symantec_gateway_security = {

  # Sawmill log-format plugin for Symantec Gateway Security (SGS 2.0/3.0) and
  # Symantec Enterprise Firewall (SEF 8.0).
  #
  # The appliance keeps its log as a binary file. This plugin parses the TEXT
  # export of that file, which is produced by one of two Symantec tools:
  #
  #   remotelogfile8.exe
  #     1. Browse to "http://www.symantec.com/search/"
  #     2. Search for document "2004021815290054"
  #
  #   flatten8
  #     See page 102 of "Symantec Security Gateways - Reference Guide",
  #     Version 8. Excerpt:
  #
  #     Flatten utility
  #     The flatten8 utility is shipped on the included CD and lets you perform
  #     simple log file management from the command-line. The flatten8 utility
  #     reads in the log message information from the system's XML files, and
  #     then parses in real-time the binary log file, substituting the actual
  #     error text message for its binary counterpart.
  #     Most often, this utility is used to convert the binary log file to a
  #     more usable format for a third party utility, such as an ASCII text
  #     editor. This utility is also used to review the most recent messages,
  #     or directed to show just statistics messages.
  #
  #     usage: flatten8 [-h] [-r|-s|-D] [-f] [-u seconds] [-t n] [-x xmlpath] log file ...
  #
  #     Where:
  #       -h  Print this message and exit.
  #       -r  Only has an effect when -s is used. Do reverse lookups on IP addresses.
  #       -s  Output stats only.
  #       -D  Do not print out error information.
  #       -f  Follow output. (Binary files, default interval 2 seconds).
  #       -u  Follow update interval in seconds. (Implies -f).
  #       -t  Tail the last 'n' log messages.
  #       -x  Next argument specifies path to XML dictionary files. This argument
  #           should not need to be used, as the XML files are placed in the
  #           default location during installation.
  #
  # Every field below is populated from the text of the log line by the
  # "parse" filter in log.parsing_filters; no positional (index-based)
  # parsing is used (log.format.parse_only_with_filters = "true").

  # Human-readable name shown in the format picker
  log.format.format_label = "Symantec Security Gateways Log Format (SGS 2.0/3.0 & SEF 8.0)"

  # Classification of this log for the profile wizard
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "firewall"

  log.format.treat_brackets_as_quotes = "false"

  # Date and time formats of the fields handed to set_collected_field()
  # NOTE(review): the parse regex captures dates of the form "Jan 02, 2004"
  # (alphabetic month, two-digit day, comma, year) while this format string
  # uses "/" dividers -- confirm Sawmill's date parser tolerates the ", "
  # dividers, or adjust the format to match the export.
  log.format.date_format = "mmm/dd/yyyy"
  log.format.time_format = "auto"

  # What a single log line is called in reports
  statistics.miscellaneous.entry_name = "events"

  log.format.ignore_format_lines = "true"

  # Auto-detection: a run of digits between spaces, followed by a severity word.
  # (The three consecutive "[0-9]*" atoms collapse to a single "[0-9]*"; kept
  # as-is so the detection behaviour does not change.)
  log.format.autodetect_regular_expression = "[ ][0-9]*[0-9]*[0-9]*[ ](INFORMATIONAL|NOTICE|WARNING)"

  # All field extraction happens in log.parsing_filters below
  log.format.parse_only_with_filters = "true"
  log.format.allow_spaces_in_listed_field_values = "false"

  # ---------------------------------------------------------------------------
  # Log fields
  #
  # index/subindex are 0 for every field because parsing is filter-driven; the
  # names here must match the field names used with set_collected_field() and
  # the right-hand sides of the collect_listed_fields() mapping in the parse
  # filter ("url", "license_exp_date"), and the key=value names that appear in
  # the log line's trailing text.
  # ---------------------------------------------------------------------------
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = true
      leading_divider = "false"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time

    logging_device = {
      label = "$lang_stats.field_labels.logging_device"
      type = "flat"
      index = 0
      subindex = 0
    } # logging_device

    service = {
      label = "$lang_stats.field_labels.service"
      type = "flat"
      index = 0
      subindex = 0
    } # service

