# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plug-in for PeopleSoft AppServer logs. It declares the detection
# expression, the fields read from each line, and a parsing filter that also
# counts successful and failed sign-on events.
peoplesoft_appserver = {

  plugin_version = "1.3"

  # 2006-04-14: 1.0: Initial plug-in -GMF
  # 2011-07-11 - 1.0.1 - MSG - Edited info lines.
  # 2012-07-02 - 1.1 - MSG - Added a Message field and a Stream ID field for new variant.
  # 2013-11-20 - 1.2 - GMF - Added support for a variant
  # 2013-11-26 - 1.3 - GMF - Added tracking of successful/failed authentications; fixed a bug with extracting "Returning context" lines; added hostname extraction

  info.1.manufacturer = "PeopleSoft"
  info.1.device = "AppServer"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "PeopleSoft AppServer Log Format"
  log.miscellaneous.log_data_type = "web_server"
  log.miscellaneous.log_format_type = "web_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # Two timestamp layouts are accepted: a two-digit nn/nn/nn date followed by
  # hh:mm:ss, and a yyyy-mm-ddThh:mm:ss.mmm timestamp.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^[A-Z]+\\.[0-9]+ \\([0-9]+\\) \\[[0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] ") or
    #PSAPPSRV.22640 (5077) [2013-11-20T00:01:05.061 GetCertificate](3) Detected time zone is EST
    matches_regular_expression(volatile.log_data_line, "^[A-Z]+\\.[0-9]+ \\([0-9]+\\) \\[[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9][.][0-9][0-9][0-9] ")
  `

  # log.format.date_format = "mm/dd/yy"

  # Fields filled in by the parsing filter below. The last three (events,
  # successful_authentications, failed_authentications) are counters that the
  # filter sets to 1.
  log.fields = {
    event_type = ""
    date = ""
    time = ""
    operation = ""
    id = ""
    lang = ""
    token = ""
    identifier = ""
    email_address = ""
    browser = ""
    message = ""
    stream_id = ""
    hostname = ""
    events = ""
    successful_authentications = ""
    failed_authentications = ""
  } # log.fields

  log.parsing_filters.parse = `

# Parse one log line. Three line layouts are tried in order; each one fills
# event_type, date, time and operation.
v.remainder = '';

# Layout 1 (date normalized as mm/dd/yy): operation is the bracketed text after
# the time, and v.remainder is the message that follows the closing bracket.
# NOTE(review): this pattern escapes with four backslashes while the autodetect
# expression uses two for the same literals - confirm both resolve to the
# intended literal characters, otherwise auto-detected lines may fail to parse
# and their events would go unrecorded.
if (matches_regular_expression(current_log_line(), "^([A-Z]+)\\\\.[0-9]+ \\\\([0-9]+\\\\) \\\\[([0-9/]+) ([0-9:]+) ([^]]+)\\\\]\\\\([0-9]+\\\\) (.*)$")) then (
  event_type = $1;
  date = normalize_date($2, "mm/dd/yy");
  time = $3;
  operation = $4;
  v.remainder = $5;
);

#PSAPPSRV.22640 (5077) [2013-11-20T00:01:05.105 GetCertificate](3) Sign on PeopleCode authentication succeeded for user ABC.DEF@pool-12-34-56-78.here.com.
# Layout 2 (yyyy-mm-ddThh:mm:ss.mmm timestamp plus a bracketed name): the name
# before the closing bracket is matched but not captured, so operation receives
# the message text.
# NOTE(review): the pattern has four capture groups, yet v.remainder is read
# from $5 - presumably that leaves v.remainder empty for these lines; confirm.
else if (matches_regular_expression(current_log_line(), "^([A-Z]+)[.][0-9]+ [(][0-9]+[)] [[]([0-9-]+)T([0-9:]+)[.][0-9]+ [^ ]+[]][(][0-9]+[)] (.*)$")) then (
  event_type = $1;
  date = $2;
  time = $3;
  operation = $4;
  v.remainder = $5;
);

# Layout 3 (same timestamp, no bracketed name required): everything after the
# timestamp goes to operation. The $5 note on layout 2 applies here as well.
else if (matches_regular_expression(current_log_line(), "^([A-Z]+)[.][0-9]+ [(][0-9]+[)] [[]([0-9-]+)T([0-9:]+)[.][0-9]+ (.*)$")) then (
  event_type = $1;
  date = $2;
  time = $3;
  operation = $4;
  v.remainder = $5;
);

# Second pass: pull user, host and context details out of operation.
if (operation ne '') then (

  # Exactly two space-separated parts: the first goes to email_address and the
  # second replaces operation.
  if (matches_regular_expression(operation, '^([^ ]+) ([^ ]*)$')) then (
    email_address = $1;
    operation = $2;
  );

