# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plug-in for Nortel SSL VPN syslog output (Sawmill-style
# configuration).  It declares the log fields, a parsing filter that
# pulls key=value pairs out of each syslog message, the database fields
# and the default report grouping.

nortel_ssl_vpn = {

  plugin_version = "1.0"

  # 2006-06-30 - 1.0beta - GMF - Initial plug-in
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy

  # This format was created using the logs from a Nortel SSL VPN 3050

  # The name of the log format
  log.format.format_label = "Nortel SSL VPN Log Format"
  # The raw lines must already have been split by a syslog parser: the
  # parsing filter below reads v.syslog_message, not the whole line.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # (the "info SSL <...>: " prefix of the syslog message body; note the trailing space).
  log.format.autodetect_regular_expression = "info SSL <[^>]+>: "

  # All log field parsing will be done using the parsing filters
  # (no positional/delimiter parsing of the line; see log.parsing_filters.parse).
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Most of these are filled by collect_listed_fields() from the key=value pairs
  # in the message; "type", "operation" and "path" are set explicitly by the filter.
  log.fields = {
    type = ""
    # PORTAL fields
    vpn = ""
    user = ""
    proto = ""
    host = ""
    share = ""
    # Treated as the page field (enables the page/file_type handling).
    path.type = "page"
    # HTTP fields
    # Treated as a host field (enables location lookups on the client address).
    srcip.type = "host"
    request = ""
    operation = ""
    # "VPN AddressAssigned" fields
    tunip = ""
    # "VPN LoginSucceeded" fields
    method = ""
    groups = ""
    # Computed later by the detect_page_views log filter, not read from the log.
    page_views = ""
  } # log.fields

  # Parsing filter.
  # 1. Match the message prefix and capture the event type (HTTP, PORTAL,
  #    VPN Logout, VPN AddressAssigned, VPN LoginSucceeded) and the remainder.
  # 2. Insert the missing space before SrcIP= that some lines lack, so that
  #    the pair separator is consistent (the comment inside the filter is
  #    truncated in the original).
  # 3. Split the remainder into field=value pairs on spaces and '='.
  # 4. Derive "operation" (HTTP method) and "path" from the "request" value.
  # 5. Count one event and accept the entry.
  # NOTE(review): everything collected here comes straight from the device's
  # syslog message.  collect_listed_fields() splits on spaces and '=', so a
  # value that itself contains either character (a request URL, for
  # instance) may be mis-split across fields — verify against real log
  # lines before relying on the derived fields, and treat them as untrusted
  # input in any downstream processing.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '^info SSL <[^>]+>: (HTTP|PORTAL|VPN Logout|VPN AddressAssigned|VPN LoginSucceeded) (.*)$')) then (
  set_collected_field('', 'type', $1);
  v.pairs = $2;

  # Fix bug where there is no space after SrcIP in the
  v.pairs = replace_all(v.pairs, '"SrcIP="', '" SrcIP="');

  # Extract field/value pairs
  collect_listed_fields('', v.pairs, ' ', '=', '');

  # Parse operation and page from the request field
  if (matches_regular_expression(get_collected_field('', 'request'), '^([A-Z]+) (.*)$')) then (
    set_collected_field('', 'operation', $1);
    set_collected_field('', 'path', $2);
  );

  # Accept it into the database
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
); # if matches
`

  # Database fields
  # "file_type" and "location" have no matching log field above; presumably
  # they are derived by the engine from the page field (path) and the host
  # field (srcip) — confirm against the engine's field-type handling.
  database.fields = {
    type = ""
    # PORTAL fields
    vpn = ""
    user = ""
    proto = ""
    host = ""
    share = ""
    path = ""
    file_type = ""
    # HTTP fields
    srcip = ""
    location = ""
    # "request" is parsed but deliberately not stored; "operation" and "path"
    # carry its content.
    # request = ""
    operation = ""
    # "VPN AddressAssigned" fields
    tunip = ""
    # "VPN LoginSucceeded" fields
    method = ""
    groups = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Marks an HTTP entry as a page view unless its file type is one of the
    # listed static-asset types; non-HTTP entries always count as page views.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((type eq 'HTTP') and ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS'))) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    # Disabled.  NOTE(review): this filter refers to a "page" field, but this
    # format names its page field "path"; it would need updating before being
    # re-enabled.
    # strip_non_page_views = {
    #   label = '$lang_admin.log_filters.strip_non_page_views_label'
    #   comment = '$lang_admin.log_filters.strip_non_page_views_comment'
    #   value = "if (page_views == 0) then page = substr(page, 0, last_index(page, '/') + 1) . '(nonpage)';"
    # } # strip_non_page_views
  } # log.filters

  database.numerical_fields = {
    # One per accepted entry (set to 1 by the parsing filter).
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    page_views = ""
  } # database.numerical_fields

  # Session reconstruction: pages are keyed by "path", visitors by the client
  # source address, and only page-view entries count as session events.
  # Keying visitors on srcip means clients behind a shared NAT address are
  # folded into one visitor.
  log.field_options = {
    sessions_page_field = "path"
    sessions_visitor_id_field = "srcip"
    sessions_event_field = "page_views"
  } # log.field_options

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      type = ""
      content_group = {
        path = true
        file_type = true
        share = ""
        operation = ""
      }
      source_group = {
        srcip = true
        location = true
        user = true
        groups = ""
      }
      vpn_group = {
        vpn = ""
        proto = ""
        host = ""
        tunip = ""
        method = ""
      }
      # syslog_priority and logging_device come from the syslog layer, not
      # from the fields declared in this plug-in.
      syslog_group = {
        syslog_priority = true
        logging_device = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # nortel_ssl_vpn