

  plugin_version = "1.2"

  # NOTE(review): the key "manfacturer" looks like a misspelling of
  # "manufacturer"; confirm which key the host application actually reads
  # before renaming it.
  info.1.manfacturer = "Netfilter"
  info.1.device = "IPtables"
  info.1.version.1 = "1.4.9.1"

  # Change history
  # - - 1.0 - Initial creation.
  # 2008-05-02 - KBB & MSG - 1.1 - Added support format with uptime field, which will be ignored.
  # 2010-10-01 - 1.2 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "iptables Log Format"
  # Lines must carry a syslog header; this plugin never reads raw kernel output.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It keys on the fixed IN=/OUT=/LEN=/PROTO= tokens of the LOG target, not on
  # the administrator-chosen prefix, so any prefix convention autodetects.
  log.format.autodetect_regular_expression = "IN=[a-z0-9]* OUT=[a-z0-9]* .*LEN=[0-9]+ .*PROTO=[A-Z]+ "

  # An entry is called a packet
  statistics.miscellaneous.entry_name = "packets"

  # All log field parsing will be done using the parsing filters
  # (no positional format string; see log.parsing_filters).
  log.format.parse_only_with_filters = "true"

  # Log fields.
  # index/subindex are 0 for every field because values are not taken by
  # position: collect_listed_fields() in the parsing filter assigns them by
  # the lower-cased key name (in, out, mac, src, dst, ...).
  log.fields = {

    in = {
      label = "$lang_stats.field_labels.in_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # in

    out = {
      label = "$lang_stats.field_labels.out_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # out

    mac = {
      label = "$lang_stats.field_labels.mac_address"
      type = "flat"
      index = 0
      subindex = 0
    } # mac

    # Source address: a "host" field split on "." so it can be reported
    # hierarchically.  NOTE(review): dst below is a plain "flat" field with
    # no hierarchy; confirm the asymmetry is intentional.
    src = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # src

    dst = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # dst

    # Packet length in bytes (LEN=); feeds the "len" numerical field.
    len = {
      label = "$lang_stats.field_labels.packet_length"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # len

    # TOS=
    tos = {
      label = "$lang_stats.field_labels.service_type"
      type = "flat"
      index = 0
      subindex = 0
    } # tos

    # PREC=
    prec = {
      label = "$lang_stats.field_labels.precedence"
      type = "flat"
      index = 0
      subindex = 0
    } # prec

    ttl = {
      label = "$lang_stats.field_labels.ttl"
      type = "flat"
      index = 0
      subindex = 0
    } # ttl

    # ID= (IP identification)
    id = {
      label = "$lang_stats.field_labels.packet_id"
      type = "flat"
      index = 0
      subindex = 0
    } # id

    proto = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # proto

    # SPT= / DPT= are only present for protocols that carry ports.
    spt = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # spt

    dpt = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # dpt

    window = {
      label = "$lang_stats.field_labels.window"
      type = "flat"
      index = 0
      subindex = 0
    } # window

    res = {
      label = "$lang_stats.field_labels.reserved_bits"
      type = "flat"
      index = 0
      subindex = 0
    } # res

    urgp = {
      label = "$lang_stats.field_labels.urgent_pointer"
      type = "flat"
      index = 0
      subindex = 0
    } # urgp

    # NOTE(review): the LOG target writes TCP flags (SYN, ACK, ...) and the
    # IP DF/MF flags as bare tokens without "=", while the parsing filter
    # collects only "key=value" pairs; how these two fields get populated is
    # not visible in this file — confirm before relying on them in reports.
    tcp_flags = {
      label = "$lang_stats.field_labels.tcp_flags"
      type = "flat"
      index = 0
      subindex = 0
    } # tcp_flags

    ip_flags = {
      label = "$lang_stats.field_labels.ip_flags"
      type = "flat"
      index = 0
      subindex = 0
    } # ip_flags

    # Rule name, taken from the --log-prefix text (see parsing filter).
    rule = {
      label = "$lang_stats.field_labels.rule"
      type = "flat"
      index = 0
      subindex = 0
    } # rule

    # Verdict (e.g. ACCEPT/DROP); only set for the "RULE n -- VERDICT" prefix style.
    result = {
      label = "$lang_stats.field_labels.result"
      type = "flat"
      index = 0
      subindex = 0
    } # result

