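net_screen = {

  # The name of the log format
  log.format.format_label = "NetScreen Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The leading space keeps the match on the literal " NetScreen device_id=" token rather
  # than on a substring of some other word.
  log.format.autodetect_regular_expression = " NetScreen device_id="

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # an entry in this log is an event
  statistics.miscellaneous.entry_name = "events"

  # Log fields
  # Every field carries index = 0 / subindex = 0. Since parse_only_with_filters is "true",
  # values are assigned by the parsing filter below via set_collected_field /
  # collect_listed_fields, so these positional indexes presumably are not used -- confirm.
  # NOTE(review): 'direction' and 'interface' are declared here but have no
  # database.fields entry, so they are parsed and then dropped.
  log.fields = {
    device_id = {
      label = "$lang_stats.field_labels.device_id"
      type = "flat"
      index = 0
      subindex = 0
    } # device_id
    security_level = {
      label = "$lang_stats.field_labels.security_level"
      type = "flat"
      index = 0
      subindex = 0
    } # security_level
    message = {
      label = "$lang_stats.field_labels.message"
      type = "flat"
      index = 0
      subindex = 0
    } # message
    start_time = {
      label = "$lang_stats.field_labels.start_time"
      type = "flat"
      index = 0
      subindex = 0
    } # start_time
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "flat"
      index = 0
      subindex = 0
    } # duration
    policy_id = {
      label = "$lang_stats.field_labels.policy_id"
      type = "flat"
      index = 0
      subindex = 0
    } # policy_id
    service = {
      label = "$lang_stats.field_labels.service"
      type = "flat"
      index = 0
      subindex = 0
    } # service
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    direction = {
      label = "$lang_stats.field_labels.direction"
      type = "flat"
      index = 0
      subindex = 0
    } # direction
    action = {
      label = "$lang_stats.field_labels.action"
      type = "flat"
      index = 0
      subindex = 0
    } # action
    sent = {
      label = "$lang_stats.field_labels.sent"
      type = "flat"
      index = 0
      subindex = 0
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      type = "flat"
      index = 0
      subindex = 0
    } # rcvd
    bytes = {
      label = "$lang_stats.field_labels.bytes"
      type = "flat"
      index = 0
      subindex = 0
    } # bytes
    # src is the only hierarchical ("host") field: it is split on "." right-to-left
    # (left_to_right = false), with no leading divider. dst stays flat.
    src = {
      label = "$lang_stats.field_labels.src"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # src
    dst = {
      label = "$lang_stats.field_labels.dst"
      type = "flat"
      index = 0
      subindex = 0
    } # dst
    src_port = {
      label = "$lang_stats.field_labels.src_port"
      type = "flat"
      index = 0
      subindex = 0
    } # src_port
    dst_port = {
      label = "$lang_stats.field_labels.dst_port"
      type = "flat"
      index = 0
      subindex = 0
    } # dst_port
    src_zone = {
      label = "$lang_stats.field_labels.src_zone"
      type = "flat"
      index = 0
      subindex = 0
    } # src_zone
    dst_zone = {
      label = "$lang_stats.field_labels.dst_zone"
      type = "flat"
      index = 0
      subindex = 0
    } # dst_zone
    translated_ip = {
      label = "$lang_stats.field_labels.translated_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # translated_ip
    port = {
      label = "$lang_stats.field_labels.port"
      type = "flat"
      index = 0
      subindex = 0
    } # port
    icmp_type = {
      label = "$lang_stats.field_labels.icmp_type"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_type
    interface = {
      label = "$lang_stats.field_labels.interface"
      type = "flat"
      index = 0
      subindex = 0
    } # interface
    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters = {
    parse = {
      label = "parse"
      comment = ""
      # Two message shapes are recognised:
      #   NetScreen device_id=<id> [<user>]<level>: <rest>
      #   NetScreen device_id=<id> <level>: <rest>
      # Previously each shape carried its own full copy of the key=value handling;
      # the two branches now only extract their captures and set v.matched, and the
      # shared handling runs once afterwards.
      # The empty leading capture group '()' makes $1 the empty string, which is
      # then used as the collected-entry key for every set_collected_field call.
      # The bracketed token is stored as 'user' -- assumed to be the NetScreen
      # admin/user name; confirm against sample logs.
      # Multi-word NetScreen keys ('src zone', 'dst zone', 'translated ip',
      # 'src-xlated ip', 'icmp type') are renamed to single tokens first so that
      # collect_listed_fields can split the remainder on ' ' and '=' reliably;
      # 'proto' is mapped onto the 'protocol' field.
      # If the remainder does not look like at least two key=value pairs, the whole
      # remainder is stored verbatim in 'message'. That field is free-form text
      # copied from the syslog line, so reports should treat it as untrusted content.
      # start_time, when present as 'yyyy-mm-dd hh:mm:ss', has its date part
      # normalized with normalize_date; the time-of-day part is kept unchanged.
      value = "
v.matched = false;
if (matches_regular_expression(v.syslog_message, '()NetScreen device_id=([^ ]+) *\\\\[([^]]+)\\\\]([^:]+): *(.*)$')) then (
  v.key = $1;
  set_collected_field(v.key, 'device_id', $2);
  set_collected_field(v.key, 'user', $3);
  set_collected_field(v.key, 'security_level', $4);
  v.listed_fields = $5;
  v.matched = true;
);
else if (matches_regular_expression(v.syslog_message, '()NetScreen device_id=([^ ]+) *([^:]+): *(.*)$')) then (
  v.key = $1;
  set_collected_field(v.key, 'device_id', $2);
  set_collected_field(v.key, 'security_level', $3);
  v.listed_fields = $4;
  v.matched = true;
);
if (v.matched) then (
  v.listed_fields = replace_first(v.listed_fields, 'src zone=', 'src_zone=');
  v.listed_fields = replace_first(v.listed_fields, 'dst zone=', 'dst_zone=');
  v.listed_fields = replace_first(v.listed_fields, 'translated ip=', 'translated_ip=');
  v.listed_fields = replace_first(v.listed_fields, 'src-xlated ip=', 'translated_ip=');
  v.listed_fields = replace_first(v.listed_fields, 'icmp type=', 'icmp_type=');
  if (matches_regular_expression(v.listed_fields, '[^=]+=[^ ]+ [^=]+=')) then (
    collect_listed_fields(v.key, v.listed_fields, ' ', '=', 'proto=protocol')
  )
  else (
    set_collected_field(v.key, 'message', v.listed_fields)
  );
  if (matches_regular_expression(get_collected_field(v.key, 'start_time'), '([0-9]+-[0-9]+-[0-9]+) ([0-9]+:[0-9]+:[0-9]+)')) then (
    v.st_date = $1;
    v.st_time = $2;
    v.date = normalize_date(v.st_date, 'yyyy-mm-dd');
    set_collected_field(v.key, 'start_time', v.date . ' ' . v.st_time);
  );
  accept_collected_entry(v.key, false);
);
"
    } # parse
  } # log.parsing_filters

  # Database fields
  # All are string fields with suppress_top = 0 / suppress_bottom = 2 (meaning of
  # those suppress levels is defined elsewhere in the product; not changed here).
  database.fields = {
    device_id = {
      label = "$lang_stats.field_labels.device_id"
      log_field = "device_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # device_id
    start_time = {
      label = "$lang_stats.field_labels.start_time"
      log_field = "start_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # start_time
    service = {
      label = "$lang_stats.field_labels.service"
      log_field = "service"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # service
    policy_id = {
      label = "$lang_stats.field_labels.policy_id"
      log_field = "policy_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # policy_id
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    security_level = {
      label = "$lang_stats.field_labels.security_level"
      log_field = "security_level"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # security_level
    message = {
      label = "$lang_stats.field_labels.message"
      log_field = "message"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message
    action = {
      label = "$lang_stats.field_labels.action"
      log_field = "action"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # action
    src = {
      label = "$lang_stats.field_labels.src"
      log_field = "src"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src
    dst = {
      label = "$lang_stats.field_labels.dst"
      log_field = "dst"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst
    src_port = {
      label = "$lang_stats.field_labels.src_port"
      log_field = "src_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src_port
    dst_port = {
      label = "$lang_stats.field_labels.dst_port"
      log_field = "dst_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst_port
    src_zone = {
      label = "$lang_stats.field_labels.src_zone"
      log_field = "src_zone"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # src_zone
    dst_zone = {
      label = "$lang_stats.field_labels.dst_zone"
      log_field = "dst_zone"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # dst_zone
    translated_ip = {
      label = "$lang_stats.field_labels.translated_ip"
      log_field = "translated_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # translated_ip
    port = {
      label = "$lang_stats.field_labels.port"
      log_field = "port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # port
    icmp_type = {
      label = "$lang_stats.field_labels.icmp_type"
      log_field = "icmp_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # icmp_type
    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user
  } # database.fields

  # Numerical (aggregated) fields
  database.numerical_fields = {
    # events is the entry counter; it is set to 1 per entry by the mark_entry filter
    # below rather than read from a log field.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = false
      requires_log_field = true
      log_field = "rcvd"
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    # bytes is not read from the log; it is computed by calc_total_bandwidth below,
    # hence requires_log_field = false.
    bytes = {
      label = "$lang_stats.field_labels.bytes"
      default = false
      requires_log_field = false
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = true
      log_field = "duration"
      type = "float"
      display_format_type = "duration_compact"
    } # duration
  } # database.numerical_fields

  # Log filters, run in 'position' order after parsing
  log.filters = {
    # position 0: total bandwidth is the sum of the two directional counters
    calc_total_bandwidth = {
      label = "$lang_stats.field_labels.bytes"
      comment = "$lang_stats.field_labels.bytes"
      value = "bytes = sent + rcvd;"
      position = "0"
    } # calc_total_bandwidth
    # position 1: every accepted entry counts as one event
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
      position = "1"
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      policy_id = true
      device_id = true
      start_time = true
      service = true
      protocol = true
      security_level = true
      user = true
      message = true
      action = true
      src = true
      dst = true
      src_port = true
      dst_port = true
      src_zone = true
      dst_zone = true
      translated_ip = true
      port = true
      icmp_type = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-traffic concepts that have no meaning for firewall event logs
  not_supported = {
    sessions = true
    pageviews = true
    visitors = true
  } # not_supported

} # net_screen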