# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for Symantec Enterprise Firewall 8 logs. The file is
# written in the brace-nested "name = { ... }" config dialect used by
# Flowerfire's Sawmill log analyser, not standard INI: blocks nest, `#`
# starts a comment, and most values are double-quoted.
# NOTE(review): the dialect is inferred from the keys used here — confirm
# against the Sawmill plugin documentation.
#
# Every field value is a literal substring of the log line, copied out by
# the regular expressions in log.parsing_filters; nothing in this file
# validates or normalises the text, so field contents are only as
# trustworthy as the log source that produced them.
symantec_enterprise_firewall8 = {
  # The name of the log format
  log.format.format_label = "Symantec Enterprise Firewall 8 Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"
  # The log is in this format if the first line matches this regular expression.
  # Shape expected: "Mon dd, yyyy hh:mm:ss.mmm <token> a.b.c.d ... Starting new log file",
  # where <token> is the whitespace-free field matched by `[^ ]*` between the
  # time and the dotted-quad IP (probably the logging host — it is also required
  # by the parsing filters below).
  # NOTE(review): autodetect_lines = "10" presumably widens the check to the
  # first ten lines rather than just the first — confirm.
  log.format.autodetect_regular_expression = "^[A-Z][a-z][a-z] [0-9]+, [0-9][0-9][0-9][0-9][ ][0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\.[0-9][0-9][0-9][ ][^ ]*[ ][0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ .*Starting new log file"
  log.format.autodetect_lines = "10"
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Entries are called accesses
  statistics.miscellaneous.entry_name = "accesses"
  # The format of dates and times in the log data.
  # NOTE(review): parsing filter 1 captures the date as text like "Dec 09, 2004"
  # (comma-and-space dividers) while date_format says mmm/dd/yyyy; presumably
  # the engine matches on component order rather than the divider characters —
  # confirm.
  log.format.date_format = "mmm/dd/yyyy"
  log.format.time_format = "hh:mm:ss"
  # Don't allow spaces (or tabs) in field value in listed parsing filters.
  # NOTE(review): the sample "Statistics" line quoted in parsing filter 2 has
  # values containing spaces (e.g. "Notes=(Idle timeout)", "Duration=66.00 ");
  # how those are handled with this set to false is not established here.
  log.format.allow_spaces_in_listed_field_values = "false"
  # Log fields — one entry per value the parsing filters can collect.
  # Only the non-"flat" types (date, time, size, host, page) carry the
  # hierarchy_dividers / left_to_right / leading_divider settings.
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    server_ip = {
      label = "$lang_stats.field_labels.server_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # server_ip
    service = {
      label = "$lang_stats.field_labels.service"
      type = "flat"
      index = 0
      subindex = 0
    } # service
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type
    # NOTE(review): declared, but the active parsing filter 1 captures six
    # groups and does not list subtype (only its commented-out predecessor
    # did); this field is filled only if the key/value pass in filter 2
    # happens to supply it.
    subtype = {
      label = "$lang_stats.field_labels.subtype"
      type = "flat"
      index = 0
      subindex = 0
    } # subtype
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "flat"
      index = 0
      subindex = 0
    } # duration
    authentication_result = {
      label = "$lang_stats.field_labels.authentication_result"
      type = "flat"
      index = 0
      subindex = 0
    } # authentication_result
    id = {
      label = "$lang_stats.field_labels.id"
      type = "flat"
      index = 0
      subindex = 0
    } # id
    # sent, received and bytes feed the numeric columns in
    # database.numerical_fields; they have no string column in database.fields.
    sent = {
      label = "$lang_stats.field_labels.sent"
      type = "flat"
      index = 0
      subindex = 0
    } # sent
    received = {
      label = "$lang_stats.field_labels.received"
      type = "flat"
      index = 0
      subindex = 0
    } # received
    bytes = {
      label = "$lang_stats.field_labels.bytes"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # bytes
    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # source_interface
    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # source_ip
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port
    source_name = {
      label = "$lang_stats.field_labels.source_name"
      type = "flat"
      index = 0
      subindex = 0
    } # source_name
    destination_interface = {
      label = "$lang_stats.field_labels.destination_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_interface
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # destination_ip
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port
    destination_name = {
      label = "$lang_stats.field_labels.destination_name"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_name
    # NOTE(review): server_source has no database.fields entry below (unlike
    # server_source_port), so whatever filter 2 collects into it is not
    # stored as a reportable column as the file stands.
    server_source = {
      label = "$lang_stats.field_labels.server_source"
      type = "flat"
      index = 0
      subindex = 0
    } # server_source
    server_source_port = {
      label = "$lang_stats.field_labels.server_source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # server_source_port
