# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# clavister_sg — log-format plugin for Clavister SG firewall syslog output.
# Layout (from what this file declares):
#   info.*                         : device identification shown for the format
#   log.format / log.miscellaneous : detection and parsing mode
#   log.fields                     : every key this format may extract from a line
#   log.parsing_filters.parse      : the only parsing step (parse_only_with_filters is true)
#   database.fields                : the string fields stored per entry
#   log.filters                    : post-parse filters applied to each entry
#   database.numerical_fields      : counters / aggregates
#   create_profile_wizard_options  : report-menu grouping for the profile wizard
# NOTE(review): the consuming application is not named on the page; the syntax
# (nested `name = { ... }` blocks, backtick-quoted filter code) is the Flowerfire
# plugin style — confirm against the product's plugin documentation.
clavister_sg = {
  plugin_version = "2.0"
  # 2012-01-16 - GMF - 1.0 - Initial creation
  # 2012-01-17 - GMF - 2.0 - Added many more fields, and categorized reports.

  # Device this plugin was written against.
  info.1.manufacturer = "Clavister"
  info.1.device = "SG"
  info.1.version.1 = "SG50NFR"
  # Configuration: Version 214 ; CorePlus Version: 9.15.05.05-15153

  # The name of the log format
  log.format.format_label = "Clavister SG"
  # Input must arrive as syslog (the parse filter below reads v.syslog_message).
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # NOTE(review): autodetection keys only on the RULE category, while the parse
  # filter below accepts any uppercase category after "EFW: ". A file whose first
  # ten lines carry only other categories (e.g. connection or auth events) would
  # presumably not be autodetected — confirm whether that is intended.
  log.format.autodetect_regular_expression = "EFW: RULE: "

  # All log field parsing will be done using the parsing filters
  # (no built-in positional/delimited parsing; see log.parsing_filters.parse).
  log.format.parse_only_with_filters = "true"

  # Log fields
  # One entry per key=value name that may appear after the "EFW: <CATEGORY>: "
  # prefix. Values are taken verbatim from the untrusted syslog text by the
  # parse filter; nothing here constrains their content.
  # Only srcip is marked type "host"; destip, client_ip, server_ip and the
  # conn*ip fields are left untyped — TODO confirm whether that asymmetry is
  # deliberate (e.g. only the source address should get host-type handling).
  log.fields = {
    prio = ""
    id = ""
    rev = ""
    event = ""
    action = ""
    rule = ""
    recvif = ""
    srcip.type = "host"
    destip = ""
    ipproto = ""
    # ipdatalen is parsed here but stored only as a numerical field
    # (see database.numerical_fields), not as a database string field.
    ipdatalen = ""
    srcport = ""
    destport = ""
    tcphdrlen = ""
    syn = ""
    conn = ""
    connipproto = ""
    connrecvif = ""
    connsrcip = ""
    connsrcport = ""
    conndestif = ""
    conndestip = ""
    conndestport = ""
    connnewsrcip = ""
    connnewsrcport = ""
    connnewdestip = ""
    connnewdestport = ""
    origsent = ""
    termsent = ""
    connsrcid = ""
    conndestid = ""
    connnewsrcid = ""
    connnewdestid = ""
    client_hw = ""
    client_ip = ""
    udptotlen = ""
    iphdrlen = ""
    type = ""
    maxresp = ""
    groupaddr = ""
    ipaddr = ""
    iface = ""
    protocol = ""
    ack = ""
    fin = ""
    user = ""
    database = ""
    ip = ""
    authsystem = ""
    username = ""
    access_level = ""
    userdb = ""
    server_ip = ""
    server_port = ""
    client_port = ""
    icmptype = ""
    echoid = ""
    echoseq = ""
    shutdown = ""
    reason = ""
    config_system = ""
    corever = ""
    build = ""
    uptime = ""
    cfgfile = ""
    localcfgver = ""
    remotecfgver = ""
    previous_shutdown = ""
    delay = ""
    unreach = ""
    psh = ""
    rst = ""
    satdestrule = ""
    client = ""
    offer_ip = ""
    hwsender = ""
    hwdest = ""
    arp = ""
    srcnet = ""
    destenet = ""
    remotegw = ""
    idle_timeout = ""
    session_timeout = ""
    groups = ""
    authrule = ""
    authagent = ""
    authevent = ""
    callid = ""
    auth = ""
    mppe = ""
    assigned_ip = ""
  } # log.fields

  # Log Parsing Filters
  # The sole parsing step. For each syslog message:
  #   1. require the prefix "EFW: <UPPERCASE CATEGORY>: " and capture the rest
  #      of the line as $1;
  #   2. split $1 on spaces into key=value pairs and collect them into the
  #      fields declared above;
  #   3. accept the entry.
  # Lines without the prefix reach neither collect nor accept, so they are
  # presumably discarded rather than stored as partial entries — verify.
  # NOTE(review): the split uses a space divider and an empty quote character,
  # so a value containing a space would be cut at the space; whether the
  # device ever emits such values (e.g. reason= or cfgfile=) is not shown here.
  # The meaning of the empty first argument to collect_listed_fields and
  # accept_collected_entry, and of the `false` flag, is not established on
  # this page — confirm against the function reference.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, 'EFW: [A-Z]+: (.*)$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
  accept_collected_entry('', false);
);
`

