first commit

decoder.xml

@@ -0,0 +1,164 @@
+<!--
+  CGFW Firewall Activity via syslog
+-->
+<decoder name="cgfw-firewall-activity">
+  <type>syslog</type>
+  <program_name type="pcre2">^.*\/box_Firewall_Activity</program_name>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">type=([\w\s]+)</regex>
+  <order>Type</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">proto=([\w\s]+)</regex>
+  <order>L4Protocol</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcIF=([\w\s]+)</regex>
+  <order>SourceInterface</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcIP=([\d\.]+)</regex>
+  <order>SourceIP</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcPort=([\d\s]+)</regex>
+  <order>SourcePort</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcMAC=([\w\d:]+)</regex>
+  <order>SourceMAC</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstIP=([\d\.]+)</regex>
+  <order>DestinationIP</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstPort=([\w\s]+)</regex>
+  <order>DestinationPort</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstService=([\w\s]+)</regex>
+  <order>DestinationService</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstIF=([\w\s]+)</regex>
+  <order>DestinationInterface</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">rule=([\w\s\-]+)</regex>
+  <order>FirewallRule</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">info=([\w\s]+)</regex>
+  <order>Info</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcNAT=([\d\.]+)</regex>
+  <order>SourceNAT</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstNAT=([\d\.]+)</regex>
+  <order>DestinationNAT</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">duration=([\d]+)</regex>
+  <order>Duration</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">count=([\d]+)</regex>
+  <order>Count</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">receivedBytes=([\d]+)</regex>
+  <order>ReceivedBytes</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">sentBytes=([\d]+)</regex>
+  <order>SentBytes</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">receivedPackets=([\d]+)</regex>
+  <order>ReceivedPackets</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">sentPackets=([\d]+)</regex>
+  <order>SentPackets</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">user=([\w\s]+)</regex>
+  <order>User</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">protocol=([\w\s]+)</regex>
+  <order>L7Protocol</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">application=([\w\s]+)</regex>
+  <order>Application</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">target=([\w\s]+)</regex>
+  <order>Target</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">content=([\w\s]+)</regex>
+  <order>Content</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">urlcat=([\w\s]+)</regex>
+  <order>URLCategory</order>
+</decoder>
+