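# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Sophos Web Appliance access log.
#
# The log is a single line per request made of space-separated key=value
# pairs (h=, u=, s=, t=, req=, ua=, ...). All field extraction is done by
# the parsing filter below; Sawmill's built-in format parsing is disabled.
#
# Security / data-handling notes for whoever tunes this profile:
#   - Most collected values (remote_user, referrer, user_agent, the URI taken
#     from req=, domain) originate from the client's HTTP request and are
#     therefore attacker-controlled. Nothing in this plugin sanitizes them;
#     it is presumably the report-rendering layer's job to escape them, so
#     do not embed them in anything that is interpreted (shell, SQL, HTML
#     without escaping).
#   - The simplify_url / simplify_referrer filters also act as data
#     minimisation: with them disabled, full paths and query strings (which
#     may carry session tokens or credentials) are stored in the database.

sophos_web_appliance = {

  plugin_version = "1.0"

  # NOTE(review): the original spelled this key "manfacturer"; renamed to the
  # "manufacturer" spelling used by other Sawmill format plugins -- confirm
  # against the plugin loader if the device information fails to display.
  info.1.manufacturer = "Sophos"
  info.1.device = "Web Appliance"
  info.1.version.1 = ""

  # 2007-12-31 - GMF - Initial version

  # The name of the log format
  log.format.format_label = "Sophos Web Appliance"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this
  # regular expression. It requires the line to start with "h=" followed by a
  # dotted-quad IPv4 address, then a double-quoted u= user and a numeric s=
  # status. Lines whose h= value is an IPv6 address will not autodetect;
  # the format can presumably still be selected by hand in that case.
  log.format.autodetect_regular_expression = '^h=[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ u="[^"]*" s=[0-9]+'

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log: the t= value is a Unix epoch
  # timestamp (seconds since 1970-01-01T00:00:00Z).
  log.format.date_format = seconds_since_jan1_1970
  log.format.time_format = seconds_since_jan1_1970

  # Log fields.
  # Fields not named in the collect_listed_fields() mapping below
  # (location, web_browser, operating_system, file_type, worm, src_cat) are
  # expected to be derived by Sawmill from remote_host / user_agent / uri.
  # NOTE(review): "threat" and "cache" are declared here and in
  # database.fields but no log key is mapped to either in the parsing filter,
  # so they will stay empty until a mapping is added or they are removed.
  log.fields = {
    remote_host = ""
    location = ""
    remote_user = ""
    http_status_code = ""
    connection_status = ""
    date_time = ""
    request_time_microseconds = ""
    request_time_seconds = ""
    action_code = ""
    matched_uri_category = ""
    reason_code = ""
    threat = ""
    mime_type = ""
    content_type = ""
    antivirus_engine_version = ""
    antivirus_data_version = ""
    uri_list_version = ""
    cache = ""
    bytes_in = ""
    bytes_out = ""
    http_method = ""
    referrer = ""

    # The user agent, and fields derived from it
    user_agent = ""
    web_browser = ""
    operating_system = ""

    # The HTTP request string, and fields derived from it
    http_request_string = ""
    uri.type = "page"
    protocol = ""
    file_type = ""
    worm = ""
    domain = ""
    filetype_category = ""
    policy_rule_id = ""
    file_size = ""
    access_checks_time = ""
    file_typing_time = ""
    scanning_time = ""
    src_cat = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
# Collect all field values.
# The log line is split on ' ' into pairs and each pair on '=' into
# key/value; the list maps each Sophos key to the Sawmill field it fills.
collect_listed_fields('', current_log_line(), ' ', '=', 'h=remote_host|u=remote_user|s=http_status_code|X=connection_status|t=date_time|T=request_time_microseconds|Ts=request_time_seconds|act=action_code|cat=matched_uri_category|rsn=reason_code|type=mime_type|ctype=content_type|sav-ev=antivirus_engine_version|sav-dv=antivirus_data_version|uri-dv=uri_list_version|in=bytes_in|out=bytes_out|meth=http_method|ref=referrer|ua=user_agent|req=http_request_string|dom=domain|filetype=filetype_category|rule=policy_rule_id|axtime=access_checks_time|fttime=file_typing_time|scantime=scanning_time|filesize=file_size');

# Parse the HTTP request string ("METHOD URI PROTOCOL").
# Only the URI and protocol are taken from it; the method is already
# collected from meth= above, so $1 is left unused.
if (matches_regular_expression(get_collected_field('', 'http_request_string'), '^([A-Z]+) ([^ ]+) ([^ ]+)$')) then (
  # set_collected_field('', 'http_operation', $1);
  set_collected_field('', 'uri', $2);
  set_collected_field('', 'protocol', $3);
);

# Accept this entry
accept_collected_entry('', false);
`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    remote_host = ""
    location = ""
    remote_user = ""
    http_status_code = ""
    connection_status = ""
    action_code = ""
    matched_uri_category = ""
    reason_code = ""
    threat = ""
    mime_type = ""
    content_type = ""
    antivirus_engine_version = ""
    antivirus_data_version = ""
    uri_list_version = ""
    cache = ""
    http_method = ""
    referrer = ""

    # The user agent, and fields derived from it
    # user_agent = ""
    web_browser = ""
    operating_system = ""

    # The HTTP request string, and fields derived from it
    # http_request_string = ""
    uri = ""
    protocol = ""
    file_type = ""
    worm = ""
    domain = ""
    filetype_category = ""
    policy_rule_id = ""
    src_cat = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    }
    bytes_in = {
      type = "float"
      display_format_type = "bandwidth"
    }
    bytes_out = {
      type = "float"
      display_format_type = "bandwidth"
    }
    request_time_microseconds = {
      type = "float"
      display_format_type = "duration_microseconds"
    }
    request_time_seconds = {
      type = "int"
      display_format_type = "duration_compact"
    }
    access_checks_time = {
      type = "int"
      display_format_type = "duration_compact"
    }
    file_typing_time = {
      type = "int"
      display_format_type = "duration_compact"
    }
    scanning_time = {
      type = "int"
      display_format_type = "duration_compact"
    }
    file_size = {
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  log.filters = {

    # Keep only "scheme://host/" of the URI; the rest of the path and any
    # query string is replaced by "(omitted)".
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(uri, '^([^:]+://[^/]+/)')) then uri = $1 . '(omitted)'"
    } # simplify_url

    # Same reduction for the referrer; "-" (no referrer sent) is labelled.
    simplify_referrer = {
      label = "$lang_admin.log_filters.simplify_referrer_label"
      comment = "$lang_admin.log_filters.simplify_referrer_comment"
      value = "if (referrer eq '-') then referrer = '(no referrer)' else if (matches_regular_expression(referrer, '^([^:]+://[^/]+/)')) then referrer = $1 . '(omitted)'"
    } # simplify_referrer

    # Drop entries whose timestamp is below 1000000000 (before
    # 2001-09-09T01:46:40Z). Presumably a missing or non-numeric t= value
    # converts to 0 and is rejected by this as well -- verify if legitimate
    # entries go missing.
    handle_corrupt_dates = {
      label = "Discard corrupt date/time values"
      value = "if (date_time_to_epoc(date_time) < 1000000000) then 'reject'"
    }

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        remote_host = ""
        location = ""
        remote_user = ""
        web_browser = ""
        operating_system = ""
        src_cat = ""
      }
      content_group = {
        domain = ""
        uri = ""
        mime_type = ""
        content_type = ""
        file_type = ""
        filetype_category = ""
      }
      filtering_group = {
        connection_status = ""
        action_code = ""
        matched_uri_category = ""
        reason_code = ""
        threat = ""
        antivirus_engine_version = ""
        antivirus_data_version = ""
        uri_list_version = ""
        cache = ""
        http_method = ""
        referrer = ""
        policy_rule_id = ""
      }
      other_group = {
        worm = ""
        http_status_code = ""
        protocol = ""
      }
    } # report_groups

  } # create_profile_wizard_options

} # sophos_web_appliance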