# Sawmill log-format plugin for Stonegate firewall records: each record is a line of
# comma-separated, double-quoted columns, delivered inside a syslog message.
# Every column is listed four times below — parsed in log.fields, named in the
# log.parsing_filters regexp, stored in database.fields and offered in
# create_profile_wizard_options.report_groups — so keep the four lists in step when
# a column is added, removed or renamed.
stonegate = {

  # The name of the log format
  log.format.format_label = "Stonegate Log Format"
  # The record is expected to arrive wrapped in a syslog header. No date/time field is
  # parsed from the record itself (its leading timestamp is captured as "dummy" in
  # parsing filter 1), so the event time presumably comes from the syslog header —
  # TODO confirm against the Sawmill syslog_required handling
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression:
  # a quoted d.m.yyyy h:mm:ss-style timestamp, a quoted integer (log_id) and a quoted
  # dotted quad (node_id). Only these three leading columns are checked here; the full
  # column layout is only enforced by the parsing regexp in filter 1 below.
  log.format.autodetect_regular_expression = "\"[0-9]+\\.[0-9]+\\.[0-9][0-9][0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9]\",\"[0-9]+\",\"[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\""

  # Log fields
  # One entry per quoted column, in record order. All are type "flat" except
  # source_ip (type "host"; it is also the key for the "visitors" counter below) and
  # bytes_received (type "size"; it feeds the bandwidth counter below).
  log.fields = {
    log_id = {
      label = "$lang_stats.field_labels.log_id"
      type = "flat"
      index = 0
      subindex = 0
    } # log_id
    node_id = {
      label = "$lang_stats.field_labels.node_id"
      type = "flat"
      index = 0
      subindex = 0
    } # node_id
    facility = {
      label = "$lang_stats.field_labels.facility"
      type = "flat"
      index = 0
      subindex = 0
    } # facility
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type
    event = {
      label = "$lang_stats.field_labels.event"
      type = "flat"
      index = 0
      subindex = 0
    } # event
    action = {
      label = "$lang_stats.field_labels.action"
      type = "flat"
      index = 0
      subindex = 0
    } # action
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    # The only "host"-typed field; destination_ip below is kept "flat".
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # source_ip
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_ip
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port
    rule_id = {
      label = "$lang_stats.field_labels.rule_id"
      type = "flat"
      index = 0
      subindex = 0
    } # rule_id
    nat_source_ip = {
      label = "$lang_stats.field_labels.nat_source_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # nat_source_ip
    nat_destination_ip = {
      label = "$lang_stats.field_labels.nat_destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # nat_destination_ip
    nat_source_port = {
      label = "$lang_stats.field_labels.nat_source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # nat_source_port
    nat_destination_port = {
      label = "$lang_stats.field_labels.nat_destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # nat_destination_port
    flags = {
      label = "$lang_stats.field_labels.flags"
      type = "flat"
      index = 0
      subindex = 0
    } # flags
    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # source_interface
    protocol_agent = {
      label = "$lang_stats.field_labels.protocol_agent"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol_agent
    alert_name = {
      label = "$lang_stats.field_labels.alert_name"
      type = "flat"
      index = 0
      subindex = 0
    } # alert_name
    syslog_message = {
      label = "$lang_stats.field_labels.syslog_message"
      type = "flat"
      index = 0
      subindex = 0
    } # syslog_message
    icmp_type = {
      label = "$lang_stats.field_labels.icmp_type"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_type
    icmp_code = {
      label = "$lang_stats.field_labels.icmp_code"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_code
    icmp_id = {
      label = "$lang_stats.field_labels.icmp_id"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_id
    ipsec_spi = {
      label = "$lang_stats.field_labels.ipsec_spi"
      type = "flat"
      index = 0
      subindex = 0
    } # ipsec_spi
    rtt = {
      label = "$lang_stats.field_labels.rtt"
      type = "flat"
      index = 0
      subindex = 0
    } # rtt
    # time_elapsed and bytes_transferred are parsed but have no database.fields entry
    # and no report group below, so their values are not stored.
    time_elapsed = {
      label = "$lang_stats.field_labels.time_elapsed"
      type = "flat"
      index = 0
      subindex = 0
    } # time_elapsed
    bytes_transferred = {
      label = "$lang_stats.field_labels.bytes_transferred"
      type = "flat"
      index = 0
      subindex = 0
    } # bytes_transferred
    bytes_received = {
      label = "$lang_stats.field_labels.bytes_received"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # bytes_received
    authenticated_name = {
      label = "$lang_stats.field_labels.authenticated_name"
      type = "flat"
      index = 0
      subindex = 0
    } # authenticated_name
    source_vlan = {
      label = "$lang_stats.field_labels.source_vlan"
      type = "flat"
      index = 0
      subindex = 0
    } # source_vlan
    destination_vlan = {
      label = "$lang_stats.field_labels.destination_vlan"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_vlan
    firewall_engine_id = {
      label = "$lang_stats.field_labels.firewall_engine_id"
      type = "flat"
      index = 0
      subindex = 0
    } # firewall_engine_id
    info_message = {
      label = "$lang_stats.field_labels.info_message"
      type = "flat"
      index = 0
      subindex = 0
    } # info_message
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters = {
    # Parse out the fields: one ([^\"]*) capture per quoted column, assigned by position
    # to the names in the second argument. The leading () is the *KEY* group and
    # "dummy" swallows the record's own timestamp column. The number of captures and
    # the name list (35 names after *KEY*) must stay in step when the layout changes.
    1 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('()\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\",\"([^\"]*)\"', '*KEY*,dummy,log_id,node_id,facility,type,event,action,protocol,source_ip,destination_ip,source_port,destination_port,rule_id,nat_source_ip,nat_destination_ip,nat_source_port,nat_destination_port,flags,source_interface,protocol_agent,alert_name,syslog_message,icmp_type,icmp_code,icmp_id,ipsec_spi,rtt,time_elapsed,bytes_transferred,bytes_received,authenticated_name,source_vlan,destination_vlan,firewall_engine_id,info_message')"
    } # 1
    # Accept this line: the empty regexp '()' matches every collected entry, so no
    # entry is rejected at this stage.
    2 = {
      label = "2"
      comment = ""
      value = "accept_collected_entry_using_regexp('()', false)"
    } # 2
  } # log.parsing_filters