    # Populated from the "duration=" listed field; the parse filter strips its
    # trailing unit character before the value is stored.
    duration = {
      label = "$lang_stats.field_labels.duration"
      type = "flat"
      index = 0
      subindex = 0
    } # duration

    authentication_result = {
      label = "$lang_stats.field_labels.authentication_result"
      type = "flat"
      index = 0
      subindex = 0
    } # authentication_result

    id = {
      label = "$lang_stats.field_labels.id"
      type = "flat"
      index = 0
      subindex = 0
    } # id

    sent = {
      label = "$lang_stats.field_labels.sent"
      type = "flat"
      index = 0
      subindex = 0
    } # sent

    received = {
      label = "$lang_stats.field_labels.received"
      type = "flat"
      index = 0
      subindex = 0
    } # received

    bytes = {
      label = "$lang_stats.field_labels.bytes"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # bytes

    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # source_interface

    # "host" type so Sawmill can apply its hostname/IP handling to the source
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # source_ip

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port

    source_name = {
      label = "$lang_stats.field_labels.source_name"
      type = "flat"
      index = 0
      subindex = 0
    } # source_name

    server_source = {
      label = "$lang_stats.field_labels.server_source"
      type = "flat"
      index = 0
      subindex = 0
    } # server_source

    server_source_port = {
      label = "$lang_stats.field_labels.server_source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # server_source_port

    destination_interface = {
      label = "$lang_stats.field_labels.destination_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_interface

    # Declared "flat" (unlike source_ip, which is "host") -- kept as-is
    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_ip

    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port

    destination_name = {
      label = "$lang_stats.field_labels.destination_name"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_name

    client_destination = {
      label = "$lang_stats.field_labels.client_destination"
      type = "flat"
      index = 0
      subindex = 0
    } # client_destination

    # Filled from the "Argument"/"Target" listed field (see parse filter);
    # "page" type with "/?" dividers gives the usual URL hierarchy in reports.
    url = {
      label = "$lang_stats.field_labels.url"
      type = "page"
      index = 0
      subindex = 0
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "false"
    } # url

    result = {
      label = "$lang_stats.field_labels.result"
      type = "flat"
      index = 0
      subindex = 0
    } # result

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol

    rule_id = {
      label = "$lang_stats.field_labels.rule_id"
      type = "flat"
      index = 0
      subindex = 0
    } # rule_id

    # Severity word captured by the parse regex (e.g. INFORMATIONAL/NOTICE/WARNING)
    message_type = {
      label = "$lang_stats.field_labels.message_type"
      type = "flat"
      index = 0
      subindex = 0
    } # message_type

    message = {
      label = "$lang_stats.field_labels.message"
      type = "flat"
      index = 0
      subindex = 0
    } # message

    operation = {
      label = "$lang_stats.field_labels.operation"
      type = "flat"
      index = 0
      subindex = 0
    } # operation

    status = {
      label = "$lang_stats.field_labels.status"
      type = "flat"
      index = 0
      subindex = 0
    } # status

    state = {
      label = "$lang_stats.field_labels.state"
      type = "flat"
      index = 0
      subindex = 0
    } # state

    rule = {
      label = "$lang_stats.field_labels.rule"
      type = "flat"
      index = 0
      subindex = 0
    } # rule

    pid = {
      label = "$lang_stats.field_labels.pid"
      type = "flat"
      index = 0
      subindex = 0
    } # pid

    notes = {
      label = "$lang_stats.field_labels.notes"
      type = "flat"
      index = 0
      subindex = 0
    } # notes

    adapter = {
      label = "$lang_stats.field_labels.adapter"
      type = "flat"
      index = 0
      subindex = 0
    } # adapter

