# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Check Point Firewall-1 events that were
# exported by fw1-loggrabber and delivered over syslog. The syslog message
# body is a '|'-separated list of key=value pairs beginning with "loc="
# (see the sample line under the autodetect expression below); all field
# extraction happens in the parsing filter, not in the autodetect regex.
firewall1_loggrabber_syslog = {

  plugin_version = "1.1"

  info.1.manufacturer = "Checkpoint"
  info.1.device = "Firewall-1 (loggrabber with syslog)"
  info.1.version.1 = ""

  # 2012-10-18 - Benson - 1.0 - Initial implementation
  # 2012-11-02 - Benson - 1.1 - Modify detect expression to be compatible with non-syslog log format

  # The name of the log format
  log.format.format_label = "Firewall-1 (fw1-loggrabber with syslog) Log Format"

  # The parsing filter below reads v.syslog_message, so the syslog envelope
  # must be present and already split off before this plugin sees the line.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # Oct 18 19:00:00 sawmill8-x64 fw1-loggrabber[13654]: loc=185520|time=2012-10-19 03:00:01|action=accept|orig=192.168.1.253|i/f_dir=inbound|i/f_name=eth1|has_accounting=0|uuid=<508051b1,00000011,fd01a8c0,0001ffff>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={00000064-0074-0046-BB4E-A2D85B00D86A};mgmt=cpmodule;date=1350584021;policy_name=Standard]|src=112.115.96.199|s_port=42406|dst=220.128.131.228|service=38915|proto=udp|rule=3
  #
  # The expression is not anchored at the start of the line and only checks
  # the "loc=|time=|action=" prefix of the record; presumably this is what
  # lets it also match the same records without a syslog header (the 1.1
  # change noted above).
  log.format.autodetect_regular_expression = "loc=[0-9]+[|]time=[0-9-]+ [0-9:]+[|]action=[a-z]+"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  #
  # Field names here are either the raw key from the log line (action, orig,
  # product, service, rule, ...) or the renamed target from the key map in
  # the parsing filter (direction, interface, tag, source_ip, ...). The keys
  # left commented out (loc, account, uuid) are present in the log line but
  # are not declared as log fields.
  log.fields = {
    #loc = ""
    action = ""
    orig = ""
    direction = ""
    interface = ""
    #account = ""
    #uuid = ""
    product = ""
    # Raw __policy_id_tag value; the parsing filter splits its bracketed part
    # into db_tag, mgmt, policy_version and policy_name. Not kept in the database.
    tag = ""
    db_tag = ""
    mgmt = ""
    # Filled from the "date=" epoch inside the policy tag, converted to a date/time.
    policy_version = ""
    policy_name = ""
    # Host-typed; presumably this is what feeds the "location" database field
    # declared below -- confirm against the Sawmill field-type docs.
    source_ip.type = "host"
    source_port = ""
    destination_ip = ""
    service = ""
    protocol = ""
    rule = ""
  } # log.fields

  # Database fields: same set as the log fields minus the intermediate "tag",
  # plus "location" (no matching log field; derived from source_ip).
  database.fields = {
    #loc = ""
    action = ""
    orig = ""
    direction = ""
    interface = ""
    #uuid = ""
    product = ""
    #tag = ""
    db_tag = ""
    mgmt = ""
    policy_version = ""
    policy_name = ""
    source_ip = ""
    source_port = ""
    location = ""
    destination_ip = ""
    service = ""
    protocol = ""
    rule = ""
  } # database.fields

  # Log Parsing Filters
  #
  # Steps:
  #   1. Take everything from the first "loc=" to the end of the syslog
  #      message and split it into key=value pairs on '|' and '=', renaming
  #      the keys listed in the map (time -> msg_date, i/f_dir -> direction,
  #      src -> source_ip, ...).
  #   2. Split msg_date ("YYYY-MM-DD HH:MM:SS") into the date and time fields.
  #   3. If the tag looks like "product=...[...]", split the bracketed part
  #      on ';' and '=' (db_tag, mgmt, policy_name, and date -> policy_version),
  #      then convert the policy_version epoch with epoc_to_date_time.
  #   4. Accept the collected entry.
  #
  # NOTE(review): the __policy_id_tag value itself contains '=' and is still
  # collected whole, so collect_listed_fields presumably splits each pair on
  # the first '=' only. Nothing here guards against a '|' appearing inside a
  # value, which would shift every following pair; how fw1-loggrabber escapes
  # such characters is not shown in this file -- confirm before relying on
  # the split for untrusted field values.
  log.parsing_filters.parse = `
    if (matches_regular_expression(v.syslog_message, '(loc=.*$)')) then (
      collect_listed_fields('', $1, '|', '=', 'time=msg_date|i/f_dir=direction|i/f_name=interface|has_accounting=account|__policy_id_tag=tag|src=source_ip|s_port=source_port|dst=destination_ip|proto=protocol');
      if (matches_regular_expression(get_collected_field('', 'msg_date'), '^([0-9-]+) ([0-9:]+)')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
      );
      if (matches_regular_expression(get_collected_field('', 'tag'), 'product=[^[]+\\[(.*)\\]$')) then (
        collect_listed_fields('', $1, ';', '=', 'date=policy_version');
        v.policy_epoc = get_collected_field('', 'policy_version');
        set_collected_field('', 'policy_version', epoc_to_date_time(v.policy_epoc));
      );
      accept_collected_entry('', false);
    );
  `

  # Log Filters
  #
  # mark_entry counts one access per parsed record; it is the source of the
  # "accesses" numerical field below (requires_log_field = false there).
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    accesses = {
      default = true
      requires_log_field = false
      entries_field = true
    } # accesses
    # Kept for reference only. It has requires_log_field = true, so it can
    # only be re-enabled together with the "account" entry in log.fields.
    #account = {
    #  default = true
    #  requires_log_field = true
    #  type = "int"
    #  integer_bits = 64
    #  display_format_type = "integer"
    #} # account
    # Distinct-count of source_ip; off by default.
    unique_source_ips = {
      default = false
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips
  } # database.numerical_fields

  create_profile_wizard_options = {
    # Runs when a new profile is created from this plugin: adds the standard
    # reports and marks source_ip as a host field in the new profile.
    final_step = `
      include "templates.admin.profiles.setup_reports_util";
      string profile = "profiles." . volatile.new_profile_name;
      # Start with the standard reports based on remaining DB fields
      add_standard_reports(profile);
      (profile . '.log.fields.source_ip.type') = 'host';
    `
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # firewall1_loggrabber_syslog