# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for Microsoft Forefront Threat Management Gateway (TMG) 2010
# logs exported as tab-separated text. The column layout is not fixed here: the
# log.filter_preprocessor below reads the header line of each log and creates the
# log fields (and, when a profile is being created, the database fields) from it.
#
# NOTE(review): the node name below spells "thread" where the product name is
# "Threat". The name is probably referenced elsewhere (e.g. by file name), so it
# is left as-is here; rename it only together with every reference.
#
# NOTE(review): on this copy of the file the field separator and the field-splitting
# regular expressions show a plain space where the comments say "tab". Confirm that
# the stored bytes are literal tab characters before editing any of those strings.
forefront_thread_management_gateway_tsv = {
  plugin_version = "1.0"
  info.1.manufacturer = "Microsoft"
  info.1.device = "Forefront Threat Management Gateway (Tab-separated)"
  info.1.version.1 = "2010"

  # 2013-11-22 - 1.0 - GMF - Initial creation

  # The name of the log format
  log.format.format_label = "Microsoft Forefront Threat Management Gateway (Tab-separated)"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # (i.e. the header line begins with the "Client Agent" and "Authenticated Client" columns).
  log.format.autodetect_regular_expression = "^Client Agent Authenticated Client"

  # Log fields are separated by tabs
  log.format.field_separator = " "

  # This handles header lines (assuming they always start with Client Agent), and creates
  # log and database fields from them.
  #
  # Runs on every raw line. A line matching the header pattern is split into column
  # names; each name is normalised to [a-z0-9_] and turned into a log field whose
  # "index" is its 1-based column position. Header and '#' lines evaluate to 'reject'
  # so they are not parsed as data.
  #
  # NOTE(review): this match is looser than autodetect_regular_expression: any data
  # line whose first column begins with "Client Agent " would also be treated as a
  # header and would redefine the field layout for the rest of the file. Anchoring on
  # the same prefix the autodetect expression uses would close that gap; confirm the
  # header always carries "Authenticated Client" as its second column first.
  log.filter_preprocessor = `
if (matches_regular_expression(current_log_line(), '^(Client Agent .*)$')) then (
  string fields = $1;
  string fieldname;
  # 1-based column position assigned to the next log field that asks for an index
  v.logfieldindex = 1;
  # Path of this profile's numerical_fields node; columns listed there get no plain database field
  string numerical_fields = "profiles." . internal.profile_name . ".database.numerical_fields";

  # This subroutine creates a database field
  # Creates (or resets to "") the node profiles.<profile>.database.fields.<fieldname>
  # and returns it.
  subroutine(create_database_field(string fieldname), (
    #echo("create_database_field: " . fieldname);
    debug_message("create_database_field(" . fieldname . ")\n");
    string databasefieldpath = "profiles." . internal.profile_name . ".database.fields." . fieldname;
    (databasefieldpath . "") = "";
    node databasefield = databasefieldpath;
    # set_subnode_value(databasefield, "label", fieldname);
    databasefield;
  ));

  # Creates the node profiles.<profile>.log.fields.<fieldname> and returns it.
  #   type      - log field type; only written when non-empty
  #   withindex - when true, the field gets the current column index and the
  #               column counter advances
  subroutine(create_log_field(string fieldname, string type, bool withindex), (
    debug_message("create_log_field(" . fieldname . "; type=" . type . ")\n");
    string logfieldpath = "profiles." . internal.profile_name . ".log.fields." . fieldname;
    (logfieldpath . "") = "";
    node logfield = logfieldpath;
    # set_subnode_value(logfield, "label", fieldname);
    if (withindex) then (
      set_subnode_value(logfield, "index", v.logfieldindex);
      v.logfieldindex++;
    );
    set_subnode_value(logfield, "subindex", 0);
    if (type ne '') then set_subnode_value(logfield, "type", type);
    logfield;
  ));

  # Extract the fields one at a time (separated by tabs)
  while (matches_regular_expression(fields, '^([^ ]+) (.*)$')) (
    string unconverted_fieldname = $1;
    fields = $2;

    # Clean up the field name: lowercase it, replace every character outside
    # [a-z0-9] with '_', then strip trailing underscores. Because the name is
    # spliced into a profile node path below, this is what keeps header text from
    # naming arbitrary nodes ("Malware Inspection Duration (msec)" becomes
    # "malware_inspection_duration__msec").
    # NOTE(review): a column made only of non-alphanumeric characters ends up as
    # an empty name and still creates a field; not guarded here — confirm whether
    # the TMG header can ever contain such a column.
    fieldname = '';
    for (int i = 0; i < length(unconverted_fieldname); i++) (
      string c = lowercase(substr(unconverted_fieldname, i, 1));
      if (!matches_regular_expression(c, '^[a-z0-9]$')) then c = '_';
      fieldname .= c;
    );
    while (matches_regular_expression(fieldname, '^(.*)_$')) fieldname = $1;

    # Get the log field type (only original_client_ip is typed, as a host)
    string log_field_type = '';
    if (fieldname eq 'original_client_ip') then log_field_type = 'host';