    alert_destination_mac_addr = {
      label = "$lang_stats.field_labels.alert_destination_mac_addr"
      type = "flat"
      index = 0
      subindex = 0
    } # alert_destination_mac_addr

    alert_source_mac_addr = {
      label = "$lang_stats.field_labels.alert_source_mac_addr"
      type = "flat"
      index = 0
      subindex = 0
    } # alert_source_mac_addr

    class = {
      label = "$lang_stats.field_labels.class"
      type = "flat"
      index = 0
      subindex = 0
    } # class

    consolidated_message = {
      label = "$lang_stats.field_labels.consolidated_message"
      type = "flat"
      index = 0
      subindex = 0
    } # consolidated_message

    count = {
      label = "$lang_stats.field_labels.count"
      type = "flat"
      index = 0
      subindex = 0
    } # count

    cve = {
      label = "$lang_stats.field_labels.cve"
      type = "flat"
      index = 0
      subindex = 0
    } # cve

    end_time = {
      label = "$lang_stats.field_labels.end_time"
      type = "flat"
      index = 0
      subindex = 0
    } # end_time

    family = {
      label = "$lang_stats.field_labels.family"
      type = "flat"
      index = 0
      subindex = 0
    } # family

    flag = {
      label = "$lang_stats.field_labels.flag"
      type = "flat"
      index = 0
      subindex = 0
    } # flag

    flow_cookie = {
      label = "$lang_stats.field_labels.flow_cookie"
      type = "flat"
      index = 0
      subindex = 0
    } # flow_cookie

    host = {
      label = "$lang_stats.field_labels.host"
      type = "flat"
      index = 0
      subindex = 0
    } # host

    interface = {
      label = "$lang_stats.field_labels.interface"
      type = "flat"
      index = 0
      subindex = 0
    } # interface

    interface_id = {
      label = "$lang_stats.field_labels.interface_id"
      type = "flat"
      index = 0
      subindex = 0
    } # interface_id

    interval = {
      label = "$lang_stats.field_labels.interval"
      type = "flat"
      index = 0
      subindex = 0
    } # interval

    ip_code = {
      label = "$lang_stats.field_labels.ip_code"
      type = "flat"
      index = 0
      subindex = 0
    } # ip_code

    ip_protocol = {
      label = "$lang_stats.field_labels.ip_protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # ip_protocol

    level = {
      label = "$lang_stats.field_labels.level"
      type = "flat"
      index = 0
      subindex = 0
    } # level

    outcome = {
      label = "$lang_stats.field_labels.outcome"
      type = "flat"
      index = 0
      subindex = 0
    } # outcome

    packet = {
      label = "$lang_stats.field_labels.packet"
      type = "flat"
      index = 0
      subindex = 0
    } # packet

    payload_left_offset = {
      label = "$lang_stats.field_labels.payload_left_offset"
      type = "flat"
      index = 0
      subindex = 0
    } # payload_left_offset

    payload_right_offset = {
      label = "$lang_stats.field_labels.payload_right_offset"
      type = "flat"
      index = 0
      subindex = 0
    } # payload_right_offset

    policy_tag = {
      label = "$lang_stats.field_labels.policy_tag"
      type = "flat"
      index = 0
      subindex = 0
    } # policy_tag

    program_name = {
      label = "$lang_stats.field_labels.program_name"
      type = "flat"
      index = 0
      subindex = 0
    } # program_name

    reliability = {
      label = "$lang_stats.field_labels.reliability"
      type = "flat"
      index = 0
      subindex = 0
    } # reliability

    request = {
      label = "$lang_stats.field_labels.request"
      type = "flat"
      index = 0
      subindex = 0
    } # request

    resource = {
      label = "$lang_stats.field_labels.resource"
      type = "flat"
      index = 0
      subindex = 0
    } # resource

    response = {
      label = "$lang_stats.field_labels.response"
      type = "flat"
      index = 0
      subindex = 0
    } # response

    start_time = {
      label = "$lang_stats.field_labels.start_time"
      type = "flat"
      index = 0
      subindex = 0
    } # start_time

    string_value = {
      label = "$lang_stats.field_labels.string_value"
      type = "flat"
      index = 0
      subindex = 0
    } # string_value

    title = {
      label = "$lang_stats.field_labels.title"
      type = "flat"
      index = 0
      subindex = 0
    } # title

