# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plug-in definition for Blue Coat logs in W3C extended log file format (ELFF).
# The list of log fields is not fixed in this file: it is built from the "#Fields:" header
# of the log being read (see log.filter_preprocessor).
blue_coat_w3_c = {

plugin_version = "1.2.1"
info.1.manufacturer = "Bluecoat"
info.1.device = "W3C (ELFF)"
info.1.version.1 = ""

# Change history
# 2006-11-06 - 1.0.1 - KBB - Fixed bug preventing correct parsing of logs with date and time
#                            fields instead of localtime field - fixed bug correcting parsing of localtime field.
# 2006-07-31 - 1.0.2 - GMF - Fixed bug which caused a "none" report to be created when certain fields were
#                            present.
# 2006-08-01 - 1.0.3 - GMF - Fixed time-taken field to use milliseconds
# 2008-05-29 - 1.0.4 - GMF - Restored c-supplier-name database field and report
# 2009-02-09 - 1.0.5 - GMF - Bumped time-taken field up to float, to represent larger numbers
# 2009-04-28 - 1.0.6 - GMF - Added support for cs-referer field, to extract search engine information
# 2009-06-03 - 1.0.7 - GMF - Added support for location database field
# 2010-07-16 - 1.1 - GMF - Removed x_by_y reports--they were not appearing in the report menu, so were
#                          not useful.
# 2010-10-14 - 1.1.1 - MSG - Edited info lines.
# 2010-10-21 - 1.1.2 - KBB - Made duplicate log.filter labels unique.
# 15/05/2013 - 1.1.3 - gas - added support for timestamp field, changed auto-detect so that SGOS version isn't required and made parse_localtime a required field type
# 2013-09-09 - 1.2 - GMF - Added referrer tracking; added Gateway Reports snapon
# 2013-09-09 - 1.2.1 - GMF - Removed duplicate "simply referrer" filter

# example format with date time
##Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-path cs-uri-query cs-username s-hierarchy s-supplier-name cs(Content-Type) cs(User-Agent) sc-filter-result sc-filter-category x-virus-id s-ip s-sitename
#2006-10-17 13:03:48 184 10.99.99.99 200 TCP_MISS 491 364 GET http there.ie /images_ei/sms_b.gif - podriant DIRECT there.ie - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" PROXIED none - 192.99.99.99 SG-HTTP-Service

# example format with localtime
##Fields: localtime time-taken c-ip s-action sc-status sc-bytes cs-method cs-uri cs-username s-hierarchy s-supplier-name cs(Content-Type)
#[04/Mar/2003:12:43:08 -0600] 1 10.99.99.99 TCP_AUTH_REDIRECT 307 319 GET http://www.here.com/there/index.html - DIRECT - -

# The name of the log format
log.format.format_label = "Blue Coat W3C Log Format (ELFF)"
log.miscellaneous.log_data_type = generic_w3c
log.miscellaneous.log_format_type = "web_server"
log.format.server_type = firewall

# The log is in this format if any of the first ten lines match this regular expression
# 2008-05-29 - GMF - Added support for version 5
#log.format.autodetect_regular_expression = "^#Software: SGOS [2345]\."
# Auto-detection keys on the "#Software: SGOS" header alone; this pattern requires no SGOS version number.
log.format.autodetect_regular_expression = "^#Software: SGOS"

# Literal apostrophes can appear in field values, and should not be treated as quotes
log.format.treat_apostrophes_as_quotes = false

# added 7/Nov/2006 to work with localtime field with GMT offset in brackets - KBB
log.format.treat_brackets_as_quotes = true

# Don't track these fields as discrete database fields
# auto_setup.omit_database_fields = sc_bytes,cs_bytes,duration,time_taken,s_sitename

log.fields = {
  url = {
    type = "page"
  }
}

# v.parse_localtime gates the parse_localtime parsing filter; it starts out false and is
# switched on by the preprocessor when a #Fields header names a localtime field.
log.filter_initialization = `v.parse_localtime = false;`

# This handles #Fields lines, and creates log and database fields from them.
# The field names come from the log file itself, so they are cleaned (see "Clean up the
# field name" below) before being concatenated into profile node paths.
# Every line starting with '#' is rejected so that header lines are never parsed as data.
log.filter_preprocessor = `
if (matches_regular_expression(current_log_line(), '^#Fields: (.*)$')) then (

  string fields = $1;
  string fieldname;
  # Positional index handed to the next log field created with withindex = true
  v.logfieldindex = 1;
  string numerical_fields = "profiles." . internal.profile_name . ".database.numerical_fields";

  # This subroutine creates a database field
  # It assigns "" through the path profiles.<profile>.database.fields.<fieldname> and returns that node.
  subroutine(create_database_field(string fieldname), (
    #echo("create_database_field: " . fieldname);
    debug_message("create_database_field(" . fieldname . ")\n");
    string databasefieldpath = "profiles." . internal.profile_name . ".database.fields." . fieldname;
    (databasefieldpath . "") = "";
    node databasefield = databasefieldpath;
#    set_subnode_value(databasefield, "label", fieldname);
    databasefield;
  ));

