# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format definition for Sidewinder firewall syslog output
# (Flowerfire/Sawmill-style plugin syntax: a named block of dotted keys,
# a `log.fields` schema, a `log.parsing_filters` block holding filter code,
# and a `database.fields` schema for the reporting side).
#
# What this plugin does, as visible below:
#   * autodetects the format from a `date="Mon dd hh:mm:ss yyyy TZ",k=v,k=v,k=v,` prefix;
#   * parses ONLY the date/time out of each line (everything else is handed
#     off verbatim in the filter variable `v.syslog_message`);
#   * per the 2006 note inside the filter, the remaining comma-separated
#     key=value pairs are expected to be handled in sidewinder_firewall.cfg
#     (that file is not visible here -- verify before relying on it).
#
# Security note (reviewer): the only validation applied to a line is the
# anchored date prefix in the filter regex. Everything after the closing
# quote and comma -- i.e. attacker-influenceable syslog content -- is copied
# unmodified into v.syslog_message. Whatever consumes that variable must
# treat it as untrusted input (no assumptions about field count, absence of
# quotes/commas/newlines, or length).

sidewinder_syslog = {

  # The name of the log format
  log.format.format_label = "Sidewinder Syslog Log Format"
  log.miscellaneous.log_data_type = "syslog"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # This is a format-sniffing heuristic, not a trust boundary: it requires the
  # quoted date token followed by at least three `key=value,` pairs, nothing more.
  log.format.autodetect_regular_expression = "^date=\"[A-Z][a-z][a-z] *[0-9]+ [0-9]+:[0-9]+:[0-9]+ [0-9]* [A-Z]*\",[^=]+=[^,]+,[^=]+=[^,]+,[^=]+=[^,]+,"

  # The format of dates and times in this log.
  # "auto" here; the actual date/time extraction is done explicitly in the
  # parsing filter with normalize_date()/normalize_time() below.
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # All log field parsing will be done using the parsing filters
  # (so the `index`/`subindex` values in log.fields are not used for
  # positional splitting -- presumably; confirm against the engine docs).
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      type = "date_time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      # NOTE(review): `left_to_right` is an unquoted boolean while
      # `leading_divider` is a quoted one. Both forms appear to be accepted
      # by the engine; left as-is, but pick one style if this file is edited.
      left_to_right = false
      leading_divider = "false"
    } # date_time

    # The four fields below were retired (see the 2006 note in the parsing
    # filter); kept commented out as history. They are not created or populated.
#    logging_device = {
#      label = "$lang_stats.field_labels.logging_device"
#      type = "flat"
#      index = 0
#      subindex = 0
#    } # logging_device

#    area = {
#      label = "$lang_stats.field_labels.area"
#      type = "flat"
#      index = 0
#      subindex = 0
#    } # area

#    type = {
#      label = "$lang_stats.field_labels.type"
#      type = "flat"
#      index = 0
#      subindex = 0
#    } # type

#    syslog_priority = {
#      label = "$lang_stats.field_labels.syslog_priority"
#      type = "flat"
#      index = 0
#      subindex = 0
#    } # syslog_priority

    # Declared with an empty definition; the parsing filter assigns the
    # unparsed remainder of the line to `v.syslog_message` (see below).
    syslog_message = ""

  } # log.fields

  #
  # Log Parsing Filters
  #
  # `syslog_parse` runs once per log line. Behaviour as written:
  #   1. v.syslog_message is reset to '' so a line that fails the regex does
  #      not inherit the previous line's remainder.
  #   2. The regex anchors on `date="<Mon> <dd> <hh:mm:ss> <yyyy> <tz>",` and
  #      captures $1 = "Mon dd hh:mm:ss yyyy" (the trailing `[^\"]*` timezone
  #      token is matched but NOT captured) and $2 = everything after the
  #      comma, up to end of line, with no further validation.
  #   3. $1 is normalized with the 'mmm dd hh:mm:ss yyyy' pattern for both the
  #      date and the time collected fields.
  #   4. $2 is stored in v.syslog_message for a downstream filter to split.
  #
  # Reviewer caveats:
  #   * `[0-9:]*` accepts a degenerate/empty time token; normalize_date/time
  #     are still called on it. Whether they fail closed or produce a bogus
  #     timestamp is engine behaviour not visible here -- confirm if exact
  #     timestamps matter for incident timelines.
  #   * $2 is untrusted log content passed through verbatim; any consumer
  #     that renders it (reports, HTML) must escape it and must not assume a
  #     well-formed `k=v,k=v` layout.
  #   * The commented `#if ... fac=/area=/type=/pri=` regex is the pre-2006
  #     variant that extracted four more fields; it is inert.
  log.parsing_filters = {
    syslog_parse = "
      v.syslog_message = '';
# 2006-10-24 - GMF - switching to track all comma-separated values in sidewinder_firewall.cfg; why were they here?
#if (matches_regular_expression(current_log_line(), '^date=\"([A-Za-z]+ +[0-9]+ [0-9:]* [0-9]+) [^\"]*\",fac=([^,]+),area=([^,]+),type=([^,]+),pri=([^,]+),(.*)$')) then (
      if (matches_regular_expression(current_log_line(), '^date=\"([A-Za-z]+ +[0-9]+ [0-9:]* [0-9]+) [^\"]*\",(.*)$')) then (
        set_collected_field('', 'date', normalize_date($1, 'mmm dd hh:mm:ss yyyy'));
        set_collected_field('', 'time', normalize_time($1, 'mmm dd hh:mm:ss yyyy'));
#        set_collected_field('', 'logging_device', $2);
#        set_collected_field('', 'syslog_area', $3);
#        set_collected_field('', 'syslog_type', $4);
#        set_collected_field('', 'syslog_priority', $5);
        v.syslog_message = $2;
      );
    "
  } # log.parsing_filters

  # Database fields
  # Only time-derived fields are reported by this plugin; day_of_week and
  # hour_of_day reference log fields that are not declared in log.fields
  # above, so they are presumably derived by the engine from date_time --
  # verify against the engine docs. The meaning of suppress_top /
  # suppress_bottom is not established by this file.
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    # Retired reporting fields matching the retired log fields above; inert.
#    logging_device = {
#      label = "$lang_stats.field_labels.logging_device"
#      log_field = "logging_device"
#      type = "string"
#      suppress_top = 0
#      suppress_bottom = 2
#    } # logging_device

#    area = {
#      label = "$lang_stats.field_labels.area"
#      log_field = "area"
#      type = "string"
#      suppress_top = 0
#      suppress_bottom = 2
#    } # area

#    type = {
#      label = "$lang_stats.field_labels.type"
#      log_field = "type"
#      type = "string"
#      suppress_top = 0
#      suppress_bottom = 2
#    } # type

#    syslog_priority = {
#      label = "$lang_stats.field_labels.syslog_priority"
#      log_field = "syslog_priority"
#      type = "string"
#      suppress_top = 0
#      suppress_bottom = 2
#    } # syslog_priority

  } # database.fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu.
    # Only the date/time group is active; the other groups are commented out
    # alongside their retired fields.
    report_groups = {
      date_time_group = ""
#      logging_device = true
#      area = true
#      type = true
#      syslog_priority = true
    } # report_groups

  } # create_profile_wizard_options

} # sidewinder_syslog