# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. tivoli_access_manager_webseal = { plugin_version = "1.0" # 2006-09-29 - 1.0beta - KBB - initial creation # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy and changed name from # beta_tivoli_access_manager_webseal.cfg # The name of the log format log.format.format_label = "IBM Tivoli Access Manager WebSEAL Log Format" log.miscellaneous.log_data_type = "http_access" log.miscellaneous.log_format_type = "web_server" # The log is in this format if any of the first ten lines match this regular expression log.format.autodetect_regular_expression = '^'); ); else ( greater_than_index = index(v.line, '>'); ); if (isMultiLineTag and (greater_than_index == -1)) then ( # Process attributes of multi-line tag, or CDATA contents if (isCDATA) then ( current_value .= v.line . "\n"; ); else ( v.attr = v.line; while (matches_regular_expression(v.attr, '^[ ]*([^ ]+)="([^"]*)"(.*)$')) ( v.key = $1; v.value = $2; v.attr = $3; # Report the proposed field name and value v.field_name = replace_first(xml_tag_stack, ignoreTags, ''); v.field_name = replace_all(v.field_name, '//', '_'); # multi_line_tag_name is on the stack already v.field_name .= '_' . v.key; if (matches_regular_expression(v.field_name, '^_(.*)$')) then ( v.field_name = $1; ); #echo("\n----------------------\n#type attribute"); #echo("tag_name '" . multi_line_tag_name . "'"); #echo("v.field_name '" . lowercase(v.field_name) . "'"); #echo("v.value '" . v.value . "'"); # Put this value in the log entry set_collected_field('', lowercase(v.field_name), v.value); ); ); ); else ( # Finish with a multi line tag if (isMultiLineTag) then ( v.rest_of_tag = substr(v.line, 0, greater_than_index); # Process remaining attributes or CDATA contents if (isCDATA) then ( current_value .= substr(v.rest_of_tag, 0, greater_than_index) . 
"\n"; isCDATA = false; greater_than_index = greater_than_index + 2; ); else ( v.attr = v.rest_of_tag; while (matches_regular_expression(v.attr, '^[ ]*([^ ]+)="([^"]*)"(.*)$')) ( v.key = $1; v.value = $2; v.attr = $3; # Report the proposed field name and value v.field_name = replace_first(xml_tag_stack, ignoreTags, ''); v.field_name = replace_all(v.field_name, '//', '_'); # multi_line_tag_name is on the stack already v.field_name .= '_' . v.key; if (matches_regular_expression(v.field_name, '^_(.*)$')) then ( v.field_name = $1; ); #echo("\n----------------------\n#type attribute"); #echo("tag_name '" . multi_line_tag_name . "'"); #echo("v.field_name '" . lowercase(v.field_name) . "'"); #echo("v.value '" . v.value . "'"); # Put this value in the log entry set_collected_field('', lowercase(v.field_name), v.value); ); # Pop the tag off the stack if it turns out to be single if (ends_with(v.rest_of_tag, '/')) then ( xml_tag_stack = substr(xml_tag_stack, 0, length(xml_tag_stack) - length(multi_line_tag_name) - 2); ); ); isMultiLineTag = false; multi_line_tag_name = ""; # Continue reading the rest of the line begin_ptr = greater_than_index + 1; ); while (begin_ptr < line_length) ( # Find the first tag in this line int less_than_index = index(v.line, '<', begin_ptr); #echo("Setting less_than_index " . less_than_index); # debug # If there are no tags in this line, the whole line is part of the current value # (Note that nested tags with text, such as in html ( text text text text) # will give pecular results because current value of nested tags will not be in value of # outer tags.) if (less_than_index == -1) then ( current_value .= substr(v.line, begin_ptr) . "\n"; begin_ptr = line_length; #echo("No tags - set begin_ptr " . begin_ptr); # debug #echo("current_value *" . current_value . "*"); # debug ); # Found a tag else ( #echo("Found a tag v.line=*" . substr(v.line, begin_ptr) . 
"*"); # debug string tag_name = ""; # Everything up to the tag is part of the current value current_value .= substr(v.line, begin_ptr, less_than_index - begin_ptr); #echo("Setting current_value " . current_value); # debug # Find the close of the tag greater_than_index = index(v.line, '>', less_than_index); #echo("Setting greater_than_index " . greater_than_index); # debug # Get the tag name - Multi-line tag if (greater_than_index == -1) then ( tag_name = substr(v.line, less_than_index + 1); isMultiLineTag = true; begin_ptr = line_length; # skip rest of line #echo("Multi-line tag - set begin_ptr " . begin_ptr); # debug ); # Regular tag else ( tag_name = substr(v.line, less_than_index + 1, greater_than_index - less_than_index - 1); #echo("Set tag_name " . tag_name); # debug # Continue reading the rest of the line begin_ptr = greater_than_index + 1; #echo("Regular tag - set begin_ptr " . begin_ptr); # debug ); # Check for closing tag if (starts_with(tag_name, '/')) then ( # Get the tag name tag_name = substr(tag_name, 1); #echo("Closing tag: " . tag_name . "; value=" . current_value); # debug # Verify that this is the open tag name if (!ends_with(xml_tag_stack, "//" . tag_name)) then error("XML parsing error while processing log data; closing tag '" . tag_name . "' is out of order; stack=" . xml_tag_stack); # Report the proposed field name and value v.field_name = xml_tag_stack; if (starts_with(xml_tag_stack, ignoreTags) and (xml_tag_stack ne ignoreTags)) then ( v.field_name = replace_first(xml_tag_stack, ignoreTags, ''); ); v.field_name = replace_all(v.field_name, '//', '_'); if (matches_regular_expression(v.field_name, '^_(.*)$')) then ( v.field_name = $1; ); #echo("\n----------------------\n#type value"); #echo("tag_name '" . tag_name . "'"); #echo("v.field_name '" . lowercase(v.field_name) . "'"); #echo("current_value '" . current_value . 
