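# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the F5 FirePass SSL VPN. The five FirePass log types
# (fp_app_log, fp_sess_log, fp_browser_log, fp_usage_log, fp_logon_log) are all handled by
# the parsing filter below; all field extraction is done there (parse_only_with_filters).

firepass_ssl_vpn = {

plugin_version = "1.2"

info.1.manufacturer = "F5"
info.1.device = "FirePass 4100 SSL VPN"
info.1.version = ""

# 2007-11-26 - 1.0 - KBB - Initial creation
# 2007-12-17 - 1.0.1 - KBB - Fixed bug caused by typo
# 2009-07-29 - 1.1 - Benson Chung - Added support for three more message types
# 2009-08-13 - 1.2 - GMF - Added support for fp_usage_log, and a couple new messages from fp_app_log

# The name of the log format
log.format.format_label = "FirePass SSL VPN Log Format"
log.miscellaneous.log_data_type = "network"
log.miscellaneous.log_format_type = "firewall"

# The log is in this format if any of the first ten lines match this regular expression:
# an interface IP address, "--", one or two bracketed "MM/DD/YYYY HH:MM:SS" timestamps, an
# optional quote, then a "sid=" or "logon=" field.
# NOTE(review): fp_usage_log lines start with a bracketed timestamp rather than an IP address
# (see the sample in the fp_usage_log parsing branch), so a file holding only that log type
# is not autodetected by this expression and must be assigned this format manually.
log.format.autodetect_regular_expression = '^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+--(\\[[0-9]{2}/[0-9]{2}/[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2}\\]){1,2}"?(sid|logon)=[^;]+;'

# All log field parsing will be done using the parsing filters
log.format.parse_only_with_filters = "true"

# The format of dates and times in this log
log.format.date_format = "auto"
log.format.time_format = "auto"

# Log fields
# These are the collected fields the parsing filter may set. Most are filled by
# collect_listed_fields() straight from the "name=value;" list on the log line; the rest
# (action, destination_*, duration, session_status, web_browser, operating_system,
# administrator_action_id) are derived by the filter.
log.fields = {
  date = ""
  time = ""
  interface_ip = ""
  sid = ""
  group = ""
  logon = ""
  message = ""
  agent_os = ""
  user_agent.type = "agent"
  passed = ""
  valid = ""
  protocol = ""
  content_type = ""
  server_addr = ""
  home_address = ""
  nonstandard_port = ""
  desktop_dns = ""
  session_status = ""
  action = ""
  administrator_action_id = ""
  destination_host = ""
  destination_ip = ""
  destination_port = ""
  duration = ""
  operating_system = ""
  web_browser = ""
} # log.fields

# Log Parsing Filters
# The five log types (fp_app_log, fp_sess_log, fp_browser_log, fp_usage_log, fp_logon_log)
# are matched by separate branches, in that order. Small differences between them make this
# clearer. Processing order is important: fp_logon_log must be last because its line has no
# quoted field list and would otherwise pick up the end timestamp of the two-timestamp
# formats as part of the fields.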
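log.parsing_filters.parse = `
  # Each branch below recognises one FirePass log type by the shape of the whole line,
  # sets the collected fields for that line and accepts the entry. The "sid"-keyed
  # collected fields (set_collected_field(v.sid, ...)) carry a session's start date/time
  # from its opening line to the line that closes it, so a duration can be computed.
  v.line = current_log_line();

  # fp_app_log
  # One timestamp, then a quoted "name=value;" list whose message= value identifies the event.
  if (matches_regular_expression(v.line, '^([0-9.]+)--\\\\[([0-9]{2}/[0-9]{2}/[0-9]{4}) ([0-9]{2}:[0-9]{2}:[0-9]{2})\\\\]"(.*[^"])"?$')) then (
    v.date = $2;
    v.time = $3;
    set_collected_field('', 'interface_ip', $1);
    set_collected_field('', 'date', v.date);
    set_collected_field('', 'time', v.time);
    collect_listed_fields('', $4, ';', '=', '');
    v.sid = get_collected_field('', 'sid');
    v.message = get_collected_field('', 'message');
    # Do this here because not every type has a message. Comment out to find new message types.
    set_collected_field('', 'message', '[omitted]');

    # This anonymized example has been shortened, but it illustrates how these lines are often cut off.
    #55.155.155.155--[10/23/2007 20:30:02]"sid=0306138ba58e666710c6fd0d5dc28a5d;logon=009990;group=Special-Group;message=Open AppTunnel to app0:211 app1.hello.com:80 app2.hello.com:80 app3.hello.
    if (matches_regular_expression(v.message, '^Open +AppTunnel to [^:]+:[0-9]+')) then (
      set_collected_field('', 'action', "Open AppTunnel");
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    #55.155.155.155--[10/23/2007 20:30:52]"sid=0306138ba58e666710c6fd0d5dc28a5d;logon=009990;group=Special-Group;message=AppTunnel connection to xyz.hello.com(10.0.55.55):80 terminated
    else if (matches_regular_expression(v.message, '^AppTunnel connection +to ([^(]+)\\\\(([0-9.]+)\\\\):([0-9]+) terminated')) then (
      set_collected_field('', 'action', "Open AppTunnel termination");
      set_collected_field('', 'destination_host', $1);
      set_collected_field('', 'destination_ip', $2);
      set_collected_field('', 'destination_port', $3);
      # Start date/time were stored under the sid by the "Open AppTunnel connection" branch.
      v.start_date = get_collected_field(v.sid, 'date');
      v.start_time = get_collected_field(v.sid, 'time');
      # Only compute a duration when the opening line for this sid was actually seen. A
      # termination line with no recorded start (log truncated or rotated mid-session)
      # would otherwise yield a duration measured from an empty start date/time.
      if (v.start_date ne '' and v.start_time ne '') then (
        int start_time_epoc = date_time_to_epoc(normalize_date(v.start_date, 'auto') . ' ' . v.start_time);
        int end_time_epoc = date_time_to_epoc(normalize_date(v.date, 'auto') . ' ' . v.time);
        set_collected_field('', 'duration', end_time_epoc - start_time_epoc);
      );
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    #55.155.155.155--[10/23/2007 20:30:47]"sid=0306138ba58e666710c6fd0d5dc28a5d;logon=009990;group=Special-Group;message=Open AppTunnel connection to xyz.hello.com(10.0.55.55):80
    else if (matches_regular_expression(v.message, '^Open AppTunnel connection +to ([^(]+)\\\\(([0-9.]+)\\\\):([0-9]+)')) then (
      set_collected_field('', 'action', "Open AppTunnel connection");
      set_collected_field('', 'destination_host', $1);
      set_collected_field('', 'destination_ip', $2);
      set_collected_field('', 'destination_port', $3);
      # Remember the start of this connection under its sid for the termination line.
      set_collected_field(v.sid, 'date', v.date);
      set_collected_field(v.sid, 'time', v.time);
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    # No sample line for this message type is recorded in this file.
    else if (matches_regular_expression(v.message, '^Network Access: dialing (.*)$')) then (
      set_collected_field('', 'action', "Network Access: dialing");
      set_collected_field('', 'destination_host', $1);
      set_collected_field(v.sid, 'date', v.date);
      set_collected_field(v.sid, 'time', v.time);
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    # No sample line for this message type is recorded in this file.
    else if (matches_regular_expression(v.message, '^Network Access Connection terminated')) then (
      set_collected_field('', 'action', "Network Access Connection terminated");
      set_collected_field(v.sid, 'date', v.date);
      set_collected_field(v.sid, 'time', v.time);
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    #55.155.155.155--[01/22/2009 18:26:41]"sid=42862efdd9ff1d2c4635235714af65b1;logon=deloitte;group=Default;message=Open Network Access Connection using remote IP address 192.168.192.127
    else if (matches_regular_expression(v.message, '^Open Network Access Connection using remote IP address ([0-9.]+)')) then (
      set_collected_field('', 'action', "Open Network Access connection");
      set_collected_field('', 'destination_ip', $1);
      set_collected_field(v.sid, 'date', v.date);
      set_collected_field(v.sid, 'time', v.time);
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    #12.34.56.78--[07/29/2009 11:40:52]"sid=12344d5f1400ccb81b91ceafb2bbfedb;logon=user;group=Default;message=[964054] Access menu Logs
    else if (matches_regular_expression(v.message, '^[[]([0-9]+)[]] (Access menu .*)$')) then (
      set_collected_field('', 'administrator_action_id', $1);
      set_collected_field('', 'action', $2);
      set_collected_field(v.sid, 'date', v.date);
      set_collected_field(v.sid, 'time', v.time);
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    #12.34.56.78--[07/29/2009 12:01:56]"sid=12341a1866e4c7f4da4e6e8054fba935;logon=abcdef;group=Default;message=Accessing http://somewhere.com/
    else if (matches_regular_expression(v.message, '^Accessing (.*)$')) then (
      set_collected_field('', 'action', 'Accessing URL');
      set_collected_field('', 'destination_host', $1);
      set_collected_field(v.sid, 'date', v.date);
      set_collected_field(v.sid, 'time', v.time);
      #set_collected_field('', 'message', '(omitted)'); # Debug
    );

    # Explicitly set these to empty so they won't be derived as unknown.
    set_collected_field('', 'web_browser', '(empty)');
    set_collected_field('', 'operating_system', '(empty)');
    accept_collected_entry('', false);
  ); # fp_app_log

  # fp_sess_log
  # Two timestamps (start, end), a quoted field list, then an unquoted numeric status code.
  # The end timestamp may be the placeholder "// ::" (second sample) for sessions without an end.
  #55.155.155.155--[10/23/2007 20:29:53][10/23/2007 20:42:46]"sid=0306138ba58e666710c6fd0d5dc28a5d;logon=456789;group=Bird;home_address=;protocol=HTTPS;nonstandard_port=0;content_type=HTML;desktop_dns=;desktop_dns=;server_addr=:0;"2
  #55.155.155.55--[10/24/2007 18:44:18][// ::]"sid=9566695496a6c52cda0c6c5991c7d39a;logon=007011;group=Remote-Stores;home_address=;protocol=HTTPS;nonstandard_port=0;content_type=HTML;desktop_dns=;desktop_dns=;server_addr=:0;"1
  else if (matches_regular_expression(v.line, '^([0-9.]+)--\\\\[([0-9]{2}/[0-9]{2}/[0-9]{4}) ([0-9]{2}:[0-9]{2}:[0-9]{2})\\\\]\\\\[([0-9]{0,2}/[0-9]{0,2}/[0-9]{0,4}) ([0-9]{0,2}:[0-9]{0,2}:[0-9]{0,2})\\\\]"(.*[^"])"([0-9]+)$')) then (
    v.date = $2;
    v.time = $3;
    v.end_date = $4;
    v.end_time = $5;
    v.status_code = $7;
    set_collected_field('', 'interface_ip', $1);
    set_collected_field('', 'date', v.date);
    set_collected_field('', 'time', v.time);
    collect_listed_fields('', $6, ';', '=', '');
    # Get duration from start and end times. Skip bogus date_time.
    if (v.end_date ne '//' and v.end_time ne '::') then (
      int start_time_epoc = date_time_to_epoc(normalize_date(v.date, 'auto') . ' ' . v.time);
      int end_time_epoc = date_time_to_epoc(normalize_date(v.end_date, 'auto') . ' ' . v.end_time);
      set_collected_field('', 'duration', end_time_epoc - start_time_epoc);
    );
    # Translate the numeric status code through the language file when a table exists;
    # otherwise store the raw code.
    if (node_exists('lang_stats.log_formats.firepass_ssl_vpn.session_status')) then (
      v.status_name = node_value(subnode_by_name('lang_stats.log_formats.firepass_ssl_vpn.session_status', v.status_code));
      if (v.status_name eq '') then (
        v.status_name = "unknown";
      );
      set_collected_field('', 'session_status', v.status_name . " (" . v.status_code . ")");
    );
    else (
      set_collected_field('', 'session_status', v.status_code);
    );
    # Explicitly set these to empty so they won't be derived as unknown.
    set_collected_field('', 'web_browser', '(empty)');
    set_collected_field('', 'operating_system', '(empty)');
    accept_collected_entry('', false);
  ); # fp_sess_log

  # fp_browser_log
  # Two timestamps, then a quoted field list ending with the client's user agent.
  # NOTE(review): unlike the fp_sess_log expression, this one requires a full end timestamp.
  # If fp_browser_log lines can also carry the "// ::" placeholder, such lines would fall
  # through to the fp_logon_log branch below, which then feeds the "[// ::]" text into
  # collect_listed_fields() - confirm against real logs.
  # NOTE(review): the sample's user agent itself contains ';', the same delimiter
  # collect_listed_fields() splits on, so user_agent presumably arrives truncated at the first
  # ';' and the remainder is parsed as further "name=value" pairs. Because the user agent is
  # client-supplied, text of the form ";name=value" inside it could also override fields
  # already set for this entry. Extracting the user agent from the raw field list with a
  # regular expression before calling collect_listed_fields() would avoid both; confirm the
  # parser's behaviour before changing.
  #55.155.155.155--[10/23/2007 20:29:53][10/23/2007 20:42:46]"sid=0306138ba58e666710c6fd0d5dc28a5d;logon=009999;group=Rodent-Reptile;agent_OS=WinXP;user_agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
  else if (matches_regular_expression(v.line, '^([0-9.]+)--\\\\[([0-9]{2}/[0-9]{2}/[0-9]{4}) ([0-9]{2}:[0-9]{2}:[0-9]{2})\\\\]\\\\[([0-9]{2}/[0-9]{2}/[0-9]{4}) ([0-9]{2}:[0-9]{2}:[0-9]{2})\\\\]"(.*[^"])"?$')) then (
    v.date = $2;
    v.time = $3;
    v.end_date = $4;
    v.end_time = $5;
    set_collected_field('', 'interface_ip', $1);
    set_collected_field('', 'date', v.date);
    set_collected_field('', 'time', v.time);
    collect_listed_fields('', $6, ';', '=', '');
    # Get duration from start and end times.
    int start_time_epoc = date_time_to_epoc(normalize_date(v.date, 'auto') . ' ' . v.time);
    int end_time_epoc = date_time_to_epoc(normalize_date(v.end_date, 'auto') . ' ' . v.end_time);
    set_collected_field('', 'duration', end_time_epoc - start_time_epoc);
    # Get web browser, operating system information from the user_agent field.
    get_user_agent_info(get_collected_field('', 'user_agent'));
    set_collected_field('', 'web_browser', volatile.web_browser);
    set_collected_field('', 'operating_system', volatile.operating_system);
    accept_collected_entry('', false);
  ); # fp_browser_log

  # fp_usage_log
  # No interface IP: a bracketed timestamp, a bracketed tag, then a fixed quoted field list.
  # NOTE(review): 'user' is not declared in log.fields or database.fields, so nothing in this
  # file stores or reports it - confirm whether it was meant to be declared (or mapped to
  # logon). The unit of the time= value is not documented here; confirm it matches the unit
  # of the epoch differences the other branches store in duration.
  #[07/29/2009 11:40:23][user]"sid=123456d5f1400ccb81b91ceafb2bbfedb;logon=abcde;group=Default;time=1442;
  else if (matches_regular_expression(v.line, '^[[]([0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[]][[]([^]]+)[]]"sid=([^;]+);logon=([^;]+);group=([^;]+);time=([0-9]+);')) then (
    set_collected_field('', 'date', $1);
    set_collected_field('', 'time', $2);
    set_collected_field('', 'user', $3);
    set_collected_field('', 'sid', $4);
    set_collected_field('', 'logon', $5);
    set_collected_field('', 'group', $6);
    set_collected_field('', 'duration', $7);
    accept_collected_entry('', false);
  ); # fp_usage_log

  # fp_logon_log
  # This one has to be last because it has no quotes and will pick up end_times with the fields.
  # NOTE(review): the sample writes the user-agent key as "User-Agent" while this branch reads
  # 'user_agent' (and the field list is split on ';', which the user agent contains - see the
  # note in the fp_browser_log branch); confirm that collect_listed_fields() normalises key
  # names, otherwise web_browser/operating_system are derived from an empty value here.
  #55.155.155.155--[10/23/2007 20:29:53]logon=0096996;valid=yes;passed=yes;User-Agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
  else if (matches_regular_expression(v.line, '^([0-9.]+)--\\\\[([0-9]{2}/[0-9]{2}/[0-9]{4}) ([0-9]{2}:[0-9]{2}:[0-9]{2})\\\\](.*[^"])"?$')) then (
    set_collected_field('', 'interface_ip', $1);
    set_collected_field('', 'date', $2);
    set_collected_field('', 'time', $3);
    collect_listed_fields('', $4, ';', '=', '');
    # Get web browser, operating system information from the user_agent field.
    get_user_agent_info(get_collected_field('', 'user_agent'));
    set_collected_field('', 'web_browser', volatile.web_browser);
    set_collected_field('', 'operating_system', volatile.operating_system);
    accept_collected_entry('', false);
  ); # fp_logon_log
`

# Database fields
database.fields = {
  date_time = ""
  day_of_week = ""
  hour_of_day = ""
  interface_ip = ""
  sid = ""
  group = ""
  logon = ""
  message = ""
  #user_agent = ""
  #agent_os = "" # derived field is better: "Windows XP" instead of "WinXP"
  passed = ""
  valid = ""
  protocol = ""
  content_type = ""
  #server_addr = "" # unused in log per documentation
  #home_address = "" # unused in log sample and not mentioned in documentation
  #nonstandard_port = "" # unused in log sample and not mentioned in documentation
  #desktop_dns = "" # unused in log sample and not mentioned in documentation
  action = ""
  administrator_action_id = ""
  destination_host = ""
  destination_ip = ""
  destination_port = ""
  session_status = ""
  operating_system = ""
  web_browser = ""
} # database.fields

# Log Filters
log.filters = {
  mark_entry = {
    label = '$lang_admin.log_filters.mark_entry_label'
    comment = '$lang_admin.log_filters.mark_entry_comment'
    value = 'accesses = 1;'
  } # mark_entry
  # strip_message = {
  #   label = '$lang_admin.log_filters.strip_message_label'
  #   comment = '$lang_admin.log_filters.strip_message_comment'
  #   value = "message = '[omitted]'"
  # } # strip_message
} # log.filters

database.numerical_fields = {
  accesses = {
    default = true
    requires_log_field = false
    entries_field = true
  } # accesses
  # Filled by the parsing filter from the start/end timestamps (or the fp_usage_log time= value).
  duration = {
    requires_log_field = false
    type = "int"
    integer_bits = 64
    display_format_type = "duration_compact"
  } # duration
} # database.numerical_fields

create_profile_wizard_options = {
  # How the reports should be grouped in the report menu
  report_groups = {
    date_time_group = ""
  } # report_groups
} # create_profile_wizard_options

} # firepass_ssl_vpn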