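# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Astaro Security Gateway v7 syslog output.
# Two line types are handled: packet-filter lines from ulogd ("firewall")
# and web-filter lines from httpproxy ("proxy"). Both carry their data as
# key="value" pairs after the process name, which is why all field parsing
# is done in log.parsing_filters.parse rather than with a positional regex.
astaro_security_gateway = {

  plugin_version = "2.2"

  info.1.manufacturer = "Astaro"
  info.1.device = "Security Gateway"
  info.1.version.1 = "7"

  # 2008-06-04 - 1.0 - GMF - Initial implementation
  # 2008-06-04 - 2.0 - GMF - Added support for proxy format
  # 2009-06-04 - 2.1 - MSG - Added support for an ignored log field in the first position
  # 2011-02-16 - 2.2 - MSG - Removed the caret anchoring ulogd to the beginning of a line to support a preceding timestamp
  # (review)   - 2.2 - Applied the same de-anchoring to the httpproxy parsing pattern; see log.parsing_filters.parse

  # The name of the log format
  log.format.format_label = "Astaro Security Gateway Log Format"
  # The lines are syslog; Sawmill strips the syslog header first and hands the
  # remainder to the parsing filters as v.syslog_message.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Neither pattern is anchored to the start of the line, so a preceding timestamp
  # (as in the examples below) or a different leading token does not defeat detection.
  log.format.autodetect_expression = `
    # Handle firewall lines, e.g.
    # 2008:04:01-00:00:38 (none) ulogd[2897]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" dstmac="00:11:22:33:44:55" srcmac="aa:bb:cc:dd:ee:ff" srcip="12.34.56.78" dstip="98.76.54.32" proto="6" length="48" tos="0x00" prec="0x00" ttl="116" srcport="2105" dstport="1433" tcpflags="SYN"
    matches_regular_expression(volatile.log_data_line, 'ulogd[[][0-9]+[]]: id="[^"]*".*fwrule.*initf') or
    # Handle proxy lines, e.g.
    # 2008:03:24-00:02:21 (none) httpproxy[12924]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="12.34.56.78" user="" statuscode="200" cached="0" profile="profile_1" filteraction="action_REF_DefaultHTTPCFFAction" size="11404" time="129 ms" request="0xabcdef00" url="http://somewhere.com/pathname/of/url.html?query" error="" category="0910" categoryname="General News / Newspapers / Magazines"
    matches_regular_expression(volatile.log_data_line, 'httpproxy[[][0-9]+[]]: id="[^"]*".*srcip=.*statuscode=')
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields. Names match the key="value" keys in the log line so that
  # collect_listed_fields() can populate them by name; the remaining fields
  # (srcsvc, dstsvc, events, bytes, ...) are derived in the parsing filter.
  log.fields = {
    id = ""
    severity = ""
    sys = ""
    sub = ""
    name = ""
    action = ""
    fwrule = ""
    initf = ""
    dstmac = ""
    srcmac = ""
    # "host" type: Sawmill treats srcip as a host field (this is what feeds the
    # derived "location" database field below).
    srcip.type = "host"
    dstip = ""
    proto = ""
    tos = ""
    prec = ""
    ttl = ""
    srcport = ""
    dstport = ""
    srcsvc = ""
    dstsvc = ""
    tcpflags = ""
    # proxy
    user = ""
    statuscode = ""
    cached = ""
    profile = ""
    filteraction = ""
    request = ""
    method = ""
    url.type = "page"
    # file_type and worm are never set by the filters in this file;
    # presumably populated by Sawmill from the page-typed url field -- verify.
    file_type = ""
    worm = ""
    error = ""
    category = ""
    categoryname = ""
    events = ""
    bytes = ""
    firewall_events = ""
    hits = ""
    page_views = ""
    response_time = ""
  } # log.fields

  log.parsing_filters.parse = `
    # 2.1: drop a single leading bare token (e.g. the "(none)" hostname in the
    # examples) so the process name can follow. Only lowercase letters, digits
    # and parentheses are accepted; a leading timestamp such as
    # "2008:04:01-00:00:38" does not match and is left in place, which is why
    # the two patterns below are not anchored to the start of the message.
    if (matches_regular_expression(v.syslog_message, '^[()a-z0-9]+ (.*)$')) then
      v.syslog_message = $1;

    # Handle firewall lines
    # 2011-02-16 - 2.2 - MSG - Removed the caret anchoring ulogd to the beginning of a line to support a preceding timestamp
    if (matches_regular_expression(v.syslog_message, 'ulogd[[][0-9]+[]]: (id=.*)$')) then (
      # Split the key="value" list into the fields declared above; the
      # "length" key is stored in the "bytes" field.
      # NOTE(review): values such as name="Packet dropped" contain spaces while
      # the separator is ' '; this relies on collect_listed_fields() honouring
      # the double quotes -- confirm against the Sawmill documentation.
      collect_listed_fields('', $1, ' ', '=', 'length=bytes');

      # Convert protocol numbers. Only TCP, UDP and ICMP are mapped; any other
      # IP protocol number is kept as the raw number from the log line.
      if (get_collected_field('', 'proto') == 6) then
        set_collected_field('', 'proto', 'tcp');
      else if (get_collected_field('', 'proto') == 17) then
        set_collected_field('', 'proto', 'udp');
      else if (get_collected_field('', 'proto') == 1) then
        set_collected_field('', 'proto', 'icmp');

      # Look up services: build "<port>_<proto>" (e.g. "1433_tcp") and replace
      # it with the service name from rewrite_rules.services when one exists;
      # otherwise the "<port>_<proto>" string is kept as the service value.
      set_collected_field('', 'dstsvc', get_collected_field('', 'dstport') . '_' . get_collected_field('', 'proto'));
      if (subnode_exists('rewrite_rules.services', get_collected_field('', 'dstsvc'))) then
        set_collected_field('', 'dstsvc', node_value(subnode_by_name("rewrite_rules.services", get_collected_field('', 'dstsvc'))));
      set_collected_field('', 'srcsvc', get_collected_field('', 'srcport') . '_' . get_collected_field('', 'proto'));
      if (subnode_exists('rewrite_rules.services', get_collected_field('', 'srcsvc'))) then
        set_collected_field('', 'srcsvc', node_value(subnode_by_name("rewrite_rules.services", get_collected_field('', 'srcsvc'))));

      # Every accepted firewall line counts once as an event and once as a firewall event.
      set_collected_field('', 'events', 1);
      set_collected_field('', 'firewall_events', 1);
      accept_collected_entry('', false);
    ); # if firewall

    # Handle proxy lines, e.g.
    # 2008:03:24-00:02:21 (none) httpproxy[12924]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="12.34.56.78" user="" statuscode="200" cached="0" profile="profile_1" filteraction="action_REF_DefaultHTTPCFFAction" size="11404" time="129 ms" request="0xabcdef00" url="http://somewhere.com/pathname/of/url.html?query" error="" category="0910" categoryname="General News / Newspapers / Magazines"
    #
    # Not anchored with '^', for the same reason as the ulogd pattern above: the
    # 2.2 change de-anchored only the firewall pattern, while the autodetect
    # pattern for proxy lines is unanchored. A log whose proxy lines carry a
    # preceding timestamp would therefore autodetect as this format but the
    # proxy lines would match neither branch, never reach
    # accept_collected_entry(), and be dropped without any warning.
    if (matches_regular_expression(v.syslog_message, 'httpproxy[[][0-9]+[]]: (id=.*)$')) then (
      # "size" is stored as bytes and "time" (e.g. "129 ms") as response_time.
      # NOTE(review): response_time is declared as a 64-bit int below; this
      # relies on Sawmill taking the leading integer of "129 ms" -- confirm.
      collect_listed_fields('', $1, ' ', '=', 'size=bytes|time=response_time');
      set_collected_field('', 'events', 1);
      set_collected_field('', 'hits', 1);
      accept_collected_entry('', false);
    ); # if proxy
  `

  # Database fields
  database.fields = {
    id = ""
    severity = ""
    sys = ""
    sub = ""
    name = ""
    action = ""
    fwrule = ""
    initf = ""
    dstmac = ""
    srcmac = ""
    srcip = ""
    # Not a log field: derived from the host-typed srcip (presumably geolocation) -- verify.
    location = ""
    dstip = ""
    proto = ""
    tos = ""
    prec = ""
    ttl = ""
    srcport = ""
    dstport = ""
    srcsvc = ""
    dstsvc = ""
    tcpflags = ""
    # proxy
    user = ""
    statuscode = ""
    cached = ""
    profile = ""
    filteraction = ""
    method = ""
    request = ""
    url = ""
    file_type = ""
    worm = ""
    error = ""
    category = ""
    categoryname = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Truncate the stored URL at the first '?' and replace the query string
    # with "(parameters)". Besides keeping the report small, this keeps
    # session tokens, credentials or search terms that users put in query
    # strings out of the Sawmill database and reports.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    # Count a page view for every hit that is not an image, stylesheet,
    # Flash or JavaScript resource.
    categorize = {
      label = "$lang_admin.log_filters.categorize_hits_label"
      comment = "$lang_admin.log_filters.categorize_hits_comment"
      value = `
        if ((file_type eq 'JPEG') or
            (file_type eq 'JPG') or
            (file_type eq 'GIF') or
            (file_type eq 'ICO') or
            (file_type eq 'PNG') or
            (file_type eq 'CSS') or
            (file_type eq 'SWF') or
            (file_type eq 'JS')) then (
        )
        else (
          page_views = 1;
        )
      `
    } # categorize

    # Reduce the URL to "scheme://host/(omitted)"; URLs without a
    # "scheme://host/" prefix are left untouched.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url
  } # log.filters

  database.numerical_fields = {
    events = {
      default = true
    } # events
    firewall_events = {
      default = true
    } # firewall_events
    hits = {
      default = true
    } # hits
    page_views = {
      default = true
    } # page_views
    bytes = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes
    # Off by default: counting distinct source IPs costs extra database space.
    unique_source_ips = {
      default = false
      log_field = "srcip"
      type = "unique"
    } # unique_source_ips
    response_time = {
      type = "int"
      integer_bits = 64
      display_format_type = "duration_milliseconds"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      severity = ""
      sys = ""
      sub = ""
      name = ""
      action = ""
      content_group = {
        url = ""
        file_type = ""
        category = ""
        categoryname = ""
      } # content_group
      source_group = {
        srcmac = ""
        srcip = ""
        srcport = ""
        srcsvc = ""
        location = ""
        user = ""
      } # source_group
      destination_group = {
        dstmac = ""
        dstip = ""
        dstport = ""
        dstsvc = ""
      } # destination_group
      filtering_group = {
        fwrule = ""
        filteraction = ""
      } # filtering_group
      other_group = {
        ttl = ""
        proto = ""
        prec = ""
        worm = ""
        spider = ""
        method = ""
        request = ""
        cached = ""
        id = ""
        statuscode = ""
        profile = ""
        tcpflags = ""
        initf = ""
        tos = ""
        error = ""
      } # other_group
    } # report_groups
  } # create_profile_wizard_options

} # astaro_security_gateway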