# Sawmill log-format plugin for RACF security reports.
# All field extraction is done by the parsing filter below (parse_only_with_filters):
# it reassembles each multi-line report entry into a working buffer and accepts the
# entry when the next entry header (or the end of the file) is seen.
racf_security = {
  plugin_version = "1.0beta"

  # The name of the log format
  log.format.format_label = "RACF Security Log Format"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression
  # (a "N.N HH:MM:SS ... RACF REPORT" header line)
  log.format.autodetect_regular_expression = "^[0-9]+\\.[0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9] +RACF REPORT"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # NOTE(review): unquoted here while the other booleans in this file are quoted — confirm both forms are accepted.
  log.format.discard_expired_entries = false

  # Log fields
  # date/time/sysid/job/step/terminal_id/terminal_level/event/qual come from the entry header line;
  # user_name from the name line; the remaining fields are filled by NAME=value pairs found in the
  # entry's continuation lines (see the parsing filter). events is set to 1 per accepted entry.
  log.fields = {
    date = ""
    time = ""
    sysid = ""
    job = ""
    user_name = ""
    step = ""
    # group = ""
    terminal_id = ""
    terminal_level = ""
    event = ""
    qual = ""
    jobid = ""
    userdata = ""
    owner = ""
    auth = ""
    reason = ""
    session = ""
    jesinput = ""
    exenode = ""
    appl = ""
    terminal = ""
    dataset = ""
    genprof = ""
    volume = ""
    intent = ""
    allowed = ""
    token_status = ""
    level = ""
    events = ""
  } # log.fields

  # Seed the continuation buffer with a sentinel so the first header line does not
  # flush (accept) an empty "previous" entry.
  log.filter_initialization = `
    v.other_variables = 'firsttime';
  `

  # Log Parsing Filters
  # (Name notwithstanding, this filter parses RACF report entries, not syslog.)
  # Each call sees one physical line. State carried between calls:
  #   v.other_variables  - accumulated NAME=value text of the entry being built
  #                        ('firsttime' until the first header line is seen)
  log.parsing_filters.parse_syslog = `
    # If this is the start of a new entry, accept the previous entry; if it's the end of the file, accept the final entry.
    # This regular expression only detects a header line; the one further down re-matches it to extract the fields.
    # NOTE(review): current_log_line() eq char_to_ascii(26) appears to be the end-of-file marker — confirm.
    if (matches_regular_expression(current_log_line(), '^[0-9]([0-9][0-9])\\\\.[0-9]([0-9][0-9]) ([0-9:]+) ([^ ]+) +([^ ]+) +([^ ]+) +([^ ]*) +([0-9]+) +([0-9]+) +([0-9]+) +([^ ].*)$') or (current_log_line() eq char_to_ascii(26))) then (
      # Collect the fields from the previous "other variables" section
      if (v.other_variables ne 'firsttime') then (
        v.remainder = v.other_variables;
        # Peel NAME=(value) or NAME=value pairs off the front of the buffer one at a time.
        # The first alternative handles parenthesised values (which may contain commas);
        # the second stops at the next comma.
        while (matches_regular_expression(v.remainder, '^([A-Z ]+)=\\\\(([^)]*)\\\\)(.*)$') or matches_regular_expression(v.remainder, '^([A-Z ]+)=([^,]*)(.*)$')) (
          # The field name is taken from the report text itself (upper-case words only,
          # lowercased, spaces -> '_'). A NAME that is not declared in log.fields has no
          # destination — check how set_collected_field treats unknown names (dropped vs. error).
          v.name = replace_all(lowercase($1), ' ', '_');
          v.value = $2;
          set_collected_field('', v.name, v.value);
          v.remainder = $3;
          # Drop the separating comma before the next pair (assumes substr is 0-based)
          if (starts_with(v.remainder, ',')) then v.remainder = substr(v.remainder, 1);
        );
      ); # if not first time
      # Accept the previous entry
      # events = 1 so the numerical field counts entries
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
    # Header line: extract the fixed fields and reset the continuation buffer
    if (matches_regular_expression(current_log_line(), '^([0-9][0-9][0-9])\\\\.([0-9][0-9][0-9]) ([0-9:]+) ([^ ]+) +([^ ]+) +([^ ]+) +([^ ]*) +([0-9]+) +([0-9]+) +([0-9]+) +([^ ].*)$')) then (
      # set_collected_field('', 'date', normalize_date($1 . '/' . $2, 'mm/dd'));
      # Date = 1 January of year '2' . $1 (three digits, e.g. 009 -> 2009, 104 -> 2104) plus ($2 - 1) days,
      # keeping the first 11 characters of the resulting date/time string (presumably the date part).
      # NOTE(review): confirm the '2' . $1 year construction against the report's date convention.
      set_collected_field('', 'date', substr(epoc_to_date_time(date_time_to_epoc('01/Jan/2' . $1 . ' 00:00:00') + (($2 - 1) * 24*60*60)), 0, 11));
      set_collected_field('', 'time', $3);
      set_collected_field('', 'sysid', $4);
      set_collected_field('', 'job', $5);
      set_collected_field('', 'step', $6);
      set_collected_field('', 'terminal_id', $7);
      set_collected_field('', 'terminal_level', $8);
      set_collected_field('', 'event', $9);
      set_collected_field('', 'qual', $10);
      v.other_variables = '';
    );
    # Extract the name
    # Only a two-word, all-upper-case name following a single leading space matches;
    # lines that do not fit this shape leave user_name unset.
    if (matches_regular_expression(current_log_line(), '^ ([A-Z]+ [A-Z]+) ')) then (
      set_collected_field('', 'user_name', $1);
    );
    # Extract final fields
    # Continuation lines: the run of '.' skips the report's fixed left-hand columns, so the
    # dot count (plus the trailing space) must match the report layout exactly. Text after
    # that column is appended to the buffer; if the buffer ends in '=' or ',' the value or
    # list was split across lines and is joined directly, otherwise a ',' separator is added.
    if (matches_regular_expression(current_log_line(), '^.............................................................. (.*)$')) then (
      if (v.other_variables eq '') then (
        v.other_variables = $1;
      );
      else if (ends_with(v.other_variables, '=')) then (
        v.other_variables .= $1;
      );
      else if (ends_with(v.other_variables, ',')) then (
        v.other_variables .= $1;
      );
      else (
        v.other_variables .= ',' . $1;
      )
      # NOTE(review): the closing parentheses below appear one deeper than the opens — confirm this parses as intended.
    );
  );
  `

  # Database fields
  # date and time from log.fields are combined into date_time; events is not listed here
  # but is declared as a numerical field below.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    sysid = ""
    job = ""
    user_name = ""
    step = ""
    # group = ""
    terminal_id = ""
    terminal_level = ""
    event = ""
    qual = ""
    jobid = ""
    userdata = ""
    owner = ""
    auth = ""
    reason = ""
    session = ""
    jesinput = ""
    exenode = ""
    appl = ""
    terminal = ""
    dataset = ""
    genprof = ""
    volume = ""
    intent = ""
    allowed = ""
    token_status = ""
    level = ""
  } # database.fields

  database.numerical_fields = {
    events.default = true
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options
} # racf_security