    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type

    vendor = {
      label = "$lang_stats.field_labels.vendor"
      type = "flat"
      index = 0
      subindex = 0
    } # vendor

    vlan_id = {
      label = "$lang_stats.field_labels.vlan_id"
      type = "flat"
      index = 0
      subindex = 0
    } # vlan_id

    # Literal label: there is no $lang_stats entry for this one
    month = {
      label = "month"
      type = "flat"
      index = 0
      subindex = 0
    } # month

    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user

    setting = {
      label = "$lang_stats.field_labels.setting"
      type = "flat"
      index = 0
      subindex = 0
    } # setting

    key = {
      label = "$lang_stats.field_labels.key"
      type = "flat"
      index = 0
      subindex = 0
    } # key

    revision = {
      label = "$lang_stats.field_labels.revision"
      type = "flat"
      index = 0
      subindex = 0
    } # revision

    domain = {
      label = "$lang_stats.field_labels.domain"
      type = "flat"
      index = 0
      subindex = 0
    } # domain

    client_port = {
      label = "$lang_stats.field_labels.client_port"
      type = "flat"
      index = 0
      subindex = 0
    } # client_port

    related_id = {
      label = "$lang_stats.field_labels.related_id"
      type = "flat"
      index = 0
      subindex = 0
    } # related_id

    server = {
      label = "$lang_stats.field_labels.server"
      type = "flat"
      index = 0
      subindex = 0
    } # server

    ip_address = {
      label = "$lang_stats.field_labels.ip_address"
      type = "flat"
      index = 0
      subindex = 0
    } # ip_address

    # Filled from the "Date" listed field (mapped in the parse filter)
    license_exp_date = {
      label = "$lang_stats.field_labels.license_exp_date"
      type = "flat"
      index = 0
      subindex = 0
    } # license_exp_date

    feature_id = {
      label = "$lang_stats.field_labels.feature_id"
      type = "flat"
      index = 0
      subindex = 0
    } # feature_id

    license_type = {
      label = "$lang_stats.field_labels.license_type"
      type = "flat"
      index = 0
      subindex = 0
    } # license_type

    product = {
      label = "$lang_stats.field_labels.product"
      type = "flat"
      index = 0
      subindex = 0
    } # product

    version = {
      label = "$lang_stats.field_labels.version"
      type = "flat"
      index = 0
      subindex = 0
    } # version

  } # log.fields

  # ---------------------------------------------------------------------------
  # Log parsing filters
  #
  # Two line layouts are recognised, both anchored with ^...$:
  #   1. "<Mon dd, yyyy> <hh:mm:ss>.<frac> <device> <service> [<n>] <n> <SEVERITY>: <message> <rest>"
  #      (the bracketed/plain number after the service is group 6 and is not stored)
  #   2. "<Mon dd, yyyy> <hh:mm:ss>.<frac> <device> <service> <n> <SEVERITY> <n> <message> <rest>"
  # In both, <rest> is handed to collect_listed_fields(); when it looks like
  # "name value name value" it is split on spaces, when it looks like
  # "name=value, name=value" it is split on ", " and "=". The name->field
  # mapping renames the device's "Argument"/"Target" to url and "Date" to
  # license_exp_date; every other name must match a log.fields entry.
  #
  # Because <rest> is split by the filter, the field NAMES as well as the
  # values come straight from the log line. Nothing here validates them beyond
  # the regexes above; any escaping needed for report rendering is assumed to
  # be done downstream by Sawmill -- confirm before relying on it.
  #
  # NOTE(review): the first regex writes the decimal-point escape as "\\\\."
  # while the second writes "\." inside the same double-quoted value; one of
  # the two may be interpreted differently by the config/Salang string
  # unescaping -- confirm against a sample line of each layout.
  # NOTE(review): the space-separated branch maps "Argument" to url in layout 1
  # but "Target" to url in layout 2, whereas the key=value branch maps
  # "Argument" in both. Presumably intentional (different message families);
  # confirm.
  # ---------------------------------------------------------------------------
  log.parsing_filters = {

