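# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Adiscon EventReporter v7 (Windows event log
# forwarded over syslog).  Only the Windows Security events whose codes are
# listed in the parsing filter below are recognised; each one is split into
# named fields using per-event "anchor" lists defined in
# log.filter_initialization.

eventreporter = {

  plugin_version = "1.0.1"

  info.1.manufacturer = "Adiscon"
  info.1.device = "EventReporter (v.7)"
  info.1.version.1 = "7"

  # 2006-03-36: 1.0beta: initial support. -DWG [ this line added by GMF ]
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy
  # 2010-11-03 - 1.0.1 - MSG - Edited info lines.
  # (unreleased) - review fixes: corrected the misspelled certificate_issuer_name
  #   log field; field names derived from anchors now also map '-' to '_' so
  #   'Pre-Authentication Type' lands in pre_authentication_type; added the two
  #   database fields (pre_authentication_type, supplied_realm_name) that the
  #   profile wizard's report_groups already referenced.

  # Supports Event Reporter version 7

  # The name of the log format
  log.format.format_label = "Event Reporter Logs (version 7)"
  # The syslog layer delivers the line in v.syslog_message; the parsing filter
  # below works on that.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular
  # expression.  It is deliberately loose (just the EventReporter tag), so the
  # parsing filter's stricter expression decides what is actually accepted.
  log.format.autodetect_regular_expression = " EvntSLog: "

  # Use parsing filters to extract data
  log.format.parse_only_with_filters = "true"
  log.format.allow_spaces_in_listed_field_values = "false"

  # Log fields.
  # Names must match what the parsing filter produces from the anchor text
  # (lowercased, ' ' and '-' replaced by '_'); a mismatch means the value is set
  # on an undeclared field.  Fields declared here but absent from
  # database.fields are collected and then discarded (e.g. logon_id, logon_guid,
  # result_code, transited_services, the caller_* and certificate_* fields);
  # add them to database.fields if they are needed for investigation.
  # NOTE(review): the parser also sets a 'date' field that is not declared here;
  # presumably the syslog layer supplies the entry's date/time and that value is
  # unused -- confirm before relying on it.
  log.fields = {
    source = ""
    severity = ""
    event_code = ""
    message = ""
    authentication_package = ""
    caller_domain = ""
    caller_logon_id = ""
    caller_process_id = ""
    caller_user_name = ""
    certificate_issuer_name = ""
    certificate_serial_number = ""
    certificate_thumbprint = ""
    client_address = ""
    domain = ""
    failure_code = ""
    logon_guid = ""
    logon_id = ""
    logon_process = ""
    logon_type = ""
    pre_authentication_type = ""
    result_code = ""
    service_id = ""
    service_name = ""
    source_network_address = ""
    source_port = ""
    supplied_realm_name = ""
    ticket_encryption_type = ""
    ticket_options = ""
    transited_services = ""
    user_domain = ""
    user_id = ""
    user_name = ""
    workstation_name = ""
  } # log.fields

  log.filter_initialization = `
    node token;
    string quoted_message;
    string varval;
    int i;
    string anchor_list;

    # Field-name 'anchors' for the quoted part of each supported event message,
    # one list per event code (v.e<code>.<n>).  Each list is in REVERSE order of
    # appearance in the log line: the parser cuts the message from the end and
    # backtracks, so a value that contains spaces ("field name: this is my
    # value") is recovered intact.  Ordering also matters where one anchor is a
    # suffix of another ('Caller User Name' must be removed before 'User Name'
    # is searched for).  The anchor text must match the log exactly, including
    # case; it is lowercased with ' ' and '-' turned into '_' to give the
    # log field the value is stored under.
    #
    # NOTE(review): values carry no delimiter and the parser takes the FIRST
    # occurrence of each anchor in what remains of the message.  A value that
    # itself contains a later anchor string (for instance a client-supplied
    # principal or realm name containing " Source Port: ") would shift the
    # split and leave the earlier fields empty.  Confirm against the event
    # source which values are caller-controlled before treating these fields
    # as authoritative in an investigation.

    v.e538.0 = 'Logon Type';
    v.e538.1 = 'Logon ID';
    v.e538.2 = 'Domain';
    v.e538.3 = 'User Name';

    v.e540.0 = 'Source Port';
    v.e540.1 = 'Source Network Address';
    v.e540.2 = 'Transited Services';
    v.e540.3 = 'Caller Process ID';
    v.e540.4 = 'Caller Logon ID';
    v.e540.5 = 'Caller Domain';
    v.e540.6 = 'Caller User Name';
    v.e540.7 = 'Logon GUID';
    v.e540.8 = 'Workstation Name';
    v.e540.9 = 'Authentication Package';
    v.e540.10 = 'Logon Process';
    v.e540.11 = 'Logon Type';
    v.e540.12 = 'Logon ID';
    v.e540.13 = 'Domain';
    v.e540.14 = 'User Name';

    v.e672.0 = 'Certificate Thumbprint';
    v.e672.1 = 'Certificate Serial Number';
    v.e672.2 = 'Certificate Issuer Name';
    v.e672.3 = 'Client Address';
    v.e672.4 = 'Pre-Authentication Type';
    v.e672.5 = 'Ticket Encryption Type';
    v.e672.6 = 'Result Code';
    v.e672.7 = 'Ticket Options';
    v.e672.8 = 'Service ID';
    v.e672.9 = 'Service Name';
    v.e672.10 = 'User ID';
    v.e672.11 = 'Supplied Realm Name';
    v.e672.12 = 'User Name';

    v.e673.0 = 'Transited Services';
    v.e673.1 = 'Logon GUID';
    v.e673.2 = 'Failure Code';
    v.e673.3 = 'Client Address';
    v.e673.4 = 'Ticket Encryption Type';
    v.e673.5 = 'Ticket Options';
    v.e673.6 = 'Service ID';
    v.e673.7 = 'Service Name';
    v.e673.8 = 'User Domain';
    v.e673.9 = 'User Name';

    v.e674.0 = 'Client Address';
    v.e674.1 = 'Ticket Encryption Type';
    v.e674.2 = 'Ticket Options';
    v.e674.3 = 'Service ID';
    v.e674.4 = 'Service Name';
    v.e674.5 = 'User Domain';
    v.e674.6 = 'User Name';

    v.e675.0 = 'Client Address';
    v.e675.1 = 'Failure Code';
    v.e675.2 = 'Pre-Authentication Type';
    v.e675.3 = 'Service Name';
    v.e675.4 = 'User ID';
    v.e675.5 = 'User Name';
  ` # log.filter_initialization

  #
  # Log Parsing Filters
  log.parsing_filters = {

    # Matches EventReporter lines carrying event codes 538|540|672|673|674|675.
    # The fixed prefix (source host, severity, date, category text, event code)
    # is taken with one regular expression; the quoted message is then split
    # from the end, anchor by anchor (see log.filter_initialization), so that
    # field values containing spaces are kept whole.
    #
    # NOTE(review): a line with any other event code does not match, nothing is
    # accepted for it, and no counter records the drop -- it vanishes silently.
    # Only the three-digit codes in the alternation are recognised; confirm that
    # the event source actually emits these codes and extend the alternation if
    # further security events (for example other logon-failure codes) must be
    # kept.
    parse = `
      if ( matches_regular_expression(v.syslog_message, '^EvntSLog: RealSource:"([^"]+)" [0-9]+: (\\\\[.*\\\\]) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([0-9]+): (.*) \\\\((538|540|672|673|674|675)\\\\) - "(.*)"') ) then (
        # Capture groups: 1 RealSource host, 2 bracketed severity, 3 weekday,
        # 4 month, 5 day, 6 time, 7 year, 8 category text, 9 event code,
        # 10 message body inside the quotes.
        set_collected_field('', 'source', $1);
        set_collected_field('', 'severity', $2);
        # day/month/year only; the time in group 6 is not used here.  With
        # log_data_type = "syslog_required" the syslog layer presumably supplies
        # the entry's date/time and this value is a fallback -- confirm.
        set_collected_field('', 'date', $5 . '/' . $4 . '/' . $7 );
        set_collected_field('', 'event_code', $9);
        quoted_message = $10;

        # Anchor list for this event code, e.g. v.e540.  A code that is in the
        # alternation above but has no list would yield no per-field values.
        anchor_list = "v.e" . $9;
        if ( node_exists(anchor_list) ) then (
          foreach token anchor_list (
            # First occurrence of " <Anchor>: " in what remains of the message;
            # -1 (not found) leaves the field unset.
            i = index( quoted_message, " " . node_value(token) . ": " );
            if (i >= 0) then (
              # Value = everything after "<Anchor>: " (anchor length + 3 for the
              # leading space, the colon and the following space).  The message
              # is then truncated to the text before the anchor, keeping the
              # leading space so the next (earlier) anchor can still match.
              varval = substr( quoted_message, i + length(node_value(token)) + 3 );
              quoted_message = substr( quoted_message, 0, i+1 );
              # Field name: lowercase the anchor and turn ' ' and '-' into '_'
              # ('Pre-Authentication Type' -> pre_authentication_type) so it
              # matches the names declared in log.fields.
              set_collected_field( "", replace_all( replace_all( lowercase(node_value(token)), " ", "_" ), "-", "_" ), varval )
            );
          );
          # Whatever precedes the first field anchor is kept as the free-text
          # message, with colons stripped.
          set_collected_field('', 'message', replace_all(quoted_message, ":", "") );
        );
        # Second argument is false as in the original; its meaning is not
        # documented in this plugin.
        accept_collected_entry( '', false);
      );
    ` #parse

  } # log.parsing_filters

  # Database fields.
  # Only these survive into the profile database; everything else collected by
  # the parser is discarded.  pre_authentication_type and supplied_realm_name
  # are included because the report wizard below groups on them.
  database.fields = {
    source = ""
    severity = ""
    event_code = ""
    message = ""
    authentication_package = ""
    client_address = ""
    domain = ""
    failure_code = {
      label = "$lang_stats.field_labels.fail_reason"
    }
    logon_process = ""
    logon_type = ""
    pre_authentication_type = ""
    service_id = ""
    service_name = ""
    source_network_address = ""
    source_port = ""
    supplied_realm_name = ""
    ticket_encryption_type = ""
    ticket_options = ""
    user_domain = ""
    user_id = ""
    user_name = ""
    workstation_name = ""
  } # database.fields

  database.numerical_fields = {
    # One count per accepted event (set by the mark_entry log filter).
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

    # Disabled filter kept for reference: rewrites the parentheses around a
    # logon ID as square brackets.  logon_id is not a database field, so it
    # would only matter if that field were added above.
    # convert_logon_id = {
    #   label = "Convert Logon ID"
    #   comment = ""
    #   value = "logon_id = replace_all(replace_all(logon_id, '(', '['), ')', ']')"
    # } # convert_logon_id
  } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu.  Every name here
    # must be a database field.
    report_groups = {
      date_time_group = ""
      source = true
      severity = true
      event_code = true
      message = true
      authentication_package = true
      client_address = true
      domain = true
      failure_code = true
      logon_process = true
      logon_type = true
      pre_authentication_type = true
      service_id = true
      service_name = true
      source_network_address = true
      source_port = true
      supplied_realm_name = true
      ticket_encryption_type = true
      ticket_options = true
      user_domain = true
      user_id = true
      user_name = true
      workstation_name = true
    } # report_groups

  } # create_profile_wizard_options

} # eventreporter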