# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Symantec Antivirus 9 CSV exports.
#
# Four line layouts are recognized (scan summaries, events, threat detections,
# and an older "Event,Computer,User,Logged By,Date" event export).  The
# parsing filter below tags each parsed line with event_type and sets exactly
# one of scans / events / threats to 1, except for the older export, which
# sets events = 1 but leaves event_type empty.
symantec_antivirus = {

  plugin_version = "1.0"

  info.1.manufacturer = "Symantec"
  info.1.device = "Antivirus"
  info.1.version = "9"

  # 2007-09-14 - 1.0 - KBB - added version number and changed file name from beta_symantec_antivirus.cfg
  # Supporting Symantec Antivirus 9

  # The name of the log format
  log.format.format_label = "Symantec Antivirus Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "other"
  # Header rows are skipped by the generic mechanism; only the fourth layout's
  # header is additionally handled inside the parsing filter (see "Format 1").
  log.format.ignore_format_lines = "true"

  # The log is in this format if any of the first ten lines match this regular expression
  # Each alternative is the CSV header row of one of the four layouts parsed below;
  # the column lists here are what the capture counts in the parsing filter are based on.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^Date,Event,Computer,User,Scan Type") or
    matches_regular_expression(volatile.log_data_line, "^Event,Computer,User,Logged By,Date") or
    matches_regular_expression(volatile.log_data_line, "^Date,Filename,Threat,Threat Type,Action Taken,Computer,User,Original Location,Status,Current Location,Primary Action,Secondary Action,Scan Type,Action Description") or
    matches_regular_expression(volatile.log_data_line, "^Started On,Completed,Computer,Status,Total files,Infected,Scan Type")
  `

  # The format of dates and times in this log
  # log.format.date_format = "mm/dd/yyyy"
  # log.format.time_format = "hh:mm:ss"

  # Log fields populated by log.parsing_filters.parse.  Note:
  #  - started_on and completed are declared but never assigned by the parsing
  #    filter (the scan branch writes date/time and duration instead).
  #  - computer, status and scan_type are each listed twice; the repeats look
  #    redundant (all are "") -- presumably harmless, confirm before removing.
  log.fields = {
    time = ""
    event_type = ""
    started_on = ""
    completed = ""
    computer = ""
    status = ""
    scan_type = ""
    logged_by = ""
    event = ""
    date = ""
    filename = ""
    threat = ""
    threat_type = ""
    action_taken = ""
    computer = ""
    user = ""
    original_location = ""
    status = ""
    current_location = ""
    primary_action = ""
    secondary_action = ""
    scan_type = ""
    action_description = ""
    threats = ""
    scans = ""
    events = ""
    total_files = ""
    infected_files = ""
    duration = ""
  } # log.fields

  # Start with unknown log format type
  # v.log_format_type is only ever set to 1 (by the "Format 1" header branch
  # below); it gates the parsing of the older event export's data lines.
  log.filter_initialization = `v.log_format_type = 0;`

  # One branch per layout; the first matching pattern wins.  Every column is
  # captured with [^,]+, so a value that itself contains a comma (e.g. a file
  # name or threat description) changes the column count and the line matches
  # none of the patterns -- presumably it is then dropped silently; confirm
  # before relying on threat/scan counts from this plugin as a coverage signal.
  # date and time are stored as captured (no normalize_* on the stored values);
  # only the scan branch normalizes, and only to compute duration.
  log.parsing_filters.parse = `
    # Scan summary: "Started On,Completed,Computer,Status,Total files,Infected,Scan Type"
    # ($1/$2 = start date/time, $3/$4 = completion date/time).
    if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+ *[AP]*M*),([0-9/]+) ([0-9:]+ *[AP]*M*),([^,]+),([^,]+),([0-9]+),([0-9]+),([^,]+)$')) then (
      date = $1;
      time = $2;
      v.start_time = normalize_date($1, 'auto') . ' ' . normalize_time($2, 'auto');
      v.epoc_start_time = date_time_to_epoc(v.start_time);
      v.completed_time = normalize_date($3, 'auto') . ' ' . normalize_time($4, 'auto');
      v.epoc_completed_time = date_time_to_epoc(v.completed_time);
      # Epoch difference (presumably seconds).  Not clamped: a completion stamp
      # earlier than the start stamp (clock change mid-scan) yields a negative
      # duration.
      duration = v.epoc_completed_time - v.epoc_start_time;
      computer = $5;
      status = $6;
      total_files = $7;
      infected_files = $8;
      scan_type = $9;
      event_type = "scan";
      scans = 1;
    )
    # Event: "Date,Event,Computer,User,Scan Type"
    else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+ *[AP]*M*),([^,]+),([^,]+),([^,]+),([^,]+)$')) then (
      date = $1;
      time = $2;
      event = $3;
      computer = $4;
      user = $5;
      scan_type = $6;
      event_type = "event";
      events = 1;
    )
    # Threat detection: "Date,Filename,Threat,Threat Type,Action Taken,Computer,User,
    # Original Location,Status,Current Location,Primary Action,Secondary Action,
    # Scan Type,Action Description" (Date is split into $1 date and $2 time).
    else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+ *[AP]*M*),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+)$')) then (
      date = $1;
      # ":00" is appended to whatever $2 captured; the pattern also admits an
      # AM/PM suffix, which would then precede the ":00" -- NOTE(review):
      # confirm the downstream time parser accepts that shape.
      time = $2 . ":00";
      filename = $3;
      threat = $4;
      threat_type = $5;
      action_taken = $6;
      computer = $7;
      user = $8;
      original_location = $9;
      status = $10;
      current_location = $11;
      primary_action = $12;
      secondary_action = $13;
      scan_type = $14;
      action_description = $15;
      event_type = "threat";
      threats = 1;
    )
    # Format 1:
    #Event,Computer,User,Logged By,Date
    #Client has not checked in,1ONLINE,DOMAIN\online_1,System,31/12/2005 23:52:18
    # The header row switches the parser into format-1 mode and is rejected;
    # data lines are only accepted once that flag is set.
    else if (matches_regular_expression(current_log_line(), '^Event,Computer,User,Logged By,Date')) then (
      v.log_format_type = 1;
      'reject';
    )
    else if ((v.log_format_type == 1) and matches_regular_expression(current_log_line(), '^([^,]+),([^,]+),([^,]+),([^,]+),([0-9]+)/([0-9]+)/([0-9]+) ([0-9:]+ *[APM]*)$')) then (
      event = $1;
      computer = $2;
      user = $3;
      logged_by = $4;
      # Date in this export is day/month/year (see the sample above); it is
      # reordered to month/day/year here.  event_type is not set in this branch.
      date = $6 . '/' . $5 . '/' . $7;
      time = $8;
      events = 1;
    )
  `

