# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for "Netscreen SSL Gateway" logs (nested-brace
# .cfg syntax; backtick blocks hold expression code, `#` starts a comment
# both in the config and inside expression blocks).
#
# Two line shapes are recognised:
#   - "access" lines:  <date> <time> - <node> - [<ip>] <user>(<realm>)[<role>] - <message>
#   - WELF lines:      id=... time="..." pri=... fw=... key=value ... msg="..."
# log.format.autodetect_expression only decides whether this plugin applies
# to a file; all field extraction happens in log.parsing_filters.parse.

netscreen_ssl_gateway = {

  plugin_version = "1.0"

  # 2007-09-13 - 1.0 - KBB - added version number and changed file name from
  # beta_netscreen_ssl_gateway.cfg

  # The name of the log format
  log.format.format_label = "Netscreen SSL Gateway Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Three alternatives: the access-line shape, the WELF admin shape (no proto/src/dst),
  # and the WELF event shape (with proto/src/dst/dstname/sent/rcvd).
  # NOTE(review): the first pattern writes the IP dots as \. while every other pattern
  # uses \\.; if the string layer consumes the single backslash, \. becomes a bare "."
  # that matches any character. That only loosens autodetection, it does not affect
  # parsing — confirm against the engine's string unescaping before tightening it.
  # The commented-out third alternative is an earlier copy of the event pattern with
  # a typo ("src[0-9]" instead of "src=[0-9]"); the live line below it is the fixed one.
  log.format.autodetect_expression = `
matches_regular_expression(volatile.log_data_line, "^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] - [^ ]+ - \\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\\] [^(]*\\([^)]*\\)\\[[^]]*\\] - ") or
matches_regular_expression(volatile.log_data_line, '^id=[^ ]+ time="[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]" pri=[0-9]+ fw=[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ vpn=[^ ]+ user=[^ ]+ realm="[^"]*" roles="[^"]*" type=[^ ]* msg="[^"]*"') or
#matches_regular_expression(volatile.log_data_line, '^id=[^ ]+ time="[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]" pri=[0-9]+ fw=[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ vpn=[^ ]+ user=[^ ]+ realm="[^"]*" roles="[^"]*" type=[^ ]* proto=[^ ]* src[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ dst=[^ ]* dstname=[^ ]* sent=[0-9]* rcvd=[0-9]* msg="[^"]*"')
matches_regular_expression(volatile.log_data_line, '^id=[^ ]+ time="[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]" pri=[0-9]+ fw=[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ vpn=[^ ]+ user=[^ ]+ realm="[^"]*" roles="[^"]*" type=[^ ]* proto=[^ ]* src=[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ dst=[^ ]* dstname=[^ ]* sent=[0-9]* rcvd=[0-9]* msg="[^"]*"')
`

  # All log field parsing will be done using the parsing filters
  # (the option itself is left commented out here; the parsing filter below
  # is still what populates every field.)
  # log.format.parse_only_with_filters = "true"

  # Log fields — one entry per value the parsing filter can set.
  # Fields are grouped by which line shape produces them; sent/received/duration
  # and user/realm/vpn/src are shared between the access and WELF branches.
  log.fields = {
    event_type = ""
    # access logs
    date = ""
    time = ""
    node_field = ""
    source_ip = ""
    user = ""
    realm = ""
    role = ""
    message = ""
    operation = ""
    # "page" and "host" typed fields drive the session reports and (presumably)
    # the derived file_type/worm/location database fields — verify with the engine docs.
    url.type = "page"
    client_ip.type = "host"
    result = ""
    accesses = ""
    sent = ""
    received = ""
    duration = ""
    # admin logs
    id = ""
    pri = ""
    fw = ""
    vpn = ""
    roles = ""
    type = ""
    proto = ""
    msg = ""
    # admin_events = ""
    # event logs
    src = ""
    dst = ""
    dstname = ""
    events = ""
  } # log.fields