  # This subroutine creates a log field under profiles.<profile>.log.fields.<fieldname>.
  #   type      - written as the field's "type" subnode unless it is ''
  #   withindex - when true, the field gets the current v.logfieldindex as its "index"
  #               and the counter is advanced; "subindex" is always set to 0
  # Returns the log field node.
  subroutine(create_log_field(string fieldname, string type, bool withindex), (
    debug_message("create_log_field(" . fieldname . "; type=" . type . ")\n");
    string logfieldpath = "profiles." . internal.profile_name . ".log.fields." . fieldname;
    (logfieldpath . "") = "";
    node logfield = logfieldpath;
#    set_subnode_value(logfield, "label", fieldname);
    if (withindex) then (
      set_subnode_value(logfield, "index", v.logfieldindex);
      v.logfieldindex++;
    );
    set_subnode_value(logfield, "subindex", 0);
    if (type ne '') then
      set_subnode_value(logfield, "type", type);
    logfield;
  ));

  # Assume there isn't a localtime field until we see one.
  v.parse_localtime = false;

  # Extract the fields one at a time
  # NOTE(review): the pattern needs a space after each name, so the last name on the line
  # looks like it is only consumed when the header ends with a trailing space - confirm
  # against real logs.
  while (matches_regular_expression(fields, '^([^ ]+) (.*)$')) (

    string unconverted_fieldname = $1;
    fields = $2;

    # Clean up the field name
    # Lowercase it and map every character outside [a-z0-9] to '_', then strip trailing
    # underscores. Because the name is later joined into a node path with '.', this keeps
    # a header from introducing path separators or other punctuation into the node name.
    # NOTE(review): a name made only of punctuation would reduce to '' here and there is
    # no check for that; two header names that differ only in punctuation also map to the
    # same field name - confirm whether either can occur.
    fieldname = '';
    for (int i = 0; i < length(unconverted_fieldname); i++) (
      string c = lowercase(substr(unconverted_fieldname, i, 1));
      if (!matches_regular_expression(c, '^[a-z0-9]$')) then
        c = '_';
      fieldname .= c;
    );
    while (matches_regular_expression(fieldname, '^(.*)_$'))
      fieldname = $1;

    # Get the log field type
    string log_field_type = '';
    if (fieldname eq 'cs_uri_path') then (
      log_field_type = 'page';
      # cs_uri_path takes over the 'page' type, so the predefined url field is made flat
      ("profiles." . internal.profile_name . ".log.fields.url.type") = 'flat';
    );
    if (fieldname eq 'cs_user_agent') then
      log_field_type = 'agent';
#    if (fieldname eq 'cs_referer') then
#      log_field_type = 'url';

    # Create the log field
    create_log_field(fieldname, log_field_type, true);

    if (fieldname eq "localtime") then
      v.parse_localtime = true;

    # If we're creating a profile, create the database fields too.
    # In the branches below that create derived fields, only the derived fields are added;
    # the raw field itself is added only where a branch does so explicitly (c_ip).
    if (node_exists("volatile.creating_profile")) then (

      # Handle localtime by creating date_time and derived database fields
      if (fieldname eq "localtime") then (
        create_log_field('date', '', false);
        create_log_field('time', '', false);
        create_database_field('date_time');
        create_database_field('day_of_week');
        create_database_field('hour_of_day');
#        ("profiles." . internal.profile_name . ".log.parsing_filters.parse_localtime.disabled") = false;
      ); # if localtime

      # Handle timestamp by creating date_time and derived database fields
      else if (fieldname eq "timestamp") then (
        create_log_field('date', '', false);
        create_log_field('time', '', false);
        create_database_field('date_time');
        create_database_field('day_of_week');
        create_database_field('hour_of_day');
      ); # if timestamp

      # Handle date by creating date_time and derived database fields
      else if (fieldname eq "date") then (
        create_log_field('localtime', '', false); # placeholder - 7/Nov/2006 - KBB
        create_database_field('date_time');
        create_database_field('day_of_week');
        create_database_field('hour_of_day');
#        ("profiles." . internal.profile_name . ".log.parsing_filters.parse_localtime.disabled") = true;
      ); # if date

      else if (fieldname eq "time") then (
        create_database_field('date_time');
        create_database_field('day_of_week');
        create_database_field('hour_of_day');
#        ("profiles." . internal.profile_name . ".log.parsing_filters.parse_localtime.disabled") = true;
      ); # if time

      # Create derived field for agent
      else if (fieldname eq "cs_user_agent") then (
        create_database_field('operating_system');
        create_database_field('web_browser');
      );

      # Create the client IP field and its derived location field
      else if (fieldname eq "c_ip") then (
        create_database_field('c_ip');
        create_database_field('location');
      );

      # Create derived fields for referrer
#      else if (fieldname eq "cs_referer") then (
#        create_database_field('cs_referer');
#        create_database_field('search_engine');
#        create_database_field('search_phrase');
#      );

      # Create derived file type field
      else if (fieldname eq "cs_uri_path") then (
        create_database_field('file_type');
      );

      # Don't add a database field for numerical fields
#      else if (subnode_exists('database.fields', fieldname)) then (
      else if (subnode_exists(numerical_fields, fieldname)) then (
        debug_message("Not adding numerical field: " . fieldname . "\n");
      );

