# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Netgear FVL328 firewall when its log is
# forwarded to a syslog server ("syslog_required": the syslog layer strips the
# transport header and hands the message body to this plugin as v.syslog_message).
# The parsing filter below maps the device's free-text messages onto the
# type/action/source/destination/rule fields declared in log.fields.

netgear_fvl328_syslog_required = {

  plugin_version = "1.0.1"

  # 2006/August/11: 1.0.0beta: initial creation - KBB
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy
  # 2011-07-07 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "Netgear"
  info.1.device = "FVL328 (logging to syslog)"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Netgear FVL328 Log Format (logging to syslog)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It keys on the "(FVL328-...)" device tag followed by a "Source:ip,port[svc] ,net - Destination:"
  # packet line, i.e. autodetection only fires on packet-filter messages, not on admin/DHCP ones.
  log.format.autodetect_regular_expression = '\\(FVL328-.*- Source:[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+,[0-9]+\\[[^]]*\\] ,[^-]* - Destination:'
  #)   <- apparently kept to balance the "\\(" above for paren-matching editors

  # User parsing filters to extract data from lines
  log.format.parse_only_with_filters = "true"

  # Log fields.  Every value is copied verbatim out of the device message by the
  # parsing filter; nothing is normalised except the DHCP "ip address" (see below).
  log.fields = {
    type = ""
    action = ""
    source_ip.type = host   # typed as a host so Sawmill can resolve/aggregate it
    source_port = ""
    source_network = ""
    host_mac_address = ""
    destination_ip = ""
    destination_url = ""
    destination_port = ""
    destination_network = ""
    rule = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `

# lines without the word "packet" are login attempts, blocked accesses, admin activities, etc
# "packets" is a numerical field (see database.numerical_fields); it is set here for any
# message that contains "packet"/"Packet", regardless of which branch below parses it.
if (matches_regular_expression(v.syslog_message, '[pP]acket')) then (
  set_collected_field('', 'packets', 1);
);

# Main branch: messages carrying the device's own "YYYY Mon DD HH:MM:SS (FVL328-xx-xx-xx) <ip>"
# prefix.  The date/time fields are taken from this embedded device clock, NOT from the syslog
# receive timestamp (the two differ by about two hours in the sample lines below).
# v.line receives everything after the device IP.
if (matches_regular_expression(v.syslog_message, '([0-9]{4} [A-Z][a-z][a-z] [0-9 ]?[0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) \\\\([A-Za-z0-9-]+\\\\) [0-9.]+ (.*)$')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.line = $3;

  # Sample packet-filter / access-control lines (syslog header first, then the device's own prefix):
  #Jul 17 00:00:03 192.168.99.99 2006 Jul 17 02:10:28 (FVL328-2b-b6-a0) 99.99.99.91 UDP Packet - Source:99.99.99.99,53[DNS] ,WAN - Destination:99.99.99.92,32768 ,LAN [Drop] - [Inbound Default rule match]
  #Aug 4 06:26:32 robby 2005 Aug 04 05:27:22 (FVL328-1a-a8-12) 99.99.99.99 TCP Packet - Source:99.99.99.91,1547 ,WAN - Destination:99.99.99.92,6881 ,LAN [Drop] - [Inbound Default rule match]
  #Jul 17 00:48:00 192.168.99.99 2006 Jul 17 02:58:25 (FVL328-2b-b6-a0) 99.99.99.91 UDP Packet - Source:99.99.99.92,500 ,WAN - Destination:99.99.99.93,500 ,LAN [Forward] - [Inbound rule match]
  #Jul 17 00:44:25 192.168.99.99 2006 Jul 17 02:54:51 (FVL328-2b-b6-a0) 99.99.99.91 TCP Packet - Source:99.99.99.92,6000 ,WAN - Destination:99.99.99.93,8080 ,LAN [Forward] - [Inbound rule match]
  #Jul 17 08:20:13 192.168.99.99 2006 Jul 17 10:30:42 (FVL328-2b-b6-a0) 99.99.99.99 IP Packet [Type Field:47] - Source:192.168.199.99 -Destination:99.99.99.91 - [Drop]
  #Jul 17 07:11:26 192.168.99.99 2006 Jul 17 09:21:52 (FVL328-2b-b6-a0) 99.99.99.99 Attempt to access blocked site - Source:192.168.199.99,LAN - Destination:www.wee-mee.com/messengertab/en-,WAN - [Block]
  #Jul 17 07:11:28 192.168.99.99 2006 Jul 17 09:21:59 (FVL328-2b-b6-a0) 99.99.99.99 Access site - Source:192.168.199.99,LAN - Destination:alerts.national-lottery.co.uk,WAN - [Forward]
  #Jul 18 13:13:24 192.168.99.99 2006 Jul 18 15:24:16 (FVL328-2b-b6-a0) 99.99.99.99 TCP Packet - Source:99.99.99.91,20[FTP Data] ,WAN - Destination:99.99.99.92,2201 ,LAN [Forward] - [Inbound rule match]
  #Aug 4 14:40:22 robby 2005 Aug 04 13:41:14 (FVL328-1a-a8-12) 125.125.125.125 Administrator Interface Connecting[TCP] - Source:123.123.123.123,6000 - Destination:124.124.124.124,3389 - [Drop]

  # Generic "<type> - Source:<src> - Destination:<dst> - [<rule>]" shape.  Note the optional
  # space in "- ?Destination:" for the "IP Packet" sample, and that the trailing "[...]" is
  # captured as v.rule whether the device put a rule name or an action there.
  if (matches_regular_expression(v.line, '([^-]*) - Source:(.*) - ?Destination:(.*) - \\\\[([^]]+)\\\\]')) then (
    set_collected_field('', 'type', $1);
    v.src_info = $2;
    v.dest_info = $3;
    v.rule = $4;
    v.dest = "";
    v.action = "";

    # Source variants, tried in order: "ip,port[svc] ,net" / "ip,port" / "ip,net" / "ip".
    # Only the last alternative is anchored, so ordering is what keeps the looser patterns
    # from stealing a match from the stricter ones.
    if (matches_regular_expression(v.src_info, '([0-9\\\\.]+),([^,]*[^ ,])( ,|,)([^ ,]+)')) then (
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'source_port', $2);
      set_collected_field('', 'source_network', $4);
    );
    else if (matches_regular_expression(v.src_info, '([0-9\\\\.]+),([0-9][^ ,]+)')) then (
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'source_port', $2);
    );
    else if (matches_regular_expression(v.src_info, '([0-9\\\\.]+),([^ ,]+)')) then (
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'source_network', $2);
    );
    else if (matches_regular_expression(v.src_info, '^([^ ,]+)$')) then (
      set_collected_field('', 'source_ip', $1);
    );

    # Destination variants, same idea.  The first form also captures whatever follows the
    # network name (e.g. " [Drop]") into v.action so the bracketed action can be split off.
    if (matches_regular_expression(v.dest_info, '([^,]+),([^ ,]+)( ,|,)([^ ,]+)(.*)')) then (
      v.dest = $1;
      set_collected_field('', 'destination_port', $2);
      set_collected_field('', 'destination_network', $4);
      v.action = $5;
      if (matches_regular_expression(v.action, ' \\\\[([^]]+)\\\\]')) then (
        set_collected_field('', 'action', $1);
      );
    );
    else if (matches_regular_expression(v.dest_info, '([^,]+),([0-9][^ ,]+)')) then (
      v.dest = $1;
      set_collected_field('', 'destination_port', $2);
    );
    else if (matches_regular_expression(v.dest_info, '([^,]+),([^ ]+)')) then (
      v.dest = $1;
      set_collected_field('', 'destination_network', $2);
    );
    else if (matches_regular_expression(v.dest_info, '^([^ ,]+)$')) then (
      v.dest = $1;
    );

    # A purely dotted-numeric destination is an IP; anything else (hostnames, URL paths from
    # the "Access site"/"blocked site" messages) goes to destination_url untouched.
    if (matches_regular_expression(v.dest, '^([0-9\\\\.]+)$')) then (
      set_collected_field('', 'destination_ip', v.dest);
    );
    else (
      set_collected_field('', 'destination_url', v.dest);
    );

    # When the trailing bracket held an action word and no action was found earlier, report it
    # as the action; otherwise it is the rule name ("Inbound Default rule match", ...).
    if (matches_regular_expression(v.rule, '(Forward|Drop|Receive|Block)') and (v.action eq "")) then (
      set_collected_field('', 'action', v.rule);
    );
    else (
      set_collected_field('', 'rule', v.rule);
    );
  );

  # DHCP lease traffic.  The device writes the address with colons; it is rewritten to dotted form.
  #Jul 17 02:02:46 192.168.99.99 2006 Jul 17 04:13:13 (FVL328-2b-b6-a0) 99.99.99.99 Receive DHCP request packet, request: ip address: 192:168:100:213 , host address: 00:d0:b7:66:0a:1a
  #Jul 17 02:02:49 192.168.99.99 2006 Jul 17 04:13:13 (FVL328-2b-b6-a0) 99.99.99.99 Send DHCP ACK packet acked: ip address: 192:168:100:213 , host address: 00:d0:b7:66:0a:1a
  else if (matches_regular_expression(v.line, '((Send|Receive) [^:]+): ip address: ([0-9:]+) , host address: ([0-9a-f:]+)')) then (
    set_collected_field('', 'type', $1);
    set_collected_field('', 'source_ip', replace_all($3, ':', '.'));
    set_collected_field('', 'host_mac_address', $4);
  );

