forked from breakandinspect/graylog
-
Notifications
You must be signed in to change notification settings - Fork 0
/
GRAYLOG_Untangle-v13_Extractors.json
271 lines (271 loc) · 20.7 KB
/
GRAYLOG_Untangle-v13_Extractors.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
{
"extractors": [
{
"title": "com.untangle.app.firewall.FirewallEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"flagged\\\":%{DATA:junk},\\\"blocked\\\":%{DATA:junk},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"ruleId\\\":%{DATA:policyrule},\\\"class\\\":\\\"%{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "class com.untangle.app.firewall.FirewallEvent"
},
{
"title": "com.untangle.uvm.HostTableEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"address\\\":\\\"/%{IPV4:sip}\\\",\\\"oldValue\\\":\\\"%{DATA:objectprevname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"value\\\":\\\"%{DATA:objectname}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"key\\\":\\\"%{DATA:process}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "class com.untangle.uvm.HostTableEvent"
},
{
"title": "com.untangle.uvm.logging.InterfaceStatEvent(2)",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"txRate\\\":%{DATA:bytesOut},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"rxRate\\\":%{DATA:bytesIn},\\\"class\\\":\\\"%{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.logging.InterfaceStatEvent"
},
{
"title": "com.untangle.uvm.logging.InterfaceStatEvent",
"extractor_type": "grok",
"converters": [],
"order": 8,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{HOSTNAME:sname} %{DATA:header} <%{DATA:session}> %{DATA:severity} %{DATA:tag}\\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"txRate\\\":%{DATA:bytesOut},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"tag\\\":\\\"%{DATA:tag}\\\",\\\"rxRate\\\":%{DATA:bytesIn},\\\"class\\\":\\\"class %{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:partitionTable}\\\"}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.logging.InterfaceStatEvent"
},
{
"title": "com.untangle.app.application_control_lite.ApplicationControlLiteEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"protocol\\\":\\\"%{DATA:protname}\\\",\\\"blocked\\\":%{DATA:junk},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.app.application_control_lite.ApplicationControlLiteEvent"
},
{
"title": "com.untangle.uvm.app.SessionMinuteEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"c2sBytes\\\":%{BASE10NUM:bytesIn},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"s2cBytes\\\":%{BASE10NUM:bytesOut},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.app.SessionMinuteEvent"
},
{
"title": "com.untangle.uvm.app.SessionStatsEvent(3)",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"s2pBytes\\\":%{BASE10NUM:bytesOut},\\\"p2sBytes\\\":%{BASE10NUM:bytesIn},\\\"endTime\\\":%{DATA:timeend},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"c2pBytes\\\":%{BASE10NUM:bytesIn},\\\"p2cBytes\\\":%{BASE10NUM:bytesOut},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "class com.untangle.uvm.app.SessionStatsEvent"
},
{
"title": "com.untangle.uvm.app.SessionEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{DATA:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{DATA:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:dport},\\\"policyRuleId\\\":%{DATA:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.app.SessionEvent"
},
{
"title": "com.untangle.uvm.app.SessionEvent(2)",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"entitled\\\":%{DATA:junk},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:dport},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"clientIntf\\\":%{DATA:dinterface},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{DATA:policy},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"localAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{DATA:sinterface}\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.app.SessionEvent"
