#! @PERL@ -w # vim:syntax=perl use strict; use lib '@LR_PERL5LIBDIR@'; use Lire::DlfSchema; use Lire::Program qw( :msg :dlf ); use Lire::WELF; init_dlf_converter( "proxy" ); my $schema = Lire::DlfSchema::load_schema( "proxy" ); my $dlf_maker = $schema->make_hashref2asciidlf_func( qw/time client_ip client_host user duration cache_result req_result protocol dst_ip dst_host dst_port operation requested_url bytes rule useragent cat_site cat_page catlevel_site catlevel_page /); my $lines = 0; my $dlflines = 0; my $errorlines = 0; my $parser = new Lire::WELF; while (<>) { lire_chomp(); $lines++; # Skip empty lines next if /^\s*$/; eval { my $welf = $parser->parse( $_ ); die "not a firewall WELF record: id=", $welf->{id}, "\n" unless $welf->{id} eq 'firewall'; # Skip messages without proto, src, dst return unless defined $welf->{proto} && defined $welf->{src} && $welf->{dst}; my %dlf = ( time => $welf->{time}, rule => $welf->{rule}, user => $welf->{user}, duration => $welf->{duration}, client_ip => $welf->{src}, client_host => $welf->{srcname} || $welf->{src}, dst_ip => $welf->{dst}, dst_host => $welf->{dstname} || $welf->{dst}, dst_port => $welf->{dst_port}, protocol => $welf->{proto}, operation => $welf->{op}, requested_url => $welf->{arg}, req_result => $welf->{result}, cache_result => $welf->{cache}, useragent => $welf->{agent}, # Category cat_action => $welf->{cat_action}, cat_site => $welf->{cat_site}, catlevel_site => $welf->{catlevel_site}, cat_page => $welf->{cat_page}, catlevel_page => $welf->{catlevel_page}, ); # Bytes should be computed from rcvd and sent if ( $welf->{rcvd} || $welf->{sent}) { $dlf{bytes} = 0; $dlf{bytes} += $welf->{rcvd} if $welf->{rcvd}; $dlf{bytes} += $welf->{sent} if $welf->{sent}; } my $dlf = $dlf_maker->( \%dlf ); print join( " ", @$dlf), "\n"; $dlflines++; }; if ($@) { lr_warn( $@ ); lr_notice( qq{cannot convert line $. "$_" to proxy dlf, skipping} ); $errorlines++; } } end_dlf_converter( $lines, $dlflines, $errorlines ); __END__ =pod =head1 NAME welf_proxy2dlf - convert logs in WebTrends Enhanced Log Format to proxy DLF =head1 SYNOPSIS B I =head1 DESCRIPTION B converts firewall logs in the WebTrends Enhanced Log Format into the proxy DLF. That format is defined at the following URL: http://www.netiq.com/partners/technology/welf.asp This converter also supports the SonicWall extensions. A list of firewall products that supports that format can be found at the following URL: http://www.netiq.com/products/fwr/compatible.asp =head1 EXAMPLES To process a log as produced by a WebTrends proxy: $ welf_proxy2dlf < welf-proxy.log welf_proxy2dlf will be rarely used on its own, but is more likely called by lr_log2report: $ lr_log2report welf_proxy < /var/log/welf-proxy.log =head1 IMPLEMENTATION NOTES Welf log files contains information about many applications: proxies, packet filters, IDS. IDS and packet filters information is handled by the firewall superservice, whereas the proxy information is handled by the proxy supersevice. This converter will only convert records with a proto, src and dst field. All other records are ignored (they won't be ignored by the firewall superservice). =head1 SEE ALSO Lire::WELF(3) welf2dlf(1) =head1 AUTHORS Francis J. Lacoste =head1 VERSION $Id: welf_proxy2dlf.in,v 1.8 2006/07/23 13:16:36 vanbaal Exp $ =head1 COPYRIGHT Copyright (C) 2001 Stichting LogReport Foundation LogReport@LogReport.org This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html. =cut # Local Variables: # mode: cperl # End: