# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Sharetech / Abocom firewall syslog output.
# Everything is keyed under the plugin name; log.parsing_filters.parse is a
# Salang snippet that is evaluated against each syslog message (v.syslog_message).
sharetech_firewall = {

  plugin_version = "1.0.4"

  info.1.manufacturer = "Sharetech / Abocom"
  info.1.device = "Firewall"
  info.1.version.1 = "Sharetech LB-2215"
  info.1.version.2 = "Sharetech LB 2240"
  info.1.version.3 = "Abocom MH350"

  # 2006-09-11 - GMF - 1.0beta - Initial implementation.
  # 2006-09-28 - GMF - 1.0.1beta - Added support for variant where "kernel" is truncated to "rnel".
  # 2006-10-04 - GMF - 1.0.2beta - Fixed timestamp issue
  # 2007-09-14 - 1.0.2 - KBB - renumbered per new beta policy
  # 2010-05-05 - 1.0.3 - Benson - Fixed not able to parse any log lines, no longer "rnel" supported because that's a bug of syslogd.
  # 2010-05-13 - 1.0.4 - Benson - Add support for log lines have double space. (that may be a bug of the device)

  # The name of the log format
  log.format.format_label = "Sharetech/Abocom Firewall Log Format"

  # The parsing filter reads v.syslog_message, so the syslog envelope must be present.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # e.g. 2006-09-11 10:27:01 Kernel.Notice 10.10.100.254 kernel: '020831272459 ACCEPT LOG ' SRC=10.10.100.51 DST=208.46.11.26 PROTO=TCP SPT=1142 DPT=1863 LEN=40 WAN=2 DIR=out MARK=201b24315f7e1 (Mon Sep 11 10:27:02 2006)
  # Autodetection keys on "kernel: '" followed by a 12-digit identifier and two
  # upper-case words (e.g. "ACCEPT LOG"). The 'Firewall ACCEPT LOG ' variant that the
  # second parsing branch below handles does not match this expression, so files
  # containing only that variant are not autodetected by it.
  log.format.autodetect_regular_expression = "(kernel): '[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] [A-Z]+ [A-Z]+ '"

  # Log fields
  # These are the KEY=VALUE names the parsing filter is expected to fill via
  # collect_listed_fields() (SRC=, DST=, PROTO=, ...). Only `src` is typed, as a host.
  # NOTE(review): TYPE= (seen on the ICMP sample line below) has no entry here, so it
  # presumably is not retained — confirm against collect_listed_fields semantics.
  log.fields = {
    action = ""
    src.type = "host"
    dst = ""
    proto = ""
    spt = ""
    dpt = ""
    len = ""
    wan = ""
    dir = ""
    mark = ""
  } # log.fields

  log.parsing_filters.parse = `
    # kernel: '090117120951 ACCEPT LOG ' SRC=218.172.127.59 DST=172.16.36.5 PROTO=TCP SPT=1037 DPT=3389 LEN=40 WAN=1 DIR=in MARK=101b24971ca8f (Thu Nov 12 17:00:01 2009)
    # Variant 1: the trailing timestamp carries a weekday, which is matched but not captured.
    # $1 = action, $2 = the KEY=VALUE run, $3 = month, $4 = day, $5 = time, $6 = year.
    if (matches_regular_expression(v.syslog_message, "([A-Z]+) LOG ' (.*) [(][A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9]+) ([0-9:]+) ([0-9]+)[)]")) then (
      set_collected_field('', 'action', $1);
      # Assembled as day/month/year from the trailing "(Mon Sep 11 10:27:02 2006)".
      set_collected_field('', 'date', $4 . '/' . $3 . '/' . $6);
      set_collected_field('', 'time', $5);
      # $2 is an unconstrained capture: every space-separated KEY=VALUE token in it is
      # handed to collect_listed_fields as-is; the regex validates only the action word
      # and the timestamp, not the individual values.
      collect_listed_fields('', $2, ' ', '=', '');
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
    # kernel: 'Firewall ACCEPT LOG ' SRC=172.16.33.199 DST=172.16.36.240 PROTO=TCP SPT=54002 DPT=443 LEN=48 (Nov 12 16:00:45 2009)
    # kernel: 'Firewall DROP LOG ' SRC=63.240.21.173 DST=60.249.250.66 PROTO=ICMP TYPE=8 LEN=64 (Nov 12 16:02:25 2009)
    # Variant 2: no weekday in the timestamp, and LEN= is the last KEY=VALUE before it.
    # LEN is captured on its own ($3) and set explicitly; the preceding run ($2) still
    # goes through collect_listed_fields. $4 = month, $5 = day, $6 = time, $7 = year.
    else if (matches_regular_expression(v.syslog_message, "([A-Z]+) LOG ' (.*) LEN=([0-9]+) [(]([A-Z][a-z][a-z]) ([0-9]+) ([0-9:]+) ([0-9]+)[)]")) then (
      set_collected_field('', 'action', $1);
      # Same day/month/year assembly as variant 1, with the groups shifted by one.
      set_collected_field('', 'date', $5 . '/' . $4 . '/' . $7);
      set_collected_field('', 'time', $6);
      set_collected_field('', 'len', $3);
      collect_listed_fields('', $2, ' ', '=', '');
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
  `

  # Database fields
  # Mirrors log.fields plus `location`, which has no log field of its own here —
  # presumably derived from the host-typed `src` field; verify against the
  # Sawmill field documentation.
  database.fields = {
    action = ""
    src = ""
    location = ""
    dst = ""
    proto = ""
    spt = ""
    dpt = ""
    len = ""
    wan = ""
    dir = ""
    mark = ""
  } # database.fields

  database.numerical_fields = {
    # One per accepted entry; the filter sets 'events' to 1 on every accepted line.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # Packet length from LEN=, summed as a 64-bit integer and shown as bandwidth.
    len = {
      default = true
      log_field = "len"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # len
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    # Left empty in this plugin.
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # sharetech_firewall