    # url is fed from the "Argument=" key/value in parsing filter 2
    # ('Argument=url'), i.e. raw request text from the log; the log.filters
    # below cut it down to scheme://host/ before it is stored.
    url = {
      label = "$lang_stats.field_labels.url"
      type = "page"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
      # is_sessions_page = true
    } # url
    operation = {
      label = "$lang_stats.field_labels.operation"
      type = "flat"
      index = 0
      subindex = 0
    } # operation
    resource = {
      label = "$lang_stats.field_labels.resource"
      type = "flat"
      index = 0
      subindex = 0
    } # resource
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    rule_id = {
      label = "$lang_stats.field_labels.rule_id"
      type = "flat"
      index = 0
      subindex = 0
    } # rule_id
    program_name = {
      label = "$lang_stats.field_labels.program_name"
      type = "flat"
      index = 0
      subindex = 0
    } # program_name
    status = {
      label = "$lang_stats.field_labels.status"
      type = "flat"
      index = 0
      subindex = 0
    } # status
    state = {
      label = "$lang_stats.field_labels.state"
      type = "flat"
      index = 0
      subindex = 0
    } # state
  } # log.fields
  #
  # Log Parsing Filters
  #
  # Applied per log line, presumably in numeric order: 1 captures the fixed
  # header columns, 2 splits the "Statistics, ..." key/value tail, 3 accepts
  # the entry. The captured values are taken verbatim from the line.
  log.parsing_filters = {
    # Parse header fields
    # E.g. 'Dec 09, 2004 23:59:59.968 208.15.237.100 kernel[1592] 121 INFORMATIONAL...'
    # NOTE(review): the active regexp below requires a whitespace-free token
    # (`[^ ]*`, probably the logging host) between the time and the server IP,
    # matching the autodetect expression; the sample line above omits it and
    # would not match as written.
    # Groups map to: *KEY*, date, time, server_ip, service, type.
    1 = {
      label = "1"
      comment = ""
      # value = "collect_fields_using_regexp('^()([A-Za-z]+ [0-9]+, [0-9]+)[ ]([0-9:]+)\\\\.[0-9]+[ ][^ ]*[ ]([0-9.]+) *([^ ]*)[ ][0-9]*[ ][0-9]*[ ]([^ ]*)[ ]([^ ]*)', '*KEY*,date,time,server_ip,service,type,subtype')"
      value = "collect_fields_using_regexp('^()([A-Za-z]+ [0-9]+, [0-9]+) ([0-9:]+)\\\\.[0-9]+ [^ ]* ([0-9.]+) ([^ ]*) [0-9]+ ([A-Z]+)', '*KEY*,date,time,server_ip,service,type')"
    } # 1
    # Parse out the ", "-separated, =-divided variables that follow
    # "Statistics, " (the older space-separated form is kept commented out).
    # E.g.
    # Dec 09, 2004 23:59:59.968 208.15.237.100 kernel[1592] 121 INFORMATIONAL: Statistics, Duration=66.00 , Authentication Result=N/A, ID=1BZE2, Sent=52, Received=56, Bytes=108, Source Interface=A8C7C318-441, Source IP=10.1.1.210, Source Port=1182, Source Name=10.1.1.210, Server Source=208.15.237.100, Server Source Port=62090, Destination Interface=146498E8-D40, Destination IP=65.160.60.161, Destination Port=161, Destination Name=65.160.60.161, Operation=N/A, Protocol=161/udp, Rule ID=13, Notes=(Idle timeout)
    # NOTE(review): only the "Argument" key is mapped explicitly ('Argument=url');
    # the other keys ("Source IP", "Rule ID", ...) presumably reach the
    # same-named log fields through the engine's own name normalisation —
    # confirm. Lines whose message is not "Statistics, ..." do not match this
    # regexp and presumably carry only the header fields into filter 3.
    2 = {
      label = "2"
      comment = ""
      # value = "collect_listed_fields_using_regexp('^()[A-Za-z]+ [0-9]+, [0-9]+[ ][0-9:.]+[ ][^ ]*[ ][^ ]*[ ][0-9]*[ ][0-9]*[ ][^ ]*[ ][^ ]*[ ](.*)$', ' ', ' ', 'argument=url')"
      value = "collect_listed_fields_using_regexp('^()[A-Za-z]+ [0-9]+, [0-9]+ [0-9:.]+ [^ ]* [0-9.]+ [^ ]+ [0-9]+ [A-Z]+: Statistics, (.*)$', ', ', '=', 'Argument=url')"
    } # 2
    # Accept this entry unconditionally ('^()' matches every line).
    3 = {
      label = "3"
      comment = ""
      value = "accept_collected_entry_using_regexp('^()', false)"
