# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Fortinet FortiGate 300 series logs.
# All field extraction is done by the parsing filter below (see
# parse_only_with_filters); the commented sample line shows the
# "key=value key=value ..." layout the filter expects.
fortigate_300 = {

  plugin_version = "1.0"

  info.1.manufacturer = "Fortinet"
  info.1.device = "Fortigate 300 Series"
  info.1.version.1 = "300c" # firmware v4.0 mr3

  # 2014-03-24 - 1.0 - GMF - Initial creation; based on forti_gate_traffic

  # The name of the log format
  log.format.format_label = "FortiGate 300 Series Log Format"

  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It requires "YYYY-MM-DD HH:MM:SS log_id=<value> " at the very start of a line; a line
  # that separates date and time with a comma (tolerated by the parsing filter below) is
  # not matched here, so such a file would not be autodetected.
  log.format.autodetect_regular_expression = "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] log_id=[^ ]+ "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Sample line this format was written against. Note the quoted values that contain
  # spaces (src_int, msg); see the NOTE on the parsing filter below.
  #2014-03-14 15:48:26 log_id=0317013312 type=webfilter subtype=ftgd_allow pri=notice vd="root" policyid=126 intf_policyid=0 identidx=7 serial=59136668 user="ABC" group="FSSO_Unblocked" src=12.34.56.78 sport=1455 src_port=1455 src_int="DATA for ABC" dst=23.45.67.89 dport=80 dst_port=80 dst_int="port2" service="http" hostname="page.somewhere.com" carrier_ep="N/A" profiletype="Webfilter_Profile" profilegroup="N/A" profile="FSSO_Unblocked" status="passthrough" req_type="referral" url="/dir/page.html" sent=757 rcvd=467 msg="URL belongs to an allowed category in policy" method=domain class=0 class_desc="N/A" cat=17 cat_desc="Advertising"

  # Log fields
  # Names match the key= names in the log line (both sport/src_port and
  # dport/dst_port are kept because the device emits both). `accesses`
  # is not in the log; it is set to 1 per entry by the mark_entry filter.
  log.fields = {
    date = ""
    time = ""
    log_id = ""
    type = ""
    subtype = ""
    pri = ""
    vd = ""
    policyid = ""
    intf_policyid = ""
    identidx = ""
    serial = ""
    user = ""
    group = ""
    src = ""
    sport = ""
    src_port = ""
    src_int = ""
    dst = ""
    dport = ""
    dst_port = ""
    dst_int = ""
    service = ""
    hostname = ""
    carrier_ep = ""
    profiletype = ""
    profilegroup = ""
    profile = ""
    status = ""
    req_type = ""
    url = ""
    sent = ""
    rcvd = ""
    msg = ""
    method = ""
    class = ""
    class_desc = ""
    cat = ""
    cat_desc = ""
    accesses = ""
  } # log.fields

  # Log Parsing Filters
  # Splits each line into date ($1), time ($2) and the remainder ($3), then
  # collects every "key=value" pair from the remainder, separated by spaces.
  # Lines that do not start with a date/time are silently dropped (no
  # accept_collected_entry call).
  # NOTE(review): the last argument to collect_listed_fields() is '' here.
  # Confirm against the Sawmill documentation what that argument controls and
  # whether quoted values with embedded spaces (src_int="DATA for ABC",
  # msg="URL belongs to an allowed category in policy") survive intact, or
  # get split at the inner spaces and spill into spurious field names.
  # Field values (user, hostname, url, msg) come straight from the log and
  # are influenced by the client that generated the traffic; they are stored
  # and reported as-is.
  log.parsing_filters.parse = `
    v.line = current_log_line();
    if (matches_regular_expression(v.line, '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])[ ,]([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (.*)')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      v.line = $3;
      collect_listed_fields('', v.line, ' ', '=', '');
      accept_collected_entry('', false);
    );
  `