"'"); # Put this value in the log entry set_collected_field('', lowercase(v.field_name), current_value); # Pop the closing tag off the stack xml_tag_stack = substr(xml_tag_stack, 0, length(xml_tag_stack) - length(tag_name) - 2); #echo("Pop - now stack=" . xml_tag_stack); # debug # accept entry if (tag_name eq 'event') then ( #2006-06-28-23:07:44.632+00:00I----- if (matches_regular_expression(get_collected_field('', 'date'), '^([0-9]{4}-[0-9]{2}-[0-9]{2})-([0-9:]+)\.')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); ); #POST /cgi-bin/program.cgi HTTP/1.1 #1470 #Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) #https://hello.goodbye.org/index.html if (matches_regular_expression(get_collected_field('', 'data'), '([^\n]*)\n([^\n]*)\n([^\n]*)\n([^\n]*)')) then ( set_collected_field('', 'size', $2); set_collected_field('', 'user_agent', $3); set_collected_field('', 'referrer', $4); if (matches_regular_expression($1, '^([^ ]+) (.*) ([^ ]+)$')) then ( set_collected_field('', 'method', $1); set_collected_field('', 'page', $2); set_collected_field('', 'protocol', $3); ); ); accept_collected_entry('', false); ); # # Reset the value for the next tag current_value = ""; ); # if closing tag else ( # single or opening tag # It's a single tag, a CDATA or an xml special tag - don't put it on the stack # Get this info before possibly chopping off '/' below bool isSingleTag = (ends_with(tag_name, '/') or starts_with(tag_name, '!') or # e.g.: starts_with(tag_name, '?')); # e.g.: if (matches_regular_expression(tag_name, '!\\\\[CDATA\\\\[(.*)(\\\\]\\\\])') or matches_regular_expression(tag_name, '!\\\\[CDATA\\\\[(.*)')) then ( current_value .= $1; if (isMultiLineTag) then ( current_value .= "\n"; isCDATA = true; ); ); else ( # Remove and process attributes if (matches_regular_expression(tag_name, '^([^ ]*)( .*)$')) then ( tag_name = $1; v.attr = $2; while (matches_regular_expression(v.attr, '^[ ]*([^ ]+)="([^"]*)"(.*)$')) ( 
v.key = $1; v.value = $2; v.attr = $3; # Report the proposed field name and value v.field_name = replace_first(xml_tag_stack, ignoreTags, ''); v.field_name = replace_all(v.field_name, '//', '_'); # We know this is an opening tag, but it isn't on the stack yet, (and my never be) v.field_name .= '_' . tag_name . '_' . v.key; if (matches_regular_expression(v.field_name, '^_(.*)$')) then ( v.field_name = $1; ); #echo("\n----------------------\n#type attribute"); #echo("tag_name '" . tag_name . "'"); #echo("v.field_name '" . lowercase(v.field_name) . "'"); #echo("v.value '" . v.value . "'"); # Put this value in the log entry set_collected_field('', lowercase(v.field_name), v.value); ); #echo("After removing attributes from tag_name *" . tag_name . "*"); # debug ); ); # Save (after mods) in case it is single and needs to be # popped from the stack - doesn't hurt to save if not multi-line multi_line_tag_name = tag_name; # It's a single tag, a CDATA or an xml special tag - don't put it on the stack if (isSingleTag) then ( #echo("Single tag: " . tag_name); # debug ); # if single tag # On open tag, remember the tag in the tag stack else ( #echo("Opening tag: *" . tag_name . "*"); # debug xml_tag_stack .= "//" . tag_name; #echo("Push - now stack=" . xml_tag_stack); # debug ); ); # if not closing tag ); # if found a tag #echo("Now v.line=" . substr(v.line, begin_ptr, 100)); # debug #echo("Now v.line=" . substr(v.line, begin_ptr)); # debug ); # while line length ); # if not in the middle of a multi-line tag ` # Get web browser, operating system, web browser, and spider information from the user-agent field. 
# Derive the visitor-system fields from the user-agent string.  The parsing
# filter above copies the third line of the event's <data> element into
# user_agent; get_user_agent_info() classifies that string and leaves its
# results in volatile.*, which are copied into the database fields here.
# The user-agent originates from the HTTP client and is stored verbatim, so
# it is only ever classified by this filter, never trusted for anything else.
log.parsing_filters.derive_from_user_agent = `
  get_user_agent_info(user_agent);
  web_browser = volatile.web_browser;
  operating_system = volatile.operating_system;
  spider = volatile.spider;
`

