# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for Aventail / SonicWall "Web Access" SSL VPN access logs.
# It declares how a log line is recognised (autodetect), how its fields are
# extracted (the parsing filter), which derived fields are computed per entry
# (log filters), and how the result is stored and grouped in reports.
# The original file was collapsed onto a handful of lines; it is re-flowed here
# with one statement per line. No keys or values were changed.
aventail_web_access = {
  plugin_version = "1.6"
  # NOTE(review): the key is spelled `manfacturer` (sic). Left untouched because the
  # plugin loader may read this exact name — confirm before correcting the spelling.
  info.1.manfacturer = "Aventail"
  info.1.device = "Web Access SSL VPN [AAR plug-in 1.6]"
  info.1.version = ""
  info.2.manfacturer = "SonicWall"
  info.2.device = "Web Access SSL VPN [AAR plug-in 1.6]"
  info.2.version = "9.0"

  # Change history (kept in the order it was originally written).
  # 2007-02-12 - 1.1beta - KBB - added syslog support and stripping of layered syslogs
  # 2006-09-20 - 1.0beta - KBB - updated syntax, eliminated rewrite of user names, added sessions,
  # added method and type reports, added new server responses and moved them to lang_stats.cfg,
  # improved efficiency of replacing server response codes with text
  # version: 0.1 last modified: dmcculloch 1/6/2005
  # 2007-09-11 - 1.1 - KBB - renumbered per new beta policy
  # 2009-10-26 - 1.2 - KBB - Added support for an extra field at the end, (ignored for now).
  # (It appears that the autodetect_expression would have supported it, but not the parsing.)
  # 2009-11-04 - 1.3 - KBB - Backed out syslog support, which will be continued in
  # aventail_web_access_syslog_required.cfg.
  # 2011-01-17 - 1.4 - GMF - Integrated changes from version 1.0.1av: splitting of username from full LDAP user
  # 2011-11-16 - 1.4.1 - GMF - Stripped parentheses from full_ldap_user, so parenthesized users appear in reports.
  # 2011-11-29 - GMF - 1.5 - As requested by SonicWALL in ThreadID:1214836, remove the splitting of username, and just reporting the whole third field as authenticated_username (and removing full_ldap_user field entirely).
  # 2012-01-09 - GMF - 1.6 - Fixed issue with detection of realms, which were looking for parentheses where there are now square brackets.

  # The name of the log format
  log.format.format_label = "Aventail Web Access Log Format [AAR plug-in 1.6]"
  log.miscellaneous.log_data_type = "http_access"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Two sample lines (the second carries the trailing "-" field added in 1.2):
  #222.222.222.222 - (split)@(Local) [06/Feb/2007:11:19:36 +0700] "GET http://127.0.0.1:8085/workplace/assets/aventail/progMid_fill.gif HTTP/1.1" 200 852
  #166.66.6.6 - - [19/Oct/2009:20:43:31 +0000] "GET /claire_fontaine HTTP/1.1" 200 2102 "-"
  # The expression is not anchored at either end, so a trailing field after the size
  # (the "-" above) does not prevent detection.
  log.format.autodetect_regular_expression = '\\[../.../....:..:..:...*\\] "[A-Z]* [^ ]* HTTP[^"]*" [0-9]* [-0-9]*'

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log.
  # Note that no UTC offset is part of the format: the parsing filter below captures the
  # timestamp only up to the seconds and discards the "+0700"/"+0000" offset that follows
  # it in the raw line. Timestamps are therefore stored as written, without offset
  # normalisation — keep this in mind when correlating with other time sources.
  log.format.date_format = "dd/mmm/yyyy:hh:mm:ss"
  log.format.time_format = "dd/mmm/yyyy:hh:mm:ss"