},
{
"title": "com.untangle.uvm.app.SessionStatsEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"s2pBytes\\\":%{BASE10NUM:bytesIn},\\\"p2sBytes\\\":%{BASE10NUM:bytesOut},\\\"endTime\\\":%{DATA:duration},\\\"sessionId\\\":%{DATA:session},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"%{DATA:objectname}\\\":\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{DATA:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:dport},\\\"policyRuleId\\\":%{DATA:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"%{DATA:junk}\\\"},\\\"c2pBytes\\\":%{DATA:bytesOut},\\\"p2cBytes\\\":%{BASE10NUM:bytesIn},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "class com.untangle.uvm.app.SessionStatsEvent"
},
{
"title": "com.untangle.uvm.logging.SystemStatEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{%{GREEDYDATA:junk},\\\"class\\\":\\\"%{DATA:object}\\\",%{GREEDYDATA:junk},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",%{GREEDYDATA:junk}\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.logging.SystemStatEvent"
},
{
"title": "com.untangle.uvm.DeviceTableEntry",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"macAddress\\\":\\\"%{DATA:smac}\\\",\\\"oldValue\\\":\\\"%{DATA:junk}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"device\\\":\\{\\\"macAddress\\\":\\\"%{DATA:smac}\\\",\\\"macVendor\\\":\\\"%{DATA:junk}\\\",\\\"hostnameLastKnown\\\":\\\"%{HOSTNAME:sname}\\\",\\\"lastSessionTime\\\":%{DATA:session},\\\"interfaceId\\\":%{BASE10NUM:sinterface},\\\"httpUserAgent\\\":\\\"%{DATA:version}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"tags\\\":%{DATA:junk},\\\"tagsString\\\":\\\"%{DATA:junk}\\\"\\},\\\"value\\\":\\\"%{DATA:version}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"key\\\":\\\"%{DATA:objectname}\\\",\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.DeviceTableEntry"
},
{
"title": "requestUri (Truncated)",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"referer\\\":\\\"%{DATA:URL}\\\",\\\"method\\\":\\\"%{DATA:command}\\\",\\\"requestId\\\":%{DATA:session},\\\"domain\\\":\\\"%{DATA:domain}\\\",\\\"host\\\":\\\"%{DATA:dname}\\\",\\\"contentLength\\\":%{DATA:size},\\\"requestUri\\\":\\\"%{GREEDYDATA:URI}"
},
"condition_type": "string",
"condition_value": "requestUri"
},
{
"title": "com.untangle.app.http.HttpRequestEvent(2)",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"method\\\":\\\"%{DATA:command}\\\",\\\"requestId\\\":%{DATA:session},\\\"domain\\\":\\\"%{DATA:domain}\\\",\\\"host\\\":\\\"%{DATA:URL}\\\",\\\"contentLength\\\":%{DATA:size},\\\"requestUri\\\":\\\"%{DATA:URI}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:junk}\\,\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"%{GREEDYDATA:payload}"
},
"condition_type": "string",
"condition_value": "com.untangle.app.http.HttpRequestEvent"
},
{
"title": "com.untangle.app.intrusion_prevention.IntrusionPreventionLogEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"msg\\\":\\\"%{DATA:object}\\\",\\\"ipDestination\\\":\\\"\\/%{IPV4:dip}\\\",\\\"classtype\\\":\\\"%{DATA:objectname}\\\",\\\"signatureId\\\":%{DATA:policy},\\\"sportItype\\\":%{BASE10NUM:sport},\\\"mplsLabel\\\":%{DATA:junk},\\\"eventMicrosecond\\\":%{DATA:duration},\\\"sensorId\\\":%{DATA:junk},\\\"priorityId\\\":%{BASE10NUM:policyId},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"generatorId\\\":%{DATA:junk},\\\"protocol\\\":%{DATA:protnum},\\\"blocked\\\":%{DATA:junk},\\\"signatureRevision\\\":%{DATA:version},\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"dportIcode\\\":%{BASE10NUM:dport},\\\"eventId\\\":%{DATA:vmid},\\\"padding\\\":%{DATA:junk},\\\"impactFlag\\\":%{DATA:junk},\\\"vlanId\\\":%{DATA:junk},\\\"eventSecond\\\":%{DATA:timestart},\\\"impact\\\":%{DATA:junk},\\\"ipSource\\\":\\\"\\/%{IPV4:sip}\\\",\\\"eventType\\\":%{DATA:policyrule},\\\"classificationId\\\":%{DATA:junk},\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"category\\\":\\\"%{DATA:command}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.app.intrusion_prevention.IntrusionPreventionLogEvent"
