# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the SonicWALL Aventail "Client/server Access" log
# (tunnel and flow events of the SSL VPN client).  It declares: the autodetect
# regex, the log fields, the parsing script that fills them, the log.filters that
# post-process user_name/realm/dn/status, the database fields and numerical
# fields, and the report wiring (field associations and snapons).
#
# Review notes for anyone relying on these reports for security monitoring:
#  * user_name, status, dest_host/dest_port and the trailing equipment_id are
#    copied from the log line as-is; user_name in particular is influenced by
#    whoever attempts to log in.  See the comments in the parsing script and in
#    log.filters for how a crafted value can affect the realm/dn split.
#  * A line that fails the main parsing regex (for example because the quoted
#    user string itself contains a double quote) is silently not accepted -- it
#    produces no database entry rather than an error.
aventail_client_server_access = {
  plugin_version = "3.3"
  # NOTE: "manfacturer" is the key name the rest of the product reads; leave the spelling as-is.
  info.1.manfacturer = "SonicWALL"
  info.1.device = "Aventail Client/server Access"
  info.1.version.1 = ""
  # Change history
  # 2006-09-05 - GMF - 1.1 - Changed log_data_type to network_device instead of syslog_required,
  #   and changed parsing to use current_log_line() instead of v.syslog_message.
  # 2006-09-13 - GMF - 1.2 - Cleaned up log fields; added date/time fields.
  # 2006-09-26 - GMF - 1.3 - Added session tracking
  # 2006-09-26 - GMF - 1.4 - Moved session tracking under Connect Proxy and Connect Tunnel groups
  # 2006-10-25 - GMF - 1.5 - Switched to tagged report names.
  # 2007-12-11 - GMF - 1.6 - Fixed a bug where realms were not extracted properly
  # 2009-10-08 - 1.7 - KBB - Added support for new log format with ' "-"' at the end of each line.
  # 2010-01-13 - 1.7.1 - KBB - Removed sessions reports from Connect Tunnel at the request of Sonic Wall.
  # 2010-03-11 - 1.8 - KBB - We now know what the new field is. Added equipment_id field, parsing and
  #   expanded values in lang_stats.cfg. Added protocol and dn fields and parsing of their values from
  #   the method and user_name fields.
  # 2010-10-07 - 1.8.1 - GMF - Hard-coded a few variables in English, because AAR doesn't have the lang_stats variables
  # 2010-10-12 - 1.8.2 - GMF - Changed all report_field values in column in report, to field_name--report_field doesn't work in Sawmill 7, which is what AAR is based on.
  # 2012-01-24 - 2.0 - GMF - Added gateway_reports snapon
  # 2012-02-03 - 3.0 - GMF - Switched away from using separate filters on reports for the three report groups, to using separate numerical fields to track flow, tunnel, and connect proxy events.
  # 2012-02-07 - 3.1 - GMF - Removed connect proxy (no longer supported, according to SonicWall). Removed session analysis (requested by SonicWall). Switched to 64-bit int for large integer fields. Split duration into tunnel duration and flow duration.
  # 2012-02-27 - 3.2 - GMF - Split source_host and virtual_ip into separate fields.
  # 2012-05-08 - 3.3 - GMF - Removed virtual_ip from gateway reports, as requested by SonicWall in ThreadID:1223441. Added SonicWALL to name. Added field associations for source_host and virtual_ip.

  # The name of the log format
  log.format.format_label = "SonicWALL Aventail Client/server Access Log Format"
  # The first assignment is overridden by the second; "network_device" is the effective value.
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_data_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Two sample lines (the second shows the trailing quoted field added in 1.7):
  #10.4.6.128:1121 - "(NLizard)@(Full Network Access) (CN=Lizard\, Ned,OU=Employee Accounts,OU=User Accounts,OU=Rockmoss,DC=corp,DC=rocksitters,DC=com)" "23/Sep/2009:13:34:01.428 -0400" 1.1 Flow:TCP 10.1.44.44:445 0 1315 3629 11
  #10.4.6.170:3698 - "(NLizard)@(Full Network Access) (CN=Lizard\, Ned,OU=Employee Accounts,OU=User Accounts,OU=RockMoss,DC=corp,DC=rocksitters,DC=com)" "01/Oct/2009:08:04:01.614 -0400" 1.1 flow:udp 10.1.44.44:389 0 0 193 300 "-"
  # Note the autodetect regex is not anchored and does not require the trailing quoted field.
  log.format.autodetect_regular_expression = '[0-9\\.]+:[0-9]+ [^ ]+ "[^"]*" "../.../....:..:..:..\\.[0-9]+ [\\+\\-]...." [^ ]+ [^ ]+ [^:]+:[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+'