      # Create a normal database field
      else
        create_database_field(fieldname);

    ); # if creating profile

  ); # while another field

  # Don't parse the #Fields line as a data line
  'reject';

); # if #Fields

# Don't parse any other # lines as data lines
else if (starts_with(current_log_line(), '#')) then (
  'reject';
);
`

# Extract date and time from timestamp
# The captured value is handed to normalize_date/normalize_time with the
# 'seconds_since_jan1_1970' format.
# NOTE(review): the pattern is not anchored, so it takes the first run of digits and dots
# found anywhere in the field - confirm that is intended.
log.parsing_filters.parse_timestamp = {
#  disabled = true
  value = `
if (matches_regular_expression(timestamp, '([0-9.]+)')) then (
  date = normalize_date($1, 'seconds_since_jan1_1970');
  time = normalize_time($1, 'seconds_since_jan1_1970');
);
`
  requires_fields = {
    timestamp = true
  }
}

# Extract date and time from localtime
# Only acts when v.parse_localtime is true. The pattern captures the dd/Mon/yyyy date and
# the hh:mm:ss time as written; the GMT offset that follows in the example is not captured,
# so the stored values carry no offset. Keep that in mind when lining these records up
# against logs from other sources.
log.parsing_filters.parse_localtime = {
#  disabled = true
  value = `
# echo("v.parse_localtime=" . " " . v.parse_localtime);
if (v.parse_localtime) then (
  # opening bracket removed because treat_brackets_as_quotes is now true
  # so that a GMT offset after the date and time is not taken as the next field
  #[04/Mar/2003:12:43:22 -0600] 211 10.99.99.99 TCP_MISS 200 8600 GET http://www.here.com/there/images/pineforest.jpg jones DIRECT www.here.com image/jpeg
  #if (matches_regular_expression(localtime, '^\\\\[([0-9]+/[A-Za-z]+/[0-9]+):([0-9]+:[0-9]+:[0-9]+)')) then (
  if (matches_regular_expression(localtime, '([0-9]{2}/[A-Za-z]+/[0-9]{4}):([0-9]+:[0-9]+:[0-9]+)')) then (
    date = $1;
    time = $2;
  );
);
`
  requires_fields = {
    localtime = true
  }
}

# Get web browser, operating system, and spider information from the user-agent field.
# '+' characters are replaced with spaces before the lookup, and the results are read back
# from volatile.web_browser, volatile.operating_system and volatile.spider.
# The User-Agent value is supplied by the client, so these derived fields are only as
# trustworthy as that header.
log.parsing_filters.derive_from_user_agent = {
  value = `get_user_agent_info(replace_all(cs_user_agent, '+', ' '));
web_browser = volatile.web_browser;
operating_system = volatile.operating_system;
spider = volatile.spider;
`
  requires_fields = {
    cs_user_agent = true
  }
}

# # Get search engine and search phrase information from the referrer field (before it gets simplified).
# log.parsing_filters.compute_se_sp = {
#   value = `if (get_search_engine_info(cs_referer)) then (
#     search_engine = volatile.search_engine;
#     search_phrase = volatile.search_phrase;
#);
#`
#   requires_fields = {
#     cs_referer = true
#   }
# }

# Log Filters
# Each filter lists the fields it needs in requires_fields. Several filters write the same
# "url" field, so where more than one applies the later one in this list overwrites or
# extends the value set by the earlier one.
log.filters = {

  set_url = {
    label = "Set URL from cs_host"
    value = "url = cs_host;"
    comment = "Set the hostname as the URL"
    # KBB - 2010-10-21 - it's safe to do this and the next one if both fields exist
#    disabled = true
    requires_fields = {
      url = true
      cs_host = true
      # KBB - 2010-10-21 - a false here does not mean don't do the filter if the field is present
#      cs_uri_scheme = false
#      cs_badvalue1 = true
    }
  } # set_url

  set_url_two = {
    label = "Set URL from cs_uri_scheme and cs_host"
    value = "url = cs_uri_scheme . '://' . cs_host;"
    comment = "Append scheme to the host, set as URL"
    requires_fields = {
      url = true
      cs_host = true
      cs_uri_scheme = true
#      cs_badvalue2 = true
    }
  } # set_url_two

  set_url3 = {
    label = "Set URL from cs_uri_stem"
    value = "url = cs_uri_stem;"
    comment = "Use cs_uri_stem to set the URL. Note that the domain may not be included in the string for transparent proxies."
    requires_fields = {
      url = true
      cs_uri_stem = true
#      cs_host = false
#      cs_uri_path = false
    }
  } # set_url3

  # Falls back to cs_uri only when url is still '(empty)', then keeps just scheme://host/
  set_url_from_uri = {
    label = "Set URL from cs_uri"
    value = "
if (url eq '(empty)') then
  url = cs_uri;
if (matches_regular_expression(url, '^([a-z]+://[^/]+/)')) then
  url = $1;
"
    comment = "Use the cs_uri field to get the URL; and chop off everything after the hostname to keep the database simple"
    requires_fields = {
      cs_uri = true
      url = true
    }
  } # set_url_from_uri

