<!--
  CGFW Firewall Activity via syslog

  The parent decoder claims syslog events by program name. Every child decoder
  after it shares one name and one parent, and extracts a single key=value pair
  from the message into one field.

  NOTE(review): the element syntax (type="pcre2" on regex and program_name)
  looks like Wazuh decoder XML, and the same-name children presumably rely on
  its sibling-decoder behaviour so that all of them are applied to one event.
  Confirm with a sample event (for example in wazuh-logtest) that every field
  is populated, not only the first one that matches.

  NOTE(review), applies to all children:
  * The key literals (type=, user=, and so on) are not anchored to a delimiter,
    so the leftmost occurrence anywhere in the message is used, including one
    inside a longer key name or inside a free-text value. Check that a value
    which a remote party can influence cannot shadow a field used for alerting.
  * Most value classes include \s. That is only safe when fields are separated
    by a character outside the class; with space-separated fields the capture
    would run on into the next key name. Verify against the device's format.
-->

<!-- Parent: matches any program name that contains "/box_Firewall_Activity";
     the leading ^.* only permits an arbitrary prefix before the slash. -->
<decoder name="cgfw-firewall-activity">
  <type>syslog</type>
  <program_name type="pcre2">^.*\/box_Firewall_Activity</program_name>
</decoder>

<!-- Event type. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">type=([\w\s]+)</regex>
  <order>Type</order>
</decoder>

<!-- "proto=" feeds L4Protocol; the separate "protocol=" key further down feeds
     L7Protocol. "proto=" cannot match inside "protocol=" because the literal
     requires "=" directly after "proto". -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">proto=([\w\s]+)</regex>
  <order>L4Protocol</order>
</decoder>

<!-- Source side: interface, address, port, MAC. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">srcIF=([\w\s]+)</regex>
  <order>SourceInterface</order>
</decoder>

<!-- NOTE(review): the class accepts only digits and dots, so an IPv6 source
     address would leave srcip unset, and the pattern does not check that the
     value is a well-formed IPv4 address. The lower-case srcip, srcport, dstip
     and dstport names look like the engine's predefined fields; confirm. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">srcIP=([\d\.]+)</regex>
  <order>srcip</order>
</decoder>

<!-- NOTE(review): \s inside the class lets whitespace into the captured port;
     a port number is digits only, so \d+ is probably what was intended. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">srcPort=([\d\s]+)</regex>
  <order>srcport</order>
</decoder>

<!-- \d is redundant next to \w in this class; the pattern accepts any run of
     word characters and colons, not only a well-formed MAC address. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">srcMAC=([\w\d:]+)</regex>
  <order>SourceMAC</order>
</decoder>

<!-- Destination side: address, port, service, interface.
     Same digits-and-dots limitation as srcIP (no IPv6). -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">dstIP=([\d\.]+)</regex>
  <order>dstip</order>
</decoder>

<!-- NOTE(review): unlike srcPort this class also accepts letters and
     underscores; confirm whether the device ever logs a non-numeric value
     here, otherwise the two port patterns should agree. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">dstPort=([\w\s]+)</regex>
  <order>dstport</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">dstService=([\w\s]+)</regex>
  <order>DestinationService</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">dstIF=([\w\s]+)</regex>
  <order>DestinationInterface</order>
</decoder>

<!-- Name of the matching firewall rule. The capture stops at the first
     character that is not a word character, whitespace or hyphen, so a rule
     name containing a dot, slash or colon is recorded truncated. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">rule=([\w\s\-]+)</regex>
  <order>FirewallRule</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">info=([\w\s]+)</regex>
  <order>Info</order>
</decoder>

<!-- NAT addresses: digits and dots only, same limitation as srcIP/dstIP. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">srcNAT=([\d\.]+)</regex>
  <order>SourceNAT</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">dstNAT=([\d\.]+)</regex>
  <order>DestinationNAT</order>
</decoder>

<!-- Session counters: each captures an unsigned run of digits. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">duration=([\d]+)</regex>
  <order>Duration</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">count=([\d]+)</regex>
  <order>Count</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">receivedBytes=([\d]+)</regex>
  <order>ReceivedBytes</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">sentBytes=([\d]+)</regex>
  <order>SentBytes</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">receivedPackets=([\d]+)</regex>
  <order>ReceivedPackets</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">sentPackets=([\d]+)</regex>
  <order>SentPackets</order>
</decoder>

<!-- NOTE(review): the capture stops at the first character outside \w and \s,
     so a name containing "@", a backslash, a dot or a hyphen (for example a
     domain-qualified account) is recorded truncated. Rules that match on User
     should be tested with the account formats actually in use. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">user=([\w\s]+)</regex>
  <order>User</order>
</decoder>

<!-- Application-layer details. The same truncation applies to every field
     below: anything past the first non-word, non-space character is dropped. -->
<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">protocol=([\w\s]+)</regex>
  <order>L7Protocol</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">application=([\w\s]+)</regex>
  <order>Application</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">target=([\w\s]+)</regex>
  <order>Target</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">content=([\w\s]+)</regex>
  <order>Content</order>
</decoder>

<decoder name="cgfw-firewall-activity-fields">
  <parent>cgfw-firewall-activity</parent>
  <regex type="pcre2">urlcat=([\w\s]+)</regex>
  <order>URLCategory</order>
</decoder>