  # Parsing filter. Runs once per log line.
  #  - Access lines: the outer regex splits the prefix into date/time/node/ip/user/realm/role
  #    and the remainder into `message`; `message` is then matched against two known
  #    shapes ("WebRequest completed ..." and "Closed connection ...") to fill the
  #    per-request fields. Any other message is rejected.
  #  - WELF lines ("id=..."): every key=value pair on the line is collected generically,
  #    "rcvd" is renamed to "received", and the quoted time value is split into date and time.
  # All extracted values come straight from the log line and are untrusted input; they are
  # only ever assigned to fields here, never evaluated.
  log.parsing_filters.parse = `
# access logs
if (matches_regular_expression(current_log_line(), "^([0-9-]+) ([0-9:]+) - ([^ ]+) - \\[([0-9.]+)\\] ([^(]*)\\(([^)]*)\\)\\[([^]]*)\\] - (.*)")) then (
  date = $1;
  time = $2;
  node_field = $3;
  source_ip = $4;
  user = $5;
  realm = $6;
  role = $7;
  message = $8;
  # Request completion: <METHOD> to <url> from <client_ip> result=<code> sent=<n> received=<n> in <s> seconds
  if (matches_regular_expression(message, '^WebRequest completed, ([A-Z]+) to ([^ ]+) from ([^ ]+) result=([0-9]+) sent=([0-9]+) received=([0-9]+) in ([0-9]+) seconds')) then (
    operation = $1;
    url = $2;
    client_ip = $3;
    result = $4;
    sent = $5;
    received = $6;
    duration = $7;
    accesses = 1;
  );
  # Connection close: "bytes read" is stored as received and "bytes written" as sent,
  # i.e. the same orientation as the WebRequest line (gateway's point of view).
  else if (matches_regular_expression(message, '^(Closed connection) to ([^ ]+) port ([^ ]+) after ([^ ]+) seconds, with ([^ ]+) bytes read \\(in [0-9]+ chunks\\) and ([0-9]+) bytes written \\(in [0-9]+ chunks\\)')) then (
    operation = $1;
    vpn = $2;
    src = $3;
    duration = $4;
    received = $5;
    sent = $6;
    accesses = 1;
  )
  # NOTE(review): 'reject' is not the last statement of this block — the
  # event_type assignment follows it. Confirm the engine still drops such lines
  # rather than accepting them with event_type "access" and no accesses count.
  else 'reject';
  event_type = "access";
); # access

# Handle admin events
# (Superseded by the generic WELF branch below; kept for reference only.)
#else if (matches_regular_expression(current_log_line(), '^id=([^ ]+) time="([0-9-]+) ([0-9:]+)" pri=([0-9]+) fw=([0-9.]+) vpn=([^ ]+) user=([^ ]+) realm="([^"]*)" roles="([^"]*)" type=([^ ]*) msg="([^"]*)"')) then (
#
#  id = $1;
#  date = $2;
#  time = $3;
#  pri = $4;
#  fw = $5;
#  vpn = $6;
#  user = $7;
#  realm = $8;
#  roles = $9;
#  type = $10;
##  msg = $11;
#  event_type = "admin";
#  admin_events = 1;
#
#); # admin

# Handle WELF lines
# NOTE(review): the match is deliberately loose (anything starting with "id=");
# collect_listed_fields splits on ' ' and '=', so quoted values that contain
# spaces (realm, roles, msg) depend on the function honouring double quotes —
# confirm, otherwise those values are truncated at the first space.
else if (matches_regular_expression(current_log_line(), '^(id=.*)')) then (
  collect_listed_fields('', $1, ' ', '=', 'rcvd=received');
  # time="YYYY-MM-DD HH:MM:SS" -> separate date and time fields
  if (matches_regular_expression(get_collected_field('', 'time'), '^([0-9-]+) ([0-9:]+)$')) then (
    set_collected_field('', 'date', $1);
    set_collected_field('', 'time', $2);
  );
  set_collected_field('', 'events', 1);
  set_collected_field('', 'event_type', 'event');
  accept_collected_entry('', false);
); # event
`

  # Database fields — what ends up in the profile database and can be reported on.
  # file_type, worm and location have no log field; they are presumably derived by
  # the engine from url (type page) and client_ip (type host) — verify.
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    event_type = ""
    node_field = ""
    source_ip = ""
    user = ""
    realm = ""
    role = ""
    # message = ""
    operation = ""
    url = {
      suppress_top = 1
      suppress_bottom = 3
    }
    file_type = ""
    worm = ""
    client_ip = ""
    location = ""
    result = ""
    # Admin events
    id = ""
    pri = ""
    fw = ""
    vpn = ""
    roles = ""
    type = ""
    proto = ""
    msg = ""
    # event logs
    src = ""
    dst = ""
    dstname = ""
  } # database.fields

