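# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Smoothwall Network Guardian / Advanced
# Firewall web-filter log: one JSON object per line (see the sample below).
# The JSON is split with regular expressions rather than a JSON parser; the
# caveats that follow from that are noted on log.parsing_filters.parse.
#
# Changes in this revision:
#   - log.field_options.sessions_visitor_id_field now names the log field as it
#     is declared in log.fields ("clientip"); the previous value "client_ip" did
#     not match any field declared in this plugin.
#   - "tagsetinfo" is declared once in log.fields (it was listed twice).
network_guardian = {

  plugin_version = "1.0"
  # 2012-10-17 - 1.0 - GMF - Initial creation

  info.1.manufacturer = "Smoothwall"
  info.1.device = "Network Guardian and Advanced Firewall"
  info.1.version.1 = "2.9"

  # The name of the log format
  log.format.format_label = "Smoothwall Network Guardian and Advanced Firewall"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # Sample log line (addresses and user name are as given in the vendor sample).
  # Note the JSON-escaped slashes ("\/") in url and user-agent, the string-encoded
  # epoch timestamp in "time", and the nested JSON string in "ruleid".
  #{ "blocked" : false, "canpersist" : true, "clienthostname" : "", "clientid" : "12.34.56.78", "clientip" : "12.34.56.78", "containsadverts" : false, "destdomain" : "clients5.google.com", "groupmap" : { "11" : "PCA Users" }, "httpcode" : 200, "https" : false, "method" : "GET", "mitmed" : false, "producerid" : "9238ebe95f194d63a453d92cb5c626f2", "quotainfo" : { "duration" : "3600", "interval" : "600", "resettime" : "14400" }, "reqbody" : [ ], "reqheaders" : { "user-agent" : "Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322)" }, "requesttags" : [ "user-agent: Interactive", "urlcategory: proxy", "urlcategory: Web Search", "Protocol: HTTP" ], "requesttagsinfo" : { "urlcategory: Web Search" : [ ".google.com", ".google.com" ], "urlcategory: proxy" : [ ".google.com", ".google.com" ], "user-agent: Interactive" : [ "^(?:Mozilla|Opera)\/" ] }, "respbody" : [ { "contenttype" : "image\/gif", "disposition" : "", "size" : "43", "tagset" : [ "extcategory: Safe Content Filetypes", "mimecategory: Safe Content Filetypes", "mimecategory: Web Content", "Body processors: finished" ], "tagsetinfo" : { "extcategory: Safe Content Filetypes" : [ "(?i)\\.gif$" ], "mimecategory: Safe Content Filetypes" : [ "(?i)^image\\\/gif$" ], "mimecategory: Web Content" : [ "(?i)^image\\\/gif$" ] } } ], "ruleid" : "{\"action\":\"allow\",\"reason\":\"\",\"policyline\":\"5 (SmoothWall::Settings::Guardian::Policy)\",\"tags\":[\"group: 11\",null]}", "sessionid" : 7755163, "successful" : true, "tagset" : [ "localip: 98.76.54.32", "primarygroup: 11", "username: stb4583", "group: 11", "localport: 800", "auth: finished" ], "tagsetinfo" : { }, "time" : "1349535758.977317", "transactionid" : 1, "transparent" : false, "url" : "http:\/\/clients5.google.com\/images\/cleardot.gif", "visibleip" : "98.76.54.32" }

  # Autodetect only checks the opening of the object; every line is then
  # handed to the parsing filter below (no log.format.field_separator).
  log.format.autodetect_regular_expression = '^[{] "blocked" : (true|false), '
  log.format.parse_only_with_filters = true

  # Log fields: one per top-level JSON key, plus the keys split out of the
  # "tagset" array and the date/time pair derived from "time".
  log.fields = {
    date_time = ""
    blocked = ""
    canpersist = ""
    clienthostname = ""
    # type = "host": marks the field as a host/IP field for Sawmill; presumably
    # enables IP-based lookups on it -- confirm against the Sawmill docs.
    clientip.type = "host"
    clientid = ""
    containsadverts = ""
    destdomain = ""
    groupmap = ""
    httpcode = ""
    https = ""
    method = ""
    mitmed = ""
    producerid = ""
    quotainfo = ""
    reqbody = ""
    reqheaders = ""
    requesttags = ""
    requesttagsinfo = ""
    respbody = ""
    tagsetinfo = ""
    ruleid = ""
    sessionid = ""
    successful = ""
    tagset = ""
    # subfields of tagset ("localip: ...", "primarygroup: ...", ...), filled by
    # the inner loop of the parsing filter
    localip = ""
    primarygroup = ""
    username = ""
    group = ""
    localport = ""
    auth = ""
    # time: both derived from the epoch-seconds "time" value
    date = ""
    time = ""
    transactionid = ""
    transparent = ""
    url = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url
    visibleip = ""
    # Set by the mark_entry / detect_page_views log filters, not parsed.
    accesses = ""
    page_views = ""
  } # log.fields

  # Regex-based key/value walk over the JSON object.
  #
  # Each iteration peels one "key" : value pair off the front of v.remainder.
  # The alternatives are ordered from most to least specific: array-of-objects,
  # ruleid-style quoted object, object, array, quoted string, bare value, and a
  # final quoted string with no trailing comma (the last key of the object).
  #
  # Caveats a reader should know about:
  #   - A string value containing an escaped quote (\") -- other than ruleid,
  #     which has its own pattern -- or the sequence '", ' is split at the wrong
  #     place. When no alternative matches, the loop simply ends and
  #     accept_collected_entry still runs, so the entry is accepted with only the
  #     keys collected so far; later keys (including url and time, which appear
  #     near the end of the object) are silently missing for that line.
  #   - The array-of-objects pattern uses a greedy (.+), so it extends to the
  #     last " } ]" in the remainder if one occurs later in the line.
  #   - Field values are taken from the log as-is (only url is rewritten), so
  #     anything the client controls (url, user-agent inside reqheaders) lands in
  #     the database unmodified.
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), "^[{] (.*) [}]$")) then
  v.remainder = $1;
# NOTE(review): the 'then' above appears to cover only the assignment; the loop
# and accept_collected_entry below run for every line. Presumably harmless
# because only lines matching the autodetect pattern reach this plugin -- confirm.
while (
  matches_regular_expression(v.remainder, '^"([a-z]+)" : [[] [{] (.+) [}] []], (.*)$') or
  #"ruleid" : "{\"action\":\"allow\",\"reason\":\"\",\"policyline\":\"5 (SmoothWall::Settings::Guardian::Policy)\",\"tags\":[\"group: 11\",null]}"
  matches_regular_expression(v.remainder, '^"([a-z]+)" : "[{]([^}]+)[}]", (.*)$') or
  matches_regular_expression(v.remainder, '^"([a-z]+)" : [{] ([^}]+) [}], (.*)$') or
  matches_regular_expression(v.remainder, '^"([a-z]+)" : [[] ([^]]+) []], (.*)$') or
  matches_regular_expression(v.remainder, '^"([a-z]+)" : "([^"]*)", (.*)$') or
  matches_regular_expression(v.remainder, '^"([a-z]+)" : ([^,]+), (.*)$') or
  matches_regular_expression(v.remainder, '^"([a-z]+)" : "([^,]+)"$')
) (
  # Take the rest of the line first: the nested tagset loop below reuses $1..$3.
  v.remainder = $3;
  if ($1 eq "time") then (
    # "time" is epoch seconds with a fractional part (see the sample line).
    set_collected_field('', 'date', normalize_date($2, 'seconds_since_jan1_1970'));
    set_collected_field('', 'time', normalize_time($2, 'seconds_since_jan1_1970'));
  );
  else if ($1 eq 'url') then
    # The log escapes '/' as '\/'; restore plain slashes so the url hierarchy
    # (hierarchy_dividers = "/?") splits correctly.
    set_collected_field('', 'url', replace_all($2, '\\\\/', '/'));
  #"localip: 10.96.5.75", "primarygroup: 11", "username: stb4583", "group: 11", "localport: 800", "auth: finished"
  else if ($1 eq 'tagset') then (
    # Keep the raw array and also split each "name: value" element into its
    # own field (localip, primarygroup, username, group, localport, auth).
    set_collected_field('', $1, $2);
    v.tagset = $2;
    while (matches_regular_expression(v.tagset, '^"([a-z]+): ([^"]+)", (.*)$') or matches_regular_expression(v.tagset, '^"([a-z]+): ([^"]+)"$')) (
      set_collected_field('', $1, $2);
      v.tagset = $3;
    );
  ); # if tagset
  else
    set_collected_field('', $1, $2);
); # while
accept_collected_entry('', false);
`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    blocked = ""
    canpersist = ""
    clienthostname = ""
    clientip = ""
    clientid = ""
    containsadverts = ""
    destdomain = ""
    groupmap = ""
    httpcode = ""
    https = ""
    method = ""
    mitmed = ""
    # Omitted to simplify database
    # quotainfo = ""
    # producerid = ""
    # reqbody = ""
    # reqheaders = ""
    # requesttags = ""
    # requesttagsinfo = ""
    # respbody = ""
    # ruleid = ""
    # tagset = ""
    # tagsetinfo = ""
    localip = ""
    primarygroup = ""
    username = ""
    group = ""
    localport = ""
    auth = ""
    sessionid = ""
    successful = ""
    transactionid = ""
    transparent = ""
    url = {
      suppress_top = 1
      suppress_bottom = 3
    } # url
    # file_type and location are not parsed from the log; presumably derived by
    # Sawmill from url and clientip respectively -- confirm.
    file_type = ""
    visibleip = ""
    location = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Embedded images/scripts/styles count as hits but not page views.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    # Collapse non-page urls to their directory plus "(nonpage)".
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views
    # Keep only scheme and host of the url (everything after the host is dropped).
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    accesses = {
      default = true
      entries_field = true
    } # accesses
    page_views = ""
    unique_client_ips = {
      log_field = "clientip"
      type = "unique"
    } # unique_client_ips
  } # database.numerical_fields

  # Session tracking: visitors are identified by the clientip log field
  # (the same field gateway_reports and unique_client_ips use).
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "clientip"
    sessions_event_field = "page_views"
  } # log.field_options

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        url = true
        file_type = true
        destdomain = true
      }
      client_group = {
        clientip = true
        clientid = true
        clienthostname = true
        visibleip = true
        location = true
        # organization/isp/domain are not declared in database.fields above;
        # presumably provided by Sawmill for the host-typed clientip field -- confirm.
        organization = true
        isp = true
        domain = true
        localip = true
        primarygroup = true
        username = true
        group = true
        localport = true
        auth = true
      } # client_group
      other_group = {
        blocked = true
        canpersist = true
        containsadverts = true
        groupmap = true
        httpcode = true
        https = true
        method = true
        mitmed = true
        sessionid = true
        successful = true
        transactionid = true
        transparent = true
      } # other_group
    } # report_groups

    snapons = {

      # Attach a gateway_reports snapon. This log has no category, bytes or
      # duration fields, so those parameters are switched off below.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          user_field.parameter_value = "username"
          have_client_ip.parameter_value = true
          client_ip_field.parameter_value = "clientip"
          have_category_field.parameter_value = false
          # category_field.parameter_value = "category"
          host_field.parameter_value = "destdomain"
          # have_additional_field.parameter_value = true
          # additional_field.parameter_value = "virtual_ip"
          page_views_field.parameter_value = "accesses"
          have_bytes_in_field.parameter_value = false
          # bytes_in_field.parameter_value = "bytes_in"
          have_bytes_out_field.parameter_value = false
          # bytes_out_field.parameter_value = "bytes_out"
          have_duration_field.parameter_value = false
          # duration_field.parameter_value = "tunnel_duration"
          sort_by_field.parameter_value = "accesses"
        } # parameters
      } # gateway_reports

      # 2013-02-06 - GMF - Now added in gateway_reports
      # # Add the standard reports
      # add_standard_reports = {
      #   name = "add_standard_reports"
      #   label = "add_standard_reports"
      #   snapon = "add_standard_reports"
      # } # add_standard_reports

    } # snapons

  } # create_profile_wizard_options

} # network_guardian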