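# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Nokia IP350 / Check Point NG "fw log export" output.
# The parsing filter below handles two line variants seen in the samples:
#   - the older space-separated form   ("... product VPN-1 & FireWall-1 src 10.10.0.10 s_port 137 ...")
#   - the newer "key: value; key: value;" form ("... product: VPN-1 & FireWall-1; src: ...; rule: 24;")
# All field extraction is done in log.parsing_filters.parse (parse_only_with_filters = true).

nokia_ip350_checkpoint_ng = {

  # 1.2 per the changelog below; the derived IP fields that 1.2 added
  # (location, organization, isp, domain) are already declared in database.fields.
  plugin_version = "1.2"

  # NOTE(review): key is spelled "manfacturer" here; confirm against the Sawmill
  # plugin schema before renaming it, since the key name is what the application reads.
  info.1.manfacturer = "Nokia"
  info.1.device = "IP350/Checkpoint NG"
  info.1.version.1 = ""

  # ????-??-?? - 1.0 - GMF? - Initial creation.
  # 2009-03-19 - 1.1 - KBB - Added support for a new variant. Added new fields and removed
  #   the length field since we have no example of it. Updated syntax of parsing filters.
  #   Changed hits to events and renamed fields to allow collect_listed_fields with new format.
  # 2009-03-19 - 1.2 - KBB - Added location and other derived IP fields.

  # The name of the log format
  log.format.format_label = "Nokia IP350/Checkpoint NG (fw log export) Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Both variants are accepted: "product " (old) and "product: " (new).
  #6Oct2008 0:00:05 accept 222.92.92.22 >eth2c0 product: VPN-1 & FireWall-1; src: 166.66.166.66; s_port: prm-nm-np; dst: 155.55.155.155; service: 21784; proto: tcp; rule: 24;
  log.format.autodetect_regular_expression = "[0-9 ][0-9]:[0-9][0-9]:[0-9][0-9] [a-z]* *[^ ]* [><][a-z0-9]* product:? "

  # The format of dates and times in this log
  log.format.time_format = "auto"
  log.format.date_format = "auto"

  # Extract date from "Log file has been switched to:" lines
  #
  #23:59:02 ctl 10.10.13.113 >daemon log_sys_message Log file has been switched to: 2005-01-10_235900.log product VPN-1 & FireWall-1
  #
  #6Oct2008 0:00:05 ctl 222.22.29.22 >daemon log_sys_message: Log file has been switched to: 081006.log; product: VPN-1 & FireWall-1;
  #
  # NOTE(review): this expression only matches the colon-less "log_sys_message Log file" variant;
  # the newer "log_sys_message:" variant and yymmdd file names are only recognised by the
  # parsing filter below. If Sawmill uses this expression on its own (e.g. for date-range
  # detection), consider "log_sys_message:? Log file ..." here as well - confirm before changing.
  log.format.global_date_regular_expression = ">[^ ]+ log_sys_message Log file has been switched to: ([-0-9]+)"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    src = {
      label = "$lang_stats.field_labels.src"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # src
    dst = {
      label = "$lang_stats.field_labels.dst"
      type = "flat"
      index = 0
      subindex = 0
    } # dst
    operation = {
      label = "$lang_stats.field_labels.operation"
      type = "flat"
      index = 0
      subindex = 0
    } # operation
    proto = {
      label = "$lang_stats.field_labels.proto"
      type = "flat"
      index = 0
      subindex = 0
    } # proto
    rule = {
      label = "$lang_stats.field_labels.rule"
      type = "flat"
      index = 0
      subindex = 0
    } # rule
    # Length field removed in 1.1 (no sample line contains it); kept here for reference.
    # len = {
    #   label = "$lang_stats.field_labels.len"
    #   type = "size"
    #   index = 0
    #   subindex = 0
    #   hierarchy_dividers = ""
    #   left_to_right = false
    #   leading_divider = "false"
    # } # len
    service = {
      label = "$lang_stats.field_labels.service"
      type = "flat"
      index = 0
      subindex = 0
    } # service
    # NOTE(review): declared "integer", but the sample line above carries a service
    # name ("s_port: prm-nm-np"); verify how Sawmill treats non-numeric values here.
    s_port = {
      label = "$lang_stats.field_labels.s_port"
      type = "integer"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # s_port
    # NOTE(review): declared "integer" while the sample message_info is free text
    # (the X11 message in the parsing filter) and database.fields declares it "string";
    # looks copied from s_port - confirm the intended type.
    message_info = {
      label = "$lang_stats.field_labels.message_info"
      type = "integer"
      index = 0
      subindex = 0
    } # message_info
    nat_addtnl_rulenum = ""
    nat_rulenum = ""
    icmp_code = ""
    icmp_type = ""
    tcp_flags = ""
    xlatesport = ""
    xlatesrc = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
v.line = current_log_line();

# Log-switch lines carry the date for the time-only lines that follow (old variant
# uses a yyyy-mm-dd file name, new variant a yymmdd file name).
#23:59:02 ctl 10.10.13.113 >daemon log_sys_message Log file has been switched to: 2005-01-10_235900.log product VPN-1 & FireWall-1
#6Oct2008 0:00:05 ctl 222.22.29.22 >daemon log_sys_message: Log file has been switched to: 081006.log; product: VPN-1 & FireWall-1;
if (matches_regular_expression(v.line, ">[^ ]+ log_sys_message:? Log file has been switched to: ([^ ]+).log")) then (
  v.logfile = $1;
  if (matches_regular_expression(v.logfile, "^([0-9]{4}-[0-9]{2}-[0-9]{2})[^0-9]")) then (
    set_collected_field('global', 'date', normalize_date($1, 'yyyy-mm-dd'));
  );
  else if (matches_regular_expression(v.logfile, "^([0-9]{6})[^0-9]")) then (
    set_collected_field('global', 'date', normalize_date($1, 'yymmdd'));
  );
);
else (
  # Parse out all the beginning fields: optional date, time, operation.
  # Lines without a date fall back to the date remembered from the last log-switch line.
  if (matches_regular_expression(v.line, '([0-9]+[A-Za-z]{3}[0-9]{4})? *([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9]) ([a-z]+) ')) then (
    v.date = $1;
    if (v.date ne '') then (
      set_collected_field('', 'date', v.date);
    );
    else (
      set_collected_field('', 'date', get_collected_field('global', 'date'));
    );
    set_collected_field('', 'time', $2);
    set_collected_field('', 'operation', $3);
  );

  # The TCP packet out of state message breaks the pattern, so extract separately
  # and treat like ICMP packet out of state message.
  # 6Oct2008 0:00:21 drop 222.92.92.22 >eth3c0 product: VPN-1 & FireWall-1; TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK; src: 155.88.155.255; s_port: 139; dst: 166.66.166.66; service: 4170; proto: tcp;
  # 6Oct2008 0:00:11 drop 222.92.92.22 eth2c0 product VPN-1 & FireWall-1 src 10.10.0.10 s_port 137 dst 10.10.2.2 service 137 proto udp rule 71
  #23:49:46 reject 10.10.10.2 >eth2c0 alert product VPN-1 & FireWall-1 src 10.10.5.5 s_port 1916 dst 10.10.2.3 service 6000 proto tcp rule 71 message_info X11 is not allowed through service '* any'. To enable, create an earlier rule that explicitly allows X11.
  # Old space-separated variant. src/dst are limited to digits and dots; the firewall
  # name ($1) and message_info ($9) are taken verbatim from the log line.
  # NOTE(review): 'firewall' is set here but not declared in log.fields or
  # database.fields; confirm whether Sawmill keeps or drops an undeclared collected field.
  if (matches_regular_expression(v.line, ' product (.+) src ([0-9.]+) s_port ([^ ]+) dst ([0-9.]+) service ([^ ]+) proto ([^ ]+) rule ([^ ]+)( message_info (.*))?')) then (
    set_collected_field('', 'firewall', $1);
    set_collected_field('', 'src', $2);
    set_collected_field('', 's_port', $3);
    set_collected_field('', 'dst', $4);
    set_collected_field('', 'service', $5);
    set_collected_field('', 'proto', $6);
    set_collected_field('', 'rule', $7);
    set_collected_field('', 'message_info', $9);
    accept_collected_entry('', false);
  );
  # New format lends itself to collect_listed_fields, plus it has new fields.
  # 6Oct2008 0:00:05 accept 222.92.92.22 >eth2c0 product: VPN-1 & FireWall-1; src: 155.55.155.55; s_port: prm-nm-np; dst: 166.66.166.166; service: 21784; proto: tcp; rule: 24;
  # NOTE(review): here the field names come from the log line itself (split on '; ' and ': '),
  # so a line such as the "TCP packet out of state: ..." sample yields a key that is not
  # declared above; unlike the old-variant branch, src/dst are not constrained to IP characters.
  # How Sawmill handles undeclared keys from collect_listed_fields should be confirmed.
  else if (matches_regular_expression(v.line, ' (product:.*);$')) then (
    v.line = $1;
    collect_listed_fields('', v.line, '; ', ': ', 'product=firewall');
    accept_collected_entry('', false);
  );
); # regular line
`

  # Database fields
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    src = {
      label = "$lang_stats.field_labels.src"
      log_field = "src"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
    } # src
    dst = {
      label = "$lang_stats.field_labels.dst"
      log_field = "dst"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst
    operation = {
      label = "$lang_stats.field_labels.operation"
      log_field = "operation"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # operation
    proto = {
      label = "$lang_stats.field_labels.proto"
      log_field = "proto"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # proto
    rule = {
      label = "$lang_stats.field_labels.rule"
      log_field = "rule"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule
    service = {
      label = "$lang_stats.field_labels.service"
      log_field = "service"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # service
    s_port = {
      label = "$lang_stats.field_labels.s_port"
      log_field = "s_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # s_port
    # Free text copied from the log line; rendering/escaping is left to the report layer.
    message_info = {
      label = "$lang_stats.field_labels.message_info"
      log_field = "message_info"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message_info
    nat_rulenum = ""
    nat_addtnl_rulenum = ""
    icmp_code = ""
    icmp_type = ""
    tcp_flags = ""
    xlatesport = ""
    xlatesrc = ""
    # Derived IP fields added in 1.2 (empty value = Sawmill default definition, presumably).
    location = ""
    organization = ""
    isp = ""
    domain = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every accepted entry counts as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # Bandwidth field removed in 1.1 together with the len log field (no sample contains it).
    # len = {
    #   label = "$lang_stats.field_labels.bandwidth"
    #   default = false
    #   requires_log_field = true
    #   log_field = "len"
    #   type = "float"
    #   display_format_type = "bandwidth"
    # } # len
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # nokia_ip350_checkpoint_ng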