# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Sophos UTM Web Application Firewall
# (reverse proxy) access log. Each log line is one proxied HTTP request; the
# fields are key="value" pairs after the literal token "reverseproxy:".
# The whole file was collapsed onto a few lines upstream; it is re-flowed here
# with no token changed.
utm_web_application_firewall = {

  plugin_version = "1.0"

  # 2014-03-12 - GMF - 1.0 - Initial implementation

  info.1.manufacturer = "Sophos"
  info.1.device = "UTM Web Application Firewall"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Sophos UTM Web Application Firewall Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  #2014:03:01-00:00:02 Window-1 reverseproxy: srcip="12.34.56.78" localip="98.76.54.32" size="1088" user="-" host="23.45.67.89" method="GET" statuscode="200" reason="-" extra="-" time="5273" url="/dir/file.html" server="abc.here.com" referer="-" cookie="-" set-cookie="-"
  # Only the timestamp, the UTM host name and the "reverseproxy:" tag are
  # matched; the key="value" payload is not inspected by autodetection.
  log.format.autodetect_regular_expression = "^[0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9] ([^ ]+) reverseproxy: "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Field names follow the keys in the sample line above, except "time"
  # (mapped to time_taken so it does not collide with the clock time) and
  # "set-cookie" (stored as set_cookie). cookie and set_cookie carry raw
  # session material from the proxied requests/responses; see the omit_*
  # snapons further down, which drop them from profiles built by the wizard.
  log.fields = {
    date = ""
    time = ""
    srcip = ""
    localip = ""
    size = ""
    user = ""
    host = ""
    method = ""
    statuscode = ""
    reason = ""
    extra = ""
    time_taken = ""
    url = ""
    server = ""
    referer = ""
    cookie = ""
    set_cookie = ""
    accesses = ""
  } # log.fields

  # Log Parsing Filters
  # $1 = date (YYYY:MM:DD), $2 = time (HH:MM:SS), $3 = UTM host name (captured
  # but not collected), $4 = the key="value" payload. The payload is split on
  # ' ' and '=' by collect_listed_fields; the "time=time_taken" argument renames
  # the log's "time" key so the clock time set from $2 is not overwritten.
  # The url field is rebuilt as 'http://' . server . url; the scheme is fixed
  # regardless of whether the proxied request was HTTPS.
  # NOTE(review): the sample line uses the key "set-cookie" while the field is
  # named set_cookie; no explicit "set-cookie=set_cookie" mapping is given here,
  # so this relies on collect_listed_fields normalising the hyphen — confirm
  # against a real log, or the field will stay empty.
  # NOTE(review): splitting on ' ' assumes no quoted value contains a space
  # (e.g. a multi-word reason=""); verify with production logs.
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), "^([0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([^ ]+) reverseproxy: (.*)$")) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  collect_listed_fields('', $4, ' ', '=', 'time=time_taken');
  set_collected_field('', 'url', 'http://' . get_collected_field('', 'server') . get_collected_field('', 'url'));
  accept_collected_entry('', false);
);
`

  # Database fields
  # Non-numeric fields stored per entry. cookie and set_cookie are included
  # here, so a profile that does not apply the omit_cookie / omit_set_cookie
  # snapons (e.g. one created without the wizard) will retain raw cookie
  # values in the database.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    srcip = ""
    localip = ""
    user = ""
    host = ""
    method = ""
    statuscode = ""
    reason = ""
    extra = ""
    time_taken = ""
    url = ""
    server = ""
    referer = ""
    cookie = ""
    set_cookie = ""
  } # database.fields

  # Log Filters
  # Default per-entry filters offered by the profile wizard.
  log.filters = {

    # Reduce url to scheme://host/(omitted) so query strings and paths
    # (which may embed tokens or identifiers) are not kept in the database.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url

    # Same reduction for referer; a literal "-" becomes "(no referrer)".
    simplify_referrer = {
      label = "$lang_admin.log_filters.simplify_referrer_label"
      comment = "$lang_admin.log_filters.simplify_referrer_comment"
      value = "if (referer eq '-') then referer = '(no referrer)' else if (matches_regular_expression(referer, '^([^:]+://[^/]+/)')) then referer = $1 . '(omitted)'"
    } # simplify_referrer

    # Count every accepted line as one access.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry

  } # log.filters

  # Numeric fields: accesses (entry counter), size (bytes, shown as
  # bandwidth) and time_taken (shown as a millisecond duration).
  database.numerical_fields = {
    accesses = {
      default = true
      entries_field = true
    } # accesses
    size = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size
    time_taken = {
      integer_bits = 64
      display_format_type = duration_milliseconds
      default = true
    } # time_taken
  } # database.numerical_fields

  # Session tracking: visitors are keyed on the client IP seen by the WAF.
  # NOTE(review): sessions_page_field is "referer", not "url" — presumably
  # deliberate since url is reduced by simplify_url; confirm with the author.
  log.field_options = {
    sessions_page_field = "referer"
    sessions_visitor_id_field = "srcip"
    sessions_event_field = "accesses"
  } # log.field_options

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

    snapons = {

      # Attach a top_level_domain snapon
      # Derives top_level_domain from the referer field (not from url).
      top_level_domain = {
        snapon = "top_level_domain"
        name = "top_level_domain"
        label = "$lang_admin.snapons.top_level_domain.label"
        parameters = {
          url_field.parameter_value = "referer"
          field_name = {
            parameter_value = "$lang_admin.field_labels.top_level_domain"
            final_node_name = "top_level_domain"
          }
        } # parameters
      } # top_level_domain

      # Drop the request cookie field from wizard-created profiles so session
      # identifiers are not retained in the report database.
      omit_cookie = {
        name = "Omit cookie"
        label = "Omit cookie"
        snapon = "omit_field"
        parameters = {
          field.parameter_value = "cookie"
        } # parameters
      } # omit_cookie

      # Same for the response Set-Cookie field.
      omit_set_cookie = {
        name = "Omit set_cookie"
        label = "Omit set_cookie"
        snapon = "omit_field"
        parameters = {
          field.parameter_value = "set_cookie"
        } # parameters
      } # omit_set_cookie

      # Attach a gateway_reports snapon
      # The "user" dimension is the client IP (srcip), not the log's user
      # field; the category field is not provided by this log.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          # user_field.parameter_value = "user"
          user_field.parameter_value = "srcip"
          have_category_field.parameter_value = false
          # category_field.parameter_value = "category"
          host_field.parameter_value = "top_level_domain"
          page_views_field.parameter_value = "accesses"
          bytes_in_field.parameter_value = "size"
          sort_by_field.parameter_value = "accesses"
        } # parameters
      } # gateway_reports

      # Geolocate the client IP.
      geo_location = {
        snapon = "geo_location"
        name = "geo_location"
        label = "$lang_admin.snapons.geo_location.label"
        parameters = {
          ip_address_field.parameter_value = "srcip"
        } # parameters
      } # geo_location

    } # snapons

  } # create_profile_wizard_options

} # utm_web_application_firewall