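# Sawmill log-format plugin for FortiGate "space separated" firewall logs:
# one entry per line, fields written as key=value pairs divided by spaces.
# Every setting of the plugin lives inside this single top-level block.
forti_gate_space_sep = {

  # The name of the log format
  log.format.format_label = "FortiGate Space Separated Log Format"
  # Entries are expected to arrive with a syslog header in front of them
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Note the order it pins down: date= and time= come first, then device_id= and log_id=.
  log.format.autodetect_regular_expression = "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9] device_id=[^ ]+ log_id=[^ ]+ "

  # All log field parsing will be done using the parsing filters below
  log.format.parse_only_with_filters = "true"

  # Entries are called accesses
  statistics.miscellaneous.entry_name = "accesses"

  # Log fields: one entry per value that the parsing filters may collect.
  # All are "flat" except source_ip (a dotted "host" hierarchy) and send (a "size").
  log.fields = {
    device_id = {
      label = "$lang_stats.field_labels.device_id"
      type = "flat"
      index = 0
      subindex = 0
    } # device_id
    log_id = {
      label = "$lang_stats.field_labels.log_id"
      type = "flat"
      index = 0
      subindex = 0
    } # log_id
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type
    subtype = {
      label = "$lang_stats.field_labels.subtype"
      type = "flat"
      index = 0
      subindex = 0
    } # subtype
    priority = {
      label = "$lang_stats.field_labels.priority"
      type = "flat"
      index = 0
      subindex = 0
    } # priority
    sn = {
      label = "$lang_stats.field_labels.sn"
      type = "flat"
      index = 0
      subindex = 0
    } # sn
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "flat"
      index = 0
      subindex = 0
    } # duration
    policy_id = {
      label = "$lang_stats.field_labels.policy_id"
      type = "flat"
      index = 0
      subindex = 0
    } # policy_id
    attack_id = {
      label = "$lang_stats.field_labels.attack_id"
      type = "flat"
      index = 0
      subindex = 0
    } # attack_id
    # Source address is a host hierarchy split on "." (e.g. 10 / 10.1 / 10.1.2 / 10.1.2.3)
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # source_ip
    source_hostname = {
      label = "$lang_stats.field_labels.source_hostname"
      type = "flat"
      index = 0
      subindex = 0
    } # source_hostname
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port
    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # source_interface
    # Destination address is kept flat (no "." hierarchy), unlike source_ip
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_ip
    destination_hostname = {
      label = "$lang_stats.field_labels.destination_hostname"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_hostname
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port
    destination_interface = {
      label = "$lang_stats.field_labels.destination_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_interface
    translated_ip = {
      label = "$lang_stats.field_labels.translated_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # translated_ip
    translated_port = {
      label = "$lang_stats.field_labels.translated_port"
      type = "flat"
      index = 0
      subindex = 0
    } # translated_port
    icmp_id = {
      label = "$lang_stats.field_labels.icmp_id"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_id
    icmp_type = {
      label = "$lang_stats.field_labels.icmp_type"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_type
    icmp_code = {
      label = "$lang_stats.field_labels.icmp_code"
      type = "flat"
      index = 0
      subindex = 0
    } # icmp_code
    status = {
      label = "$lang_stats.field_labels.status"
      type = "flat"
      index = 0
      subindex = 0
    } # status
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    service = {
      label = "$lang_stats.field_labels.service"
      type = "flat"
      index = 0
      subindex = 0
    } # service
    message = {
      label = "$lang_stats.field_labels.message"
      type = "flat"
      index = 0
      subindex = 0
    } # message
    # Bytes sent; feeds the "send" bandwidth numerical field below
    send = {
      label = "$lang_stats.field_labels.send"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # send
    received = {
      label = "$lang_stats.field_labels.received"
      type = "flat"
      index = 0
      subindex = 0
    } # received
    send_packets = {
      label = "$lang_stats.field_labels.send_packets"
      type = "flat"
      index = 0
      subindex = 0
    } # send_packets
    received_packets = {
      label = "$lang_stats.field_labels.received_packets"
      type = "flat"
      index = 0
      subindex = 0
    } # received_packets
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Filter 1 captures everything from "device_id=" to the end of the line, splits it on
  # single spaces and on "=", and maps each log key (left of "=") to a log field (right
  # of "=") from the list. Values are taken verbatim from the log line.
  # Because the captured span starts at device_id=, the leading date= and time= pairs
  # (see the autodetect regexp) are outside it; presumably the timestamp comes from the
  # required syslog header instead — TODO confirm.
  # The FortiGate "sent" byte counter is mapped to the "send" log field so the bandwidth
  # numerical field is actually populated; type/subtype/duration/status/service are listed
  # explicitly so their database fields do not depend on whether unlisted keys are collected
  # by name.
  # NOTE(review): splitting on a single space would break any value that contains spaces
  # (quoted msg= text, if present) — confirm against real log lines before mapping msg.
  log.parsing_filters = {
    # Parse out the space-separated, =-divided variables
    1 = {
      label = "1"
      comment = ""
      value = "collect_listed_fields_using_regexp('()(device_id=.*)$', ' ', '=', 'time=devicetime|date=devicedate|device_id=device_id|log_id=log_id|type=type|subtype=subtype|pri=priority|duration=duration|policyid=policy_id|attack_id=attack_id|src=source_ip|srcname=source_hostname|src_port=source_port|src_int=source_interface|dst=destination_ip|dstname=destination_hostname|dst_port=destination_port|dst_int=destination_interface|tran_ip=translated_ip|tran_port=translated_port|icmp_id=icmp_id|icmp_type=icmp_type|icmp_code=icmp_code|proto=protocol|service=service|status=status|sent=send|rcvd=received|sent_pkt=send_packets|rcvd_pkt=received_packets')"
    } # 1
    # Accept this entry (unconditionally: the empty regexp matches every entry)
    2 = {
      label = "2"
      comment = ""
      value = "accept_collected_entry_using_regexp('()', false)"
    } # 2
  } # log.parsing_filters

  # Database fields: the log fields that are stored and reported on.
  # Every one is stored as a string and reads its value from the same-named log field.
  database.fields = {
    device_id = {
      label = "$lang_stats.field_labels.device_id"
      log_field = "device_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # device_id
    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type
    subtype = {
      label = "$lang_stats.field_labels.subtype"
      log_field = "subtype"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # subtype
    priority = {
      label = "$lang_stats.field_labels.priority"
      log_field = "priority"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # priority
    duration = {
      label = "$lang_stats.field_labels.duration"
      log_field = "duration"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # duration
    policy_id = {
      label = "$lang_stats.field_labels.policy_id"
      log_field = "policy_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # policy_id
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip
    source_hostname = {
      label = "$lang_stats.field_labels.source_hostname"
      log_field = "source_hostname"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_hostname
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port
    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      log_field = "source_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_interface
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip
    destination_hostname = {
      label = "$lang_stats.field_labels.destination_hostname"
      log_field = "destination_hostname"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_hostname
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port
    destination_interface = {
      label = "$lang_stats.field_labels.destination_interface"
      log_field = "destination_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_interface
    translated_ip = {
      label = "$lang_stats.field_labels.translated_ip"
      log_field = "translated_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # translated_ip
    translated_port = {
      label = "$lang_stats.field_labels.translated_port"
      log_field = "translated_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # translated_port
    icmp_type = {
      label = "$lang_stats.field_labels.icmp_type"
      log_field = "icmp_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # icmp_type
    icmp_code = {
      label = "$lang_stats.field_labels.icmp_code"
      log_field = "icmp_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # icmp_code
    status = {
      label = "$lang_stats.field_labels.status"
      log_field = "status"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # status
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    service = {
      label = "$lang_stats.field_labels.service"
      log_field = "service"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # service
  } # database.fields

  # Log Filters
  log.filters = {
    # Count every entry as one access
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields
  database.numerical_fields = {
    # Number of entries; set to 1 per entry by the mark_entry filter
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    # Use "source IP" as the visitor id (count of distinct source_ip values)
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    # Bytes sent, summed from the "send" log field and shown as bandwidth
    send = {
      label = "$lang_stats.field_labels.send"
      default = false
      requires_log_field = true
      log_field = "send"
      type = "float"
      display_format_type = "bandwidth"
    } # send
  } # database.numerical_fields

  create_profile_wizard_options = {
    host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      device_id = true
      type = true
      subtype = true
      priority = true
      duration = true
      policy_id = true
      source_ip = true
      source_hostname = true
      source_port = true
      source_interface = true
      destination_ip = true
      destination_hostname = true
      destination_port = true
      destination_interface = true
      translated_ip = true
      translated_port = true
      icmp_type = true
      icmp_code = true
      status = true
      protocol = true
      service = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-style reports that make no sense for firewall traffic
  not_supported = {
    pageviews = true
    sessionpages = true
  } # not_supported

} # forti_gate_space_sep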