  # Administrator login / logout events.  "type" carries the whole message text up to " - IP:"
  # (e.g. "Administrator login fail, Password error") and source_ip is the client address,
  # so failed admin logins can be reported per source host.
  #Jul 17 12:38:37 192.168.99.99 2006 Jul 17 14:49:06 (FVL328-2b-b6-a0) 99.99.99.99 Administrator login fail, Password error - IP:192.168.199.99
  #Jul 17 12:39:38 192.168.99.99 2006 Jul 17 14:50:02 (FVL328-2b-b6-a0) 99.99.99.99 Administrator login successful - IP:192.168.199.99
  #Jul 17 12:45:47 192.168.99.99 2006 Jul 17 14:56:12 (FVL328-2b-b6-a0) 99.99.99.99 Login screen timed out - IP:192.168.199.99
  # NOTE(review): this is the only pattern written with a single backslash ("[0-9\.]"); the
  # others use "\\\\." for the same purpose.  Inside a character class both read as a literal
  # dot, so the behaviour should be the same - verify if the pattern is ever edited.
  else if (matches_regular_expression(v.line, '(Administrator log[^-]+|Log[^-]+) - IP:([0-9\.]+)')) then (
    set_collected_field('', 'type', $1);
    set_collected_field('', 'source_ip', $2);
  );

  # Configuration changes made through the admin interface; the description becomes "action".
  #Jul 19 22:04:12 192.168.99.99 2006 Jul 20 00:15:24 (FVL328-2b-b6-a0) 99.99.99.99 Administrator Action - Inbound Policy to Service [HTTP] is changed to Disable
  else if (matches_regular_expression(v.line, '(Administrator Action) - ([^-]+)')) then (
    set_collected_field('', 'type', $1);
    set_collected_field('', 'action', $2);
  );

  # Every line with the device prefix is accepted, even if none of the inner patterns matched
  # (it then contributes only date/time and the packets/events counters).
  accept_collected_entry('', false);
);

# the two remaining expressions were in netgear_security_syslog_required.cfg and match examples on
# netgear website for fvl328, though possibly not for syslog - we have no sample data to test them
# so I have left them as they were as a fail safe - modified only to accept different protocols - KBB
#else if (matches_regular_expression(v.syslog_message, '(TCP Packet) - Source:([0-9.]+),([^ ]+) Destination:([0-9.]+),([^ ]+) - \\\\[([^]]+)\\\\]')) then (
else if (matches_regular_expression(v.syslog_message, '([A-Z]+ Packet) - Source:([0-9.]+),([^ ]+) Destination:([0-9.]+),([^ ]+) - \\\\[([^]]+)\\\\]')) then (
  set_collected_field('', 'type', $1);
  set_collected_field('', 'source_ip', $2);
  set_collected_field('', 'source_port', $3);
  set_collected_field('', 'destination_ip', $4);
  set_collected_field('', 'destination_port', $5);
  set_collected_field('', 'rule', $6);
  accept_collected_entry('', false);
);

# These examples from NetGear document http://www.netgearinc.co.jp/support/pdf/fvl328_manual.pdf
#Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN - Destination:134.177.0.11,21,LAN - [Inbound Default rule match]
#Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN - Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]
#Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN - Destination:134.177.0.11,0,LAN - [Inbound Default rule match]
#else if (matches_regular_expression(v.syslog_message, '(TCP Packet|TCP packet dropped) - Source:([0-9.]+),([^ ]+) ([^ ]+) - Destination:([0-9.]+),([^ ]+) ([^ ]+) - \\\\[([^]]+)\\\\]')) then (
# NOTE(review): the pattern below expects a space between port and network ("4787 WAN"),
# while the manual's samples above have a comma ("4787,WAN"), so as written it does not
# appear to match those samples.  Untested fallback per the note above; left as-is.
else if (matches_regular_expression(v.syslog_message, '([A-Z]+ Packet|[A-Z]+ packet dropped) - Source:([0-9.]+),([^ ]+) ([^ ]+) - Destination:([0-9.]+),([^ ]+) ([^ ]+) - \\\\[([^]]+)\\\\]')) then (
  set_collected_field('', 'type', $1);
  set_collected_field('', 'source_ip', $2);
  set_collected_field('', 'source_port', $3);
  set_collected_field('', 'source_network', $4);
  set_collected_field('', 'destination_ip', $5);
  set_collected_field('', 'destination_port', $6);
  set_collected_field('', 'destination_network', $7);
  set_collected_field('', 'rule', $8);
  accept_collected_entry('', false);
);
`

  # Database fields - one per log field above, stored under the same names.
  database.fields = {
    type = ""
    action = ""
    source_ip = ""
    source_port = ""
    source_network = ""
    host_mac_address = ""
    destination_ip = ""
    destination_url = ""
    destination_port = ""
    destination_network = ""
    rule = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Marks every accepted entry as one event (the "events" counter below).
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    # events: one per accepted line (set by mark_entry); this is the entries field.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # packets: set to 1 by the parsing filter for lines containing "packet"/"Packet".
    packets = {
      default = true
      requires_log_field = false
    } # packets
    # visitors: number of distinct source_ip values.
    visitors = {
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
    } # visitors
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # netgear_fvl328_syslog_required