  # Quote handling: quotes are honoured (ignore_quotes = false); bracket-as-quote handling is left disabled.
  log.format.ignore_quotes = "false"
  #log.format.treat_brackets_as_quotes = "false"
  log.format.common_log_format = "false"

  # Session tracking was removed in 3.1 (see change history); kept here commented out.
  # statistics.miscellaneous = {
  #   maximum_session_duration = "0"
  #   session_timeout = "0"
  #   remove_reloads_from_sessions = "false"
  # } # statistics.miscellaneous

  # Earlier parsing regexes, superseded by the script in log.parsing_filters.parse below.
  #log.format.parsing_regular_expression = "^([0-9\.]+):([0-9]+) ([^ ]+) \\"([^\\"]+)\\" \\"(../.../....):(..:..:..)\.[0-9]+ (\+....)\\" ([^ ]+) ([^ ]+) ([^:]+):([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)$"
  #log.format.parsing_regular_expression = '^([0-9\\.]+):[0-9]+ ([^ ]+) "([^"]+)" "(../.../....:..:..:..)\\.[0-9]+ (\\+....)" ([^ ]+) ([^ ]+) ([^:]+):([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)$'

  # Log fields.  Every field is filled by the parsing script below except realm,
  # group and dn, which are derived from user_name by log.filters.
  log.fields = {
    date = ""
    time = ""
    source_host.type = "host"
    virtual_ip = ""
    auth_method = ""
    user_name = ""
    timezone = ""
    version = ""
    method = ""
    protocol = ""
    dest_host = ""
    dest_port = ""
    status = ""
    bytes_in = ""
    bytes_out = ""
    tunnel_duration = ""
    flow_duration = ""
    realm = ""
    group = ""
    dn = ""
    equipment_id = ""
  } # log.fields