  # Log fields — one per capture group of the parsing regular expression, plus the
  # derived fields (realm, group, type) that the log filters fill in.
  log.fields = {
    # First token of the line; in the samples above this is the client IP address.
    hostname.type = "host"
    server_domain = ""
    # Whole third field of the line (parentheses rewritten to square brackets, see parse).
    authenticated_user = ""
    # 2011-11-29 - GMF - 1.5 - As requested by SonicWALL in ThreadID:1214836, remove the splitting of username, and just reporting the whole third field as authenticated_username (and removing full_ldap_user field entirely).
    # full_ldap_user = ""
    date_time = ""
    method = ""
    page.type = "page"
    protocol = ""
    server_response = ""
    size = ""
    # Derived by the realm_no_user / default_realm filters.
    realm = ""
    # Derived by the populate_group filter.
    group = ""
    # Derived by the set_type filter.
    type = ""
  } # log.fields

  # Database fields — what is actually stored and reportable.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    method = ""
    #protocol = ""
    page = {
      suppress_bottom = 9
      display_format_type = "page"
    } # page
    file_type = ""
    worm = ""
    hostname = ""
    domain_description = ""
    location = {
      suppress_bottom = 3
    } # location
    authenticated_user = ""
    # 2011-11-29 - GMF - 1.5 - As requested by SonicWALL in ThreadID:1214836, remove the splitting of username, and just reporting the whole third field as authenticated_username (and removing full_ldap_user field entirely).
    # full_ldap_user = ""
    server_response = ""
    realm = ""
    group = ""
    type = ""
  } # database.fields

  # Log Parsing Filters.
  # Capture groups: $1 client host, $2 server domain, $3 user info (greedy `(.*)`, so it
  # may contain spaces — see the LDAP example in the comments below), $4 timestamp up to
  # the seconds, $5 method, $6 page, $7 protocol, $8 server response, $9 size.
  # `[^]]*` after the timestamp swallows the UTC offset; the unanchored tail tolerates
  # the extra trailing field introduced in 1.2.
  # Only a matching line is accepted (accept_collected_entry is inside the `if`); a line
  # that does not match the expression is not collected at all, so an unexpected format
  # change shows up as missing data rather than as a parse error.
  log.parsing_filters.parse = `
#122.22.2.2 - - [19/Oct/2009:19:37:55 +0000] "GET / HTTP/1.1" 302 344 "-"
#122.22.2.2 - - [19/Oct/2009:19:37:55 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-"
if (matches_regular_expression(current_log_line(), '([^ ]+) ([^ ]+) (.*) \\\\[(../.../....:..:..:..)[^]]*\\\\] "([A-Z]+) ([^ ]+) ([A-Z]+[^"]*)" ([0-9]*) ([-0-9]*)')) then (
  set_collected_field('', 'hostname', $1);
  set_collected_field('', 'server_domain', $2);
  # set_collected_field('', 'authenticated_user', $3);
  v.user_info = $3;
  set_collected_field('', 'date_time', $4);
  set_collected_field('', 'method', $5);
  set_collected_field('', 'page', $6);
  set_collected_field('', 'protocol', $7);
  set_collected_field('', 'server_response', $8);
  set_collected_field('', 'size', $9);
  # 2011-11-29 - GMF - 1.5 - As requested by SonicWALL in ThreadID:1214836, remove the splitting of username, and just reporting the whole third field as authenticated_username
  #
  # Split out username from full LDAP user, in a line like this:
  #
  # 121.121.139.204 - (demo)@(Vanilla) (CN=demo,CN=Users,DC=internal,DC=yoursslvpn,DC=com) [18/Mar/2009:07:15:34-0700] "POST /__extraweb__authen HTTP/1.1" 302 252 "-"
  # if (matches_regular_expression(v.user_info, '^([(].*[)]) ([(].*[)])$')) then (
  #   set_collected_field('', 'authenticated_user', $1);
  #   set_collected_field('', 'full_ldap_user', $2);
  # );
  # else
  #   set_collected_field('', 'full_ldap_user', v.user_info);
  # Rewrite "(user)@(realm)" to "[user]@[realm]". Presumably because a value starting
  # with "(" is not shown in the users report (see the retired strip_parens_* filters
  # below); the realm_no_user filter relies on the resulting "]@[" separator.
  if (contains(v.user_info, "(")) then v.user_info = replace_all(v.user_info, "(", "[");
  if (contains(v.user_info, ")")) then v.user_info = replace_all(v.user_info, ")", "]");
  set_collected_field('', 'authenticated_user', v.user_info);
  accept_collected_entry('', false);
);
`

