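# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Symantec Gateway Security 400 Series
# firewall. The log arrives via syslog (log_data_type = "syslog_required")
# and only lines matched by the parsing filter below become database entries.
# NOTE(review): this file is Sawmill's CFG dialect, not TOML, despite the
# extension hint -- nested braces without commas and backtick-delimited code
# are Sawmill syntax. Restored to one key per line: in the collapsed form
# every key after the first "#" was swallowed by a comment.
sgs_400_series = {

  plugin_version = "1.0.1"

  # Initial creation - 1.0
  # 2011-07-18 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "Symantec"
  info.1.device = "Gateway Security 400 Series"
  info.1.version.1 = ""

  # Format log_file_format value
  log.format.format_label = "Symantec Gateway Security 400 Series Log Format"

  # This log is the following type
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # We use this to recognise the format and "auto-detect".
  # NOTE(review): this expression is narrower than the parsing filter below.
  # It only recognises "Allowed|Blocked by In|Outbound Rules" lines, while
  # the filter also accepts "Denied" and "- Port Scan Attack" lines, so a
  # file made up only of the latter would not auto-detect as this format.
  # It also tolerates an empty dst_ip ("[^:]*") where the filter requires a
  # non-empty one ("[^:]+"); such a line would be detected but never
  # accepted. Confirm against real device output before changing either.
  log.format.autodetect_regular_expression = "(Allowed|Blocked) by (Out|In)bound Rules - src_ip=([^:]+):[0-9]+ - dst_ip=([^:]*):[0-9]+ - "
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    action = {
      label = "$lang_stats.field_labels.action"
      type = "flat"
    } # action
    src_ip = {
      label = "$lang_stats.field_labels.src_ip"
      type = "host"
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # src_ip
    src_port = {
      label = "$lang_stats.field_labels.src_port"
      type = "flat"
    } # src_port
    dst_ip = {
      label = "$lang_stats.field_labels.dst_ip"
      type = "flat"
    } # dst_ip
    dst_port = {
      label = "$lang_stats.field_labels.dst_port"
      type = "flat"
    } # dst_port
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
    } # protocol
  } # log.fields

  # Log Parsing Filters
  # Runs once per log line. A line that does not match the event expression
  # never reaches accept_collected_entry() and so is dropped without any
  # field being recorded. The line text is taken as delivered by the device
  # over syslog; nothing in this plugin authenticates the source, so the
  # src_ip/dst_ip/protocol values are only as trustworthy as that feed.
  log.parsing_filters.parse = `
v.line = current_log_line();

# get date if available
# A leading "[MM/DD/YYYY HH:MM:SS ...]" bracket, if present, supplies date
# and time and is stripped before the event match. The expression fixes
# only digit widths, not month/day order -- that is left to Sawmill's date
# handling; NOTE(review): confirm the device's order against a sample line.
if (matches_regular_expression(v.line, '\\\\[([0-9]{2}/[0-9]{2}/[0-9]{4}) ([0-9]{2}:[0-9]{2}:[0-9]{2})[^]]*\\\\] (.*)')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.line = $3;
);

# Event line: "<verdict><reason> - src_ip=A:P - dst_ip=B:Q - <rest>".
# action is verdict plus reason, e.g. "Allowed by Inbound Rules" or
# "Blocked - Port Scan Attack". Everything after the dst_ip port is stored
# verbatim as protocol -- presumably a protocol name/number, but it is
# whatever the device appends; verify against device output.
if (matches_regular_expression(v.line, '(Allowed|Denied|Blocked)( by Inbound Rules| by Outbound Rules| - Port Scan Attack) - src_ip=([^:]+):([0-9]+) - dst_ip=([^:]+):([0-9]+) - (.*)$')) then (
  set_collected_field('', 'action', $1 . $2);
  set_collected_field('', 'src_ip', $3);
  set_collected_field('', 'src_port', $4);
  set_collected_field('', 'dst_ip', $5);
  set_collected_field('', 'dst_port', $6);
  set_collected_field('', 'protocol', $7);
  accept_collected_entry('', false);
);
`

  # Database fields
  # One database field per log field above; all are stored as strings,
  # ports included.
  database.fields = {
    action = {
      label = "$lang_stats.field_labels.action"
      log_field = "action"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # action
    src_ip = {
      label = "$lang_stats.field_labels.src_ip"
      log_field = "src_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src_ip
    dst_ip = {
      label = "$lang_stats.field_labels.dst_ip"
      log_field = "dst_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst_ip
    src_port = {
      label = "$lang_stats.field_labels.src_port"
      log_field = "src_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src_port
    dst_port = {
      label = "$lang_stats.field_labels.dst_port"
      log_field = "dst_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst_port
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
  } # database.fields

  # Log Filters
  # Every accepted entry counts as one event.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      logging_device = true
      action = true
      src_ip = true
      src_port = true
      dst_ip = true
      dst_port = true
      protocol = true
    } # report_groups
  } # create_profile_wizard_options

  # Firewall events carry no web-session semantics.
  not_supported = {
    sessions = true
    pageviews = true
    visitors = true
  } # not_supported

} # sgs_400_series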