%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /backups/router/usr/local/share/syslog-ng/include/scl/checkpoint/
Upload File :
Create Path :
Current File : //backups/router/usr/local/share/syslog-ng/include/scl/checkpoint/plugin.conf

#############################################################################
# Copyright (c) 2019 Balabit
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################

# CheckPoint Log Exporter
#
#   Documentation:
# 	https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323
#
#   Relevant Forum Topic:
#       https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-guide/td-p/9035

#
# sample message (from CheckPoint Log Exporter):
# "syslog" format
#   <134>1 2018-03-21 17:25:25 MDS-72 CheckPoint 13752 - [action:"Update"; flags:"150784"; ifdir:"inbound"; logid:"160571424"; loguid:"{0x5ab27965,0x0,0x5b20a8c0,0x7d5707b6}"; origin:"192.168.32.91"; originsicname:"CN=GW91,O=Domain2_Server..cuggd3"; sequencenum:"1"; time:"1521645925"; version:"5"; auth_method:"Machine Authentication (Active Directory)"; auth_status:"Successful Login"; authentication_trial:"this is a reauthentication for session 9a026bba"; client_name:"Active Directory Query"; client_version:"R80.10"; domain_name:"spec.mgmt"; endpoint_ip:"192.168.32.69"; identity_src:"AD Query"; identity_type:"machine"; product:"Identity Awareness"; snid:"9a026bba"; src:"192.168.32.69"; src_machine_group:"All Machines"; src_machine_name:"yonatanad";]
#   <134>1 2019-11-27T02:58:25Z ABDP-CPLOG01 CheckPoint 22103 - [action:"Accept"; flags:"18692"; ifdir:"inbound"; ifname:"bond1.734"; loguid:"{0x5ddde651,0x48,0xca96040a,0xc000001b}"; origin:"10.4.150.2"; time:"1574823505"; version:"1"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={12D7A082-42F0-B240-8103-29F2F6FF139C};mgmt=ABDP-MGT01;date=1573204576;policy_name=Cutover_Final_V3_20161031]"; dst:"124.156.190.9"; nat_addtnl_rulenum:"1"; nat_rulenum:"8"; origin_sic_name:"CN=ABDP-CPFW01,O=ABDP-CPMGT01..94r78q"; product:"VPN-1 & FireWall-1"; proto:"6"; rule:"8"; rule_name:"3G IP Pool Outgoing"; rule_uid:"{DF64DC15-BEDF-4246-8B71-A75E0991C5D9}"; s_port:"64442"; service:"80"; service_id:"http"; src:"10.7.79.7"; xlatedport:"0"; xlatedst:"0.0.0.0"; xlatesport:"49254"; xlatesrc:"202.1.50.67"; ]
# "Splunk" format
#   time=1557767758|hostname=r80test|product=Firewall|layer_name=Network|layer_uuid=c0264a80-1832-4fce-8a90-d0849dc4ba33|match_id=1|parent_rule=0|rule_action=Accept|rule_uid=4420bdc0-19f3-4a3e-8954-03b742cd3aee|action=Accept|ifdir=inbound|ifname=eth0|logid=0|loguid={0x5cd9a64e,0x0,0x5060a8c0,0xc0000001}|origin=192.168.96.80|originsicname=cn\=cp_mgmt,o\=r80test..ymydp2|sequencenum=1|time=1557767758|version=5|dst=192.168.96.80|inzone=Internal|outzone=Local|proto=6|s_port=63945|service=443|service_id=https|src=192.168.96.27|
#
# Currently missing: support for CEF, LEEF & Generic formats as I don't have
# samples.

# this is assumed to be used on a flags(no-parse) log as the RFC5424 format
# produced by checkpoint is utterly wrong.

block parser checkpoint-parser(prefix('.checkpoint.')) {
    channel {
        if {
            # syslog format, we should be handling escaped values properly
            filter { message("<" type(string) flags(prefix)); };
            if {
                parser {
                    csv-parser(columns("1", "2", "HOST", "PROGRAM", "PID", "MSGID", "MSG")
                               flags(greedy) delimiters(" ") null("-") dialect(escape-none));
                    date-parser(format("%Y-%m-%dT%H:%M:%S%z",
                                       "%Y-%m-%dT%H:%M:%S") template("$2"));
                };
            } else {
                parser {
                    csv-parser(columns("1", "2", "3", "HOST", "PROGRAM", "PID", "MSGID", "MSG")
                               flags(greedy) delimiters(" ") null("-") dialect(escape-none));
                    date-parser(format("%Y-%m-%d %H:%M:%S") template("$2 $3"));
                };
            };
            parser {
                kv-parser(prefix(`prefix`) value-separator(':') pair-separator(';'));
            };
            flags(final);
        } else {
            # splunk format, we are not handling value escaping properly, as
            # CheckPoint will transform characters in values this way:
            #    '|' -> ';'     -- not handled
            #    '=' -> '\='    -- handled properly
            parser { kv-parser(prefix(`prefix`) value-separator('|') pair-separator('=')); };
            flags(final);
        };
    };
};

application checkpoint[syslog-raw] {
    filter {
        # "syslog" format
        message("^(<[0-9]{1,3}>)1 .* CheckPoint ") or
        # "splunk" format
        message('^time=[0-9]+\|hostname=[a-zA-Z0-9-]+\|product=Firewall');
    };
    parser { checkpoint-parser(); };
};

Zerion Mini Shell 1.0