  # Log Filters — per-entry post-processing. They are listed in the order they are
  # meant to apply: the realm is extracted from the user string before the user value
  # is rewritten by the not_authenticated filters (confirm ordering semantics against
  # the consuming application if this is reordered).
  log.filters = {
    # Realm is the text between "]@[" and the closing "]": the +3 skips the separator,
    # the -4 drops the separator plus the trailing bracket.
    realm_no_user = {
      label = "get realm from user string"
      comment = "get realm from user string"
      value = "if contains(authenticated_user,']@[') then realm = substr(authenticated_user, index(authenticated_user,']@[')+3, length(authenticated_user)-index(authenticated_user,']@[')-4);"
    } # realm_no_user

    # Retired filters, kept for reference. Since 1.5 the whole third field is reported
    # as authenticated_user, so the realm is no longer stripped from it.
    # strip_realm_from_user = {
    #   label = "authenticated user"
    #   comment = "authenticated user"
    #   value = "if contains(authenticated_user,']@[') then authenticated_user = substr(authenticated_user, 1, index(authenticated_user,']@[')-1);"
    # } # strip_realm_from_user
    # strip_parens_from_user = {
    #   label = "strip parens from user"
    #   comment = "can't see user name in authenticated users report if starts with ("
    #   value = "if starts_with(authenticated_user,'[') then authenticated_user = substr(authenticated_user, 1, length(authenticated_user)-2);"
    # } # strip_parens_from_user
    # 2011-11-29 - GMF - 1.5 - As requested by SonicWALL in ThreadID:1214836, remove the splitting of username, and just reporting the whole third field as authenticated_username (and removing full_ldap_user field entirely).
    # strip_parens_from_ldap_user = {
    #   label = "strip parens from LDAP user"
    #   comment = "can't see user name in LDAP users report if starts with ("
    #   value = "if starts_with(full_ldap_user,'(') then full_ldap_user = substr(full_ldap_user, 1, length(full_ldap_user)-2);"
    # } # strip_parens_from_ldap_user

    # A raw "-" in the user field (see the second sample line) means no authenticated
    # user; it is replaced by the "(not authenticated)" marker.
    not_authenticated = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "$lang_admin.log_filters.not_authenticated_comment"
      value = "if (authenticated_user eq '-') then authenticated_user = '(not authenticated)';"
    } # not_authenticated (moved to after stripping () from (user name) ... this shouldn't appear in auth_users report)

    # Same marker for a literal "empty" user value (origin of that value not shown here).
    not_authenticated_2 = {
      label = "not authenticated 2"
      comment = "mark 'empty' user as '(not authenticated)'"
      value = "if (authenticated_user eq 'empty') then authenticated_user = '(not authenticated)';"
    } # not_authenticated_2

    # An authenticated user whose string carried no "]@[" realm gets the default realm.
    # "(empty)" appears to be the marker for a field with no value — confirm.
    default_realm = {
      label = "mark default realm"
      comment = "mark default realm"
      value = "if ((realm eq '(empty)') and (authenticated_user ne '(not authenticated)')) then realm = 'default realm';"
    } # default_realm

    # Hook for site-specific user grouping; as shipped every entry goes to 'Default'.
    populate_group = {
      label = "populate group"
      comment = "This filter can be changed in order to group users"
      value = "group = 'Default';"
    } # populate_group

    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else page = '(worm)';"
    } # set_page_for_worm