  # Database (report) fields.  computer, status and scan_type are again listed
  # twice, mirroring log.fields.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    logged_by = ""
    computer = ""
    status = ""
    scan_type = ""
    event = ""
    filename = ""
    threat = ""
    threat_type = ""
    action_taken = ""
    computer = ""
    user = ""
    original_location = ""
    status = ""
    current_location = ""
    primary_action = ""
    secondary_action = ""
    scan_type = ""
    action_description = ""
  } # database.fields

  # Counters.  events / threats / scans are set to 1 by the corresponding
  # parse branch; total_files / infected_files / duration come from the scan
  # summary branch only.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    threats = {
      label = "$lang_stats.field_labels.threats"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
    } # threats
    scans = {
      label = "$lang_stats.field_labels.scans"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
    } # scans
    total_files = {
      label = "$lang_stats.field_labels.total_files"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
    } # total_files
    infected_files = {
      label = "$lang_stats.field_labels.infected_files"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
    } # infected_files
    # NOTE(review): values here are unquoted, unlike the sibling entries --
    # confirm the config loader treats label/type/display_format_type the same
    # either way.
    duration = {
      label = $lang_stats.field_labels.duration
      default = false
      requires_log_field = true
      type = int
      display_format_type = duration_compact
    } # duration
  } # database.numerical_fields

  log.filters = {
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    # Each per-field group pairs the field with the counter(s) that the
    # parse branch producing it sets (events for event, threats for the
    # threat-detail fields, both for user).  computer, status and scan_type
    # appear twice in this list as well.
    report_groups = {
      date_time_group = ""
      event_type = true
      computer = true
      status = true
      scan_type = true
      event = {
        label = "{=capitalize(expand(lang_stats.field_labels.event))=}"
        columns = {
          0.field_name = "event"
          1.field_name = "events"
        }
      } # event
      filename = {
        label = "{=capitalize(expand(lang_stats.field_labels.filename))=}"
        columns = {
          0.field_name = "filename"
          1.field_name = "threats"
        }
      } # filename
      threat = {
        label = "{=capitalize(expand(lang_stats.field_labels.threat))=}"
        columns = {
          0.field_name = "threat"
          1.field_name = "threats"
        }
      } # threat
      threat_type = {
        label = "{=capitalize(expand(lang_stats.field_labels.threat_type))=}"
        columns = {
          0.field_name = "threat_type"
          1.field_name = "threats"
        }
      } # threat_type
      action_taken = {
        label = "{=capitalize(expand(lang_stats.field_labels.action_taken))=}"
        columns = {
          0.field_name = "action_taken"
          1.field_name = "threats"
        }
      } # action_taken
      user = {
        label = "{=capitalize(expand(lang_stats.field_labels.user))=}"
        columns = {
          0.field_name = "user"
          1.field_name = "events"
          2.field_name = "threats"
        }
      } # user
      original_location = {
        label = "{=capitalize(expand(lang_stats.field_labels.original_location))=}"
        columns = {
          0.field_name = "original_location"
          1.field_name = "threats"
        }
      } # original_location
      current_location = {
        label = "{=capitalize(expand(lang_stats.field_labels.current_location))=}"
        columns = {
          0.field_name = "current_location"
          1.field_name = "threats"
        }
      } # current_location
      primary_action = {
        label = "{=capitalize(expand(lang_stats.field_labels.primary_action))=}"
        columns = {
          0.field_name = "primary_action"
          1.field_name = "threats"
        }
      } # primary_action
      secondary_action = {
        label = "{=capitalize(expand(lang_stats.field_labels.secondary_action))=}"
        columns = {
          0.field_name = "secondary_action"
          1.field_name = "threats"
        }
      } # secondary_action
      action_description = {
        label = "{=capitalize(expand(lang_stats.field_labels.action_description))=}"
        columns = {
          0.field_name = "action_description"
          1.field_name = "threats"
        }
      } # action_description
      computer = true
      status = true
      scan_type = true
      # Per-detection listing (date, file, threat, host, count), not subtabled.
      threat_detail = {
        label = "$lang_stats.menu.reports.threat_detail"
        columns = {
          0.field_name = "date_time"
          1.field_name = "filename"
          2.field_name = "threat"
          3.field_name = "computer"
          4.field_name = "threats"
        }
        subtable = false
      } # threat_detail
    } # report_groups
  } # create_profile_wizard_options

} # symantec_antivirus