# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. wsftp_xml = { plugin_version = "1.0" # 2013-05-19 - 1.0 - GMF - Initial creation info.1.manufacturer = "Ipswitch" info.1.device = "WS_FTP (XML)" info.1.version.1 = "" # The name of the log format log.format.format_label = "Ipswitch WS_FTP (XML)" log.miscellaneous.log_data_type = "ftp" log.miscellaneous.log_format_type = "ftp_server" # The log is in this format if any of the first ten lines match this regular expression # 20130508-00:55:50 log.format.autodetect_regular_expression = "^ [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]" # All log field parsing will be done using the parsing filters log.format.parse_only_with_filters = "true" # Log fields log.fields = { date = "" time = "" description = "" service = "" sessionid = "" type = "" severity = "" user = "" host = "" lstnconnaddr = "" cliconnaddr = "" cmd = "" params = "" errnum = "" sguid = "" pathname = "" events = "" downloads = "" } # log.fields # Log Parsing Filters log.parsing_filters.parse = ` v.remainder = current_log_line(); while ((matches_regular_expression(v.remainder, '^ <([^>]+)>([^<]+)]+>(.*)$')) or (matches_regular_expression(v.remainder, '^ <([^>]+)>()]+>(.*)$'))) ( v.fieldname = $1; v.fieldvalue = $2; v.remainder = $3; if (v.fieldname eq 'log_time') then ( if (matches_regular_expression(v.fieldvalue, '^([0-9][0-9][0-9][0-9])([0-9][0-9])([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9])')) then ( set_collected_field('', 'date', $1 . '-' . $2 . '-' . $3); set_collected_field('', 'time', $4); ); ); # if log_file else set_collected_field('', v.fieldname, v.fieldvalue); ); # while v.remainder # Accept on /entry if (matches_regular_expression(v.remainder, '^ ')) then ( if (get_collected_field('', 'cmd') eq 'RETR') then ( set_collected_field('', 'downloads', 1); if (matches_regular_expression(get_collected_field('', 'params'), '^