  # Parsing script.  Runs once per raw log line:
  #   1. strips a leading syslog header ("Mon DD HH:MM:SS host tag: ") if present;
  #   2. matches the Aventail line and copies the capture groups into log fields;
  #   3. attributes the client address to virtual_ip (flow events) or source_host
  #      (tunnel events) and decodes the optional trailing equipment field;
  #   4. accepts the entry.  A line that fails step 2 is dropped without a trace.
  log.parsing_filters.parse = `
    v.message = current_log_line();
    # Optional syslog prefix; only the part after "tag: " is parsed further.
    if (matches_regular_expression(v.message, '^[A-Z][a-z][a-z] [0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]* [^ ]* [^:]+: (.*)$')) then
      v.message = $1;
    # Example of a tunnel line with the trailing equipment field (letter prefix + quoted id):
    #192.168.111.111:1288 - "(somesuser)@(SOME_WHERE) (uid=somesuser,ou=Users,dc=lizard,dc=mouse)" "03/Dec/2009:12:40:00.624 -0800" 1.1 tunnel 171.1.1.111:0 0 512 3761 3981 W"-"
    # Previous version of the match, without the optional trailing group:
    #if (matches_regular_expression(v.message, '^([0-9\\.]+):[0-9]+ ([^ ]+) "([^"]*)" "(../.../....):(..:..:..)\\.[0-9]+ ([\\+\\-]....)" ([^ ]+) ([^ ]+) ([^:]+):([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)')) then (
    # Capture groups: 1 client IP (port not captured), 2 auth_method, 3 quoted user string,
    # 4 date, 5 time, 6 timezone, 7 version, 8 method[:protocol], 9 dest_host, 10 dest_port,
    # 11 status, 12 bytes_in, 13 bytes_out, 14 duration, 15 optional " <equipment>", 16 equipment text.
    # The user string is "[^"]*": a double quote inside it makes the whole line fail to match.
    if (matches_regular_expression(v.message, '^([0-9\\.]+):[0-9]+ ([^ ]+) "([^"]*)" "(../.../....):(..:..:..)\\.[0-9]+ ([\\+\\-]....)" ([^ ]+) ([^ ]+) ([^:]+):([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)( (.*))?')) then (
      v.host = $1;
      set_collected_field('', 'auth_method', $2);
      # The user string is "(user)@(realm) (dn)"; parens become brackets so the
      # log.filters below can split on ']@[' and '] ['.  The text between the
      # brackets is whatever the client sent at login and is not otherwise sanitised.
      set_collected_field('', 'user_name', replace_all(replace_all($3, '(', '['), ')', ']'));
      set_collected_field('', 'date', $4);
      set_collected_field('', 'time', $5);
      set_collected_field('', 'timezone', $6);
      v.version = $7;
      set_collected_field('', 'version', $7);
      # Lower-cased so "Flow:TCP" and "flow:udp" compare equal below.
      v.method = lowercase($8);
      set_collected_field('', 'method', v.method);
      set_collected_field('', 'dest_host', $9);
      set_collected_field('', 'dest_port', $10);
      set_collected_field('', 'status', $11);
      set_collected_field('', 'bytes_in', $12);
      set_collected_field('', 'bytes_out', $13);
      v.duration = $14;
      # set_collected_field('', 'realm', $15);    # The fields referenced on these two lines are not in the log.
      # set_collected_field('', 'group', $16);    # The values are set in filters from the user_name.
      # $16 is the text after the optional trailing space, e.g. W"-" ; empty when the line has no trailing field.
      v.equipment_id = $16;
      # "method:protocol" (e.g. flow:tcp) is split into the two fields.
      if (matches_regular_expression(v.method, '^([^:]+):(.*)$')) then (
        v.method = $1;
        set_collected_field('', 'method', $1);
        set_collected_field('', 'protocol', $2);
      );
      # The client address is recorded under a method-specific field; any method other
      # than "flow" or "tunnel" leaves both virtual_ip and source_host unset.
      if (v.method eq "flow") then (
        set_collected_field('', 'virtual_ip', v.host);
        set_collected_field('', 'flow_events', 1);
        set_collected_field('', 'flow_duration', v.duration);
      );
      else if (v.method eq "tunnel") then (
        set_collected_field('', 'source_host', v.host);
        set_collected_field('', 'tunnel_flows', 1);
        set_collected_field('', 'tunnel_duration', v.duration);
      );
      # Equipment field: optional single upper-case type letter followed by a quoted id.
      if (matches_regular_expression(v.equipment_id, '^([A-Z])?"([^"]*)"$')) then (
        v.equipment_type = $1;
        v.equipment_id = $2;
        if (v.equipment_type eq '') then
          v.equipment_type = 'unspecified';
        # A quoted "-" means no id; otherwise the id is appended after a space.
        if (v.equipment_id eq '-') then
          v.equipment_id = '';
        else
          v.equipment_id = " " . v.equipment_id;
        # The type letter is translated through lang_stats when an entry exists.
        # NOTE(review): any letter (or 'unspecified') that has no lang_stats entry is
        # labelled "Mobile Phone", so an unknown prefix is reported as a phone.
        if (node_exists('lang_stats.log_formats.aventail_client_server_access.equipment_type') and node_exists('lang_stats.log_formats.aventail_client_server_access.equipment_type.' . v.equipment_type)) then (
          v.equipment_type = node_value(subnode_by_name('lang_stats.log_formats.aventail_client_server_access.equipment_type', v.equipment_type));
        );
        else (
          v.equipment_type = "Mobile Phone";
        );
        set_collected_field('', 'equipment_id', v.equipment_type . v.equipment_id);
      );
      else (
        # Trailing field absent or not in the expected shape: stored untranslated.
        set_collected_field('', 'equipment_id', v.equipment_id);
      );
      accept_collected_entry('', false);
    );
  `

  # Session tracking (disabled; see change history 1.7.1 / 3.1).
  # Track sessions, based on user_name and dest_host.
  # log.field_options = {
  #
  #   sessions_page_field = "dest_host"
  #   sessions_visitor_id_field = "user_name"
  #   sessions_event_field = "connections"
  #
  # } # log.field_options