  # Database fields
  # Same key set as log.fields, minus ipdatalen (numerical, see below).
  # srcip is stored without the .type qualifier used in log.fields.
  database.fields = {
    prio = ""
    id = ""
    rev = ""
    event = ""
    action = ""
    rule = ""
    recvif = ""
    srcip = ""
    destip = ""
    ipproto = ""
    srcport = ""
    destport = ""
    tcphdrlen = ""
    syn = ""
    conn = ""
    connipproto = ""
    connrecvif = ""
    connsrcip = ""
    connsrcport = ""
    conndestif = ""
    conndestip = ""
    conndestport = ""
    connnewsrcip = ""
    connnewsrcport = ""
    connnewdestip = ""
    connnewdestport = ""
    origsent = ""
    termsent = ""
    connsrcid = ""
    conndestid = ""
    connnewsrcid = ""
    connnewdestid = ""
    client_hw = ""
    client_ip = ""
    udptotlen = ""
    iphdrlen = ""
    type = ""
    maxresp = ""
    groupaddr = ""
    ipaddr = ""
    iface = ""
    protocol = ""
    ack = ""
    fin = ""
    user = ""
    database = ""
    ip = ""
    authsystem = ""
    username = ""
    access_level = ""
    userdb = ""
    server_ip = ""
    server_port = ""
    client_port = ""
    icmptype = ""
    echoid = ""
    echoseq = ""
    shutdown = ""
    reason = ""
    config_system = ""
    corever = ""
    build = ""
    uptime = ""
    cfgfile = ""
    localcfgver = ""
    remotecfgver = ""
    previous_shutdown = ""
    delay = ""
    unreach = ""
    psh = ""
    rst = ""
    satdestrule = ""
    client = ""
    offer_ip = ""
    hwsender = ""
    hwdest = ""
    arp = ""
    srcnet = ""
    destenet = ""
    remotegw = ""
    idle_timeout = ""
    session_timeout = ""
    groups = ""
    authrule = ""
    authagent = ""
    authevent = ""
    callid = ""
    auth = ""
    mppe = ""
    assigned_ip = ""
  } # database.fields

  # Log Filters
  # Single filter that sets events = 1 on every accepted entry, so the
  # "events" numerical field counts entries. Label and comment come from the
  # admin language file ($lang_admin.*).
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Aggregated numerical fields.
  database.numerical_fields = {
    # Entry counter; populated by the mark_entry filter rather than by a log field.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # Distinct count of source addresses.
    unique_source_ips = {
      log_field = "srcip"
      type = "unique"
    } # unique_source_ips
    # IP payload bytes, summed as a 64-bit integer and displayed as bandwidth.
    # The value is whatever the log line carried in ipdatalen= — no range check here.
    ipdatalen = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # ipdatalen
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    # NOTE(review): prio, event, action and rule are listed in no group below;
    # confirm they are meant to fall into the wizard's default placement.
    report_groups = {
      date_time_group = ""
      # Source side of the packet/connection.
      source_group = {
        srcip = "true"
        srcport = "true"
        srcnet = "true"
      } # source_group
      # Destination side of the packet/connection.
      destination_group = {
        destip = "true"
        destport = "true"
        destenet = "true"
      } # destination_group
      # Server endpoint as reported in service-level events.
      server_group = {
        server_ip = "true"
        server_port = "true"
      } # server_group
      # Client endpoint (address, port, hardware address, client name).
      client_group = {
        client_ip = "true"
        client_port = "true"
        client_hw = "true"
        client = "true"
      } # client_group
      # Connection-tracking fields (conn* keys), including translated
      # addresses/ports (connnew*) and byte counters (origsent/termsent).
      connection_group = {
        conn = "true"
        connipproto = "true"
        connrecvif = "true"
        connsrcip = "true"
        connsrcport = "true"
        conndestif = "true"
        conndestip = "true"
        conndestport = "true"
        connnewsrcip = "true"
        connnewsrcport = "true"
        connnewdestip = "true"
        connnewdestport = "true"
        origsent = "true"
        termsent = "true"
        connsrcid = "true"
        conndestid = "true"
        connnewsrcid = "true"
        connnewdestid = "true"
      } # connection_group
      # Everything else: protocol headers, auth/user data, system lifecycle.
      other_group = {
        id = "true"
        rev = "true"
        recvif = "true"
        tcphdrlen = "true"
        ipproto = "true"
        syn = "true"
        udptotlen = "true"
        iphdrlen = "true"
        type = "true"
        maxresp = "true"
        groupaddr = "true"
        ipaddr = "true"
        iface = "true"
        protocol = "true"
        ack = "true"
        fin = "true"
        user = "true"
        database = "true"
        ip = "true"
        authsystem = "true"
        username = "true"
        access_level = "true"
        userdb = "true"
        icmptype = "true"
        echoid = "true"
        echoseq = "true"
        shutdown = "true"
        reason = "true"
        config_system = "true"
        corever = "true"
        build = "true"
        uptime = "true"
        cfgfile = "true"
        localcfgver = "true"
        remotecfgver = "true"
        previous_shutdown = "true"
        delay = "true"
        unreach = "true"
        psh = "true"
        rst = "true"
        satdestrule = "true"
        offer_ip = "true"
        hwsender = "true"
        hwdest = "true"
        arp = "true"
        remotegw = "true"
        idle_timeout = "true"
        session_timeout = "true"
        groups = "true"
        authrule = "true"
        authagent = "true"
        authevent = "true"
        callid = "true"
        auth = "true"
        mppe = "true"
        assigned_ip = "true"
      } # other_group
    } # report_groups
  } # create_profile_wizard_options
} # clavister_sg