    # Create the log field
    create_log_field(fieldname, log_field_type, true);

    # If we're creating a profile, create the database fields too.
    if (node_exists("volatile.creating_profile")) then (
      # Handle date by creating date_time and derived database fields
      # (the gmt_log_time column itself is split into date/time by parse_gmt_log_file below)
      if (fieldname eq "gmt_log_time") then (
        create_database_field('date_time');
        create_database_field('day_of_week');
        create_database_field('hour_of_day');
        # ("profiles." . internal.profile_name . ".log.parsing_filters.parse_localtime.disabled") = true;
      ); # if date
      # else if (fieldname eq "time") then (
      #   create_database_field('date_time');
      #   create_database_field('day_of_week');
      #   create_database_field('hour_of_day');
      # ); # if time

      # Create derived field for agent
      else if (fieldname eq "original_client_ip") then (
        create_database_field('original_client_ip');
        # create_database_field('location');
      );

      # Don't add a database field for numerical fields
      else if (subnode_exists(numerical_fields, fieldname)) then (
        debug_message("Not adding numerical field: " . fieldname . "\n");
      );

      # Create a normal database field
      else create_database_field(fieldname);
    ); # if creating profile
  ); # while another field

  # Don't parse the header line as a data line
  'reject';
); # if header line (Client Agent ...)

# Don't parse any other # lines as data lines
else if (starts_with(current_log_line(), '#')) then (
  'reject';
);
`

  # Log fields
  # date and time are declared statically; every other log field is created by
  # the preprocessor from the header line.
  log.fields = {
    date = ""
    time = ""
    # original_client_ip.type = "host"
  } # log.fields

  # Database fields
  # Intentionally empty here: database fields are created by the preprocessor
  # while the profile is being created.
  database.fields = {
    # date = ""
    # time = ""
    # day_of_week = ""
    # hour_of_day = ""
  } # database.fields

  # Splits the gmt_log_time column ("<date> <time>", date made of digits and '/')
  # into the date and time log fields declared above.
  log.parsing_filters.parse_gmt_log_file = {
    value = `
if (matches_regular_expression(gmt_log_time, '^([0-9/]+) (.*)$')) then (
  date = $1;
  time = $2;
);
`
    requires_fields = {
      gmt_log_time = true
    } # requires_fields
  } # log.parsing_filters.parse_gmt_log_file

  # Log Filters
  log.filters = {
    # Counts every accepted line as one event
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) database fields. Columns whose normalised name matches
  # one of these are skipped by the preprocessor's database-field creation.
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # NOTE(review): this disabled field refers to "c_ip", a name the header
    # normalisation above would not produce ("Client IP" becomes "client_ip");
    # presumably a leftover from another plugin.
    # unique_client_ips = {
    #   log_field = "c_ip"
    #   type = "unique"
    # } # unique_client_ips
    bytes_sent = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_sent
    bytes_received = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_received
    processing_time = {
      integer_bits = 64
      # NOTE(review): unquoted, unlike the other display_format_type values — confirm
      # a bare token is accepted here.
      display_format_type = duration_milliseconds
    } # processing_time
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    # (keys are the normalised column names the preprocessor derives from the header)
    report_groups = {
      date_time_group = ""
      client_group = {
        client_ip = true
        client_agent = true
        authenticated_client = true
        original_client_ip = true
        client_username = true
        client_application_sha1_hash = true
        client_application_trust_state = true
        client_application_internal_name = true
        client_application_product_name = true
        client_application_product_version = true
        client_application_file_version = true
        client_application_original_file_name = true
        client_fqdn = true
        forefront_tmg_client_version = true
        source_port = true
      } # client_group
      destination_group = {
        destination_host_name = true
        url_destination_host_name = true
        destination_ip = true
        destination_port = true
        destination_network = true
      } # destination_group
      content_group = {
        url_categorization_reason = true
        url = true
        url_category = true
        content_delivery_method = true
      } # content_group
      uag_group = {
        uag_array_id = true
        uag_version = true
        uag_module_id = true
        uag_id = true
        uag_severity = true
        uag_type = true
        uag_event_name = true
        uag_session_id = true
        uag_trunk_name = true
        uag_service_name = true
        uag_error_code = true
      } # uag_group
      other_group = {
        service = true
        referring_server = true
        transport = true
        http_method = true
        filter_information = true
        mime_type = true
        object_source = true
        cache_information = true
        error_information = true
        session_type = true
        bidirectional = true
        network_interface = true
        raw_ip_header = true
        raw_payload = true
        location = true
        authentication_server = true
        internal_service_info_log_field = true
        log_time = true
        protocol = true
        action = true
        overridden_rule = true
        nis_scan_result = true
        nis_signature = true
        nis_application_protocol = true
        rule = true
        result_code = true
        http_status_code = true
        source_network = true
        server_name = true
        log_record_type = true
        malware_inspection_action = true
        malware_inspection_result = true
        threat_name = true
        threat_level = true
        malware_inspection_duration__msec = true
        nat_address = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options
} # forefront_thread_management_gateway_tsv