############################################################################# # Copyright (c) 2018 Balabit # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 as published # by the Free Software Foundation, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # # As an additional exemption you are allowed to compile & link against the # OpenSSL libraries as published by the OpenSSL project. See the file # COPYING for details. # ############################################################################# # Example log message (expected to be received via flags(no-parse)) # <159>Dec 19 10:48:57 EST 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com block parser websense-parser(prefix(".websense.")) { channel { rewrite { # normal BSD timestamp, plus a timezone code. Remove the # timezone information for now. subst('([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2}) [A-Z]{3,4}' "$1 " value("MSG")); # add a $PROGRAM field, so that syslog-parser() would extract # that properly subst('(vendor=Websense)' "Websense: $1" value("MSG")); }; parser { # by this time this message is a properly formatted syslog # message syslog-parser(); # extract name-value pairs. kv-parser(prefix("`prefix`")); }; }; }; application websense[syslog-raw] { filter { message("vendor=Websense" type(string) flags(substring)); }; parser { websense-parser(); }; };