# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for Microsoft Windows DHCP Server audit logs received through
# syslog. The config syntax and the parsing-filter language look like Sawmill's
# — TODO confirm the consuming product/version.
#
# Each DHCP record is a comma-separated line:
#   id,date,time,description,ip_address,hostname,mac_address,...
# All field extraction is done by the parsing filter below
# (parse_only_with_filters = "true"); the commented-out date_format/time_format
# keys are not in effect.

microsoft_dhcp_syslog = {

plugin_version = "1.1.1"
# 2012-08-13 - Benson - 1.0 - Initial creation
# 2012-11-09 - GMF - 1.1 - Added support for missing syslog; added support for empty fields; commented out Chinese log filter
# 2012-11-16 - GMF - 1.1.1 - Fixed date extraction from message.

info.1.manufacturer = "Microsoft"
info.1.device = "Windows DHCP Server"
info.1.version.1 = "2003"
info.1.version.2 = "2008"

# The name of the log format
log.format.format_label = "Microsoft Windows DHCP Server Log Format"

# "syslog_optional": per the 1.1 changelog, lines arriving without a syslog
# header are handled too (the parse filter comment mentions "no_syslog").
log.miscellaneous.log_data_type = "syslog_optional"
log.miscellaneous.log_format_type = "application"

# Sample line as received via syslog (syslog header, then the DHCP record).
# The description field appears to be Traditional Chinese text shown mis-encoded
# (see the "Chinese log filter" note in the changelog) — TODO confirm encoding.
# 2012-08-09 10:55:34 local2.info twtpedc01 Process Name[info] 11,08/08/12,16:27:31,§ó·s,10.129.220.130,A0163601.topco-global.com,24EC9928E396,

# The log is in this format if any of the first autodetect_lines (100) lines
# match this regular expression.
# This pattern is stricter than the parsing filter: it requires a non-empty
# description and IP address, while the parser accepts empty ones. Only one
# sampled line has to match, so records with empty fields are still parsed
# once the format has been detected.
log.format.autodetect_expression = `matches_regular_expression(volatile.log_data_line, "[0-9]+,[0-9/]+,[0-9:]+,[^,]+,[0-9.]+,[^,]*,[0-9A-F]*,")`
log.format.autodetect_lines = 100

# Not in effect: date/time come from the parsing filter, which normalizes the
# message date as mm/dd/yy (the "dd/mm/yy" on the next line is stale).
# log.format.date_format = "dd/mm/yy"
# log.format.time_format = "hh:mm:ss"

# All log field parsing will be done using the parsing filters
log.format.parse_only_with_filters = "true"

# Log fields
# "events" is not extracted from the line; it is set to 1 by the mark_entry
# log filter and stored through database.numerical_fields.
log.fields = {
  id = ""
  date_time = ""
  description = ""
  ip_address = ""
  hostname = ""
  mac_address = ""
  events = ""
} # log.fields

# Log Parsing Filters
# v.syslog_message is the payload after the syslog header. The record is
# anchored at the start of the message and split on commas; description,
# ip_address, hostname and mac_address may be empty. Everything after the MAC
# address is ignored.
# description and hostname are copied verbatim ([^,]*). In DHCP audit logs the
# host name originates from the DHCP client, so treat these values as untrusted
# input wherever reports render them.
log.parsing_filters.parse = `
#11,10/26/12,00:05:06,Renew,10.17.87.6,ABC-PC.def.edu,00242C9912B1,,2398965116,0,,,
#10,10/26/12,00:00:31,Assign,10.17.131.107,,4001C6679E81,,1803751690,0,,,
if (matches_regular_expression(v.syslog_message, '^([0-9]+),([0-9/]+),([0-9:]+),([^,]*),([0-9.]*),([^,]*),([0-9A-F]*),')) then (
  set_collected_field('', 'id', $1);
  # 2012-11-16 - GMF - We can't check for date='' here because no_syslog sets it to the current date. Just use the date from the message, always.
  # if (get_collected_field('', 'date') eq '') then (
    # Message date is month-first (see "10/26/12" in the samples above).
    set_collected_field('', 'date', normalize_date($2, 'mm/dd/yy'));
    set_collected_field('', 'time', $3);
  # );
  set_collected_field('', 'description', $4);
  set_collected_field('', 'ip_address', $5);
  set_collected_field('', 'hostname', $6);
  set_collected_field('', 'mac_address', $7);
  accept_collected_entry('', false);
);
`

# Database fields
database.fields = {
  id = ""
  date_time = ""
  description = ""
  ip_address = ""
  hostname = ""
  mac_address = ""
} # database.fields

# Log Filters
log.filters = {
  # Counts one event per accepted entry.
  mark_entry = {
    label = '$lang_admin.log_filters.mark_entry_label'
    comment = '$lang_admin.log_filters.mark_entry_comment'
    value = 'events = 1;'
  } # mark_entry
  # Uncomment to get Traditional Chinese descriptions of event ID
  # (disabled since 1.1; it looks up a rewrite_rules.windows_dhcp_event_id_cht
  # table that is not defined in this file).
  # event_id = {
  #   value = "id = id . ' (' . node_value(subnode_by_name('rewrite_rules.windows_dhcp_event_id_cht', id)) . ')';"
  #   disabled = "false"
  #   label = "Event ID"
  #   comment = "This rewrites the Event ID in plain text"
  # } # event_id
} # log.filters

database.numerical_fields = {
  events = {
    label = "$lang_stats.field_labels.events"
    default = true
    requires_log_field = false
    type = "int"
    display_format_type = "integer"
    entries_field = true
  } # events
} # database.numerical_fields

create_profile_wizard_options = {
  # How the reports should be grouped in the report menu
  report_groups = {
    date_time_group = ""
  } # report_groups
  snapons = {
    # Add the standard reports
    add_standard_reports = {
      name = "add_standard_reports"
      label = "add_standard_reports"
      snapon = "add_standard_reports"
    } # add_standard_reports
  } # snapons
} # create_profile_wizard_options

} # microsoft_dhcp_syslog