},
{
"title": "com.untangle.uvm.app.SessionNatEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"SClientPort\\\":%{BASE10NUM:dnatport},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:junk}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{BASE10NUM:snatport},\\\"policyRuleId\\\":%{BASE10NUM:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dnatport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:dport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"\\\"\\},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.uvm.app.SessionNatEvent"
},
{
"title": "com.untangle.app.ad_blocker.cookies.CookieEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"identification\\\":\\\"%{DATA:URL}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"sessionEvent\\\":\\{\\\"entitled\\\":%{DATA:junk},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"hostname\\\":\\\"%{HOSTNAME:sname}\\\",\\\"CServerPort\\\":%{BASE10NUM:sport},\\\"protocol\\\":%{BASE10NUM:protnum},\\\"protocolName\\\":\\\"%{DATA:protname}\\\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"serverLatitude\\\":%{DATA:latitude},\\\"localAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"class\\\":\\\"%{DATA:junk}\\\",\\\"SServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"remoteAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"serverIntf\\\":%{BASE10NUM:sinterface},\\\"CClientAddr\\\":\\\"\\/%{IPV4:sip}\\\",\\\"serverCountry\\\":\\\"%{DATA:slocation}\\\",\\\"SClientAddr\\\":\\\"\\/%{IPV4:snatip}\\\",\\\"sessionId\\\":%{DATA:session},\\\"CClientPort\\\":%{DATA:dport},\\\"policyRuleId\\\":%{BASE10NUM:policyrule},\\\"clientCountry\\\":\\\"%{DATA:dlocation}\\\",\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"serverLongitude\\\":%{DATA:longitude},\\\"clientIntf\\\":%{BASE10NUM:dinterface},\\\"SClientPort\\\":%{BASE10NUM:dport},\\\"policyId\\\":%{BASE10NUM:policy},\\\"SServerPort\\\":%{BASE10NUM:sport},\\\"bypassed\\\":%{DATA:junk},\\\"CServerAddr\\\":\\\"\\/%{IPV4:dip}\\\",\\\"tagsString\\\":\\\"%{DATA:junk}\\\"\\},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.app.ad_blocker.cookies.CookieEvent"
},
{
"title": "com.untangle.app.http.HttpResponseEvent (Truncated)",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk} \\{\\\"timeStamp\\\":\\\"%{DATA:logstamp}\\\",\\\"contentLength\\\":%{BASE10NUM:size},\\\"requestLine\\\":\\\"%{DATA:command}\",\\\"tag\\\":\\\"%{DATA:junk}\\\",\\\"contentType\\\":\\\"%{DATA:objectname}\\\",\\\"class\\\":\\\"%{DATA:object}\\\",\\\"httpRequestEvent\\\":%{GREEDYDATA:payload}"
},
"condition_type": "string",
"condition_value": "class com.untangle.app.http.HttpResponseEvent"
},
{
"title": "com.untangle.app.openvpn.OpenVpnStatusEvent",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:severity} %{DATA:junk}: \\{\\\"address\\\":\\\"\\/%{IPV4:sip}\\\",\\\"clientName\\\":\\\"%{DATA:account}\\\",\\\"start\\\":\\\"%{DATA:timestart}\\\",\\\"bytesTxDelta\\\":%{BASE10NUM:bytesout},\\\"partitionTablePostfix\\\":\\\"%{DATA:junk}\\\",\\\"timeStamp\\\":\"%{DATA:logstamp}\",\\\"bytesRxTotal\\\":%{BASE10NUM:bytesin},\"port\":%{BASE10NUM:sport},\\\"bytesTxTotal\\\":%{BASE10NUM:size},\\\"poolAddress\\\":\\\"\\/%{IPV4:dip}\\\",\\\"end\\\":\\\"%{DATA:timestop}\",\\\"tag\\\":\\\"%{DATA:junk} \\\",\\\"bytesRxDelta\\\":%{BASE10NUM:rate},\\\"class\\\":\\\"class %{DATA:object}\\\"\\}"
},
"condition_type": "string",
"condition_value": "com.untangle.app.openvpn.OpenVpnStatusEvent"
}
],
"version": "2.3.1"
}