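# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Checkpoint FireWall-1 lines as forwarded by OSSEC over
# syslog. Each line carries a syslog header (month, day, time, forwarder address) followed
# by the firewall's own record; the field positions below refer to that combined line.

checkpoint = {

  plugin_version = "1.0"

  info.1.manufacturer = "OSSEC"
  info.1.device = "Checkpoint"
  info.1.version.1 = "2.8.1"

  # 2014-09-24 - 1.0 - Lew - initial version

  # The name of the log format
  log.format.format_label = "OSSEC Checkpoint"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Only the "rule:" line shape that carries rule_name and an xlate field is autodetected;
  # the no-NAT and ICMP shapes handled by the parsing filter below do not trigger
  # autodetection on their own.
  # Jul 29 00:00:00 172.16.0.12 FireWall-1: 27Jul2014 13:21:16 accept fw1 >External rule: 156; rule_uid: {AC43DDDB-559E-43B9-9009-D21C40802FC9}; rule_name: untrust-to-web-248; service_id: http; src: 202.46.61.104; dst: 27.131.161.148; proto: tcp; xlatedst: Host_10.80.10.18; NAT_rulenum: 19; NAT_addtnl_rulenum: 1; product: VPN-1 & FireWall-1; service: http; s_port: 54003;
  log.format.autodetect_regular_expression = "^[A-Z][a-z]* [0-9]* [0-9:]* [0-9.]* [^ ]* [0-9]*[A-Z][a-z]*[0-9]* [0-9:]* [^ ]* [^ ]* [ ]* >[^ ]* rule: [0-9]*; rule_uid: [^ ]*; rule_name: [^ ]*; service_id: [^ ]*; src: [^ ]*; dst: [^ ]*; proto: [^ ]*; xlate[^ ]*: [^ ]*; NAT_rulenum: [0-9]*; NAT_addtnl_rulenum: [0-9]*; product: [^;]*; service: [^ ]*; s_port: [0-9]*;$"

  # This regular expression is used to parse the log fields out of the log entry
  # http://regex101.com/r/iW5rS5/2
  # Kept commented out for reference only: parsing is done by log.parsing_filters below
  # (parse_only_with_filters is set), which covers more line shapes than this single pattern.
  # log.format.parsing_regular_expression = "^[A-Z][a-z]* [0-9]* [0-9:]* ([0-9.]*) ([^ ]*) ([0-9]*[A-Z][a-z]*[0-9]*) ([0-9:]*) ([^ ]*) ([^ ]*) [ ]* >([^ ]*) rule: ([0-9]*); rule_uid: {([^ ]*)}; rule_name: ([^ ]*); service_id: ([^ ]*); src: ([^ ]*); dst: ([^ ]*); proto: ([^ ]*); xlate[^ ]*: ([^ ]*); NAT_rulenum: ([0-9]*); NAT_addtnl_rulenum: ([0-9]*); product: ([^;]*); service: ([^ ]*); s_port: ([0-9]*);$"

  # Use parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log. The date/time fields are taken from the
  # firewall's own timestamp (e.g. "27Jul2014 13:21:16"), not from the leading syslog
  # header, so report timelines follow the firewall's clock rather than the collector's.
  log.format.date_format = "ddmmmyyyy"
  log.format.time_format = "hh:mm:ss"

  # Log fields
  log.fields = {
    # Address from the syslog header, i.e. the host that forwarded the line
    # (172.16.0.12 in the sample); the connection endpoints are src/dst below.
    ip_address = {
      type = "host"
    } # ip_address
    # Matched up to the next space, so the sample value keeps its trailing colon ("FireWall-1:").
    firewall_name = ""
    date = {
      type = "date"
      dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      type = "time"
      dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    # The action word that follows the timestamp ("accept" in the sample). The parsing
    # filter captures whatever word is in that position, so other actions would land in
    # this same field — confirm against live logs.
    accept = ""
    fw_name = ""
    # The ">"-prefixed token after the firewall name ("External" in the sample).
    request_type = ""
    rule_number = ""
    # The surrounding braces are stripped by the parsing filter.
    rule_uid = ""
    # Matched up to the next space; a rule name containing spaces will not match the
    # branches that capture it.
    rule_name = ""
    service_id = ""
    icmp = ""
    icmp_type = ""
    icmp_code = ""
    src = ""
    dst = ""
    proto = ""
    xlatesrc = ""
    xlatedst = ""
    nat_rulenum = ""
    nat_addtnl_rulenum = ""
    message_info = ""
    product = ""
    service = ""
    s_port = ""
  } # log.fields

  # Log Parsing Filters
  # Four line shapes are tried in order: (1) rule line with xlatesrc, (2) rule line with
  # xlatedst, (3) rule line without rule_name/xlate/NAT fields, (4) ICMP line. There is no
  # fallback branch, so a line that matches none of them is never accepted — presumably it
  # is skipped silently under parse_only_with_filters (confirm). If the Checkpoint field
  # order or field set differs from these shapes, events are undercounted without warning.
  log.parsing_filters = {
    parse = {
      label = "parse"
      comment = ""
      value = "
if (matches_regular_expression(current_log_line(), '^[A-Z][a-z]* [0-9]* [0-9:]* ([0-9.]*) ([^ ]*) ([0-9]*[A-Z][a-z]*[0-9]*) ([0-9:]*) ([^ ]*) ([^ ]*) [ ]* >([^ ]*) rule: ([0-9]*); rule_uid: {([^ ]*)}; rule_name: ([^ ]*); service_id: ([^ ]*); src: ([^ ]*); dst: ([^ ]*); proto: ([^ ]*); xlatesrc: ([^ ]*); NAT_rulenum: ([0-9]*); NAT_addtnl_rulenum: ([0-9]*); product: ([^;]*); service: ([^ ]*); s_port: ([0-9]*);$')) then (
  set_collected_field('', 'ip_address', $1);
  set_collected_field('', 'firewall_name', $2);
  set_collected_field('', 'date', $3);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'accept', $5);
  set_collected_field('', 'fw_name', $6);
  set_collected_field('', 'request_type', $7);
  set_collected_field('', 'rule_number', $8);
  set_collected_field('', 'rule_uid', $9);
  set_collected_field('', 'rule_name', $10);
  set_collected_field('', 'service_id', $11);
  set_collected_field('', 'src', $12);
  set_collected_field('', 'dst', $13);
  set_collected_field('', 'proto', $14);
  set_collected_field('', 'xlatesrc', $15);
  set_collected_field('', 'nat_rulenum', $16);
  set_collected_field('', 'nat_addtnl_rulenum', $17);
  set_collected_field('', 'product', $18);
  set_collected_field('', 'service', $19);
  set_collected_field('', 's_port', $20);
  accept_collected_entry('', false);
)
else if (matches_regular_expression(current_log_line(), '^[A-Z][a-z]* [0-9]* [0-9:]* ([0-9.]*) ([^ ]*) ([0-9]*[A-Z][a-z]*[0-9]*) ([0-9:]*) ([^ ]*) ([^ ]*) [ ]* >([^ ]*) rule: ([0-9]*); rule_uid: {([^ ]*)}; rule_name: ([^ ]*); service_id: ([^ ]*); src: ([^ ]*); dst: ([^ ]*); proto: ([^ ]*); xlatedst: ([^ ]*); NAT_rulenum: ([0-9]*); NAT_addtnl_rulenum: ([0-9]*); product: ([^;]*); service: ([^ ]*); s_port: ([0-9]*);$')) then (
  set_collected_field('', 'ip_address', $1);
  set_collected_field('', 'firewall_name', $2);
  set_collected_field('', 'date', $3);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'accept', $5);
  set_collected_field('', 'fw_name', $6);
  set_collected_field('', 'request_type', $7);
  set_collected_field('', 'rule_number', $8);
  set_collected_field('', 'rule_uid', $9);
  set_collected_field('', 'rule_name', $10);
  set_collected_field('', 'service_id', $11);
  set_collected_field('', 'src', $12);
  set_collected_field('', 'dst', $13);
  set_collected_field('', 'proto', $14);
  set_collected_field('', 'xlatedst', $15);
  set_collected_field('', 'nat_rulenum', $16);
  set_collected_field('', 'nat_addtnl_rulenum', $17);
  set_collected_field('', 'product', $18);
  set_collected_field('', 'service', $19);
  set_collected_field('', 's_port', $20);
  accept_collected_entry('', false);
)
else if (matches_regular_expression(current_log_line(), '^[A-Z][a-z]* [0-9]* [0-9:]* ([0-9.]*) ([^ ]*) ([0-9]*[A-Z][a-z]*[0-9]*) ([0-9:]*) ([^ ]*) ([^ ]*) [ ]* >([^ ]*) rule: ([0-9]*); rule_uid: {([^ ]*)}; service_id: ([^ ]*); src: ([^ ]*); dst: ([^ ]*); proto: ([^ ]*); product: ([^;]*); service: ([^ ]*); s_port: ([0-9]*);$')) then (
  set_collected_field('', 'ip_address', $1);
  set_collected_field('', 'firewall_name', $2);
  set_collected_field('', 'date', $3);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'accept', $5);
  set_collected_field('', 'fw_name', $6);
  set_collected_field('', 'request_type', $7);
  set_collected_field('', 'rule_number', $8);
  set_collected_field('', 'rule_uid', $9);
  set_collected_field('', 'service_id', $10);
  set_collected_field('', 'src', $11);
  set_collected_field('', 'dst', $12);
  set_collected_field('', 'proto', $13);
  set_collected_field('', 'product', $14);
  set_collected_field('', 'service', $15);
  set_collected_field('', 's_port', $16);
  accept_collected_entry('', false);
)
else if (matches_regular_expression(current_log_line(), '^[A-Z][a-z]* [0-9]* [0-9:]* ([0-9.]*) ([^ ]*) ([0-9]*[A-Z][a-z]*[0-9]*) ([0-9:]*) ([^ ]*) ([^ ]*) [ ]* >([^ ]*) service_id: ([^ ]*); ICMP: ([^;]*); src: ([^ ]*); dst: ([^ ]*); proto: ([^ ]*); ICMP Type: ([^ ]*); ICMP Code: ([^ ]*); xlatedst: ([^ ]*); NAT_rulenum: ([0-9]*); NAT_addtnl_rulenum: ([0-9]*); rule: ([0-9]*); message_info: ([^;]*); product: ([^;]*);$')) then (
  set_collected_field('', 'ip_address', $1);
  set_collected_field('', 'firewall_name', $2);
  set_collected_field('', 'date', $3);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'accept', $5);
  set_collected_field('', 'fw_name', $6);
  set_collected_field('', 'request_type', $7);
  set_collected_field('', 'service_id', $8);
  set_collected_field('', 'icmp', $9);
  set_collected_field('', 'src', $10);
  set_collected_field('', 'dst', $11);
  set_collected_field('', 'proto', $12);
  set_collected_field('', 'icmp_type', $13);
  set_collected_field('', 'icmp_code', $14);
  set_collected_field('', 'xlatedst', $15);
  set_collected_field('', 'nat_rulenum', $16);
  set_collected_field('', 'nat_addtnl_rulenum', $17);
  set_collected_field('', 'rule_number', $18);
  set_collected_field('', 'message_info', $19);
  set_collected_field('', 'product', $20);
  accept_collected_entry('', false);
)
"
    } # parse
  } # log.parsing_filters

  # Database fields
  database.fields = {
    ip_address = {
      type = "string"
    } # ip_address
    # date_time, day_of_week and hour_of_day are derived from the date and time log fields.
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    accept = ""
    fw_name = ""
    request_type = ""
    rule_number = ""
    rule_uid = ""
    rule_name = ""
    service_id = ""
    icmp = ""
    icmp_type = ""
    icmp_code = ""
    src = ""
    dst = ""
    proto = ""
    xlatesrc = ""
    xlatedst = ""
    nat_rulenum = ""
    nat_addtnl_rulenum = ""
    message_info = ""
    product = ""
    service = ""
    s_port = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every accepted entry counts as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1'
    } # mark_entry
  } # log.filters

  # NOTE(review): "page", "hostname" and "page_views" are not fields defined by this plugin;
  # this looks like template boilerplate — confirm whether session tracking is expected.
  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "hostname"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        src = ""
        xlatesrc = ""
        s_port = ""
      }
      destination_group = {
        dst = ""
        xlatedst = ""
      }
      rule_group = {
        rule_number = ""
        rule_uid = ""
        rule_name = ""
        nat_rulenum = ""
        nat_addtnl_rulenum = ""
      }
      icmp_group = {
        icmp = ""
        icmp_type = ""
        icmp_code = ""
      }
      other_group = {
        accept = ""
        fw_name = ""
        request_type = ""
        service_id = ""
        proto = ""
        message_info = ""
        product = ""
        service = ""
      }
    } # report_groups
  } # create_profile_wizard_options

} # checkpoint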