# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. aventail_web_access_syslog_required = { plugin_version = "1.0" info.1.manufacturer = "Aventail" info.1.device = "SSL VPN" info.1.version = "" info.2.manufacturer = "SonicWall" info.2.device = "Aventail SSL VPN" info.2.version = "9.0" # 2009-11-04 - 1.0 - KBB - Identical to version 1.2 of aventail_web_access.cfg, from which syslog # support was backed out in version 1.3. All changes should be duplicated in both plug-ins. # The name of the log format log.format.format_label = "Aventail Web Access (Syslog Required) Log Format" log.miscellaneous.log_data_type = "syslog_required" log.miscellaneous.log_format_type = "network_device" # The log is in this format if any of the first ten lines match this regular expression # example with syslog: #2007-02-06 15:13:14 Local4.Info 10.1.11.11 Feb 6 15:17:25 syslog-ng@totaventail-aventail1 local4.info logger: 222.222.222.222 - (split)@(Local) [06/Feb/2007:11:19:36 +0700] "GET http://127.0.0.1:8085/workplace/assets/aventail/progMid_fill.gif HTTP/1.1" 200 852 #log.format.autodetect_regular_expression = "^[^ ]* [^ ]* .* \\[../.../....:..:..:...*\\] \"[A-Z]* [^ ]* HTTP[^\"]*\" [0-9]* [-0-9]* *$" log.format.autodetect_regular_expression = '\\[../.../....:..:..:...*\\] "[A-Z]* [^ ]* HTTP[^"]*" [0-9]* [-0-9]*' # log.format.autodetect_expression = ` #matches_regular_expression(volatile.log_data_line, '\\[../.../....:..:..:...*\\] "[A-Z]* [^ ]* HTTP[^"]*" [0-9]* [-0-9]* *$') or #matches_regular_expression(volatile.log_data_line, '\\[../.../....:..:..:...*\\] "[A-Z]* [^ ]* HTTP[^"]*" [0-9]* [-0-9]* "[^"]"$') #` log.format.autodetect_lines = 10000 # All log field parsing will be done using the parsing filters log.format.parse_only_with_filters = "true" # The format of dates and times in this log log.format.date_format = "dd/mmm/yyyy:hh:mm:ss" log.format.time_format = "dd/mmm/yyyy:hh:mm:ss" # Log fields log.fields = { hostname.type = "host" server_domain = "" authenticated_user = "" date_time = "" method = "" page.type = "page" protocol = "" server_response = "" size = "" realm = "" group = "" type = "" } # log.fields # Database fields database.fields = { date_time = "" day_of_week = "" hour_of_day = "" method = "" #protocol = "" page = { suppress_bottom = 9 display_format_type = "page" } # page file_type = "" worm = "" hostname = "" domain_description = "" location = { suppress_bottom = 3 } # location authenticated_user = "" server_response = "" realm = "" group = "" type = "" } # database.fields # Log Parsing Filters log.parsing_filters.parse = ` #2007-02-06 15:13:14 Local4.Info 10.1.11.11 Feb 6 15:17:25 syslog-ng@totaventail-aventail1 local4.info logger: 222.222.222.222 - (split)@(Local) [06/Feb/2007:11:19:36 +0700] "GET http://127.0.0.1:8085/workplace/assets/aventail/progMid_fill.gif HTTP/1.1" 200 852 # strip additional syslog entry (one or more specific Unix syslog formats) # (note several optional elements at end of syslog - this works because the beginning of the # Aventail part is so specific - if we support more types of log entries, this will need to change) if (matches_regular_expression(v.syslog_message, '[A-Z][a-z][a-z] [ 0-9]{0,1}[0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ [^ ]* *[^ ]* *([^ ]+ [^ ]+ (-|\\\\(.*\\\\)) \\\\[../.../....:..:..:...*\\\\] ".*)$')) then ( v.syslog_message = $1; ); #122.22.2.2 - - [19/Oct/2009:19:37:55 +0000] "GET / HTTP/1.1" 302 344 "-" #122.22.2.2 - - [19/Oct/2009:19:37:55 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" if (matches_regular_expression(v.syslog_message, '([^ ]+) ([^ ]+) (.*) \\\\[(../.../....:..:..:..)[^]]*\\\\] "([A-Z]+) ([^ ]+) ([A-Z]+[^"]*)" ([0-9]*) ([-0-9]*)')) then ( set_collected_field('', 'hostname', $1); set_collected_field('', 'server_domain', $2); set_collected_field('', 'authenticated_user', $3); set_collected_field('', 'date_time', $4); set_collected_field('', 'method', $5); set_collected_field('', 'page', $6); set_collected_field('', 'protocol', $7); set_collected_field('', 'server_response', $8); set_collected_field('', 'size', $9); accept_collected_entry('', false); ); ` # Log Filters log.filters = { realm_no_user = { label = "get realm from user string" comment = "get realm from user string" value = "if contains(authenticated_user,')@(') then realm = substr(authenticated_user, index(authenticated_user,')@(')+3, length(authenticated_user)-index(authenticated_user,')@(')-4);" } # realm_no_user strip_realm_from_user = { label = "authenticated user" comment = "authenticated user" value = "if contains(authenticated_user,')@(') then authenticated_user = substr(authenticated_user, 1, index(authenticated_user,')@(')-1);" } # strip_realm_from_user strip_parens_from_user = { label = "strip parens from user" comment = "can't see user name in authenticated users report if