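# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# a10_ax_auth - Sawmill log-format plug-in for A10 Networks AX Series
# authentication messages delivered over syslog ("a10logd: [TYPE]<level> ...").
# Every field is extracted by the parsing filter below; the autodetect
# expression only decides whether a log belongs to this format.
a10_ax_auth = {

  plugin_version = "1.0"

  # 2012-09-06 - Benson - 1.0 - Initial creation

  info.1.manufacturer = "A10 Networks"
  info.1.device = "AX Series Authentication"
  info.1.version.1 = "1.0"

  # The name of the log format
  log.format.format_label = "A10 Networks AX Series Authentication Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "application"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Sample message bodies (the text after the "a10logd: [TYPE]<level>" prefix):
  #User "admin" with session ID 1 successfully saved the running configuration
  #A web session for user "admin" from 10.129.200.62 has been opened. Session ID assigned is 1
  #Session ID 1 for user "admin" from 10.129.200.62 has timed out
  #Running configuration successfully saved by user "admin" using Session ID 3
  #Local authentication failed(user: admin): Admin password error
  #A cli session for user "admin" from 10.129.200.62 has been opened. Session ID assigned is 2.
  #The user, admin, from the remote host, 172.16.100.68, failed in the CLI authentication.
  #
  # Any upper-case log type is accepted here; the parsing filter uses the same class so
  # that every line that autodetects is also parsed.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "a10logd: \\[[A-Z]+\\]<[0-9]+>")
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # log_type / log_level come from the "[TYPE]<level>" prefix; the remaining
  # fields are filled per message pattern and stay empty when a pattern does
  # not provide them (e.g. no ip_address for local configuration saves).
  log.fields = {
    log_type = ""
    log_level = ""
    ip_address = ""
    user = ""
    session_id = ""
    action = ""
    message = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Each branch recognises one message shape and sets the fields it can
  # derive.  'action' is a normalised event name so that reports group the
  # same kind of event together regardless of message wording; 'message'
  # always keeps the raw text for reference.
  #
  # NOTE(review): the ip_address patterns ([0-9.]+) match dotted IPv4 only;
  # an IPv6 source would leave the whole branch unmatched - confirm against
  # the device's log output if IPv6 management access is possible.
  log.parsing_filters.parse = `
    # ([A-Z]+) matches the autodetect class above.  The original [SYSTEM]+
    # was a character class (letters S,Y,T,E,M), not the literal word SYSTEM,
    # so lines with other log types autodetected but were never parsed.
    if (matches_regular_expression(v.syslog_message, 'a10logd: \\[([A-Z]+)\\]<([0-9]+)> (.*)')) then (
      v.message = $3;
      set_collected_field('', 'log_type', $1);
      set_collected_field('', 'log_level', $2);
      set_collected_field('', 'message', $3);

      # Running configuration saved (two wordings, one action value so the
      # event is not split into two report rows by a trailing space).
      if (matches_regular_expression(v.message, 'User \\"([^"]+)\\" with session ID ([0-9]+) successfully saved the running configuration')) then (
        set_collected_field('', 'user', $1);
        set_collected_field('', 'session_id', $2);
        set_collected_field('', 'action', 'running configuration saved');
      );
      else if (matches_regular_expression(v.message, 'Running configuration successfully saved by user \\"([^"]+)\\" using Session ID ([0-9]+)')) then (
        set_collected_field('', 'user', $1);
        set_collected_field('', 'session_id', $2);
        set_collected_field('', 'action', 'running configuration saved');
      );

      # Session opened (web or cli); action becomes e.g. "web session opened".
      else if (matches_regular_expression(v.message, 'A ([a-z]+) session for user \\"([^"]+)\\" from ([0-9.]+) has been ([^.]+). Session ID assigned is ([0-9]+)')) then (
        set_collected_field('', 'user', $2);
        set_collected_field('', 'ip_address', $3);
        set_collected_field('', 'session_id', $5);
        set_collected_field('', 'action', $1 . ' session ' . $4);
      );

      # Session ended by inactivity.
      else if (matches_regular_expression(v.message, 'Session ID ([0-9]+) for user \\"([^"]+)\\" from ([0-9.]+) has timed out')) then (
        set_collected_field('', 'session_id', $1);
        set_collected_field('', 'user', $2);
        set_collected_field('', 'ip_address', $3);
        set_collected_field('', 'action', 'session timed out');
      );

      # Session closed explicitly (no user or address in this message).
      else if (matches_regular_expression(v.message, 'Session ID ([0-9]+) is now closed')) then (
        set_collected_field('', 'session_id', $1);
        set_collected_field('', 'action', 'session closed');
      );

      # Local authentication failure; the device's reason text is appended so
      # the action reads e.g. "authentication failed by Admin password error".
      else if (matches_regular_expression(v.message, 'Local authentication failed\\(user: ([^)]+)\\): (.*)')) then (
        set_collected_field('', 'user', $1);
        set_collected_field('', 'action', 'authentication failed by ' . $2);
      );

      # Remote authentication failure, carries the source address and the
      # access method (e.g. "CLI authentication failed").
      else if (matches_regular_expression(v.message, 'The user, ([^,]+), from the remote host, ([0-9.]+), failed in the ([^ ]+) authentication.')) then (
        set_collected_field('', 'user', $1);
        set_collected_field('', 'ip_address', $2);
        set_collected_field('', 'action', $3 . ' authentication failed');
      );

      #AX ready to reboot at 09:03:49 CST Sat Aug 11 2012. Reason: Upgrade.
      # The year is [0-9]+ (the original [0-9+] was a one-character class of
      # digits and '+', which left part of the year in $2).  The dot before
      # "Reason" is escaped so a literal period is required.
      else if (matches_regular_expression(v.message, 'AX ready to reboot at ([0-9:]+ [A-Z]+ [A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9]+ [0-9]+)(.*)')) then (
        set_collected_field('', 'action', 'reboot');
        v.message = $2;
        if (matches_regular_expression(v.message, '\\. Reason: (.*)')) then (
          set_collected_field('', 'action', 'reboot for ' . $1);
        );
      );

      # Unmatched message shapes still reach this point with log_type,
      # log_level and message set, so nothing that autodetects is dropped.
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    log_type = ""
    log_level = ""
    ip_address = ""
    user = ""
    session_id = ""
    action = ""
    message = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # One counted event per accepted log line.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

    snapons = {
      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports
    } # snapons

  } # create_profile_wizard_options

} # a10_ax_auth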