  # Disabled by default: with it off, url holds only what the set_url* filters produced.
  log_full_url = {
    disabled = true
    label = "Track Full URL"
    value = "if (cs_uri_path ne '-') then url = url . cs_uri_path;"
    comment = "Include full path information in the URL"
    requires_fields = {
      cs_uri_path = true
      url = true
    }
  } # log_full_url

  # Enabled by default: keeps the full path for the listed archive and executable file
  # types, so individual downloads of those types stay visible in the url field.
  # NOTE(review): if log_full_url is enabled as well, both filters append cs_uri_path, so
  # the path looks like it would be appended twice for these file types - confirm.
  active_content_url = {
    disabled = false
    label = "Active Content URLs"
    value = "if ((file_type eq 'CAB') or (file_type eq 'OCX') or (file_type eq 'ZIP') or (file_type eq 'EXE') or (file_type eq 'ISO') or (file_type eq 'COM') or (file_type eq 'DLL') or (file_type eq 'RAR')) then url = url . cs_uri_path;"
    comment = "Include full path information in the URL for downloads and active content"
    requires_fields = {
      cs_uri_path = true
      url = true
      file_type = true
    }
  } # active_content_url

  # Enabled by default: sc_bytes is overwritten with 0 for TCP_DENIED entries, so the
  # logged byte count of a denied request is not kept in the sc_bytes field.
  nobytes_on_deny = {
    disabled = false
    label = "nobytes_on_deny"
    value = "if (s_action eq 'TCP_DENIED') then sc_bytes = 0"
    comment = "This filter drops bytes for denied requests so that they don't affect overall bandwidth statistics"
    requires_fields = {
      s_action = true
      sc_bytes = true
    }
  } # nobytes_on_deny

  strip_query = {
    disabled = true
    label = "Strip Query"
    value = "if (starts_with(cs_uri_query, '?')) then cs_uri_query = substr(cs_uri_query, 1);"
    comment = "Strip off leading ? from query"
    requires_fields = {
      cs_uri_query = true
    }
  } # strip_query

  # Disabled by default. Query strings can carry session identifiers or other sensitive
  # parameters; enabling this puts them into the url field and therefore into reports.
  include_query = {
    disabled = true
    label = "Append Query"
    value = "if (cs_uri_query ne '-') then url = url . '?' . cs_uri_query;"
    comment = "Appends query string to the url"
    requires_fields = {
      cs_uri_query = true
      url = true
    }
  } # include_query

  # This filter replaces url parameters (page.html?param1+param2+...) with ?(parameters), to simplify the url hierarchy
  # NOTE(review): requires_fields lists cs_uri_stem although the expression only reads url - confirm.
  simplify_query = {
    disabled = true
    label = "simplify_query"
    value = "if (matches_regular_expression(url, '^(.*\\?).*\\$')) then url = '\\$1(parameters)';"
    comment = "replace query parameters to simplify the URL hierarchy"
    requires_fields = {
      url = true
      cs_uri_stem = true
    }
  } # simplify_query

  # Image, icon, stylesheet, Flash and script file types count as 0 page views; everything else counts as 1
  detect_page_views = {
    label = '$lang_admin.log_filters.detect_page_views_label'
    comment = '$lang_admin.log_filters.detect_page_views_comment'
    value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    requires_fields = {
      file_type = true
      page_views = true
    }
  } # detect_page_views

#  detect_page_views2 = {
#    label = '$lang_admin.log_filters.detect_page_views_label'
##    comment = '$lang_admin.log_filters.detect_page_views_comment'
#    value = "if starts_with(rs_content_type, 'text/html') then page_views = 1; else page_views = 0;"
#    requires_fields = {
#      page_views = true
#      rs_content_type = true
#    }
#  } # detect_page_views2

  # This filter strips off the filename for non-page-views, to improve performance
  strip_non_page_views = {
    disabled = true
    label = '$lang_admin.log_filters.strip_non_page_views_label'
    comment = '$lang_admin.log_filters.strip_non_page_views_comment'
    value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    requires_fields = {
      page_views = true
      url = true
    }
  } # strip_non_page_views

  # Mark this as a hit
  mark_as_hit = {
    label = "mark_as_hit"
    comment = "marks this request as a hit"
    value = "hits = 1;"
    requires_fields = {
      hits = true
    }
  } # mark_as_hit

} # log.filters

# Always include a "url" field in the log and database
log.fields.url = {
  type = "page"
  label = "URL"
  index = 999
  subindex = 999
  hierarchy_dividers = ""
  left_to_right_hierarchy = "true"
  leading_divider = "false"
  case_sensitive = "false"
} # url

# Sessions are keyed on the client IP (c_ip), so clients that share one address are
# treated as a single visitor.
log.field_options = {
  sessions_page_field = "url"
  sessions_visitor_id_field = "c_ip"
  sessions_event_field = "page_views"
}

database.fields.url = {
  label = "url"
  type = "string"
  log_field = "url"
  suppress_top = "1"
  suppress_bottom = "3"
  always_include_leaves = "false"
} # url

# File type database field
database.fields.file_type = {
  label = "file type"
  log_field = "file_type"
  type = "string"
  suppress_top = 0
  suppress_bottom = 2
} # file_type

