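;; plugin_id: 9666
;; type: detector
;;
;; Detector plugin definition (OSSIM/AlienVault-agent style, as far as the
;; syntax shows: each "[NN name]" rule is one regexp applied per log line,
;; and named groups (?P<name>...) are referenced as {$name} in the event
;; field assignments). Both ';' and '#' appear as full-line comments, as in
;; the original; no inline comments are used because this dialect keeps them
;; as part of the value.
;;
;; NOTE(review): the copy reviewed had every "(?P" group with its <name>
;; stripped (an invalid regexp, and {$name} could not resolve). Names were
;; restored from the {$name} references in the order the groups appear;
;; confirm against the upstream plugin file.

[DEFAULT]
plugin_id=9666

[config]
type=detector
enable=yes
source=log

# Option: have syslog write everything to one file and point location= at it.
# Add it to log rotation also.
# NOTE(review): "*.*" also captures auth/authpriv facilities, so that file
# must be root-owned and not world-readable (0640 or stricter), or use a
# dedicated log file such as the default below.
# echo "*.* /var/log/all.log" >> /etc/syslog.conf; killall -HUP syslogd
#location=/var/log/all.log
location=/var/log/WiKID.log
# create log file if it does not exist,
# otherwise stop processing this plugin
create_file=true
process=
start=no
stop=no
startup=
shutdown=

[translation]
_DEFAULT_=100
Access Denied=2
ERROR=4
WARNING=3

## rules

[01 WiKID - radius Access Denied]
# Sample line this rule is written against. Groups, in order of appearance:
#   date, src (syslog host), log_level, reply_message ("Access-Request(1)"),
#   network_client (RADIUS client address, port dropped), username.
#Jan 23 13:43:33 10.100.0.167 user: INFO log.DBSvrLogImpl [Session.19,write:44] <17> Access-Request(1) LEN=117 10.100.0.112:42334 Access-Request by ossim Failed: AccessRejectException: Access Denied
# The "Failed: AccessRejectException: Access Denied" tail is matched literally,
# so only rejected authentications produce an event. username and the client
# address are copied verbatim from the log line, i.e. they are data an
# unauthenticated peer can influence; treat userdata3/userdata4 accordingly
# downstream.
regexp="(?P<date>\S+\s+\d+\s+\d+:\d+:\d+)\s+(?P<src>\S+)\s+user:\s+(?P<log_level>\S+)(\s+\S+\s+\[.*\]\s+<\d+>\s)(?P<reply_message>\S+\(\d+\))(\s\S+=\d+\s)+(?P<network_client>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b):\d+(\sAccess\-Request\sby\s)(?P<username>\S+)\s(Failed:\sAccessRejectException:\sAccess\sDenied)"
event_type=event
date={normalize_date($date)}
# fixed SID: the [translation] table is not consulted by this rule
plugin_sid=2
src_ip={resolv($src)}
# NOTE(review): dst_ip is the RADIUS client that sent the request, not the
# WiKID server; kept as in the original, but the field naming is unusual.
dst_ip={resolv($network_client)}
userdata1={$log_level}
userdata2={$reply_message}
userdata3={$network_client}
userdata4={$username}

; Disabled catch-all rule, left commented out as in the original.
; NOTE(review): in the reviewed copy this rule had "ent_type" (typo for
; event_type), the sensor= line twice, and its group names stripped. Names
; referenced by {$name} below were restored; the third group's name was not
; recoverable, so it is left as an unnamed capture. Re-check before enabling.
;[10 syslog - datamining - all]
;#Mar 2 22:45:06 192.168.1.2 kernel: 03 1fd4b030 1fd4b040 0001800d(03) 00000000 00000000
;event_type=event
;regexp="^(?P<logline>(?P<date>\SYSLOG_DATE)\s+(?P<sensor>\S+)\s+(\S+)\s+(?P<logged_event>.*)$)"
;date={normalize_date($date)}
;plugin_sid=1
;sensor={resolv($sensor)}
;userdata1={md5sum($logline)}
;userdata2={$logline}
;userdata3={$logged_event}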