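# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

rsa_securid_runtime = {

  plugin_version = "1.0"

  # 2012-07-13 - 1.0 - Benson - Initial Creation

  info.1.manufacturer = "RSA"
  info.1.device = "SecurID Audit Runtime Log Format"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "RSA SecurID Audit Runtime Log Format"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "application"

  # Sample entries, kept for reference.
  #
  # audit_runtime log format (41 comma-separated columns; this is the layout the
  # parsing expression below targets):
  #2/25/12 1:36:03 AM GMT,2/25/12 9:36:03 AM CST,192.168.221.151,b226859f97dda8c002683e933c3a80bc,1d826a3b97dda8c001113f196609a6f0,192.168.221.40,audit.runtime.AuthLogRequestHandler,1,AUTH_LOG_REQUEST,23003,2,AUTH_LOG_SYNTAX_ERROR,SYSTEM,-9223372036854775265,SYSTEM,SYSTEM,SYSTEM,SYSTEM,SYSTEM,SYSTEM,36107ce797dda8c002853819794cb552,000000000000000000001000e0011000,192.168.221.40,My_mail_server,1,,,,,,,1,,,,,,,,,VERIFIED
  #
  # audit_admin log format. NOTE(review): this sample has a different, shorter
  # layout (33 columns as shown here) and does not match the anchored 41-group
  # parsing expression below; it is reference material only, not a layout this
  # plugin parses.
  #2/24/12 6:01:31 AM GMT,2/24/12 2:01:31 PM CST,192.168.221.151,adf3355097dda8c0026eed2c71ec3278,1d826a3b97dda8c001113f196609a6f0,192.168.221.40,min.com.rsa.authmgr.internal.admin.tokenmgt.impl.c,3,AM_CLEAR_TOKEN_PIN,20011,0,,adf0d55497dda8c0028641bc8e6090e0-TZXjG9I8Jf7A,-9223372036854775314,,000000000000000000001000d0021000,000000000000000000001000d0011000,000000000000000000001000e0011000,admin,Admin,Admin,110,3f74eefc97dda8c00363f795f3e1fa4b,SYSTEM,000000000000000000001000e0011000,000110551027,0,SYSTEM,SYSTEM,SYSTEM,UNKNOWN,admin,UNKNOWN

  # Autodetection: the line must open with two timestamps of the shape
  # "m/d/yy h:mm:ss AM|PM <zone>," -- GMT first, then the server's local zone.
  # The AM/PM token is a character class, so it is written [AP]M; the previous
  # [A|P]M also accepted a literal "|".
  # NOTE(review): the local-zone abbreviation is hard-coded to "CST". Logs from
  # a server in another zone will parse but will not autodetect; select this
  # format explicitly in that case.
  log.format.autodetect_regular_expression = "^[0-9/]+ [0-9:]+ [AP]M GMT,[0-9/]+ [0-9:]+ [AP]M CST,"

  # Parse the log fields out of the log entry: 41 comma-separated columns,
  # anchored at both ends. The first seven columns (the two timestamps, three
  # addresses/ids, the second address, the process name) must be non-empty; the
  # remaining 34 may be empty. Every group is a comma-free run, so a line with a
  # different column count fails to match outright instead of being captured
  # with shifted columns.
  log.format.parsing_regular_expression = "^([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)$"

  log.format.date_format = "m/d/yy"
  log.format.time_format = "h:mm:ss AM/PM"
  log.format.field_separator = ","

  # Log fields: index N is the Nth capture group of the parsing expression.
  # Fields named argN are columns whose meaning is not documented in this file;
  # they are captured by position only.
  log.fields = {
    gmt_time.index = 1
    cst_time.index = 2
    ip1.index = 3
    s1.index = 4
    s2.index = 5
    ip2.index = 6
    process.index = 7
    code1.index = 8
    action.index = 9
    event_id.index = 10
    code2.index = 11
    result.index = 12
    arg1.index = 13
    arg2.index = 14
    arg3.index = 15
    arg4.index = 16
    arg5.index = 17
    username.index = 18
    first_name.index = 19
    last_name.index = 20
    arg6.index = 21
    arg7.index = 22
    ip3.index = 23
    arg8.index = 24
    arg9.index = 25
    arg10.index = 26
    source.index = 27
    arg12.index = 28
    arg13.index = 29
    arg14.index = 30
    arg15.index = 31
    arg16.index = 32
    arg17.index = 33
    arg18.index = 34
    arg19.index = 35
    arg20.index = 36
    arg21.index = 37
    contact.index = 38
    arg23.index = 39
    arg24.index = 40
    arg25.index = 41
    # Derived fields, not taken from a column: date and time are set by the
    # parsing filter below, events by the mark_entry filter.
    date = ""
    time = ""
    events = ""
  } # log.fields

  # Date and time are taken from the GMT timestamp (column 1); the local-zone
  # timestamp in column 2 is not used for timing.
  log.parsing_filters.parse = `
# Extract date and time from gmt_time. [AP]M is a character class (A or P).
if (matches_regular_expression(gmt_time, '^([0-9/]+) ([0-9:]+ [AP]M) GMT')) then (
  date = $1;
  time = $2;
);
`

  # Database fields: the log fields stored in the database. Commented-out
  # entries are parsed by the expression above but deliberately not stored.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    ip1 = ""
    #s1 = ""
    #s2 = ""
    ip2 = ""
    process = ""
    code1 = ""
    action = ""
    event_id = ""
    code2 = ""
    result = ""
    #arg1 = ""
    #arg2 = ""
    #arg3 = ""
    #arg4 = ""
    #arg5 = ""
    username = ""
    first_name = ""
    last_name = ""
    #arg6 = ""
    #arg7 = ""
    ip3 = ""
    arg8 = ""
    arg9 = ""
    #arg10 = ""
    source = ""
    #arg12 = ""
    arg13 = ""
    arg14 = ""
    arg15 = ""
    arg16 = ""
    #arg17 = ""
    #arg18 = ""
    #arg19 = ""
    #arg20 = ""
    #arg21 = ""
    contact = ""
    #arg23 = ""
    #arg24 = ""
    arg25 = ""
  } # database.fields

  database.numerical_fields = {
    # Event count; the mark_entry filter sets it to 1 on every parsed line.
    events = {
      default = true
      requires_log_field = true
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    # Count each parsed line as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # rsa_securid_runtime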