# Force there to be host and date_time fields in advance, so we get prompted for day-by-day and bottom-level
log.fields.c_ip = {
  type = "host"
  label = "$lang_stats.field_labels.c_ip"
  index = "1"
  subindex = "0"
  hierarchy_dividers = "."
  left_to_right_hierarchy = "false"
  leading_divider = "false"
  case_sensitive = "false"
} # c_ip

log.fields.date_time = {
  label = "$lang_stats.field_labels.date_time"
  type = "date_time"
  derived_from_1 = "date"
  derived_from_2 = "time"
  index = "0"
  subindex = "0"
} # date_time

# add a worm database field
database.fields.worm = {
  label = "worm"
  log_field = "worm"
  type = "string"
  suppress_top = 0
  suppress_bottom = 2
} # worm

# Numerical (aggregated) fields. The preprocessor checks this group and does not create an
# ordinary database field for a log field whose name appears here.
database.numerical_fields = {

  hits = {
    label = $lang_stats.field_labels.hits
    default = false
    requires_log_field = false
    type = int
    display_format_type = integer
    entries_field = true
  } # hits

  page_views = {
    label = $lang_stats.field_labels.page_views
    default = true
    requires_log_field = false
    type = int
    display_format_type = integer
  } # page_views

  # Unique count over c_ip
  visitors = {
    label = $lang_stats.field_labels.visitors
    default = false
    requires_log_field = true
    log_field = c_ip
    type = unique
    display_format_type = integer
  } # visitors

  cs_bytes = {
    label = $lang_stats.field_labels.cs_bytes
    default = false
    requires_log_field = true
    type = float
    display_format_type = bandwidth
  } # cs_bytes

  sc_bytes = {
    label = $lang_stats.field_labels.sc_bytes
    default = false
    requires_log_field = true
    type = float
    display_format_type = bandwidth
  } # sc_bytes

  time_taken = {
    label = $lang_stats.field_labels.time_taken
    default = false
    requires_log_field = true
    type = float
    display_format_type = duration_milliseconds
  } # time_taken

} # database.numerical_fields

create_profile_wizard_options = {

  date_time_tracking = true
  host_tracking = true

  ######### START OF FINAL_STEP CODE
  # final_step works on the profile named by volatile.new_profile_name: it deletes a fixed
  # list of database fields, adds the standard reports, sets session defaults, and adds a
  # pie chart to the category report when a category field exists. Everything after the
  # category block is commented out.
  final_step = `
include "templates.admin.profiles.setup_reports_util";

string profile = "profiles." . volatile.new_profile_name;

# Remove non-essential database fields to reduce size and complexity
# avoids creating reports for these items
# 2008-05-29 - GMF - Uncommented s-supplier-name, because a customer wanted it
# 2009-06-03 - GMF - Commented location.
# The fields deleted here (query string, URI path/stem/port/full URI, s_ip, content type,
# among others) are removed from the new profile's database fields, so by default they are
# not there to report on or search.
delete_database_field(profile, 'cs_uri_query');
delete_database_field(profile, 's_hierarchy');
#delete_database_field(profile, 's_supplier_name');
#delete_database_field(profile, 'location');
delete_database_field(profile, 'spider');
delete_database_field(profile, 'domain_description');
delete_database_field(profile, 'cs_uri_path');
delete_database_field(profile, 'cs_uri_stem');
delete_database_field(profile, 'cs_uri_port');
delete_database_field(profile, 'cs_uri');
delete_database_field(profile, 's_ip');
delete_database_field(profile, 'cs_content_type');

# Start with the standard reports based on remaining DB fields
add_standard_reports(profile);

# Set sessions defaults
# NOTE(review): the unit of session_timeout is not stated in this file - confirm.
(profile . ".statistics.miscellaneous.session_timeout") = "240";
(profile . ".statistics.miscellaneous.remove_reloads_from_sessions") = "false";

# enable date column on log detail report
(profile . ".statistics.reports.log_detail.report_elements.log_detail.columns.date_time.report_field") = "date_time";
(profile . ".statistics.reports.log_detail.report_elements.log_detail.columns.date_time.visible") = "true";

node dbfield = profile . ".database.fields";
node reports = profile . ".statistics.reports";
string reportname = "none";

# create a category variable - set it to the category type in use with this log format
# sc_filter_category is preferred; cs_category is used only when it is absent
string category = "none";
if (node_exists(dbfield . ".sc_filter_category")) then
  category = "sc_filter_category";
else if (node_exists(dbfield . ".cs_category")) then
  category = "cs_category";