    parse = {
      label = "parse"
      comment = ""
      value = "
        if (matches_regular_expression(current_log_line(), '^()([A-Za-z]+ [0-9][0-9], [0-9]+)[ ]([0-9]+:[0-9]+:[0-9]+)\\\\.[0-9]+[ ]+([0-9.]+|[^ ]+) ([A-Za-z0-9 ]+)(\\\\[[0-9]+\\\\] | [0-9]+ )[0-9]+[ ]+([A-Z]+)[: ]+([^ ]+)[, ]* (.*)$')) then (
          v.key = $1;
          set_collected_field(v.key, 'date', $2);
          set_collected_field(v.key, 'time', $3);
          set_collected_field(v.key, 'logging_device', $4);
          set_collected_field(v.key, 'service', $5);
          set_collected_field(v.key, 'message_type', $7);
          set_collected_field(v.key, 'message', $8);
          v.listed_fields = $9;
          if (matches_regular_expression(v.listed_fields, '[A-Za-z0-9 ]+ [A-Za-z0-9 ]+')) then (
            collect_listed_fields(v.key, v.listed_fields, ' ', ' ', 'Argument=url|Date=license_exp_date')
          );
          else if (matches_regular_expression(v.listed_fields, '[A-Za-z0-9 ]+=[A-Za-z0-9 ]+')) then (
            collect_listed_fields(v.key, v.listed_fields, ', ', '=', 'Argument=url|Date=license_exp_date');
            if (get_collected_field(v.key, 'duration') ne '(empty)') then
              set_collected_field(v.key, 'duration', substr(get_collected_field(v.key, 'duration'), 0, length(get_collected_field(v.key, 'duration')) - 1));
          );
          accept_collected_entry(v.key, false);
        );
        else if (matches_regular_expression(current_log_line(), '^()([A-Za-z]+ [0-9][0-9], [0-9]+) ([0-9]+:[0-9]+:[0-9]+)\.[0-9]+ *([^ ]+) ([^ ]+) [0-9]+ ([A-Z]+) [0-9]+ ([^ ]+) (.*)$')) then (
          v.key = $1;
          set_collected_field(v.key, 'date', $2);
          set_collected_field(v.key, 'time', $3);
          set_collected_field(v.key, 'logging_device', $4);
          set_collected_field(v.key, 'service', $5);
          set_collected_field(v.key, 'message_type', $6);
          set_collected_field(v.key, 'message', $7);
          v.listed_fields = $8;
          if (matches_regular_expression(v.listed_fields, '[A-Za-z0-9 ]+ [A-Za-z0-9 ]+')) then (
            collect_listed_fields(v.key, v.listed_fields, ' ', ' ', 'Target=url|Date=license_exp_date')
          );
          else if (matches_regular_expression(v.listed_fields, '[A-Za-z0-9 ]+=[A-Za-z0-9 ]+')) then (
            collect_listed_fields(v.key, v.listed_fields, ', ', '=', 'Argument=url|Date=license_exp_date');
            if (get_collected_field(v.key, 'duration') ne '(empty)') then
              set_collected_field(v.key, 'duration', substr(get_collected_field(v.key, 'duration'), 0, length(get_collected_field(v.key, 'duration')) - 1));
          );
          accept_collected_entry(v.key, false);
        );
      "
    } # parse