  # Database fields
  # One stored string column per parsed field, except time_elapsed and
  # bytes_transferred (not stored) and bytes_received (stored as a numerical field
  # below instead). suppress_top/suppress_bottom are identical for every field.
  # alert_name, syslog_message and info_message are free text copied verbatim from the
  # log line; treat their contents as untrusted log-supplied data wherever they are
  # rendered or exported — TODO confirm Sawmill escapes string fields in reports.
  database.fields = {
    log_id = {
      label = "$lang_stats.field_labels.log_id"
      log_field = "log_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # log_id
    node_id = {
      label = "$lang_stats.field_labels.node_id"
      log_field = "node_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # node_id
    facility = {
      label = "$lang_stats.field_labels.facility"
      log_field = "facility"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # facility
    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type
    event = {
      label = "$lang_stats.field_labels.event"
      log_field = "event"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event
    action = {
      label = "$lang_stats.field_labels.action"
      log_field = "action"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # action
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port
    rule_id = {
      label = "$lang_stats.field_labels.rule_id"
      log_field = "rule_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule_id
    nat_source_ip = {
      label = "$lang_stats.field_labels.nat_source_ip"
      log_field = "nat_source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # nat_source_ip
    nat_destination_ip = {
      label = "$lang_stats.field_labels.nat_destination_ip"
      log_field = "nat_destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # nat_destination_ip
    nat_source_port = {
      label = "$lang_stats.field_labels.nat_source_port"
      log_field = "nat_source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # nat_source_port
    nat_destination_port = {
      label = "$lang_stats.field_labels.nat_destination_port"
      log_field = "nat_destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # nat_destination_port
    flags = {
      label = "$lang_stats.field_labels.flags"
      log_field = "flags"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # flags
    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      log_field = "source_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_interface
    protocol_agent = {
      label = "$lang_stats.field_labels.protocol_agent"
      log_field = "protocol_agent"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol_agent
    alert_name = {
      label = "$lang_stats.field_labels.alert_name"
      log_field = "alert_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # alert_name
    syslog_message = {
      label = "$lang_stats.field_labels.syslog_message"
      log_field = "syslog_message"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # syslog_message
    icmp_type = {
      label = "$lang_stats.field_labels.icmp_type"
      log_field = "icmp_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # icmp_type
    icmp_code = {
      label = "$lang_stats.field_labels.icmp_code"
      log_field = "icmp_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # icmp_code
    icmp_id = {
      label = "$lang_stats.field_labels.icmp_id"
      log_field = "icmp_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # icmp_id
    ipsec_spi = {
      label = "$lang_stats.field_labels.ipsec_spi"
      log_field = "ipsec_spi"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ipsec_spi
    rtt = {
      label = "$lang_stats.field_labels.rtt"
      log_field = "rtt"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rtt
    authenticated_name = {
      label = "$lang_stats.field_labels.authenticated_name"
      log_field = "authenticated_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # authenticated_name
    source_vlan = {
      label = "$lang_stats.field_labels.source_vlan"
      log_field = "source_vlan"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_vlan
    destination_vlan = {
      label = "$lang_stats.field_labels.destination_vlan"
      log_field = "destination_vlan"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_vlan
    firewall_engine_id = {
      label = "$lang_stats.field_labels.firewall_engine_id"
      log_field = "firewall_engine_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # firewall_engine_id
    info_message = {
      label = "$lang_stats.field_labels.info_message"
      log_field = "info_message"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # info_message
  } # database.fields

  # Log Filters
  log.filters = {
    # Count every accepted entry as one hit
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields: hits is the per-entry counter set by mark_entry,
  # visitors counts distinct source_ip values, bytes_received aggregates the
  # bytes_received column and is displayed as bandwidth.
  database.numerical_fields = {
    hits = {
      label = "$lang_stats.field_labels.hits"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # hits
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    bytes_received = {
      label = "$lang_stats.field_labels.bytes_received"
      default = false
      requires_log_field = true
      log_field = "bytes_received"
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_received
  } # database.numerical_fields

  create_profile_wizard_options = {
    host_tracking = true
    # How the reports should be grouped in the report menu
    # (one entry per stored string field; date_time_group is left empty, as no
    # date/time field is parsed from the record)
    report_groups = {
      date_time_group = ""
      log_id = true
      node_id = true
      facility = true
      type = true
      event = true
      action = true
      protocol = true
      source_ip = true
      destination_ip = true
      source_port = true
      destination_port = true
      rule_id = true
      nat_source_ip = true
      nat_destination_ip = true
      nat_source_port = true
      nat_destination_port = true
      flags = true
      source_interface = true
      protocol_agent = true
      alert_name = true
      syslog_message = true
      icmp_type = true
      icmp_code = true
      icmp_id = true
      ipsec_spi = true
      rtt = true
      authenticated_name = true
      source_vlan = true
      destination_vlan = true
      firewall_engine_id = true
      info_message = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-style report types that do not apply to firewall logs — presumably hidden
  # for profiles built from this format; verify against the Sawmill plugin docs
  not_supported = {
    sessionpages = true
    pageviews = true
  } # not_supported

} # stonegate