beta_symantec_gateway_security = {
  # Sawmill log-format plugin for the text export of the Symantec Security Gateway
  # (SGS 2.0/3.0, SEF 8.0) binary log. Everything below is driven by the regexes in
  # log.parsing_filters.parse; the field lists only declare what those regexes may emit.
  plugin_version = "1.2beta"
  # 2006-03-10: 1.1beta: added support for German month names (see log.filter_initialization).
  # 2006-03-26: 1.2beta: added support for operations containing spaces. -GMF

  # This log format is based on a text export of a binary data file on the SGS/SEF device.
  # To use "remotelogfile8.exe" to extract the text log from the binary data:
  #   1. Browse to "http://www.symantec.com/search/"
  #   2. search for document "2004021815290054"
  # To use the "flatten8" utility to extract the text log from the binary data:
  #   1. Review page 102 of "Symantec™ Security Gateways - Reference Guide" - Version 8, this is an excerpt:
  #
  # Flatten utility
  # The flatten8 utility is shipped on the included CD and lets you perform simple log file management from
  # the command-line. The flatten8 utility reads in the log message information from the system's XML files,
  # and then parses in real-time the binary log file, substituting the actual error text message for its binary
  # counterpart.
  # Most often, this utility is used to convert the binary log file to a more usable format for a third party utility,
  # such as an ASCII text editor. This utility is also used to review the most recent messages, or directed to
  # show just statistics messages.
  #
  # usage: flatten8 [-h] [-r|-s|-D] [-f] [-u seconds] [-t n] [-x xmlpath] log file ...
  #
  # Where:
  #
  # -h   Print this message and exit.
  # -r   Only has an effect when -s is used. Do reverse lookups on IP addresses.
  # -s   Output stats only.
  # -D   Do not print out error information.
  # -f   Follow output. (Binary files, default interval 2 seconds).
  # -u   Follow update interval in seconds. (Implies -f).
  # -t   Tail the last 'n' log messages.
  # -x   Next argument specifies path to XML dictionary files. This argument should not need to be used, as the XML files
  #      are placed in the default location during installation.

  # Format log_file_format value
  log.format.format_label = "Symantec Security Gateways Log Format (SGS 2.0/3.0 & SEF 8.0) (BETA)"

  # This log is the following type
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "firewall"

  log.format.treat_brackets_as_quotes = "false"
  log.format.ignore_format_lines = "true"

  # We use this to recognise the format and "auto-detect".
  # The header shape is: "Mon DD, YYYY HH:MM:SS.mmm <device> <service>[<pid>] [LEVEL ]<msgid>: ".
  # NOTE(review): the device token here is lower-case only ([0-9a-z_.-]+) while the parse regex below
  # accepts any non-space run ([^ ]+); a device with upper-case letters would parse but not auto-detect.
  log.format.autodetect_expression = `
matches_regular_expression(volatile.log_data_line, '^[A-Z][a-z][a-z] [0-9][0-9], [0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9][0-9][0-9] [0-9a-z_.-]+ [a-zA-Z0-9]+\\\\[[0-9]+\\\\]( INFORMATIONAL | NOTICE | WARNING | )[0-9]+: ')
  `

  # Only lines accepted by log.parsing_filters.parse become entries; that filter has no else branch,
  # so a line that does not match the header regex yields no entry at all (it is not counted or reported here).
  log.format.parse_only_with_filters = "true"
  log.format.allow_spaces_in_listed_field_values = "false"

  # Log fields
  # All of these are filled verbatim from the log line by collect_listed_fields (key=value pairs split on ", ");
  # nothing in this plugin validates or normalises the values.
  log.fields = {
    date = ""
    time = ""
    logging_device = ""
    service = ""
    duration = ""
    authentication_result = ""
    id = ""
    sent = ""
    received = ""
    bytes = ""
    source_interface = ""
    source_ip.type = "host"
    source_port = ""
    source_name = ""
    server_source = ""
    server_source_port = ""
    destination_interface = ""
    destination_ip = ""
    destination_port = ""
    destination_name = ""
    client_destination = ""
    # Populated from the "Target=" pair (renamed in collect_listed_fields below).
    url = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "false"
    } # url
    result = ""
    protocol = ""
    rule_id = ""
    message_type = ""
    message = ""
    operation = ""
    status = ""
    state = ""
    rule = ""
    pid = ""
    notes = ""
    adapter = ""
    alert_destination_mac_addr = ""
    alert_source_mac_addr = ""
    class = ""
    consolidated_message = ""
    count = ""
    cve = ""
    end_time = ""
    family = ""
    flag = ""
    flow_cookie = ""
    host = ""
    interface = ""
    interface_id = ""
    interval = ""
    ip_code = ""
    ip_protocol = ""
    level = ""
    outcome = ""
    packet = ""
    payload_left_offset = ""
    payload_right_offset = ""
    policy_tag = ""
    program_name = ""
    reliability = ""
    request = ""
    resource = ""
    response = ""
    start_time = ""
    string_value = ""
    title = ""
    type = ""
    vendor = ""
    vlan_id = ""
    month = ""
    user = ""
    setting = ""
    key = ""
    revision = ""
    domain = ""
    client_port = ""
    related_id = ""
    server = ""
    ip_address = ""
    # Populated from the "Date=" pair (renamed in collect_listed_fields below).
    license_exp_date = ""
    feature_id = ""
    license_type = ""
    product = ""
    version = ""
    detail = ""
  } # log.fields

