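# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Microsoft DNS Server debug log
# (Windows 2000/2003/2008). It declares the log fields, the parsing filter
# that extracts them from each line, the database fields built from them,
# and the profile-wizard options. Reviewer remarks are marked NOTE(review).

windows_2003_dns = {

  plugin_version = "1.6.1"

  info.1.manufacturer = "Microsoft"
  info.1.device = "DNS Server"
  # NOTE(review): the same key is assigned three times; in a map only one
  # assignment can survive, so this most likely reads as a single version
  # string rather than a list. Left unchanged — confirm how info.N.version
  # is consumed before reworking it.
  info.1.version = "Windows 2000" # OS version
  info.1.version = "Windows 2003" # OS version
  info.1.version = "Windows 2008" # OS version

  # Change history
  # - 1.0 - GMF - Initial creation
  # 2008-03-12 - 1.1 - KBB - Added support for version with date in first field. Changed
  # autodetect_regular_expression to be more flexible.
  # 2008-06-02 - 1.2 - KBB - Added flags_hex to reports. Added check of flags value of all spaces, which
  # means no flags. Now no flags is set to (empty). Also made number of spaces before the response code
  # variable, since the length of a response code can vary and it is a fixed position format.
  # 2008-11-13 - 1.3 - MSG - Added support for an optional Packet ID field, before the protocol field
  # 2009-06-01 - GMF - Flattened remote_ip
  # 2010-03-08 - gas - added support for Windows 2000 logs
  # 2011-08-11 - KBB - added support for Windows 2008 logs plus new date format
  # 2011-09-19 - 1.5 - MSG - Added support for single digit hour in time stamp.
  # 2013-08-20 - 1.6 - gas - Added support for mm/dd or dd/mm; and for lowercase am/pm
  # 2014-03-03 - 1.6.1 - GMF - Fixed use of date order snapon

  # The name of the log format
  log.format.format_label = "Windows 2000/2003/2008 DNS Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first autodetect_lines (100) lines
  # match this regular expression. Sample lines in the two layouts:
  #20080129 11:48:37 770 PACKET UDP Rcv 22.222.222.22 bf90 Q [1000 NOERROR] (3)www(4)here(3)com(0)
  #8/15/2011 10:26:04 AM 1268 PACKET 00000000042FC5A0 UDP Snd 10.1.222.222 20fc R Q [8085 A DR NOERROR] A (12)sewrac03_vip(4)wfsi(4)priv(0)
  # Earlier, stricter forms of the expression, kept for reference:
  #log.format.autodetect_regular_expression = "^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9A-F][0-9A-F][0-9A-F] EVENT "
  #log.format.autodetect_regular_expression = "[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9A-F][0-9A-F][0-9A-F] (EVENT|PACKET) +"
  # Hour may be one or two digits, an optional A.M./P.M. marker follows the
  # time, and the thread id is any number of hex digits.
  log.format.autodetect_regular_expression = "[0-9]*[0-9]:[0-9][0-9]:[0-9][0-9]( [APap][.][Mm][.])? [0-9A-F]+ (EVENT|PACKET) +"
  log.format.autodetect_lines = "100"

  # Fields are extracted by the parsing filter below, not by a
  # parsing_regular_expression (parse_only_with_filters = "true"). The old
  # expression is kept for reference only.
  #log.format.parsing_regular_expression = "^([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\[(....) (....) ([^]]*)\\] (.*)$"

  # The date is split off by the parsing filter (see the date comment there),
  # so no date_format is set; only the time format is auto-detected.
  #log.format.date_format = "dd/mmm/yyyy"
  #log.format.date_format = "yyyymmdd"
  #log.format.date_format = "auto"
  log.format.time_format = "auto"
  log.format.parse_only_with_filters = "true"

  # Log fields collected per line. Apart from the timestamp, every value is
  # copied verbatim from what the DNS server logged about a client's query
  # (xid, type, opcode, flags, response code, question name, peer address),
  # i.e. it is data the querying client chose; nothing here validates it
  # beyond the parsing regular expression, so treat it as untrusted text
  # wherever it is displayed.
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
    } # time

    # Collected by the parsing filter but declared as an empty node here
    # (presumably so it is not reported; see database.fields — confirm).
    packet_id = ""

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
    } # protocol

    direction = {
      label = "$lang_stats.field_labels.direction"
      type = "flat"
    } # direction

    # Kept as a plain host field; the hierarchical settings were disabled
    # when remote_ip was flattened (see the 2009-06-01 change-history entry).
    remote_ip = {
      # label = "$lang_stats.field_labels.remote_ip"
      type = "host"
      # hierarchy_dividers = "."
      # left_to_right = false
      # leading_divider = "false"
    } # remote_ip

    xid = {
      label = "$lang_stats.field_labels.xid"
      type = "flat"
    } # xid

    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
    } # type

    opcode = {
      label = "$lang_stats.field_labels.opcode"
      type = "flat"
    } # opcode

    flags_hex = "" # not in database

    flags = {
      label = "$lang_stats.field_labels.flags"
      type = "flat"
    } # flags

    response_code = {
      label = "$lang_stats.field_labels.response_code"
      type = "flat"
    } # response_code

    question_name = {
      label = "$lang_stats.field_labels.question_name"
      type = "flat"
    } # question_name

  } # log.fields

  # Parsing filter. First splits off the leading date, accepting three
  # layouts: m/d/yyyy (or d/m/yyyy, resolved by the date_order_selector
  # snapon), yyyymmdd, and no date at all (today's date is substituted).
  # The remainder is then matched against the 2003/2008 layout (protocol
  # before direction, optional packet id) or, failing that, the 2000 layout
  # (direction before protocol). A flags column that is all spaces means
  # "no flags" and leaves the flags field unset.
  # NOTE(review): the two layout expressions escape the literal '[' and ']'
  # at different depths (four backslashes in the 2003/2008 branch, two in
  # the 2000 branch). They cannot both be the intended escaping for this
  # string form; verify each branch against a real log of that version.
  log.parsing_filters.parse = `
#if (matches_regular_expression(current_log_line(), '^([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\\\[(....) (....) ([^]]*)\\\\] (.*)$')) then (
v.line = current_log_line();
if (matches_regular_expression(v.line, '^([0-9]+/[0-9]+/[0-9]{4}) ([0-9]*[0-9]:.*)')) then (
  set_collected_field('', 'date', $1);
  v.line = $2;
);
# This is yyyyddmm not yyyymmdd, so auto can't be used, so split it up.
else if (matches_regular_expression(v.line, '^([0-9]{4})([0-9]{2})([0-9]{2}) ([0-9]*[0-9]:.*)')) then (
  set_collected_field('', 'date', $1 . '/' . $2 . '/' . $3);
  v.line = $4;
);
# Backward compatibility to format with no date
else if (matches_regular_expression(v.line, '^[0-9]*[0-9]:[0-9][0-9]:[0-9][0-9] ')) then (
  set_collected_field('', 'date', substr(epoc_to_date_time(now()), 0, 11));
);

#8/15/2011 10:26:04 AM 1268 PACKET 00000000042FC5A0 UDP Snd 10.1.222.222 20fc R Q [8085 A DR NOERROR] A (12)sewrac03_vip(4)wfsi(4)priv(0)
#20080528 09:45:48 1B0 PACKET UDP Snd 10.222.222.222 cdb5 R Q [8081 DR NOERROR] (2)80(2)27(2)24(3)216(7)in-addr(4)arpa(0)
#20080528 09:45:48 870 PACKET UDP Snd 10.222.222.223 04b6 R Q [8385 A DR NXDOMAIN] (16)1751-uv42604zrap(7)broward(3)k12(2)fl(2)us(0)
#20081110 13:15:53 3C0 PACKET 02A6DB90 UDP Rcv 192.111.111.110 8f9f R Q [0080 NOERROR] A (8)server01(10)mathmajors(3)com(0)
#if (matches_regular_expression(v.line, '([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +([0-9A-Fa-f]+)? *(Rcv|Snd) (TCP|UDP) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\[(....) (....) +([^]]*)\\] (.*)$')) then (
if (matches_regular_expression(v.line, '([0-9]*[0-9]:[0-9][0-9]:[0-9][0-9]( [APap][.][Mm][.])?) ([0-9A-Z]+) ([^ ]+) +([0-9A-Fa-f]+)? *(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\\\[(....) (....) +([^]]*)\\\\] (.*)$')) then (
  set_collected_field('', 'time', $1);
  set_collected_field('', 'packet_id', $5);
  set_collected_field('', 'protocol', $6);
  set_collected_field('', 'direction', $7);
  set_collected_field('', 'remote_ip', $8);
  set_collected_field('', 'xid', $9);
  set_collected_field('', 'type', $10);
  set_collected_field('', 'opcode', $11);
  set_collected_field('', 'flags_hex', $12);
  v.flags = $13;
  set_collected_field('', 'response_code', $14);
  set_collected_field('', 'question_name', $15);
  if (!matches_regular_expression(v.flags, '^ *$')) then (
    set_collected_field('', 'flags', v.flags);
  );
  accept_collected_entry('', false);
);
## Windows 2000 DNS logs
else if (matches_regular_expression(v.line, '([0-9]*[0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +([0-9A-Fa-f]+)? *(Rcv|Snd) (TCP|UDP) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\[(....) (....) +([^]]*)\\] (.*)$')) then (
  set_collected_field('', 'time', $1);
  set_collected_field('', 'packet_id', $4);
  set_collected_field('', 'direction', $5);
  set_collected_field('', 'protocol', $6);
  set_collected_field('', 'remote_ip', $7);
  set_collected_field('', 'xid', $8);
  set_collected_field('', 'type', $9);
  set_collected_field('', 'opcode', $10);
  set_collected_field('', 'flags_hex', $11);
  v.flags = $12;
  set_collected_field('', 'response_code', $13);
  set_collected_field('', 'question_name', $14);
  if (!matches_regular_expression(v.flags, '^ *$')) then (
    set_collected_field('', 'flags', v.flags);
  );
  accept_collected_entry('', false);
);
`

  # Log filters, applied to each accepted entry in order.
  # NOTE(review): the file previously assigned log.filters twice — once for
  # fix_question_name here and once for mark_entry after database.fields.
  # The two are merged into one node so that fix_question_name cannot be
  # lost to a parser that replaces, rather than merges, a reassigned node.
  log.filters = {

    # Rewrite the DNS wire form "(3)www(7)example(3)com(0)" as
    # "www.example.com": each pass of the loop turns one "(N)" length
    # marker into a dot, so the loop ends once no marker is left; a
    # leading or trailing dot is then stripped.
    fix_question_name = {
      label = "fix_question_name"
      comment = ""
      value = "
        # Convert (N) sections to dots for legibility
        while (matches_regular_expression(question_name, '^(.*)\\\\([0-9]+\\\\)(.*)$'))
          question_name = $1 . '.' . $2;
        if (starts_with(question_name, '.')) then
          question_name = substr(question_name, 1);
        if (ends_with(question_name, '.')) then
          question_name = substr(question_name, 0, length(question_name) - 1);
      "
    } # fix_question_name

    # Count every accepted entry as one lookup.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'lookups = 1;'
    } # mark_entry

  } # log.filters

  # Database fields. date_time, day_of_week and hour_of_day are derived from
  # the date and time log fields; the others map one-to-one onto the log
  # field named in log_field. domain_description and location presumably
  # derive from the host-type remote_ip log field — confirm.
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    # Disabled as a database field when remote_ip was flattened (see the
    # 2009-06-01 change-history entry); the definition is kept as a record.
    remote_ip = {
      # label = "$lang_stats.field_labels.remote_ip"
      # log_field = "remote_ip"
      # type = "string"
      # suppress_top = 0
      # suppress_bottom = 2
    } # remote_ip

    domain_description = {
      label = "$lang_stats.field_labels.domain_description"
      log_field = "domain_description"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain_description

    location = {
      label = "$lang_stats.field_labels.location"
      log_field = "location"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
    } # location

    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol

    # Empty node: packet_id is collected but not reported.
    packet_id = ""

    direction = {
      label = "$lang_stats.field_labels.direction"
      log_field = "direction"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # direction

    opcode = {
      label = "$lang_stats.field_labels.opcode"
      log_field = "opcode"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # opcode

    # Empty node: the raw hex flags are collected but not reported.
    flags_hex = ""

    flags = {
      label = "$lang_stats.field_labels.flags"
      log_field = "flags"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # flags

    response_code = {
      label = "$lang_stats.field_labels.response_code"
      log_field = "response_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # response_code

    question_name = {
      label = "$lang_stats.field_labels.question_name"
      log_field = "question_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # question_name

  } # database.fields

  database.numerical_fields = {

    # One per accepted entry (set by the mark_entry log filter).
    lookups = {
      label = "$lang_stats.field_labels.lookups"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # lookups

    # Distinct peer addresses seen. Off by default; when enabled it counts
    # unique values of the remote_ip log field. Changed from "client", which
    # no log field in this plugin defines.
    unique_remote_ips = {
      label = "$lang_stats.field_labels.unique_remote_ips"
      default = false
      requires_log_field = true
      log_field = "remote_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_remote_ips

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

    snapons = {

      # Attach date_order_selector, to prompt for the order of dates. Needed
      # because the slash-separated date in 2008-style logs can be either
      # mm/dd or dd/mm (see the 1.6 change-history entry).
      date_order_selector = {
        snapon = "date_order_selector"
        name = "date_order_selector"
        label = "$lang_admin.snapons.date_order_selector.label"
        parameters = {
          select_order = "mm/dd/yyyy"
        } # parameters
        parameters_form = {
          group_1 = {
            description = "$lang_admin.snapons.date_order_selector.parameters_form.group_1.description"
            parameters = {
              date_order = true
            } # parameters
          } # group 1
        } # parameters_form
      } # date_order_selector

      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports

    } # snapons

  } # create_profile_wizard_options

} # windows_2003_dns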