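# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Trend Micro IWSVA 6.5 syslog output.
# The parsing filter below splits each line into a syslog envelope and a
# "tk_*=value" payload; the order of the tk_* keys identifies the record
# type (security event, access log, user event, truncated line).
# Payload values such as tk_url, tk_path and tk_file_name are taken from
# client requests and may themselves contain the ',' separator, so the
# patterns that capture them use greedy (.*) and rely on the fixed key
# sequence plus the '$' anchor to re-synchronise on the following key.

iwsva = {

  plugin_version = "1.0"

  info.1.manufacturer = "Trend Micro"
  info.1.device = "IWSVA"
  info.1.version.1 = "6.5"

  # 2014-09-24 - 1.0 - Lew - initial version

  # The name of the log format
  log.format.format_label = "Trend Micro IWSVA"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "network_device"

  # Used by Sawmill to auto-select this format from sample lines; only the
  # access-log key sequence (tk_username ... tk_category_type) is matched here.
  log.format.autodetect_regular_expression = "^[A-Z][a-z]* [0-9]* [0-9:]* [0-9.]* [^ ]*: <.*> \\\\[[^|]*\\\\|[^ ]*] .* tk_username=[^,]*,tk_url=[^,]*,tk_size=[^,]*,tk_date_field=[^,]*,tk_protocol=[^,]*,tk_mime_content=[^,]*,tk_server=[^,]*,tk_client_ip=[^,]*,tk_server_ip=[^,]*,tk_domain=[^,]*,tk_path=[^,]*,tk_file_name=[^,]*,tk_operation=[^,]*,tk_uid=[^,]*,tk_category=[^,]*,tk_category_type=.*$"

  # Use parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields
  # Every collected field written by the parsing filter must be declared
  # here; each name appears exactly once.
  log.fields = {
    date = {
      type = "date"
      dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      type = "time"
      dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    ip_address = {
      type = "host"
    } # ip_address
    fw_name = ""
    dow = ""
    date_time_2 = ""
    timezone = ""
    event_type = ""
    event_level = ""
    event_message = ""
    username = ""
    date_field = ""
    protocol = ""
    url = ""
    malicious_entity = ""
    file_name = ""
    entity_name = ""
    action = ""
    scan_type = ""
    blocked_by = ""
    rule_name = ""
    opp_id = ""
    group_name = ""
    category = ""
    uid = ""
    filter_action = ""
    size = ""
    mime_content = ""
    server = ""
    client_ip = ""
    server_ip = ""
    domain = ""
    path = ""
    operation = ""
    category_type = ""
    local_field = ""
    user = ""
    description = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters = {
    parse = {
      label = "parse"
      comment = ""
      value = `
# Stage 1: split the syslog envelope from the tk_* payload.  Two envelope
# layouts are recognised; v.found_type records which one matched and
# v.remaining_line carries the payload into stage 2.
v.log_line = current_log_line();
v.found_type = 0;
if (matches_regular_expression(v.log_line, '^([A-Z][a-z]* [0-9]* [0-9:]*) ([0-9.]*) ([^ ]*): <([A-Z][a-z]*), ([0-9]* [A-Z][a-z]* [0-9]*) ([0-9:]*),([A-Z]*)> \\\\[([^|]*)\\\\|([^ ]*)] (.*) (tk_user.*=.*)$')) then (
  # Layout 1: "Mon DD HH:MM:SS <ip> <host>: <Dow, DD Mon YYYY HH:MM:SS,TZ> [type|level] message tk_...".
  set_collected_field('', 'date_time_2', $1);
  set_collected_field('', 'ip_address', $2);
  set_collected_field('', 'fw_name', $3);
  set_collected_field('', 'dow', $4);
  set_collected_field('', 'date', $5);
  set_collected_field('', 'time', $6);
  set_collected_field('', 'timezone', $7);
  set_collected_field('', 'event_type', $8);
  set_collected_field('', 'event_level', $9);
  set_collected_field('', 'event_message', $10);
  v.remaining_line = $11;
  v.found_type = 1;
);
else if (matches_regular_expression(v.log_line, '^([^ ]* [^\t]*)\t([^\t]*)\t([0-9.]*)\t([^:]*): <([A-Z][a-z]*), ([0-9]* [A-Z][a-z]* [0-9]*) ([0-9:]*),([A-Z]*)> \\\\[([^|]*)\\\\|([^ ]*)] (.*) (tk_user.*=.*)$')) then (
  # Layout 2: tab-separated prefix with an extra local field before the IP.
  set_collected_field('', 'date_time_2', $1);
  set_collected_field('', 'local_field', $2);
  set_collected_field('', 'ip_address', $3);
  set_collected_field('', 'fw_name', $4);
  set_collected_field('', 'dow', $5);
  set_collected_field('', 'date', $6);
  set_collected_field('', 'time', $7);
  set_collected_field('', 'timezone', $8);
  set_collected_field('', 'event_type', $9);
  set_collected_field('', 'event_level', $10);
  set_collected_field('', 'event_message', $11);
  v.remaining_line = $12;
  v.found_type = 2;
);

# Stage 2: classify the payload by its key sequence.  The entry is accepted
# whenever the envelope matched, even if no payload pattern did.
if (v.found_type > 0) then (
  if (matches_regular_expression(v.remaining_line, 'tk_username=([^,]*),tk_date_field=([^,]*),tk_protocol=([^,]*),tk_url=(.*),tk_malicious_entity=([^,]*),tk_file_name=(.*),tk_entity_name=([^,]*),tk_action=([^,]*),tk_scan_type=([^,]*),tk_blocked_by=([^,]*),tk_rule_name=([^,]*),tk_opp_id=([^,]*),tk_group_name=([^,]*),tk_category=([^,]*),tk_uid=([^,]*),tk_filter_action=([^,]*)$')) then (
    # Security event (malicious entity / blocking decision).  tk_url and
    # tk_file_name are captured with (.*) like the access-log pattern below:
    # with [^,]* a comma inside the URL made the whole pattern fail and the
    # line fell through to the truncated-line branch, losing action,
    # blocked_by and rule_name for exactly the events this format is for.
    set_collected_field('', 'username', $1);
    set_collected_field('', 'date_field', $2);
    set_collected_field('', 'protocol', $3);
    set_collected_field('', 'url', $4);
    set_collected_field('', 'malicious_entity', $5);
    set_collected_field('', 'file_name', $6);
    set_collected_field('', 'entity_name', $7);
    set_collected_field('', 'action', $8);
    set_collected_field('', 'scan_type', $9);
    set_collected_field('', 'blocked_by', $10);
    set_collected_field('', 'rule_name', $11);
    set_collected_field('', 'opp_id', $12);
    set_collected_field('', 'group_name', $13);
    set_collected_field('', 'category', $14);
    set_collected_field('', 'uid', $15);
    set_collected_field('', 'filter_action', $16);
  );
  else if (matches_regular_expression(v.remaining_line, 'tk_username=([^,]*),tk_url=(.*),tk_size=([^,]*),tk_date_field=([^,]*),tk_protocol=([^,]*),tk_mime_content=([^,]*),tk_server=([^,]*),tk_client_ip=([^,]*),tk_server_ip=([^,]*),tk_domain=([^,]*),tk_path=(.*),tk_file_name=(.*),tk_operation=([^,]*),tk_uid=([^,]*),tk_category=([^,]*),tk_category_type=([^,]*)$')) then (
    # Access log (full record, anchored at end of line).
    set_collected_field('', 'username', $1);
    set_collected_field('', 'url', $2);
    set_collected_field('', 'size', $3);
    set_collected_field('', 'date_field', $4);
    set_collected_field('', 'protocol', $5);
    set_collected_field('', 'mime_content', $6);
    set_collected_field('', 'server', $7);
    set_collected_field('', 'client_ip', $8);
    set_collected_field('', 'server_ip', $9);
    set_collected_field('', 'domain', $10);
    set_collected_field('', 'path', $11);
    set_collected_field('', 'file_name', $12);
    set_collected_field('', 'operation', $13);
    set_collected_field('', 'uid', $14);
    set_collected_field('', 'category', $15);
    set_collected_field('', 'category_type', $16);
    v.file_name = $12;
    # strip the [object], items from the file name
    if (matches_regular_expression(v.file_name, '(\\\\[object\\\\],)*(.*)')) then (
      set_collected_field('', 'file_name', $2);
      v.file_name = $2;
    );
    # strip the remaining [object] item from the file name
    if (matches_regular_expression(v.file_name, '(\\\\[object\\\\])*(.*)')) then (
      set_collected_field('', 'file_name', $2);
    );
  );
  else if (matches_regular_expression(v.remaining_line, 'tk_user=([^;]*);tk_date_field=([^;]*);tk_description=([^;]*)$')) then (
    # User event: three ';'-separated items.
    set_collected_field('', 'user', $1);
    set_collected_field('', 'date_field', $2);
    set_collected_field('', 'description', $3);
  );
  else if (matches_regular_expression(v.remaining_line, 'tk_username=([^,]*),tk_url=(.*),tk_size=([^,]*),tk_date_field=([^,]*),tk_protocol=([^,]*),tk_mime_content=([^,]*),tk_server=([^,]*),tk_client_ip=([^,]*),tk_server_ip=([^,]*),tk_domain=([^,]*),tk_path=([^,]*),tk_file_name=([^,]*)')) then (
    # Access-log prefix without the trailing operation/uid/category keys
    # (not anchored at end of line).
    set_collected_field('', 'username', $1);
    set_collected_field('', 'url', $2);
    set_collected_field('', 'size', $3);
    set_collected_field('', 'date_field', $4);
    set_collected_field('', 'protocol', $5);
    set_collected_field('', 'mime_content', $6);
    set_collected_field('', 'server', $7);
    set_collected_field('', 'client_ip', $8);
    set_collected_field('', 'server_ip', $9);
    set_collected_field('', 'domain', $10);
    set_collected_field('', 'path', $11);
    set_collected_field('', 'file_name', $12);
  );
  # line ends with ... - some items missing, so get what we can
  # NOTE(review): the dots in '(.*)...' are unescaped, so this branch matches
  # any payload of three or more characters that the patterns above rejected
  # and drops its last three characters, not only lines ending in "...".
  else if (matches_regular_expression(v.remaining_line, '(.*)...')) then (
    v.remaining_line = $1;
    # Peel known keys off the front one at a time; a key that is absent is
    # simply skipped and the rest of the line is left in v.remaining_line.
    if (matches_regular_expression(v.remaining_line, 'tk_username=([^,]*),(.*)$')) then (
      set_collected_field('', 'username', $1);
      v.remaining_line = $2;
    );
    # NOTE(review): greedy (.*) here captures up to the LAST comma, so when
    # further keys follow the URL they end up inside the url field -- confirm
    # against truncated samples before relying on url or size from this branch.
    if (matches_regular_expression(v.remaining_line, 'tk_url=(.*),(.*)$')) then (
      set_collected_field('', 'url', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_size=([^,]*),(.*)$')) then (
      set_collected_field('', 'size', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_date_field=([^,]*),(.*)$')) then (
      set_collected_field('', 'date_field', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_protocol=([^,]*),(.*)$')) then (
      set_collected_field('', 'protocol', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_mime_content=([^,]*),(.*)$')) then (
      set_collected_field('', 'mime_content', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_server=([^,]*),(.*)$')) then (
      set_collected_field('', 'server', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_client_ip=([^,]*),(.*)$')) then (
      set_collected_field('', 'client_ip', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_server_ip=([^,]*),(.*)$')) then (
      set_collected_field('', 'server_ip', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_domain=([^,]*),(.*)$')) then (
      set_collected_field('', 'domain', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_path=([^,]*),(.*)$')) then (
      set_collected_field('', 'path', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_file_name=([^,]*),(.*)$')) then (
      set_collected_field('', 'file_name', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_operation=([^,]*),(.*)$')) then (
      set_collected_field('', 'operation', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_uid=([^,]*),(.*)$')) then (
      set_collected_field('', 'uid', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_category=([^,]*),(.*)$')) then (
      set_collected_field('', 'category', $1);
      v.remaining_line = $2;
    );
    if (matches_regular_expression(v.remaining_line, 'tk_category_type=([^,]*)$')) then (
      set_collected_field('', 'category_type', $1);
    );
  );
  accept_collected_entry('', false);
)
`
    } # parse
  } # log.parsing_filters

  # Database fields
  # Same field set as log.fields, plus the date/time fields Sawmill derives
  # from the collected date and time; each name appears exactly once.
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    ip_address = ""
    fw_name = ""
    dow = ""
    date_time_2 = ""
    timezone = ""
    event_type = ""
    event_level = ""
    event_message = ""
    username = ""
    date_field = ""
    protocol = ""
    url = ""
    malicious_entity = ""
    file_name = ""
    entity_name = ""
    action = ""
    scan_type = ""
    blocked_by = ""
    rule_name = ""
    opp_id = ""
    group_name = ""
    category = ""
    uid = ""
    filter_action = ""
    size = ""
    mime_content = ""
    server = ""
    client_ip = ""
    server_ip = ""
    domain = ""
    path = ""
    operation = ""
    category_type = ""
    local_field = ""
    user = ""
    description = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1'
    } # mark_entry
  } # log.filters

  # NOTE(review): "page", "hostname" and "page_views" are not fields declared
  # in this plugin; these look like template defaults -- confirm whether
  # session tracking is meant to be wired to ip_address/url here.
  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "hostname"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      more_date_group = {
        dow = ""
        date_time_2 = ""
        timezone = ""
        date_field = ""
      } # more_date_group
      event_info_group = {
        event_type = ""
        event_level = ""
        event_message = ""
      } # event_info_group
      ip_host_group = {
        ip_address = ""
        client_ip = ""
        server_ip = ""
        fw_name = ""
        server = ""
        domain = ""
      } # ip_host_group
      user_group = {
        username = ""
        uid = ""
        group_name = ""
        user = ""
      } # user_group
    } # report_groups
  } # create_profile_wizard_options

} # iwsva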