  } # log.fields


  # Log Parsing Filters
  #
  # Three --log-prefix conventions are recognised, tried in order:
  #   1. "RULE <n> -- <VERDICT> "        -> rule = n, result = VERDICT
  #   2. "kernel: [<uptime>]: [<text>]: IN="  -> rule = text (uptime bracket optional)
  #   3. "kernel: <anything>IN="          -> rule = everything before IN=
  # Convention 3 is a catch-all: whatever text precedes "IN=" (including a
  # timestamp bracket, if present) becomes the rule name, so prefixes that do
  # not follow 1 or 2 produce one "rule" value per distinct prefix string.
  # Afterwards everything from "IN=" to end of line is split on spaces into
  # key=value pairs and stored under the lower-cased key; the entry is then
  # accepted.  The "#Apr 30 ..." line inside the expression is a sample log
  # line kept as a comment in the filter language.
  log.parsing_filters = {
    parse = "
if (matches_regular_expression(v.syslog_message, 'RULE ([0-9]*) -- ([A-Z]+) ')) then (
  set_collected_field('', 'rule', $1);
  set_collected_field('', 'result', $2);
)
#Apr 30 15:56:12 myhost kernel: [45562726.430000]: [IPTABLES ACCEPT]: IN=eth0 OUT= MAC=00:15:c5:f4:99:94:00:0c:f1:b7:9f:aa:09:00 SRC=222.22.22.22 DST=233.33.33.33 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=31754 DF PROTO=TCP SPT=58566 DPT=22 WINDOW=252 RES=0x00 ACK URGP=0
else if (matches_regular_expression(v.syslog_message, 'kernel: (\\\\[([^]]*)\\\\]:)? ?\\\\[([^]]*)\\\\]: IN=')) then (
  set_collected_field('', 'rule', $3);
);
else if (matches_regular_expression(v.syslog_message, 'kernel: (.*)IN=')) then (
  set_collected_field('', 'rule', $1);
);
if (matches_regular_expression(v.syslog_message, '(IN=.*)$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
  accept_collected_entry('', false);
);
"
  } # log.parsing_filters


  # Database fields.
  # Every field is stored as a string (including ports and TTL); each maps
  # 1:1 to the log field named in log_field.
  database.fields = {

    # NOTE(review): this label key ("field_labels.src") differs from the
    # matching log field's "field_labels.source_ip" and from the pattern used
    # by every other database field here; confirm the key exists in the
    # language files or the column will show an unresolved label.
    src = {
      label = "$lang_stats.field_labels.src"
      log_field = "src"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src

    spt = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "spt"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # spt

    dst = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "dst"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst

    dpt = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "dpt"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dpt

    in = {
      label = "$lang_stats.field_labels.in_interface"
      log_field = "in"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # in

    out = {
      label = "$lang_stats.field_labels.out_interface"
      log_field = "out"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # out

    mac = {
      label = "$lang_stats.field_labels.mac_address"
      log_field = "mac"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # mac

    proto = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "proto"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # proto

    tos = {
      label = "$lang_stats.field_labels.service_type"
      log_field = "tos"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # tos

    tcp_flags = {
      label = "$lang_stats.field_labels.tcp_flags"
      log_field = "tcp_flags"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # tcp_flags

    ip_flags = {
      label = "$lang_stats.field_labels.ip_flags"
      log_field = "ip_flags"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ip_flags

    ttl = {
      label = "$lang_stats.field_labels.ttl"
      log_field = "ttl"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ttl

    prec = {
      label = "$lang_stats.field_labels.precedence"
      log_field = "prec"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # prec

    window = {
      label = "$lang_stats.field_labels.window"
      log_field = "window"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # window

    rule = {
      label = "$lang_stats.field_labels.rule"
      log_field = "rule"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule

    result = {
      label = "$lang_stats.field_labels.result"
      log_field = "result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # result

  } # database.fields

  # Numerical fields: a packet count and the summed packet length.
  database.numerical_fields = {

    # One per accepted entry (entries_field); set by the mark_entry filter below.
    packets = {
      label = "$lang_stats.field_labels.packets"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # packets

    # Sum of LEN= values, displayed as bandwidth (bytes).
    len = {
      label = "$lang_stats.field_labels.packet_length"
      default = false
      requires_log_field = true
      log_field = "len"
      type = "float"
      display_format_type = "bandwidth"
    } # len

  } # database.numerical_fields

  log.filters = {

    # Counts every log line as exactly one packet.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'packets = 1;'
    } # mark_entry

  } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu.
    # NOTE(review): "dest" and "service_type" do not match any database field
    # defined above (those are named "dst" and "tos"); confirm whether the
    # wizard resolves these names or whether the two reports are silently
    # missing from generated profiles.
    report_groups = {
      date_time_group = ""
      src = true
      spt = true
      dest = true
      dpt = true
      in = true
      out = true
      mac = true
      proto = true
      service_type = true
      tcp_flags = true
      ip_flags = true
      ttl = true
      prec = true
      window = true
      rule = true
      result = true
    } # report_groups

  } # create_profile_wizard_options

} # iptables