    # Everything from "?" onward is replaced by "(parameters)", so query-string contents
    # never reach the page report.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(page, '?')) then page = substr(page, 0, index(page, '?') + 1) . '(parameters)';"
    } # remove_query

    # Static assets (images, stylesheets, scripts, flash) do not count as page views.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    # Non-page hits are collapsed to their directory plus "(nonpage)".
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then page = substr(page, 0, last_index(page, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;'
    } # mark_entry

    # Appends the human-readable text for the status code, e.g. "200 (OK)". The code
    # taken from the log line is used directly as a node name under
    # lang_stats.log_formats.http_server_responses; what the lookup yields for a code
    # that has no entry there is not visible in this file — confirm. The earlier
    # regexp-table implementation is kept commented (replaced for efficiency, see 1.0beta).
    server_responses = {
      #value = "node rule;foreach rule 'rewrite_rules.server_responses' (if (matches_regular_expression(server_response, node_value(subnode_by_name(rule, 'regexp')))) then (server_response = server_response . ' (' . expand(node_value(subnode_by_name(rule, 'result'))) . ')'; last; ); );"
      value = "server_response = server_response . ' (' . node_value(subnode_by_name('lang_stats.log_formats.http_server_responses', server_response)) . ')';"
      disabled = "false"
      label = "Server Responses"
      comment = "This rewrites the server responses in plain text"
    } # server_responses

    ## clean_users = {
    ##   value = `
    ##     node rule;
    ##     if (node_exists('rewrite_rules.user_lookup')) then (
    ##       foreach rule 'rewrite_rules.user_lookup' (if (contains(authenticated_user, '='.node_value(subnode_by_name(rule, 'regexp')).',')) then (authenticated_user = expand(node_value(subnode_by_name(rule, 'result'))); last; ); );
    ##     );
    ##   `
    ##   disabled = "false"
    ##   label = "LDAP to user name"
    ##   comment = "This rewrites the user_name field to the user's name, if in ldap format (contains '=extranet_id,' )"
    ## } # clean_users

    # Classifies each hit by URL path substring, then by the CONNECT method; the first
    # matching branch wins and anything else is labelled "Translation".
    set_type = {
      label = "Set type based on page or method"
      comment = ""
      disabled = "false"
      value = `
        if (contains(page, '/workplace/')) then (
          type = "WorkPlace";
        );
        else if (contains(page, '/preauth/') or contains(page, 'EPCmicro')) then (
          type = "EPC - Pre-authentication";
        );
        else if (contains(page, '/postauth/')) then (
          type = "EPC - Post authentication";
        );
        else if (contains(page, '/__api__/')) then (
          type = "Logon API Usage";
        );
        else if (method eq 'CONNECT') then (
          type = "OD Proxy / Connect Mobile";
        );
        else (
          type = "Translation";
        );
      `
    }
  } # log.filters

  # Sessions are keyed on the (rewritten) authenticated_user, with page_views as the
  # per-hit event counter.
  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "authenticated_user"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    hits = {
      default = true
    } # hits
    page_views = {
      default = true
      requires_log_field = false
    } # page_views
    # "visitors" counts distinct hostname values, i.e. distinct client addresses.
    visitors = {
      default = true
      requires_log_field = true
      log_field = "hostname"
      type = "unique"
    } # visitors
    size = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    } # size
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        page = true
        file_type = true
      }
      visitor_demographics_group = {
        hostname = true
        domain_description = true
        location = true
      }
      users_group = {
        authenticated_user = true
        # 2011-11-29 - GMF - 1.5 - As requested by SonicWALL in ThreadID:1214836, remove the splitting of username, and just reporting the whole third field as authenticated_username (and removing full_ldap_user field entirely).
        # full_ldap_user = true
        realm = true
        group = true
      }
      server_response = true
      method = true
      worm = true
      #protocol = true
      type = true
    } # report_groups
  } # create_profile_wizard_options
} # aventail_web_access