  # Database fields
  # date_time / day_of_week / hour_of_day presumably derive from the date and
  # time log fields; the remaining fields mirror log.fields. `accesses` is
  # declared under database.numerical_fields instead.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    log_id = ""
    type = ""
    subtype = ""
    pri = ""
    vd = ""
    policyid = ""
    identidx = ""
    intf_policyid = ""
    serial = ""
    user = ""
    group = ""
    src = ""
    sport = ""
    src_port = ""
    src_int = ""
    dst = ""
    dport = ""
    dst_port = ""
    dst_int = ""
    service = ""
    hostname = ""
    carrier_ep = ""
    profiletype = ""
    profilegroup = ""
    profile = ""
    status = ""
    req_type = ""
    url = ""
    sent = ""
    rcvd = ""
    msg = ""
    method = ""
    class = ""
    class_desc = ""
    cat = ""
    cat_desc = ""
  } # database.fields

  # Log Filters
  # build_url is listed before simplify_url and is expected to run first:
  # the log's url field holds only a path ("/dir/page.html"), so build_url
  # prefixes it with "<service>://<hostname>" and simplify_url then keeps
  # "scheme://host/" and replaces the rest with "(omitted)". The effect is
  # that full paths and query strings (which can carry session tokens or
  # personal data) never reach the database; only the host survives.
  log.filters = {

    # Assumes `service` is a URL scheme ("http" in the sample); any other
    # service name would yield a malformed URL — TODO confirm for https/other
    # services this device logs.
    build_url = {
      label = "build URL"
      comment = "build the URL from parts"
      value = "url = service . '://' . hostname . url"
    } # build_url

    # Drops everything after the first "/" following the host.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . 
'(omitted)'"
    } # simplify_url

    # Counts one access per accepted entry.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      entries_field = "true"
      value = 'accesses = 1;'
    } # mark_entry

  } # log.filters

  # accesses is the entries field and a default report column; sent and
  # rcvd are 64-bit byte counters shown as bandwidth. Only rcvd is marked
  # default, so sent is not shown unless selected.
  database.numerical_fields = {
    accesses = {
      default = true
      entries_field = true
    } # accesses
    sent = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      default = true
      integer_bits = 64
      display_format_type = "bandwidth"
    } # rcvd
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    # NOTE(review): `status` is listed in both actions_group and other_group,
    # and other_group names `rule`, which is not declared in database.fields
    # (possibly carried over from forti_gate_traffic) — confirm both are
    # intended.
    report_groups = {
      date_time_group = ""
      actions_group = {
        type = true
        subtype = true
        pri = true
        status = true
      }
      source_group = {
        src = true
        src_port = true
        sport = true
        src_int = true
        user = true
        group = true
      }
      destination_group = {
        dst = true
        hostname = true
        dst_port = true
        dport = true
        dst_int = true
      }
      content_group = {
        cat = true
        cat_desc = true
        url = true
        req_type = true
      }
      profile_group = {
        profiletype = true
        profilegroup = true
        profile = true
      }
      policies_group = {
        policyid = true
        intf_policyid = true
      }
      other_group = {
        identidx = true
        serial = true
        status = true
        service = true
        log_id = true
        vd = true
        rule = true
        carrier_ep = true
        msg = true
        method = true
        class = true
        class_desc = true
      }
    } # report_groups

    snapons = {

      # Attach a top_level_domain snapon
      # Derives top_level_domain from the url field, i.e. from the URL as
      # rebuilt and simplified by the log filters above.
      top_level_domain = {
        snapon = "top_level_domain"
        name = "top_level_domain"
        label = "$lang_admin.snapons.top_level_domain.label"
        parameters = {
          url_field.parameter_value = "url"
          field_name = {
            parameter_value = "$lang_admin.field_labels.top_level_domain"
            final_node_name = "top_level_domain"
          }
        } # parameters
      } # top_level_domain

      # Attach a gateway_reports snapon
      # NOTE(review): category_field names "category", but no field of that
      # name is declared in this file (the log carries cat / cat_desc); the
      # commented-out alternative "source_ip" likewise matches no declared
      # field (the source address field is `src`). Confirm whether the
      # snapon creates `category` itself or whether cat_desc was intended.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          user_field.parameter_value = "user"
          # user_field.parameter_value = "source_ip"
          have_category_field.parameter_value = true
          category_field.parameter_value = "category"
          host_field.parameter_value = "top_level_domain"
          page_views_field.parameter_value = "accesses"
          bytes_in_field.parameter_value = "rcvd"
          sort_by_field.parameter_value = "accesses"
        } # parameters
      } # gateway_reports

    } # snapons

  } # create_profile_wizard_options

} # fortigate_300