# Database fields.
#
# The order of the entries is the order the fields appear in the profile, so
# they are deliberately not regrouped.  The XML parser above sets one
# collected field per closing tag, leaf and container alike, and resets
# current_value at every closing tag, so a container's own value is only the
# whitespace between its children.  The commented-out names are those
# containers plus the two intermediate elements the parser splits itself:
# date -> date/time, and data -> size/user_agent/referrer/method/page/protocol.
# Only fields listed here are kept in the database.
database.fields = {
  date_time = ""
  day_of_week = ""
  hour_of_day = ""
  page.suppress_bottom = 9      # hierarchical field; suppress_bottom presumably caps the stored depth - see Sawmill docs
  protocol = ""
  # NOTE(review): user_agent and referrer are client-supplied strings taken
  # from the log unchanged.  The remove_query filter below rewrites page only,
  # so a query string on referrer (or on resource_access_httpurl) is stored
  # as-is in the profile database.
  user_agent = ""
  referrer = ""
  #event_rev = ""
  #accessor = ""
  #accessor_name = ""
  accessor_name_in_rgy = ""
  accessor_principal = ""
  accessor_principal_auth = ""
  accessor_principal_domain = ""
  # NOTE(review): presumably the WebSEAL session identifier - it is stored in
  # the report database and offered as a report group below, so the profile
  # database and generated reports should be treated as sensitive.
  accessor_session_id = ""
  accessor_user_location = ""
  accessor_user_location_type = ""
  #data = ""
  #date = ""
  #event = ""
  #originator = ""
  originator_action = ""
  originator_blade = ""
  originator_component = ""
  originator_component_rev = ""
  originator_event_id = ""
  originator_instance = ""
  originator_location = ""
  outcome = ""
  outcome_status = ""
  #resource_access = ""
  resource_access_action = ""
  resource_access_httpmethod = ""
  resource_access_httpresponse = ""
  resource_access_httpurl = ""   # full URL from the audit record; not touched by remove_query
  #target = ""
  target_object = ""
  target_object_nameinapp = ""
  target_resource = ""

