# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for McAfee WebShield SMTP logs. The syntax is
# Sawmill's own TOML-like profile/plugin format (nested `{ }` blocks, one
# `key = value` per line, `#` comments), not strict TOML: it has no commas in
# inline blocks and allows dotted keys with numeric components, so do not
# feed it to a TOML parser.
mc_afee_web_shield = {
  plugin_version = "1.0.1"
  # Initial creation - 1.0
  # 2011-06-22 - 1.0.1 - MSG - Edited info lines.
  info.1.manufacturer = "McAfee"
  info.1.device = "Webshield"
  # Left empty in the original; presumably "any version" — confirm.
  info.1.version.1 = ""

  # sessions, hits, bandwidth, pageviews, and visitors.
  # The name of the log format
  log.format.format_label = "McAfee Webshield Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "internet_device"
  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "WebShield SMTP"
  statistics.miscellaneous.entry_name = "events"
  # The format of dates and times in this log (must agree with the
  # `date_time` capture in parsing filter 2 below).
  log.format.date_format = "mmm dd hh:mm:ss yyyy"
  log.format.time_format = "mmm dd hh:mm:ss yyyy"
  # All log field parsing will be done using the parsing filters, so the
  # log.fields entries below carry no index/divider information of their own
  # (index = 0, subindex = 0 throughout).
  log.format.parse_only_with_filters = "true"

  # Log fields. Each one is populated by exactly one parsing filter below
  # (filter number given per field).
  log.fields = {
    # Filter 2. Configured as a date_time field with no hierarchy dividers.
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      type = "date_time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date_time
    # Filter 3.
    sender = {
      label = "$lang_stats.field_labels.sender"
      type = "flat"
      index = 0
      subindex = 0
    } # sender
    # Filter 4.
    recipient_list = {
      label = "$lang_stats.field_labels.recipient_list"
      type = "flat"
      index = 0
      subindex = 0
    } # recipient_list
    # Filter 5. Parsed but not tracked in database.fields below — presumably
    # left out deliberately because of its cardinality; confirm.
    message_id = {
      label = "$lang_stats.field_labels.message_id"
      type = "flat"
      index = 0
      subindex = 0
    } # message_id
    # Filter 6.
    virus = {
      label = "$lang_stats.field_labels.virus"
      type = "flat"
      index = 0
      subindex = 0
    } # virus
    # Filter 2 (second capture).
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type
    # Filter 9. Feeds the `size` numerical field (bandwidth).
    size = {
      label = "$lang_stats.field_labels.size"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # size
    # Filter 7 (second capture).
    side = {
      label = "$lang_stats.field_labels.side"
      type = "flat"
      index = 0
      subindex = 0
    } # side
    # Filter 7 (first capture).
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # source_ip
    # Filter 8.
    action = {
      label = "$lang_stats.field_labels.action"
      type = "flat"
      index = 0
      subindex = 0
    } # action
  } # log.fields

  # Log Parsing Filters
  #
  # One WebShield event spans several log lines: a date/time line followed by
  # indented "Sender:", "Recipient list:", ... lines. Every regexp below starts
  # with an empty group `()` bound to `*KEY*`, so all lines appear to share one
  # (empty) collection key and are folded into a single in-progress entry;
  # filter 1 accepts the collected entry whenever a new date/time line begins.
  # Filters are evaluated in numeric order.
  log.parsing_filters = {
    # Accept a collected field when there is a date/time line
    1 = {
      label = "1"
      comment = ""
      value = "accept_collected_entry_using_regexp('^()... ... [0-9 ][0-9] [0-9:]* [0-9]*', false)"
    } # 1
    # Parse out the date/time, type
    # The date capture is "mmm dd hh:mm:ss yyyy" (day may be space-padded),
    # matching log.format.date_format; whatever upper-case text follows
    # becomes `type`.
    2 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('^()... (... [0-9 ][0-9] [0-9:]* [0-9]*) *([A-Z :]*)$', '*KEY*,date_time,type')"
    } # 2
    # Parse out the Sender:
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('^() Sender: <([^>]+)>', '*KEY*,sender')"
    } # 3
    # Parse out the Recipient list::
    # NOTE(review): `<([^>]+)>` captures only the first angle-bracketed
    # address; if the device lists several recipients on this line, the rest
    # are dropped — confirm against sample logs.
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('^() Recipient list: <([^>]+)>', '*KEY*,recipient_list')"
    } # 4
    # Parse out the MessageID:
    # `(.+)$` stores the rest of the line verbatim. A Message-ID originates
    # from the sending mail client, not from the scanner, so anything that
    # renders this field must treat it as untrusted text.
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('^() MessageID: (.+)$', '*KEY*,message_id')"
    } # 5
    # Parse out the Virus:
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp('^() Virus: (.+)$', '*KEY*,virus')"
    } # 6
    # Parse out the Source IP & Side:
    # `[0-9.]*` only matches dotted-decimal (IPv4-shaped) addresses; an IPv6
    # address would leave source_ip empty — confirm the device never logs one.
    # The parenthesised text after the address becomes `side`. The doubled
    # backslashes escape the literal parentheses through the string layer.
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('^() Received from IP address: ([0-9.]*) \\\\((.*)\\\\)$', '*KEY*,source_ip,side')"
    } # 7
    # Parse out the Action:
    8 = {
      label = "8"
      comment = ""
      value = "collect_fields_using_regexp('^() Action: (.+)$', '*KEY*,action')"
    } # 8
    # Parse out the size:
    # Requires a space after the digits (e.g. a unit that follows); a line
    # ending right after the number would not match — confirm.
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('^() Size: ([0-9]*) ', '*KEY*,size')"
    } # 9
  } # log.parsing_filters

  # Database fields
  # day_of_week and hour_of_day are derived from date_time rather than from a
  # parsing filter.
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    sender = {
      label = "$lang_stats.field_labels.sender"
      log_field = "sender"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sender
    recipient_list = {
      label = "$lang_stats.field_labels.recipient_list"
      log_field = "recipient_list"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # recipient_list
    virus = {
      label = "$lang_stats.field_labels.virus"
      log_field = "virus"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # virus
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip
    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type
    side = {
      label = "$lang_stats.field_labels.side"
      log_field = "side"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # side
    action = {
      label = "$lang_stats.field_labels.action"
      log_field = "action"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # action
  } # database.fields

  database.numerical_fields = {
    # Event counter; set to 1 per entry by the mark_entry log filter below.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # Message size from parsing filter 9, shown as bandwidth; 64-bit to
    # avoid overflow when summed.
    size = {
      label = "$lang_stats.field_labels.size"
      default = false
      requires_log_field = true
      log_field = "size"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      sender = true
      recipient_list = true
      virus = true
      source_ip = true
      type = true
      side = true
      action = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-style statistics that do not apply to a mail-gateway log.
  not_supported = {
    individualhosts = true
    sessions = true
    visitors = true
    pageviews = true
  } # not_supported
} # mc_afee_web_shield