  } # log.parsing_filters

  # ---------------------------------------------------------------------------
  # Database fields
  #
  # One report-able string column per log field that should appear in reports.
  # date_time / day_of_week / hour_of_day are derived from the date and time
  # log fields; every other entry maps 1:1 onto a log.fields entry by name.
  # ---------------------------------------------------------------------------
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    logging_device = {
      label = "$lang_stats.field_labels.logging_device"
      log_field = "logging_device"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logging_device

    service = {
      label = "$lang_stats.field_labels.service"
      log_field = "service"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # service

    message_type = {
      label = "$lang_stats.field_labels.message_type"
      log_field = "message_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message_type

    message = {
      label = "$lang_stats.field_labels.message"
      log_field = "message"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # message

    url = {
      label = "$lang_stats.field_labels.url"
      log_field = "url"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # url

    # No "file_type" entry exists in log.fields; presumably Sawmill derives it
    # from the "page"-type url field -- confirm.
    file_type = {
      label = "$lang_stats.field_labels.file_type"
      log_field = "file_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # file_type

    client_destination = {
      label = "$lang_stats.field_labels.client_destination"
      log_field = "client_destination"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # client_destination

    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip

    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port

    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port

    source_name = {
      label = "$lang_stats.field_labels.source_name"
      log_field = "source_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_name

    destination_name = {
      label = "$lang_stats.field_labels.destination_name"
      log_field = "destination_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_name

    source_interface = {
      label = "$lang_stats.field_labels.source_interface"
      log_field = "source_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_interface

    destination_interface = {
      label = "$lang_stats.field_labels.destination_interface"
      log_field = "destination_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_interface

    server_source = {
      label = "$lang_stats.field_labels.server_source"
      log_field = "server_source"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server_source

    server_source_port = {
      label = "$lang_stats.field_labels.server_source_port"
      log_field = "server_source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server_source_port

    result = {
      label = "$lang_stats.field_labels.result"
      log_field = "result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # result

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol

    rule_id = {
      label = "$lang_stats.field_labels.rule_id"
      log_field = "rule_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule_id

    authentication_result = {
      label = "$lang_stats.field_labels.authentication_result"
      log_field = "authentication_result"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # authentication_result

    id = {
      label = "$lang_stats.field_labels.id"
      log_field = "id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # id

    operation = {
      label = "$lang_stats.field_labels.operation"
      log_field = "operation"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # operation

    status = {
      label = "$lang_stats.field_labels.status"
      log_field = "status"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # status

    state = {
      label = "$lang_stats.field_labels.state"
      log_field = "state"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # state

    rule = {
      label = "$lang_stats.field_labels.rule"
      log_field = "rule"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule

    pid = {
      label = "$lang_stats.field_labels.pid"
      log_field = "pid"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # pid

    notes = {
      label = "$lang_stats.field_labels.notes"
      log_field = "notes"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # notes

    adapter = {
      label = "$lang_stats.field_labels.adapter"
      log_field = "adapter"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # adapter

    alert_destination_mac_addr = {
      label = "$lang_stats.field_labels.alert_destination_mac_addr"
      log_field = "alert_destination_mac_addr"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # alert_destination_mac_addr

    alert_source_mac_addr = {
      label = "$lang_stats.field_labels.alert_source_mac_addr"
      log_field = "alert_source_mac_addr"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # alert_source_mac_addr

    class = {
      label = "$lang_stats.field_labels.class"
      log_field = "class"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # class

    consolidated_message = {
      label = "$lang_stats.field_labels.consolidated_message"
      log_field = "consolidated_message"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # consolidated_message

    count = {
      label = "$lang_stats.field_labels.count"
      log_field = "count"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # count

    cve = {
      label = "$lang_stats.field_labels.cve"
      log_field = "cve"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # cve

    family = {
      label = "$lang_stats.field_labels.family"
      log_field = "family"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # family

