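# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Zentyal syslog (syslog-server style lines, including
# netfilter/iptables "zentyal-firewall" kernel messages). All field extraction is done in the
# syslog_1 parsing filter below; the built-in parser is disabled via parse_only_with_filters.
zentyal_syslog = {

  plugin_version = "1.0"

  # 2014-10-2 - 1.0 - Lew - support for Zentyal syslog format
  # review      - fixed the "daemon: message" fallback branch (used $3 where the regex only has
  #               two groups), split the netfilter MAC= field at the real 17-character MAC
  #               boundaries (and in header order: destination first, then source), removed the
  #               duplicated "firewall" keys, and stored pid so the daemon report group can use it

  info.1.manufacturer = "Zentyal"
  info.1.device = "Unix Syslog"
  info.1.version.1 = "1.0"

  # The name of the log format
  log.format.format_label = "Zentyal Syslog"
  log.miscellaneous.log_data_type = "syslog"
  log.miscellaneous.log_format_type = "syslog_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # (optional <PRI> prefix, then "Mmm dd hh:mm:ss[.frac] host ")
  log.format.autodetect_regular_expression = "^ *<*[0-9X]*>*[A-Za-z][A-Za-z][A-Za-z] [0-9 ]?[0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\.*[0-9]* [^ ]* "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields (values are collected with set_collected_field in the parsing filter)
  log.fields = {
    date = ""
    time = ""
    logging_device = ""
    daemon = ""
    pid = ""
    syslog_message = ""
    daemon_message = ""
    message = ""
    msg_id = ""
    firewall = ""
    decision = ""
    in_interface = ""
    out_interface = ""
    srcmac = ""
    dstmac = ""
    src_ip = ""
    dst_ip = ""
    length = ""
    tos = ""
    prec = ""
    ttl = ""
    id = ""
    flag = ""
    proto = ""
    spt = ""
    dpt = ""
    window = ""
    res = ""
    control_bits = ""
    urgent_pointer = ""
    mark = ""
    type = ""
    code = ""
    icmpsrcip = ""
    icmpdestip = ""
    icmp_tot_len = ""
    icmp_tos = ""
    icmp_prec = ""
    icmp_ttl = ""
    icmp_id = ""
    icmp_proto = ""
    icmp_spt = ""
    icmp_dpt = ""
    icmp_hdr_len = ""
  } # log.fields

  # At initialization time, get the last line from the previous build, in case we need it for "repeated" lines.
  # The state file is kept inside this profile's database directory, not at a path taken from the log.
  log.filter_initialization_syslog = `
    string last_log_line_pathname = volatile.database_directory . "main" . internal.directory_divider . "last_log_line.txt";
    string last_log_line;
    if (file_exists(last_log_line_pathname)) then (
      last_log_line = read_file(last_log_line_pathname);
    );
  `

  # At finalization time, save the last line of this build
  log.filter_finalization_syslog = `
    write_file(last_log_line_pathname, last_log_line);
  `

  # Log Parsing Filters
  log.parsing_filters = {

    # syslog lines carry no year; take it from a "YYYY.log" style log file name when present
    year_from_filename = {
      label = ""
      comment = ""
      value = "
        if (matches_regular_expression(current_log_pathname(), '((20|19)[0-9][0-9])\\\\.log')) then
          log.processing.default_log_date_year = $1;
      "
      disabled = false
    } # year_from_filename

    # Parse out the syslog fields
    syslog_1 = {
      label = "syslog_1"
      comment = ""
      value = `
        v.syslog_message = '';

        # get date, time and logging device; the remainder of the line is examined below
        if (matches_regular_expression(current_log_line(), '^([A-Z][a-z][a-z] [0-9 ]?[0-9]) ([0-9:]*) ([^ ]*) (.*)$')) then (
          set_collected_field('', 'date', normalize_date($1, 'mmm dd'));
          set_collected_field('', 'time', $2);
          set_collected_field('', 'logging_device', $3);
          set_collected_field('', 'syslog_message', $4);
          v.syslog_message = $4;
        );

        # daemon[pid]: message
        # Jul 4 07:57:46 ipip-hotspot snort[23103]: Run time for packet processing was 87099.417024 seconds
        if (matches_regular_expression(v.syslog_message, '([^ ]*)\\\\[([0-9]*)\\\\]: (.*)$')) then (
          set_collected_field('', 'daemon', $1);
          set_collected_field('', 'pid', $2);
          set_collected_field('', 'daemon_message', $3);
          v.syslog_message = $3;
          accept_collected_entry('', false);

          # If this is a 'last message repeated' line, take the previous line and insert it into the log data stream that many times.
          # NOTE(review): the repeat count comes straight from the log line and is not bounded here, so a very
          # large count inserts that many copies of last_log_line; consider capping it if the log source is not trusted.
          if (matches_regular_expression(v.syslog_message, '^last message repeated ([0-9]+) times')) then (
            for (int i = 0; i < $1; i++) (
              set_subnode_value('volatile.log_line_insertions', i, last_log_line);
            )
          ); # if last message repeated

          # If it's a normal line, extract it normally
          else (
            # trim leading spaces, then trailing spaces / carriage returns
            while (starts_with(v.syslog_message, ' '))
              v.syslog_message = substr(v.syslog_message, 1);
            while (matches_regular_expression(v.syslog_message, '^(.*)(\\\\^M| )$'))
              v.syslog_message = $1;
            # an MM-DD-YYYY date in the log pathname overrides the year-less date from the line
            if (matches_regular_expression(current_log_pathname(), '([0-1][0-9]-[0-3][0-9]-[21][09][0-9][0-9])')) then
              set_collected_field('', 'date', $1);
            # Remember the log line, in case we get a "last message repeated" line next
            last_log_line = current_log_line();
          ); # if non-repeated line
        );

        # kernel: [uptime] message
        # Jul 4 07:57:46 ipip-hotspot kernel: [9234999.704470] (stuff)
        else if (matches_regular_expression(v.syslog_message, '^([^ ]*): \\\\[([0-9]*.[0-9]*)\\\\] (.*)$')) then (
          set_collected_field('', 'daemon', $1);
          set_collected_field('', 'msg_id', $2);
          v.syslog_message = $3;

          # now look for variations of this type of message with parts like this
          # zentyal-firewall drop IN=vlan16 OUT=eth1 MAC=00:07:e9:2f:7f:89:a4:c3:61:7f:9e:54:08:00 SRC=172.16.2.33 DST=58.27.86.43 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=10893 DF PROTO=TCP
          if (matches_regular_expression(v.syslog_message, '^([^ ]*) ([^ ]*) IN=([^ ]*) OUT=([^ ]*) MAC=([^ ]*) SRC=([^ ]*) DST=([^ ]*) LEN=([^ ]*) TOS=([^ ]*) PREC=([^ ]*) TTL=([^ ]*) ID=([^ ]*) (.*)')) then (
            set_collected_field('', 'firewall', $1);
            set_collected_field('', 'decision', $2);
            set_collected_field('', 'in_interface', $3);
            set_collected_field('', 'out_interface', $4);
            # netfilter's MAC= value is the raw Ethernet header: destination MAC (6 octets), source MAC
            # (6 octets), then the 2-octet ethertype. Each colon-separated MAC is 17 characters long.
            set_collected_field('', 'dstmac', substr($5, 0, 17));
            set_collected_field('', 'srcmac', substr($5, 18, 17));
            set_collected_field('', 'src_ip', $6);
            set_collected_field('', 'dst_ip', $7);
            set_collected_field('', 'length', $8);
            set_collected_field('', 'tos', $9);
            set_collected_field('', 'prec', $10);
            set_collected_field('', 'ttl', $11);
            set_collected_field('', 'id', $12);
            v.syslog_message = $13;

            # now check for flag & proto values
            # DF PROTO=TCP
            if (matches_regular_expression(v.syslog_message, '^([^ ]*) PROTO=([^ ]*) (.*)$')) then (
              set_collected_field('', 'flag', $1);
              set_collected_field('', 'proto', $2);
              v.syslog_message = $3;
            );
            # this has no flag, just proto
            # PROTO=ICMP
            else if (matches_regular_expression(v.syslog_message, '^PROTO=([^ ]*) (.*)$')) then (
              set_collected_field('', 'proto', $1);
              v.syslog_message = $2;
            );

            # see if it's like this (TCP/UDP)
            # SPT=52418 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
            if (matches_regular_expression(v.syslog_message, 'SPT=([^ ]*) DPT=([^ ]*) WINDOW=([^ ]*) RES=([^ ]*) (.*) URGP=([^ ]*) MARK=([^ ]*)')) then (
              set_collected_field('', 'spt', $1);
              set_collected_field('', 'dpt', $2);
              set_collected_field('', 'window', $3);
              set_collected_field('', 'res', $4);
              set_collected_field('', 'control_bits', $5);
              set_collected_field('', 'urgent_pointer', $6);
              set_collected_field('', 'mark', $7);
            );
            # or this (ICMP, with the triggering packet's header in brackets)
            # TYPE=3 CODE=3 [SRC=192.168.1.6 DST=189.40.64.15 LEN=62 TOS=0x00 PREC=0x00 TTL=115 ID=9640 PROTO=UDP SPT=4169 DPT=8517 LEN=42 ] MARK=0x1
            else if (matches_regular_expression(v.syslog_message, 'TYPE=([^ ]*) CODE=([^ ]*) \\\\[(.*) \\\\] MARK=([^ ]*)')) then (
              set_collected_field('', 'type', $1);
              set_collected_field('', 'code', $2);
              v.icmp_fields = $3;
              set_collected_field('', 'mark', $4);

              # now check the ICMP fields (the embedded original packet)
              if (matches_regular_expression(v.icmp_fields, '^SRC=([^ ]*) DST=([^ ]*) LEN=([^ ]*) TOS=([^ ]*) PREC=([^ ]*) TTL=([^ ]*) ID=([^ ]*) PROTO=([^ ]*) SPT=([^ ]*) DPT=([^ ]*) LEN=([^ ]*)')) then (
                set_collected_field('', 'icmpsrcip', $1);
                set_collected_field('', 'icmpdestip', $2);
                set_collected_field('', 'icmp_tot_len', $3);
                set_collected_field('', 'icmp_tos', $4);
                set_collected_field('', 'icmp_prec', $5);
                set_collected_field('', 'icmp_ttl', $6);
                set_collected_field('', 'icmp_id', $7);
                set_collected_field('', 'icmp_proto', $8);
                set_collected_field('', 'icmp_spt', $9);
                set_collected_field('', 'icmp_dpt', $10);
                set_collected_field('', 'icmp_hdr_len', $11);
              );
            );
          );
          accept_collected_entry('', false);
        );

        # daemon: message (no pid, no bracketed timestamp)
        # Jul 4 07:57:46 ipip-hotspot cron: (root) CMD (stuff)
        else if (matches_regular_expression(v.syslog_message, '^([^ ]*): (.*)$')) then (
          set_collected_field('', 'daemon', $1);
          set_collected_field('', 'daemon_message', $2);
          # this regex has only two groups; the message is $2
          v.syslog_message = $2;
          accept_collected_entry('', false);
        );

        # anything else that still starts with a syslog timestamp
        else if (matches_regular_expression(current_log_line(), '^([A-Z][a-z][a-z] [0-9 ]?[0-9]) ([0-9:]*)(.*)')) then (
          set_collected_field('', 'date', normalize_date($1, 'mmm dd'));
          set_collected_field('', 'time', $2);
          set_collected_field('', 'syslog_message', $3);
          v.syslog_message = $3;
          # NOTE(review): unlike the branches above this one never calls accept_collected_entry;
          # confirm whether such lines are meant to be dropped from the database.

          # If this is a 'last message repeated' line, take the previous line and insert it into the log data stream that many times.
          # NOTE(review): as above, the repeat count is unbounded.
          if (matches_regular_expression(v.syslog_message, '^last message repeated ([0-9]+) times')) then (
            for (int i = 0; i < $1; i++) (
              set_subnode_value('volatile.log_line_insertions', i, last_log_line);
            )
          ); # if last message repeated

          # If it's a normal line, extract it normally
          else (
            while (starts_with(v.syslog_message, ' '))
              v.syslog_message = substr(v.syslog_message, 1);
            while (matches_regular_expression(v.syslog_message, '^(.*)(\\\\^M| )$'))
              v.syslog_message = $1;
            if (matches_regular_expression(current_log_pathname(), '([0-1][0-9]-[0-3][0-9]-[21][09][0-9][0-9])')) then
              set_collected_field('', 'date', $1);
            # Remember the log line, in case we get a "last message repeated" line next
            last_log_line = current_log_line();
          ); # if non-repeated line
        ); # it matches normal layout
      `
    } # syslog_1

  } # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    logging_device = ""
    daemon = ""
    # pid is referenced by daemon_group below; it is stored here so that group can report on it
    pid = ""
    syslog_message = ""
    daemon_message = ""
    msg_id = ""
    firewall = ""
    decision = ""
    in_interface.label = "Input interface"
    out_interface.label = "Output interface"
    srcmac = ""
    dstmac = ""
    src_ip = ""
    dst_ip = ""
    length = ""
    tos = ""
    prec = ""
    ttl = ""
    id = ""
    flag = ""
    proto = ""
    spt = ""
    dpt = ""
    window = ""
    res = ""
    control_bits = ""
    urgent_pointer = ""
    mark = ""
    type = ""
    code = ""
    icmpsrcip = ""
    icmpdestip = ""
    icmp_tot_len = ""
    icmp_tos = ""
    icmp_prec = ""
    icmp_ttl = ""
    icmp_id = ""
    icmp_proto = ""
    icmp_spt = ""
    icmp_dpt = ""
    icmp_hdr_len = ""
  } # database.fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      daemon_group = {
        daemon = ""
        pid = ""
        daemon_message = ""
      }
      kernel_group = {
        msg_id = ""
        firewall = ""
        decision = ""
        in_interface = ""
        out_interface = ""
        srcmac = ""
        dstmac = ""
        src_ip = ""
        dst_ip = ""
        length = ""
        tos = ""
        prec = ""
        ttl = ""
        id = ""
        flag = ""
        proto = ""
        type = ""
        code = ""
        spt = ""
        dpt = ""
        window = ""
        res = ""
        control_bits = ""
        urgent_pointer = ""
        mark = ""
      }
      icmp_group = {
        icmpsrcip = ""
        icmpdestip = ""
        icmp_tot_len = ""
        icmp_tos = ""
        icmp_prec = ""
        icmp_ttl = ""
        icmp_id = ""
        icmp_proto = ""
        icmp_spt = ""
        icmp_dpt = ""
        icmp_hdr_len = ""
      }
    } # report_groups

  } # create_profile_wizard_options

} # zentyal_syslog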