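# Rsyslog (legacy "$template" syntax) template that maps a NetScreen traffic-log
# message onto one INSERT into the Netscreen table.
#
# Each %msg:R,ERE,1,<nomatch>:<regex>--end% property pulls one key=value field out
# of the message with a POSIX ERE; the text between the ':' and '--end' is the
# pattern, and submatch 1 is what gets substituted.
#
# No-match policy, chosen per column type so a missing field never produces an
# unquoted empty token that would make the INSERT syntactically invalid:
#   BLANK -> empty string, used for the quoted text columns
#   ZERO  -> "0",         used for the unquoted numeric columns
#
# The trailing ",SQL" option tells rsyslog to SQL-escape every substituted
# property (quotes in particular). Message text is attacker-controlled, so this
# option is what keeps a crafted log line from breaking out of the quoted
# literals; do not drop it when editing the template.
#
# Pattern notes:
#   * IPv4 captures use "[.]" for the dot. A bare "." in an ERE matches any
#     character, so the original "[0-9]+.[0-9]+..." accepted non-addresses; the
#     bracket form is used instead of "\." so the pattern does not depend on how
#     the config parser treats backslashes.
#   * start_time uses "[^"]+" instead of the greedy ".+", so the capture stops
#     at the closing quote rather than running to the last quote in the message.
#   * "[^_]port=" deliberately matches the bare "port=" field and skips
#     "src_port=" / "dst_port=", which have their own columns.
$template Netscreen,"insert into Netscreen (ReceivedAt,DeviceReportedTime,Facility,Severity,Priority,FromHost,InfoUnitID,SyslogTag,Device_ID,Start_Time,Duration,Policy_ID,Service,Proto,Src_Zone,Dst_Zone,Action,Sent,Rcvd,Src_IP,Src_Port,Dst_IP,Dst_Port,Src_Xlated_IP,Port,Session_ID) values ('%timegenerated:::date-mysql%','%timereported:::date-mysql%',%syslogfacility%,%syslogseverity%,%syslogpriority%,'%fromhost-ip%',%iut%,'%syslogtag%','%msg:R,ERE,1,BLANK:device_id=([a-zA-Z0-9]+)--end%','%msg:R,ERE,1,BLANK:start_time="([^"]+)"--end%',%msg:R,ERE,1,ZERO:duration=([0-9]+)--end%,%msg:R,ERE,1,ZERO:policy_id=([0-9]+)--end%,'%msg:R,ERE,1,BLANK:service=([a-zA-Z0-9_]+)--end%',%msg:R,ERE,1,ZERO:proto=([0-9]+)--end%,'%msg:R,ERE,1,BLANK:src zone=([a-zA-Z0-9_]+)--end%','%msg:R,ERE,1,BLANK:dst zone=([a-zA-Z0-9_]+)--end%','%msg:R,ERE,1,BLANK:action=([a-zA-Z0-9_]+)--end%',%msg:R,ERE,1,ZERO:sent=([0-9]+)--end%,%msg:R,ERE,1,ZERO:rcvd=([0-9]+)--end%,'%msg:R,ERE,1,BLANK:src=([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)--end%',%msg:R,ERE,1,ZERO:src_port=([0-9]+)--end%,'%msg:R,ERE,1,BLANK:dst=([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)--end%',%msg:R,ERE,1,ZERO:dst_port=([0-9]+)--end%,'%msg:R,ERE,1,BLANK:src-xlated ip=([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)--end%',%msg:R,ERE,1,ZERO:[^_]port=([0-9]+)--end%,%msg:R,ERE,1,ZERO:session_id=([0-9]+)--end%)", SQL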
2010/04/27
Rsyslog Template for NetScreen Traffic