    flag = {
      label = "$lang_stats.field_labels.flag"
      log_field = "flag"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # flag

    flow_cookie = {
      label = "$lang_stats.field_labels.flow_cookie"
      log_field = "flow_cookie"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # flow_cookie

    host = {
      label = "$lang_stats.field_labels.host"
      log_field = "host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # host

    interface = {
      label = "$lang_stats.field_labels.interface"
      log_field = "interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # interface

    interface_id = {
      label = "$lang_stats.field_labels.interface_id"
      log_field = "interface_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # interface_id

    interval = {
      label = "$lang_stats.field_labels.interval"
      log_field = "interval"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # interval

    ip_code = {
      label = "$lang_stats.field_labels.ip_code"
      log_field = "ip_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ip_code

    ip_protocol = {
      label = "$lang_stats.field_labels.ip_protocol"
      log_field = "ip_protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ip_protocol

    level = {
      label = "$lang_stats.field_labels.level"
      log_field = "level"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # level

    outcome = {
      label = "$lang_stats.field_labels.outcome"
      log_field = "outcome"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # outcome

    packet = {
      label = "$lang_stats.field_labels.packet"
      log_field = "packet"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # packet

    payload_left_offset = {
      label = "$lang_stats.field_labels.payload_left_offset"
      log_field = "payload_left_offset"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # payload_left_offset

    payload_right_offset = {
      label = "$lang_stats.field_labels.payload_right_offset"
      log_field = "payload_right_offset"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # payload_right_offset

    policy_tag = {
      label = "$lang_stats.field_labels.policy_tag"
      log_field = "policy_tag"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # policy_tag

    program_name = {
      label = "$lang_stats.field_labels.program_name"
      log_field = "program_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # program_name

    reliability = {
      label = "$lang_stats.field_labels.reliability"
      log_field = "reliability"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # reliability

    request = {
      label = "$lang_stats.field_labels.request"
      log_field = "request"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # request

    resource = {
      label = "$lang_stats.field_labels.resource"
      log_field = "resource"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # resource

    response = {
      label = "$lang_stats.field_labels.response"
      log_field = "response"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # response

    string_value = {
      label = "$lang_stats.field_labels.string_value"
      log_field = "string_value"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # string_value

    title = {
      label = "$lang_stats.field_labels.title"
      log_field = "title"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # title

    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type

    vendor = {
      label = "$lang_stats.field_labels.vendor"
      log_field = "vendor"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # vendor

    vlan_id = {
      label = "$lang_stats.field_labels.vlan_id"
      log_field = "vlan_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # vlan_id

    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user

    setting = {
      label = "$lang_stats.field_labels.setting"
      log_field = "setting"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # setting

    key = {
      label = "$lang_stats.field_labels.key"
      log_field = "key"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # key

    revision = {
      label = "$lang_stats.field_labels.revision"
      log_field = "revision"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # revision

    domain = {
      label = "$lang_stats.field_labels.domain"
      log_field = "domain"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain

    client_port = {
      label = "$lang_stats.field_labels.client_port"
      log_field = "client_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # client_port

    related_id = {
      label = "$lang_stats.field_labels.related_id"
      log_field = "related_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # related_id

    server = {
      label = "$lang_stats.field_labels.server"
      log_field = "server"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # server

    ip_address = {
      label = "$lang_stats.field_labels.ip_address"
      log_field = "ip_address"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ip_address

    license_exp_date = {
      label = "$lang_stats.field_labels.license_exp_date"
      log_field = "license_exp_date"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # license_exp_date

    license_type = {
      label = "$lang_stats.field_labels.license_type"
      log_field = "license_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # license_type

    product = {
      label = "$lang_stats.field_labels.product"
      log_field = "product"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # product

    version = {
      label = "$lang_stats.field_labels.version"
      log_field = "version"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # version

    feature_id = {
      label = "$lang_stats.field_labels.feature_id"
      log_field = "feature_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # feature_id

