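# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

watchguard_firebox_xcore_eseries = {

  plugin_version = "2.1"

  info.1.manufacturer = "Watchguard"
  info.1.device = "Firebox X Core e-Series"
  info.1.version.1 = "x750e"

  # 2008-08-20 - GMF - 1.0 - Initial plug-in creation
  # 2008-08-25 - GMF - 1.5 - Enhanced to handle a variant format
  # 2012-01-31 - GMF - 2.0 - Added support for several new variants and fields
  # 2013-07-01 - GMF - 2.1 - Added support for variant https-proxy lines.
  #
  # Review notes (pending a version bump):
  #  - "firewall:" lines are matched with a variable-width interface pair, so lines
  #    whose interface name contains a space (e.g. "0-MTS Fiber", seen in the debug
  #    trace that used to be pasted below) are no longer silently dropped.  Dropped
  #    lines were mostly Deny events, i.e. exactly the ones a reviewer wants to see.
  #  - disp="Allow"/"Deny" on key="value" lines is now recorded in the 'operation'
  #    field (previously consumed by the regexp and discarded).
  #  - The http(s)-proxy branch no longer sets a field literally named '?', and
  #    extracts msg / proxy_act / rcvd_bytes explicitly (the old collect used ','
  #    as the divider on a space-separated list, so only 'msg' could be collected).

  # The name of the log format
  log.format.format_label = "Watchguard Firebox X Core e-Series Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Sample lines (the leading "<date> <time> <facility.severity> <ip>" is the syslog header
  # that Sawmill strips before v.syslog_message is handed to the parsing filters):
  # 2008-06-19 22:43:40 Local3.Error 12.34.56.78 2008-06-19 22:59:25 WG_X750e cfm[1981]: pri="3" msg_id="0F03-0053" msg="[cfm] processing ABORT: [w4c0r0h0] 98.76.54.43:36825 -> 87.65.43.21:21 [A r]"
  # 2008-06-19 22:43:40 Local3.Debug 12.34.56.78 2008-06-19 22:59:25 WG_X750e pri="2" msg="sm_cmd:241 B:0:0 Initiated abort"
  # 2008-06-19 16:29:13 Local1.Debug 12.34.56.78 2008-06-19 16:44:58 WG_X750e disp="Deny" pri="1" policy="Outgoing-00" src_ip="11.11.11.11" dst_ip="22.22.22.22" pr="80/udp" src_port="1181" dst_port="80" src_intf="3-ToFortinet" dst_intf="0-External" rc="105" msg="denied (send reset)" pckt_len="1022" ttl="127"
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+( disp=[^ ]+)? ") or

    # Another format:
    # 2012-01-25 13:33:01 Local1.Warning 192.168.10.1 Jan 25 13:33:01 Abc_X750e firewall: Allow tun0 1-Trusted 73 udp 20 127 1.2.3.4 5.6.7.8 52367 53 (Allow SSLVPN-Users-00)
    matches_regular_expression(volatile.log_data_line, "[A-Z][a-z][a-z] +[0-9]+ +[0-9]+:[0-9][0-9]:[0-9][0-9] [^ ]+ firewall: Allow") or

    # And yet another (from the same log as line above):
    # 2012-01-25 13:33:01 Local1.Info 192.168.10.1 Jan 25 13:33:01 Abc_X750e http-proxy[2234]: Allow 1-Trusted 7-MTS DSL tcp 1.2.3.4 5.6.7.8 4950 80 msg="ProxyAvScan: HTTP Header content type match" proxy_act="HTTP-Client.5" rule_name="text/*" content_type="text/plain" (HTTP-proxy-00)
    matches_regular_expression(volatile.log_data_line, "[A-Z][a-z][a-z] +[0-9]+ +[0-9]+:[0-9][0-9]:[0-9][0-9] [^ ]+ https?-proxy[[][0-9]+[]]: Allow")
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields.
  #   operation  - Allow/Deny verdict for firewall/proxy lines and for key="value" lines
  #                carrying disp="..."; "submitting"/"processing" for cfm lines.
  #   interface  - first interface token of firewall/proxy lines (the one before the
  #                possibly multi-word second interface), or the [w4c0r0h0]-style tag of
  #                cfm lines.
  #   src_intf / dst_intf, pr, rc, pckt_len, ttl - only present on key="value" lines.
  #   proxy_act / rcvd_bytes - only present on http(s)-proxy lines.
  log.fields = {
    device_name = ""
    pri = ""
    msg_id = ""
    event_type = ""
    operation = ""
    interface = ""
    protocol = ""
    src_ip = ""
    src_port = ""
    src_intf = ""
    dst_ip = ""
    dst_port = ""
    dst_intf = ""
    policy = ""
    pr = ""
    rc = ""
    pckt_len = ""
    ttl = ""
    msg = ""
    proxy_act = ""
    rcvd_bytes = ""
    offset = ""
    win = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `

    # Format 1: key="value" lines, optionally prefixed with disp="...".
    # 2008-06-19 16:29:13 Local1.Debug 12.34.56.78 2008-06-19 16:44:58 WG_X750e disp="Deny" pri="1" policy="Outgoing-00" src_ip="11.11.11.11" dst_ip="22.22.22.22" pr="80/udp" src_port="1181" dst_port="80" src_intf="3-ToFortinet" dst_intf="0-External" rc="105" msg="denied (send reset)" pckt_len="1022" ttl="127"
    if (matches_regular_expression(v.syslog_message, '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([^ ]+)( disp=[^ ]+)? +[^ ]* ?pri="([^"]+)" (.*)')) then (

      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      set_collected_field('', 'device_name', $3);
      set_collected_field('', 'pri', $5);
      # Save the captures we still need before any nested regexp overwrites $N.
      v.disp = $4;
      v.remainder = $6;

      # disp="Allow"/"Deny" is the verdict for this line; store it where the
      # "firewall:" and proxy formats store their Allow/Deny.  Empty when the
      # optional group did not match.
      if (matches_regular_expression(v.disp, 'disp="([^"]+)"')) then
        set_collected_field('', 'operation', $1);

      # Generic key="value" collection; msg_id and msg are re-extracted below
      # because a space-divided collect cannot cope with values containing spaces.
      collect_listed_fields('', v.remainder, ' ', '=', '');

      if (matches_regular_expression(v.remainder, '^msg_id="([^"]+)" (.*)')) then (
        set_collected_field('', 'msg_id', $1);
        v.remainder = $2;
      );

      if (matches_regular_expression(v.remainder, '^msg="([^"]+)"')) then (
        v.msg = $1;
        set_collected_field('', 'msg', $1);

        # cfm connection messages carry the endpoints inside msg, e.g.
        # [cfm] submitting READ: [w4c0r0h0] 12.34.56.78:26671 -> 23.45.67.89:21 [B]
        if (matches_regular_expression(v.msg, '^[[]([^]]+)[]] (submitting|processing|priority submitting) ([^:]+): [[]+([^]]+)[]] ([0-9.]+):([0-9]+) -> ([0-9.]+):([0-9]+)')) then (
          set_collected_field('', 'event_type', $2);
          set_collected_field('', 'operation', $3);
          set_collected_field('', 'interface', $4);
          set_collected_field('', 'src_ip', $5);
          set_collected_field('', 'src_port', $6);
          set_collected_field('', 'dst_ip', $7);
          set_collected_field('', 'dst_port', $8);

          # Simplify the message, now that we've extracted the complex values from it in to separate fields
          set_collected_field('', 'msg', '[' . $1 . '] ' . $2 . ' ' . $3 . ' [' . $4 . '] [remainder parsed to separate fields]');

          # Copy off anything after DATA in the operation (e.g., DATA(23) becomes DATA).
          if (matches_regular_expression(get_collected_field('', 'operation'), '^DATA')) then
            set_collected_field('', 'operation', 'DATA');
        ); # if src -> dest format
      ); # if msg

      # Chop off the extra information from ICMP error / dynamic-connection messages.
      # Two separate tests, so the $1 used in each body always belongs to the
      # expression that actually matched.
      if (matches_regular_expression(get_collected_field('', 'msg'), "^(icmp error with data)")) then
        set_collected_field('', 'msg', $1 . ' [remainder parsed to separate fields]');
      if (matches_regular_expression(get_collected_field('', 'msg'), "^(dynamic connection)")) then
        set_collected_field('', 'msg', $1 . ' [remainder parsed to separate fields]');

      accept_collected_entry('', false);
    ) # if matches line format

    # Format 2: "firewall:" lines.  Token layout after "firewall:":
    #   <Allow|Deny> <intf-1> <intf-2> <len> <proto> <n> <n> <src_ip> <dst_ip> <p1> <p2> [proto-specific] (<policy>)
    # <intf-2> may contain spaces ("7-MTS DSL", "0-MTS Fiber"), and <intf-1> may be a
    # bare device name ("tun0"), so the pair is matched as "<one token> <rest>" with
    # the numeric length and the protocol keyword pinning where the pair ends.  The
    # two numbers after the protocol and the length are left uncollected; the length
    # is presumably pckt_len and the second number ttl (127/63 in the samples) - confirm
    # against a capture before mapping them.
    #
    # UDP:
    # 2012-01-25 13:33:01 Local1.Warning 192.168.10.1 Jan 25 13:33:01 Abc_X750e firewall: Allow tun0 1-Trusted 73 udp 20 127 1.2.3.4 5.6.7.8 52367 53 (Allow SSLVPN-Users-00)
    # Jan 25 13:33:15 Winnipeg_X750e firewall: Deny 1-Trusted 0-MTS Fiber 78 udp 20 127 192.168.11.231 192.168.1.2 137 137 (SMB 135-139.1-00)
    else if (matches_regular_expression(v.syslog_message, "[A-Z][a-z][a-z] +[0-9]+ +[0-9]+:[0-9][0-9]:[0-9][0-9] [^ ]+ (firewall): ([^ ]+) ([^ ]*) (.+) ([^ ]+) (udp) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) [(]([^)]*)[)]")) then (
      set_collected_field('', 'event_type', $1);
      set_collected_field('', 'operation', $2);
      set_collected_field('', 'interface', $3);
      # $4 = second interface name (may contain spaces); $5 = length - not collected.
      set_collected_field('', 'protocol', $6);
      # $7, $8 - not collected (see note above).
      set_collected_field('', 'src_ip', $9);
      set_collected_field('', 'dst_ip', $10);
      set_collected_field('', 'src_port', $11);
      set_collected_field('', 'dst_port', $12);
      set_collected_field('', 'policy', $13);
      accept_collected_entry('', false);
    ) # firewall (udp)

    # TCP:
    # 2012-01-25 13:33:01 Local1.Info 192.168.10.1 Jan 25 13:33:00 Winnipeg_X750e firewall: Allow 1-Trusted 7-MTS DSL 52 tcp 20 127 1.2.3.4 5.6.7.8 57965 995 offset 8 S 2706692985 win 32 (Outgoing-00)
    else if (matches_regular_expression(v.syslog_message, "[A-Z][a-z][a-z] +[0-9]+ +[0-9]+:[0-9][0-9]:[0-9][0-9] [^ ]+ (firewall): ([^ ]+) ([^ ]*) (.+) ([^ ]+) (tcp) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) offset ([0-9]+) [^ ]+ ([0-9]+) win ([0-9]+) [(]([^)]*)[)]")) then (
      set_collected_field('', 'event_type', $1);
      set_collected_field('', 'operation', $2);
      set_collected_field('', 'interface', $3);
      # $4 = second interface name; $5 = length - not collected.
      set_collected_field('', 'protocol', $6);
      # $7, $8 - not collected (see note above).
      set_collected_field('', 'src_ip', $9);
      set_collected_field('', 'dst_ip', $10);
      set_collected_field('', 'src_port', $11);
      set_collected_field('', 'dst_port', $12);
      set_collected_field('', 'offset', $13);
      # $14 = TCP sequence number (the flags token before it is skipped) - not collected.
      set_collected_field('', 'win', $15);
      set_collected_field('', 'policy', $16);
      accept_collected_entry('', false);
    ) # firewall (tcp)

    # ICMP: the two numbers after the addresses are the ICMP type and code; they are
    # stored in src_port/dst_port as the original plug-in did.
    # 2012-01-25 13:33:00 Local1.Warning 192.168.10.1 Jan 25 13:33:00 Winnipeg_X750e firewall: Allow 1-Trusted 0-MTS Fiber 84 icmp 20 63 192.168.10.236 192.168.20.10 8 0 id=42564 seq=0 (DVCP-BOVPN-Allow-out)
    else if (matches_regular_expression(v.syslog_message, "[A-Z][a-z][a-z] +[0-9]+ +[0-9]+:[0-9][0-9]:[0-9][0-9] [^ ]+ (firewall): ([^ ]+) ([^ ]*) (.+) ([^ ]+) (icmp) ([0-9]+) ([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) id=([0-9]+) seq=([0-9]+) [(]([^)]*)[)]")) then (
      set_collected_field('', 'event_type', $1);
      set_collected_field('', 'operation', $2);
      set_collected_field('', 'interface', $3);
      # $4 = second interface name; $5 = length - not collected.
      set_collected_field('', 'protocol', $6);
      # $7, $8 - not collected (see note above).
      set_collected_field('', 'src_ip', $9);
      set_collected_field('', 'dst_ip', $10);
      set_collected_field('', 'src_port', $11);
      set_collected_field('', 'dst_port', $12);
      # NOTE(review): 'id' and 'seq' are not declared in log.fields (kept as in the
      # original plug-in); declare them if these values are wanted in the database.
      set_collected_field('', 'id', $13);
      set_collected_field('', 'seq', $14);
      set_collected_field('', 'policy', $15);
      accept_collected_entry('', false);
    ) # firewall (icmp)

    # Format 3: http-proxy / https-proxy lines.  The second interface name may contain
    # a space ("7-MTS DSL"), which is why it is matched with [^"]+ rather than [^ ]+.
    # 2012-01-25 13:33:01 Local1.Info 192.168.10.1 Jan 25 13:33:01 Abc_X750e http-proxy[2234]: Allow 1-Trusted 7-MTS DSL tcp 1.2.3.4 5.6.7.8 4950 80 msg="ProxyAvScan: HTTP Header content type match" proxy_act="HTTP-Client.5" rule_name="text/*" content_type="text/plain" (HTTP-proxy-00)
    # 2013-05-02 04:29:34 Local1.Info 10.10.11.6 May 2 04:29:34 Firebox https-proxy[2083]: Allow 1-Trusted 7-Cox tcp 10.10.11.201 216.115.223.200 1810 443 msg="HTTPS Request" proxy_act="HTTPS-Client.1" rcvd_bytes="0" (HTTPS-proxy-00)
    else if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] +[0-9]+ +[0-9]+:[0-9][0-9]:[0-9][0-9] [^ ]+ (https?-proxy)[[][0-9]+[]]: ([^ ]+) ([^ ]+) ([^"]+) ([a-z]+) ([0-9.a-f:]+) ([0-9.a-f:]+) ([0-9]+) ([0-9]+) (.*) [(]([^ ]+)[)]')) then (
      set_collected_field('', 'event_type', $1);
      set_collected_field('', 'operation', $2);
      set_collected_field('', 'interface', $3);
      # $4 = second interface name (may contain spaces) - not collected.
      set_collected_field('', 'protocol', $5);
      set_collected_field('', 'src_ip', $6);
      set_collected_field('', 'dst_ip', $7);
      set_collected_field('', 'src_port', $8);
      set_collected_field('', 'dst_port', $9);
      set_collected_field('', 'policy', $11);
      # Save the key="value" tail before the nested regexps below overwrite $N.
      v.remainder = $10;

      # The tail is a space-separated list of key="value" pairs whose msg value may
      # itself contain spaces, so the declared keys are picked out individually.
      if (matches_regular_expression(v.remainder, 'msg="([^"]+)"')) then
        set_collected_field('', 'msg', $1);
      if (matches_regular_expression(v.remainder, 'proxy_act="([^"]+)"')) then
        set_collected_field('', 'proxy_act', $1);
      if (matches_regular_expression(v.remainder, 'rcvd_bytes="([0-9]+)"')) then
        set_collected_field('', 'rcvd_bytes', $1);

      accept_collected_entry('', false);
    ); # if http-proxy
  `

  # Database fields
  database.fields = {
    device_name = ""
    pri = ""
    msg_id = ""
    event_type = ""
    operation = ""
    interface = ""
    protocol = ""
    src_ip = ""
    src_port = ""
    src_intf = ""
    dst_ip = ""
    dst_port = ""
    dst_intf = ""
    policy = ""
    pr = ""
    rc = ""
    ttl = ""
    msg = ""
    proxy_act = ""
    offset = ""
    # win = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    rcvd_bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    pckt_len = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      device_name = true
      pri = true
      msg_id = true
      msg = true
      # Allow/Deny verdict - the first thing a reviewer of a firewall log wants to see.
      operation = true
    } # report_groups
  } # create_profile_wizard_options

} # watchguard_firebox_xcore_eseries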