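# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Barracuda Web Application Firewall access logs
# that carry a field-header line. Field names are taken from that header at
# parse time, so log fields (and, while a profile is being created, database
# fields) are built dynamically rather than declared here.
barracuda_waf_access_with_header = {

  plugin_version = "1.0.0"

  info.1.manufacturer = "Barracuda"
  info.1.device = "Web Application Firewall (Access) (With Field Header)"
  info.1.version = "7.5"

  # 2012-06-06 - 1.0 - GMF - Initial implementation.

  # The name of the log format
  log.format.format_label = "Barracuda WAF Access Log Format (With Field Header)"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # Sample header line and the separator line that follows it, as they appear
  # in the log (the leading '#' here is config-file comment syntax, not part of
  # the log line):
  #Timestamp Client_IP Client_Port Application_IP Application_Port Server_IP Server_Port Method Protocol URL Version Login_ID Host Referer HTTP_Status Cache_Hit Bytes_Sent Bytes_Received Time_Taken Server_Time Protected_Field WF_Matched_Field Profile_Matched_Field Response_Type_Field Session_ID Query Cookie
  # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  # The log is in this format if any of the first ten lines match this regular
  # expression (the run of '+' characters on the separator line).
  log.format.autodetect_regular_expression = "^ [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]"

  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Preprocessor: recognises the field-header line, creates log and database
  # fields from it, and rejects header and '#' lines so they are not parsed as
  # data. Every other line is passed through to the parser unchanged.
  log.filter_preprocessor = `
    if (matches_regular_expression(current_log_line(), '^[A-Z][a-z]+ [A-Z]')) then (
      string fields = current_log_line();
      string fieldname;
      v.logfieldindex = 1;
      string numerical_fields = "profiles." . internal.profile_name . ".database.numerical_fields";

      # Create a database field node under this profile and return it.
      subroutine(create_database_field(string fieldname), (
        #echo("create_database_field: " . fieldname);
        debug_message("create_database_field(" . fieldname . ")\n");
        string databasefieldpath = "profiles." . internal.profile_name . ".database.fields." . fieldname;
        (databasefieldpath . "") = "";
        node databasefield = databasefieldpath;
        # set_subnode_value(databasefield, "label", fieldname);
        databasefield;
      ));

      # Create a log field node under this profile and return it. When
      # withindex is true the field takes the next column index (so the parser
      # can map it to its position on each data line); type is only set when
      # it is non-empty.
      subroutine(create_log_field(string fieldname, string type, bool withindex), (
        debug_message("create_log_field(" . fieldname . "; type=" . type . ")\n");
        string logfieldpath = "profiles." . internal.profile_name . ".log.fields." . fieldname;
        (logfieldpath . "") = "";
        node logfield = logfieldpath;
        # set_subnode_value(logfield, "label", fieldname);
        if (withindex) then (
          set_subnode_value(logfield, "index", v.logfieldindex);
          v.logfieldindex++;
        );
        set_subnode_value(logfield, "subindex", 0);
        if (type ne '') then
          set_subnode_value(logfield, "type", type);
        logfield;
      ));

      # Extract the fields one at a time. The separating space is optional so
      # that the last field on the line is consumed even when no trailing space
      # follows it; with a mandatory space that final column was dropped.
      while (matches_regular_expression(fields, '^([^ ]+) ?(.*)$')) (
        string unconverted_fieldname = $1;
        fields = $2;

        # Normalise the header-supplied name to lowercase [a-z0-9_] with no
        # trailing '_'. The name is spliced into node paths such as
        # profiles.<profile>.log.fields.<name>, so this also keeps path
        # separators and other punctuation out of those paths regardless of
        # what the header line contains.
        fieldname = '';
        for (int i = 0; i < length(unconverted_fieldname); i++) (
          string c = lowercase(substr(unconverted_fieldname, i, 1));
          if (!matches_regular_expression(c, '^[a-z0-9]$')) then
            c = '_';
          fieldname .= c;
        );
        while (matches_regular_expression(fieldname, '^(.*)_$'))
          fieldname = $1;

        # Get the log field type
        string log_field_type = '';
        if (fieldname eq 'url') then (
          log_field_type = 'page';
        );
        if (fieldname eq 'referer') then
          log_field_type = 'url';
        if (fieldname eq 'client_ip') then
          log_field_type = 'host';

        # Create the log field
        create_log_field(fieldname, log_field_type, true);

        # If we're creating a profile, create the database fields too.
        if (node_exists("volatile.creating_profile")) then (

          # Handle localtime by creating date_time and derived database fields
          if (fieldname eq "timestamp") then (
            create_log_field('date', '', false);
            create_log_field('time', '', false);
            create_database_field('date_time');
            create_database_field('day_of_week');
            create_database_field('hour_of_day');
            # ("profiles." . internal.profile_name . ".log.parsing_filters.parse_localtime.disabled") = false;
          ); # if localtime

          # Create derived fields for the client IP
          else if (fieldname eq "client_ip") then (
            create_database_field('client_ip');
            create_database_field('location');
          );

          # Create derived fields for the referrer. The header column is
          # "Referer", which normalises to 'referer'; the comparison must use
          # that spelling or these fields are never created.
          else if (fieldname eq "referer") then (
            create_database_field('search_engine');
            create_database_field('search_phrase');
          );

          # Create derived file type field
          else if (fieldname eq "url") then (
            create_database_field('file_type');
          );

          # Don't add a database field for numerical fields; those are declared
          # statically in database.numerical_fields below.
          else if (subnode_exists(numerical_fields, fieldname)) then (
            debug_message("Not adding numerical field: " . fieldname . "\n");
          );

          # Create a normal database field
          else
            create_database_field(fieldname);

        ); # if creating profile

      ); # while another field

      # Don't parse the header line as a data line
      'reject';

    ); # if header line

    # Don't parse any other # lines as data lines
    else if (starts_with(current_log_line(), '#')) then (
      'reject';
    );
  `

  # Extract date and time from the timestamp column, which is written as a
  # dash-separated date, an underscore, then HH:MM:SS.
  log.parsing_filters.parse_timestamp = {
    value = `
      if (matches_regular_expression(timestamp, '^([0-9-]+)_([0-9][0-9]:[0-9][0-9]:[0-9][0-9])')) then (
        date = $1;
        time = $2;
      );
    `
  }

  # Numerical (aggregated) database fields. Columns listed here are skipped by
  # the preprocessor when it creates the non-numerical database fields.
  database.numerical_fields = {
    events = {
      default = true
    }
    bytes_sent = {
      default = false
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    bytes_received = {
      default = true
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    time_taken = {
      default = false
      integer_bits = 64
      display_format_type = duration_milliseconds
    } # time_taken
    server_time = {
      default = false
      integer_bits = 64
      display_format_type = duration_milliseconds
    } # server_time
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # barracuda_waf_access_with_header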