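# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Barracuda Web Application Firewall access logs
# received over syslog (log_data_type = "syslog_required").
#
# Parsing runs in two stages (see log.parsing_filters.parse):
#   1. the syslog message prefix (date, time, tz, client_ip/port, server_ip/port)
#      is matched and the remainder of the line is kept in v.message;
#   2. v.message is matched against the 17-field layout (with time_taken and
#      server_time) first, then against the older 15-field layout.
# Every line that passes stage 1 is accepted as one access (accesses = 1),
# whether or not stage 2 recognised the remainder.
barracuda_waf_access_with_extended_info = {

  plugin_version = "2.1"

  info.1.manufacturer = "Barracuda"
  info.1.device = "Web Application Firewall (Access with extended info)"
  info.1.version = "7.4.0.022"

  # 2014-04-09 - 1.0 - WC - Initial implementation.
  # 2014-04-16 - 2.0 - GMF - Various fixes/enhancements
  # 2014-04-17 - 2.1 - GMF - Added time_taken and server_time, and parsing of the line format that contains them

  # The name of the log format
  log.format.format_label = "Barracuda WAF Access Log With Extended Info Format"

  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "web_server"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It covers only the fixed prefix (date time tz client_ip client_port server_ip server_port),
  # so it matches both the 15-field and the 17-field message layouts.
  # GMF fixed regexp; changed character class to [+-], added extra space after time zone, put literal dots in character class, added + to server_port
  log.format.autodetect_regular_expression = "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9][.][0-9]+ [+-][0-9]+ [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ [0-9]+ [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ [0-9]+ "

  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields (one per capture group of the parsing filter, plus accesses)
  log.fields = {
    date = ""
    time = ""
    client_ip = ""
    client_port = ""
    server_ip = ""
    server_port = ""
    login_id = ""
    method = ""
    http_status = ""
    certificate_user = ""
    query = ""
    application_ip = ""
    application_port = ""
    host = ""
    url = ""
    referrer = ""
    bytes_sent = ""
    bytes_received = ""
    proxy_ip = ""
    proxy_port = ""
    agent = ""
    accesses = ""
    # GMF Added these two fields
    time_taken = ""
    server_time = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Stage 1 anchors on the numeric/timestamp prefix only. Stage 2 captures the
  # request-side fields (login_id, certificate_user, query, host, url, referrer,
  # agent) with [^ ]+ / [^"]+, i.e. anything except the delimiter is accepted
  # verbatim; these are request-supplied values and are not validated here, so
  # treat them as untrusted when they reach reports or downstream tooling.
  # Nothing in either layout carries a WAF verdict (allow/block/rule); these
  # lines describe the request as seen, not the decision taken on it.
  log.parsing_filters.parse = `
#2012-07-06 03:20:52 local0.info 10.10.10.10 2012-07-06 03:20:52.456 -0400 66.249.72.150 61848 192.168.1.10 80 "-" GET 200 "-" loc=items_detail&data%5Bhistory%5D=2050;002;20000;20100;&data%5Bcatalog%5D=1&data%5Bitemcode%5D=712089 10.10.10.44 80 excess.stuff.com /01/index.php "-" 11698 346 66.249.72.150 61848 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# GMF Same changes to regular expression as above (autodetect)
#if (matches_regular_expression(v.syslog_message, '([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9].[0-9]+) [\+|-][0-9]+ ([0-9]+.[0-9]+.[0-9]+.[0-9]+) ([0-9]+) ([0-9]+.[0-9]+.[0-9]+.[0-9]) ([0-9]+) (.*)$')) then (
# Stage 1: fixed prefix; $7 is the rest of the line (request fields).
if (matches_regular_expression(v.syslog_message, '([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9][.][0-9]+) [+-][0-9]+ ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) ([0-9]+) ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) ([0-9]+) (.*)$')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  set_collected_field('', 'client_ip', $3);
  set_collected_field('', 'client_port', $4);
  set_collected_field('', 'server_ip', $5);
  set_collected_field('', 'server_port', $6);
  v.message = $7;

  # GMF Added separate clause for long format
  # Longer format with two extra fields (time_taken, server_time at the end)
  #2014-04-09 09:12:25 local1.info 10.10.10.10 2014-04-09 09:12:25.696 -0400 68.16.231.211 55437 192.168.1.10 443 "-" POST 200 "-" id=8b124a19-a955-40fc-a3a8-0429c17069ba&clientPerformance=&clientProbes=&popup=1& 10.10.10.44 443 orbit.stuff.com /mini-profiler-resources/results https://orbit.stuff.com/ShoppingCart 1050 3635 68.16.231.211 55437 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" 47 6
  # Stage 2a: 17-field layout. Tried first because the 15-field pattern below
  # is a prefix of this one and would otherwise also match these lines.
  if (matches_regular_expression(v.message, '^([^ ]+) ([A-Z]+|[a-z]+) ([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) ([0-9]+) "([^"]+)" ([0-9]+) ([0-9]+)')) then (
    set_collected_field('', 'login_id', $1);
    set_collected_field('', 'method', $2);
    set_collected_field('', 'http_status', $3);
    set_collected_field('', 'certificate_user', $4);
    set_collected_field('', 'query', $5);
    set_collected_field('', 'application_ip', $6);
    set_collected_field('', 'application_port', $7);
    set_collected_field('', 'host', $8);
    set_collected_field('', 'url', $9);
    set_collected_field('', 'referrer', $10);
    set_collected_field('', 'bytes_sent', $11);
    set_collected_field('', 'bytes_received', $12);
    set_collected_field('', 'proxy_ip', $13);
    set_collected_field('', 'proxy_port', $14);
    set_collected_field('', 'agent', $15);
    set_collected_field('', 'time_taken', $16);
    set_collected_field('', 'server_time', $17);
  );

  #"-" GET 200 "-" "-" 172.18.218.37 443 www.wilmar.com /Quote/ViewDetail/5425382 https://www.wilmar.com/Quote/MyQuotes 30511 2564 68.196.250.220 1533 "Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
  # GMF Added ^ to start for efficiency, changed literal . to [.], changed the quoted field to "([^"]+)"
  # if (matches_regular_expression(v.message, '([^ ]+) ([A-Z]+|[a-z]+) ([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+.[0-9]+.[0-9]+.[0-9]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([0-9]+.[0-9]+.[0-9]+.[0-9]+) ([0-9]+) "([^ ]+)" ')) then (
  # Stage 2b: 15-field layout (no timing fields).
  # NOTE(review): this pattern ends with a space after the closing quote of the
  # agent field, so a message that ends immediately after that quote will not
  # match and the entry is accepted with only the stage-1 fields — confirm
  # against real lines whether a trailing space is always present.
  else if (matches_regular_expression(v.message, '^([^ ]+) ([A-Z]+|[a-z]+) ([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) ([0-9]+) "([^"]+)" ')) then (
    set_collected_field('', 'login_id', $1);
    set_collected_field('', 'method', $2);
    set_collected_field('', 'http_status', $3);
    set_collected_field('', 'certificate_user', $4);
    set_collected_field('', 'query', $5);
    set_collected_field('', 'application_ip', $6);
    set_collected_field('', 'application_port', $7);
    set_collected_field('', 'host', $8);
    set_collected_field('', 'url', $9);
    set_collected_field('', 'referrer', $10);
    set_collected_field('', 'bytes_sent', $11);
    set_collected_field('', 'bytes_received', $12);
    set_collected_field('', 'proxy_ip', $13);
    set_collected_field('', 'proxy_port', $14);
    set_collected_field('', 'agent', $15);
  );

  # Counted and accepted whenever stage 1 matched, even if neither stage-2
  # layout did (such entries carry empty request fields); presumably so that
  # every access is counted — verify this is the intended behaviour.
  set_collected_field('', 'accesses', 1);
  accept_collected_entry('', false);
);
`

  # GMF There must be a log filter to populate the accesses field, to count the total number of accesses
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Database fields
  database.fields = {
    # GMF Rather than separate date and time fields, use date_time for database to provide standard date/time reporting. day_of_week and hour_of_day are handy too.
    # date = ""
    # time = ""
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    client_ip = ""
    client_port = ""
    server_ip = ""
    server_port = ""
    login_id = ""
    method = ""
    http_status = ""
    certificate_user = ""
    query = ""
    application_ip = ""
    application_port = ""
    host = ""
    url = ""
    referrer = ""
    # GMF Byte fields are typically aggregated, and should appear in numerical_fields, not database_fields (or you'll get a report with a row for each unique value of the bytes_sent field, which is worthless).
    # bytes_sent = ""
    # bytes_received = ""
    proxy_ip = ""
    proxy_port = ""
    agent = ""
  } # database.fields

  # GMF numerical fields are commented out, but there has to be at least one numerical field, to track the number of events. Below, I have added accesses (could be called events too, sure), and the two bytes fields as well.
  # database.numerical_fields = {
  #
  #   events = {
  #     default = true
  #   }
  #   bytes_received = {
  #     default = true
  #     type = "int"
  #     integer_bits = 64
  #     display_format_type = "bandwidth"
  #   }
  #
  #
  # } # database.numerical_fields

  database.numerical_fields = {
    accesses = {
      default = true
      entries_field = true
    } # accesses
    bytes_sent = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_sent
    bytes_received = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_received
    # GMF Added these two fields
    # NOTE(review): unlike the bytes_* fields these do not declare type = "int"
    # and rely on the default numerical type — confirm that is what is wanted.
    time_taken = {
      integer_bits = 64
      display_format_type = "duration_milliseconds"
      default = true
    } # time_taken
    server_time = {
      integer_bits = 64
      display_format_type = "duration_milliseconds"
      default = true
    } # server_time
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      # GMF It is typical, though not required, to include at least a Date/time group, to combine the date/time reports into a single group.
      date_time_group = ""
    } # report_groups

    # GMF Added a user_agent_analysis snapon; not essential, but it will report web browsers and operating systems and device information, instead of the horrible ugly user_agent field values.
    snapons = {
      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports
      user_agent_analysis = {
        snapon = "user_agent_analysis"
        name = "user_agent_analysis"
        label = "$lang_admin.snapons.user_agent_analysis.label"
        parameters = {
          user_agent_field.parameter_value = "agent"
          page_views_field.parameter_value = "accesses"
        } # parameters
      } # user_agent_analysis
    } # snapons
  } # create_profile_wizard_options

} # barracuda_waf_access_with_extended_info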