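beta_cisco_pix = {

  # CiscoPIX
  #
  # Sawmill log-format plugin for Cisco PIX syslog output.  All field extraction
  # is done in log.parsing_filters.parse below; the fixed-regexp parsers that
  # preceded it are kept, disabled, at the end of that filter for reference.

  # The name of the log format
  log.format.format_label = "Cisco PIX Log Format (BETA)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first autodetect_lines (200) lines
  # match this regular expression, i.e. a PIX-style "%FACILITY-n-nnnnnn: " tag.
  log.format.autodetect_regular_expression = "%(PIX|SEC|IDS|FW|AUTH|IKE|PPTP)[^ ]*: "
  log.format.autodetect_lines = "200"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # A log entry is called an event
  statistics.miscellaneous.entry_name = "events"

  # Log fields (what the parsing filter may collect per entry)
  log.fields = {
    source_ip.type = "host"
    source_hostname = ""
    destination_ip = ""
    destination_hostname = ""
    source_port = ""
    destination_port = ""
    destination_service = ""
    source_side = ""
    destination_side = ""
    interface = ""
    page = ""
    operation = ""
    message_code = ""
    # destination_bytes = ""
    protocol = ""
    flags = ""
    bytes = ""
    faddr_host = ""
    faddr_port = ""
    faddr_service = ""
    gaddr_host = ""
    gaddr_port = ""
    gaddr_service = ""
    laddr_host = ""
    laddr_port = ""
    laddr_service = ""
    duration = ""
    # access_group is collected by the Deny branch below but is not in
    # database.fields, so it is not stored unless a profile adds it.
    access_group = ""
    page.type = "page"
    message = ""
    user = ""
    command = ""
    type = ""
    direction = ""
    list = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Input: v.syslog_message (the syslog payload).  Output: collected fields,
  # then accept_collected_entry().  The message is dispatched on its leading
  # verb (Built / No route / Deny / Teardown / Portmapped / No translation /
  # Accessed URL); the generic "from"/"to" parsers at the end fill in the
  # side:ip/port fields for whichever branch populated v.from and v.to.
  log.parsing_filters.parse = `
    # Parse leading date/time
    # Oct 08 2005 04:32:54:
    if (matches_regular_expression(v.syslog_message, '^([A-Z][a-z][a-z]) ([0-9][0-9]) ([0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]): (.*)$')) then (
      # Stored as DD/Mon/YYYY
      set_collected_field('', 'date', $2 . '/' . $1 . '/' . $3);
      set_collected_field('', 'time', $4);
      v.syslog_message = $5;
    );

    # Parse out the message code
    if (matches_regular_expression(v.syslog_message, '^%([^:]+): (.*)$')) then (
      set_collected_field('', 'message_code', $1);
      v.message = $2;

      # v.* variables are not cleared between entries, so every variable that
      # a branch below sets only conditionally must be reset here; otherwise a
      # value from the previous entry (e.g. a Teardown duration/bytes/flags
      # tail in v.remainder, or the URL host in v.destination) would be
      # attributed to this one.
      v.from = '';
      v.to = '';
      v.remainder = '';
      v.destination = '';

      # Handle Built lines
      # if (matches_regular_expression(v.message, '^(Built) (inbound|outbound|dynamic) (TCP|UDP|ICMP) connection [0-9]+ for (.*)$')) then (
      if (matches_regular_expression(v.message, '^(Built) (.*)$')) then (
        set_collected_field('', 'operation', $1);
        v.message = $2;

        # Extract the direction, if any
        if (matches_regular_expression(v.message, '^(inbound|outbound|dynamic) (.*)$')) then (
          set_collected_field('', 'direction', $1);
          v.message = $2;
        );

        # Extract the protocol
        if (matches_regular_expression(v.message, '^(TCP|UDP|ICMP) (.*)$')) then (
          set_collected_field('', 'protocol', $1);
          v.message = $2;
        );

        # Discard "connection for" (with or without a connection number)
        if (matches_regular_expression(v.message, '^connection for (.*)$')) then
          v.message = $1;
        else if (matches_regular_expression(v.message, '^connection [0-9]+ for (.*)$')) then
          v.message = $1;

        v.from_to = v.message;

        # Extract "from" and "to" parts of the message
        v.to_index = index(v.from_to, ' to ');
        if (v.to_index != -1) then (
          v.from = substr(v.from_to, 0, v.to_index);
          v.to = substr(v.from_to, v.to_index + 4);
        )

        # Extract faddr/gaddr/laddr information from the message
        else if (matches_regular_expression(v.from_to, '^faddr ([0-9.]+)/([0-9]+) gaddr ([0-9.]+)/([0-9]+) laddr ([0-9.]+)/([0-9]+)')) then (
          set_collected_field('', 'faddr_host', $1);
          set_collected_field('', 'faddr_port', $2);
          set_collected_field('', 'gaddr_host', $3);
          set_collected_field('', 'gaddr_port', $4);
          set_collected_field('', 'laddr_host', $5);
          set_collected_field('', 'laddr_port', $6);
        ); # if faddr/laddr/gaddr

      ) # Built

      # Handle "No route to IP from IP"
      else if (matches_regular_expression(v.message, 'No route to ([0-9.]+) from ([0-9.]+)')) then (
        set_collected_field('', 'source_ip', $1);
        set_collected_field('', 'destination_ip', $2);
      )

      # Handle Deny lines
      else if (matches_regular_expression(v.message, '^(Deny) (tcp|udp|icmp) src (.*)')) then (
        set_collected_field('', 'operation', $1);
        set_collected_field('', 'protocol', uppercase($2));
        v.from_to = $3;

        # Extract "from" and "to" parts of the message
        v.to_index = index(v.from_to, ' dst ');
        if (v.to_index != -1) then (
          v.from = substr(v.from_to, 0, v.to_index);
          v.to = substr(v.from_to, v.to_index + 5);

          # Get access-group from the end of the line
          v.by_access_group_index = index(v.to, ' by access-group ');
          if ((v.by_access_group_index != -1) and (matches_regular_expression(v.to, ' by access-group "([^"]+)"'))) then (
            v.to = substr(v.to, 0, v.by_access_group_index);
            set_collected_field('', 'access_group', $1);
          )
        ) # if to_index != -1
      ) # Deny

      ## Parse out alternate-format Deny inbound lines
      #collect_fields_using_regexp('()(Deny) (inbound) .*(tcp|udp|icmp) ', '*KEY*,operation,direction,protocol');

      # Handle Teardown lines
      else if (matches_regular_expression(v.message, '^(Teardown) (TCP|UDP) connection (.*)')) then (
        set_collected_field('', 'operation', $1);
        set_collected_field('', 'protocol', $2);
        v.from_to = $3;

        # Discard connection number, if any
        if (matches_regular_expression(v.from_to, '^[0-9]+ (.*)$')) then
          v.from_to = $1;

        # Discard "for"
        if (matches_regular_expression(v.from_to, '^for (.*)$')) then
          v.from_to = $1;

        # Handle faddr/laddr/gaddr syntax; anything after laddr is the
        # duration/bytes/flags tail handled below
        if (matches_regular_expression(v.from_to, '^faddr ([0-9.]+)/([0-9]+) gaddr ([0-9.]+)/([0-9]+) laddr ([0-9.]+)/([0-9]+)(.*)$')) then (
          set_collected_field('', 'faddr_host', $1);
          set_collected_field('', 'faddr_port', $2);
          set_collected_field('', 'gaddr_host', $3);
          set_collected_field('', 'gaddr_port', $4);
          set_collected_field('', 'laddr_host', $5);
          set_collected_field('', 'laddr_port', $6);
          v.remainder = $7;
        ); # if faddr/laddr/gaddr

        # Handle for/to syntax
        else (
          # Extract "from" and "to" parts of the message
          v.to_index = index(v.from_to, ' to ');
          if (v.to_index != -1) then (
            v.from = substr(v.from_to, 0, v.to_index);
            v.to = substr(v.from_to, v.to_index + 4);
          );

          # Extract duration, bytes, and flags from end of line (end of v.to)
          v.duration_index = index(v.to, ' duration ');
          if (v.duration_index != -1) then (
            v.remainder = substr(v.to, v.duration_index);
            v.to = substr(v.to, 0, v.duration_index);
          ) # if duration
        ); # if for/to

        # Handle duration/flags section at end of line
        if (matches_regular_expression(v.remainder, '^ duration ([0-9:]+) (.*)$')) then (
          set_collected_field('', 'duration', $1);
          v.remainder = $2;
          if (matches_regular_expression(v.remainder, '^bytes ([0-9]+) (.*)$')) then (
            set_collected_field('', 'bytes', $1);
            # TCP flags arrive as "(FIN ACK)"; parentheses are swapped for
            # brackets so the value is not treated as a grouping in reports
            set_collected_field('', 'flags', replace_first(replace_first($2, ')', ']'), '(', '['));
          ) # if bytes and flags
          else if (matches_regular_expression(v.remainder, '^bytes ([0-9]+)$')) then (
            set_collected_field('', 'bytes', $1);
          ) # if just bytes
        ) # extract duration
      ) # Teardown

      # Handle "Portmapped translation built" lines
      else if (matches_regular_expression(v.message, '^(Portmapped translation built) for (.*)$')) then (
        set_collected_field('', 'operation', $1);
        v.for = $2;

        # Handle laddr/gaddr syntax
        if (matches_regular_expression(v.for, '^gaddr ([0-9.]+)/([0-9]+) laddr ([0-9.]+)/([0-9]+)')) then (
          set_collected_field('', 'gaddr_host', $1);
          set_collected_field('', 'gaddr_port', $2);
          set_collected_field('', 'laddr_host', $3);
          set_collected_field('', 'laddr_port', $4);
        ); # if laddr/gaddr
      ) # Portmapped translation built

      # Handle "No translation group found" lines
      else if (matches_regular_expression(v.message, '^(No translation group found) for (tcp|udp|icmp) ')) then (
        set_collected_field('', 'operation', $1);
        set_collected_field('', 'protocol', uppercase($2));
      )

      # Handle "Accessed URL"
      else if (contains(v.message, ' Accessed URL ')) then (
        set_collected_field('', 'operation', 'Accessed URL');
        v.accessed_url_index = index(v.message, ' Accessed URL ');
        v.source = substr(v.message, 0, v.accessed_url_index);
        # 14 = length of ' Accessed URL '
        v.url = substr(v.message, v.accessed_url_index + 14);

        # Extract source information: "ip" optionally followed by " (hostname)"
        if (matches_regular_expression(v.source, '^([0-9.]+)(.*)$')) then (
          set_collected_field('', 'source_ip', $1);
          v.source = $2;
          if (matches_regular_expression(v.source, '^ \\\\([^)]+\\\\)$')) then
            set_collected_field('', 'source_hostname', $1);
        );

        # Extract page information: everything after the first ':' is the page
        if (matches_regular_expression(v.url, '^([^:]+):(.*)$')) then (
          v.destination = $1;
          set_collected_field('', 'page', $2);
        );

        # Extract destination information (v.destination is empty when the
        # page regexp above did not match)
        if (matches_regular_expression(v.destination, '^([0-9.]+)(.*)$')) then (
          set_collected_field('', 'destination_ip', $1);
          v.destination = $2;
          if (matches_regular_expression(v.destination, '^ \\\\([^)]+\\\\)$')) then
            set_collected_field('', 'destination_hostname', $1);
        );
      ); # if Accessed URL

      # ------------------------------------------------------------------
      # Legacy fixed-regexp parsers, disabled.  Kept for reference only.
      # ------------------------------------------------------------------
      ## Parse out alternate-format Deny lines
      #collect_fields_using_regexp('() (Deny) (tcp|udp|icmp) ', '*KEY*,operation,protocol');
      ## Parse out Deny lines (without access group)
      #collect_fields_using_regexp('() (Deny) (tcp|udp|TCP) ([a-z ]*) ', '*KEY*,operation,protocol,type');
      ## Parse out the Inbound TCP connection denied lines
      #collect_fields_using_regexp('()(Inbound) (TCP) (connection denied) ', '*KEY*,direction,protocol,operation');
      ## Parse out the ICMP packet denied lines
      #collect_fields_using_regexp('()(ICMP) packet type [0-9]+ (denied) ', '*KEY*,protocol,operation');
      ## Parse Teardown local-host
      #collect_fields_using_regexp(' ()(Teardown local-host) ([^:]*):([^/ ]*)/*([0-9]*) duration ([0-9:]+)', '*KEY*,operation,source_side,source_ip,source_port,duration');
      ## Parse out the Built UDP connection lines
      #collect_fields_using_regexp('()(Built) (UDP)', '*KEY*,operation,protocol');
      ## Parse out the Teardown UDP connection lines
      #collect_fields_using_regexp('()(Teardown) ([^ ]*) ', '*KEY*,operation,protocol');
      ## Parse out the interface
      #collect_fields_using_regexp('() interface ([^\\']*)', '*KEY*,interface');
      ## Parse out the flags
      #collect_fields_using_regexp('() flags ([A-Z ]* [^ ]*)', '*KEY*,flags');
      ## Parse out the bytes field
      #collect_fields_using_regexp('() bytes ([0-9]*)', '*KEY*,bytes');
      ## Parse out the duration field
      #collect_fields_using_regexp('() duration ([0-9:]*)', '*KEY*,duration');
      ## Parse from/to info
      #collect_fields_using_regexp('() from ([.0-9]*) to ([0-9.]*) ', '*KEY*,source_ip,destination_ip');
      ## Parse for/to or from/to lines with unresolved hostnames
      #collect_fields_using_regexp('() f(or|rom) ([a-zA-Z0-9]+):([^:/ ]*)/*([0-9]*) to ([a-zA-Z0-9]+):([^:/ ]*)/*([0-9]*) ', '*KEY*,dummy,source_side,source_ip,source_port,destination_side,destination_ip,destination_port');
      ## Parse src/dst or from/to lines with resolved hostname
      #collect_fields_using_regexp(' ()(from|src) ([a-zA-Z0-9]+):([0-9.]*) \\\\(([^)]*)\\\\) /*([0-9]*) (to|dst) ([a-zA-Z0-9]+):([0-9.]*) \\\\(([^)]*)\\\\) /*([0-9]*)', '*KEY*,dummy,source_side,source_ip,source_hostname,source_port,dummy,destination_side,destination_ip,destination_hostname,destination_port');
      ## Parse src/dst lines with just IPs or just hostnames
      #collect_fields_using_regexp(' ()src ([a-zA-Z0-9]+):([0-9.A-Za-z_]*)/*([0-9]*) dst ([a-zA-Z0-9]+):([0-9.A-Za-z_]*)/*([0-9]*)', '*KEY*,source_side,source_ip,source_port,destination_side,destination_ip,destination_port');
      ## Parse src/dest lines
      #collect_fields_using_regexp(' ()src ([0-9.]+) *([0-9]*) dest ([0-9.]+) *([0-9]*)', '*KEY*,source_ip,source_port,destination_ip,destination_port');
      ## Parse out the source/destination IP/port
      #collect_fields_using_regexp('() from ([0-9.]*)/([0-9]*) to ([0-9.]*)/([0-9]*)', '*KEY*,source_ip,source_port,destination_ip,destination_port');
      ## Parse out the source/destination IP/hostname/port
      #collect_fields_using_regexp('() from ([0-9.]*) \\\\(([^)]*)\\\\) /([0-9]*) to ([0-9.]*) \\\\(([^)]*)\\\\) /([0-9]*) ', '*KEY*,source_ip,source_hostname,source_port,destination_ip,destination_hostname,destination_port');
      ## Parse out the faddr/laddr/gaddr info
      #collect_fields_using_regexp('() faddr ([^/]*)/([^ ]*) ', '*KEY*,faddr_host,faddr_port');
      ## Parse out gaddr/laddr info
      #collect_fields_using_regexp('() gaddr ([^/]*)/([^ ]*) laddr ([^/]*)/([^ ]*)', '*KEY*,gaddr_host,gaddr_port,laddr_host,laddr_port');
      ## Parse out global/local lines
      #collect_fields_using_regexp('() global ([^/]*)/([^ ]*) local ([^/]*)/([^ ]*)', '*KEY*,gaddr_host,gaddr_port,laddr_host,laddr_port');
      ## Parse out the "Accessed URL" lines
      #collect_fields_using_regexp('() ([0-9.]*) (Accessed URL) ([^:]*):([^\\']*)', '*KEY*,source_ip,operation,destination_ip,page');
      ## Parse out the "Accessed URL" lines with resolved hostnames
      #collect_fields_using_regexp('() ([0-9.]*) \\\\(([^)]*)\\\\) (Accessed URL) ([^:]*) \\\\(([^)]*)\\\\) :([^\\']*)', '*KEY*,source_ip,source_hostname,operation,destination_ip,destination_hostname,page');
      ## Parse out the "Accessed URL" lines
      #collect_fields_using_regexp('() (Accessed URL) ([^\\']*)', '*KEY*,operation,url');
      ## Parse a tcp|udp list line
      #collect_fields_using_regexp('()(list) ([^ ]*) (permitted|denied) (tcp|udp) ([0-9.]*) *\\\\(*([^)]*)\\\\)* *\\\\(([0-9]*)\\\\).*-> ([0-9.]*) *\\\\(*([^)]*)\\\\)* *\\\\(([0-9]*)\\\\), [0-9]* packet', '*KEY*,type,list,operation,protocol,source_ip,source_hostname,source_port,destination_ip,destination_hostname,destination_port');
      ## Parse a access-list line with sides and IPs
      #collect_fields_using_regexp('()(access-list) ([^ ]*) (permitted|denied) (tcp|udp) ([^/]+)/([0-9.]*)\\\\(([0-9]*)\\\\) -> ([^/]+)/([0-9.]*)\\\\(([0-9]*)\\\\)', '*KEY*,type,list,operation,protocol,source_side,source_ip,source_port,destination_side,destination_ip,destination_port');
      ## Parse a tcp|udp list line
      #collect_fields_using_regexp('()(tcp|udp) (connection denied) by (outbound list) ([^ ]*)', '*KEY*,protocol,operation,type,list');
      ## Parse a icmp list line
      #collect_fields_using_regexp('()(list) ([0-9]*) (permitted|denied) (icmp) ([0-9.]*).*-> ([0-9.]*) ', '*KEY*,type,list,operation,protocol,source_ip,destination_ip');
      ## Parse a route add line
      #collect_fields_using_regexp('()(RT): (add) ([0-9.]*) ([0-9.]*) via ([0-9.]*), isis metric \\\\[([0-9]*/[0-9]*)\\\\]', '*KEY*,type,operation,destination_ip,netmask,router,metric');
      ## Parse a route delete line
      #collect_fields_using_regexp('()(RT): (delete route) to ([0-9.]*) via ([0-9.]*), isis metric \\\\[([0-9]*/[0-9]*)\\\\]', '*KEY*,type,operation,destination_ip,router,metric');
      ## Parse a delete subnet route line
      #collect_fields_using_regexp('()(RT): (delete subnet route) to ([0-9.]*) ([0-9.]*)', '*KEY*,type,operation,destination_ip,subnet');
      ## Parse a no routes line
      #collect_fields_using_regexp('()(RT): (no routes) to ([0-9.]*)', '*KEY*,type,operation,destination_ip');
      ## Parse an FW-3/4 line; put the full error in message
      #collect_fields_using_regexp('()%FW-[34][^:]*: ([^\\']*)', '*KEY*,message');
      ## Parse an FW-3 line with initiator info
      #collect_fields_using_regexp('()%FW-3[^:]*: (.*)\\\\(total ([0-9]*) chars\\\\) from initiator \\\\(([0-9.]*):([0-9]*)', '*KEY*,message,bytes,source_ip,source_port');
      ## Parse an FW-6 line
      #if (matches_regular_expression(v.syslog_message, '%FW-6[^:]*: (Stop http session): initiator \\\\(([0-9.]+):([0-9]+)\\\\) sent ([0-9]+) bytes -- responder \\\\(([0-9.]+):([0-9]+)\\\\) sent ([0-9]+) bytes')) then (
      #  set_collected_field('', 'operation', $1);
      #  set_collected_field('', 'source_ip', $2);
      #  set_collected_field('', 'source_port', $3);
      #  set_collected_field('', 'bytes', $4);
      #  set_collected_field('', 'destination_ip', $5);
      #  set_collected_field('', 'destination_port', $6);
      #  set_collected_field('', 'destination_bytes', $7);
      #)
      ## Parse an AUDIT_TRAIL line
      #collect_fields_using_regexp('()AUDIT_TRAIL: ([a-z-]*) (session initiator) \\\\(([0-9.]*):([0-9]*)\\\\) sent ([0-9]*) bytes -- responder \\\\(([0-9.]*):([0-9]*)\\\\) sent ([0-9]*) bytes', '*KEY*,protocol,operation,source_ip,source_port,bytes,destination_ip,destination_port,destination_bytes');
      ## parse IDS events
      #collect_fields_using_regexp('() (IDS:.*) from', '*KEY*,message');
      ## parse audit cmd lines
      #collect_fields_using_regexp('() User *\\'([^\\']*)\\' executed cmd: ([^\\']*)', '*KEY*,user,command');
      ## Parse out the audit command lines
      #collect_fields_using_regexp('()User *\\'([^\\']*)\\' executed the \\'([^\\']*)\\' command', '*KEY*,user,command');
      ## Parse out the audit operation lines
      #collect_fields_using_regexp('()User *\\'([^\\']*)\\' executed the \\'([^\\']*)\\' command', '*KEY*,user,command');
      ## Parse out the audit operation lines
      #collect_fields_using_regexp('() (New user added to local dbase|User deleted from local dbase): Uname: ([^ ]*) ', '*KEY*,operation,user');

      # Parse "from" information ("side:ip/port", as set by the Built, Deny
      # and Teardown branches; empty for the other branches)
      if (matches_regular_expression(v.from, '^([a-zA-Z0-9]+):([^ ]*)/([0-9]+)')) then (
        set_collected_field('', 'source_side', $1);
        set_collected_field('', 'source_ip', $2);
        set_collected_field('', 'source_port', $3);
      );

      # Parse "to" information
      if (matches_regular_expression(v.to, '^([a-zA-Z0-9]+):([^ ]*)/([0-9]+)')) then (
        set_collected_field('', 'destination_side', $1);
        set_collected_field('', 'destination_ip', $2);
        set_collected_field('', 'destination_port', $3);
      );

      # Accept this log entry
      accept_collected_entry('', false);
    ) # if message code extracted
  `

  # Database fields
  # NOTE(review): "message" is listed here but the active parser never sets
  # it (only the disabled legacy parsers did) — confirm it is still wanted.
  database.fields = {
    operation = ""
    message = ""
    message_code = ""
    protocol = ""
    source_ip = ""
    location = ""
    destination_ip = ""
    source_hostname = ""
    destination_hostname = ""
    source_port = ""
    destination_port = ""
    source_side = ""
    destination_side = ""
    destination_service = ""
    interface = ""
    direction = ""
    faddr_host = ""
    faddr_port = ""
    faddr_service = ""
    gaddr_host = ""
    gaddr_port = ""
    gaddr_service = ""
    laddr_host = ""
    laddr_port = ""
    laddr_service = ""
    page = ""
    flags = ""
    user = ""
    command = ""
    type = ""
    list = ""
  } # database.fields

  # Log Filters (run per entry after parsing)
  log.filters = {

    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else page = '[worm]';"
    } # set_page_for_worm

    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((page eq '(empty)') or (file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    # strip_non_page_views = {
    #   label = '$lang_admin.log_filters.strip_non_page_views_label'
    #   comment = '$lang_admin.log_filters.strip_non_page_views_comment'
    #   value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    # } # strip_non_page_views

    simplify_page = {
      label = "Simplify page"
      comment = "This removes page information from the database"
      value = "page = '(page removed)'"
    } # simplify_page

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

    # Map "port_protocol" (e.g. 80_tcp) to a service name via
    # rewrite_rules.services, or '(unknown)' when there is no such rule.
    # The lookup is guarded by subnode_exists() first, like the three
    # faddr/gaddr/laddr filters below; an earlier unguarded
    # node_value(subnode_by_name(...)) call ran before the check and then
    # the check was applied to the rewritten value rather than the key.
    # NOTE(review): unlike the faddr/gaddr/laddr lookups, this does not map
    # a '.'-prefixed protocol to 'tcp' — confirm whether that is intended.
    look_up_service = {
      label = '$lang_admin.log_filters.look_up_service'
      comment = '$lang_admin.log_filters.look_up_comment'
      value = `
        destination_service = destination_port . "_" . lowercase(protocol);
        if (subnode_exists('rewrite_rules.services', destination_service)) then
          destination_service = node_value(subnode_by_name("rewrite_rules.services", destination_service));
        else
          destination_service = '(unknown)';
      `
    } # look_up_service

    look_up_faddr_service = {
      label = 'Look up faddr service'
      comment = 'Compute faddr service from faddr port and protocol'
      value = `
        faddr_service = faddr_port . "_" . (if (starts_with(protocol, '.')) then 'tcp' else lowercase(protocol));
        if (subnode_exists('rewrite_rules.services', faddr_service)) then
          faddr_service = node_value(subnode_by_name("rewrite_rules.services", faddr_service));
        else
          faddr_service = '(unknown)';
      `
    } # look_up_faddr_service

    look_up_gaddr_service = {
      label = 'Look up gaddr service'
      comment = 'Compute gaddr service from gaddr port and protocol'
      value = `
        gaddr_service = gaddr_port . "_" . (if (starts_with(protocol, '.')) then 'tcp' else lowercase(protocol));
        if (subnode_exists('rewrite_rules.services', gaddr_service)) then
          gaddr_service = node_value(subnode_by_name("rewrite_rules.services", gaddr_service));
        else
          gaddr_service = '(unknown)';
      `
    } # look_up_gaddr_service

    look_up_laddr_service = {
      label = 'Look up laddr service'
      comment = 'Compute laddr service from laddr port and protocol'
      value = `
        laddr_service = laddr_port . "_" . (if (starts_with(protocol, '.')) then 'tcp' else lowercase(protocol));
        if (subnode_exists('rewrite_rules.services', laddr_service)) then
          laddr_service = node_value(subnode_by_name("rewrite_rules.services", laddr_service));
        else
          laddr_service = '(unknown)';
      `
    } # look_up_laddr_service

  } # log.filters

  # Session reconstruction: a "visitor" is a source IP, a "page" is the
  # destination IP, and only page-view events extend a session.
  log.field_options = {
    sessions_page_field = "destination_ip"
    sessions_visitor_id_field = "source_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {

    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events

    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views

    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips

    bytes = {
      label = "$lang_stats.field_labels.bytes"
      default = false
      requires_log_field = true
      log_field = "bytes"
      type = "float"
      display_format_type = "bandwidth"
    } # bytes

    # destination_bytes = {
    #   label = "$lang_stats.field_labels.destination_bytes"
    #   default = false
    #   requires_log_field = true
    #   log_field = "destination_bytes"
    #   type = "float"
    #   display_format_type = "bandwidth"
    # } # destination_bytes

    # Written in the same quoted form as the other entries, with the log
    # field it depends on named explicitly rather than implied by the node name.
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = true
      log_field = "duration"
      type = "int"
      display_format_type = "duration_compact"
    } # duration

  } # database.numerical_fields

  create_profile_wizard_options = {

    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {

      date_time_group = ""

      source_group = {
        source_ip = true
        source_hostname = true
        source_port = true
        source_side = true
        user = true
        interface = true
        laddr_host = true
        laddr_port = true
        laddr_service = true
        location = true
      }

      destination_group = {
        destination_ip = true
        destination_hostname = true
        destination_port = true
        destination_side = true
        page = true
        faddr_host = true
        faddr_port = true
        faddr_service = true
        gaddr_host = true
        gaddr_port = true
        gaddr_service = true
        destination_service = true
        destination_ip_by_source_ip = true
        destination_service_by_source_ip = true
        faddr_host_by_laddr_host = true
        faddr_service_by_laddr_host = true
        gaddr_host_by_laddr_host = true
        gaddr_service_by_laddr_host = true
      }

      other_group = {
        logging_device = true
        syslog_priority = true
        operation = true
        direction = true
        message = true
        message_code = true
        protocol = true
        flags = true
        command = true
        type = true
        list = true
      }

    } # report_groups

  } # create_profile_wizard_options

} # beta_cisco_pix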