# category related reports and report options
if (category ne 'none') then (

#  # create a user-action-category xrefgroup
#  add_field_to_xref_group(profile, "xrefgroup1", "date_time");
#  add_field_to_xref_group(profile, "xrefgroup1", "page_views");
#  add_field_to_xref_group(profile, "xrefgroup1", "cs_username");
#  add_field_to_xref_group(profile, "xrefgroup1", category);
#  add_field_to_xref_group(profile, "xrefgroup1", "sc_filter_result");
#  add_field_to_xref_group(profile, "xrefgroup1", "sc_bytes");
#  add_field_to_xref_group(profile, "xrefgroup1", "cs_bytes");
#  add_field_to_xref_group(profile, "xrefgroup1", "visitors");
#  add_field_to_xref_group(profile, "xrefgroup1", "time_taken");
#  add_field_to_xref_group(profile, "xrefgroup1", "hits");
#
#  # create a domain to category xref group
#  add_field_to_xref_group(profile, "domain_category", "date_time");
#  add_field_to_xref_group(profile, "domain_category", "cs_host");
#  add_field_to_xref_group(profile, "domain_category", "cs_username");
#  add_field_to_xref_group(profile, "domain_category", category);
#  add_field_to_xref_group(profile, "domain_category", "page_views");
#  add_field_to_xref_group(profile, "domain_category", "sc_bytes");
#  add_field_to_xref_group(profile, "domain_category", "cs_bytes");
#  add_field_to_xref_group(profile, "domain_category", "visitors");
#  add_field_to_xref_group(profile, "domain_category", "time_taken");
#  add_field_to_xref_group(profile, "domain_category", "hits");

  # Add a Pie Chart to the Content Categories Report
  # set to page views by default, change to sc_bytes if it exists
  node scfgraph = profile . ".statistics.reports." . category . ".report_elements." . category;
  (scfgraph . ".show_graph") = true;
  (scfgraph . ".graph.pie_chart") = true;
  (scfgraph . ".graph.image_width") = 300;
  (scfgraph . ".graph.image_height") = 300;
  if node_exists(dbfield . ".sc_bytes") then
    (scfgraph . ".graph.numerical_fields.sc_bytes") = true;
  else if node_exists(dbfield . ".page_views") then
    (scfgraph . ".graph.numerical_fields.page_views") = true;

  # Add multi-column reports including category info
#  if (node_exists(dbfield . ".cs_username")) then (
#    add_table_report_element(profile, "category_by_user", "Categories by User", "category_by_user", "Categories by User", "cs_username", category, "page_views", "page_views", "descending");
#    add_table_report_element(profile, "users_by_category", "Users by Category", "users_by_category", "Users by Category", category, "cs_username", "page_views", "page_views", "descending");
#    reportname = ".category_by_user.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "cs_host";
#    string reportname = ".cs_username.";
##    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "domains_by_category";
#    reportname = ".users_by_category.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "cs_host";
#    # Filter unauthenticated requests from user_by_category report
#    # Disabled until inverse cross-reference table queries are supported
#    #(profile . ".statistics.reports.users_by_category.filter.expression") = "not (cs_username within '-')";
#  );
#  if (node_exists(dbfield . ".c_ip")) then (
#    add_table_report_element(profile, "category_by_ip", "Categories by IP", "category_by_ip", "Categories by IP", "c_ip", category, "page_views", "page_views", "descending");
#    reportname = ".c_ip.";
##    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "domains_by_category";
#    reportname = ".category_by_ip.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "cs_host";
#  );
#  if (node_exists(dbfield . ".sc_filter_result")) then (
#    add_table_report_element(profile, "result_by_category", "Category Actions", "result_by_category", "Category Actions", category, "sc_filter_result", "page_views", "page_views", "descending");
#  );
#  if (node_exists(dbfield . ".cs_host")) then (
#    add_table_report_element(profile, "domains_by_category", "Domains by Category", "domains_by_category", "Domains by Category", category, "cs_host", "page_views", "page_views", "descending");
#    reportname = ".individual_sessions.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "domains_by_category";
#  );

); # category related report options

# add c_ip to the worm xref group
#if (node_exists(dbfield . ".worm")) then (
#  add_field_to_xref_group(profile, "worm", "c_ip");
#  add_table_report_element(profile, "ip_by_worm", "Worms", "ip_by_worm", "Worms", "worm", "c_ip", "hits", "hits", "descending");
#); # add c_ip to the worm xref group

# Add multi-column reports
# --------------------------------------------
# Add domain to IP and username
# 2010-07-16 - GMF - Commenting these out because they're not in the reports menu, and so are mostly useless.
#if (node_exists(dbfield . ".cs_host")) then (
#  reportname = ".s_action.";
#  (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "cs_host";
#  if (node_exists(dbfield . ".cs_username")) then (
#    add_table_report_element(profile, "domains_by_user", "Domains by User", "domains_by_user", "Domains by User", "cs_username", "cs_host", "page_views", "page_views", "descending");
#    add_table_report_element(profile, "users_by_domain", "Users by Domain", "users_by_domain", "Users by Domain", "cs_host", "cs_username", "page_views", "page_views", "descending");
#    if (category ne 'none') then (
#      reportname = "." . category . ".";
#      (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "domains_by_user";
#    );
#    reportname = ".result_by_category.";
#    if (node_exists(reports . reportname . "report_elements" . reportname)) then
#      (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "domains_by_user";
#    reportname = ".cs_host.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "cs_username";
#    reportname = ".domains_by_user.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "log_detail";
#    reportname = ".users_by_domain.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "log_detail";
#    if (node_exists(reports . ".rs_content_type")) then (
#      reportname = ".rs_content_type.";
#      (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "domains_by_user";
#    );
#  );
#  if (node_exists(dbfield . ".c_ip")) then (
#    add_table_report_element(profile, "domains_by_ip", "Domains by IP", "domains_by_ip", "Domains by IP", "c_ip", "cs_host", "page_views", "page_views", "descending");
#    add_table_report_element(profile, "urls_by_ip", "URLs by IP", "urls_by_ip", "URLs by IP", "c_ip", "url", "page_views", "page_views", "descending");
#    add_table_report_element(profile, "ip_by_domain", "IPs by Domain", "ip_by_domain", "IPs by Domain", "cs_host", "c_ip", "page_views", "page_views", "descending");
#    reportname = ".domains_by_ip.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "log_detail";
#  );
#);

# 2009-01-22 - GMF - Disabled everything below this point because it is not compatible with v8.
# It is certainly possible to make it compatible, but let's see if anyone misses these reports, first (which were created by Blue Coat).

