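# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Trend Micro Control Manager 2014 events
# forwarded over syslog. Each line is a tab-separated syslog envelope
# (receiver date, receiver time, facility.priority, device, sender timestamp)
# followed by a single "TMCM:<event type>" record whose fields are all
# double-quoted key="value" pairs.
trend_micro_control_manager2014 = {

  plugin_version = "1.0"

  # 2014-12-04 - 1.0 - Lew - Made a whole new version, much different from old one
  # Parsing fix: the facility/priority separator is now an escaped literal dot
  # (was an unescaped ".", i.e. "any character"), and the facility class excludes
  # tabs so it cannot run past the field boundary and misalign every later capture.

  info.1.manufacturer = "Trend Micro"
  info.1.device = "Control Manager 2014"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Trend Micro Control Manager 2014"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "network_device"

  # New format with header lines removed; any remaining non-data header
  # lines are skipped rather than parsed.
  log.format.ignore_format_lines = true

  # Autodetection: a single line must match the full record layout, anchored
  # at both ends so a partial or trailing-garbage line is not accepted.
  # The facility.priority field is deliberately loose here ([^\t]*); the
  # parsing filter below is the strict one.
  log.format.autodetect_expression = `
(matches_regular_expression(volatile.log_data_line, '^[0-9-]+ [0-9:]+\t[^\t]*\t[^\t]*\t[A-Za-z]* [0-9: ]* TMCM:[^ ]* Security product="[^"]*" Security product node ="[^"]*" Security product IP="[^"]*" Event time="[^"]*" Virus="[^"]*" Action taken="[^"]*" Result="[^"]*" Infection destination="[^"]*" Infection destination IP="[^"]*" Infection source="[^"]*" Infection source IP="[^"]*" Destination IP="[^"]*" Source IP="[^"]*" Domain="[^"]*"$'))
`
  log.format.autodetect_lines = 1

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields
  # date/time come from the syslog receiver's timestamp at the start of the
  # line; event_time_1 is the sender's syslog timestamp and event_time_2 is
  # the Event time="..." value inside the TMCM record.
  log.fields = {
    date = ""
    time = ""
    facility = ""
    priority = ""
    device = ""
    event_time_1 = ""
    event_type = ""
    security_product = ""
    security_product_node = ""
    security_product_ip = ""
    event_time_2 = ""
    virus = ""
    action_taken = ""
    result = ""
    infect_destination = ""
    infect_destination_ip = ""
    infect_source = ""
    infect_source_ip = ""
    destination_ip = ""
    source_ip = ""
    domain = ""
  } # log.fields

  # Log Parsing Filters
  # One anchored regular expression captures all 21 fields in record order.
  # facility and priority are split on the literal "." of the syslog
  # "facility.priority" field; a line without that separator does not match
  # and is not imported (previously such a line matched with shifted captures).
  # The odd spacing in 'Security product node ="' is kept because the
  # autodetect pattern expects it too; presumably this is how TMCM emits it.
  # Captured values (virus name, infection source, domain, ...) are stored
  # verbatim from the log line; the only constraint enforced is that each
  # value contains no double quote.
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), '^([0-9-]+) ([0-9:]+)\t([^.\t]*)\.([^\t]*)\t([^\t]*)\t([A-Za-z]* [0-9: ]*) TMCM:([^ ]*) Security product="([^"]*)" Security product node ="([^"]*)" Security product IP="([^"]*)" Event time="([^"]*)" Virus="([^"]*)" Action taken="([^"]*)" Result="([^"]*)" Infection destination="([^"]*)" Infection destination IP="([^"]*)" Infection source="([^"]*)" Infection source IP="([^"]*)" Destination IP="([^"]*)" Source IP="([^"]*)" Domain="([^"]*)"$')) then (
  date = $1;
  time = $2;
  facility = $3;
  priority = $4;
  device = $5;
  event_time_1 = $6;
  event_type = $7;
  security_product = $8;
  security_product_node = $9;
  security_product_ip = $10;
  event_time_2 = $11;
  virus = $12;
  action_taken = $13;
  result = $14;
  infect_destination = $15;
  infect_destination_ip = $16;
  infect_source = $17;
  infect_source_ip = $18;
  destination_ip = $19;
  source_ip = $20;
  domain = $21;
) # if not format line
`

  # Database fields
  # date and time are folded into date_time plus the derived day_of_week and
  # hour_of_day; every other log field is stored under its own name.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    facility = ""
    priority = ""
    device = ""
    event_time_1 = ""
    event_type = ""
    security_product = ""
    security_product_node = ""
    security_product_ip = ""
    event_time_2 = ""
    virus = ""
    action_taken = ""
    result = ""
    infect_destination = ""
    infect_destination_ip = ""
    infect_source = ""
    infect_source_ip = ""
    destination_ip = ""
    source_ip = ""
    domain = ""
  } # database.fields

  # Log Filters
  # Every imported line counts as one event.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1'
    } # mark_entry
  } # log.filters

  # The only numerical field: a per-entry event counter.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # trend_micro_control_manager2014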