-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathOpenVPNCustom_ext.xml
24 lines (24 loc) · 2.49 KB
/
OpenVPNCustom_ext.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<ns2:device-extension xmlns:ns2="event_parsing/device_extension">
<pattern type="JavaPattern" id="DestinationIp-Pattern-1">IPv4=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</pattern>
<pattern type="JavaPattern" id="EventCategory-Pattern-1">(openvpn)(\:\s|\[\d+\]\:\s)</pattern>
<pattern type="JavaPattern" id="EventName-Pattern-1">(?:openvpn|openvpn\[\d+\])\:\s(?:(?:\w+\/|)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\s\[.*?\]|\sread|)\s|\S+\s'\w+'\s|)(.*?)(?:\s\(|\s\w+\s\[|\s\w+\s\'.*?\'|\,|\.\s|$|(?:|\:)\s\w+=|\.$)</pattern>
<pattern type="JavaPattern" id="DeviceTime-Pattern-1">(\w+)\s+(\d+)\s+([\d:]+)\s</pattern>
<pattern type="JavaPattern" id="SourceIp-Pattern-1">[\s|\/|\:](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[\s|\/|\:]</pattern>
<pattern type="JavaPattern" id="SourcePort-Pattern-1">\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)</pattern>
<pattern type="JavaPattern" id="UserName-Pattern-1">openvpn\[\d+\]\:\s(\w+)\/</pattern>
<pattern type="JavaPattern" id="UserName-Pattern-2">openvpn\:\suser\s'(\w+)'</pattern>
<pattern type="JavaPattern" id="UserName-Pattern-3">openvpn\[\d+\]\:\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\[(\w+)\]</pattern>
<pattern type="JavaPattern" id="AllEvents">(.*?)</pattern>
<match-group device-type-id-override="4003" order="1">
<matcher order="1" enable-substitutions="true" capture-group="\1" pattern-id="DestinationIp-Pattern-1" field="DestinationIp" />
<matcher order="1" enable-substitutions="true" capture-group="\1" pattern-id="EventCategory-Pattern-1" field="EventCategory" />
<matcher order="1" enable-substitutions="true" capture-group="\1" pattern-id="EventName-Pattern-1" field="EventName" />
<matcher ext-data="yyyy-MMM-dd hh:mm:ss" order="1" enable-substitutions="true" capture-group="2018-\1-\2 \3" pattern-id="DeviceTime-Pattern-1" field="DeviceTime" />
<matcher order="1" enable-substitutions="true" capture-group="\1" pattern-id="SourceIp-Pattern-1" field="SourceIp" />
<matcher order="1" capture-group="1" pattern-id="SourcePort-Pattern-1" field="SourcePort" />
<matcher order="1" enable-substitutions="true" capture-group="\1" pattern-id="UserName-Pattern-1" field="UserName" />
<matcher order="2" enable-substitutions="true" capture-group="\1" pattern-id="UserName-Pattern-2" field="UserName" />
<matcher order="3" enable-substitutions="true" capture-group="\1" pattern-id="UserName-Pattern-3" field="UserName" />
<event-match-multiple force-qidmap-lookup-on-fixup="true" send-identity="UseDSMResults" pattern-id="AllEvents" />
</match-group>
</ns2:device-extension>