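# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Array Networks SPX appliances (WELF-style
# syslog). All field extraction happens in log.parsing_filters.parse below;
# the autodetect regex only decides whether a log file belongs to this plugin.
array_spx = {

  plugin_version = "2.1"

  info.1.manufacturer = "Array Networks"
  info.1.device = "SPX 3000 VPN"
  info.1.version.1 = "Rel.SP.8.4.4.2"
  info.1.version.2 = "Rel.SP.8.4.4.1 Build 4"

  # 2008-06-04 - 1.0 - GMF - Initial implementation. This implements support for only the urlaccesslog (there are at least 4 other formats which are not yet supported)
  # 2010-08-12 - 2.0.0 - Benson - Fixed for full WELF log format support.
  # 2010-08-20 - 2.0.1 - Benson - Update for older firmware SP.8.4.4.1 Build 4
  # 2012-02-08 - 2.1 - GMF - Added support for missing field before id=; added message omit filter.

  # The name of the log format
  log.format.format_label = "Array Networks SPX WELF Log Format"
  # Entries must arrive through the syslog stage (v.syslog_message is read by the parsing filter).
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # 2007-05-11 16:58:47 Local0.Info 12.34.56.78 May 11 17:03:41 AN id=ArraySP time="2007-5-11 17:03:41" fw=AN pri=6 user=someone type=mgmt msg="CLI cmd "sh run" success code 0"
  # 2010-08-10 14:24:44 Local0.Info 10.1.1.12 Aug 10 15:03:01 AN id=ArrayOS time="2010-8-10 15:03:01" fw=AN pri=6 vpn=intranet proto=http src=10.1.0.3 sport=47562 dstname=localhost arg=/ op=GET result=302 type=vpn msg="Request on port 80 redirected to port 443"
  # 2010-08-20 15:09:12 Local7.Info 192.168.0.11 Aug 20 15:10:54 GMT(+0000) SPX3000 id=ArrayOS time="2010-8-20 15:10:54" fw=SPX3000 pri=6 user=array src=192.168.5.28 sport=1059 type=mgmt msg="CLI cmd "show log config" success code 0"
  log.format.autodetect_regular_expression = "id=(ArraySP|ArrayOS) "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields (collected fields produced by the parsing filter below)
  log.fields = {
    id = ""
    log_type = ""
    # WELF "time=" value; renamed via collect_listed_fields and split into date/time
    fwtime = ""
    fw = ""
    pri = ""
    vpn = ""
    user = ""
    proto = ""
    src = ""
    sport = ""
    dst = ""
    dport = ""
    dstname = ""
    arg = ""
    op = ""
    result = ""
    rcvd = ""
    sent = ""
    type = ""
    message = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
# Lines may not have the initial [^ ]+ section; they might go straight to id=:
# <134>Jan 17 15:39:02 SSLVPN-GW1 id=ArrayOS time="2012-1-17 15:39:02" fw=SSLVPN-GW1 pri=6 user=root type=mgmt msg="CLI cmd "show statistics virtual" success code 1800" 172.31.2.83 17/01 21:13:25.006
#if (matches_regular_expression(v.syslog_message, '[^ ]+ (id=.*) msg=(.*)$')) then (
# NOTE(review): '(id=.*)' is greedy, so the key=value region ends at the LAST " msg=" on the
# line. A message body that itself contains " msg=" (CLI text, request data) would then be fed
# into collect_listed_fields and could overwrite fields such as user= or src=. If the regex
# engine supports a lazy quantifier, '(id=.*?) msg=(.*)$' splits at the first " msg=" instead — confirm before changing.
if (matches_regular_expression(v.syslog_message, '(id=.*) msg=(.*)$')) then (
  # Everything between id= and msg= is space-separated key=value pairs; the WELF "time" key
  # is stored under the collected field "fwtime" so it does not collide with the built-in time field.
  collect_listed_fields('', $1, ' ', '=', 'time=fwtime');
  set_collected_field('', 'message', $2);

  # Define log type
  # The chain is ordered: the first matching pattern wins, so more specific messages come first.
  if (matches_regular_expression($2, 'Authorized access')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'CLI cmd')) then (set_collected_field('', 'log_type', 'CLI'););
  else if (matches_regular_expression($2, 'Request on port 80 redirected to port 443')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'URL')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'Authentication successful')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'valid session')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'Session has expired')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'idletime')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'logged')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'Backend connection')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'clientapp:')) then (set_collected_field('', 'log_type', 'ClientApp'););
  else if (matches_regular_expression($2, 'Killed an expired session')) then (set_collected_field('', 'log_type', 'MGMT'););
  else if (matches_regular_expression($2, 'vpn:')) then (set_collected_field('', 'log_type', 'VPN'););
  else if (matches_regular_expression($2, 'AAA authentication')) then (set_collected_field('', 'log_type', 'Mail Proxy'););
  # Alternation must be in parentheses: the previous '[client|driver|...]' was a character class
  # matching "SSL " followed by any single listed character, not the listed words.
  else if (matches_regular_expression($2, 'SSL (client|driver|handshake|backend|tunnel)')) then (set_collected_field('', 'log_type', 'SSL'););
  else if (matches_regular_expression($2, 'Invalid request')) then (set_collected_field('', 'log_type', 'HTTP'););
  else if (matches_regular_expression($2, 'Authentication failed (.*)')) then (
    # Previously a while() over a condition that never changed, so a matching line looped forever.
    # Test the stored message with one regex instead of relying on $1 surviving the nested matches.
    # An "Authentication failed" message with none of these reasons leaves log_type unset, as before.
    if (matches_regular_expression(get_collected_field('', 'message'), 'Authentication failed .*(host check|credentials rejected|internal|sessions|username|SSL)')) then (set_collected_field('', 'log_type', 'HTTP'););
  );
  else (set_collected_field('', 'log_type', 'Misc'));

  # convert date and time
  # fwtime looks like "2010-8-20 15:10:54" in the samples above; split it into date and time.
  if (matches_regular_expression(get_collected_field('', 'fwtime'), '^([0-9-]+) ([0-9:]+)$')) then (
    set_collected_field('', 'date', $1);
    set_collected_field('', 'time', $2);
  );
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
);

# 2010-08-11 14:02:41 Local0.Notice 10.1.1.12 Aug 11 14:41:20 AN DNS: All nameservers - down.
# Other log types
else if (matches_regular_expression(v.syslog_message, '[^ ] DNS: (.*)$')) then (
  set_collected_field('', 'log_type', 'DNS');
  set_collected_field('', 'message', $1);
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
);
`

  # Database fields
  database.fields = {
    id = ""
    log_type = ""
    #fwtime = ""
    fw = ""
    pri = ""
    vpn = ""
    user = ""
    proto = ""
    src = ""
    sport = ""
    dst = ""
    dport = ""
    dstname = ""
    arg = ""
    op = ""
    result = ""
    type = ""
    message = ""
  } # database.fields

  # Log Filters
  # Runs after the parsing filter, so log_type has already been derived from the full message.
  log.filters = {
    omit_message = {
      label = "Omit message field to keep database size down"
      #LM comment = ""
      value = "message = '[omitted]'"
    } # omit_message
  } # log.filters

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    rcvd = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    sent = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # array_spx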