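# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for the SonicWALL Aventail XML report.
# It parses the report line by line with regular expressions (no XML parser)
# and produces two kinds of database entries: per-event rows (zone placement,
# failed device profile, failed/successful authentication) and hourly
# concurrent-user samples.
#
# NOTE(review): this copy of the file has lost every run of text that looked
# like an XML tag (e.g. the element names inside the section-detection regexes
# and in several comments). Where a comment or regex below looks truncated,
# that is the reason; the missing text is not reconstructed here.
aar_report = {
  plugin_version = "1.3"
  # NOTE(review): key is spelled "manfacturer"; Sawmill's key appears to be
  # "manufacturer" -- confirm against another plug-in before renaming.
  info.1.manfacturer = "SonicWALL Aventail"
  info.1.device = "XML Report"
  info.1.version.1 = ""

  # 2012-02-24 - GMF - 1.0 - Initial plug-in creation
  # 2012-04-24 - GMF - 1.1 - Added Zone Placement report
  # 2012-04-25 - GMF - 1.2 - Added Failed Device Profile, Concurrent Users, and Failed user authentications reports.
  # 2012-05-11 - GMF - 1.3 - Added Concurrent Users report

  # The name of the log format
  log.format.format_label = "SonicWALL Aventail XML Report"
  # NOTE(review): log_data_type is assigned twice; presumably the last
  # assignment wins, so only "network_device" takes effect -- keep one.
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_data_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression
  # NOTE(review): '^$' matches only empty lines, which would auto-detect almost
  # any file; the original pattern most likely contained the report's root
  # element and was lost in extraction -- confirm against the source tree.
  log.format.autodetect_regular_expression = '^$'
  # Entries are only created by accept_collected_entry() in the parsing filter.
  log.format.parse_only_with_filters = true

  # Log fields
  log.fields = {
    date = ""
    time = ""
    event_type = ""
    # fields
    long_username = ""
    zone_name = ""
    artifact_name = ""
    device_profile_name = ""
    details = ""
    # fields
    realm_name = ""
    failed_device_profiles = ""
    failed_authentications = ""
    successful_authentications = ""
    concurrent_users = ""
  } # log.fields

  # State carried between lines of the parsing filter.
  log.filter_initialization = `
    string fieldName;
    string fieldValue;
    int usersHourlyTimestamp;
    bool inUsersHourly = false;
  `

  log.parsing_filters.parse = `
    # Chain starter: every real case below is an "else if".
    if (false) then ( );

    # Detect when we're in the section
    # NOTE(review): both patterns below read "^ *" here, i.e. they match every
    # line and are indistinguishable; the opening/closing element names were
    # lost in extraction. As written, the second branch is unreachable.
    else if (matches_regular_expression(current_log_line(), "^ *")) then
      inUsersHourly = true;
    else if (matches_regular_expression(current_log_line(), "^ *")) then
      inUsersHourly = false;

    # Handle lines
    # ISO-style "YYYY-MM-DDThh:mm:ss" timestamp: becomes the epoch base for the
    # hourly concurrent-user counts that follow.
    else if (matches_regular_expression(current_log_line(), '^ *([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])')) then (
      usersHourlyTimestamp = date_time_to_epoc(normalize_date($1, 'auto') . ' ' . $2);
    ); # # get the timestamp of users_hourly

    else if (inUsersHourly and (matches_regular_expression(current_log_line(), '^ *([0-9]+)'))) then (
      # Add this concurrent users event, for this timestamp
      set_collected_field('', 'date', substr(epoc_to_date_time(usersHourlyTimestamp), 0, 11));
      set_collected_field('', 'time', substr(epoc_to_date_time(usersHourlyTimestamp), 12));
      set_collected_field('', 'concurrent_users', $1);
      accept_collected_entry('', false);
      # Go back one hour for the next timestamp
      # (assumes the counts are listed most-recent-first -- TODO confirm)
      usersHourlyTimestamp -= (60*60);
    ); # if users_hourly timestamp

    # Handle
    # Plain "YYYY-MM-DD hh:mm:ss" timestamp of an individual event.
    else if (matches_regular_expression(current_log_line(), '^ *([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
    ); #

    # Handle event opening lines, e.g.
    #
    # An opening element at one-space indent names the event type; the three
    # counted event types also get their numerical field set to 1.
    else if (matches_regular_expression(current_log_line(), '^ <([^/][^>]+)>')) then (
      set_collected_field('', 'event_type', $1);
      if ($1 eq 'failedDeviceProfile') then
        set_collected_field('', 'failed_device_profiles', 1);
      else if ($1 eq 'failedAuthentication') then
        set_collected_field('', 'failed_authentications', 1);
      else if ($1 eq 'successfulAuthentication') then
        set_collected_field('', 'successful_authentications', 1);
    ); # event opening

    # Handle name/value lines like:
    # EquipmentID - ActiveSync - Registered"
    else if (matches_regular_expression(current_log_line(), '^ <([^>]+)>([^<]+)<')) then (
      fieldName = $1;
      fieldValue = $2;
      # Convert names like deviceProfileName to device_profile_name
      # Each pass lowers one capital, so the loop always terminates. A name
      # whose first character is not [a-z_] (e.g. EquipmentID) is left as is.
      while (matches_regular_expression(fieldName, '^([a-z_]+)([A-Z])(.*)$'))
        fieldName = $1 . '_' . lowercase($2) . $3;
      # NOTE(review): the field name comes straight from the report, so any
      # element name in the input becomes a collected-field name. Presumably
      # names not declared in log.fields are ignored -- confirm, or check
      # fieldName against the declared fields before storing.
      set_collected_field('', fieldName, fieldValue);
    ); # if name/value line

    # Accept on end-of-event lines, e.g.
    #
    #else if (matches_regular_expression(current_log_line(), '^ <(failedDeviceProfile)>'))
    # NOTE(review): the regex literal on the next line is cut off, and with it
    # the end of this filter, the close of log.fields' sibling block and the
    # head of database.fields (up to and including its date/time/event_type
    # entries); the lines that follow are the tail of database.fields.
    else if (matches_regular_expression(current_log_line(), '^ 
    # fields
    long_username = ""
    zone_name = ""
    artifact_name = ""
    device_profile_name = ""
    details = ""
  } # database.fields

  # Log Filters
  log.filters = {
  } # log.filters

  database.numerical_fields = {
    failed_device_profiles = {
      default = true
    } # failed_device_profiles
    failed_authentications = {
      default = true
    } # failed_authentications
    successful_authentications = {
      default = true
    } # successful_authentications
    concurrent_users = {
      default = true
      # Hourly samples: a report over a period shows the peak, not the sum.
      aggregation_operator = "max"
    } # concurrent_users
  } # database.numerical_fields

  create_profile_wizard_options = {
    report_groups = {
      date_time_group = ""
      zone_placement = {
        # filter = "http_status within '404'"   (template leftover; http_status is not a field here)
        columns = {
          0.field_name = "zone_name"
          1.field_name = "long_username"
          2.field_name = "successful_authentications"
        }
        sort_by = "successful_authentications"
        subtable = true
      } # zone_placement
      failed_device_profile = {
        filter = "event_type within 'failedDeviceProfile'"
        columns = {
          0.field_name = "long_username"
          1.field_name = "details"
          2.field_name = "failed_device_profiles"
        }
        sort_by = "failed_device_profiles"
        subtable = true
      } # failed_device_profile
      concurrent_users = {
        report_elements = {
          concurrent_users_day = {
            show_header_bar = true
            type = "overview"
            date_filter.df = "recent1day"
            columns = {
              0.field_name = "concurrent_users"
            }
          } # concurrent_users_day
          concurrent_users_week = {
            show_header_bar = true
            type = "overview"
            date_filter.df = "recent1week"
            columns = {
              0.field_name = "concurrent_users"
            }
          } # concurrent_users_week
          concurrent_users_month = {
            show_header_bar = true
            type = "overview"
            date_filter.df = "recent1month"
            columns = {
              0.field_name = "concurrent_users"
            }
          } # concurrent_users_month
        } # report_elements
      } # concurrent_users
      failed_user_authentication = {
        filter = "event_type within 'failedAuthentication'"
        columns = {
          0.field_name = "long_username"
          # Was "failed_authentication": no such field exists; the parsing
          # filter and database.numerical_fields define failed_authentications.
          1.field_name = "failed_authentications"
        }
        sort_by = "failed_authentications"
        subtable = true
      } # failed_user_authentication
    } # report_groups
  } # create_profile_wizard_options
} # aar_report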