# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. instagate = { plugin_version = "1.1.1" # 2010-10-01 - 1.1.2 - MSG - Edited info lines. info.1.manufacturer = "eSoft " info.1.device = "Instagate Firewall/VPN" info.1.version.1 = "EX2" info.1.version.2 = "PRO" info.1.version.3 = "xSPl" # - - 1.0 - Initial creation # 2008-07-10 - KBB - 1.1 - Fixed bug in second category filter. Relaxed autodection to support # the secureaccess.log format which allows no scheme before the page and has no fields after size. # The fields after size are only in access.log, per # http://www.esoft.com/service/UserGuides/InstaGate/InstaGate_User_Guide.pdf # (This will now detect common access files, but I don't see a way around that.) # Changed label to include "Access / Secure Access", since InstaGate has other log formats. # 2008-11-28 -GMF - 1.1.1 - Added $ to end of regexp so it doesn't detect Apache Combined. Apache Combined is too common a # format for this to be triggered by it. If there can be fields after size, we can add # additional detection expressions to look for the specific fields which can occur; but in # the example shown below, there are no fields after size. # The name of the log format log.format.format_label = "Instagate Access / Secure Access Log Format" log.miscellaneous.log_data_type = "firewall" log.miscellaneous.log_format_type = "firewall" # The log is in this format if any of the first ten lines match this regular expression #192.168.11.11 - admin [28/Jun/2006:11:37:28 -0400] "GET /eat.php?fruit=gooseberry HTTP/1.1" 200 380 #log.format.autodetect_regular_expression = "^[^ ]+ [^ ]+ [^ ]+ \\[../.../....:..:..:.. [+-][0-9][0-9][0-9][0-9]\\] \\\"[A-Z]* [^:]*://[^ ]* [^\"]+\\\" [-0-9]+ [-0-9]+ [^:]+:[^ ]+ [^ ]+ [^ ]+$" log.format.autodetect_regular_expression = '^[^ ]+ [^ ]+ [^ ]+ \\[../.../....:..:..:.. [+-][0-9][0-9][0-9][0-9]\\] "[A-Z]* [^ ]* [^"]+" [-0-9]+ [-0-9]+$' # Treat fields surrounded by square brackets (e.g. the date/time field) as a single quoted field. log.format.treat_brackets_as_quotes = "true" log.format.common_log_format = "true" # The format of dates and times in this log log.format.date_format = "dd/mmm/yyyy:hh:mm:ss" log.format.time_format = "dd/mmm/yyyy:hh:mm:ss" # Log fields log.fields = { browsing_host = { label = "$lang_stats.field_labels.browsing_host" type = "host" index = 1 subindex = 0 hierarchy_dividers = "." left_to_right = false leading_divider = "false" } # browsing_host authenticated_user = { label = "$lang_stats.field_labels.authenticated_user" type = "flat" index = 2 subindex = 0 } # authenticated_user date_time = { label = "$lang_stats.field_labels.date_time" type = "date_time" index = 4 subindex = 1 hierarchy_dividers = "" left_to_right = false leading_divider = "false" } # date_time operation = { label = "$lang_stats.field_labels.operation" type = "flat" index = 5 subindex = 1 } # operation url = { label = "$lang_stats.field_labels.url" type = "page" index = 5 subindex = 2 hierarchy_dividers = "/?" left_to_right = true leading_divider = "true" } # url protocol = { label = "$lang_stats.field_labels.protocol" type = "flat" index = 5 subindex = 3 } # protocol server_response = { label = "$lang_stats.field_labels.server_response" type = "response" index = 6 subindex = 0 hierarchy_dividers = "" left_to_right = false leading_divider = "false" } # server_response size = { label = "$lang_stats.field_labels.size" type = "size" index = 7 subindex = 0 hierarchy_dividers = "" left_to_right = false leading_divider = "false" } # size cache_response = { label = "$lang_stats.field_labels.cache_response" type = "flat" index = 8 subindex = 0 } # cache_response result = { label = "$lang_stats.field_labels.result" type = "flat" index = 9 subindex = 0 } # result category = { label = "$lang_stats.field_labels.category" type = "flat" index = 10 subindex = 0 } # category cat2 = { label = "$lang_stats.field_labels.cat2" type = "flat" index = 11 subindex = 0 } # cat2 cat3 = { label = "$lang_stats.field_labels.cat3" type = "flat" index = 12 subindex = 0 } # cat3 } # log.fields # Database fields database.fields = { date_time = { label = "$lang_stats.field_labels.date_time" log_field = "date_time" type = "string" suppress_top = 0 suppress_bottom = 3 display_format_type = "date_time" } # date_time day_of_week = { label = "$lang_stats.field_labels.day_of_week" log_field = "day_of_week" type = "string" suppress_top = 0 suppress_bottom = 2 display_format_type = "day_of_week" } # day_of_week hour_of_day = { label = "$lang_stats.field_labels.hour_of_day" log_field = "hour_of_day" type = "string" suppress_top = 0 suppress_bottom = 2 display_format_type = "hour_of_day" } # hour_of_day browsing_host = { label = "$lang_stats.field_labels.browsing_host" log_field = "browsing_host" type = "string" suppress_top = 0 suppress_bottom = 2 } # browsing_host url = { label = "$lang_stats.field_labels.url" log_field = "url" type = "string" suppress_top = 1 suppress_bottom = 3 } # url file_type = { label = "$lang_stats.field_labels.file_type" log_field = "file_type" type = "string" suppress_top = 0 suppress_bottom = 2 } # file_type worm = { label = "$lang_stats.field_labels.worm" log_field = "worm" type = "string" suppress_top = 0 suppress_bottom = 2 } # worm authenticated_user = { label = "$lang_stats.field_labels.authenticated_user" log_field = "authenticated_user" type = "string" suppress_top = 0 suppress_bottom = 2 } # authenticated_user protocol = { label = "$lang_stats.field_labels.protocol" log_field = "protocol" type = "string" suppress_top = 0 suppress_bottom = 2 } # protocol server_response = { label = "$lang_stats.field_labels.server_response" log_field = "server_response" type = "string" suppress_top = 0 suppress_bottom = 2 } # server_response cache_response = { label = "$lang_stats.field_labels.cache_response" log_field = "cache_response" type = "string" suppress_top = 0 suppress_bottom = 2 } # cache_response result = { label = "$lang_stats.field_labels.result" log_field = "result" type = "string" suppress_top = 0 suppress_bottom = 2 } # result category = { label = "$lang_stats.field_labels.category" log_field = "category" type = "string" suppress_top = 0 suppress_bottom = 2 } # category } # database.fields # Log Filters log.filters = { # DO NOT REMOVE THESE OR THE CATEGORY FIELD WILL ONLY SHOW THE FIRST WORD # Combine fields 10, 11 and 12 (they are the same field but separated by a space # so Sawmill treats them a separate fields) and remove (empty) and set empty fields as (empty) 0 = "category = '' . category . ' ' . cat2; category = '' . category . ' ' . cat3;" 1 = { label = "1" comment = "" value = "category = replace_all(category, '(empty)', '');" } # 1 2 = { label = "2" comment = "" value = "if (matches_regular_expression(category, '^[ ]*$')) then category = '(empty)';" } # 2 remove_query = { label = "$lang_admin.log_filters.remove_query_label" comment = "$lang_admin.log_filters.remove_query_comment" value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';" } # remove_query detect_page_views = { label = '$lang_admin.log_filters.detect_page_views_label' comment = '$lang_admin.log_filters.detect_page_views_comment' value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;" } # detect_page_views simplify_url = { label = "$lang_admin.log_filters.simplify_url_label" comment = "$lang_admin.log_filters.simplify_url_comment" value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'" } # simplify_url strip_non_page_views = { label = '$lang_admin.log_filters.strip_non_page_views_label' comment = '$lang_admin.log_filters.strip_non_page_views_comment' value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';" } # strip_non_page_views not_authenticated = { label = "$lang_admin.log_filters.not_authenticated_label" comment = "$lang_admin.log_filters.not_authenticated_comment" value = "if (authenticated_user eq '-') then authenticated_user = '(not authenticated)';" } # not_authenticated mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'hits = 1;' } # mark_entry } # log.filters log.field_options = { sessions_page_field = "url" sessions_visitor_id_field = "authenticated_user" sessions_event_field = "page_views" } # log.field_options database.numerical_fields = { hits = { label = "$lang_stats.field_labels.hits" default = false requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # hits page_views = { label = "$lang_stats.field_labels.page_views" default = true requires_log_field = false type = "int" display_format_type = "integer" } # page_views visitors = { label = "$lang_stats.field_labels.visitors" default = false requires_log_field = true log_field = "authenticated_user" type = "unique" display_format_type = "integer" } # visitors size = { label = "$lang_stats.field_labels.size" default = false requires_log_field = true log_field = "size" type = "int" integer_bits = 64 display_format_type = "bandwidth" } # size } # database.numerical_fields create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" browsing_host = true url = true file_type = true worm = true authenticated_user = true protocol = true server_response = true cache_response = true result = true category = true } # report_groups } # create_profile_wizard_options } # instagate