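# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Cisco VPN Concentrator event logs that are
# comma separated and carry MM/DD/YYYY dates. Each log line is one event;
# fields are accumulated per user with set_collected_field() and the entry is
# emitted when the "disconnected:" line for that user is seen.

cisco_vpnconcentrator_commas_mmddyyyy = {

  plugin_version = "1.0.3"

  info.1.manufacturer = "Cisco Systems"
  info.1.device = "VPN Concentrator (mmddyyyy)"
  info.1.version.1 = ""

  # 2006/Jun/22: 1.0.1 - KBB - Added support for disconnect lines without
  #   a "Session type"
  # 2010:02:05 - 1.0.2 - gas - removed duration field from database.fields
  # 2010:02:05 - - gas - changed duration to detect hh:mm:ss string and convert to seconds
  # 2010-10-26 - 1.0.3 - MSG - Edited info lines.
  # <date> - - review - fixed the minutes term of the duration conversion in the
  #   disconnect branch without "Session Type" (it read $2, the bytes-xmt capture,
  #   instead of $1, the duration capture)

  # Cisco VPN Concentrator (Comma separated - MMDDYYYY)
  # sessions, hits, bandwidth, pageviews, and visitors.

  # The name of the log format
  log.format.format_label = "Cisco VPN Concentrator (Comma separated - MMDDYYYY)"
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first autodetect_lines (50) lines
  # match this regular expression
  log.format.autodetect_regular_expression = "[0-9]*,../../....,..:..:..\\....,SEV=[0-9]+,[A-Z]+/[0-9]+,RPT=[0-9]+,[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
  log.format.autodetect_lines = "50"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # There's no maximum duration or session timeout-- sessions just timeout
  # when the connection is terminated.
  statistics.miscellaneous.maximum_session_duration = "0"
  statistics.miscellaneous.session_timeout = "0"
  # NOTE(review): the opening "(" and trailing "|" have no counterpart in this
  # pattern; it looks like a truncated alternation -- confirm against a working
  # profile before relying on session logout detection.
  statistics.miscellaneous.session_logout_regexp = "( disconnected: |"

  # An entry is an event
  statistics.miscellaneous.entry_name = "events"

  log.format.date_format = "mm/dd/yyyy"
  log.format.time_format = "hh:mm:ss"

  # Log fields
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # time
    action = {
      label = "$lang_stats.field_labels.action"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # action
    bytes_xmt = {
      label = "$lang_stats.field_labels.bytes_xmt"
      type = "flat"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # bytes_xmt
    bytes_rcv = {
      label = "$lang_stats.field_labels.bytes_rcv"
      type = "flat"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # bytes_rcv
    class = {
      label = "$lang_stats.field_labels.class"
      type = "flat"
      index = 0
      subindex = 0
    } # class
    client_ip = {
      label = "$lang_stats.field_labels.client_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # client_ip
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "flat"
      index = 0
      subindex = 0
    } # duration
    encryption = {
      label = "$lang_stats.field_labels.encryption"
      type = "flat"
      index = 0
      subindex = 0
    } # encryption
    event_ip = {
      label = "$lang_stats.field_labels.event_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # event_ip
    group = {
      label = "$lang_stats.field_labels.group"
      type = "flat"
      index = 0
      subindex = 0
    } # group
    port = {
      label = "$lang_stats.field_labels.port"
      type = "flat"
      index = 0
      subindex = 0
    } # port
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    reason = {
      label = "$lang_stats.field_labels.reason"
      type = "flat"
      index = 0
      subindex = 0
    } # reason
    server_ip = {
      label = "$lang_stats.field_labels.server_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # server_ip
    session_type = {
      label = "$lang_stats.field_labels.session_type"
      type = "flat"
      index = 0
      subindex = 0
    } # session_type
    severity = {
      label = "$lang_stats.field_labels.severity"
      type = "flat"
      index = 0
      subindex = 0
    } # severity
    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
      is_sessions_visitor_id = true
    } # user
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters = {

    # parse out the header fields.
    # The user name in "User [...]" keys the collected entry; every other field is
    # attached to that key until the "disconnected:" line accepts the entry.
    header = {
      label = "header"
      comment = ""
      value = "
if (matches_regular_expression(current_log_line(), '^[0-9]+,(../../....),(..:..:..)\\\\....,SEV=([0-9]+),([^/]+)/[0-9]+,RPT=[0-9]+,([0-9\\\\.]+),(.*User \\\\[)([^]]*)(\\\\].*)$')) then (
  volatile.message = $6 . $7 . $8;
  volatile.user = $7;
  set_collected_field(volatile.user, 'date', $1);
  set_collected_field(volatile.user, 'time', $2);
  set_collected_field(volatile.user, 'severity', $3);
  set_collected_field(volatile.user, 'class', $4);
  set_collected_field(volatile.user, 'event_ip', $5);

  # NOTE(review): 'user' here is limited to [a-z_]+; the sample disconnect line
  # below carries a dotted user name, which this pattern would not match, so
  # server_ip/user may stay unset for such users -- confirm against real data.
  if (matches_regular_expression(volatile.message, 'Authentication successful: handle = [0-9 ]+ server = ([0-9\\\\. ]+) user = ([a-z_]+)')) then (
    set_collected_field(volatile.user, 'server_ip', $1);
    set_collected_field(volatile.user, 'user', $2);
  );
  else if (matches_regular_expression(volatile.message, 'Group \\\\[([^]]+)\\\\] User \\\\[([^]]+)\\\\] User \\\\(([^)]+)\\\\) (authenticated).')) then (
    set_collected_field(volatile.user, 'group', $1);
    set_collected_field(volatile.user, 'user', $2);
    set_collected_field(volatile.user, 'action', $3);
  );
  else if (matches_regular_expression(volatile.message, 'Received remote Proxy Host data in ID Payload:Address ([0-9\\\\.]+) *Protocol ([0-9 ]+) Port ([0-9]+)')) then (
    set_collected_field(volatile.user, 'client_ip', $1);
    set_collected_field(volatile.user, 'protocol', $2);
    set_collected_field(volatile.user, 'port', $3);
  );
  else if (matches_regular_expression(volatile.message, 'IKE Remote Peer configured for SA: ([^ ]+)')) then (
    set_collected_field(volatile.user, 'encryption', $1);
  );
  # Disconnect line with a Session Type. Duration is captured as [0-9:]+ and
  # converted from h:mm:ss to seconds (hours = text before the first ':',
  # minutes = two chars after it, seconds = text after the last ':').
  # NOTE(review): a duration with no ':' (the older millisecond form mentioned
  # in the 1.0.2 comment) would not convert correctly here -- confirm the
  # device never emits that form.
  else if (matches_regular_expression(volatile.message, 'disconnected: Session Type: ([^ ]+) Duration: ([0-9:]+) *Bytes xmt: ([0-9]+) *Bytes rcv: ([0-9]+) *Reason: (.*)$')) then (
    set_collected_field(volatile.user, 'session_type', $1);
    # 1.0.2 - my guess is that Cisco have changed this value from milliseconds to hh:mm:ss, so we need to change this - gas
    # set_collected_field(volatile.user, 'duration', $2);
    set_collected_field(volatile.user, 'duration', (substr($2, 0, index($2, ':'))*60*60)+(substr($2, index($2, ':')+1, 2)*60)+substr($2, last_index($2, ':')+1));
    set_collected_field(volatile.user, 'bytes_xmt', $3);
    set_collected_field(volatile.user, 'bytes_rcv', $4);
    set_collected_field(volatile.user, 'reason', $5);
    accept_collected_entry(volatile.user, false);
  );
  # Disconnect line without a Session Type (1.0.1). Same conversion as above,
  # but the duration is capture $1 and the byte counts shift to $2/$3.
  #43647,04/06/2006,13:35:55.490,SEV=4,AUTH/28,RPT=4179,177.27.7.17,User [roland.parker] disconnected: Duration: 0:04:54 Bytes xmt: 1480 Bytes rcv: 2160 Reason: User Requested
  else if (matches_regular_expression(volatile.message, 'disconnected: Duration: ([0-9:]+) *Bytes xmt: ([0-9]+) *Bytes rcv: ([0-9]+) *Reason: (.*)$')) then (
    # 1.0.2 - my guess is that Cisco have changed this value from milliseconds to hh:mm:ss, so we need to change this - gas
    # set_collected_field(volatile.user, 'duration', $1);
    # review: the minutes term previously read substr($2, ...), i.e. the
    # bytes-xmt capture, which made every duration in this branch wrong.
    set_collected_field(volatile.user, 'duration', (substr($1, 0, index($1, ':'))*60*60)+(substr($1, index($1, ':')+1, 2)*60)+substr($1, last_index($1, ':')+1));
    set_collected_field(volatile.user, 'bytes_xmt', $2);
    set_collected_field(volatile.user, 'bytes_rcv', $3);
    set_collected_field(volatile.user, 'reason', $4);
    accept_collected_entry(volatile.user, false);
  );
);
"
    }

  } # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    client_ip = {
      label = "$lang_stats.field_labels.client_ip"
      log_field = "client_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # client_ip
    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user
    group = {
      label = "$lang_stats.field_labels.group"
      log_field = "group"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # group
    # 1.0.2 - this is duplication and should only appear in database.numerical_fields - gas
    # duration = {
    #   label = "$lang_stats.field_labels.duration"
    #   log_field = "duration"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # duration
    encryption = {
      label = "$lang_stats.field_labels.encryption"
      log_field = "encryption"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # encryption
    session_type = {
      label = "$lang_stats.field_labels.session_type"
      log_field = "session_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # session_type
    severity = {
      label = "$lang_stats.field_labels.severity"
      log_field = "severity"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # severity
    class = {
      label = "$lang_stats.field_labels.class"
      log_field = "class"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # class
    action = {
      label = "$lang_stats.field_labels.action"
      log_field = "action"
      type = "string"
      suppress_top = 0
      suppress_bottom = 9
    } # action
    event_ip = {
      label = "$lang_stats.field_labels.event_ip"
      log_field = "event_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event_ip
    port = {
      label = "$lang_stats.field_labels.port"
      log_field = "port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # port
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    reason = {
      label = "$lang_stats.field_labels.reason"
      log_field = "reason"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # reason
    server_ip = {
      label = "$lang_stats.field_labels.server_ip"
      log_field = "server_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server_ip
  } # database.fields

  # Log Filters
  log.filters = {
    # Convert SEV to english
    1 = {
      label = "1"
      comment = ""
      value = "convert_field_map('severity', '1->Fault(1)|2->Warning/Severe(2)|3->Warning/Serious(3)|4->Information/Low(4)|5->Information/Med(5)|6->Information/High(6)|7->Debug/Low(7)|8->Debug/Med(8)|9->Debug/High(9)|10->Packet Decode/High(10)|11->Packet Decode/Low(11)|12->Packet Decode/Header_Hex(12)|13->Packet Decode/Packet_Hex(13)')"
    } # 1
    # Convert CLASS to english
    2 = {
      label = "2"
      comment = ""
      value = "convert_field_map('class', 'AUTH->Authentication|AUTHDBG->Authentication debugging|AUTHDECODE->Authentication protocol decoding|AUTOUPDATE->Autoupdate subsystem|BMGT->Bandwidth management subsystem|BMGTDBG->Bandwidth management debugging|CAPI->Cryptography subsystem|CERT->Digital certificates subsystem including SCEP|CONFIG->Configuration subsystem|DHCP->DHCP subsystem|DHCPDBG->DHCP debugging|DHCPDECODE->DHCP decoding|DM->Data Movement subsystem|DNS->DNS subsystem|DNSDBG->DNS debugging|DNSDECODE->DNS decoding|EVENT->Event subsystem|EVENTDBG->Event subsystem debugging|EVENTMIB->Event MIB changes|EXPANSIONCARD->Expansion card (module) subsystem|FILTER->Filter subsystem|FILTERDBG->Filter debugging|FSM->Finite State Machine subsystem (for debugging)|FTPD->FTP daemon subsystem|GENERAL->NTP subsystem and other general events|GRE->GRE subsystem|GREDBG->GRE debugging|GREDECODE->GRE decoding|HARDWAREMON->Hardware monitoring (fans, temperature, voltages, etc.)|HTTP->HTTP subsystem|IKE->ISAKMP/Oakley (IKE) subsystem|IKEDBG->ISAKMP/Oakley (IKE) debugging|IKEDECODE->ISAKMP/Oakley (IKE) decoding|IP->IP router subsystem|IPDBG->IP router debugging|IPDECODE->IP packet decoding|IPSEC->IP Security subsystem|IPSECDBG->IP Security debugging|IPSECDECODE->IP Security decoding|L2TP->L2TP subsystem|L2TPDBG->L2TP debugging|L2TPDECODE->L2TP decoding|LBSSF->Load Balancing subsystem|MIB2TRAP->MIB-II trap subsystem: SNMP MIB-II traps|OSPF->OSPF subsystem|PPP->PPP subsystem|PPPDBG->PPP debugging|PPPDECODE->PPP decoding|PPTP->PPTP subsystem|PPTPDBG->PPTP debugging|PPTPDECODE->PPTP decoding|PSH->Operating system command shell|PSOS->Embedded real-time operating system|QUEUE->System queue|REBOOT->System rebooting|RM->Resource Manager subsystem|SMTP->SMTP event handling|SNMP->SNMP trap subsystem|SSH->SSH subsystem|SSL->SSL subsystem|SYSTEM->Buffer, heap, and other system utilities|TCP->TCP subsystem|TELNET->Telnet subsystem|TELNETDBG->Telnet debugging|TELNETDECODE->Telnet decoding|TIME->System time (clock)|VRRP->VRRP subsystem|XML->XML ')"
    } # 2
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    unique_users = {
      label = "$lang_stats.field_labels.unique_users"
      default = false
      requires_log_field = true
      log_field = "user"
      type = "unique"
      display_format_type = "integer"
    } # unique_users
    bytes_xmt = {
      label = "$lang_stats.field_labels.bytes_xmt"
      default = false
      requires_log_field = true
      log_field = "bytes_xmt"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_xmt
    bytes_rcv = {
      label = "$lang_stats.field_labels.bytes_rcv"
      default = false
      requires_log_field = true
      log_field = "bytes_rcv"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_rcv
    duration = {
      label = $lang_stats.field_labels.duration
      default = false
      requires_log_field = true
      type = int
      # 1.0.2 - this is now seconds - gas
      # display_format_type = duration_milliseconds
      display_format_type = duration_compact
    } # duration
  } # database.numerical_fields

  create_profile_wizard_options = {
    # date_time_tracking = true
    # host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      client_ip = true
      user = true
      group = true
      encryption = true
      session_type = true
      severity = true
      class = true
      action = true
      event_ip = true
      port = true
      protocol = true
      reason = true
      server_ip = true
    } # report_groups
  } # create_profile_wizard_options

  # not_supported = {
  #   pageviews = true
  #   sessionpages = true
  # } # not_supported

} # cisco_vpnconcentrator_commas_mmddyyyy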