starts with (" value = "if starts_with(authenticated_user,'(') then authenticated_user = substr(authenticated_user, 1, length(authenticated_user)-2);" } # strip_parens_from_user not_authenticated = { label = "$lang_admin.log_filters.not_authenticated_label" comment = "$lang_admin.log_filters.not_authenticated_comment" value = "if (authenticated_user eq '-') then authenticated_user = '(not authenticated)';" } # not_authenticated (moved to after stripping () from (user name) ... this shouldn't appear in auth_users report) not_authenticated_2 = { label = "not authenticated 2" comment = "mark 'empty' user as '(not authenticated)'" value = "if (authenticated_user eq 'empty') then authenticated_user = '(not authenticated)';" } # not_authenticated_2 default_realm = { label = "mark default realm" comment = "mark default realm" value = "if ((realm eq '(empty)') and (authenticated_user ne '(not authenticated)')) then realm = 'default realm';" } # default_realm populate_group = { label = "populate group" comment = "This filter can be changed in order to group users" value = "group = 'Default';" } # populate_group set_page_for_worm = { label = "$lang_admin.log_filters.set_page_for_worm_label" comment = "$lang_admin.log_filters.set_page_for_worm_comment" value = "if (starts_with(worm, '(')) then '' else page = '(worm)';" } # set_page_for_worm remove_query = { label = "$lang_admin.log_filters.remove_query_label" comment = "$lang_admin.log_filters.remove_query_comment" value = "if (contains(page, '?')) then page = substr(page, 0, index(page, '?') + 1) . '(parameters)';" } # remove_query detect_page_views = { label = '$lang_admin.log_filters.detect_page_views_label' comment = '$lang_admin.log_filters.detect_page_views_comment' value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;" } # detect_page_views strip_non_page_views = { label = '$lang_admin.log_filters.strip_non_page_views_label' comment = '$lang_admin.log_filters.strip_non_page_views_comment' value = "if (page_views == 0) then page = substr(page, 0, last_index(page, '/') + 1) . '(nonpage)';" } # strip_non_page_views mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'hits = 1;' } # mark_entry server_responses = { #value = "node rule;foreach rule 'rewrite_rules.server_responses' (if (matches_regular_expression(server_response, node_value(subnode_by_name(rule, 'regexp')))) then (server_response = server_response . ' (' . expand(node_value(subnode_by_name(rule, 'result'))) . ')'; last; ); );" value = "server_response = server_response . ' (' . node_value(subnode_by_name('lang_stats.log_formats.http_server_responses', server_response)) . ')';" disabled = "false" label = "Server Responses" comment = "This rewrites the server responses in plain text" } # server_responses ## clean_users = { ## value = ` ## node rule; ## if (node_exists('rewrite_rules.user_lookup')) then ( ## foreach rule 'rewrite_rules.user_lookup' (if (contains(authenticated_user, '='.node_value(subnode_by_name(rule, 'regexp')).',')) then (authenticated_user = expand(node_value(subnode_by_name(rule, 'result'))); last; ); ); ## ); ## ` ## disabled = "false" ## label = "LDAP to user name" ## comment = "This rewrites the user_name field to the user's name, if in ldap format (contains '=extranet_id,' )" ## } # clean_users set_type = { label = "Set type based on page or method" comment = "" disabled = "false" value = ` if (contains(page, '/workplace/')) then ( type = "WorkPlace"; ); else if (contains(page, '/preauth/') or contains(page, 'EPCmicro')) then ( type = "EPC - Pre-authentication"; ); else if (contains(page, '/postauth/')) then ( type = "EPC - Post authentication"; ); else if (contains(page, '/__api__/')) then ( type = "Logon API Usage"; ); else if (method eq 'CONNECT') then ( type = "OD Proxy / Connect Mobile"; ); else ( type = "Translation"; ); ` } } # log.filters log.field_options = { sessions_page_field = "page" sessions_visitor_id_field = "authenticated_user" sessions_event_field = "page_views" } # log.field_options database.numerical_fields = { hits = { default = true } # hits page_views = { default = true requires_log_field = false } # page_views visitors = { default = true requires_log_field = true log_field = "hostname" type = "unique" } # visitors size = { default = true type = "int" integer_bits = 64 display_format_type = "bandwidth" } # size } # database.numerical_fields create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" content_group = { page = true file_type = true } visitor_demographics_group = { hostname = true domain_description = true location = true } users_group = { authenticated_user = true realm = true group = true } server_response = true method = true worm = true #protocol = true type = true } # report_groups } # create_profile_wizard_options } # aventail_web_access_syslog_required