# Add ICAP Reports
#if (node_exists(dbfield . ".x_virus_id")) then (
#  if (node_exists(dbfield . ".c_ip")) then (
#    add_table_report_element(profile, "virus_by_ip", "ICAP Virus IP Detail", "virus_by_ip", "ICAP Virus IP Detail", "c_ip", "x_virus_id", "page_views", "page_views", "descending");
#    reportname = ".x_virus_id.";
#    (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "c_ip";
#  );
#  if (node_exists(dbfield . ".url")) then (
#    add_table_report_element(profile, "virus_with_url", "ICAP Virus URL detail", "virus_with_url", "ICAP Virus URL detail", "x_virus_id", "url", "page_views", "page_views", "descending");
#  );
#  if (node_exists(dbfield . ".cs_username")) then (
#    add_table_report_element(profile, "virus_by_user", "ICAP Virus User Detail", "virus_by_user", "ICAP Virus User Detail", "cs_username", "x_virus_id", "page_views", "page_views", "descending");
##  );
#  # filter the null value '-' from the x_virus_id reports
#  # disabled until inverse cross-reference table queries are supported
#  #(profile . ".statistics.reports.x_virus_id.report_elements.x_virus_id.filter.expression") = "not (x_virus_id within '-')";
#  #(profile . ".statistics.reports.virus_by_ip.report_elements.virus_by_ip.filter.expression") = "not (x_virus_id within '-')";
#  #(profile . ".statistics.reports.virus_with_url.report_elements.virus_with_url.filter.expression") = "not (x_virus_id within '-')";
#  #(profile . ".statistics.reports.virus_by_user.report_elements.virus_by_user.filter.expression") = "not (x_virus_id within '-')";
#);
#
#
## Create a report displaying authentication failures
## ---------------------------------------------------
#if (node_exists(dbfield . ".cs_username")) and (node_exists(dbfield . ".sc_status")) then (
#  add_table_report_element(profile, "user_auth_fail", "Authentication Failures", "user_auth_fail", "Authentication Failures", "cs_username", "c_ip", "hits", "hits", "descending");
#  # Tailor the filters for the user_auth_fail report
#  (profile . ".statistics.reports.user_auth_fail.filter.expression") = "((not(cs_username within '-')) and ((sc_status within 407) or (sc_status within 401)))";
#  (profile . ".statistics.reports.user_auth_fail.report_elements.user_auth_fail.columns.0.header_label") = "Failed Usernames";
#  (profile . ".statistics.reports.user_auth_fail.report_elements.user_auth_fail.sub_table.show_totals_row") = false;
#  reportname = ".user_auth_fail.";
#  (reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "log_detail";
#);
#
#
## Create group based reports and (xrefs currently commented out) if the cs_groups log field exists
#if (node_exists(dbfield . ".cs_auth_group")) then (
#  if (node_exists(dbfield . "." . category)) then
#    add_table_report_element(profile, "category_by_group", "Categories by Group", "category_by_group", "Categories by Group", "cs_auth_group", category, "page_views", "page_views", "descending");
#  if (node_exists(dbfield . ".cs_host")) then
#    add_table_report_element(profile, "domain_by_group", "Domains by Group", "domain_by_group", "Domains by Group", "cs_auth_group", "cs_host", "page_views", "page_views", "descending");
#  if (node_exists(dbfield . ".cs_username")) then
#    add_table_report_element(profile, "user_by_group", "Users by Group", "user_by_group", "Users by Group", "cs_auth_group", "cs_username", "page_views", "page_views", "descending");
#  #add_field_to_xref_group(profile, "group_user_xref", "date_time");
#  #add_field_to_xref_group(profile, "group_user_xref", "cs_auth_groups");
#  #add_field_to_xref_group(profile, "group_user_xref", "cs_username");
#  #add_field_to_xref_group(profile, "group_user_xref", category);
#  #add_field_to_xref_group(profile, "group_user_xref", "page_views");
#  #add_field_to_xref_group(profile, "group_user_xref", "sc_bytes");
#  #add_field_to_xref_group(profile, "group_user_xref", "cs_bytes");
#  #add_field_to_xref_group(profile, "group_user_xref", "visitors");
#  #add_field_to_xref_group(profile, "group_user_xref", "time_taken");
#  #add_field_to_xref_group(profile, "group_user_xref", "hits");
#  add_field_to_xref_group(profile, "cs_auth_group", category);
#);
#
#
#
## Set Default zoom for hour of day report, cs_username settings
#
#reportname = ".hour_of_day.";
#(reports . reportname . "report_elements" . reportname . "default_report_on_zoom") = "cs_username";
#
#
## Filter unauthenticated requests from username reports
## Disabled until inverse cross-reference table queries are supported
##(profile . ".statistics.reports.cs_username.filter.expression") = "not (cs_username within '-')";
##(profile . ".statistics.reports.users_by_domain.filter.expression") = "not (cs_username within '-')";
#
#
##Classify uri-stem or uri-path as page instead of URL
#if (node_exists(profile . ".log.fields.cs_uri_stem")) then (
#  (profile . ".log.fields.url.type") = "flat";
#  (profile . ".log.fields.cs_uri_stem.type") = "page";
#)
#else if (node_exists(profile . ".log.fields.cs_uri_path")) then (
#  (profile . ".log.fields.url.type") = "flat";
#  (profile . ".log.fields.cs_uri_path.type") = "page";
#);
`
  ######### END OF FINAL_STEP CODE