  # Three parts with a parenthesised middle part, which goes to browser.
  else if (matches_regular_expression(operation, '^([^ ]+) \\\\(([^)]*)\\\\) ([^ ]*)$')) then (
    email_address = $1;
    browser = $2;
    operation = $3;
  );

  #PSAPPSRV.22640 (5077) [2013-11-20T00:01:05.105 GetCertificate](3) Sign on PeopleCode authentication succeeded for user ABC.DEF@pool-12-34-56-78.here.com.
  # Successful sign-on: the text before @ goes to identifier, the text after it
  # (without the final period) goes to hostname, and the success counter is set.
  # NOTE(review): identifier and hostname are copied from the log line as-is
  # and are presumably client-influenced - treat them as untrusted text
  # wherever reports display them.
  else if (matches_regular_expression(operation, '^Sign on [^ ]+ authentication succeeded for user ([^@]+)@(.*)[.]$')) then (
    identifier = $1;
    hostname = $2;
    successful_authentications = 1;
  );

  #PSAPPSRV.22640 (5077) [2013-11-20T00:01:05.105 GetCertificate](3) Sign on PeopleCode authentication succeeded for user ABC.DEF@pool-12-34-56-78.here.com.
  # The sample above shows the succeeded form; this branch matches the same
  # line shape with failed in place of succeeded and sets the failure counter.
  else if (matches_regular_expression(operation, '^Sign on [^ ]+ authentication failed for user ([^@]+)@(.*)[.]$')) then (
    identifier = $1;
    hostname = $2;
    failed_authentications = 1;
  );

  # Disabled patterns for two other failure messages. While they stay disabled,
  # these messages are not added to failed_authentications, so failure counts
  # in reports cover only the Sign on ... failed form above.
  # NOTE(review): if re-enabled, each pattern has only two capture groups, so
  # the $2/$3 references look off by one; the first pattern also requires a
  # trailing period that its sample line does not show, and the period after
  # the word failed is an unescaped wildcard.
#    # PeopleSoft ID and Password authentication failed. Invalid user abc@12.34.56.78
#    else if (matches_regular_expression(operation, '^PeopleSoft ID and Password authentication failed. Invalid user ([^@]+)@(.*)[.]$')) then (
#      identifier = $2;
#      hostname = $3;
#      failed_authentications = 1;
#    );
#
#    # PeopleSoft Token authentication failed: token has expired: GUEST@131.125.11.1
#    else if (matches_regular_expression(operation, '^PeopleSoft Token authentication failed: token has expired: ([^@]+)@(.*)$')) then (
#      identifier = $2;
#      hostname = $3;
#      failed_authentications = 1;
#    );

  # Returning context lines: capture ID, language, optional stream id, token,
  # and any trailing text (stored in identifier). This is a separate if, so it
  # is evaluated even when one of the branches above matched; its else branch
  # stores v.remainder in message for every other line.
  # NOTE(review): the Token value in the sample below looks like a sign-on
  # token. Storing it verbatim in the token field exposes it to anyone who can
  # read the reports or the database - confirm it is needed, or restrict access
  # to this field.
  # NOTE(review): these tests read operation; on layout 1 lines the message
  # text is held in v.remainder instead, so such lines would presumably fall to
  # the else branch - confirm against layout 1 samples.
  if (matches_regular_expression(operation, "^Returning context. ID=([^,]+), Lang=([^,]+), Token=([^ ]+) ?(.*)$")) then (
    id = $1;
    lang = $2;
    token = $3;
    identifier = $4;
  );
  else if (matches_regular_expression(operation, "^Returning context. ID=([^,]+), Lang=([^,]+), UStreamId=([^,]+), Token=([^ ]+) ?(.*)$")) then (
    id = $1;
    lang = $2;
    stream_id = $3;
    token = $4;
    identifier = $5;
  );

  #PSAPPSRV.14446 (14499) [2013-11-20T00:15:13.145 GetCertificate](3) Returning context. ID=ABC.DEF, Lang=ENG, UStreamId=001511145_14446.19999, Token=H9PRD/2013-11-19-19.15.13.780021/ABC.DEF/ENG/rPTAJ+uFIX4h8LXUuOL/Zggoxqk=
#  else if (matches_regular_expression(v.remainder, "^Returning context.
  else
    message = v.remainder;

  # Reached only when operation is non-empty: count the line as one event.
  events = 1;

);

`

  # Non-numeric fields kept in the database. date_time, day_of_week and
  # hour_of_day are not assigned by the parsing filter above.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    operation = ""
    id = ""
    lang = ""
    token = ""
    identifier = ""
    hostname = ""
    email_address = ""
    browser = ""
    message = ""
    stream_id = ""
  } # database.fields

  # Numerical fields: the three counters set by the parsing filter. events is
  # marked as the default field and as the entries field.
  database.numerical_fields = {
    events = {
      default = true
      entries_field = true
    } # events
    successful_authentications = ""
    failed_authentications = ""
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

  } # create_profile_wizard_options

} # peoplesoft_appserver