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    source_host = {
      display_format_type = "hostname"
    } # source_host (should the display_format_type be hostname? was source_host)
    virtual_ip = ""
    dest_host = "" # (dft s/b hostname if anything)
    dest_port = ""
    user_name = ""
    # 2012-04-02 - GMF - Removed per SonicWall request, ThreadID:1223441
    # auth_method = ""
    # timezone = ""
    # version = ""
    # method = ""
    status = ""
    protocol = ""
    realm = ""
    group = ""
    dn = ""
    # NOTE(review): there is no "location" entry in log.fields above; presumably this is
    # filled by the product's host-based location lookup -- confirm before relying on it.
    location = {
      #label = "location"
      log_field = "location"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
    } # location
    # domain_description = {
    #   #label = "domain description"
    #   log_field = "domain_description"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # domain_description
    equipment_id = ""
  } # database.fields

  # Log Filters.  These run in the order listed, after the parsing script, on the
  # bracketed user_name "[user]@[realm] [dn]".  Each split uses the FIRST occurrence
  # of the delimiter (index), so a user portion that itself contains ")@(" or ") ("
  # in the raw log will shift the realm/dn boundary; nothing below guards against that.
  log.filters = {
    # realm = text between the first ']@[' and the closing ']'.
    realm_no_user = {
      label = "get realm from user string"
      comment = "get realm from user string"
      value = `
        if contains(user_name, ']@[') then
          realm = substr(user_name, index(user_name, ']@[')+3, length(user_name) - index(user_name, ']@[') - 4);
      `
    } # realm_no_user
    # dn = text between the first '] [' and the closing ']'.
    dn_from_user = {
      label = "get dn from user string"
      comment = "get dn from user string"
      value = `
        if contains(user_name, '] [') then
          dn = substr(user_name, index(user_name, '] [')+3, length(user_name) - index(user_name, '] [') - 4);
      `
    } # dn_from_user
    # we have no example of a dn without a realm
    # user_name is reduced to the text between the leading '[' and ']@['; realm
    # (extracted above) still carries the "] [dn" tail, which is cut off here.
    strip_realm_from_user = {
      label = "strip realm and dn from user name, dn from realm"
      comment = "strip realm and dn from user name"
      value = `
        if contains(user_name, ']@[') then
          user_name = substr(user_name, 1, index(user_name, ']@[') - 1);
        if contains(realm, '] [') then
          realm = substr(realm, 0, index(realm, '] ['));
      `
    } # strip_realm_from_user
    # parens are now changed to brackets
    # this will only happen if there was no realm or dn
    # Drops the first and last character; assumes a user_name that starts with '[' also ends with ']'.
    strip_parens_from_user = {
      # label = "strip parens from user"
      # comment = "can't see user name in authenticated users report if starts with ("
      # value = "if starts_with(user_name,'(') then user_name = substr(user_name, 1, length(user_name)-2);"
      label = "strip brackets from user"
      comment = "clean up user name, remove brackets"
      value = `
        if starts_with(user_name,'[') then
          user_name = substr(user_name, 1, length(user_name) - 2);
      `
    } # strip_parens_from_user
    # A bare "-" user string is an unauthenticated connection.
    not_authenticated = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "$lang_admin.log_filters.not_authenticated_comment"
      value = "if (user_name eq '-') then user_name = '(not authenticated)';"
    } # not_authenticated (moved to after stripping () from (user name) ... this shouldn't appear in auth_users report)
    # NOTE(review): this compares against the literal word 'empty' (what "(empty)" in the
    # raw log becomes after the bracket stripping above), not against Sawmill's "(empty)"
    # marker that default_realm below tests for -- confirm that is the intended case.
    not_authenticated_2 = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "Mark empty users as (not authenticated)"
      value = "if (user_name eq 'empty') then user_name = '(not authenticated)';"
    } # not_authenticated_2
    # Unconditionally sets group for every entry; the log itself carries no group.
    default_group = {
      label = "mark default group"
      comment = "This filter can be changed to customize user groups"
      value = "group = 'Default';"
    } # default_group
    default_realm = {
      label = "mark default realm"
      comment = "mark default realm"
      value = "if ((realm eq '(empty)') and (user_name ne '(not authenticated)')) then realm = 'default realm';"
    } # default_realm
    # mark_entry = {
    #   label = '$lang_admin.log_filters.mark_entry_label'
    #   comment = '$lang_admin.log_filters.mark_entry_comment'
    #   value = 'connections = 1;'
    # } # mark_entry
    # Appends a human-readable description when rewrite_rules.aventail_client_server_status
    # has a subnode named exactly like the raw status value; unknown statuses are left untouched.
    status = {
      value = "if (subnode_exists('rewrite_rules.aventail_client_server_status', status)) then status = status . ' (' . node_value(subnode_by_name('rewrite_rules.aventail_client_server_status', status)) . ')'"
      label = "Status to text"
      comment = "This rewrites the Client/server status field to plain text"
    }
    # Earlier, rule-iterating versions of the status and user rewrites (disabled).
    # status = {
    #   value = "node rule;foreach rule 'rewrite_rules.aventail_client_server_status' (if ((status eq node_value(subnode_by_name(rule, 'regexp')))) then (status = status . ' (' . expand(node_value(subnode_by_name(rule, 'result'))) . ')'; last; ); );"
    #   disabled = "false"
    #   label = "Status to text"
    #   comment = "This rewrites the Client/server status field to plain text"
    # } # status
    # clean_users = {
    #   value = "node rule;foreach rule 'rewrite_rules.user_lookup' (if (contains(user_name, '='.node_value(subnode_by_name(rule, 'regexp')).',')) then (user_name = expand(node_value(subnode_by_name(rule, 'result'))); last; ); );"
    #   disabled = "false"
    #   label = "LDAP to user name"
    #   comment = "This rewrites the user_name field to the user's name, if in ldap format (contains '=extranet_id,' )"
    # } # clean_users
  } # log.filters

