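# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the SonicWall TZ 170 firewall event log.
#
# Each log line is a " - " separated record: date, time (with milliseconds),
# a severity word (Notice / Alert / Info ...), an action phrase and then,
# for connection events, a source tuple and a destination tuple of the form
# "ip, port, interface" followed by a free-text description.  System and
# administrator events (see samples below) carry no connection tuple.

sonic_wall_tz_170 = {

  plugin_version = "1.0.2"

  # 17/May/2006 - KBB - 1.0beta - first version
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy
  # 2011-07-19 - 1.0.1 - MSG - Edited info lines.
  # 1.0.2 - review - Added a fallback parse so system and administrator events
  #         (which carry no connection tuple) are no longer left unparsed.

  info.1.manufacturer = "SonicWall"
  info.1.device = "TZ 170 Firewall"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Sonicwall TZ 170 Firewall"
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "firewall"

  # Sample lines.  The addresses appear to be anonymised (several octets are
  # above 255), which is why the IP patterns below are the lenient [0-9.]+.
  #11/04/2006 08:45:38.352 - Notice - TCP connection dropped - 72.132.222.221, 3288, OPT - 72.132.23.225, 445, OPT - TCP SMB
  #11/04/2006 08:47:27.320 - Notice - UDP packet dropped - 92.129.129.62, 31260, OPT - 72.132.42.125, 1026, OPT - UDP Port: 1026
  #11/04/2006 08:53:04.080 - Notice - UDP packet dropped - 72.132.42.121, 3204, OPT - 232.252.252.220, 1900 - UDP Port: 1900
  #11/04/2006 08:57:51.784 - Alert - Possible port scan dropped - 63.32.233.321, 80, WAN - 132.138.3.37, 4528, LAN - TCP scanned port list, 4524, 4525, 4526, 4527, 4529
  #11/03/2006 12:03:43.480 - Info - SonicWALL initializing - -
  #11/03/2006 12:03:52.912 - Info - SonicWALL activated - -
  #11/03/2006 12:15:59.016 - Info - Administrator logged out - inactivity timer expired - 122.122.269.28, 0, WAN (admin) - 122.128.2.224, 443, LAN -

  # The log is in this format if any of the first ten lines match this regular expression.
  # Only connection events (with a source tuple) satisfy it; a log whose first ten
  # lines are all system events (e.g. a device boot) will not autodetect and the
  # format has to be chosen by hand.
  log.format.autodetect_regular_expression = "^[0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+\\.[0-9]+ - [A-Z][a-z]+ - [A-Za-z ]* - [0-9.]+, [0-9]+, [^ ]+ - [0-9.]+, [0-9]+"

  # The regular expression to parse lines.
  # One regular expression is not enough because of lines like the third sample
  # (destination tuple without an interface name), and the scanned port list is
  # split off into its own field to decrease the number of unique destination
  # descriptions.  The single-regex version kept for reference:
  #log.format.parsing_regular_expression = "^([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\.[0-9]+ - ([A-Z][a-z]+) - ([A-Za-z ]*) - ([0-9.]+), ([0-9]+), ([^ ]+) - ([0-9.]+), ([0-9]+), ([^ ]+) - ?(.*) ?$"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # All log field parsing will be done using the parsing filters
  #log.format.parse_only_with_filters = "true"

  statistics.miscellaneous.entry_name = "events"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    message_type = ""
    action = ""
    # "host" type — presumably what feeds the `location` database field
    # (DNS/GeoIP lookup of the source); destination_ip is a plain string and
    # is not resolved.  Confirm against the Sawmill field-type docs.
    source_ip = {
      type = "host"
    }
    source_port = ""
    source_network = ""
    destination_ip = ""
    destination_port = ""
    destination_network = ""
    destination_description = ""
    scanned_port_list = ""
  } # log.fields

  # Log Parsing Filters.
  # Branches are tried in order; the first match wins:
  #   1. connection event with a full destination tuple (ip, port, interface)
  #   2. connection event whose destination tuple has no interface name
  #   3. any other line with the common "date time - type - action - " prefix
  #      (system events such as "SonicWALL initializing", administrator
  #      session events) — only date/time/type/action are captured, the
  #      remainder of the line is not mapped to a field.
  # Milliseconds after the seconds field are deliberately discarded.
  # Note the regex escaping: "\\\\." in this backtick string reaches the
  # regex engine as "\.", matching one literal dot.
  log.parsing_filters.parse = `
    if (matches_regular_expression(current_log_line(), "^([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\\\.[0-9]+ - ([A-Z][a-z]+) - ([A-Za-z ]*) - ([0-9.]+), ([0-9]+), ([^ ]+) - ([0-9.]+), ([0-9]+), ([^ ]+) - ?(.*) ?$")) then (
      date = $1;
      time = $2;
      message_type = $3;
      action = $4;
      source_ip = $5;
      source_port = $6;
      source_network = $7;
      destination_ip = $8;
      destination_port = $9;
      destination_network = $10;
      destination_description = $11;
      # Keep a copy: the nested match below reassigns $1/$2.
      v.destination_description = $11;
      if (matches_regular_expression(v.destination_description, '^([A-Z]+ scanned port list), (.*)$')) then (
        destination_description = $1;
        scanned_port_list = $2;
      );
    );
    else if (matches_regular_expression(current_log_line(), "^([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\\\.[0-9]+ - ([A-Z][a-z]+) - ([A-Za-z ]*) - ([0-9.]+), ([0-9]+), ([^ ]+) - ([0-9.]+), ([0-9]+) - ?(.*) ?$")) then (
      date = $1;
      time = $2;
      message_type = $3;
      action = $4;
      source_ip = $5;
      source_port = $6;
      source_network = $7;
      destination_ip = $8;
      destination_port = $9;
      destination_description = $10;
    );
    else if (matches_regular_expression(current_log_line(), "^([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+)\\\\.[0-9]+ - ([A-Z][a-z]+) - ([A-Za-z ]*) - (.*)$")) then (
      # System / administrator events: no connection tuple, so only the
      # common prefix is captured.  Without this branch these lines set no
      # fields at all and device restarts and admin sessions were invisible
      # in the reports.
      date = $1;
      time = $2;
      message_type = $3;
      action = $4;
    );
  `

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    message_type = ""
    action = ""
    source_ip = ""
    location = ""
    source_port = ""
    source_network = ""
    destination_ip = ""
    destination_port = ""
    destination_network = ""
    destination_description = ""
    scanned_port_list = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    unique_source_ips = {
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      action = true
      message_type = true
      source_group = {
        source_ip = true
        source_port = true
        source_network = true
        location = true
      }
      destination_group = {
        destination_ip = true
        destination_port = true
        destination_network = true
        destination_description = true
        scanned_port_list = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # sonic_wall_tz_170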