  log.filter_initialization = `
    # Initialize German-to-English month translation map (the rest of the months are the same in both languages)
    v.german_months.Mrz = 'Mar';
    v.german_months.Mai = 'May';
    v.german_months.Okt = 'Oct';
    v.german_months.Dez = 'Dec';
  `

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # e.g., Jan 23, 2006 00:00:16.283 172.23.1.5 kernel[28518] 20146: Packet dropped by interface, input packet filter, Interface=eth1, Source IP=23.168.127.015, Destination IP=212.168.124.6, IP Code=TCP, Flag=SYN, Source Port=4294, Destination Port=135
    # e.g., Jan 31, 2006 00:00:00.218 beaver1.pch.gc.ca httpd[16249] INFORMATIONAL 10487: Connection completed, Source IP=164.33.1.42, Destination IP=16.9.245.101, Source Port=1841, Destination Port=80, Source Name=164.33.1.42, Destination Name=blackberry.sk, Target=http://www.somewhere.net/no/url/specified.xsl, Operation=GET, Source Interface=eth0, Destination Interface=eth1, Protocol=http, Rule=11, Duration=0, ID=d7WVW, Sent=179, Received=2441, Bytes=2620, Server Source=18.103.196.130, Server Source Port=38825, Result=200 OK

    # Split the fixed header: $1 date, $2 time (fraction discarded), $3 device, $4 service, $5 everything after "[pid] ".
    # Note that the space following "]" is consumed here, so v.message starts directly with the level word or the message id.
    if (matches_regular_expression(current_log_line(), '^([A-Za-z]+ [0-9]+, [0-9]+) ([0-9:]+)\\\.[0-9]+ ([^ ]+) ([^[]+)\\\\[[0-9]+\\\\] (.*)$')) then (
      v.date = $1;
      set_collected_field('', 'time', $2);
      set_collected_field('', 'logging_device', $3);
      set_collected_field('', 'service', $4);
      v.message = $5;

      # Handle German month names
      # Only a capitalised three-letter abbreviation is looked up; unmapped names are left as-is.
      if (matches_regular_expression(v.date, '^([A-Z][a-z][a-z])( .*)$')) then (
        v.translated_month = node_value(subnode_by_name('v.german_months', $1));
        if (v.translated_month ne '') then
          v.date = v.translated_month . $2;
      );
      set_collected_field('', 'date', v.date);

      v.listed_fields = '';
      # Form 1: "<msgid>: <message_type>, <message>, key=value, ..."
      if (matches_regular_expression(v.message, '^[0-9]+: ([^,]+), ([^,]+),[ ](.*)$')) then (
        set_collected_field('', 'message_type', $1);
        set_collected_field('', 'message', $2);
        v.listed_fields = $3;
      );
      # Form 2: "<msgid>: <message_type>, key=value, ..."
      else if (matches_regular_expression(v.message, '^[0-9]+: ([^,]+),[ ](.*)$')) then (
        set_collected_field('', 'message_type', $1);
        v.listed_fields = $2;
      );
      # Form 3: "<LEVEL> <msgid>: ..." - the severity word is stored as message_type and the
      # whole remainder (including the textual message, e.g. "Connection completed") is handed to
      # collect_listed_fields as if it were key=value data.
      # NOTE(review): this pattern is unanchored and requires a space *before* the level word, but
      # v.message begins with the level word itself (the header regex consumed the separating space),
      # so it is unclear whether the INFORMATIONAL/NOTICE/WARNING lines ever reach this branch - confirm
      # against a real sample before relying on message_type for those lines.
      else if (matches_regular_expression(v.message, ' ([A-Z]+) [0-9]+: (.*)$')) then (
        set_collected_field('', 'message_type', $1);
        v.listed_fields = $2;
      );