  # derived fields
  # Nothing in this file computes these; they are presumably filled by
  # Sawmill's built-in derivations (file_type and worm from page, location
  # from the client address, the referrer_*/search_* fields from referrer).
  file_type = ""
  location.suppress_bottom = 3
  # screen_dimensions/screen_depth are not populated by anything visible in
  # this file (no JavaScript-tracking source here); they will report empty
  # unless another part of the profile sets them - TODO confirm.
  screen_dimensions = ""
  screen_depth = ""
  web_browser = ""
  operating_system = ""
  referrer_description = ""
  search_engine = ""
  search_phrase = ""
  search_phrase_by_search_engine = ""
  worm = ""
  spider = ""
} # database.fields

# Log filters.
# strip_non_page_views relies on the page_views value that detect_page_views
# assigns, so the relative order of those two entries matters.
log.filters = {

  # Replace everything after the first '?' in page with '(parameters)', so
  # query-string values are not kept in the page hierarchy.  Only page is
  # rewritten; see the note on referrer/resource_access_httpurl above.
  remove_query = {
    label = "$lang_admin.log_filters.remove_query_label"
    comment = "$lang_admin.log_filters.remove_query_comment"
    value = "if (contains(page, '?')) then page = substr(page, 0, index(page, '?') + 1) . 
'(parameters)';"
  } # remove_query

  # An entry whose file_type is one of the listed image, stylesheet, Flash or
  # JavaScript types counts as 0 page views; everything else counts as 1.
  # The comparisons are exact (eq) on the upper-case type names.
  detect_page_views = {
    label = '$lang_admin.log_filters.detect_page_views_label'
    comment = '$lang_admin.log_filters.detect_page_views_comment'
    value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
  } # detect_page_views

  # Collapse non-page hits to their directory plus '(nonpage)' so individual
  # asset files do not appear in the page hierarchy.
  strip_non_page_views = {
    label = '$lang_admin.log_filters.strip_non_page_views_label'
    comment = '$lang_admin.log_filters.strip_non_page_views_comment'
    value = "if (page_views == 0) then page = substr(page, 0, last_index(page, '/') + 1) . '(nonpage)';"
  } # strip_non_page_views

  # Every accepted entry counts as one event.
  mark_entry = {
    label = '$lang_admin.log_filters.mark_entry_label'
    comment = '$lang_admin.log_filters.mark_entry_comment'
    value = 'events = 1;'
  } # mark_entry
} # log.filters

# Numerical (aggregated) fields.
database.numerical_fields = {
  # Entry counter set by mark_entry; not read from any log field.
  events = {
    default = true
    requires_log_field = false
    entries_field = true
  } # events
  # Bytes transferred, taken from the log field 'size', which the parser
  # fills from the second line of the <data> element.  Stored as a float and
  # displayed in bandwidth units.
  size = {
    requires_log_field = true
    log_field = "size"
    type = "float"
    display_format_type = "bandwidth"
  } # size
} # database.numerical_fields

create_profile_wizard_options = {
  # How the reports should be grouped in the report menu.  Every name here
  # must be a field declared in database.fields above (or a built-in group
  # such as date_time_group).
  report_groups = {
    date_time_group = ""
    # Who made the request.  location is the derived geographic field
    # declared above via location.suppress_bottom.
    accessor_group = {
      accessor_name_in_rgy = true
      accessor_principal = true
      accessor_principal_auth = true
      accessor_principal_domain = true
      accessor_session_id = true
      accessor_user_location = true
      accessor_user_location_type = true
      location = true
    }
    # Which WebSEAL component emitted the record.
    originator_group = {
      originator_action = true
      originator_blade = true
      originator_component = true
      originator_component_rev = true
      originator_event_id = true
      originator_instance = true
      originator_location = true
    }
    # Result of the access decision.
    outcome_group = {
      outcome = true
      outcome_status = true
    }
    # The HTTP request as recorded in the <resource_access> element.
    resource_group = {
      resource_access_action = true
      resource_access_httpmethod = true
      resource_access_httpresponse = true
      resource_access_httpurl = true
    }
    target_group = {
      target_object = true
      target_object_nameinapp = true
      target_resource = true
    }
    # Client software, from the user-agent (see derive_from_user_agent).
    visitor_systems_group = {
      user_agent = true
      web_browser = true
      operating_system = true
      screen_dimensions = true
      screen_depth = true
    }
    referrer_group = {
      referrer = true
      referrer_description = true
      search_engine = true
      search_phrase = true
      search_phrase_by_search_engine = true
    }
    content_group = {
      page = true
      file_type = true
    }
    other_group = {
      worm = true
      spider = true
      protocol = true
    }
  } # report_groups
} # create_profile_wizard_options

} # tivoli_access_manager_webseal