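# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plugin for WatchGuard Firebox "Cluster Traffic" logs.
# Only "HTTP Request" records are parsed; every other record type is
# dropped by the parsing filter below (there is no accept for them).

watchguard_firebox_cluster_traffic = {

  plugin_version = "1.0"

  # 2011-11-10 - 1.0 - KBB - Initial creation. Only reports on HTTP Requests.

  info.1.manufacturer = "Watchguard"
  info.1.device = "Firebox (Cluster Traffic)"
  info.1.version.1 = "x550e"

  # The name of the log format
  log.format.format_label = "Watchguard Firebox Cluster Traffic"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first 500 lines (autodetect_lines
  # below) match this regular expression. The expression is anchored only at
  # the end of the line: any line carrying one of the listed key=value markers,
  # the literal "HTTP Request" and a trailing "YYYY-MM-DD HH:MM:SS" timestamp
  # is accepted as this format.
  # Sample line:
  #131966787,,908659236A134,1007,139668090,1,0,6,HTTP-proxy.Usagers-00,http/tcp,192.9.209.209,4820,99.99.199.99,80,0.0.0.0,0,0.0.0.0,0,Trusted,External,525,0,0,,HTTP-Client.Usagers,,,,rcvd_bytes=183,sent_bytes=184,src_user=admin01@Swimmers,op=GET,dstname=runners.skiers.ca,arg=/getSkierID.php?/x26V:1/x26D:CAUCA21092005-256/x26P:DBFDBCBAJCAAFNCFGEEFEEDDDDDDDDCDDD01,tr,HTTP Request,,2011-10-18 00:01:22
  log.format.autodetect_regular_expression = `(,rcvd_bytes=|,sent_bytes=|,src_user=|,dstname=).*HTTP Request,,[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$`
  log.format.autodetect_lines = 500
  # All field extraction is done by log.parsing_filters.parse below.
  log.format.parse_only_with_filters = "true"

  # Use auto format for date and time
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields
  # All of these are filled in by the parsing filter; the source of each is
  # documented there. dst_name and file_path are renamed from the record's
  # "dstname" and "arg" keys.
  log.fields = {
    date = ""
    time = ""
    events = ""
    src_ip = ""
    src_port = ""
    dst_ip = ""
    dst_port = ""
    zone = ""
    side = ""
    rcvd_bytes = ""
    sent_bytes = ""
    src_user = ""
    op = ""
    dst_name = ""
    file_path = ""
  } # log.fields

  # Parsing filter.
  # Captures (see the set_collected_field calls):
  #   $1 src_ip, $2 src_port, $3 dst_ip, $4 dst_port  -- first ip,port pair
  #      of the four consecutive ip,port pairs in the record
  #   $5 zone, $6 side                                -- e.g. Trusted, External
  #   $7 the "rcvd_bytes=...dstname=..." key=value list (requires rcvd_bytes to
  #      appear before dstname; greedy .* takes everything up to the last
  #      ",<field>,HTTP Request," that still lets the timestamp match)
  #   $8 date, $9 time                                -- trailing timestamp
  # $7 is split into fields with collect_listed_fields using ',' between pairs
  # and '=' between key and value. "arg" maps to file_path and "dstname" to
  # dst_name; the remaining keys (rcvd_bytes, sent_bytes, src_user, op)
  # presumably land in the same-named log fields -- confirm against the
  # collect_listed_fields documentation.
  # NOTE: the "arg" value is the client-supplied request path and query string,
  # so file_path is untrusted data. Because the list is split on ',', an
  # argument containing a literal ',' is cut at that comma and the remainder is
  # read as further key=value pairs; reports built on file_path (and on any
  # field that follows "arg" in the record) should be read with that in mind.
  log.parsing_filters.parse = `
# Ignoring other types of events for now. Starting with the eleventh field.
#131966787,,908659236A134,1007,139668090,1,0,6,HTTP-proxy.Usagers-00,http/tcp,192.9.209.209,4820,99.99.199.99,80,0.0.0.0,0,0.0.0.0,0,Trusted,External,525,0,0,,HTTP-Client.Usagers,,,,rcvd_bytes=183,sent_bytes=184,src_user=admin01@Swimmers,op=GET,dstname=runners.skiers.ca,arg=/getSkierID.php?/x26V:1/x26D:CAUCA21092005-256/x26P:DBFDBCBAJCAAFNCFGEEFEEDDDDDDDDCDDD01,tr,HTTP Request,,2011-10-18 00:01:22
if (matches_regular_expression(current_log_line(), ',([0-9.]+),([0-9]+),([0-9.]+),([0-9]+),[0-9.]+,[0-9]+,[0-9.]+,[0-9]+,([^,]+),([^,]+),[^,]*,[^,]*,[^,]*,[^,]*,[^,]*,[^,]*,[^,]*,[^,]*,(rcvd_bytes=.*dstname=.*),[^,]*,HTTP Request,[^,]*,([0-9]{4}-[0-9]{2}-[0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2})')) then (
  set_collected_field('', 'src_ip', $1);
  set_collected_field('', 'src_port', $2);
  set_collected_field('', 'dst_ip', $3);
  set_collected_field('', 'dst_port', $4);
  set_collected_field('', 'zone', $5);
  set_collected_field('', 'side', $6);
  set_collected_field('', 'date', $8);
  set_collected_field('', 'time', $9);
  collect_listed_fields('', $7, ',', '=', 'arg=file_path|dstname=dst_name');
  accept_collected_entry('', false);
);
`

  # Database fields
  # date_time, day_of_week and hour_of_day are derived from the date and time
  # log fields; the rest mirror the log fields of the same name.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    time = ""
    src_ip = ""
    src_port = ""
    dst_ip = ""
    dst_port = ""
    zone = ""
    side = ""
    src_user = ""
    op = ""
    dst_name = ""
    file_path = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every accepted record counts as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = false
      requires_log_field = true
      # Must name a field declared in log.fields above. Was "src", which is
      # not a log field in this plugin; the source address is collected as
      # src_ip.
      log_field = "src_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips
    # Byte counters come from the sent_bytes / rcvd_bytes keys of the record.
    # 64-bit to avoid overflow when summed over a long period.
    sent_bytes = {
      default = false
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # sent_bytes
    rcvd_bytes = {
      default = false
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # rcvd_bytes
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # watchguard_firebox_cluster_traffic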