# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. watchguard = { plugin_version = "2.0" info.1.manufacturer = "Watchguard" info.1.device = "Firebox" info.1.version.1 = "x1000" # 2007-03-12 - 2.0 - KBB - Updated syntax and enhanced support for format with TCP flags: # - Renamed field "parameter" to "flags". # - Added support for multiple flags on a line. # - A file with flags on all lines will now autodetect. # The name of the log format log.format.format_label = "Watchguard Log Format" log.miscellaneous.log_data_type = "syslog_required" log.miscellaneous.log_format_type = "firewall" # The log is in this format if any of the first ten lines match this regular expression log.format.autodetect_regular_expression = "(deny|allow) +[^ ]+ +[a-z0-9:]+ +[0-9]+ +[a-z]+ +[0-9]+ +[0-9]+ +[0-9.]+ +[0-9.]+ +[0-9]+ +[0-9]+ +([a-z]+ )*\\([^:]+\\)" # All log field parsing will be done using the parsing filters log.format.parse_only_with_filters = "true" # Log fields log.fields = { process = "" process_no = "" permission = "" direction = "" port_name = "" packet_len = "" protocol = "" header_len = "" time_to_live = "" source_ip = "" destination_ip = "" source_port = "" destination_port = "" #parameter = "" flags = "" message = "" } # log.fields # # Log Parsing Filters # example with tcp flags: #2007-01-06 00:00:09 Local0.Debug 172.11.11.11 firewalld[117]: allow in eth0:1 48 tcp 20 115 11.11.11.11 11.11.11.12 1379 25 syn (Filtered-SMTP) #2007-01-06 00:00:32 Local0.Info 172.11.11.11 firewalld[117]: deny in eth0:1 40 tcp 20 44 12.12.12.12 12.12.12.13 47528 25 fin ack (blocked site) log.parsing_filters.parse = ` if (matches_regular_expression(v.syslog_message, '^[0-9]*([0-9][0-9]/[0-9][0-9]/[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[ ]+(.*)')) then ( set_collected_field('', 'date', normalize_date($1, 'mm/dd/yy')); set_collected_field('', 'time', $2); v.syslog_message = $3; ); if (matches_regular_expression(v.syslog_message, '([^ ]+) +([^ ]+) +([a-z0-9:]+) +([0-9]+) +([a-z]+) +([0-9]+) +([0-9]+) +([0-9.]+) +([0-9.]+) +([0-9]+) +([0-9]+) ([a-z ]*)\\\\(([^:]+)\\\\)')) then ( set_collected_field('', 'permission', $1); set_collected_field('', 'direction', $2); set_collected_field('', 'port_name', $3); set_collected_field('', 'packet_len', $4); set_collected_field('', 'protocol', $5); set_collected_field('', 'header_len', $6); set_collected_field('', 'time_to_live', $7); set_collected_field('', 'source_ip', $8); set_collected_field('', 'destination_ip', $9); set_collected_field('', 'source_port', $10); set_collected_field('', 'destination_port', $11); v.flags = $12; set_collected_field('', 'message', $13); # throw away extra spaces - prevents problems with filters and gets (empty) when empty if (matches_regular_expression(v.flags, '^ *([^ ][a-z ]+[^ ]) *$')) then ( v.flags = $1; ); else if (matches_regular_expression(v.flags, ' +')) then ( v.flags = ''; ); set_collected_field('', 'flags', v.flags); accept_collected_entry('', false); ); ` # Database fields database.fields = { permission = "" direction = "" port_name = "" protocol = "" source_ip = "" destination_ip = "" source_port = "" destination_port = "" #parameter = "" flags = "" message = "" } # database.fields # Log Filters log.filters = { mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'hits = 1;' } # mark_entry } # log.filters database.numerical_fields = { hits = { default = true requires_log_field = false entries_field = true } # hits visitors = { requires_log_field = true log_field = "source_ip" type = "unique" } # visitors } # database.numerical_fields create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" } # report_groups } # create_profile_wizard_options } # watchguard