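# Sawmill log-format plug-in for praudit(1) output (BSM audit trail rendered as
# comma-separated tokens).  One audit record spans several physical lines --
# a "header" token, a "subject" token, optional "text" tokens and a closing
# "return" token -- so the format relies entirely on the parsing filter below
# (parse_only_with_filters) to collect fields across lines and emit one entry
# per record.
beta_praudit = {

  # The name of the log format
  log.format.format_label = "praudit Log Format (BETA)"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression
  # (a "header" token followed by a praudit-style timestamp ending in "... <n> msec").
  log.format.autodetect_regular_expression = "^header,[0-9]+,[0-9]+,[^,]+,[^,]*,[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9].* [0-9]+ msec"

  # No default field splitting: every line goes through log.parsing_filters.parse.
  log.format.parse_only_with_filters = "true"

  # Log fields (one collected entry per audit record).
  # The collected-field names used in the parsing filter below must match these
  # names exactly; a mismatch means the value is silently dropped.
  log.fields = {
    date = ""
    time = ""
    audit_event_id = ""
    audit_event_id_modifier = ""
    invariant_audit_id = ""
    effective_user_id = ""
    effective_group_id = ""
    real_user_id = ""
    real_group_id = ""
    process_id = ""
    audit_session_id = ""
    terminal_id = ""
    text = ""
    return_message = ""
    return_code = ""
  } # log.fields

  log.parsing_filters.parse = `
# Fields are collected line by line and the entry is emitted only when the
# "return" token is seen.
# NOTE(review): nothing here resets the collected fields when a new "header"
# token starts a record, so a record that ends without a "return" token would
# let its values carry over into the following record -- confirm whether
# accept_collected_entry() clears the collected fields.

#header,94,2,AUE_ssh,,Fri Jan 28 16:53:58 CST 2005, + 510 msec
# $1 = event name, $2 = event modifier, $3 = month name, $4 = day of month,
# $5 = hh:mm:ss, $6 = year.  The record length and version numbers that precede
# the event name are matched but not collected.
if (matches_regular_expression(current_log_line(), '^header,[0-9]*,[0-9]*,([^,]*),([^,]*),[A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9][0-9]) ([0-9]+:[0-9][0-9]:[0-9][0-9]) [A-Z]+ ([0-9]+),')) then (
  set_collected_field('', 'audit_event_id', $1);
  # Was 'id_modifier', which no log field declares, so the modifier never
  # reached the entry; the name now matches log.fields.audit_event_id_modifier.
  set_collected_field('', 'audit_event_id_modifier', $2);
  # Date is assembled as DD/Mon/YYYY from day ($4), month name ($3) and year ($6).
  set_collected_field('', 'date', $4 . '/' . $3 . '/' . $6);
  set_collected_field('', 'time', $5);
)

#subject,beckford,beckford,sysadmin,beckford,sysadmin,550,550,0 2190 192.168.254.11
# $8 (terminal id) is everything after the session id; in the sample it holds a
# port and a peer address, so it is not a single numeric token.
else if (matches_regular_expression(current_log_line(), '^subject,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([0-9]*),([0-9]*),(.*)$')) then (
  set_collected_field('', 'invariant_audit_id', $1);
  set_collected_field('', 'effective_user_id', $2);
  set_collected_field('', 'effective_group_id', $3);
  set_collected_field('', 'real_user_id', $4);
  set_collected_field('', 'real_group_id', $5);
  set_collected_field('', 'process_id', $6);
  set_collected_field('', 'audit_session_id', $7);
  set_collected_field('', 'terminal_id', $8);
)

#text,invalid password or publickey
# Free-form text supplied by the audited process; it may contain commas, hence
# the catch-all capture.  Treat it as untrusted content in downstream reports.
else if (matches_regular_expression(current_log_line(), '^text,(.*)$')) then (
  set_collected_field('', 'text', $1);
)

#return,failure: Interrupted system call,-1
# The "return" token closes the record: collect the status message and the
# (optionally negative) return code, then emit the collected entry.
# '-?' accepts a single optional minus sign (the original '-*' also accepted
# repeated minus signs, which is not a valid return code).
else if (matches_regular_expression(current_log_line(), '^return,([^,]*),(-?[0-9]+)$')) then (
  set_collected_field('', 'return_message', $1);
  set_collected_field('', 'return_code', $2);
  accept_collected_entry('', false);
)
  `

  # Database fields
  # date and time from log.fields are combined into date_time; day_of_week and
  # hour_of_day are derived from it by Sawmill's date/time tracking.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    audit_event_id = ""
    audit_event_id_modifier = ""
    invariant_audit_id = ""
    effective_user_id = ""
    effective_group_id = ""
    real_user_id = ""
    real_group_id = ""
    process_id = ""
    audit_session_id = ""
    terminal_id = ""
    text = ""
    return_message = ""
    return_code = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Count every accepted record as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # NOTE(review): these session options name fields ("page", "hostname") that
  # this format does not declare; they look like defaults copied from another
  # format.  Verify what Sawmill expects here before relying on session tracking.
  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "hostname"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    # Number of audit records; populated by the mark_entry filter above.
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      audit_event_id = ""
      audit_event_id_modifier = ""
      invariant_audit_id = ""
      effective_user_id = ""
      effective_group_id = ""
      real_user_id = ""
      real_group_id = ""
      process_id = ""
      audit_session_id = ""
      terminal_id = ""
      text = ""
      return_message = ""
      return_code = ""
    } # report_groups
  } # create_profile_wizard_options

} # beta_praudit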