  # Log Filters — run in order after parsing.
  log.filters = {
    # page_views is 1 only for access entries whose file type is not a static asset;
    # WELF event entries are never page views.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((event_type ne 'access') or (file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    # Collapse non-page URLs to their directory plus a "(nonpage)" marker.
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views
    # Keep only scheme://host/ of every URL; path and query string are replaced by
    # "(omitted)". This also keeps per-user request paths and query parameters out of
    # the database, which limits what the reports can expose.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url
  } # log.filters

  # Enable session reports
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "client_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  # Numerical (aggregated) fields.
  database.numerical_fields = {
    # Count of parsed access entries; entries_field marks it as the row counter.
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views
    unique_client_ips = {
      label = "$lang_stats.field_labels.unique_client_ips"
      default = false
      requires_log_field = true
      log_field = "client_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_client_ips
    # sent/received are bytes; both the access and WELF branches populate them.
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    received = {
      label = "$lang_stats.field_labels.received"
      default = false
      requires_log_field = true
      log_field = "received"
      type = "float"
      display_format_type = "bandwidth"
    } # received
    # Seconds, from the access-line message.
    # NOTE(review): unlike the other entries this one uses unquoted values and gives
    # no log_field although requires_log_field is true — presumably the engine defaults
    # log_field to the field name; verify, and quote the values for consistency.
    duration = {
      label = $lang_stats.field_labels.duration
      default = false
      requires_log_field = true
      type = int
      display_format_type = duration_compact
    } # duration
    # admin_events = {
    #   label = "$lang_stats.field_labels.admin_events"
    #   default = false
    #   requires_log_field = false
    #   type = "int"
    #   display_format_type = "integer"
    # } # admin_events
    # Count of WELF event entries (set to 1 in the WELF branch of the parsing filter).
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true

    # This shows which numerical fields are related to which non-numerical fields.
    # NOTE(review): `user` and `realm` are declared twice below (once under "access
    # fields", once under "admin and event fields"), and `message` is associated here
    # although it is commented out in database.fields. How duplicate node names are
    # resolved (merge vs. last-wins) decides whether the access associations for
    # user/realm survive — consolidate each into a single node listing all of
    # accesses/page_views/unique_client_ips/sent/received/duration/events.
    database_field_associations = {
      # access fields
      node_field = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      source_ip = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      user = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
        # admin_events = true
      }
      realm = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
        # admin_events = true
      }
      role = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      message = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      operation = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      url = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      file_type = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      worm = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      client_ip = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      location = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      result = {
        accesses = true
        page_views = true
        unique_client_ips = true
        sent = true
        received = true
        duration = true
      }
      # admin and event fields
      id = {
        # admin_events = true
        events = true
      }
      pri = {
        # admin_events = true
        events = true
      }
      fw = {
        # admin_events = true
        events = true
      }
      vpn = {
        # admin_events = true
        events = true
      }
      user = {
        # admin_events = true
        events = true
      }
      realm = {
        # admin_events = true
        events = true
      }
      roles = {
        # admin_events = true
        events = true
      }
      type = {
        # admin_events = true
        events = true
      }
      proto = {
        # admin_events = true
        events = true
      }
      msg = {
        # admin_events = true
        events = true
      }
      # event fields
      src.events = true
      dst.events = true
      dstname.events = true
    } # database_field_associations

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      # NOTE(review): `user = true` appears twice in this group; harmless if the
      # parser merges, but drop the second copy.
      client_information_group = {
        source_ip = true
        user = true
        client_ip = true
        location = true
        role = true
        user = true
        realm = true
      }
      other_group = {
        operation = true
        result = true
        node_field = true
        event_type = true
      }
      content_group = {
        url = true
        file_type = true
        worm = true
      }
      # The former admin_group was folded into event_group: its closing brace and
      # header are commented out, so id..msg below belong to event_group.
      event_group = {
        src = true
        dst = true
        dstname = true
        # }
        # admin_group = {
        id = true
        pri = true
        fw = true
        vpn = true
        roles = true
        type = true
        proto = true
        msg = true
      }
    } # report_groups

  } # create_profile_wizard_options

} # netscreen_ssl_gateway