  # Grouping of reports in the report menu.
  # Some names listed here (for example user_auth_fail and virus_with_url) refer to reports
  # whose creation code in final_step is commented out.
  report_groups = {
    overview = true
    date_time_group = {
      date_time = true
      days = true
      day_of_week = true
      hour_of_day = true
    }
    security_group = {
      spider = true
      x_virus_id = true
#      virus_by_ip = true
#      virus_by_user = true
      virus_with_url = true
      worm = true
#      ip_by_worm = true
    }
    filtering_group = {
      category = true
      cs_category = true
      cs_categories = true
      sc_filter_category = true
#      result_by_category = true
#      category_by_user = true
#      category_by_ip = true
      sc_filter_result = true
#      domains_by_category = true
    }
    content_group = {
      cs_host = true
#      domains_by_user = true
#      domains_by_ip = true
#      urls_by_ip = true
      url = true
      file_type = true
      s_sitename = true
      s_computername = true
      s_ip = true
      s_supplier_name = true
      s_hierarchy = true
      cs_uri_path = true
      rs_content_type = true
    }
    users_group = {
      user_auth_fail = true
      c_ip = true
#      ip_by_domain = true
#      users_by_domain = true
#      users_by_category = true
      domain_description = true
      location = true
      cs_username = true
      cs_user_agent = true
    }
    referrer_group = {
      cs_referer = ""
      search_phrase = ""
      search_engine = ""
    } # referrer_group
    technical_group = {
      cs_method = true
      cs_version = true
      sc_status = true
      s_port = true
      r_port = true
      s_action = true
      cs_uri_scheme = true
      cs_content_type = true
      web_browser = true
      operating_system = true
    }
    department_group = {
      cs_auth_group = true
#      category_by_group = true
#      user_by_group = true
#      domain_by_group = true
      af_site_name = "site name"
      af_country_code = "country code"
      af_reporting_region_code = "reporting region code"
      af_reporting_sector_code = "reporting sector code"
      af_hyperion_code = "hyperion code"
    }
    sessions_group = {
      sessions_overview = true
      session_paths = true
      session_page_paths = true
      entry_pages = true
      exit_pages = true
      session_pages = true
      session_users = true
      individual_sessions = true
    }
    log_detail = true
  } # report_groups

  snapons = {

    # Attach a top_level_domain snapon
    top_level_domain = {
      snapon = "top_level_domain"
      name = "top_level_domain"
      label = "$lang_admin.snapons.top_level_domain.label"
      parameters = {
        url_field.parameter_value = "url"
        field_name = {
          parameter_value = "$lang_admin.field_labels.top_level_domain"
          final_node_name = "top_level_domain"
        }
      } # parameters
    } # top_level_domain

    # Attach a gateway_reports snapon
    # NOTE(review): final_step looks for sc_filter_category or cs_category, while
    # category_field here names cs_categories and have_category_field is always true -
    # confirm which category field the logs actually carry.
    gateway_reports = {
      snapon = "gateway_reports"
      name = "gateway_reports"
      label = "$lang_admin.snapons.gateway_reports.label"
      parameters = {
        user_field.parameter_value = "cs_username"
        have_category_field.parameter_value = true
        category_field.parameter_value = "cs_categories"
        host_field.parameter_value = "top_level_domain"
        page_views_field.parameter_value = "page_views"
        bytes_in_field.parameter_value = "sc_bytes"
        sort_by_field.parameter_value = "page_views"
      } # parameters
    } # gateway_reports

    # Attach the referrer_analysis snapon
    # Offered only when a cs_referer database field exists, and not attached by default
    referrer_analysis = {
      snapon = "referrer_analysis"
      name = "referrer_analysis"
      label = "$lang_admin.snapons.referrer_analysis.label"
      prompt_to_attach = true
      prompt_to_attach_default = false
      parameters = {
        referrer_field.parameter_value = "cs_referer"
      } # parameters
      requires_database_fields = {
        cs_referer = true
      } # requires_database_fields
    } # referrer_analysis

    # 2013-02-06 - GMF - Now added in gateway_reports
#    # Add the standard reports
#    add_standard_reports = {
#      name = "add_standard_reports"
#      label = "add_standard_reports"
#      snapon = "add_standard_reports"
#    } # add_standard_reports

  } # snapons

} # create_profile_wizard_options

not_supported = {
} # not_supported

} # blue_coat_w3_c