# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for C-ICAP (Internet Content Adaptation Protocol)
# messages received through syslog. It declares the log and database fields,
# the single parsing filter that extracts them from the syslog message body,
# and the report/snapon wiring used by the profile wizard.
icap = {

  plugin_version = "1.0"

  # 2014-06-04 - 1.0 - GMF - Initial implementation

  info.1.manufacturer = "ICAP"
  info.1.device = "Internet Content Adaptation Protocol"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "ICAP (Internet Content Adaptation Protocol) Log Format"
  # The log must arrive as syslog; only the message body (v.syslog_message) is parsed below
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "internet_device"

  # The log is in this format if any of the first ten lines match this regular expression
  # (a "C-ICAP[<pid>]: " syslog tag; the pid may be negative, e.g. "C-ICAP[-1]: " in the sample below)
  log.format.autodetect_regular_expression = 'C-ICAP[[][0-9-]+[]]: '

  # Setting this to false allows setting field variables without using collect/accept
  # With "true", an entry only reaches the database when the parsing filter below calls
  # accept_collected_entry(); lines it does not match are dropped silently.
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Each is filled verbatim from a capture group of the regular expression in
  # log.parsing_filters.parse; no normalisation is applied here.
  log.fields = {
    client_ip = ""
    event_type = ""
    server_response = ""
    url = ""
    matched_cat = ""
    action_4_cat = ""
    action = ""
  } # log.fields

  # Parsing filter: one regular expression over the syslog message body.
  # Capture groups, in order: $1 time, $2 UTC offset, $3 client IP (IPv4 or IPv6
  # characters), $4 ICAP method (REQMOD in the sample), $5 numeric status,
  # $6 URL, $7 MatchedCat, $8 Action4cat, $9 Action.
  log.parsing_filters.parse = `
#May 12 08:53:15 abc100 C-ICAP[-1]: 08:53:15 +0800, 12.34.56.78 REQMOD 200 http://malware.com/index.html [MatchedCat: category-domains-malware] [Action4cat: category-domains-malware] [Action: BLOCKED]
# The URL group is ([^ ]+): a message whose URL contains a literal space will not match
# and the whole line is discarded (see parse_only_with_filters above).
if (matches_regular_expression(v.syslog_message, '^C-ICAP[[][^]]+[]]: ([0-9:]+) ([0-9+]+), ([0-9.a-f:]+) ([^ ]+) ([0-9]+) ([^ ]+) [[]MatchedCat: ([^]]+)[]] [[]Action4cat: ([^]]+)[]] [[]Action: ([^]]+)[]]')) then (
# $1 (time of day) and $2 (offset) are captured but not collected; presumably the
# syslog envelope supplies the entry timestamp — confirm against the Sawmill syslog handling.
#  set_collected_field('', 'time', $1);
  set_collected_field('', 'client_ip', $3);
  set_collected_field('', 'event_type', $4);
  set_collected_field('', 'server_response', $5);
  set_collected_field('', 'url', $6);
  set_collected_field('', 'matched_cat', $7);
  set_collected_field('', 'action_4_cat', $8);
  set_collected_field('', 'action', $9);
  accept_collected_entry('', false);
);
`

  # Database fields
  # Mirrors log.fields one-to-one; every parsed value is stored as-is.
  database.fields = {
    client_ip = ""
    event_type = ""
    server_response = ""
    url = ""
    matched_cat = ""
    action_4_cat = ""
    action = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Counts one event per accepted entry (feeds the "events" numerical field below)
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  log.field_options = {
    sessions_page_field = "url"
    # NOTE(review): browsing_host is not declared in log.fields above; presumably a
    # built-in Sawmill field — confirm.
    sessions_visitor_id_field = "browsing_host"
    # NOTE(review): names the page_views numerical field, which is commented out in
    # database.numerical_fields below while "events" is used everywhere else
    # (e.g. page_views_field.parameter_value = "events") — confirm this is intended.
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    # Per-entry event counter set by the mark_entry log filter
    events = {
      default = false
      requires_log_field = false
      entries_field = true
    } # events
    #    page_views = {
    #      default = true
    #      requires_log_field = false
    #    } # page_views
    # Distinct client_ip values per report row
    unique_client_ips = {
      log_field = "client_ip"
      type = "unique"
    } # unique_client_ips
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

    snapons = {

      # Attach a top_level_domain snapon
      # Derives a top_level_domain field from the url field
      top_level_domain = {
        snapon = "top_level_domain"
        name = "top_level_domain"
        label = "$lang_admin.snapons.top_level_domain.label"
        parameters = {
          url_field.parameter_value = "url"
          field_name = {
            parameter_value = "$lang_admin.field_labels.top_level_domain"
            final_node_name = "top_level_domain"
          }
        } # parameters
      } # top_level_domain

      # Attach a gateway_reports snapon
      # The "user" of the gateway reports is the client IP; the category is the
      # MatchedCat value; there is no bytes-in field in this log format.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          url_field.parameter_value = "url"
          user_field.parameter_value = "client_ip"
          #          user_field.parameter_value = "source_ip"
          have_category_field.parameter_value = true
          category_field.parameter_value = "matched_cat"
          host_field.parameter_value = "top_level_domain"
          page_views_field.parameter_value = "events"
          have_bytes_in_field.parameter_value = false
          #          bytes_in_field.parameter_value = "size"
          sort_by_field.parameter_value = "events"
        } # parameters
      } # gateway_reports

    } # snapons

  } # create_profile_wizard_options

} # icap