  } # database.fields

  # ---------------------------------------------------------------------------
  # Log filters (run after parsing, before the entry is stored)
  # ---------------------------------------------------------------------------
  log.filters = {

    # Cut the url down to its scheme+host (or its first path component when
    # there is no scheme) and mark it "(truncated)", so the database does not
    # fill with unique full URLs.
    simplify_url = {
      label = 'simplify_url'
      comment = 'simplify_url'
      value = `if (matches_regular_expression(url, '^(http://[^/]+)')) then url = $1 . '(truncated)'; else if(matches_regular_expression(url, '^([^/]+)')) then url = $1 . 
'(truncated)';`
    } # simplify_url

    # Blank the per-entry id so it does not become a high-cardinality column
    simplify_id = {
      label = 'simplify_id'
      comment = 'simplify_id'
      value = `id = ''`
    } # simplify_id

    # Every accepted line counts as one event
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  # NOTE(review): no "page_views" numerical field is defined below and
  # sessions are marked not_supported, so sessions_event_field looks unused;
  # kept as-is.
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "source_ip"
    sessions_event_field = "page_views"
  } # log.field_options

  # ---------------------------------------------------------------------------
  # Numerical (aggregated) database fields
  # ---------------------------------------------------------------------------
  database.numerical_fields = {

    # Entry counter set by the mark_entry filter; on by default
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events

    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent

    received = {
      label = "$lang_stats.field_labels.received"
      default = false
      requires_log_field = true
      log_field = "received"
      type = "float"
      display_format_type = "bandwidth"
    } # received

    bytes = {
      label = "$lang_stats.field_labels.bytes"
      default = false
      requires_log_field = true
      log_field = "bytes"
      type = "float"
      display_format_type = "bandwidth"
    } # bytes

    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = true
      log_field = "duration"
      type = "float"
      display_format_type = "duration_compact"
    } # duration

  } # database.numerical_fields

  # ---------------------------------------------------------------------------
  # Profile-wizard defaults: which reports exist and how they are grouped in
  # the report menu
  # ---------------------------------------------------------------------------
  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true

    report_groups = {
      date_time_group = ""
      hour_of_day = true
      day_of_week = true
      logging_device = true
      message_type = true
      message = true
      notes = true
      consolidated_message = true
      adapter = true
      operation = true
      protocol = true
      status = true
      state = true
      rule = true
      rule_id = true
      authentication_result = true
      license_type = true
      license_exp_date = true
      feature_id = true
      product = true
      version = true

      source_group = {
        source_ip = true
        source_port = true
        source_name = true
        source_interface = true
        user = true
        client_port = true
        ip_address = true
      } # source_group

      content_group = {
        url = true
        file_type = true
      } # content_group

      destination_group = {
        destination_ip = true
        destination_port = true
        destination_name = true
        destination_interface = true
        client_destination = true
      } # destination_group

      server_group = {
        server_source = true
        server_source_port = true
        server = true
        domain = true
        service = true
      } # server_group

      other_group = {
        id = true
        result = true
        pid = true
        alert_destination_mac_addr = true
        alert_source_mac_addr = true
        class = true
        count = true
        cve = true
        family = true
        flag = true
        flow_cookie = true
        host = true
        interface = true
        interface_id = true
        interval = true
        ip_code = true
        ip_protocol = true
        level = true
        outcome = true
        packet = true
        payload_left_offset = true
        payload_right_offset = true
        policy_tag = true
        program_name = true
        reliability = true
        request = true
        resource = true
        response = true
        string_value = true
        title = true
        type = true
        vendor = true
        vlan_id = true
        setting = true
        key = true
        revision = true
        related_id = true
      } # other_group

    } # report_groups

  } # create_profile_wizard_options

  # Session/visitor reports are not meaningful for this firewall log
  not_supported = {
    sessions = true
    pageviews = true
    visitors = true
  } # not_supported

} # symantec_gateway_security