      # Pairs are split on ", " then on "=", with Target-> url and Date-> license_exp_date renamed.
      # NOTE(review): a value that itself contains ", " or "=" (a Target= URL with a query string, a
      # Destination Name chosen by the remote side) will be split or mis-keyed here; these values are
      # attacker-influenceable, so treat the resulting fields as untrusted in reports.
      collect_listed_fields('', v.listed_fields, ', ', '=', 'Target=url|Date=license_exp_date');
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    ## Some fields are commented out to work around a MySQL limit of 61 joins per query, in the Log Detail report.
    ## If not using MySQL, or is using Sawmill 8 or later, you can uncomment these.
    ## Commented-out fields are still parsed into log.fields above but are not stored, so they never
    ## appear in reports; the IDS-oriented ones (cve, count, payload_*_offset, vendor) are among them.
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    logging_device = ""
    service = ""
    duration = ""
    authentication_result = ""
    id = ""
    sent = ""
    received = ""
    bytes = ""
    source_interface = ""
    source_ip = ""
    source_port = ""
    source_name = ""
    server_source = ""
    server_source_port = ""
    destination_interface = ""
    destination_ip = ""
    destination_port = ""
    destination_name = ""
    client_destination = ""
    url = ""
    result = ""
    protocol = ""
    rule_id = ""
    message_type = ""
    message = ""
    operation = ""
    status = ""
    state = ""
    rule = ""
    pid = ""
    # notes = ""
    adapter = ""
    # alert_destination_mac_addr = ""
    # alert_source_mac_addr = ""
    class = ""
    consolidated_message = ""
    # count = ""
    # cve = ""
    # end_time = ""
    family = ""
    flag = ""
    # flow_cookie = ""
    host = ""
    interface = ""
    interface_id = ""
    interval = ""
    ip_code = ""
    ip_protocol = ""
    level = ""
    outcome = ""
    packet = ""
    # payload_left_offset = ""
    # payload_right_offset = ""
    policy_tag = ""
    program_name = ""
    # reliability = ""
    request = ""
    resource = ""
    response = ""
    # start_time = ""
    # string_value = ""
    title = ""
    type = ""
    # vendor = ""
    # vlan_id = ""
    # month = ""
    user = ""
    setting = ""
    # key = ""
    # revision = ""
    domain = ""
    client_port = ""
    related_id = ""
    server = ""
    ip_address = ""
    # license_exp_date = ""
    # feature_id = ""
    # license_type = ""
    # product = ""
    # version = ""
    # detail = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Reduce the stored URL to "scheme://host(truncated)" (or the first path segment when there is no
    # scheme); path and query string - which can carry session tokens or credentials - are dropped.
    simplify_url = {
      label = 'simplify_url'
      comment = 'simplify_url'
      value = `if (matches_regular_expression(url, '^([^:]+://[^/]+)')) then url = $1 . '(truncated)'; else if(matches_regular_expression(url, '^([^/]+)')) then url = $1 . '(truncated)';`
    } # simplify_url
    # Blank the per-connection ID so it does not become a high-cardinality report key.
    simplify_id = {
      label = 'simplify_id'
      comment = 'simplify_id'
      value = `id = ''`
    } # simplify_id
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Sessions are keyed on source_ip, so every connection from one address is one "visitor".
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "source_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    sent = {
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    received = {
      type = "float"
      display_format_type = "bandwidth"
    } # received
    bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    duration = {
      type = "float"
      display_format_type = "duration_compact"
    } # duration
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    # NOTE(review): several entries here (notes, license_*, feature_id, product, version, count, cve,
    # vendor, vlan_id, key, revision, payload_*_offset, ...) name fields that are commented out in
    # database.fields above; uncomment both places together. file_type is not declared in either field
    # list - presumably a Sawmill-derived field of the "page" url type; confirm.
    report_groups = {
      date_time_group = ""
      hour_of_day = true
      day_of_week = true
      logging_device = true
      message_type = true
      message = true
      notes = true
      consolidated_message = true
      adapter = true
      operation = true
      protocol = true
      status = true
      state = true
      rule = true
      rule_id = true
      authentication_result = true
      license_type = true
      license_exp_date = true
      feature_id = true
      product = true
      version = true
      source_group = {
        source_ip = true
        source_port = true
        source_name = true
        source_interface = true
        user = true
        client_port = true
        ip_address = true
      }
      content_group = {
        url = true
        file_type = true
      }
      destination_group = {
        destination_ip = true
        destination_port = true
        destination_name = true
        destination_interface = true
        client_destination = true
      }
      server_group = {
        server_source = true
        server_source_port = true
        server = true
        domain = true
        service = true
      }
      other_group = {
        id = true
        result = true
        pid = true
        alert_destination_mac_addr = true
        alert_source_mac_addr = true
        class = true
        count = true
        cve = true
        family = true
        flag = true
        flow_cookie = true
        host = true
        interface = true
        interface_id = true
        interval = true
        ip_code = true
        ip_protocol = true
        level = true
        outcome = true
        packet = true
        payload_left_offset = true
        payload_right_offset = true
        policy_tag = true
        program_name = true
        reliability = true
        request = true
        resource = true
        response = true
        string_value = true
        title = true
        type = true
        vendor = true
        vlan_id = true
        setting = true
        key = true
        revision = true
        related_id = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options
} # beta_symantec_gateway_security