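# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for McAfee Web Gateway access logs.
# It declares how a log file is recognised (autodetect regular expression),
# how each line is split into log fields (parsing filter), which database
# and numerical fields are built from them, and how the resulting reports
# are grouped and extended (snapons) in the profile wizard.
web_gateway = {

  plugin_version = "1.2"

  # 2012-08-15 - 1.0 - GMF - Initial creation
  # 2012-10-05 - 1.1 - GMF - Categorized reports
  # 2013-09-19 - 1.2 - GMF - Added support for server_ip field (new in log format of version 7.2)

  info.1.manufacturer = "McAfee"
  info.1.device = "Web Gateway"
  info.1.version.1 = "7.1"
  info.1.version.2 = "7.2.0.7.0"

  # The name of the log format
  log.format.format_label = "McAfee Web Gateway"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "proxy_server"

  # The log is in this format if any of the first ten lines match this regular expression.
  # 2013-09-19 - GMF - New versions ( v.7.2.0.7.0 ) include server_ip; older versions don't.
  ##time_stamp "auth_user" src_ip server_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"
  # Only the header prefix up to src_ip is matched, so both the 7.1 layout
  # (without server_ip) and the 7.2 layout (with server_ip) are detected.
  log.format.autodetect_regular_expression = `^#time_stamp "auth_user" src_ip `

  # Log fields
  log.fields = {
    date = ""
    time = ""
    auth_user = ""
    src_ip = {
      type = "host"
    } # src_ip
    # Only populated by the 7.2 layout; stays empty for 7.1 logs.
    server_ip = ""
    status_code = ""
    operation = ""
    url = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url
    protocol = ""
    categories = ""
    rep_level = ""
    media_type = ""
    bytes_to_client = ""
    user_agent = {
      type = "agent"
    } # user_agent
    virus_name = ""
    block_res = ""
  } # log.fields

  # Parsing filter: two line layouts are tried in order.
  #
  # Both expect a line of the form
  #   [dd/Mon/yyyy:hh:mm:ss <text>] "auth_user" src_ip [server_ip] status_code "OP url [proto]" "categories" "rep_level" "media_type" bytes "user_agent" "virus_name" "block_res"
  # where <text> (presumably the UTC offset) is skipped up to the closing "]",
  # and the protocol after the url inside the request line is optional
  # (" ?([^"]*)").
  #
  # The first branch is the 7.1 layout (15 captures, no server_ip); the second
  # is the 7.2 layout (16 captures, server_ip between src_ip and status_code).
  # The two cannot be confused: in the 7.1 branch the token after src_ip must
  # be all digits followed by a quote, which a dotted server_ip does not
  # satisfy; in the 7.2 branch the token after the second host must be all
  # digits, which the quoted request line of a 7.1 record is not.
  #
  # NOTE(review): quoted fields are matched with [^"]*, so a record whose
  # quoted field (e.g. user_agent) itself contains a double quote matches
  # neither branch and is silently skipped - there is no else branch that
  # assigns anything. Worth confirming how the gateway escapes such values.
  log.parsing_filters.parse = `
    if (matches_regular_expression(current_log_line(), '^[[]([0-9]+/[A-Za-z]+/[0-9]+):([0-9:]+) [^]]+[]] "([^"]*)" ([^ ]+) ([0-9]+) "([A-Z]+) ([^ ]+) ?([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)" ([0-9]+) "([^"]*)" "([^"]*)" "([^"]*)"')) then (
      date = $1;
      time = $2;
      auth_user = $3;
      src_ip = $4;
      status_code = $5;
      operation = $6;
      url = $7;
      protocol = $8;
      categories = $9;
      rep_level = $10;
      media_type = $11;
      bytes_to_client = $12;
      user_agent = $13;
      virus_name = $14;
      block_res = $15;
    );
    else if (matches_regular_expression(current_log_line(), '^[[]([0-9]+/[A-Za-z]+/[0-9]+):([0-9:]+) [^]]+[]] "([^"]*)" ([^ ]+) ([^ ]+) ([0-9]+) "([A-Z]+) ([^ ]+) ?([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)" ([0-9]+) "([^"]*)" "([^"]*)" "([^"]*)"')) then (
      date = $1;
      time = $2;
      auth_user = $3;
      src_ip = $4;
      server_ip = $5;
      status_code = $6;
      operation = $7;
      url = $8;
      protocol = $9;
      categories = $10;
      rep_level = $11;
      media_type = $12;
      bytes_to_client = $13;
      user_agent = $14;
      virus_name = $15;
      block_res = $16;
    );
  `

  # Database fields
  # location, file_type, worm, web_browser and operating_system have no
  # corresponding log field here; they are derived by Sawmill from src_ip,
  # url and user_agent respectively (standard derived fields - not declared
  # in this file).
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    auth_user = ""
    src_ip = ""
    location = ""
    server_ip = ""
    status_code = ""
    operation = ""
    url = {
      suppress_top = 1
      suppress_bottom = 3
    } # url
    file_type = ""
    worm = ""
    protocol = ""
    categories = ""
    rep_level = ""
    media_type = ""
    web_browser = ""
    operating_system = ""
    virus_name = ""
    block_res = ""
  } # database.fields

  # Log Filters
  log.filters = {

    # Truncates the url at the first '?' and appends '(parameters)', so query
    # strings are never stored in the database.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    # A fixed list of static-content file types counts as a hit but not as a
    # page view; everything else is a page view.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    # Collapses the url to "scheme://host/(omitted)".
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url

    # For non-page views keeps only the directory part of the url plus
    # '(nonpage)'.
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views

    # A '-' auth_user is rewritten to a readable placeholder.
    not_authenticated = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "$lang_admin.log_filters.not_authenticated_comment"
      value = "if (auth_user eq '-') then auth_user = '(not authenticated)';"
    } # not_authenticated

    # Every parsed line counts as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  # Sessions are keyed by src_ip (not auth_user), so one NAT'd address is
  # one visitor.
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "src_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views
    unique_source_ips = {
      requires_log_field = true
      log_field = "src_ip"
      type = "unique"
    } # unique_source_ips
    # 64-bit so large transfer totals do not wrap.
    bytes_to_client = {
      requires_log_field = true
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_to_client
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        url = true
        file_type = true
        media_type = true
      } # content_group
      source_group = {
        src_ip = true
        auth_user = true
        location = true
      } # source_group
      visitor_systems_group = {
        web_browser = true
        operating_system = true
      } # visitor_systems_group
      # Gateway verdict fields (block_res, virus_name, categories, rep_level)
      # live here together with the remaining protocol-level fields.
      other_group = {
        block_res = true
        virus_name = true
        status_code = true
        operation = true
        worm = true
        protocol = true
        categories = true
        rep_level = true
      } # other_group
    } # report_groups

    snapons = {

      # Attach a top_level_domain snapon
      top_level_domain = {
        snapon = "top_level_domain"
        name = "top_level_domain"
        label = "$lang_admin.snapons.top_level_domain.label"
        parameters = {
          url_field.parameter_value = "url"
          field_name = {
            parameter_value = "$lang_admin.field_labels.top_level_domain"
            final_node_name = "top_level_domain"
          }
        } # parameters
      } # top_level_domain

      # Attach a gateway_reports snapon
      # The "user" of these reports is src_ip, not auth_user (the alternative
      # is left commented out below); host comes from the top_level_domain
      # snapon above, and only bytes_to_client is reported as bytes.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          # user_field.parameter_value = "auth_user"
          user_field.parameter_value = "src_ip"
          have_client_ip.parameter_value = false
          # client_ip_field.parameter_value = "src_ip"
          have_category_field.parameter_value = true
          category_field.parameter_value = "categories"
          host_field.parameter_value = "top_level_domain"
          # have_additional_field.parameter_value = true
          # additional_field.parameter_value = "virtual_ip"
          page_views_field.parameter_value = "page_views"
          have_bytes_in_field.parameter_value = true
          bytes_in_field.parameter_value = "bytes_to_client"
          have_bytes_out_field.parameter_value = false
          # bytes_out_field.parameter_value = "bytes_out"
          have_duration_field.parameter_value = false
          # duration_field.parameter_value = "tunnel_duration"
          sort_by_field.parameter_value = "page_views"
        } # parameters
      } # gateway_reports

      # 2013-02-06 - GMF - Now added in gateway_reports
      # # Add the standard reports
      # add_standard_reports = {
      #   name = "add_standard_reports"
      #   label = "add_standard_reports"
      #   snapon = "add_standard_reports"
      # } # add_standard_reports

    } # snapons

  } # create_profile_wizard_options

} # web_gateway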