    } # 3
  } # log.parsing_filters
  # Database fields — the string (non-numeric) columns. Each maps onto the
  # log field named by log_field; date_time, day_of_week and hour_of_day are
  # presumably derived by the engine from the date/time log fields, and
  # file_type and worm (no log.fields entry) from url — confirm. Numeric
  # quantities (sent, received, bytes) live in database.numerical_fields.
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    server_ip = {
      label = "$lang_stats.field_labels.server_ip"
      log_field = "server_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server_ip
    service = {
      label = "$lang_stats.field_labels.service"
      log_field = "service"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # service
    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type
    subtype = {
      label = "$lang_stats.field_labels.subtype"
      log_field = "subtype"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # subtype
    # NOTE(review): a numeric "duration" column is also declared in
    # database.numerical_fields below — confirm the engine permits the same
    # name in both tables.
    duration = {
      label = "$lang_stats.field_labels.duration"
      log_field = "duration"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # duration
    authentication_result = {
      label = "$lang_stats.field_labels.authentication_result"
      log_field = "authentication_result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # authentication_result
    id = {
      label = "$lang_stats.field_labels.id"
      log_field = "id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # id
    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      log_field = "source_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_interface
    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port
    source_name = {
      label = "$lang_stats.field_labels.source_name"
      log_field = "source_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_name
    destination_interface = {
      label = "$lang_stats.field_labels.destination_interface"
      log_field = "destination_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_interface
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port
    destination_name = {
      label = "$lang_stats.field_labels.destination_name"
      log_field = "destination_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_name
    server_source_port = {
      label = "$lang_stats.field_labels.server_source_port"
      log_field = "server_source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server_source_port
    url = {
      label = "$lang_stats.field_labels.url"
      log_field = "url"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # url
    file_type = {
      label = "$lang_stats.field_labels.file_type"
      log_field = "file_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # file_type
    worm = {
      label = "$lang_stats.field_labels.worm"
      log_field = "worm"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # worm
    operation = {
      label = "$lang_stats.field_labels.operation"
      log_field = "operation"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # operation
    resource = {
      label = "$lang_stats.field_labels.resource"
      log_field = "resource"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # resource
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    rule_id = {
      label = "$lang_stats.field_labels.rule_id"
      log_field = "rule_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule_id
    program_name = {
      label = "$lang_stats.field_labels.program_name"
      log_field = "program_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # program_name
    status = {
      label = "$lang_stats.field_labels.status"
      log_field = "status"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # status
    state = {
      label = "$lang_stats.field_labels.state"
      log_field = "state"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # state
  } # database.fields
  # Log Filters — run on each parsed entry before it is stored. If they run
  # in file order, remove_query and simplify_url together reduce url to
  # "scheme://host/(omitted)", so neither query strings (which can carry
  # session ids or credentials) nor paths are retained in the database.
  log.filters = {
    # Replace everything after the first '?' with '(parameters)'.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (matches_regular_expression(url, '^(.*\\\\?).*$')) then url = $1 . '(parameters)';"
    } # remove_query
    # page_views = 0 for the listed static-asset extensions, 1 otherwise.
    # file_type is not a log field here; presumably derived from url by the
    # engine (see database.fields) — confirm.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    # Keep only "scheme://host/" and replace the rest with '(omitted)'.
    # NOTE(review): the only filter value without a trailing ';' — fine if the
    # filter language treats it as optional, otherwise worth normalising.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url
    # For non-page-view entries, keep the directory part of url and append
    # '(nonpage)'.
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views
    # Every entry counts as one access (the accesses column below).
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters
  # Numeric columns. requires_log_field = true entries take their value from
  # the named log field; accesses and page_views are set by log.filters.
  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      # sessions_event_field = true
    } # page_views
    # Counts distinct source_ip values (type = "unique"); an address is not a
    # person where NAT or a proxy sits in front of the firewall.
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    bytes = {
      label = "$lang_stats.field_labels.bytes"
      default = false
      requires_log_field = true
      log_field = "bytes"
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    received = {
      label = "$lang_stats.field_labels.received"
      default = false
      requires_log_field = true
      log_field = "received"
      type = "float"
      display_format_type = "bandwidth"
    } # received
    # NOTE(review): the only numerical field written without quotes and
    # without an explicit log_field despite requires_log_field = true; its
    # siblings spell these as log_field = "duration" / type = "int" /
    # display_format_type = "...". Confirm whether the engine defaults
    # log_field to the field name. The sample log shows Duration=66.00
    # while the display format is duration_milliseconds and the type is
    # int — the unit and any truncation are not established here.
    duration = {
      label = $lang_stats.field_labels.duration
      default = false
      requires_log_field = true
      type = int
      display_format_type = duration_milliseconds
    } # duration
  } # database.numerical_fields
  # Defaults offered when a profile is created from this format; each key in
  # report_groups names a database field declared above.
  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        source_interface = true
        source_ip = true
        source_port = true
        source_name = true
        user = true
      }
      destination_group = {
        destination_interface = true
        destination_ip = true
        destination_port = true
        destination_name = true
      }
      server_group = {
        server_ip = true
        service = true
        server_source_port = true
      }
      content_group = {
        url = true
        file_type = true
        worm = true
      }
      other_group = {
        type = true
        subtype = true
        authentication_result = true
        id = true
        operation = true
        resource = true
        protocol = true
        rule_id = true
        program_name = true
        status = true
        state = true
      }
    } # report_groups
  } # create_profile_wizard_options
  # Intentionally empty: nothing is listed as unsupported for this format.
  not_supported = {
  } # not_supported
} # symantec_enterprise_firewall8