############################################################################# # Copyright (c) 2019 Balabit # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 as published # by the Free Software Foundation, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # # As an additional exemption you are allowed to compile & link against the # OpenSSL libraries as published by the OpenSSL project. See the file # COPYING for details. # ############################################################################# # sample message (from CheckPoint Log Exporter): # <134>1 2018-03-21 17:25:25 MDS-72 CheckPoint 13752 - [action:"Update"; flags:"150784"; ifdir:"inbound"; logid:"160571424"; loguid:"{0x5ab27965,0x0,0x5b20a8c0,0x7d5707b6}"; origin:"192.168.32.91"; originsicname:"CN=GW91,O=Domain2_Server..cuggd3"; sequencenum:"1"; time:"1521645925"; version:"5"; auth_method:"Machine Authentication (Active Directory)"; auth_status:"Successful Login"; authentication_trial:"this is a reauthentication for session 9a026bba"; client_name:"Active Directory Query"; client_version:"R80.10"; domain_name:"spec.mgmt"; endpoint_ip:"192.168.32.69"; identity_src:"AD Query"; identity_type:"machine"; product:"Identity Awareness"; snid:"9a026bba"; src:"192.168.32.69"; src_machine_group:"All Machines"; src_machine_name:"yonatanad";] # this is assumed to be used on a flags(no-parse) log as the RFC5424 format # produced by checkpoint is utterly wrong. block parser checkpoint-parser(prefix('.checkpoint.')) { csv-parser(columns("1", "2", "3", "HOST", "PROGRAM", "PID", "MSGID", "MSG") flags(greedy) delimiters(" ") null("-") dialect(escape-none)); date-parser(format("%Y-%m-%d %H:%M:%S") template("$2 $3")); kv-parser(prefix(`prefix`) value-separator(':') pair-separator(';')); }; application checkpoint[syslog-raw] { filter { match("^(<[0-9]{1,3}>)1 .*CheckPoint" value('MESSAGE')); }; parser { checkpoint-parser(); }; };