  # Numerical fields.  flow_events / tunnel_flows are the per-event counters set by
  # the parsing script; byte and duration counters are 64-bit to avoid overflow on
  # long-lived tunnels (change history 3.1).
  database.numerical_fields = {
    # connections = {
    #   #label = "$lang_stats.field_labels.connections"
    #   #label = "connections"
    #   default = true
    #   requires_log_field = false
    #   type = "int"
    #   display_format_type = "integer"
    #   entries_field = true
    # } # connections
    flow_events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # flow_events
    tunnel_flows = {
      default = true
      requires_log_field = false
      entries_field = true
    } # tunnel_flows
    # Distinct user_name values.
    visitors = {
      default = true
      log_field = "user_name"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    bytes_in = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_in
    bytes_out = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_out
    flow_duration = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "duration_compact"
    } # flow_duration
    tunnel_duration = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "duration_compact"
    } # tunnel_duration
  } # database.numerical_fields

  create_profile_wizard_options = {
    # This shows which numerical fields are related to which non-numerical fields.
    database_field_associations = {
      # Virtual IP appears only in "flow" events, so it shouldn't be associated with "tunnel" fields
      virtual_ip = {
        flow_events = true
        visitors = true
        bytes_in = true
        bytes_out = true
        flow_duration = true
      }
      # Source Host appears only in "tunnel" events, so it shouldn't be associated with "flow" fields
      source_host = {
        tunnel_flows = true
        visitors = true
        bytes_in = true
        bytes_out = true
        tunnel_duration = true
      }
    } # database_field_associations
    report_groups = {
      date_time_group = ""
    } # report_groups
    snapons = {
      # Attach a gateway_reports snapon.  It is wired to the tunnel-side fields only
      # (source_host, tunnel_flows, tunnel_duration); virtual_ip was dropped per
      # ThreadID:1223441 (change history 3.3).
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          user_field.parameter_value = "user_name"
          have_client_ip.parameter_value = true
          client_ip_field.parameter_value = "source_host"
          have_category_field.parameter_value = false
          # category_field.parameter_value = "category"
          host_field.parameter_value = "dest_host"
          # have_additional_field.parameter_value = true
          # additional_field.parameter_value = "virtual_ip"
          page_views_field.parameter_value = "tunnel_flows"
          have_bytes_in_field.parameter_value = true
          bytes_in_field.parameter_value = "bytes_in"
          have_bytes_out_field.parameter_value = true
          bytes_out_field.parameter_value = "bytes_out"
          have_duration_field.parameter_value = true
          duration_field.parameter_value = "tunnel_duration"
          sort_by_field.parameter_value = "tunnel_duration"
        } # parameters
      } # gateway_reports
      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports
    } # snapons
  } # create_profile_wizard_options
} # aventail_client_server_access