├── .gitignore ├── .gitmodules ├── LICENSE ├── README.md ├── deprecated ├── contrib │ ├── AWS-Install │ │ ├── README.md │ │ └── images │ │ │ ├── aws-instance-type.jpg │ │ │ └── volume.jpg │ ├── README.md │ ├── array2json.sh │ ├── collect-debug-logs │ ├── diskfree-alert-to-neo │ ├── docker_delete_orphaned_veth.sh │ ├── fio │ │ ├── fiotest │ │ └── tests │ │ │ ├── 4ktest.fio │ │ │ └── runtest-sample.sh │ ├── install-via-proxy.sh │ ├── iopstest.py │ ├── lzoffline.sh │ ├── makemeta │ │ ├── .gitignore │ │ ├── README.md │ │ ├── images │ │ │ └── user-tag-fields.jpg │ │ ├── makemeta │ │ ├── test.tsv │ │ └── tsv2meta │ ├── mkhosts.sh │ ├── neotags │ ├── offline-upgrades │ │ ├── README.md │ │ └── images │ │ │ ├── manual-method.jpg │ │ │ └── online-to-offline.jpg │ ├── tcpcap.sh │ ├── ubuntu-install-syslog-ng.sh │ ├── zfs-benchmark.sh │ ├── zfs_arc_summary.py │ └── zfs_healthcheck.sh ├── dashboards │ ├── README.md │ ├── deprecated │ │ ├── Cisco │ │ │ ├── README.md │ │ │ ├── dashboard-cisco-firewalls.json │ │ │ ├── dashboard-cisco-identity-services-engine-ise.json │ │ │ ├── dashboard-cisco-network-actionable.json │ │ │ ├── dashboard-cisco-network.json │ │ │ └── images │ │ │ │ ├── cisco-network-dashboard.png │ │ │ │ └── cisco-security-dashboard.png │ │ ├── FortiGate │ │ │ ├── README.md │ │ │ ├── dashboard-fortigate.yaml │ │ │ ├── fortigate-dashboard-sample.png │ │ │ └── makedash │ │ ├── General │ │ │ ├── README.md │ │ │ └── dashboard-sample.json │ │ ├── Linux │ │ │ ├── README.md │ │ │ ├── dashboard-dhcpd.json │ │ │ ├── dashboard-localhost-performance.json │ │ │ ├── images │ │ │ │ ├── dhcpd-screenshot.png │ │ │ │ └── ufw-dashboard.png │ │ │ └── ufw-linux-firewall.dashboard.json │ │ ├── Microsoft │ │ │ ├── README.md │ │ │ └── dashboard-microsoft-windows.json │ │ ├── Security │ │ │ ├── README.md │ │ │ ├── wannacry-dash.json │ │ │ └── watchguard-firewalls.json │ │ └── SonicWall │ │ │ ├── README.md │ │ │ ├── dashboard-sonicwall.yaml │ │ │ └── sonicwall-dashboard-sample.png │ └── 
logzilla_appstore.jpg ├── howtos │ └── Execute_Remote_Commands_on_a_Cisco_Device │ │ ├── .gitignore │ │ ├── dashboards │ │ └── LogZilla_Howto.yaml │ │ └── images │ │ ├── lab-design.jpg │ │ └── slack-cisco-interface-bounce.jpg ├── packages │ ├── Cisco │ │ ├── ASA │ │ │ ├── README.md │ │ │ ├── dashboards │ │ │ │ └── cisco-asa-buildup-teardown.dashboard.yaml │ │ │ └── rules.d │ │ │ │ └── 500-cisco-asa-connection-buildup-teardown.yaml │ │ ├── FirePower │ │ │ ├── README.md │ │ │ ├── dashboards │ │ │ │ ├── cisco-firepower-dashboard.yaml │ │ │ │ └── cisco-firepower-vpn-dashboard.yaml │ │ │ ├── images │ │ │ │ └── cisco-firepower-dashboard-sample.jpg │ │ │ ├── rules.d │ │ │ │ ├── 500-cisco-firepower.yaml │ │ │ │ ├── 501-firepower-portmap-dst.yaml │ │ │ │ └── 501-firepower-portmap-src.yaml │ │ │ └── syslog-ng │ │ │ │ └── custom.conf │ │ ├── ISE │ │ │ ├── README.md │ │ │ ├── dashboards │ │ │ │ └── cisco-ise-dashboard.yaml │ │ │ ├── images │ │ │ │ ├── cisco-ise-sample-dashboard.jpg │ │ │ │ └── cisco_ise_categories.jpg │ │ │ ├── rules.d │ │ │ │ └── 500-cisco-ise.yaml │ │ │ └── syslog-ng │ │ │ │ ├── 01-cise.conf │ │ │ │ └── custom.conf │ │ ├── Meraki │ │ │ ├── README.md │ │ │ ├── dashboards │ │ │ │ ├── Meraki_DHCP.yaml │ │ │ │ ├── Meraki_Flows.yaml │ │ │ │ ├── Meraki_General.yaml │ │ │ │ ├── Meraki_IDS.yaml │ │ │ │ ├── Meraki_URLs.yaml │ │ │ │ └── Meraki_VPN.yaml │ │ │ ├── images │ │ │ │ ├── Meraki-DHCP.jpg │ │ │ │ ├── Meraki-Flows.jpg │ │ │ │ ├── Meraki-URLs.jpg │ │ │ │ ├── Meraki-VPN.jpg │ │ │ │ ├── Meraki_General.jpg │ │ │ │ └── Meraki_IDS.jpg │ │ │ ├── rules.d │ │ │ │ ├── 101-meraki-ids-priorities.yaml │ │ │ │ ├── 101-meraki-ldap-users.yaml │ │ │ │ ├── 101-meraki-portmap-dst.yaml │ │ │ │ ├── 101-meraki-portmap-src.yaml │ │ │ │ ├── 101-meraki-protocol-numbers.yaml │ │ │ │ └── 101-meraki.yaml │ │ │ └── syslog-ng │ │ │ │ └── remove-ldap-spaces.conf │ │ └── Wireless │ │ │ ├── 003-cisco-wireless.yaml │ │ │ ├── README.md │ │ │ ├── dashboard-cisco-wireless.yaml │ │ │ └── images │ │ 
│ └── cisco-wlc-dashboard.jpg │ ├── FortiGate │ │ ├── 700-fortigate.yaml │ │ ├── 701-fortigate-src-dst-ip.yaml │ │ ├── 702-fortigate-normalize.yaml │ │ ├── 703-fortigate-portmap-dst.yaml │ │ ├── 703-fortigate-portmap-src.yaml │ │ ├── README.md │ │ ├── fortigate-event-dashboard.yaml │ │ ├── fortigate-traffic-dashboard.yaml │ │ ├── fortigate-utm-dashboard.yaml │ │ └── makerules.sh │ ├── InfoBlox │ │ ├── README.md │ │ ├── dashboards │ │ │ └── dashboard-infoblox-dns.yaml │ │ ├── images │ │ │ └── infoblox-dashboard.jpg │ │ └── rules.d │ │ │ └── 500-infoblox-dns-query-logging.yaml │ ├── PaloAlto │ │ ├── README.md │ │ ├── dashboards │ │ │ ├── palo-alto-threat.dashboard.yaml │ │ │ └── palo-alto-traffic.dashboard.yaml │ │ ├── images │ │ │ ├── pan-os-threat-dashboard.png │ │ │ └── pan-os-traffic-dashboard.png │ │ └── rules.d │ │ │ ├── .gitignore │ │ │ ├── 700-paloalto-threat.yaml │ │ │ └── 700-paloalto-traffic.yaml │ ├── README.md │ ├── WatchGuard │ │ ├── README.md │ │ ├── catalog │ │ │ ├── watchguard-cluster.tsv │ │ │ ├── watchguard-firewall.tsv │ │ │ ├── watchguard-mgmt.tsv │ │ │ ├── watchguard-mobile.tsv │ │ │ ├── watchguard-networking.tsv │ │ │ ├── watchguard-proxy.tsv │ │ │ ├── watchguard-security-services.tsv │ │ │ └── watchguard-vpn.tsv │ │ ├── dashboards │ │ │ ├── watchguard-firewall.json │ │ │ ├── watchguard-proxy.dashboard.json │ │ │ └── watchguard.dashboard.json │ │ ├── images │ │ │ ├── LogZilla-NEO-WatchGuard-Firewall-Dashboard.jpg │ │ │ ├── LogZilla-NEO-WatchGuard-Proxy-Dashboard.jpg │ │ │ └── focus3-596x335.jpg │ │ ├── rules.d │ │ │ ├── 500-watchguard-firewall.yaml │ │ │ └── 500-watchguard-proxy.yaml │ │ ├── samples │ │ │ └── sample-events.log │ │ └── scripts │ │ │ ├── makerules │ │ │ ├── replacerules │ │ │ └── tsv2NEO │ ├── Zeek │ │ ├── .gitignore │ │ ├── README.md │ │ ├── addrules_to_logzilla.sh │ │ ├── dashboards │ │ │ ├── Threat_Hunting.yaml │ │ │ ├── dashboard-bro_conn.yaml │ │ │ ├── dashboard-bro_dce_rpc.yaml │ │ │ ├── dashboard-bro_dhcp.yaml │ │ │ ├── 
dashboard-bro_dns.yaml │ │ │ ├── dashboard-bro_dpd.yaml │ │ │ ├── dashboard-bro_files.yaml │ │ │ ├── dashboard-bro_http.yaml │ │ │ ├── dashboard-bro_kerberos.yaml │ │ │ ├── dashboard-bro_notice.yaml │ │ │ ├── dashboard-bro_ntlm.yaml │ │ │ ├── dashboard-bro_ntp.yaml │ │ │ ├── dashboard-bro_sip.yaml │ │ │ ├── dashboard-bro_smb_files.yaml │ │ │ ├── dashboard-bro_smb_mapping.yaml │ │ │ ├── dashboard-bro_software.yaml │ │ │ ├── dashboard-bro_ssh.yaml │ │ │ ├── dashboard-bro_ssl.yaml │ │ │ ├── dashboard-bro_stats.yaml │ │ │ ├── dashboard-bro_syslog.yaml │ │ │ ├── dashboard-bro_weird.yaml │ │ │ ├── dashboard-bro_x509.yaml │ │ │ └── demo.yaml │ │ ├── fields.tsv │ │ ├── images │ │ │ ├── 1-source-ip-hunt.jpg │ │ │ ├── 1a-source-ip-hunt-with-exclusion-results.jpg │ │ │ ├── 1a-source-ip-hunt-with-exclusion.jpg │ │ │ ├── 2-dst-ip-hunt.jpg │ │ │ ├── 2-source-dst-pairs.jpg │ │ │ ├── 3-detect-services-edit-widget-2.jpg │ │ │ ├── 3-detect-services-edit-widget-filter-by-tag.jpg │ │ │ ├── 3-detect-services-edit-widget.jpg │ │ │ ├── 3-detect-services-filtered-nulls.jpg │ │ │ ├── 3-detect-services.jpg │ │ │ ├── 4-longest-durations.jpg │ │ │ ├── 5-dst-ports.jpg │ │ │ ├── 6-dns-c2.jpg │ │ │ └── Threat_Hunting_Dashboard.png │ │ ├── makerules.sh │ │ ├── notags.txt │ │ ├── rules.d │ │ │ ├── 400-bro_conn.yaml │ │ │ ├── 400-bro_dce_rpc.yaml │ │ │ ├── 400-bro_dhcp.yaml │ │ │ ├── 400-bro_dns.yaml │ │ │ ├── 400-bro_dpd.yaml │ │ │ ├── 400-bro_files.yaml │ │ │ ├── 400-bro_http.yaml │ │ │ ├── 400-bro_kerberos.yaml │ │ │ ├── 400-bro_notice.yaml │ │ │ ├── 400-bro_ntlm.yaml │ │ │ ├── 400-bro_ntp.yaml │ │ │ ├── 400-bro_sip.yaml │ │ │ ├── 400-bro_smb_files.yaml │ │ │ ├── 400-bro_smb_mapping.yaml │ │ │ ├── 400-bro_software.yaml │ │ │ ├── 400-bro_ssh.yaml │ │ │ ├── 400-bro_ssl.yaml │ │ │ ├── 400-bro_stats.yaml │ │ │ ├── 400-bro_syslog.yaml │ │ │ ├── 400-bro_weird.yaml │ │ │ └── 400-bro_x509.yaml │ │ ├── static │ │ │ ├── 399-zeek-rewrite-nulls.yaml │ │ │ ├── 401-zeek-portmap-dst.yaml │ │ │ ├── 
401-zeek-portmap-src.yaml │ │ │ ├── 402-threathunt.yaml │ │ │ └── 402-zeek-highports-dst.yaml │ │ └── syslog-ng │ │ │ └── zeek2logzilla.conf │ └── stolen-device-tracking │ │ ├── README.md │ │ ├── csv2meta.tgz │ │ └── csv2meta │ │ ├── devicelist2meta.sh │ │ ├── metaData.conf │ │ ├── metaData.csv │ │ ├── sourceIPs.txt │ │ └── stolen-device-list.csv ├── rules.d │ ├── README.md │ ├── deprecated │ │ ├── Apple │ │ │ ├── 600-apple-osx-by-host.yaml │ │ │ └── 600-apple-osx.yaml │ │ ├── Barracuda │ │ │ ├── 800-barracuda-web-application-firewall.json │ │ │ ├── 800-barracuda-web-security-gateway.json │ │ │ ├── README.md │ │ │ └── images │ │ │ │ └── web-security-gateway.jpg │ │ ├── BigIP │ │ │ └── 500-bigip.yaml.do_not_use │ │ ├── BlueCoat │ │ │ └── 800-bluecoat-proxy.json │ │ ├── CAS │ │ │ ├── 610-cas.yaml │ │ │ └── README.md │ │ ├── CEF │ │ │ └── 000-CEF-format.yaml │ │ ├── CISA │ │ │ ├── AA20-352A │ │ │ │ ├── 002-AA20-352A.yaml │ │ │ │ ├── makemeta │ │ │ │ └── meta.tsv │ │ │ └── README.md │ │ ├── Cisco │ │ │ ├── 002-cisco-acl.json │ │ │ ├── 002-cisco-macflap.json │ │ │ ├── 002-cisco-nac.json │ │ │ ├── 005-cisco-acl-deny.json │ │ │ ├── 005-cisco-nac.json │ │ │ ├── 098-cisco-message-cleanup.yaml │ │ │ ├── 500-cisco-asa-nat-pat.yaml │ │ │ ├── 500-cisco-asa-usertracking.yaml │ │ │ ├── 500-cisco-stealthwatch.json │ │ │ ├── 999-cisco-asa-random-ports.yaml │ │ │ ├── cisco-ise │ │ │ └── cisco-meraki.yaml │ │ ├── HP │ │ │ ├── 001-hp-aruba.json │ │ │ └── 001-hp-switch.json │ │ ├── IBM │ │ │ └── 000-IBM-LEEF.json │ │ ├── Java │ │ │ └── 300-log4j.yaml │ │ ├── Juniper │ │ │ └── 500-junos.yaml │ │ ├── Linux │ │ │ ├── 100-iptables.yaml │ │ │ ├── 600-pam_unix.yaml │ │ │ ├── 900-dhcpd-device-types.yaml │ │ │ ├── 900-dnsmasq.yaml │ │ │ └── 900-linux-procs.yaml │ │ ├── Microsoft │ │ │ ├── 100-MCAS-Microsoft-Cloud-App-Security.yaml │ │ │ ├── 599-LZ-Winagent.yaml │ │ │ ├── 600-Microsoft-ATP-Gateway.yaml │ │ │ ├── 601-lz-mswin-program.yaml │ │ │ ├── 602-Microsoft-Events.yaml │ │ │ ├── 
603-Microsoft-Event-Crits.yaml │ │ │ ├── 604-Microsoft-Compliance.yaml │ │ │ ├── 605-Microsoft-Categories.yaml │ │ │ └── 606-Microsoft-User-Tracking.yaml │ │ ├── Misc │ │ │ ├── 001-drop-useless.yaml │ │ │ ├── 002-baseboard-mgmt-controller.json │ │ │ ├── 002-extract-ips.yaml │ │ │ ├── 002-lz-tag-ip.json │ │ │ ├── 002-mac-tracker.json │ │ │ ├── 200-ldap-user-extract.yaml │ │ │ ├── 999-dtclean.yaml │ │ │ ├── 999-portmap-dst.yaml │ │ │ ├── 999-portmap-src.yaml │ │ │ ├── 999-protocol-numbers.yaml │ │ │ └── 999-rfc5424.yaml │ │ ├── Nginx │ │ │ └── 800-nginx.yaml │ │ ├── PaloAlto │ │ │ ├── README.md │ │ │ └── images │ │ │ │ ├── pan-os-threat-dashboard.jpg │ │ │ │ └── pan-os-traffic-dashboard.jpg │ │ ├── Polycom_VVX │ │ │ └── 599-Polycom_VVX.yaml │ │ ├── SonicWall │ │ │ ├── 500-sonicwall.yaml │ │ │ ├── 501-sonicwall-normalize.yaml │ │ │ └── README.md │ │ ├── Sungard │ │ │ ├── 999-sungard.yaml │ │ │ └── README.md │ │ ├── TrendMicro │ │ │ ├── 500-unityos.yaml │ │ │ ├── 501-unityos-dstports.yaml │ │ │ └── 501-unityos-srcports.yaml │ │ ├── Ubiquiti │ │ │ └── 099-unifi-udm-pro.yaml │ │ ├── VMWare │ │ │ ├── 800-vmware-esxi.yaml │ │ │ ├── 800-vmware-vcenter.yaml │ │ │ ├── 800-vmware-vshield.yaml │ │ │ ├── 800-vmware-workstation.yaml │ │ │ ├── 801-vmware-misc.yaml │ │ │ └── 802-vmware-useless.yaml │ │ ├── WatchGuard │ │ │ ├── 500-watchguard-firewall.json │ │ │ └── 500-watchguard-proxy.json │ │ └── Zeek │ │ │ └── README.md │ └── logzilla_appstore.jpg ├── scripts │ ├── README.md │ ├── cisco-duplex_mismatch-autorepair-slack │ │ ├── README.md │ │ └── duplex-mismatch │ ├── cisco-generic-slack │ │ └── cisco2slack.pl │ ├── cisco-interface-UpDown │ │ ├── README.md │ │ ├── cisco-intUpDown-to-slack │ │ └── slack_sample.png │ ├── cisco-trunkport-slack │ │ ├── README.md │ │ └── cisco-trunkport-slack │ ├── generic-slack │ │ ├── README.md │ │ └── lz2slack.pl │ └── generic-snmpTrap │ │ └── lz2snmp.pl ├── sec │ └── cisco │ │ └── cisco.sec ├── triggers │ ├── README.md │ ├── deprecated │ │ ├── 
Brocade │ │ │ ├── Brocade_Bad_Port.json │ │ │ ├── Brocade_Failed_Login_Alert.json │ │ │ └── Brocade_Login_Alert.json │ │ ├── Cisco │ │ │ ├── cisco-asic-module-error.trigger.json │ │ │ ├── cisco-asic-port-error.trigger.json │ │ │ ├── cisco-audit-logging.trigger.json │ │ │ ├── cisco-crypto-ike-message-failure.trigger.json │ │ │ ├── cisco-crypto-packet-failed-mac-verification.trigger.json │ │ │ ├── cisco-crypto-packet-security-association-missing.trigger.json │ │ │ ├── cisco-dtp-port-channel.trigger.json │ │ │ ├── cisco-duplex-mismatch.trigger.json │ │ │ ├── cisco-error-disabled-port-has-been-reenabled.trigger.json │ │ │ ├── cisco-hsrp-vip-does-not-match-the-standby-vip.trigger.json │ │ │ ├── cisco-interface-disabled-due-to-misconfiguration.trigger.json │ │ │ ├── cisco-ios-xr-bgp-max-prefix-exceeded.trigger.json │ │ │ ├── cisco-ios-xr-bgp-max-prefix-warning.trigger.json │ │ │ ├── cisco-ip-sec-error-packet-missing-from-sadb.trigger.json │ │ │ ├── cisco-most-actionable-events.trigger.json │ │ │ ├── cisco-non-ip-sec-encapsulated-crypto.trigger.json │ │ │ ├── cisco-ospf-hello-unidentified-sender.trigger.json │ │ │ ├── cisco-ospf-neighbor-change.trigger.json │ │ │ ├── cisco-ospf-process-received-an-invalid-packet.trigger.json │ │ │ ├── cisco-ospf-received-lsa-with-wrong-mask.trigger.json │ │ │ ├── cisco-spanning-tree-bpdu-received-from-another-bridge.trigger.json │ │ │ ├── cisco-spanning-tree-bpdu.trigger.json │ │ │ ├── cisco-spanning-tree-root-change.trigger.json │ │ │ └── cisco-unauthorized-connection-attempt-on-a-secure-port.trigger.json │ │ ├── Linux │ │ │ ├── SSH_Failed_Login_Attempts.json │ │ │ ├── SSH_Root_Login_Alert.json │ │ │ ├── SSH_Root_Session.json │ │ │ └── SSH_User_Login.json │ │ ├── Microsoft │ │ │ ├── windows-dns-server-zone-corruption.json │ │ │ ├── windows-file-added-modified-deleted.trigger.json │ │ │ ├── windows-new-firewall-rule-added.trigger.json │ │ │ ├── windows-new-network-connection-established.trigger.json │ │ │ ├── 
windows-new-registry-item-added.trigger.json │ │ │ ├── windows-new-scheduled-task-added.trigger.json │ │ │ ├── windows-new-service-installed.trigger.json │ │ │ ├── windows-powershell-execution.trigger.json │ │ │ ├── windows-process-started.trigger.json │ │ │ ├── windows-user-fileshare-accesses.trigger.json │ │ │ └── windows-user-logon.trigger.json │ │ ├── Security │ │ │ └── tor-node-ports.trigger.json │ │ └── Solaris │ │ │ ├── Solaris_Failed_User_Login.json │ │ │ ├── Solaris_Unknown_User_Login.json │ │ │ └── Solaris_User_Login.json │ └── logzilla_appstore.jpg └── webinars │ ├── LICENSE │ ├── README.md │ └── to-catch-a-thief │ ├── README.md │ ├── images │ ├── tcat-header.jpg │ └── tcat-slack.gif │ ├── neo │ ├── README.md │ ├── scripts │ │ ├── README.md │ │ └── getAP │ └── tsv2NEO │ │ ├── README.md │ │ ├── test.tsv │ │ └── tsv2NEO │ └── slack │ ├── neobot │ ├── README.md │ ├── neobot.service │ ├── package-lock.json │ ├── package.json │ └── server.js │ └── ngrok │ ├── ngrok.service │ └── ngrok.yml ├── howtos ├── .gitignore ├── README.md └── trigger-cisco-config │ ├── Dockerfile │ ├── README.md │ ├── compliance.py │ ├── compliance.yaml │ ├── compose.yml │ ├── requirements.txt │ └── script_server.yaml ├── winagent ├── LogZillaSyslogAgentManual.pdf ├── LogZilla_SyslogAgent_6.32.1.0.msi ├── README.md ├── doc │ └── gpo_deploy │ │ ├── group-policy-deployment.md │ │ └── images │ │ ├── gpo_install_1.png │ │ ├── gpo_install_2.png │ │ ├── gpo_install_3.png │ │ ├── gpo_install_4.png │ │ ├── gpo_install_5.png │ │ ├── gpo_install_6.png │ │ ├── gpo_install_7.png │ │ ├── gpo_install_8.png │ │ └── gpo_install_9.png └── images │ ├── agent_config.png │ └── appstore_add_app.png └── winagent_source ├── Documents ├── Documents.vcxitems ├── Documents.vcxitems.filters ├── LogZillaSyslogAgentManual.pdf ├── Manual.docx ├── Next-Gen LogZilla Architecture.svg ├── SyslogAgentConfig.png ├── SyslogAgentConfig.svg ├── SyslogAgentConfig_EditRegistry.png ├── SyslogAgentConfig_raw.png ├── 
SyslogAgentRegistry.png ├── appstore_add_app_edited.png ├── appstore_add_app_raw.png └── logzilla_registry_sample.reg ├── README.md ├── Release ├── EventLogInterface.dll ├── EventLogInterface.exp ├── EventLogInterface.lib └── EventLogInterface.pdb ├── SyslogAgent.sln ├── UpgradeLog.htm ├── UpgradeLog2.htm ├── UpgradeLog3.htm ├── UpgradeLog4.htm ├── UpgradeLog5.htm ├── UpgradeLog6.htm ├── build.cmd ├── build.proj ├── license.txt └── source ├── Agent ├── Agent.cpp ├── Agent.rc ├── Agent.vcxproj ├── Agent.vcxproj.filters ├── Agent.vcxproj.user ├── ArrayQueue.h ├── Bitmap.cpp ├── Bitmap.h ├── BitmappedObjectPool.h ├── ChannelEventHandlerBase.h ├── Configuration.cpp ├── Configuration.h ├── EventHandlerMessageQueuer.cpp ├── EventHandlerMessageQueuer.h ├── EventLogEvent.cpp ├── EventLogEvent.h ├── EventLogSubscription.cpp ├── EventLogSubscription.h ├── FileWatcher.cpp ├── FileWatcher.h ├── Globals.cpp ├── Globals.h ├── LogConfiguration.cpp ├── LogConfiguration.h ├── Logger.cpp ├── Logger.h ├── MSG00001.bin ├── MessageQueue.cpp ├── MessageQueue.h ├── NetworkClient.cpp ├── NetworkClient.h ├── OStreamBuf.h ├── Options.cpp ├── Options.h ├── PersistentConnections.cpp ├── PersistentConnections.h ├── README.md ├── RecordNumber.cpp ├── RecordNumber.h ├── Registry.cpp ├── Registry.h ├── Result.cpp ├── Result.h ├── Service.cpp ├── Service.h ├── SyslogAgentSharedConstants.h ├── SyslogSender.cpp ├── SyslogSender.h ├── Syslog_server.cpp ├── TLS.cpp ├── TLS.h ├── Util.cpp ├── Util.h ├── WindowsEvent.cpp ├── WindowsEvent.h ├── WindowsTimer.cpp ├── WindowsTimer.h ├── WinsockNetworkClient.cpp ├── WinsockNetworkClient.h ├── extra_dlls │ ├── libffi-6.dll │ ├── libgcc_s_seh-1.dll │ ├── libgmp-10.dll │ ├── libgnutls-30.dll │ ├── libhogweed-6.dll │ ├── libidn2-0.dll │ ├── libnettle-8.dll │ ├── libp11-kit-0.dll │ ├── libssp-0.dll │ └── libwinpthread-1.dll ├── include │ └── gnutls │ │ ├── abstract.h │ │ ├── compat.h │ │ ├── crypto.h │ │ ├── dtls.h │ │ ├── gnutls.h │ │ ├── gnutlsxx.h │ │ ├── 
ocsp.h │ │ ├── openpgp.h │ │ ├── pkcs11.h │ │ ├── pkcs12.h │ │ ├── pkcs7.h │ │ ├── self-test.h │ │ ├── socket.h │ │ ├── system-keys.h │ │ ├── tpm.h │ │ ├── urls.h │ │ ├── x509-ext.h │ │ └── x509.h ├── lib │ ├── libgnutls-30.exp │ └── libgnutls-30.lib ├── message.h ├── message.mc ├── message.rc ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── Config ├── AgentService.cs ├── App.config ├── App.xaml ├── App.xaml.cs ├── BaseInpc.cs ├── CertificateChecker.cs ├── Communications.cs ├── Config.csproj ├── Config.csproj.user ├── Configuration.cs ├── ConfigurationModel.cs ├── EventLogCandidate.cs ├── EventLogGroupMember.cs ├── EventLogTreeViewItemHelper.cs ├── EventLogTreeviewItem.cs ├── Globals.cs ├── HttpFetcher.cs ├── ICheckedTreeView.cs ├── IMainView.cs ├── IOptionListView.cs ├── IOptionView.cs ├── ISelectionListView.cs ├── IStringView.cs ├── IThreeStateOptionView.cs ├── IValidatedOptionView.cs ├── IValidatedStringView.cs ├── MainPresenter.cs ├── MainWindow.xaml ├── MainWindow.xaml.cs ├── OptionListButtons.cs ├── OptionListCombo.cs ├── Properties │ ├── AssemblyInfo.cs │ ├── Resources.Designer.cs │ ├── Resources.resx │ ├── Settings.Designer.cs │ └── Settings.settings ├── README.md ├── Registry.cs ├── SelectionListBox.cs ├── ServiceModel.cs ├── StartupWindow.xaml ├── StartupWindow.xaml.cs ├── StringTextBox.cs ├── SyslogAgentSharedConstants.cs ├── Transport.cs ├── ValidatedOptionCheckBox.cs ├── ValidatedOptionRadioButton.cs ├── ValidatedTextBox.cs ├── WindowsEventLog.cs ├── app.manifest └── packages.config ├── EventGenerator ├── App.config ├── EventGenerator.cs ├── EventGenerator.csproj ├── EventLogCreator.cs ├── EventLogMessages.dll ├── EventLogMessages.h ├── EventLogMessages.mc ├── EventLogMessages.rc ├── EventLogMessages.res ├── EventLogMessages_Orig.mc ├── Messages_ENU.bin ├── Messages_RUS.bin ├── Program.cs ├── Properties │ └── AssemblyInfo.cs └── README.md ├── EventLogInterface ├── EventLogInterface.cpp ├── EventLogInterface.vcxproj ├── EventLogInterface.vcxproj.filters 
├── EventLogInterface.vcxproj.user ├── README.md ├── Release │ ├── EventLog.4e3dda78.tlog │ │ ├── CL.command.1.tlog │ │ ├── CL.read.1.tlog │ │ ├── CL.write.1.tlog │ │ ├── Cl.items.tlog │ │ ├── EventLogInterface.lastbuildstate │ │ ├── link.command.1.tlog │ │ ├── link.read.1.tlog │ │ ├── link.secondary.1.tlog │ │ └── link.write.1.tlog │ ├── EventLogInterface.Build.CppClean.log │ ├── EventLogInterface.dll.recipe │ ├── EventLogInterface.iobj │ ├── EventLogInterface.ipdb │ ├── EventLogInterface.log │ ├── EventLogInterface.obj │ ├── EventLogInterface.pch │ ├── EventLogInterface.vcxproj.FileListAbsolute.txt │ ├── pch.obj │ └── vc143.pdb ├── framework.h ├── pch.cpp └── pch.h └── Setup ├── Product.wxs └── Setup.wixproj /.gitignore: -------------------------------------------------------------------------------- 1 | docker/ 2 | ~* 3 | *.swp 4 | *.icloud 5 | .DS_Store 6 | .nfs.* 7 | *.bak 8 | 9 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "winagent_source/source/Agent/external/pugixml"] 2 | path = winagent_source/source/Agent/external/pugixml 3 | url = https://github.com/zeux/pugixml.git 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LogZilla Extras 2 | 3 | ## IMPORTANT: Repository Status 4 | 5 | **PLEASE NOTE:** Most of the content in this repository (except for the `howtos` 6 | and `winagent` directories) is now deprecated as LogZilla's current architecture 7 | and features have all of these capabilities built in natively. 
8 | 9 | For the latest features, documentation, and best practices, please refer to: 10 | * https://docs.logzilla.net 11 | 12 | ## Repository Contents 13 | 14 | The only actively maintained sections of this repository are: 15 | * `howtos` - Step-by-step guides for implementing specific use cases with LogZilla 16 | * `winagent` - Windows agent components for LogZilla 17 | 18 | All other directories have been moved to the `deprecated` folder and are kept 19 | for historical reference only. 20 | 21 | Feel free to contact us at https://www.logzilla.net for any assistance. 22 | -------------------------------------------------------------------------------- /deprecated/contrib/AWS-Install/images/aws-instance-type.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/contrib/AWS-Install/images/aws-instance-type.jpg -------------------------------------------------------------------------------- /deprecated/contrib/AWS-Install/images/volume.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/contrib/AWS-Install/images/volume.jpg -------------------------------------------------------------------------------- /deprecated/contrib/README.md: -------------------------------------------------------------------------------- 1 | # About 2 | 3 | A collection of various scripts which we find useful in day to day operations or support. 
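--------------------------------------------------------------------------------
/deprecated/contrib/array2json.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# arr2js KEY VALUE [KEY VALUE ...]
# Print the key/value pairs as a one-line JSON object on stdout.
# Each item is emitted as a JSON string unless it starts with "^"; then the
# marker is stripped and the remainder is inserted verbatim (numbers, booleans,
# nested JSON). Returns 1 with a message on stderr when the argument count is
# zero or odd.
arr2js(){
  local arr=( "$@" );
  local len=${#arr[@]}
  if [[ ${len} -eq 0 ]]; then
    >&2 echo "Error: Length of input array needs to be at least 2.";
    return 1;
  fi
  if [[ $((len%2)) -eq 1 ]]; then
    >&2 echo "Error: Length of input array needs to be even (key/value pairs).";
    return 1;
  fi
  local data=""
  local pos=0
  local item sep field
  for item in "${arr[@]}"; do
    # odd positions are keys (preceded by ","), even positions values (preceded by ":")
    sep=","
    if [ $((++pos%2)) -eq 0 ]; then
      sep=":"
    fi
    if [[ "${item:0:1}" == "^" ]]; then
      # caller-asserted raw JSON literal: strip the marker, no escaping applied
      field="${item:1}"
    else
      # JSON string: escape backslashes first, then double quotes, so a value
      # containing either character still yields valid JSON
      field="${item//\\/\\\\}"
      field="${field//\"/\\\"}"
      field="\"${field}\""
    fi
    data="${data}${sep}${field}"
  done
  data="${data:1}" # drop the leading ","
  echo "{$data}"
}


#### now use it like so:
# arr2js a 3 c true
# {"a":"3","c":"true"}
# also works with numbers and booleans
# arr2js a ^3 c ^true
# {"a":3,"c":true}
# double quotes and backslashes inside values are escaped
# arr2js msg 'say "hi"'
# {"msg":"say \"hi\""}
--------------------------------------------------------------------------------
/deprecated/contrib/diskfree-alert-to-neo:
--------------------------------------------------------------------------------
#!/bin/bash
# Alert when a mounted filesystem is at or above 90% capacity.
# With useEmail=1 the alert is mailed to root@localhost; otherwise it is
# written to syslog (facility local3, level error, tag "diskfree-alert").
useEmail=0
host=$(hostname)
# awk emits "<use%> <filesystem>" per line, read straight into two variables
df -PkH | grep -vE '^Filesystem|tmpfs|cdrom|udev|cgmfs' | awk '{ print $5 " " $1 }' | while read -r usep partition;
do
  # strip the trailing "%" so the value can be compared numerically
  usep=${usep%\%}
  # skip entries without a numeric usage figure (df prints "-" for some
  # filesystems) instead of letting the numeric test error out
  [[ "$usep" =~ ^[0-9]+$ ]] || continue
  if [ "${usep}" -ge 90 ]; then
    msg="DISK ALERT: Partition '$partition' on $host is at $usep% capacity!"
    if [ "${useEmail}" -eq 1 ]; then
      echo "$msg" | mail -s "DISK ALERT on $host" root@localhost
    else
      logger -p local3.error -t "diskfree-alert" "$msg"
    fi
  fi
done
--------------------------------------------------------------------------------
/deprecated/contrib/docker_delete_orphaned_veth.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Remove veth interfaces that are attached to a bridge but belong to no running
# container. Must run as root: it creates entries under /var/run/netns and
# deletes network interfaces.

veth_in_use=()
veth_unused=()
veth_all=()

# veth_interface_for_container CONTAINER_ID
# Print the host-side veth name paired with eth0 inside the container.
# Prints nothing and returns 1 when the container PID or the interface index
# cannot be determined, so the caller never acts on an empty or bogus name.
function veth_interface_for_container() {
  local container="$1"
  local pid
  pid=$(docker inspect -f '{{.State.Pid}}' "${container}") || return 1
  [[ "$pid" =~ ^[0-9]+$ && "$pid" -gt 0 ]] || return 1
  mkdir -p /var/run/netns
  # expose the container's network namespace to "ip netns" under its ID
  ln -sf "/proc/$pid/ns/net" "/var/run/netns/${container}"
  local index
  index=$(ip netns exec "${container}" ip link show eth0 | head -n1 | sed s/:.*//)
  rm -f "/var/run/netns/${container}"
  [[ "$index" =~ ^[0-9]+$ ]] || return 1
  # assumes the host peer's ifindex is the container eth0 index + 1, as the
  # original did -- TODO confirm; the "@ifN" suffix printed inside the
  # container names the peer index directly and would be more reliable
  index=$((index + 1))
  # newer iproute2 prints "name@ifN"; keep only the name so it compares equal
  # to what brctl reports
  ip link show | grep "^${index}:" | sed "s/${index}: \([^:@]*\).*/\1/"
}

# abort rather than treat an unreachable docker daemon as "no containers",
# which would mark every veth as orphaned
running=$(docker ps -q) || { echo "docker ps failed; refusing to delete interfaces" >&2; exit 1; }

# resolve each container's veth once (the helper creates and removes a netns
# symlink per call, so calling it twice per container is wasteful)
for id in $running
do
  veth=$(veth_interface_for_container "$id") || continue
  if [ -n "$veth" ] && [ "$veth" != "docker0" ]
  then
    veth_in_use+=("$veth")
  fi
done

# only names that start with "veth" are deletion candidates, so a bridge or
# other device name never reaches "ip link delete"
for dev in $(brctl show | awk '$NF ~ /^veth/ {print $NF}')
do
  veth_all+=("$dev")
done

for dev in "${veth_all[@]}"
do
  for used in "${veth_in_use[@]}"
  do
    [[ "$dev" == "$used" ]] && continue 2
  done

  veth_unused+=("$dev")
  ip link set "$dev" down
  ip link delete "$dev"
done
--------------------------------------------------------------------------------
/deprecated/contrib/fio/fiotest:
--------------------------------------------------------------------------------
#!/bin/bash

# for Ubuntu < 18, you have to compile fio
# apt install libaio-dev
# git clone https://github.com/axboe/fio.git
# cd fio
# ./configure
# make
# make install

# Run tests/4ktest.fio against the Docker root directory (or the current
# directory when Docker is not available) and store the report in $HOME.
# With "j" as the first argument an extra single-job random-read test runs
# first. Note: 4ktest.fio declares size=200G, so the target needs that much
# free space.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
sudo dpkg -l fio 2>&1 | grep -q 'no packages found' && sudo apt install fio -y
docker_mount=$(sudo docker info 2>/dev/null | grep "Docker Root Dir" | awk -F': ' '{print $2}')
outfile="${HOME}/fio-4k-$(hostname)-$(date +%s).txt"

[[ -d "$docker_mount" ]] || docker_mount=$(pwd)

echo "Running test on $docker_mount, please wait..."
[[ "$1" = "j" ]] && {
  echo "Jakub's test"
  sudo fio --name TEST --eta-newline=5s --filename="$docker_mount/test" \
    --rw=randread --size=500m --io_size=10g --blocksize=4k \
    --ioengine=libaio --fsync=1 --iodepth=1 --direct=0 \
    --numjobs=1 --runtime=60 --group_reporting
}

# 4ktest.fio uses "directory=./", so fio must run from $docker_mount;
# otherwise the test file lands wherever the script was started from
( cd "$docker_mount" && sudo fio --output="${outfile}" "${DIR}/tests/4ktest.fio" )
echo "Completed, results stored in \"${outfile}\""

rm -f "$docker_mount/test"
--------------------------------------------------------------------------------
/deprecated/contrib/fio/tests/4ktest.fio:
--------------------------------------------------------------------------------
[global]
bs=4k
ioengine=libaio
iodepth=1
size=200G
direct=1
runtime=600
directory=./
filename=fio.test
unlink=1

[seq-read]
rw=read
stonewall

[rand-read]
rw=randread
stonewall

[seq-write]
rw=write
stonewall

[rand-write]
rw=randwrite
stonewall
--------------------------------------------------------------------------------
/deprecated/contrib/fio/tests/runtest-sample.sh:
--------------------------------------------------------------------------------
#!/bin/bash
fio --output=fio-4k-$(hostname)-$(date +%s).txt 4ktest.fio
--------------------------------------------------------------------------------
/deprecated/contrib/makemeta/.gitignore:
--------------------------------------------------------------------------------
*.swp
--------------------------------------------------------------------------------
/deprecated/contrib/makemeta/images/user-tag-fields.jpg: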
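--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/contrib/makemeta/images/user-tag-fields.jpg
--------------------------------------------------------------------------------
/deprecated/contrib/makemeta/test.tsv:
--------------------------------------------------------------------------------
addTag matchString matchField matchOp
1 10.1.2.3 host eq deviceID rtp-core-sw DeviceDescription RTP Core Layer2 DeviceImportance High DeviceLocation Raleigh DeviceContact support@logzilla.net
1 host-a host eq deviceID lax-srv-01 DeviceDescription LA Server 1 DeviceImportance Low DeviceLocation Los Angeles DeviceContact support@logzilla.net
0 down message =~ deviceID nyc-rtr-01 DeviceDescription NYC Router DeviceImportance Med DeviceLocation New York DeviceContact support@logzilla.net
--------------------------------------------------------------------------------
/deprecated/contrib/mkhosts.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# This script can be used to easily create
# a hosts file for environments that do
# not have reverse DNS available
# but still want hostnames instead of IP's
# to show up in the UI

# Note: Requires jq (apt install -y jq)

# The API token (obtained from 'logzilla authtoken create') is taken from the
# LOGZILLA_TOKEN environment variable so that it is never stored in this file.
# LOGZILLA_API_URL may override the API base URL; the default below is plain
# http, so the token travels unencrypted unless an https URL is supplied.
token="${LOGZILLA_TOKEN:-}"
apiURL="${LOGZILLA_API_URL:-http://192.168.10.135/api}"
hostsFile="/etc/logzilla/hosts.in"

if [[ -z "$token" ]]; then
  echo "LOGZILLA_TOKEN is not set; create one with 'logzilla authtoken create' and export it" >&2
  exit 1
fi

# hosts.in lines are "IP hostname". These compare whole fields, so 10.1.2.3
# no longer "matches" 10.1.2.33 (grep treated "." as a wildcard and searched
# anywhere in the line). A missing file counts as "not present".
ip_in_hosts() {
  awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "${hostsFile}" 2>/dev/null
}
host_or_ip_in_hosts() {
  awk -v h="$1" -v ip="$2" '$2 == h || $1 == ip { found = 1 } END { exit !found }' "${hostsFile}" 2>/dev/null
}

declare -A entries
# -f makes an HTTP error fail the pipeline instead of feeding an error page to jq;
# only dictionary names that look like IPv4 addresses need a hostname
mapfile -t ips < <(curl -fsS -H "Content-Type: application/json; charset=utf-8" -H "Authorization: token $token" "$apiURL/dictionaries/host?limit=1000" | jq -r '.list[].name' | grep -P '^\d{1,3}\.')

echo
for ip in "${ips[@]}"; do
  if ! ip_in_hosts "$ip"; then
    echo -n "Set hostname for $ip: ";
    read -r;
    #echo "$ip ${REPLY}"
    [[ "${REPLY}" ]] && entries["${REPLY}"]="$ip"
  else
    echo "[SKIPPED] IP "\"${ip}\"" already exists in ${hostsFile}"
  fi
done

echo
echo "### Adding entries to ${hostsFile}"
echo
for key in "${!entries[@]}"; do
  val="${entries[$key]}"
  if ! host_or_ip_in_hosts "$key" "$val"; then
    echo "${val} $key" >> "${hostsFile}"
  else
    echo "[SKIPPED] Either host "\"$key\"" or IP "\"${val}\"" already exists in ${hostsFile}"
  fi
done
--------------------------------------------------------------------------------
/deprecated/contrib/offline-upgrades/images/manual-method.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/contrib/offline-upgrades/images/manual-method.jpg
--------------------------------------------------------------------------------
/deprecated/contrib/offline-upgrades/images/online-to-offline.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/contrib/offline-upgrades/images/online-to-offline.jpg
--------------------------------------------------------------------------------
/deprecated/dashboards/README.md:
--------------------------------------------------------------------------------
# LogZilla Dashboards Transition

The conventional LogZilla Dashboards previously available in this repository have been updated. We've seamlessly moved all our dashboards into the more streamlined LogZilla Apps format. You can effortlessly activate these directly from the LogZilla platform.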
For detailed steps, navigate to *Settings->App Store* in the LogZilla UI or consult our official documentation at [https://docs.logzilla.net](https://docs.logzilla.net). 4 | 5 | ![LogZilla's App Store Showcase](logzilla_appstore.jpg) 6 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Cisco/images/cisco-network-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/deprecated/Cisco/images/cisco-network-dashboard.png -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Cisco/images/cisco-security-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/deprecated/Cisco/images/cisco-security-dashboard.png -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/FortiGate/README.md: -------------------------------------------------------------------------------- 1 | # FortiGate Dashboard 2 | 3 | 4 | Be sure to load the associated rules for this dashboard located in ../../rules.d/untested/FortiGate/ 5 | 6 | [LINK](../../rules.d/untested/FortiGate/) 7 | 8 | # Or do this from your LogZilla Server: 9 | 10 | ``` 11 | sudo su - 12 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/rules.d/untested/FortiGate/700-fortigate.yaml' 13 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/rules.d/untested/FortiGate/701-fortigate-normalize.yaml' 14 | logzilla rules add 700-fortigate.yaml 15 | logzilla rules add 701-fortigate-normalize.yaml 16 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/dashboards/FortiGate/dashboard-fortigate.yaml' 17 | logzilla 
dashboards import -I dashboard-fortigate.yaml 18 | ``` 19 | 20 | ##### Sample 21 | 22 | ![FortiGate Dashboard](fortigate-dashboard-sample.png) 23 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/FortiGate/fortigate-dashboard-sample.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/deprecated/FortiGate/fortigate-dashboard-sample.png -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/FortiGate/makedash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Test script only...not for production use 3 | OLDIFS=${IFS} 4 | IFS=$'\n' 5 | for dashboard in $(cat foo | awk '{print $1, $2}' | sort -u) 6 | do 7 | dashname=$(echo $dashboard | sed 's/ /-/g') 8 | cat << EOF > t/$dashname.yaml 9 | - config: 10 | style_class: infographic 11 | time_range: 12 | preset: last_1_hours 13 | title: $dashboard 14 | is_public: true 15 | widgets: 16 | EOF 17 | #col=0 18 | #row=0 19 | #c=0 20 | #r=0 21 | for tag in $(cat foo | grep $dashboard) 22 | do 23 | cat << EOF >> t/$dashname.yaml 24 | - config: 25 | field: $tag 26 | filter: [] 27 | limit: 5 28 | show_other: false 29 | time_range: 30 | preset: last_1_hours 31 | title: $tag 32 | view_type: pie_chart 33 | type: TopN 34 | EOF 35 | #if [[ $c -eq 2 ]]; then 36 | #col=0 37 | #c=0 38 | #else 39 | #col=$((col+1)) 40 | #c=$((c+1)) 41 | #fi 42 | #if [[ $r -eq 2 ]]; then 43 | #row=$((row+1)) 44 | #r=0 45 | #else 46 | #r=$((r+1)) 47 | #fi 48 | done 49 | done 50 | IFS=$OLDIFS 51 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/General/README.md: -------------------------------------------------------------------------------- 1 | # LogZilla Sample Dashboard 2 
| 3 | This dashboard provides a General overview for your incoming event streams. Widgets included: 4 | 5 | * EPD: All Events 6 | * EPS: All Events 7 | * Unknown Events 8 | * Actionable Events 9 | * Latest Unread Notifications 10 | * Top Hosts 11 | * Recent Error Messages 12 | * Failed Messages 13 | * Non Actionable EPS 14 | * Most Recent Event Sources 15 | 16 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Linux/README.md: -------------------------------------------------------------------------------- 1 | # LogZilla Dashboards For Linux Systems 2 | 3 | 4 | 5 | ## Dynamic Host Configuration 6 | This dashboard provides an overview for DHCP-based Events. Widgets included: 7 | 8 | * DHCPd Events Per Minute 9 | * DHCPd: Top 10 Hosts 10 | * DHCPd: Requests Per Minute 11 | * DHCPd: Lease Starvation 12 | * DHCPd: Live Stream 13 | 14 | 15 | **DHCPd Dashboard:** 16 | 17 | ![DHCP Dashboard](images/dhcpd-screenshot.png) 18 | 19 | ## UFW (Uncomplicated Firewall) 20 | This dashboard provides user tag based widgets for Linux's UFW. 
Widgets included: 21 | > Important: This dashboard requires the UFW rules included in the [Parsers directory](https://github.com/logzilla/extras/tree/master/parsers) 22 | 23 | * UFW: Top Blocked Mac Addresses 24 | * UFW: Top Blocked Source IP's 25 | * UFW: Top Blocked Destination IP's 26 | * UFW: Events Per Second 27 | * UFW: Top Blocked Destination Ports 28 | 29 | 30 | **UFW Dashboard:** 31 | 32 | ![UFW Dashboard](images/ufw-dashboard.png) -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Linux/images/dhcpd-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/deprecated/Linux/images/dhcpd-screenshot.png -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Linux/images/ufw-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/deprecated/Linux/images/ufw-dashboard.png -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Microsoft/README.md: -------------------------------------------------------------------------------- 1 | # LogZilla Dashboard For Microsoft Windows 2 | 3 | This dashboard provides an overview for Windows-based Network Events. 
Widgets included: 4 | 5 | * Top Windows Hosts 6 | * Most Recent Windows Sources 7 | * EPS: Windows Sources 8 | * EPD: Windows Sources 9 | * New Process Started 10 | * User Logon Success 11 | * File Share Accessed 12 | * New Service Installed 13 | * Network Connection Established 14 | * File Audit 15 | * Registry Audit 16 | * Power Shell Command Line Execution 17 | * Windows Firewall: Change Detection 18 | * Scheduled Task Added 19 | * Host File Shares Opened 20 | * New Network Connections Per Hour 21 | 22 | # Import/Export 23 | Import 24 | --- 25 | ``` 26 | wget https://raw.githubusercontent.com/logzilla/extras/master/dashboards/Microsoft/dashboard-microsoft-windows.json 27 | 28 | logzilla dashboards import -I dashboard-microsoft-windows.json 29 | 30 | rm dashboard-microsoft-windows.json 31 | ``` 32 | 33 | Export 34 | --- 35 | ``` 36 | logzilla dashboards export -O mydashboards.json 37 | ``` 38 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/Security/README.md: -------------------------------------------------------------------------------- 1 | # LogZilla Dashboard For WannaCry Malware 2 | 3 | 4 | ## About 5 | This dashboard provides visibility for the WannaCry ransomware IoC's. 
6 | To automatically match on these IoCs, [follow the guide here](https://github.com/logzilla/extras/tree/master/parsers) 7 | 8 | 9 | **Widgets included in this dashboard:** 10 | 11 | * Blacklisted IP Detection 12 | * WannaCry Events/Sec seen on the network 13 | * Last Unread Notifications 14 | * Infected Hosts 15 | * Blacklist Events: Live Stream 16 | * WannaCry Events: Live Stream 17 | 18 | # Import/Export 19 | Import 20 | --- 21 | logzilla dashboards import -I wannacry-dash.json 22 | 23 | 24 | Note: 25 | The files provided on GitHub are either contributed by us or the community; they come with no warranty and should not be considered production quality unless you have personally tested and approved them in your environment. 26 | 27 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/SonicWall/README.md: -------------------------------------------------------------------------------- 1 | # SonicWall Dashboard 2 | 3 | 4 | Be sure to load the associated rules for this dashboard located in ../../rules.d/untested/SonicWall/ 5 | 6 | [LINK](../../rules.d/untested/SonicWall/) 7 | 8 | # Or do this from your LogZilla Server: 9 | 10 | ``` 11 | sudo su - 12 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/rules.d/untested/SonicWall/500-sonicwall.yaml' 13 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/rules.d/untested/SonicWall/501-sonicwall-normalize.yaml' 14 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/dashboards/SonicWall/dashboard-sonicwall.yaml' 15 | logzilla rules add 500-sonicwall.yaml 16 | logzilla rules add 501-sonicwall-normalize.yaml 17 | logzilla dashboards import -I dashboard-sonicwall.yaml 18 | ``` 19 | 20 | ##### Sample 21 | 22 | ![Sonicwall Dashboard](sonicwall-dashboard-sample.png) 23 | -------------------------------------------------------------------------------- /deprecated/dashboards/deprecated/SonicWall/sonicwall-dashboard-sample.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/deprecated/SonicWall/sonicwall-dashboard-sample.png -------------------------------------------------------------------------------- /deprecated/dashboards/logzilla_appstore.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/dashboards/logzilla_appstore.jpg -------------------------------------------------------------------------------- /deprecated/howtos/Execute_Remote_Commands_on_a_Cisco_Device/.gitignore: -------------------------------------------------------------------------------- 1 | *.pptx 2 | -------------------------------------------------------------------------------- /deprecated/howtos/Execute_Remote_Commands_on_a_Cisco_Device/images/lab-design.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/howtos/Execute_Remote_Commands_on_a_Cisco_Device/images/lab-design.jpg -------------------------------------------------------------------------------- /deprecated/howtos/Execute_Remote_Commands_on_a_Cisco_Device/images/slack-cisco-interface-bounce.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/howtos/Execute_Remote_Commands_on_a_Cisco_Device/images/slack-cisco-interface-bounce.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/ASA/README.md: -------------------------------------------------------------------------------- 1 | # Cisco ASA Rules 2 | 3 | This package includes Dashboards and Rules for ASA 
Buildup/Teardown events 4 | 5 | WARNING: If your server is not properly sized, these rules can overload it. Please do not attempt to run these on a large network with something like a small/slow virtual machine. 6 | 7 | You can test your server's capabilities by running `logzilla speedtest` or `logzilla rules performance` 8 | 9 | 10 | # Integration 11 | 12 | ## Import rules 13 | 14 | From this directory, paste the following: 15 | 16 | ``` 17 | for rule in rules.d/*.yaml 18 | do 19 | [ -f "${rule}" ] || continue 20 | sudo logzilla rules add ${rule} -f -R 21 | done 22 | ``` 23 | 24 | ``` 25 | sudo logzilla rules reload 26 | ``` 27 | 28 | ## Import the dashboards 29 | 30 | From this directory, paste the following: 31 | 32 | ``` 33 | for dashboard in dashboards/*.yaml 34 | do 35 | [ -f "${dashboard}" ] || continue 36 | sudo logzilla dashboards import -I ${dashboard} 37 | done 38 | ``` 39 | 40 | Refresh your browser in the LogZilla NEO UI 41 | 42 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/FirePower/images/cisco-firepower-dashboard-sample.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/FirePower/images/cisco-firepower-dashboard-sample.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/FirePower/syslog-ng/custom.conf: -------------------------------------------------------------------------------- 1 | # Firepower 2 | filter f_cisco_firepower { 3 | program("FirePower*|FTD*") 4 | }; 5 | rewrite rw_kv_firepower { 6 | subst("([a-zA-Z0-9-_]+): ([a-zA-Z0-9-_\/\(\)\.: ]{3,})(,|$)", 7 | "$1=\"$2\"", value(MESSAGE), flags("global") 8 | condition( filter(f_cisco_firepower)) 9 | ); 10 | }; 11 | 12 | log { 13 | source(s_logzilla); 14 | rewrite(rw_kv_firepower); 15 | 
destination(d_logzilla_network); 16 | flags(flow-control, final); 17 | }; 18 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/ISE/images/cisco-ise-sample-dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/ISE/images/cisco-ise-sample-dashboard.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/ISE/images/cisco_ise_categories.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/ISE/images/cisco_ise_categories.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/ISE/syslog-ng/custom.conf: -------------------------------------------------------------------------------- 1 | log { 2 | source(s_logzilla); 3 | rewrite(rw_cisco_ise); 4 | destination(d_logzilla_network); 5 | flags(flow-control,final); 6 | }; 7 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/images/Meraki-DHCP.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Meraki/images/Meraki-DHCP.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/images/Meraki-Flows.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Meraki/images/Meraki-Flows.jpg 
-------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/images/Meraki-URLs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Meraki/images/Meraki-URLs.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/images/Meraki-VPN.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Meraki/images/Meraki-VPN.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/images/Meraki_General.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Meraki/images/Meraki_General.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/images/Meraki_IDS.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Meraki/images/Meraki_IDS.jpg -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/rules.d/101-meraki-ids-priorities.yaml: -------------------------------------------------------------------------------- 1 | first_match_only: true 2 | rewrite_rules: 3 | - match: 4 | field: 'ut_Meraki IDS Priority' 5 | value: '1' 6 | tag: 7 | 'Meraki IDS Priority': High 8 | - match: 9 | field: 'ut_Meraki IDS Priority' 10 | value: '2' 11 | tag: 12 | 'Meraki IDS Priority': Medium 13 | - match: 14 | field: 
'ut_Meraki IDS Priority' 15 | value: '3' 16 | tag: 17 | 'Meraki IDS Priority': Low 18 | - match: 19 | field: 'ut_Meraki IDS Priority' 20 | value: '4' 21 | tag: 22 | 'Meraki IDS Priority': Very Low 23 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/rules.d/101-meraki-ldap-users.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 'Meraki AD Users, depends on syslog-ng/remove-ldap-spaces.conf' 3 | match: 4 | - field: message 5 | op: =~ 6 | value: 'user=CN=([^,]+)' 7 | tag: 8 | Meraki User: $1 9 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Meraki/syslog-ng/remove-ldap-spaces.conf: -------------------------------------------------------------------------------- 1 | rewrite rw_ldap_space { 2 | subst('(\\20|\\,)', " ", value("MESSAGE") flags("utf8" "global")); 3 | }; 4 | 5 | log { 6 | source(s_logzilla); 7 | rewrite(rw_ldap_space); 8 | destination(d_logzilla_network); 9 | flags(flow-control, final); 10 | }; 11 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Wireless/README.md: -------------------------------------------------------------------------------- 1 | # Cisco Wireless Lan Controller 2 | 3 | Reference: [Cisco Wireless Lan Controller Events](https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-system-message-guides-list.html) 4 | 5 | # Installation 6 | 7 | ``` 8 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/packages/Cisco/Wireless/003-cisco-wireless.yaml' 9 | sudo logzilla rules add 003-cisco-wireless.yaml -f 10 | 11 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/packages/Cisco/Wireless/dashboard-cisco-wireless.yaml' 12 | sudo logzilla dashboards import -I dashboard-cisco-wireless.yaml 13 | ``` 14 | 15 | ###### Customers running 
LogZilla `v6.12` or lower must also run the following commands: 16 | 17 | ``` 18 | # check to make sure you don't already have defined tags, if so, add them along with the new ones: 19 | logzilla config | grep HIGH_CARDINALITY_TAGS 20 | ``` 21 | ``` 22 | logzilla config HIGH_CARDINALITY_TAGS "Cisco WLC Client AP MAC, Cisco WLC Client IP, Cisco WLC Client MAC, Cisco WLC Client Username" 23 | ``` 24 | ``` 25 | logzilla restart 26 | ``` 27 | 28 | # Sample Dashboard 29 | 30 | ![!](images/cisco-wlc-dashboard.jpg) 31 | -------------------------------------------------------------------------------- /deprecated/packages/Cisco/Wireless/images/cisco-wlc-dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Cisco/Wireless/images/cisco-wlc-dashboard.jpg -------------------------------------------------------------------------------- /deprecated/packages/InfoBlox/README.md: -------------------------------------------------------------------------------- 1 | # InfoBlox DNS 2 | 3 | 4 | # Installation 5 | 6 | ``` 7 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/packages/InfoBlox/rules.d/500-infoblox-dns-query-logging.yaml' 8 | sudo logzilla rules add 500-infoblox-dns-query-logging.yaml -f 9 | 10 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/packages/InfoBlox/dashboards/dashboard-infoblox-dns.yaml' 11 | sudo logzilla dashboards import -I dashboard-infoblox-dns.yaml 12 | ``` 13 | 14 | ###### Customers running LogZilla `v6.12` or lower must also run the following commands: 15 | 16 | ``` 17 | # check to make sure you don't already have defined tags, if so, add them along with the new ones: 18 | logzilla config | grep HIGH_CARDINALITY_TAGS 19 | ``` 20 | ``` 21 | logzilla config HIGH_CARDINALITY_TAGS "Infoblox DNS Client IP, Infoblox DNS Client Query" 22 | ``` 23 | ``` 24 | logzilla restart 25 | ``` 
26 | 27 | # Sample Dashboard 28 | 29 | ![!](images/infoblox-dashboard.jpg) 30 | -------------------------------------------------------------------------------- /deprecated/packages/InfoBlox/images/infoblox-dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/InfoBlox/images/infoblox-dashboard.jpg -------------------------------------------------------------------------------- /deprecated/packages/PaloAlto/images/pan-os-threat-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/PaloAlto/images/pan-os-threat-dashboard.png -------------------------------------------------------------------------------- /deprecated/packages/PaloAlto/images/pan-os-traffic-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/PaloAlto/images/pan-os-traffic-dashboard.png -------------------------------------------------------------------------------- /deprecated/packages/PaloAlto/rules.d/.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | -------------------------------------------------------------------------------- /deprecated/packages/PaloAlto/rules.d/700-paloalto-threat.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: 2 | - PaloAlto Threat Source Users 3 | pre_match: 4 | - field: message 5 | op: =* 6 | value: THREAT 7 | rewrite_rules: 8 | - comment: 'Palo_Alto: PaloAlto Threat Events' 9 | match: 10 | field: program 11 | op: eq 12 | value: PaloAlto_Threat 13 | tag: 14 | PaloAlto NAT Sources: ${natsrc} 15 | PaloAlto Threat 
Action Sources: ${action_source} 16 | PaloAlto Threat Actions: ${action} 17 | PaloAlto Threat Dest Locations: ${dstloc} 18 | PaloAlto Threat Rules: ${rule} 19 | PaloAlto Threat Sources: ${src} 20 | PaloAlto Types: ${type} 21 | PaloAlto Threat Source Users: ${srcuser} 22 | - comment: 'Palo_Alto: Remove \ from usernames' 23 | match: 24 | field: ut_PaloAlto Threat Source Users 25 | op: =~ 26 | value: \S+\\(\S+) 27 | tag: 28 | PaloAlto Threat Source Users: $1 29 | -------------------------------------------------------------------------------- /deprecated/packages/PaloAlto/rules.d/700-paloalto-traffic.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: 2 | - PaloAlto Traffic Source Users 3 | pre_match: 4 | - field: message 5 | op: =* 6 | value: TRAFFIC 7 | rewrite_rules: 8 | - comment: 'Palo_Alto: PaloAlto Traffic Events' 9 | match: 10 | field: program 11 | op: eq 12 | value: PaloAlto_Traffic 13 | tag: 14 | PaloAlto NAT Sources: ${natsrc} 15 | PaloAlto Traffic Action Sources: ${action_source} 16 | PaloAlto Traffic Actions: ${action} 17 | PaloAlto Traffic Dest Locations: ${dstloc} 18 | PaloAlto Traffic Rules: ${rule} 19 | PaloAlto Traffic Sources: ${src} 20 | PaloAlto Types: ${type} 21 | PaloAlto Traffic Source Users: ${srcuser} 22 | - comment: 'Palo_Alto: Remove \ from usernames' 23 | match: 24 | field: ut_PaloAlto Traffic Source Users 25 | op: =~ 26 | value: \S+\\(\S+) 27 | tag: 28 | PaloAlto Traffic Source Users: $1 29 | - comment: 'Palo_Alto: Remove Bytes/Packets/Sessionid for normalization' 30 | match: 31 | field: message 32 | op: =~ 33 | value: (type="TRAFFIC".+).+sessionid="\d+"\s+(.+)\s+bytes.+packets="\d+"\s*(.*) 34 | rewrite: 35 | message: $1 $2 $3 36 | -------------------------------------------------------------------------------- /deprecated/packages/README.md: -------------------------------------------------------------------------------- 1 | # About 2 | "Packages" in LogZilla consist of multiple files which 
might include rules, triggers, dashboards, etc. 3 | 4 | # Installation 5 | 6 | To use any of the packages, please check the readme in the associated directory 7 | -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/README.md: -------------------------------------------------------------------------------- 1 | # WatchGuard Rules 2 | 3 | These rules were tested on LogZilla NEO v6.3 but should work for future versions. 4 | 5 | 6 | ## Adding Rules 7 | 8 | To load the rules, paste the following as either root or a user with docker permissions: 9 | 10 | ``` 11 | for f in rules.d/*.yaml 12 | do 13 | logzilla rules add "$f" -f -R 14 | done 15 | logzilla rules reload 16 | ``` 17 | 18 | ## Importing the Dashboard 19 | 20 | To import the dashboard, paste the following command: 21 | 22 | ``` 23 | for f in dashboards/*.json 24 | do 25 | logzilla dashboards import -I $f 26 | done 27 | ``` 28 | 29 | ## Sample Dashboard - Watchguard Firewall 30 | 31 | ![](images/LogZilla-NEO-WatchGuard-Firewall-Dashboard.jpg) 32 | 33 | 34 | ## Sample Dashboard - Watchguard Proxy 35 | 36 | ![](images/LogZilla-NEO-WatchGuard-Proxy-Dashboard.jpg) 37 | -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-cluster.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-cluster.tsv -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-firewall.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-firewall.tsv 
-------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-mgmt.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-mgmt.tsv -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-mobile.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-mobile.tsv -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-networking.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-networking.tsv -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-proxy.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-proxy.tsv -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/catalog/watchguard-security-services.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-security-services.tsv -------------------------------------------------------------------------------- 
/deprecated/packages/WatchGuard/catalog/watchguard-vpn.tsv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/catalog/watchguard-vpn.tsv -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/images/LogZilla-NEO-WatchGuard-Firewall-Dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/images/LogZilla-NEO-WatchGuard-Firewall-Dashboard.jpg -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/images/LogZilla-NEO-WatchGuard-Proxy-Dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/images/LogZilla-NEO-WatchGuard-Proxy-Dashboard.jpg -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/images/focus3-596x335.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/WatchGuard/images/focus3-596x335.jpg -------------------------------------------------------------------------------- /deprecated/packages/WatchGuard/scripts/makerules: --------------------------------------------------------------------------------
#!/bin/bash

# Turns every catalog file into a rule file: ../catalog/NAME.tsv is fed to
# ./tsv2NEO on stdin and the output lands in ../rules.d/500-NAME.json.
for f in ../catalog/*.*
do
    fn=$(basename "$f")
    target="500-${fn}"
    # A name ending in "tsv" gets that suffix swapped for "json"; any other
    # suffix is kept as-is.
    [[ "$target" == *tsv ]] && target="${target%tsv}json"
    ./tsv2NEO < "$f" > "../rules.d/$target"
done
-------------------------------------------------------------------------------- 
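/deprecated/packages/WatchGuard/scripts/replacerules: --------------------------------------------------------------------------------
#!/bin/bash

# Removes every rule whose name (first column of 'logzilla rules list')
# contains "watchguard", then re-adds the JSON rules from ../rules.d.
# NOTE: the selection is a case-insensitive substring match, so any unrelated
# rule whose name happens to contain "watchguard" is removed as well.

# -r keeps a backslash in a rule name literal instead of treating it as an escape.
while read -r rule
do
    logzilla rules remove "$rule"
done < <(logzilla rules list | awk '{print $1}' | grep -i 'watchguard')

for f in ../rules.d/*.json
do
    # With no matching files the glob stays literal; skip it rather than
    # hand a non-existent path to 'logzilla rules add'.
    [ -f "$f" ] || continue
    logzilla rules add "$f"
done
-------------------------------------------------------------------------------- /deprecated/packages/Zeek/.gitignore: -------------------------------------------------------------------------------- 1 | *.lzlog 2 | *.swp 3 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/addrules_to_logzilla.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Adds every YAML rule under rules.d/ and static/, then reloads the rule set.
# Paths are quoted so a file name with spaces is passed as one argument, and an
# unmatched glob (literal pattern) is skipped instead of being passed through.
for r in rules.d/*.yaml; do [ -f "$r" ] || continue; logzilla rules add "$r" -f -R; done
for r in static/*.yaml; do [ -f "$r" ] || continue; logzilla rules add "$r" -f -R; done
logzilla rules reload
-------------------------------------------------------------------------------- /deprecated/packages/Zeek/dashboards/dashboard-bro_stats.yaml: -------------------------------------------------------------------------------- 1 | - config: 2 | style_class: infographic 3 | time_range: 4 | preset: last_1_minutes 5 | title: Zeek stats events 6 | is_public: true 7 | widgets: 8 | - config: 9 | col: 0 10 | filter: 11 | - field: program 12 | op: eq 13 | value: 14 | - bro_stats 15 | limit: 10 16 | row: 0 17 | sizeX: 6 18 | sizeY: 2 19 | sort: -first_occurrence 20 | time_range: 21 | preset: last_1_minutes 22 | title: All stats Events 23 | type: Search 24 | - config: 25 | col: 0 26 | field: Zeek peer 27 | filter: 28 | - field: program 29 | op: eq 30 | value: 31 | - bro_stats 32 | limit: 5 33 | row: 2 34 | show_other: false 35 | time_range: 36 | preset: last_1_minutes 37 | title: stats peer 38 | view_type: pie_chart 39 | type: TopN 40 | 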
-------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/1-source-ip-hunt.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/1-source-ip-hunt.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/1a-source-ip-hunt-with-exclusion-results.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/1a-source-ip-hunt-with-exclusion-results.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/1a-source-ip-hunt-with-exclusion.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/1a-source-ip-hunt-with-exclusion.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/2-dst-ip-hunt.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/2-dst-ip-hunt.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/2-source-dst-pairs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/2-source-dst-pairs.jpg -------------------------------------------------------------------------------- 
/deprecated/packages/Zeek/images/3-detect-services-edit-widget-2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/3-detect-services-edit-widget-2.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/3-detect-services-edit-widget-filter-by-tag.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/3-detect-services-edit-widget-filter-by-tag.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/3-detect-services-edit-widget.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/3-detect-services-edit-widget.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/3-detect-services-filtered-nulls.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/3-detect-services-filtered-nulls.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/3-detect-services.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/3-detect-services.jpg -------------------------------------------------------------------------------- 
/deprecated/packages/Zeek/images/4-longest-durations.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/4-longest-durations.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/5-dst-ports.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/5-dst-ports.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/6-dns-c2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/6-dns-c2.jpg -------------------------------------------------------------------------------- /deprecated/packages/Zeek/images/Threat_Hunting_Dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/Zeek/images/Threat_Hunting_Dashboard.png -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_conn.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst", "Zeek dstip" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_conn 9 | 
rewrite_rules: 10 | - comment: 11 | - 'Zeek conn events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek proto: $7 22 | Zeek service: $8 23 | Zeek local_orig: $13 24 | Zeek local_resp: $14 25 | rewrite: 26 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" proto="$7" service="$8" duration="$9" orig_bytes="$10" resp_bytes="$11" conn_state="$12" local_orig="$13" local_resp="$14" missed_bytes="$15" history="$16" orig_pkts="$17" orig_ip_bytes="$18" resp_pkts="$19" resp_ip_bytes="$20" tunnel_parents="$21" 27 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_dce_rpc.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_dce_rpc 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek dce_rpc events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek named_pipe: $8 22 | Zeek endpoint: $9 23 | Zeek operation: $10 24 | rewrite: 25 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" rtt="$7" named_pipe="$8" endpoint="$9" operation="$10" 26 | 
-------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_dhcp.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_dhcp 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek dhcp events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek client_addr: $3 18 | Zeek server_addr: $4 19 | Zeek host_name: $6 20 | Zeek client_fqdn: $7 21 | Zeek domain: $8 22 | Zeek assigned_addr: $10 23 | Zeek client_message: $12 24 | Zeek server_message: $13 25 | Zeek msg_types: $14 26 | rewrite: 27 | message: client_addr="$3" server_addr="$4" mac="$5" host_name="$6" client_fqdn="$7" domain="$8" requested_addr="$9" assigned_addr="$10" lease_time="$11" client_message="$12" server_message="$13" msg_types="$14" duration="$15" 28 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_dpd.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: 
bro_dpd 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek dpd events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek proto: $7 22 | Zeek analyzer: $8 23 | Zeek failure_reason: $9 24 | rewrite: 25 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" proto="$7" analyzer="$8" failure_reason="$9" 26 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_files.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_files 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek files events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek dstip: $4 19 | Zeek source: $6 20 | Zeek mime_type: $9 21 | Zeek local_orig: $12 22 | Zeek is_orig: $13 23 | Zeek extracted: $23 24 | Zeek extracted_cutoff: $24 25 | rewrite: 26 | message: srcip="$3" dstip="$4" conn_uids="$5" source="$6" depth="$7" analyzers="$8" mime_type="$9" filename="$10" duration="$11" local_orig="$12" is_orig="$13" seen_bytes="$14" total_bytes="$15" missing_bytes="$16" overflow_bytes="$17" timedout="$18" parent_fuid="$19" md5="$20" 
sha1="$21" sha256="$22" extracted="$23" extracted_cutoff="$24" extracted_size="$25" 27 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_ntlm.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_ntlm 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek ntlm events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek username: $7 22 | Zeek hostname: $8 23 | Zeek domainname: $9 24 | Zeek server_nb_computer_name: $10 25 | Zeek server_dns_computer_name: $11 26 | Zeek server_tree_name: $12 27 | Zeek success: $13 28 | rewrite: 29 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" username="$7" hostname="$8" domainname="$9" server_nb_computer_name="$10" server_dns_computer_name="$11" server_tree_name="$12" success="$13" 30 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_ntp.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule 
assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_ntp 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek ntp events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek version: $7 22 | Zeek mode: $8 23 | Zeek stratum: $9 24 | Zeek precision: $11 25 | Zeek root_disp: $13 26 | Zeek ref_id: $14 27 | Zeek num_exts: $19 28 | rewrite: 29 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" version="$7" mode="$8" stratum="$9" poll="$10" precision="$11" root_delay="$12" root_disp="$13" ref_id="$14" ref_time="$15" org_time="$16" rec_time="$17" xmt_time="$18" num_exts="$19" 30 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_smb_files.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_smb_files 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek smb_files events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek action: $8 22 | Zeek path: $9 23 | Zeek name: $10 24 | Zeek 
prev_name: $12 25 | Zeek times_modified: $13 26 | Zeek times_accessed: $14 27 | Zeek times_created: $15 28 | Zeek times_changed: $16 29 | rewrite: 30 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" action="$8" path="$9" name="$10" size="$11" prev_name="$12" times_modified="$13" times_accessed="$14" times_created="$15" times_changed="$16" 31 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_smb_mapping.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_smb_mapping 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek smb_mapping events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek path: $7 22 | Zeek service: $8 23 | Zeek native_file_system: $9 24 | Zeek share_type: $10 25 | rewrite: 26 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" path="$7" service="$8" native_file_system="$9" share_type="$10" 27 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_software.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | 
pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_software 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek software events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek host: $2 18 | Zeek host_p: $3 19 | Zeek name: $5 20 | Zeek version_major: $6 21 | Zeek version_minor: $7 22 | Zeek version_minor2: $8 23 | Zeek version_addl: $10 24 | Zeek unparsed_version: $11 25 | rewrite: 26 | message: host="$2" host_p="$3" software_type="$4" name="$5" version_major="$6" version_minor="$7" version_minor2="$8" version_minor3="$9" version_addl="$10" unparsed_version="$11" 27 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_ssl.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_ssl 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek ssl events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek version: $7 22 | Zeek cipher: $8 23 | Zeek server_name: $10 24 | Zeek resumed: $11 25 | Zeek subject: $17 26 | Zeek 
issuer: $18 27 | Zeek validation_status: $21 28 | rewrite: 29 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" version="$7" cipher="$8" curve="$9" server_name="$10" resumed="$11" last_alert="$12" next_protocol="$13" established="$14" cert_chain_fuids="$15" client_cert_chain_fuids="$16" subject="$17" issuer="$18" client_subject="$19" client_issuer="$20" validation_status="$21" 30 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_stats.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_stats 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek stats events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek peer: $2 18 | rewrite: 19 | message: peer="$2" mem="$3" pkts_proc="$4" bytes_recv="$5" pkts_dropped="$6" pkts_link="$7" pkt_lag="$8" events_proc="$9" events_queued="$10" active_tcp_conns="$11" active_udp_conns="$12" active_icmp_conns="$13" tcp_conns="$14" udp_conns="$15" icmp_conns="$16" timers="$17" active_timers="$18" files="$19" active_files="$20" dns_requests="$21" active_dns_requests="$22" reassem_tcp_size="$23" reassem_file_size="$24" reassem_frag_size="$25" reassem_unknown_size="$26" 20 | -------------------------------------------------------------------------------- 
/deprecated/packages/Zeek/rules.d/400-bro_syslog.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_syslog 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek syslog events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek proto: $7 22 | rewrite: 23 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" proto="$7" message="$10" 24 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/rules.d/400-bro_weird.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek san_ip","Zeek srcip","Zeek dstip","Zeek host_key", "Zeek host", "Zeek server_addr", "Zeek assigned_addr", "Zeek client_addr", "ip", "Zeek uri", "Zeek query", "Zeek answers", "Zeek referrer", "Zeek dst" ] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_weird 9 | rewrite_rules: 10 | - comment: 11 | - 'Zeek weird events' 12 | match: 13 | field: message 14 | op: =~ 15 | value: ^([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$ 16 | tag: 17 | Zeek srcip: $3 18 | Zeek srcport: $4 19 | Zeek dstip: $5 20 | Zeek dstport: $6 21 | Zeek name: $7 22 | Zeek peer: $10 23 | Zeek source: $11 24 | 
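rewrite: 25 | message: srcip="$3" srcport="$4" dstip="$5" dstport="$6" name="$7" addl="$8" notice="$9" peer="$10" source="$11" 26 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/static/399-zeek-rewrite-nulls.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - Rewrite empty fields with dashes 4 | - 'e.g: SHA1,X509,SHA256,MD5 application/x-x509-ca-cert - 0.000000 F F 692 - 0 0 F -' 5 | - 'becomes: SHA1,X509,SHA256,MD5 application/x-x509-ca-cert empty 0.000000 F F 692 empty 0 0 F empty' 6 | match: 7 | field: program 8 | op: =* 9 | value: bro_ 10 | replace:  # NOTE(review): expr '\t-' is unanchored, so a field that merely starts with '-' (e.g. a negative number) is rewritten as well; confirm this is intended 11 | field: message 12 | expr: \t- 13 | fmt: "\tnull" 14 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/static/402-threathunt.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: ["Zeek Src to Dst Port", "Zeek Src to Dst", "Zeek Long Durations", "Zeek High Ports"] 2 | pre_match: 3 | - comment: 4 | - Match on Zeek events 5 | - Note that this rule assumes a TSV incoming log from Zeek, not JSON 6 | field: program 7 | op: =* 8 | value: bro_ 9 | rewrite_rules: 10 | - comment: 11 | - Detect ports above 1024 12 | match:  # the alternation covers 1024-65535 with no gaps, including the IANA dynamic range 49152-65535 13 | field: message 14 | op: =~ 15 | value: dstport="(6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[2-9]\d{3}|1[1-9]\d{2}|10[3-9]\d|102[4-9])" 16 | tag: 17 | Zeek High Ports: ${dstport} 18 | Zeek Src to Dst Port: ${srcip}->${dstport} 19 | - comment: 20 | - Tag Source to Destination Pairs 21 | match: 22 | field: message 23 | op: =~ 24 | value: srcip="\d+.*dstip="\d+ 25 | tag: 26 | Zeek Src to Dst: ${srcip}->${dstip} 27 | - comment: 28 | - Detect Long Duration Connections 29 | match:  # NOTE(review): the repeated field/op/value keys below collapse to the last one in YAML (only the message test survives); a list of two conditions is probably intended - verify against the rule schema 30 | field: program 31 | op: =* 32 | value: bro_conn 33 | field: message 34 | op: =~  # NOTE(review): (\d*[3-9]+) only matches when the integer part of duration ends in 3-9 (13.0 matches, 30.0 and 100.0 do not); confirm the intended threshold 35 | value: srcip="\d+.*dstip="\d+.+duration="(\d*[3-9]+)\.\d+" 36 | tag: 37 | Zeek Long 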
Durations: $1 Seconds 38 | -------------------------------------------------------------------------------- /deprecated/packages/Zeek/syslog-ng/zeek2logzilla.conf: -------------------------------------------------------------------------------- 1 | # This is for your *relay* server (not the LogZilla server) 2 | # filename: /etc/syslog-ng/conf.d/zeek2logzilla.conf 3 | # Reads Zeek's TSV logs from /usr/local/zeek/logs/current, drops the "#"-prefixed header lines, and 4 | # forwards each record prefixed with bro_<logname> (extension stripped), the program value the 400-bro_*.yaml rules key on 5 | # Filter out comments in bro logs 6 | filter f_not_comment { not message("^#"); }; 7 | 8 | # Define log sources 9 | source s_bro_logs { 10 | wildcard-file( 11 | base-dir("/usr/local/zeek/logs/current") 12 | filename-pattern("*.log") 13 | follow-freq(1) 14 | flags(no-parse) 15 | ); 16 | }; 17 | 18 | # Sets the program name based on the filename 19 | # also removes the file extension from the name 20 | rewrite r_set_program { 21 | set("bro_$(basename ${FILE_NAME}): $MESSAGE" value("MESSAGE")); 22 | subst('^([^\.]+)\.[^ ]+', '$1', value("MESSAGE"), type(pcre) ); 23 | }; 24 | # NOTE(review): the subst's [^ ]+ also consumes the colon after the log name, so the result is "bro_<logname> <record>" rather than "bro_<logname>: <record>" - confirm LogZilla derives the program from that form 25 | # NOTE(review): tcp() carries these records in cleartext; 1.2.3.4 is a placeholder for the LogZilla address, and a TLS-capable transport is preferable when the path is untrusted 26 | # Set destination (logzilla) 27 | destination d_logzilla { tcp("1.2.3.4" port(514)); }; 28 | 29 | log { 30 | source(s_bro_logs); 31 | filter(f_not_comment); 32 | rewrite(r_set_program); 33 | destination(d_logzilla); 34 | flags(flow-control); 35 | }; 36 | -------------------------------------------------------------------------------- /deprecated/packages/stolen-device-tracking/README.md: -------------------------------------------------------------------------------- 1 | # Use Case 2 | Tracking stolen laptops on the network 3 | 4 | -------------------------------------------------------------------------------- /deprecated/packages/stolen-device-tracking/csv2meta.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/packages/stolen-device-tracking/csv2meta.tgz -------------------------------------------------------------------------------- 
/deprecated/packages/stolen-device-tracking/csv2meta/metaData.conf: -------------------------------------------------------------------------------- 1 | parser p_add_context_data { 2 | add-contextual-data( 3 | selector("$HOST"), 4 | database("/etc/syslog-ng/conf.d/metaData.csv"), 5 | default-selector("unknown"), 6 | prefix("meta.")); 7 | }; 8 | 9 | rewrite r_add_meta{ 10 | set("STARTMETA:deviceSerial=\"${meta.deviceSerial}\" sMAC1=\"${meta.sMAC1}\" sMAC2=\"${meta.sMAC2}\" deviceName=\"${meta.deviceName}\"ENDMETA $MSG", value("MESSAGE")); 11 | }; 12 | -------------------------------------------------------------------------------- /deprecated/packages/stolen-device-tracking/csv2meta/sourceIPs.txt: -------------------------------------------------------------------------------- 1 | 10.68.1.13 2 | 10.68.1.14 3 | 10.68.176.34 4 | 10.68.176.35 5 | 11.31.2.7 6 | 11.31.2.8 7 | 11.31.3.7 8 | 11.31.3.8 9 | -------------------------------------------------------------------------------- /deprecated/packages/stolen-device-tracking/csv2meta/stolen-device-list.csv: -------------------------------------------------------------------------------- 1 | 8FWJMH2,A4:4C:C8:B1:AE:2A,B0:35:9F:A0:A3:7C,DEVICE_NAME-01 2 | 3PPJMH2,A4:4C:C8:BC:AA:A3,B0:35:9F:C0:1A:B3,DEVICE_NAME-02 3 | TEST_SERIAL,80:49:71:10:BA:12,80:49:71:10:BA:13,LAPTOP-TEST 4 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Apple/600-apple-osx-by-host.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: "Some Apple events don't send the program name, the only way to categorize them 3 | is by using a generic MacOs program. 
4 | feel free to modify this for multiple hosts or IP's" 5 | match: 6 | field: host 7 | op: eq 8 | value: Users-mac-mini 9 | update: 10 | program: MacOs 11 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Apple/600-apple-osx.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: Identify OSX events sent from MacOS's syslogd 3 | match: 4 | field: message 5 | op: =~ 6 | value: ^\(com\.apple\.([^\.]+)[^\)]+\):\s*(.*) 7 | update: 8 | program: $1 9 | message: $2 10 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Barracuda/README.md: -------------------------------------------------------------------------------- 1 | # Barracuda rules for LogZilla NEO 2 | 3 | ## Web Security Gateway 4 | 5 | Docs for this rule are located on [Barracuda's Website](https://campus.barracuda.com/product/websecuritygateway/doc/6160435/syslog-and-the-barracuda-web-security-gateway/) 6 | 7 | 8 | 9 | **Sample Dashboard** 10 | 11 | ![](images/web-security-gateway.jpg) -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Barracuda/images/web-security-gateway.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/rules.d/deprecated/Barracuda/images/web-security-gateway.jpg -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/BlueCoat/800-bluecoat-proxy.json: -------------------------------------------------------------------------------- 1 | { 2 | "first_match_only": true, 3 | "rewrite_rules": [ 4 | { 5 | "comment": [ 6 | "Extract Torrent URL and IP", 7 | "Sample Log: 10.164.87.99 Accessed URL 
88.212.201.194:http://counter.yadro.ru/hit?t39.6;r;s1829*1029*24;uhttp%3A//securityscreendoorssee.blogspot.com/2013/02/residential-security-how-to-clean.html;0.1551675321809" 8 | ], 9 | "match": { 10 | "field": "message", 11 | "op": "=~", 12 | "value": "(\\d+\\.\\d+\\.\\d+\\.\\d+) Accessed URL (\\S+):http.?:\\/\\/([^\\/]+)" 13 | }, 14 | "tag": { 15 | "ut_bluecoat_src_ip": "$1", 16 | "ut_bluecoat_dst_ip": "$2", 17 | "ut_bluecoat_dst_url": "$3" 18 | }, 19 | "update": { 20 | "program": "Bluecoat" 21 | } 22 | } 23 | ] 24 | } 25 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/CAS/610-cas.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - CAS Events 4 | - 'Description: Special rule for CAS Server' 5 | match: 6 | field: message 7 | op: =~ 8 | value: \d{4}-\d{2}-\d{2}T\S+ \S+ CAS\S+ \d+ (\S+) - (.+) 9 | rewrite: 10 | program: CAS-$1 11 | message: $2 12 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/CAS/README.md: -------------------------------------------------------------------------------- 1 | # CAS Test 2 | 3 | You can test that the rule matches using: 4 | 5 | ``` 6 | logzilla events tester -I sample.lzlog --rule-file 500-cas.yaml 7 | ``` 8 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/CISA/README.md: -------------------------------------------------------------------------------- 1 | # Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations 2 | Alert (AA20-352A) 3 | 4 | ## Reference 5 | Information based on data from https://us-cert.cisa.gov/ncas/alerts/aa20-352a 6 | 7 | 8 | ## Summary 9 | This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. 
See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques. 10 | The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations. 11 | 12 | One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A). 13 | 14 | * Orion Platform 2019.4 HF5, version 2019.4.5200.9083 15 | * Orion Platform 2020.2 RC1, version 2020.2.100.12219 16 | * Orion Platform 2020.2 RC2, version 2020.2.5200.12394 17 | * Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432 18 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/002-cisco-macflap.json: -------------------------------------------------------------------------------- 1 | { 2 | "first_match_only": true, 3 | "rewrite_rules": [ 4 | { 5 | "comment": [ 6 | "WARNING: This Rule will potentially create a large amount of entries, make sure your server is properly scaled to handle it", 7 | "Name: Used for tracking MACFLAP events from Cisco Devices", 8 | "Sample Log: host 1.2.3.4 in vlan 321 is flapping between port GigabitEthernet1/0/1 and port GigabitEthernet1/0/1", 9 | "Description: Extract the IP/Hostname, VLAN, Source Port and Destination Port", 10 | "Category: Fault" 11 | ], 12 | "match": { 13 | "field": "message", 14 | "op": "=~", 15 | "value": "host (\\S+) in vlan (\\S+) is flapping between port (\\S+) and port (\\S+)" 16 | }, 17 | "tag": { 18 | "ut_cisco_macflap_host": "$1", 19 | "ut_cisco_macflap_vlan": "$2", 20 | 
"ut_cisco_macflap_src_port": "$3", 21 | "ut_cisco_macflap_dst_port": "$4" 22 | } 23 | } 24 | ] 25 | } 26 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/002-cisco-nac.json: -------------------------------------------------------------------------------- 1 | { 2 | "first_match_only": true, 3 | "rewrite_rules": [ 4 | { 5 | "comment": "Cisco NAC", 6 | "match": { 7 | "field": "message", 8 | "op": "=~", 9 | "value": "NAC Policy Log: Source: (\\S+),.+?Rule: Policy \"(.+?)\".*?" 10 | }, 11 | "tag": { 12 | "ut_src_ip": "$1", 13 | "ut_cisco_nac_policies": "$2" 14 | }, 15 | "update": { 16 | "program": "Cisco-NAC" 17 | } 18 | }, 19 | { 20 | "comment": "Cisco NAC - Block Event", 21 | "match": { 22 | "field": "message", 23 | "op": "=~", 24 | "value": "Block Event: Host: (\\S+), Target: (\\S+),.+?Service: (\\d+)\\/(\\S+).+?Reason: .+? - Limit (Inbound|Outbound)" 25 | }, 26 | "tag": { 27 | "ut_src_ip": "$1", 28 | "ut_dst_ip": "$2", 29 | "ut_src_port": "$3", 30 | "ut_src_proto": "$4", 31 | "ut_cisco_nac_blockreasons": "Limit $5" 32 | }, 33 | "update": { 34 | "program": "Cisco-NAC" 35 | } 36 | }, 37 | { 38 | "comment": "Track Kernel Martians", 39 | "match": { 40 | "field": "message", 41 | "op": "=~", 42 | "value": "martian source (\\S+) from (\\S+)" 43 | }, 44 | "tag": { 45 | "ut_src_ip": "$2", 46 | "ut_dst_ip": "$1" 47 | } 48 | } 49 | ] 50 | } 51 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/005-cisco-acl-deny.json: -------------------------------------------------------------------------------- 1 | { 2 | "rewrite_rules": [ 3 | { 4 | "tag": { 5 | "ut_cisco_acl_deny_src_port": "$3", 6 | "ut_cisco_acl_deny_src_proto": "$1", 7 | "ut_cisco_acl_deny_dst_port": "$5", 8 | "ut_cisco_acl_deny_dst_ip": "$4", 9 | "ut_cisco_acl_deny_src_ip": "$2" 10 | }, 11 | "comment": "Extract denied protocol, ip and port as well as destination ip and port from 
ACL deny", 12 | "match": { 13 | "value": "list \\S+ denied (\\S+) (\\d+\\.\\d+\\.\\d+\\.\\d+)\\((\\d+)\\)\\s+\\-\\>\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)\\((\\d+)\\)", 14 | "field": "message", 15 | "op": "=~" 16 | } 17 | } 18 | ], 19 | "first_match_only": true 20 | } 21 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/098-cisco-message-cleanup.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Description: Strip TS and counter from the message' 4 | - 'Sample 1: Aug 9 08:39:15.662 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:KWIKTRIP\dthomasa 5 | d logged command:description New Description 29 Host-Group="KWan-Routers"' 6 | - 'Sample 2: 001549: Aug 9 09:43:49.852 CDT: %: User:svcapicadmin logged command:!exec: 7 | enable' 8 | match: 9 | - field: program 10 | op: eq 11 | value: Cisco 12 | - field: message 13 | op: =~ 14 | value: '^.*?[A-Za-z]{3} \d+ \d{2}:\d{2}:\d{2}\.\d+ [A-Za-z]{3}: \S+ (.+)' 15 | update: 16 | message: $1 17 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/500-cisco-asa-nat-pat.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Description: Track NAT/PAT Translations' 4 | - 'Sample: %ASA-6-305011: Built dynamic UDP translation from BLDG-A:10.44.117.111/57310 to outside:130.58.13.12/57310' 5 | - 'Note: match is a list of two conditions (two field/op/value triples in one mapping are duplicate YAML keys and only the last one survives), and the regex captures the protocol as $1 so the five tags below line up with the five capture groups' 6 | match: 7 | - field: cisco_mnemonic 8 | op: =* 9 | value: ASA* 10 | - field: message 11 | op: =~ 12 | value: .+ (\S+) translation from (\S+):(\d+\.\d+\.\d+\.\d+).+to (\S+):(\d+\.\d+\.\d+\.\d+) 13 | tag: 14 | ASA Translation Protocol: $1 15 | ASA Translation Source Name: $2 16 | ASA Translation Source IP: $3 17 | ASA Translation Destination Name: $4 18 | ASA Translation Destination IP: $5 19 | ASA Translation Source to Destination IP: $3->$5 20 | 
-------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/999-cisco-asa-random-ports.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Description: Strip Random Ports' 4 | - 'Note: this is lossy - the message is replaced by whatever precedes the last "/<digits>." so the port and any text after it are gone; any rule that needs ports for correlation (for example the NAT/PAT tagging in 500-cisco-asa-nat-pat.yaml) has to run before this one. The match is a list of two conditions, not one mapping with repeated keys' 5 | match: 6 | - field: cisco_mnemonic 7 | op: =* 8 | value: ASA* 9 | - field: message 10 | op: =~ 11 | value: (.*)\/\d+\. 12 | rewrite: 13 | message: $1 14 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Cisco/cisco-ise: -------------------------------------------------------------------------------- 1 | ../../../packages/Cisco/ISE -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/IBM/000-IBM-LEEF.json: -------------------------------------------------------------------------------- 1 | { 2 | "rewrite_rules": [ 3 | { 4 | "comment": [ 5 | "Extract Correct Program Name from IBM LEEF formatted logs", 6 | "LEEF Formatted logs include extra metadata that are pipe delimited: ", 7 | "* LEEF version", 8 | "* Vendor Name", 9 | "* Product Name", 10 | "* Product Version", 11 | "* Event ID", 12 | "Sample: 1.0|WatchGuard|XTM|12.1.1.B558423|2CFF0000|" 13 | ], 14 | "match": [ 15 | { 16 | "field": "program", 17 | "value": "LEEF" 18 | }, 19 | { 20 | "field": "message", 21 | "op": "=~", 22 | "value": "(\\d\\.\\d)\\|([^|]+)\\|([^|]+)\\|([^|]+)\\|([^|]+)\\|(.*)" 23 | } 24 | ], 25 | "update": { 26 | "program": "$2", 27 | "message": "$6" 28 | }, 29 | "tag": { 30 | "ibm_leef_version": "$1", 31 | "ibm_leef_vendor_name": "$2", 32 | "ibm_leef_product_name": "$3", 33 | "ibm_leef_product_version": "$4", 34 | "ibm_leef_event_id": "$5" 35 | } 36 | } 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Java/300-log4j.yaml: 
-------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'transform java thread to program name containing `localhost`' 4 | - 'Make sure you are logging properly from your log4j system' 5 | - 'See https://demo.logzilla.net/help/receiving_data/receiving_java_events for help' 6 | match: 7 | field: message 8 | op: =~ 9 | value: (.+) - threadName=localhost-([a-z]+).* className=(.+) methodName=(.+) 10 | rewrite: 11 | message: $1 - threadName=$2 className=$3 methodName=$4 12 | - comment: Rewrite Java Events 13 | match: 14 | - field: program 15 | value: java 16 | - field: message 17 | op: =~ 18 | value: (.+) - threadName=([a-z]+).* className=(.+) methodName=(.+) 19 | rewrite: 20 | message: $1 21 | program: Java-$2 22 | tag: 23 | Java Classnames: $3 24 | Java Methodnames: $4 25 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Juniper/500-junos.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - match: 3 | field: message 4 | op: =~ 5 | value: (\S+) (\S+) \S+ - RT_FLOW_(SESSION_\w+) 6 | rewrite: 7 | message: $3 reason=${reason} src=${source-address} dst=${destination-address} 8 | src-port=${source-port} dst-port=${destination-port} service=${service-name} 9 | policy=${policy-name} nat-src=${nat-source-address} nat-src-port=${nat-source-port} 10 | nat-dst=${nat-destination-address} nat-dst-port=${nat-destination-port} src-nat-rule=${src-nat-rule-name} 11 | dst-nat-rule=${dst-nat-rule-name} protocol=${protocol-id} src-zone=${source-zone-name} 12 | dst-zone=${destination-zone-name} session-id=${session-id-32} ingress-interface=${packet-incoming-interface} 13 | $2 $1 14 | program: Juniper 15 | tag: 16 | ut_junos_reasons: $3 17 | ut_junos_source_ips: ${source-address} 18 | ut_junos_dest_ips: ${destination-address} 19 | ut_junos_policies: ${policy-name} 20 | - match: 21 | - field: program 22 | 
value: Juniper 23 | - field: message 24 | op: =~ 25 | value: (.+?) reason= (.+) 26 | rewrite: 27 | message: $1 $2 28 | - match: 29 | - field: message 30 | op: =~ 31 | value: ^\d{4}-\d{2}-\d{2}[^ ]+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(.*) 32 | rewrite: 33 | program: $2 34 | message: category="$3" overlay_path="$1" $4 35 | tag: 36 | ut_junos_categories: $3 37 | ut_junos_overlay_paths: $1 38 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Linux/100-iptables.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: 2 | - dstIP 3 | - Src MAC 4 | - Proto 5 | - srcIP 6 | - srcIP to dstIP 7 | - srcIP to dstIP Port 8 | rewrite_rules: 9 | - comment: 10 | - 'Sample Log: [UFW BLOCK] IN=eth0 OUT= MAC=04:01:7b:02:e5:01:84:b5:9c:a9:18:30:08:00 11 | SRC=198.2.182.60 DST=14.131.31.136 LEN=60 TOS=0x00' 12 | - 'Sample Log: [UFW BLOCK] IN=eth0 OUT= MAC=04:01:92:99:4d:01:84:b5:9c:a9:08:30:08:00 13 | SRC=168.1.128.59 DST=4.55.153.114 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=TCP 14 | SPT=10978 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0' 15 | - 'Sample Log: [327011.724198] IN=br0 OUT=eth8.2 MAC=f6:92:bf:72:e4:f5:d2:45:5c:26:e1:17:08:00 SRC=192.168.18.82 DST=80.49.19.12 LEN=1474 TOS=0x00 PREC=0x00 TTL=127 ID=31041 DF PROTO=UDP SPT=56476 DPT=61146 LEN=1454' 16 | - 'Note: OUT= is empty in the first two samples (traffic blocked on the way in), so the OUT capture must allow an empty value or those events never match; the srcIP/dstIP pair tags use the SRC/DST captures ($4/$5), not the interface captures ($1/$2)' 17 | match: 18 | field: message 19 | op: =~ 20 | value: IN=(\S+) OUT=(\S*) MAC=(\S+) SRC=(\S+) DST=(\S+).+PROTO=(\S+) SPT=\S+ DPT=(\S+) 21 | rewrite: 22 | program: iptables 23 | tag: 24 | NetIF In: $1 25 | NetIF Out: $2 26 | Src MAC: $3 27 | srcIP: $4 28 | dstIP: $5 29 | Proto: $6 30 | Dst Port: $7 31 | srcIP to dstIP: $4->$5 32 | srcIP to dstIP Port: $4->$5:$7 33 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Linux/600-pam_unix.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Description: Extract usernames from 
pam sessions' 4 | - 'Sample 1: pam_unix(crond:session): session opened for user foo by (uid=0)' 5 | - 'Sample 2: pam_unix(crond:session): session closed for user root' 6 | - 'Regex Check: https://regex101.com/r/K6cbNS/1' 7 | match: 8 | field: message 9 | op: =~ 10 | value: 'pam_unix\([^\)]+\): (session.+user (\S+).*)' 11 | rewrite: 12 | message: $1 13 | program: pam_unix 14 | tag: 15 | Linux Pam User Tracking: $2 16 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Linux/900-dhcpd-device-types.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: Attempt to categorize device types requesting IP's 3 | match: 4 | - field: program 5 | value: dhcpd 6 | - field: message 7 | op: =~ 8 | value: '[0-9a-fA-F][0-9a-fA-F] \(.*([Aa]ndroid|[iI][Pp]hone|[Ss]amsung|[Aa]pple|[Hh][Pp]|[Dd][Ee][Ll][Ll]|[Mm][Bb][Pp]|[Xx][Bb][Oo][Xx]|[Ll][Aa][Pp][Tt][Oo][Pp]|[Dd][Ee][Ss][Kk][Tt][Oo][Pp]|[Aa][Ii][Rr]).*\) 9 | via' 10 | tag: 11 | ut_dhcp_client_types: $1 12 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Linux/900-dnsmasq.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: Track DHCP assignments 3 | match: 4 | - field: program 5 | value: dnsmasq-dhcp 6 | - field: message 7 | op: =~ 8 | value: DHCPACK\S+\s+(\d+.\d+.\d+.\d+)\s+\S+\s+(\S+) 9 | tag: 10 | DNSmasq DHCP Assigned IPs: $1 11 | DNSmasq DHCP Assigned Hostnames: $2 12 | DNSmasq DHCP IP -> Hostname: "$1 -> $2" 13 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Linux/900-linux-procs.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Description: Extract real program name from logger command' 4 | - 'Sample 1: logger: 
[ssl_req][15/May/2020:20:00:05 -0400] 192.168.1.10 TLSv1 DHE-RSA-AES256-SHA "/index.html" 3309' 5 | - 'Regex Check: https://regex101.com/r/UxatXC/2' 6 | match: 7 | field: message 8 | op: =~ 9 | value: '^logger: \[(\w+)\].*\d+\/\w+\/\d{4}[^\]]+\] (.*)' 10 | rewrite: 11 | program: $1 12 | message: $2 13 | - comment: 14 | - 'Description: Extract real program name and remove PID' 15 | - 'Sample 1: crond[27532]: (root) CMD (/usr/lib/sa/sa1)' 16 | - 'Regex Check: https://regex101.com/r/4YSy4r/1' 17 | match: 18 | field: message 19 | op: =~ 20 | value: '^(\w+)\[\d+\]: (.*)' 21 | rewrite: 22 | program: $1 23 | message: $2 24 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Microsoft/599-LZ-Winagent.yaml: -------------------------------------------------------------------------------- 1 | hc_tags: [] 2 | pre_match: 3 | field: message 4 | op: =* 5 | value: LZ_SyslogAgent 6 | rewrite_rules: 7 | - comment: 8 | - Match on Microsoft Events from LZ Winagent 9 | - "Ref: https://github.com/logzilla/extras/tree/master/winagent" 10 | - "Category: Windows Events" 11 | - "Description: Extract user tags from LogZilla's Winagent" 12 | match: 13 | field: program 14 | op: =~ 15 | value: (?:MSWinEventLog|Microsoft-Windows|Windows)-(\S+) 16 | rewrite: 17 | program: MSWin-$1 18 | tag: 19 | Microsoft Windows Event IDs: ${EventID} 20 | - comment: 21 | - Match on Microsoft Events not conforming to normal MS standards 22 | match: 23 | field: program 24 | op: =~ 25 | value: (Service_Control_Manager|gupdatem) 26 | rewrite: 27 | program: MSWin-$1 28 | - comment: Drop Winagent polling updates 29 | drop: true 30 | match: 31 | field: message 32 | op: =~ 33 | value: A token right was adjusted.+LZ-WINAGENT.+Process\s*Name.+LogZilla\\Syslo 34 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Microsoft/600-Microsoft-ATP-Gateway.yaml: 
-------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Description: Strip Zulu TS from events' 4 | match: 5 | - field: message 6 | op: =~ 7 | value: '(.*)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*Z(.*)' 8 | rewrite: 9 | message: "$1 $2" 10 | - comment: 11 | - 'Description: Strip number of times it happened' 12 | - 'Sample: server01 Service_Control_Manager 5216 7031 - \t Microsoft Advanced 13 | Threat Analytics Gateway Updater 14 | service terminated unexpectedly. It has done this 200241 15 | time(s). The following corrective action will be taken in 16 | 5000 milliseconds: Restart the service.' 17 | - 'Pattern Test: https://regex101.com/r/ho7WBW/1' 18 | match: 19 | - field: message 20 | op: =~ 21 | value: '(.*)It has done this \d+ time\S+\.(.*)' 22 | rewrite: 23 | message: "$1$2" 24 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Microsoft/601-lz-mswin-program.yaml: -------------------------------------------------------------------------------- 1 | first_match_only: true 2 | rewrite_rules: 3 | - comment: 4 | - Drop LZ winagent polling events 5 | - 'Note: this is the first rule of a first_match_only file, so it is evaluated before the others and drops any Windows event whose message contains "Process Name" followed anywhere later by "LogZilla" and "SyslogAgent", regardless of event ID; anchor the match on the full agent executable path (and the specific polling event ID) so unrelated security events that merely mention a similar path are not silently discarded' 6 | drop: true 7 | match: 8 | field: message 9 | op: =~ 10 | value: Process Name.+LogZilla.+SyslogAgent 11 | - comment: handle MS Windows events 12 | match: 13 | field: message 14 | op: =~ 15 | value: (\d+)\s+(?:MSWinEventLog|Microsoft-Windows|Windows)-(\S+)\s*(.*) 16 | rewrite: 17 | message: EventID=$1 $3 18 | program: MSWin-$2 19 | tag: 20 | Microsoft Windows Event IDs: $1 21 | - comment: handle MS Windows events from LZ Agent 22 | match: 23 | field: message 24 | op: =* 25 | value: Source="LZ_SyslogAgent" 26 | tag: 27 | Microsoft Windows Event IDs: ${EventID} 28 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Microsoft/606-Microsoft-User-Tracking.yaml: -------------------------------------------------------------------------------- 1 | 
hc_tags: [] 2 | pre_match: 3 | field: ut_Microsoft Windows Event IDs 4 | op: eq 5 | value: "4625" 6 | rewrite_rules: 7 | - comment: 8 | - Match on Failed logons 9 | - 'Ref: http://eventopedia.cloudapp.net/default.aspx?LogType=Windows+Event+Log&LogName=Security&OSVersion=6.0%2c+6.1%2c+6.2%2c+6.3%2c+10&Category=Logon%2fLogoff&Source=Microsoft-Windows-Security-Auditing&TaskCategory=Account+Lockout&EventID=4625&action=go' 10 | - 'Category: Windows Security' 11 | - 'Description: Extract user names from failed login attempts' 12 | match: 13 | field: message 14 | op: =~ 15 | value: An account failed to log on.+Account Name:\s*(.*?)\s*Account Domain.+Source 16 | Network Address:\s*(\S+)\s* 17 | tag: 18 | Microsoft Windows Failed Login Source Networks: $2 19 | Microsoft Windows Failed Login Users: $1 20 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Misc/001-drop-useless.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: Useless mark messages 3 | drop: true 4 | match: 5 | field: message 6 | op: =~ 7 | value: MARK -- 8 | - comment: Drop useless 'last message repeated N times' events 9 | drop: true 10 | match: 11 | field: message 12 | op: =~ 13 | value: message repeated \d+ times 14 | - comment: Drop suppressed 15 | drop: true 16 | match: 17 | field: message 18 | op: =~ 19 | value: \d+ messages suppressed 20 | - comment: Drop empty/blank messages 21 | drop: true 22 | match: 23 | field: message 24 | op: =~ 25 | value: ^$ 26 | - comment: Drop Audit log rotation 27 | drop: true 28 | match: 29 | field: message 30 | op: eq 31 | value: Audit daemon rotating log files 32 | - comment: Drop Tracebacks 33 | drop: true 34 | match: 35 | field: message 36 | op: =~ 37 | value: Traceback=\s+?\S+ \S+ \S+ \S+ 38 | -------------------------------------------------------------------------------- 
/deprecated/rules.d/deprecated/Misc/002-baseboard-mgmt-controller.json: -------------------------------------------------------------------------------- 1 | { 2 | "first_match_only": true, 3 | "rewrite_rules": [ 4 | { 5 | "comment": "Assign program name to BMC Events", 6 | "match": { 7 | "field": "message", 8 | "op": "=*", 9 | "value": "bmcEvent:" 10 | }, 11 | "update": { 12 | "program": "Hardware-BMC" 13 | } 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Misc/002-extract-ips.yaml: -------------------------------------------------------------------------------- 1 | first_match_only: true 2 | rewrite_rules: 3 | - comment: 4 | - "WARNING: This Rule will potentially create a large amount of entries, 5 | make sure you've enabled HC tags on these user tags" 6 | - Tracks Cisco event with IP address and port 7 | - 'Category: Security' 8 | match: 9 | - field: program 10 | value: Cisco 11 | - field: message 12 | op: =~ 13 | value: \b([\d\.]+)/(\d+) (?:\([^\)]+\) )?to (?:\w+:)?([\d\.]+)/(\d+) 14 | tag: 15 | Cisco Destination IPs: $3 16 | Cisco Destination Ports: $4 17 | Cisco Source IPs: $1 18 | Cisco Source Ports: $2 19 | - comment: tag NetScreen event with IP address and port 20 | match: 21 | - field: program 22 | value: NetScreen 23 | - field: message 24 | op: =~ 25 | value: ' src=([a-f\d\.:]+) dst=([a-f\d\.:]+) src-port=(\d+) dst-port=(\d+) ' 26 | tag: 27 | NetScreen Destination IPs: $2 28 | NetScreen Destination Ports: $4 29 | NetScreen Source IPs: $1 30 | NetScreen Source Ports: $3 31 | - comment: tag NetScreen event with IP address 32 | match: 33 | - field: program 34 | value: NetScreen 35 | - field: message 36 | op: =~ 37 | value: ' src=([a-f\d\.:]+) dst=([a-f\d\.:]+) ' 38 | tag: 39 | NetScreen Destination IPs: $2 40 | NetScreen Source IPs: $1 41 | -------------------------------------------------------------------------------- 
/deprecated/rules.d/deprecated/Misc/002-mac-tracker.json: -------------------------------------------------------------------------------- 1 | { 2 | "first_match_only": true, 3 | "rewrite_rules": [ 4 | { 5 | "comment": [ 6 | "WARNING: This Rule will potentially create a large amount of entries, make sure your server is properly scaled to handle it", 7 | "Description: Track MAC Addresses" 8 | ], 9 | "match": { 10 | "field": "message", 11 | "op": "=~", 12 | "value": "([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})" 13 | }, 14 | "tag": { 15 | "ut_mac_address": "$0" 16 | } 17 | } 18 | ] 19 | } 20 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Misc/200-ldap-user-extract.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - Extract Usernames From LDAP entries 4 | - 'user=CN=Foo\20Bar,OU=Baz\20CONTRACTORS\20USERS,OU=CP_CONTRACTORS,DC=example,DC=com' 5 | - 'Note: the CN runs up to the first comma, so the capture excludes the comma rather than the letters O and U - a class like [^OU]+ stops early on any CN containing a capital O or U (e.g. SOUZA) and otherwise swallows the trailing comma' 6 | - 'Note: update.message replaces the whole event text with the CN; if the rest of the event is needed for audit, tag the CN instead of overwriting message' 7 | match: 8 | - field: message 9 | op: =~ 10 | value: 'user=CN=([^,]+)' 11 | update: 12 | message: $1 13 | - comment: 14 | - 'Description: Strip TS from events, we do not need them' 15 | - 'Sample 1: 2019-08-15T23:50:46.712-0400:' 16 | match: 17 | - field: message 18 | op: =~ 19 | value: '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+-\d+:\s+(.*)' 20 | update: 21 | message: $1 22 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Misc/999-rfc5424.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - Detect and warn about incorrect port for rfc5424 style events 4 | match: 5 | - field: program 6 | value: Unknown 7 | - field: message 8 | op: =~ 9 | value: (^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S+\d{2}:\d{2}.+- - .*) 10 | update: 11 | message: "$1 WARNING: Possible RFC5424 style event detected, consider sending these events to port 601" 12 | tag: 13 | ut_invalid_rfc_port: $HOST 
14 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Nginx/800-nginx.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: This rule requires correct format of incoming events from Nginx, see /help/receiving_data/receiving_events_from_nginx 3 | on your LogZilla server. 4 | match: 5 | field: program 6 | op: =* 7 | value: nginx 8 | tag: 9 | NGINX Destination IPs: ${dest_ip} 10 | NGINX Servers: ${server} 11 | NGINX Sites: ${site} 12 | NGINX Sources: ${src} 13 | NGINX Statuses: ${status} 14 | NGINX URI Paths: ${uri_path} 15 | NGINX User Agents: ${http_user_agent} 16 | update: 17 | program: NGINX 18 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/PaloAlto/images/pan-os-threat-dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/rules.d/deprecated/PaloAlto/images/pan-os-threat-dashboard.jpg -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/PaloAlto/images/pan-os-traffic-dashboard.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/rules.d/deprecated/PaloAlto/images/pan-os-traffic-dashboard.jpg -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Polycom_VVX/599-Polycom_VVX.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - Polycom VVX 4 | - 'Description: Cleanup Invalid Syslog Format from Polycom VVX' 5 | match: 6 | field: program 7 | op: =~ 8 | value: (\d+[^|]+\|\d+[^|]+)\|(\S+) 9 | rewrite: 10 | program: 
Polycom_VVX_$2 11 | message: $1$MESSAGE 12 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/SonicWall/501-sonicwall-normalize.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - 'Remove unnecessary time field' 4 | - 'Category: Security' 5 | - 'Note: this discards the device-reported time="..." field, so the message no longer carries the firewall''s own clock; keep the field (or tag it first) if device-side time is needed for timeline reconstruction' 6 | match: 7 | field: program 8 | op: =* 9 | value: SonicWall 10 | replace: 11 | field: message 12 | expr: time="[^"]+"(\s+)? 13 | fmt: " " 14 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/SonicWall/README.md: -------------------------------------------------------------------------------- 1 | # SonicWall Rules 2 | 3 | Be sure to load the associated rules for this dashboard. The relative path and raw URLs below still point at the repository's old `rules.d/untested/SonicWall/` layout; in this tree the rule files (for example `501-sonicwall-normalize.yaml`) sit next to this README under `deprecated/rules.d/deprecated/SonicWall/`, so adjust the paths to wherever the files actually live before running the commands. 4 | 5 | [LINK](../../../dashboards/SonicWall) 6 | 7 | # Or do this from your LogZilla Server: 8 | 9 | ``` 10 | sudo su - 11 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/rules.d/untested/SonicWall/500-sonicwall.yaml' 12 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/rules.d/untested/SonicWall/501-sonicwall-normalize.yaml' 13 | wget 'https://raw.githubusercontent.com/logzilla/extras/master/dashboards/SonicWall/dashboard-sonicwall.yaml' 14 | logzilla rules add 500-sonicwall.yaml 15 | logzilla rules add 501-sonicwall-normalize.yaml 16 | logzilla dashboards import -I dashboard-sonicwall.yaml 17 | ``` 18 | 19 | Review each downloaded rule and dashboard file before loading it: the commands above fetch from a moving branch over the network and run as root, and rewrite rules can drop or alter events, so treat them like any other change to the logging pipeline. 20 | 21 | ##### Sample 22 | 23 | ![Sonicwall Dashboard](../../../dashboards/SonicWall/sonicwall-dashboard-sample.png) 24 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Sungard/999-sungard.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - Sungard 4 | - 'Description: Special rule for Sungard Server' 5 | match: 6 | field: host 7 | op: =* 8 | value: 
SUNGARD 9 | rewrite: 10 | program: Sungard 11 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Sungard/README.md: -------------------------------------------------------------------------------- 1 | # Special file for End User 2 | 3 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Ubiquiti/099-unifi-udm-pro.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: 3 | - Fix UDM hostnames 4 | - Someone should really get Ubiquiti to fix their syslog header 5 | - Sadly, the UDM Pro doesn't even put the hostname in the hostname field 6 | - So you will have to manually do it here :( 7 | - Change the following match value from 50c9676c6d24 to 8 | - match on your UDM's mac address, and manually set the IP 9 | - this is a HORRIBLE way to do it, but Ubi needs to learn how to syslog 10 | match: 11 | field: host 12 | op: =* 13 | value: 50c9676c6d24 14 | rewrite: 15 | host: 192.168.28.1 16 | - comment: 17 | - Fix unifi AP hostnames 18 | - Someone should really get Ubiquiti to fix their syslog header 19 | match: 20 | field: host 21 | op: =~ 22 | value: \(.([^,]+),([[:alnum:]]{6}([[:alnum:]]{6})),v(\d+\.\d+\.\d+\.\d+).+\) 23 | rewrite: 24 | host: $3 25 | program: Unifi-AP 26 | tag: 27 | Ubiquiti MAC IDs: $2$3 28 | Ubiquiti AP Types: $1 29 | Ubiquiti AP Versions: $4 30 | - comment: Extract Leave/Joins 31 | match: 32 | field: message 33 | op: =~ 34 | value: .+UBNT-STA-(\S+) eth\d+.\d+\(([^\)]+)\) 35 | tag: 36 | Ubiquiti Client Leave/Join MACs: $1->$2 37 | Ubiquiti Client Leave/Joins: $1 38 | Ubiquiti Client MACs: $2 39 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/VMWare/801-vmware-misc.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - match: 3 | - field: program 
4 | value: Unknown 5 | - field: message 6 | op: =~ 7 | value: '[Vv][Mm][Ww]are|vpxd|hostd|vsanperfsvc|Vserver|Vpxa|hostd-probe|vmafdd|ajp-nio|HandshakeCompleted|vRealize|\d+\.\d+:\s+Total 8 | time for which appli' 9 | rewrite: 10 | program: VMWare 11 | - comment: 12 | - Clean useless DT 13 | match: 14 | - field: program 15 | op: =~ 16 | value: VMWare 17 | - capture: true 18 | field: message 19 | op: =~ 20 | value: (.*?)\[\d{2}\/\w{3}\/20\d{2}:\d{2}:\d{2}:\d{2}[^\]]+.[^\]]+\]\s+(.*) 21 | rewrite: 22 | message: $1 $2 23 | - comment: 24 | - 'Remove PID, e.g.: error hostd[4257653].*' 25 | - 'Sample: error hostd[4257653] [Originator@6876 sub=Default] [LikewiseGetDomainJoinInfo:354] QueryInformation(): ERROR_FILE_NOT_FOUND (2/0):' 26 | match: 27 | - capture: true 28 | field: message 29 | op: =~ 30 | value: \S+ \w+\[\d+\]\s+(.*) 31 | rewrite: 32 | message: $1 33 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/VMWare/802-vmware-useless.yaml: -------------------------------------------------------------------------------- 1 | rewrite_rules: 2 | - comment: Useless apptime events 3 | drop: true 4 | match: 5 | - field: message 6 | op: =~ 7 | value: '^\d+\.\d+:\s\S+\s+time:\s+\d+\.\d+\s+\S+$' 8 | -------------------------------------------------------------------------------- /deprecated/rules.d/deprecated/Zeek/README.md: -------------------------------------------------------------------------------- 1 | # Bro/Zeek Rules 2 | 3 | # Work in progress, please do not use yet 4 | 5 | 6 | From your Bro/Zeek server, set file format to TSV 7 | 8 | 9 | Edit: 10 | ``` 11 | vi /usr/local/zeek/share/zeek/site/local.zeek 12 | ``` 13 | 14 | Comment out: 15 | ``` 16 | # Output in JSON format 17 | #@load policy/tuning/json-logs.zeek 18 | ``` 19 | 20 | ``` 21 | /usr/local/zeek/bin/zeekctl stop 22 | /usr/local/zeek/bin/zeekctl deploy 23 | ``` 24 | 25 | Get fields list 26 | 27 | ``` 28 | cd /usr/local/zeek/logs/current/ 29 | grep 
'^#' *.log >/tmp/fields 30 | ``` 31 | 32 | # syslog-ng 33 | 34 | requires a newer version of syslog-ng: 35 | 36 | ``` 37 | wget -O /etc/yum.repos.d/czanik-syslog-ng331-epel-7.repo 'https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng331/repo/epel-7/czanik-syslog-ng331-epel-7.repo' 38 | yum install -y syslog-ng 39 | systemctl enable syslog-ng --now 40 | yum -y erase rsyslog 41 | ``` 42 | 43 | Note that this adds a third-party COPR repository to the host; check its GPG signing settings and review what it will install before trusting it on a production collector. 44 | 45 | ## syslog-ng config 46 | 47 | [Zeek syslog-ng config](zeek2logzilla.conf) 48 | 49 | 50 | You may get errors on RHEL/CentOS from syslog-ng about `Can't resolve to absolute path; path='/usr/local/zeek/logs/current', error='Permission denied (13)'` 51 | 52 | This is most likely an SELinux denial: syslog-ng's domain is not allowed to read files under `/usr/local/zeek/logs`. `setenforce permissive` makes it go away, but it switches the whole host to permissive mode. Prefer keeping SELinux enforcing and granting just this access, for example by labelling the Zeek log tree with a type syslog-ng may read (`semanage fcontext -a -t var_log_t '/usr/local/zeek/logs(/.*)?'` followed by `restorecon -Rv /usr/local/zeek/logs`), or by generating a minimal policy module from the logged denial with `audit2allow`. 53 | -------------------------------------------------------------------------------- /deprecated/rules.d/logzilla_appstore.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/rules.d/logzilla_appstore.jpg -------------------------------------------------------------------------------- /deprecated/scripts/cisco-duplex_mismatch-autorepair-slack/README.md: -------------------------------------------------------------------------------- 1 | # Cisco Duplex Mismatch Auto-Remediation 2 | - Match on `CDP-4-DUPLEX_MISMATCH` 3 | - SSH to device and check for `duplex half` 4 | - If exists, fix it! 
5 | - Reports results to Slack channel 6 | 7 | # Script Type: Perl 8 | 9 | **Required Modules** 10 | 11 | File::Sync 12 | Net::DNS::Resolver 13 | JSON 14 | HTTP::Request::Common 15 | LWP::UserAgent 16 | LWP::Protocol::https 17 | 18 | # Script Variables 19 | You will need to create an Incoming Webhook in the Slack admin interface and copy its URL. Treat that URL as a credential: anyone who has it can post to your channel, so do not commit it to version control and restrict the script's file permissions so that only the account that runs it can read it. 20 | 21 | Once you have that, modify the script and set the correct webhook url: 22 | 23 | my $posturl = 'https://hooks.slack.com/services/STRING/STRING/STRING'; 24 | -------------------------------------------------------------------------------- /deprecated/scripts/cisco-interface-UpDown/slack_sample.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/scripts/cisco-interface-UpDown/slack_sample.png -------------------------------------------------------------------------------- /deprecated/scripts/cisco-trunkport-slack/README.md: -------------------------------------------------------------------------------- 1 | # Cisco Trunk Port 2 | - Match on `DTP-5-NONTRUNKPORTON` or `DTP-5-TRUNKPORTON` 3 | - SSH to device and check trunk status 4 | - Gather more information such as `show interface` 5 | - Reports results to Slack channel 6 | 7 | # Script Type: Perl 8 | 9 | **Required Modules** 10 | 11 | File::Sync 12 | Net::DNS::Resolver 13 | JSON 14 | HTTP::Request::Common 15 | LWP::UserAgent 16 | LWP::Protocol::https 17 | 18 | # Script Variables 19 | You will need to create an Incoming Webhook in the Slack admin interface and copy its URL. Treat that URL as a credential: anyone who has it can post to your channel, so do not commit it to version control and restrict the script's file permissions so that only the account that runs it can read it. 20 | 21 | Once you have that, modify the script and set the correct webhook url: 22 | 23 | my $posturl = 'https://hooks.slack.com/services/STRING/STRING/STRING'; 24 | -------------------------------------------------------------------------------- /deprecated/scripts/generic-slack/README.md: -------------------------------------------------------------------------------- 1 | # lz2Slack 2 | The 
lz2slack script will allow matched triggers to be sent to a slack.com channel. 3 | 4 | # Script Type: Perl 5 | Required modules: 6 | --- 7 | File::Sync 8 | Net::DNS::Resolver 9 | JSON 10 | HTTP::Request::Common 11 | LWP::UserAgent 12 | LWP::Protocol::https 13 | 14 | # Script Variables 15 | You will need to create an Incoming Webhook in the Slack admin interface and copy its URL. Treat that URL as a credential: anyone who has it can post to your channel, so do not commit it to version control and restrict the script's file permissions so that only the account that runs it can read it. 16 | 17 | Once you have that, modify the lz5slack.pl script and set the correct webhook url: 18 | 19 | my $posturl = 'https://hooks.slack.com/services/STRING/STRING/STRING'; 20 | -------------------------------------------------------------------------------- /deprecated/triggers/README.md: -------------------------------------------------------------------------------- 1 | # LogZilla Triggers Transition 2 | 3 | The triggers formerly kept in this repository are deprecated: they have been reworked and folded into the LogZilla Apps format, which you enable directly from within the LogZilla interface. To get started, navigate to *Settings->App Store* in the LogZilla UI, or see the official documentation at [https://docs.logzilla.net](https://docs.logzilla.net). 4 | 5 | ![LogZilla's App Store Showcase](logzilla_appstore.jpg) 6 | -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Brocade/Brocade_Bad_Port.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "Brocade: Bad Port", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["faulted due to SFP validation failure. 
Check if the SFP is valid for the configuration."], "field": "message"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Brocade/Brocade_Failed_Login_Alert.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "Brocade: Failed Login Alert", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr"], "field": "message"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Brocade/Brocade_Login_Alert.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "Brocade: Login Alert", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["Event: login, Status: success, Info: Successful login attempt via REMOTE, IP"], "field": "message"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- 
/deprecated/triggers/deprecated/Cisco/cisco-asic-module-error.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: ASIC Module Error","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"SYS-3-SYS_LCPERR3","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-asic-port-error.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: ASIC Port Error","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"SYS-5-SYS_LCPERR5","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-audit-logging.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"add_note":false,"name":"Cisco: Audit Logging","send_webhook_url":"","send_email_template":"","exec_script":false,"mark_actionable":false,"filter":[{"op":"eq","value":[""],"field":"message"},{"op":"eq","value":["PARSER-5-CFGLOG_LOGGEDCMD"],"field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","send_webhook_template":"","mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"GET"} 
-------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-crypto-ike-message-failure.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Crypto IKE Message Failure","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"CRYPTO-4-IKMP_BAD_MESSAGE","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-crypto-packet-failed-mac-verification.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Crypto Packet failed MAC verification","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"CRYPTO-4-RECVD_PKT_MAC_ERR","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-crypto-packet-security-association-missing.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Crypto Packet Security Association 
Missing","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"CRYPTO-4-IKMP_NO_SA","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-dtp-port-channel.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"add_note":false,"name":"Cisco: DTP Port Channel","send_webhook_url":"","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"op":"eq","value":["DTP-5-NONTRUNKPORTON","DTP-5-TRUNKPORTON"],"field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","send_webhook_template":"","mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"GET"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-duplex-mismatch.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"add_note":false,"name":"Cisco: Duplex Mismatch","send_webhook_url":"","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"op":"eq","value":["CDP-4-DUPLEX_MISMATCH"],"field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","send_webhook_template":"","mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"GET"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-error-disabled-port-has-been-reenabled.trigger.json: 
-------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Error disabled port has been reenabled","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"MGMT-5-ERRDISPORTENABLED","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-hsrp-vip-does-not-match-the-standby-vip.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: HSRP VIP does not match the standby VIP","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"STANDBY-3-DIFFVIP1","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-interface-disabled-due-to-misconfiguration.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Interface disabled due to misconfiguration","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"PM-4-ERR_DISABLE","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- 
/deprecated/triggers/deprecated/Cisco/cisco-ios-xr-bgp-max-prefix-exceeded.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":false,"add_note":true,"name":"Cisco IOS-XR: BGP maximum prefix exceeded","send_webhook_url":"","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"op":"eq","value":["ROUTING-BGP-4-MAXPFXEXCEED"],"field":"cisco_mnemonic"}],"send_email":true,"send_webhook_ssl_verify":true,"note_text":"The number of prefixes received from a neighbor exceeds the configured limit.","send_webhook_template":"","mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"GET"} 2 | -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-ios-xr-bgp-max-prefix-warning.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":false,"add_note":true,"name":"Cisco IOS-XR: BGP maximum prefix warning","send_webhook_url":"","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"op":"qp","value":[""],"field":"message"},{"op":"eq","value":["ROUTING-BGP-5-MAXPFX"],"field":"cisco_mnemonic"}],"send_email":true,"send_webhook_ssl_verify":true,"note_text":"Number of prefixes received from a neighbor for a given address family has reached the warning level configured with the max-prefix command","send_webhook_template":"","mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"GET"} 2 | -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-ip-sec-error-packet-missing-from-sadb.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: IPSec Error - 
Packet Missing from SADB","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"CRYPTO-4-RECVD_PKT_INV_SPI","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-non-ip-sec-encapsulated-crypto.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Non IPSec-encapsulated Crypto","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"CRYPTO-4-RECVD_PKT_NOT_IPSEC","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-ospf-hello-unidentified-sender.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: OSPF Hello, Unidentified Sender","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"OSPF-4-NONEIGHBOR","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-ospf-neighbor-change.trigger.json: -------------------------------------------------------------------------------- 1 | 
{"send_webhook":false,"issue_notification":true,"name":"Cisco: OSPF Neighbor Change","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"OSPF-5-ADJCHG","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-ospf-process-received-an-invalid-packet.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: OSPF process received an invalid packet","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"OSPF-4-ERRRCV","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-ospf-received-lsa-with-wrong-mask.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: OSPF received LSA with wrong mask","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"OSPF-4-CONFLICTING_LSAID","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-spanning-tree-bpdu-received-from-another-bridge.trigger.json: 
-------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Spanning Tree BPDU received from another bridge","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"SPANTREE-2-RX_BPDUGUARD","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-spanning-tree-bpdu.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Spanning Tree BPDU","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"SPANTREE-5-MSGAGEEXPIRY","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Cisco/cisco-spanning-tree-root-change.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"add_note":false,"name":"Cisco: Spanning Tree Root Change","send_webhook_url":"","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"op":"eq","value":["SPANTREE-5-ROOTCHANGE"],"field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","send_webhook_template":"","mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"GET"} -------------------------------------------------------------------------------- 
/deprecated/triggers/deprecated/Cisco/cisco-unauthorized-connection-attempt-on-a-secure-port.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Cisco: Unauthorized connection attempt on a secure port.","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"PORT_SECURITY-2-PSECURE_VIOLATION","field":"cisco_mnemonic"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Linux/SSH_Failed_Login_Attempts.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "sudo: Failed Password Attempts", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["incorrect password attempts"], "field": "message"}, {"op": "eq", "value": ["sudo"], "field": "program"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Linux/SSH_Root_Login_Alert.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "su: Root Login Alert", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["session opened for user root"], "field": "message"}, {"op": "eq", "value": [10], "field": 
"facility"}, {"op": "eq", "value": ["su"], "field": "program"}, {"op": "eq", "value": [6], "field": "severity"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Linux/SSH_Root_Session.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "su: Root Session", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["pam_unix(su:session): session opened for user root"], "field": "message"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Linux/SSH_User_Login.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "SSH: User Login", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["Accepted password for"], "field": "message"}, {"op": "eq", "value": ["sshd"], "field": "program"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- 
/deprecated/triggers/deprecated/Microsoft/windows-dns-server-zone-corruption.json: -------------------------------------------------------------------------------- 1 | {"name":"Windows: DNS Server Error","filter":[{"op":"qp","value":["EventID=500"],"field":"message"},{"op":"eq","value":["MSWin-DNS-Server-Service"],"field":"program"}],"mark_known":true,"mark_actionable":true,"issue_notification":true,"send_webhook_method":"GET","send_webhook_ssl_verify":true} 2 | -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-file-added-modified-deleted.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: File Added/Modified/Deleted","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"4663","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-new-firewall-rule-added.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: New Firewall Rule Added","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"2004","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-new-network-connection-established.trigger.json: 
-------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: New Network Connection Established","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"5156","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-new-registry-item-added.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: New Registry Item Added","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"4657","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-new-scheduled-task-added.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: New Scheduled Task Added","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"106","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-new-service-installed.trigger.json: 
-------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: New Service Installed","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"7045","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-powershell-execution.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: Powershell Execution","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"500","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-process-started.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: Process Started","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"4688","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-user-fileshare-accesses.trigger.json: 
-------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: User Fileshare Accesses","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"5140","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Microsoft/windows-user-logon.trigger.json: -------------------------------------------------------------------------------- 1 | {"send_webhook":false,"issue_notification":true,"name":"Windows: User Logon","send_email_template":"","exec_script":false,"mark_actionable":true,"filter":[{"value":"4624","field":"ut_mswin_event_id"}],"send_email":false,"send_webhook_ssl_verify":true,"note_text":"","add_note":false,"mark_known":true,"script_path":"","snmp_trap":false,"is_private":false,"send_webhook_method":"POST"} -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Security/tor-node-ports.trigger.json: -------------------------------------------------------------------------------- 1 | { 2 | "send_webhook": false, 3 | "issue_notification": true, 4 | "add_note": false, 5 | "name": "TOR Node Ports", 6 | "send_webhook_url": "", 7 | "send_email_template": "", 8 | "exec_script": false, 9 | "mark_actionable": true, 10 | "filter": [ 11 | { 12 | "op": "eq", 13 | "value": [ 14 | "" 15 | ], 16 | "field": "message" 17 | }, 18 | { 19 | "op": "eq", 20 | "value": [ 21 | "9000", 22 | "9001", 23 | "19001" 24 | ], 25 | "field": "ut_src_port" 26 | } 27 | ], 28 | "send_email": false, 29 | "send_webhook_ssl_verify": true, 30 | "note_text": "", 31 | "send_webhook_template": "", 32 | "mark_known": true, 33 | "script_path": "", 34 | "snmp_trap": 
false, 35 | "is_private": false, 36 | "send_webhook_method": "GET" 37 | } -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Solaris/Solaris_Failed_User_Login.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "Solaris: Failed User Login", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["Failed keyboard-interactive"], "field": "message"}, {"op": "eq", "value": ["gerstest", "live", "gersprod"], "field": "host"}, {"op": "eq", "value": [4], "field": "facility"}, {"op": "eq", "value": ["sshd"], "field": "program"}, {"op": "eq", "value": [5], "field": "severity"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Solaris/Solaris_Unknown_User_Login.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "Solaris: Unknown User Login", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": false, "filter": [{"op": "eq", "value": ["Illegal user"], "field": "message"}, {"op": "eq", "value": ["gerstest", "live", "gersprod"], "field": "host"}, {"op": "eq", "value": [4], "field": "facility"}, {"op": "eq", "value": ["sshd"], "field": "program"}, {"op": "eq", "value": [6], "field": "severity"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": 
"GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/deprecated/Solaris/Solaris_User_Login.json: -------------------------------------------------------------------------------- 1 | [{"send_webhook": false, "issue_notification": true, "add_note": false, "name": "Solaris: User Login", "send_webhook_url": "", "send_email_template": "", "exec_script": false, "mark_actionable": true, "filter": [{"op": "eq", "value": ["Accepted keyboard-interactive for"], "field": "message"}], "send_email": false, "send_webhook_ssl_verify": true, "note_text": "", "send_webhook_template": "", "mark_known": true, "script_path": "", "snmp_trap": false, "is_private": false, "send_webhook_method": "GET"}] -------------------------------------------------------------------------------- /deprecated/triggers/logzilla_appstore.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/triggers/logzilla_appstore.jpg -------------------------------------------------------------------------------- /deprecated/webinars/README.md: -------------------------------------------------------------------------------- 1 | # To Catch A Thief 2 | 3 | 4 | How a University Uses Cisco ISE and LogZilla NEO To physically Locate Mobile Device Thieves and alert police within seconds 5 | 6 | ![](to-catch-a-thief/images/tcat-header.jpg) 7 | 8 | All files for this Webinar are located in the [to-catch-a-thief](to-catch-a-thief) subdirectory. 9 | 10 | # How to get the most out of your WatchGuard events 11 | 12 | Learn how to extract and track 31 valuable event types such as Source/Dest IP pairs, Top Applications, Policies, Categories, NAT Ports, Geolocations, URLs, Denied Apps, and more 13 | 14 | ![](watchguard/images/focus3-596x335.jpg) 15 | 16 | All files for this Webinar are located in the [watchguard](watchguard) subdirectory. 
17 | 18 | -------------------------------------------------------------------------------- /deprecated/webinars/to-catch-a-thief/images/tcat-header.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/webinars/to-catch-a-thief/images/tcat-header.jpg -------------------------------------------------------------------------------- /deprecated/webinars/to-catch-a-thief/images/tcat-slack.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/deprecated/webinars/to-catch-a-thief/images/tcat-slack.gif -------------------------------------------------------------------------------- /deprecated/webinars/to-catch-a-thief/neo/README.md: -------------------------------------------------------------------------------- 1 | # LogZilla NEO Files 2 | 3 | ## rules.d 4 | 5 | This directory contains rules for adding the meta tags. We've included a script to generate rules based on a tab separated input file, located in the [tsv2NEO directory](tsv2NEO) 6 | 7 | ## scripts 8 | 9 | This directory contains scripts fired by NEO triggers. 10 | 11 | You will need to edit the [`getAP`](scripts) perl script, then copy it to the container: 12 | 13 | ``` 14 | cd scripts 15 | cp ./getAP /var/lib/docker/volumes/lz_data/_data/scripts/ 16 | ``` 17 | 18 | -------------------------------------------------------------------------------- /deprecated/webinars/to-catch-a-thief/neo/tsv2NEO/README.md: -------------------------------------------------------------------------------- 1 | # Purpose 2 | 3 | `tsv2NEO` is used to create a NEO rule based on the input from a tab separated file. 
4 | 5 | **Usage:** 6 | 7 | ``` 8 | cat test.tsv | ./tsv2NEO 9 | ``` 10 | 11 | or, if you have `jq` installed, pretty print it using: 12 | 13 | ``` 14 | cat test.tsv | ./tsv2NEO | jq . 15 | ``` 16 | 17 | To add it to NEO: 18 | 19 | ``` 20 | cat test.tsv | ./tsv2NEO > 000-missing-devices.json 21 | logzilla rules add 000-missing-devices.json 22 | ``` 23 | 24 | # Description 25 | 26 | The script is written to use the following TAB separated columns: 27 | 28 | ``` 29 | devName devMAC1 devMAC2 devSerial contactFileNo contactName contactPhone contactMobile contactEmail searchType notes 30 | ``` 31 | 32 | **example:** 33 | 34 | ``` 35 | Bobs Laptop A4:4C:C8:a1:Fc:30 B0:35:9F:3E:a9:f9 12345A7 17-11282a Detective Picklepants 555-555-5556 555-555-5556 picklepants@dragnet.com stolen Latitude 3215 2-in-1 tablets stolen from Cafeteria Nov. 14-16th 2018 36 | ``` 37 | -------------------------------------------------------------------------------- /deprecated/webinars/to-catch-a-thief/neo/tsv2NEO/test.tsv: -------------------------------------------------------------------------------- 1 | devName devMAC1 devMAC2 devSerial contactFileNo contactName contactPhone contactMobile contactEmail searchType notes 2 | Bobs Laptop A4:4C:C8:a1:Fc:30 B0:35:9F:3E:a9:f9 12345A7 17-11282a Detective Picklepants 555-555-5556 555-555-5556 picklepants@dragnet.com stolen Latitude 3215 2-in-1 tablets stolen from Cafeteria Nov. 
14-16th 2018


--------------------------------------------------------------------------------
/deprecated/webinars/to-catch-a-thief/slack/neobot/neobot.service:
--------------------------------------------------------------------------------
[Unit]
Description=TCAT Alert Bot
After=network.target

[Service]
WorkingDirectory=/opt/neobot
ExecStart=/usr/bin/node server.js
Restart=on-failure
# Runs as root. This appears to be the process the ngrok tunnel (addr 4390 in
# ngrok.yml) exposes to the Internet, so a dedicated unprivileged account
# (User=neobot or similar) would limit what a compromise of server.js can reach.
User=root
#Environment=PORT=4390
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/deprecated/webinars/to-catch-a-thief/slack/neobot/package.json:
--------------------------------------------------------------------------------
{
  "name": "neobot",
  "version": "0.0.1",
  "description": "Provides Middleware for Slack Buttons to push alerts through NEO",
  "main": "server.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "LogZilla Corporation",
  "dependencies": {
    "express": "^4.19.2",
    "request": "^2.88.0"
  }
}

--------------------------------------------------------------------------------
/deprecated/webinars/to-catch-a-thief/slack/ngrok/ngrok.service:
--------------------------------------------------------------------------------
[Unit]
Description=ngrok
After=network.target

[Service]
# No User= line, so this also runs as root; ngrok does not need that.
ExecStart=/opt/ngrok/ngrok start --all --config "/opt/ngrok/ngrok.yml"
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
Type=simple

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/deprecated/webinars/to-catch-a-thief/slack/ngrok/ngrok.yml:
--------------------------------------------------------------------------------
authtoken: 
2xxxxxxxxjmdwrQXjTxxxxxxxxAwfxxxxxxxxA8evGK   # looks masked (runs of x); the real token is a credential and belongs outside version control
region: us
console_ui: false
inspect_db_size: 50000000
log_level: info
log_format: json
log: /var/log/ngrok.log
update_channel: stable
# Binds the ngrok inspection UI on every interface. With inspect: true on the
# tunnel below, that UI shows captured tunnel traffic; prefer 127.0.0.1:4040
# unless remote access to it is intended and filtered.
web_addr: 0.0.0.0:4040
tunnels:
  tcat:
    addr: 4390
    inspect: true
    proto: http
    subdomain: tcat

--------------------------------------------------------------------------------
/howtos/.gitignore:
--------------------------------------------------------------------------------
tmp/
foo
*.swp
.DS_Store

--------------------------------------------------------------------------------
/howtos/README.md:
--------------------------------------------------------------------------------
# Sample trigger scripts


- `Execute_Remote_Commands_on_a_Cisco_Device`

  An older trigger that was written in perl (but does work)

- `trigger-cisco-config`

  A new version of the original perl script, rewritten in python.



--------------------------------------------------------------------------------
/howtos/trigger-cisco-config/Dockerfile:
--------------------------------------------------------------------------------
# Use a logzilla script-server base image
# (the :latest tag is unpinned; pin a version or digest for reproducible, reviewable builds)
FROM logzilla/script-server:latest

# Copy the requirements.txt file to the container
COPY requirements.txt /tmp/requirements.txt

# Install Python dependencies
RUN pip install -r /tmp/requirements.txt \
    --no-cache-dir --break-system-packages --root-user-action=ignore

# Copy script content to the container
RUN mkdir -p /scripts
COPY compliance.py /scripts
COPY compliance.yaml /scripts
RUN chmod +x /scripts/compliance.py

--------------------------------------------------------------------------------
/howtos/trigger-cisco-config/README.md:
--------------------------------------------------------------------------------
# Cisco Device Config Using Netmiko with LogZilla and Slack

The following files are samples for use in the [LogZilla Documentation](https://docs.logzilla.net/02_Creating_Triggers/03_Trigger_Scripts/)

--------------------------------------------------------------------------------
/howtos/trigger-cisco-config/compliance.yaml:
--------------------------------------------------------------------------------
# Cisco credentials (sample values; replace them before use and keep the real
# ones out of version control -- the Dockerfile copies this file into the image as-is)
ciscoUsername: "cisco"
ciscoPassword: "cisco"

# Slack settings (posturl is an incoming-webhook URL; treat it as a secret too)
posturl: "https://hooks.slack.com/services/XXXX/XXX"
default_channel: "#mychannel"
slack_user: "logzilla-bot"

bring_interface_up: true
command_delay: 10
timeout: 10

--------------------------------------------------------------------------------
/howtos/trigger-cisco-config/compose.yml:
--------------------------------------------------------------------------------
services:
  api:
    build:
      context: .
5 | container_name: compliance-script-server 6 | environment: 7 | SCRIPTS_ENABLED: "1" 8 | SCRIPTS_DIR: /scripts 9 | SCRIPTS_LOGS_DIR: /var/log/logzilla/scripts 10 | # LOG_LEVEL: "DEBUG" 11 | volumes: 12 | - /var/log/logzilla/scripts:/var/log/logzilla/scripts 13 | networks: 14 | - lz_network 15 | networks: 16 | lz_network: 17 | name: lz_main 18 | external: true 19 | -------------------------------------------------------------------------------- /howtos/trigger-cisco-config/requirements.txt: -------------------------------------------------------------------------------- 1 | paramiko 2 | requests 3 | pyyaml 4 | netmiko 5 | -------------------------------------------------------------------------------- /howtos/trigger-cisco-config/script_server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | SERVERS: 3 | - name: custom 4 | url: http://compliance-script-server:8000/scripts 5 | -------------------------------------------------------------------------------- /winagent/LogZillaSyslogAgentManual.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/LogZillaSyslogAgentManual.pdf -------------------------------------------------------------------------------- /winagent/LogZilla_SyslogAgent_6.32.1.0.msi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/LogZilla_SyslogAgent_6.32.1.0.msi -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_1.png 
-------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_2.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_3.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_4.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_5.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_6.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_7.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_7.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_8.png -------------------------------------------------------------------------------- /winagent/doc/gpo_deploy/images/gpo_install_9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/doc/gpo_deploy/images/gpo_install_9.png -------------------------------------------------------------------------------- /winagent/images/agent_config.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/images/agent_config.png -------------------------------------------------------------------------------- /winagent/images/appstore_add_app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent/images/appstore_add_app.png -------------------------------------------------------------------------------- /winagent_source/Documents/Documents.vcxitems.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {ee121353-409d-4d2e-8cb3-d88f38be4eab} 6 | 7 | 8 | 9 | 10 | rules 11 | 12 | 13 | rules 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- 
/winagent_source/Documents/LogZillaSyslogAgentManual.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/LogZillaSyslogAgentManual.pdf -------------------------------------------------------------------------------- /winagent_source/Documents/Manual.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/Manual.docx -------------------------------------------------------------------------------- /winagent_source/Documents/SyslogAgentConfig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/SyslogAgentConfig.png -------------------------------------------------------------------------------- /winagent_source/Documents/SyslogAgentConfig_EditRegistry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/SyslogAgentConfig_EditRegistry.png -------------------------------------------------------------------------------- /winagent_source/Documents/SyslogAgentConfig_raw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/SyslogAgentConfig_raw.png -------------------------------------------------------------------------------- /winagent_source/Documents/SyslogAgentRegistry.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/SyslogAgentRegistry.png -------------------------------------------------------------------------------- /winagent_source/Documents/appstore_add_app_edited.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/appstore_add_app_edited.png -------------------------------------------------------------------------------- /winagent_source/Documents/appstore_add_app_raw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/appstore_add_app_raw.png -------------------------------------------------------------------------------- /winagent_source/Documents/logzilla_registry_sample.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Documents/logzilla_registry_sample.reg -------------------------------------------------------------------------------- /winagent_source/Release/EventLogInterface.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Release/EventLogInterface.dll -------------------------------------------------------------------------------- /winagent_source/Release/EventLogInterface.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Release/EventLogInterface.exp 
-------------------------------------------------------------------------------- /winagent_source/Release/EventLogInterface.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Release/EventLogInterface.lib -------------------------------------------------------------------------------- /winagent_source/Release/EventLogInterface.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/Release/EventLogInterface.pdb -------------------------------------------------------------------------------- /winagent_source/UpgradeLog.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/UpgradeLog.htm -------------------------------------------------------------------------------- /winagent_source/UpgradeLog2.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/UpgradeLog2.htm -------------------------------------------------------------------------------- /winagent_source/UpgradeLog3.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/UpgradeLog3.htm -------------------------------------------------------------------------------- /winagent_source/UpgradeLog4.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/UpgradeLog4.htm 
-------------------------------------------------------------------------------- /winagent_source/UpgradeLog5.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/UpgradeLog5.htm -------------------------------------------------------------------------------- /winagent_source/build.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | "C:\Program Files (x86)\msbuild\14.0\bin\msbuild.exe" /nologo build.proj %1 %2 %3 %4 %5 %6 %7 %8 %9 3 | 4 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/Agent.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Agent.rc -------------------------------------------------------------------------------- /winagent_source/source/Agent/Agent.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -console -debug2 5 | WindowsLocalDebugger 6 | 7 | 8 | 9 | WindowsLocalDebugger 10 | 11 | 12 | -debug2 -console 13 | WindowsLocalDebugger 14 | 15 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/ArrayQueue.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/ArrayQueue.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/Bitmap.cpp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Bitmap.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/Bitmap.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Bitmap.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/BitmappedObjectPool.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/BitmappedObjectPool.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/ChannelEventHandlerBase.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/ChannelEventHandlerBase.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/EventHandlerMessageQueuer.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/EventHandlerMessageQueuer.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/EventHandlerMessageQueuer.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/EventHandlerMessageQueuer.h 
-------------------------------------------------------------------------------- /winagent_source/source/Agent/EventLogEvent.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/EventLogEvent.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/EventLogEvent.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/EventLogEvent.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/EventLogSubscription.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/EventLogSubscription.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/EventLogSubscription.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/EventLogSubscription.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/FileWatcher.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/FileWatcher.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/FileWatcher.h: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/FileWatcher.h
--------------------------------------------------------------------------------
/winagent_source/source/Agent/Globals.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Globals.cpp
--------------------------------------------------------------------------------
/winagent_source/source/Agent/Globals.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Globals.h
--------------------------------------------------------------------------------
/winagent_source/source/Agent/LogConfiguration.cpp:
--------------------------------------------------------------------------------
/*
SyslogAgent: a syslog agent for Windows
Copyright © 2021 Logzilla Corp.
*/


#include "stdafx.h"
#include "LogConfiguration.h"

using namespace Syslog_agent;

// Restores this channel's bookmark from the registry. `parent` is accepted for
// interface symmetry but is not used: the lookup goes through the static
// Registry::readBookmark, which is handed channel_ as the name to look up.
// Whatever the registry holds is stored verbatim in bookmark_ — no validation
// of the value happens here.
void LogConfiguration::loadFromRegistry(Registry& parent) {
    bookmark_ = Registry::readBookmark(channel_.c_str());
}

// Persists bookmark_ under channel_ via the static Registry::writeBookmark.
// `parent` is likewise unused. Nothing here checks that channel_ is non-empty,
// and the result of the write (if the call reports one) is discarded.
void LogConfiguration::saveToRegistry(Registry& parent) const {
    Registry::writeBookmark(channel_.c_str(), bookmark_.c_str());
}


--------------------------------------------------------------------------------
/winagent_source/source/Agent/LogConfiguration.h:
--------------------------------------------------------------------------------
/*
SyslogAgent: a syslog agent for Windows
Copyright © 2021 Logzilla Corp.
*/

#pragma once

#include "RecordNumber.h"
#include "Registry.h"

namespace Syslog_agent {

// Per-channel configuration plus its bookmark string. Members are plain public
// fields with no validation. loadFromRegistry/saveToRegistry (LogConfiguration.cpp)
// round-trip bookmark_ through the static Registry::readBookmark/writeBookmark,
// passing channel_ as the name to look up; the `parent` argument is not used by
// that implementation.
class LogConfiguration {
public:
    LogConfiguration() {};
    std::wstring channel_;   // name handed to Registry::readBookmark/writeBookmark
    std::wstring name_;      // NOTE(review): not touched by the visible code — confirm who sets it
    std::string nname_;      // NOTE(review): likewise unused in the visible code
    std::wstring bookmark_;  // stored verbatim from / written verbatim to the registry
    void loadFromRegistry(Registry& parent);
    void saveToRegistry(Registry& parent) const;
};
}

--------------------------------------------------------------------------------
/winagent_source/source/Agent/Logger.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Logger.cpp
--------------------------------------------------------------------------------
/winagent_source/source/Agent/Logger.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Logger.h
--------------------------------------------------------------------------------
/winagent_source/source/Agent/MSG00001.bin:
--------------------------------------------------------------------------------
%1

--------------------------------------------------------------------------------
/winagent_source/source/Agent/MessageQueue.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/MessageQueue.cpp
--------------------------------------------------------------------------------
/winagent_source/source/Agent/MessageQueue.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/MessageQueue.h
-------------------------------------------------------------------------------- /winagent_source/source/Agent/NetworkClient.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/NetworkClient.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/NetworkClient.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/NetworkClient.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/OStreamBuf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/OStreamBuf.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/Options.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | SyslogAgent: a syslog agent for Windows 3 | Copyright © 2021 Logzilla Corp. 
*/

#include "stdafx.h"
#include "Options.h"

using namespace Syslog_agent;

// Minimal command-line lookup over argv. Only the pointers are stored, nothing
// is copied: the caller must keep `values` alive for the lifetime of the
// Options object (true for argv in main/wmain).
Options::Options(int count, wchar_t** values) {
    this->count = count;
    this->values = values;
}

// True when `option` appears anywhere after values[0] (the program name is
// skipped). Matching is whole-token and case-insensitive via _wcsicmp.
bool Options::has(wchar_t* option) const {
    for (auto i = 1; i < count; i++) {
        if (!_wcsicmp(values[i], option)) return true;
    }
    return false;
}

// Returns the token that follows the first occurrence of `option`, or nullptr
// when the option is absent or is the last token on the line.
// The following token is returned verbatim: it is not checked for being
// another option and no other validation happens here, so callers that treat
// it as a host name, port, path or file name must validate it themselves.
wchar_t* Options::getArgument(wchar_t* option) const {
    for (auto i = 1; i < count; i++) {
        if (!_wcsicmp(values[i], option)) {
            if (i < count - 1) {
                return values[i + 1];
            }
            else {
                return nullptr;
            }
        }
    }
    return nullptr;
}
--------------------------------------------------------------------------------
/winagent_source/source/Agent/Options.h:
--------------------------------------------------------------------------------
/*
SyslogAgent: a syslog agent for Windows
Copyright © 2021 Logzilla Corp.
*/

#pragma once

namespace Syslog_agent {

// Thin view over (argc, argv) with case-insensitive option lookup.
// Style note: the option parameters are non-const wchar_t*, which forces
// callers to pass mutable strings; `const wchar_t*` describes the actual use.
class Options {
public:
    Options(int count, wchar_t** values); // stores the pointers; does not copy
    bool has(wchar_t* option) const;                // presence test, skips values[0]
    wchar_t* getArgument(wchar_t* option) const;    // token after `option`, or nullptr
private:
    int count;          // argc
    wchar_t** values;   // argv, owned by the caller
};
}
--------------------------------------------------------------------------------
/winagent_source/source/Agent/PersistentConnections.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"
// NOTE(review): the angle-bracket header names on the next three #include
// lines were lost in extraction; check the repository for the actual headers.
#include
#include
#include
#include "NetworkClient.h"
#include "WindowsEvent.h"

// Style note: `using namespace std;` in a header leaks into every translation
// unit that includes it.
using namespace std;

// Owns a background thread that (re)connects the supplied network clients,
// retrying at a fixed interval until stop() is requested. Only the interface
// is visible here; the thread body (connectThread) lives in the .cpp.
class PersistentConnections
{
public:
    // NOTE(review): template arguments were stripped in extraction; the element
    // type is presumably a smart pointer to NetworkClient — confirm in the repo.
    PersistentConnections(vector>& network_clients);
    ~PersistentConnections();
    bool start(int msec_between_retries); // starts the connect thread; return semantics not visible here
    bool stop();                          // asks the thread to stop
    void waitForEnd();                    // blocks until the thread has finished

private:
    // NOTE(review): `volatile` is not a synchronization primitive in C++. For a
    // flag written by stop() and read by the connect thread, std::atomic<bool>
    // (or relying on stop_event_ alone) gives the required visibility guarantees.
    volatile bool stop_requested_;
    vector> network_clients_;      // presumably a copy of the constructor argument — confirm in the .cpp
    unique_ptr connection_thread_; // template argument stripped in extraction
    int msec_between_retries_;     // retry interval passed to start()
    // Named Windows event used to wake/stop the connect thread.
    // NOTE(review): if WindowsEvent creates a named kernel object with this
    // name, the object is visible to other processes on the host; an unnamed
    // event, or a name under a private namespace with a restrictive security
    // descriptor, limits who can signal it — confirm in WindowsEvent.h.
    WindowsEvent stop_event_{ L"LogZilla_SyslogAgent_PersistentConnections" };

    void connectThread(); // thread body; implemented in the .cpp

    // Free-function trampoline used as the thread entry point — presumably;
    // its definition is not visible here.
    friend void connectThreadStart(PersistentConnections* pers_connections);
};

--------------------------------------------------------------------------------
/winagent_source/source/Agent/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/README.md
--------------------------------------------------------------------------------
/winagent_source/source/Agent/RecordNumber.cpp:
--------------------------------------------------------------------------------
/*
SyslogAgent: a syslog agent for Windows
Copyright © 2021 Logzilla Corp.
*/

#include "stdafx.h"
#include "RecordNumber.h"

using namespace Syslog_agent;

// Event log record number with wraparound-aware ordering. DWORD is an
// unsigned 32-bit value on Windows, so ULONG_MAX is its maximum.

// Wraps a raw value (declared `explicit` in the header, so a DWORD never
// converts to RecordNumber silently).
RecordNumber::RecordNumber(DWORD value) { this->value = value; }

// Copy constructor. Takes a non-const reference, so copying from a const or
// temporary RecordNumber does not compile; `const RecordNumber&` is the
// conventional signature.
RecordNumber::RecordNumber(RecordNumber& other) { value = other.value; }

// Advances by one, wrapping ULONG_MAX back to 0 instead of overflowing.
void RecordNumber::increment() {
    value = value == ULONG_MAX ? 0 : value + 1;
}

// True when this record number is logically ahead of `other`, treating the
// 32-bit space as circular: a numeric gap of at least half the range
// (ULONG_MAX / 2) is read as a wraparound rather than a real gap.
//   other > this by >= half range -> this has wrapped, so this is ahead
//   other < this by <  half range -> this is ahead by a small gap
// Every other case (equal values, or the mirrored gaps) returns false.
// Note: `value&&` is `value &&`; the spacing is misleading but the logic is right.
bool RecordNumber::is_greater(RecordNumber& other) const {
    return
        (other.value > value&& other.value - value >= ULONG_MAX / 2) ||
        (other.value < value && value - other.value < ULONG_MAX / 2);
}

// Implicit conversion back to the raw DWORD.
RecordNumber::operator DWORD () const { return value; }

// Assigns a raw value. Returns the DWORD rather than *this, so a chained
// assignment yields a DWORD, not a RecordNumber.
DWORD RecordNumber::operator=(DWORD new_value) {
    value = new_value;
    return new_value;
}
--------------------------------------------------------------------------------
/winagent_source/source/Agent/RecordNumber.h:
--------------------------------------------------------------------------------
/*
SyslogAgent: a syslog agent for Windows
Copyright © 2021 Logzilla Corp.
*/

#pragma once
// NOTE(review): the angle-bracket header name on the next line was lost in
// extraction; check the repository for the actual header.
#include

namespace Syslog_agent {

// 32-bit event log record number with wraparound-aware comparison;
// see RecordNumber.cpp for the ordering rule.
class RecordNumber {
public:
    explicit RecordNumber(DWORD value);
    RecordNumber(RecordNumber& other);          // non-const parameter: cannot copy from const/temporaries
    bool is_greater(RecordNumber& other) const; // true when *this is logically ahead of other
    void increment();                           // +1, wrapping ULONG_MAX to 0
    operator DWORD() const;                     // implicit conversion to the raw value
    DWORD operator=(DWORD new_value);           // returns the assigned DWORD, not *this

private:
    DWORD value;
};
}
--------------------------------------------------------------------------------
/winagent_source/source/Agent/Result.h:
--------------------------------------------------------------------------------
/*
SyslogAgent: a syslog agent for Windows
Copyright © 2021 Logzilla Corp.
*/

#pragma once

// NOTE(review): the angle-bracket header name on the next line was lost in
// extraction; check the repository for the actual header.
#include
#include "Logger.h"

namespace Syslog_agent {

// Status/error carrier that doubles as an exception: a Win32-style DWORD
// status plus a formatted message. All definitions live in the .cpp.
class Result : public std::exception {
public:
    Result();
    // NOTE(review): these single-argument constructors are not `explicit`, so a
    // bare const char* or DWORD converts to Result implicitly at call sites.
    Result(const char* message);
    Result(DWORD status);
    // printf-style. `format` must be a literal owned by the agent: event text,
    // file names or anything received from the network belongs in the variadic
    // arguments, never in `format`, otherwise '%' directives in that data would
    // be interpreted. (Implementation not visible here; presumably vsnprintf.)
    Result(DWORD status, const char* from, const char* format, ...);
    // Copy constructor with a non-const parameter: cannot copy from const/temporaries.
    Result(Result& other);
    // Builds a Result and logs it at `log_level` in one step; same format-string caveat.
    static Result ResultLog(DWORD status, Logger::LogLevel log_level,
        const char* name, const char* format, ...);
    // std::exception::what() is noexcept in standard C++; this override omits
    // the specifier. MSVC's STL accepts that, but it is non-portable.
    // Presumably returns message_str_.c_str() — confirm in the .cpp.
    const char* what() const override;
    bool isSuccess() const;     // presumably status_ == ERROR_SUCCESS — confirm
    DWORD statusCode() const;   // the raw status
    void log() const;           // writes this result through Logger
    // Helpers that presumably capture GetLastError() and log or throw it —
    // definitions not visible here.
    static void logLastError(const char* from, const char* message);
    static void throwLastError(const char* from, const char* message);

private:
    void setResult(DWORD status, const char* name, const char* message);
    DWORD status_;              // Win32-style status code
    std::string message_str_;   // formatted message backing what()
};
}
--------------------------------------------------------------------------------
/winagent_source/source/Agent/SyslogAgentSharedConstants.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/SyslogAgentSharedConstants.h
-------------------------------------------------------------------------------- /winagent_source/source/Agent/TLS.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/TLS.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/TLS.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/TLS.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/Util.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Util.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/Util.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/Util.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/WindowsEvent.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/WindowsEvent.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/WindowsEvent.h: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/WindowsEvent.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/WindowsTimer.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/WindowsTimer.cpp -------------------------------------------------------------------------------- /winagent_source/source/Agent/WindowsTimer.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/WindowsTimer.h -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libffi-6.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libffi-6.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libgcc_s_seh-1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libgcc_s_seh-1.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libgmp-10.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libgmp-10.dll 
-------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libgnutls-30.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libgnutls-30.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libhogweed-6.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libhogweed-6.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libidn2-0.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libidn2-0.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libnettle-8.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libnettle-8.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libp11-kit-0.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libp11-kit-0.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libssp-0.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libssp-0.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/extra_dlls/libwinpthread-1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/extra_dlls/libwinpthread-1.dll -------------------------------------------------------------------------------- /winagent_source/source/Agent/lib/libgnutls-30.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/lib/libgnutls-30.exp -------------------------------------------------------------------------------- /winagent_source/source/Agent/lib/libgnutls-30.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/Agent/lib/libgnutls-30.lib -------------------------------------------------------------------------------- /winagent_source/source/Agent/message.h: -------------------------------------------------------------------------------- 1 | // 2 | // Values are 32 bit values laid out as follows: 3 | // 4 | // 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 5 | // 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 6 | // +---+-+-+-----------------------+-------------------------------+ 7 | // |Sev|C|R| Facility | Code | 8 | // +---+-+-+-----------------------+-------------------------------+ 9 | // 10 | // where 11 | // 12 | // Sev - is the severity code 13 | // 14 | // 00 - Success 15 | // 01 - 
Informational 16 | // 10 - Warning 17 | // 11 - Error 18 | // 19 | // C - is the Customer code flag 20 | // 21 | // R - is a reserved bit 22 | // 23 | // Facility - is the facility code 24 | // 25 | // Code - is the facility's status code 26 | // 27 | // 28 | // Define the facility codes 29 | // 30 | 31 | 32 | // 33 | // Define the severity codes 34 | // 35 | 36 | 37 | // 38 | // MessageId: MSG_GENERIC 39 | // 40 | // MessageText: 41 | // 42 | // %1 43 | // 44 | #define MSG_GENERIC ((DWORD)0x00000001L) 45 | 46 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/message.mc: -------------------------------------------------------------------------------- 1 | MessageIdTypedef=DWORD 2 | 3 | MessageId=0x1 4 | SymbolicName=MSG_GENERIC 5 | Language=English 6 | %1 7 | . 8 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/message.rc: -------------------------------------------------------------------------------- 1 | LANGUAGE 0x9,0x1 2 | 1 11 "MSG00001.bin" 3 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // Agent.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | 5 | #pragma once 6 | 7 | #include "targetver.h" 8 | 9 | #include 10 | #include 11 | 12 | #include 13 | 
#include 14 | -------------------------------------------------------------------------------- /winagent_source/source/Agent/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /winagent_source/source/Config/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /winagent_source/source/Config/App.xaml: -------------------------------------------------------------------------------- 1 |  4 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /winagent_source/source/Config/App.xaml.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | using System; 6 | using System.Windows; 7 | 8 | namespace SyslogAgent.Config { 9 | public partial class App { 10 | void App_OnStartup(object sender, StartupEventArgs e) { 11 | DispatcherUnhandledException += ShowUnhandledException; 12 | } 13 | 14 | void ShowUnhandledException(object sender, System.Windows.Threading.DispatcherUnhandledExceptionEventArgs e) { 15 | var showException = e.Exception.InnerException ?? 
e.Exception; 16 | var result = MessageBox.Show("An unexpected exception has occured: " 17 | + showException.Message + Environment.NewLine + Environment.NewLine 18 | + "Continuing may result in undefined behavior" + Environment.NewLine 19 | +" Do you want to continue?", "Unexpected Exception", MessageBoxButton.YesNo); 20 | e.Handled = true; 21 | if (result == MessageBoxResult.No) { 22 | Shutdown(); 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /winagent_source/source/Config/Config.csproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | true 5 | 6 | -------------------------------------------------------------------------------- /winagent_source/source/Config/ConfigurationModel.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | namespace SyslogAgent.Config { 6 | public interface ConfigurationModel { 7 | Configuration Configuration { get; set; } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /winagent_source/source/Config/EventLogCandidate.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | namespace SyslogAgent.Config { 6 | public class EventLogCandidate { 7 | public string Path; 8 | public bool IsChosen; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /winagent_source/source/Config/EventLogGroupMember.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 
*/

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows;

namespace SyslogAgent.Config
{
    // One node of the event-log channel tree shown by the config UI: a name plus
    // optional children. Derives from DependencyObject, so instances are bound
    // to the thread that created them.
    // NOTE(review): the generic type arguments on List/ObservableCollection were
    // stripped in extraction; presumably List<EventLogGroupMember> — confirm.
    public class EventLogGroupMember : DependencyObject
    {
        public string Name { get; set; }
        public List ChildMembers { get; set; }
        // Returns null when there are no children; otherwise a fresh
        // ObservableCollection built from ChildMembers on every read. Because a
        // new collection is created per access, a binding that keeps the
        // returned instance sees a snapshot, and edits made through it
        // presumably do not reach ChildMembers — confirm before relying on it.
        public ObservableCollection ObservableChildren
        {
            get
            {
                if (ChildMembers == null)
                    return null;
                return new ObservableCollection(ChildMembers);
            }
        }
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/Globals.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
*/

/* Not going to refactor whole program to pass base state, just using global */


using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace SyslogAgent.Config
{
    // Process-wide mutable state shared by the config UI (see the author's note above).
    static class Globals
    {
        private static string exe_file_path_;
        // Directory the config executable runs from. Lazily defaults to the
        // AppDomain base directory and may be overridden through the setter.
        // The lazy initialisation is not synchronised, which is fine for a
        // UI-thread-only application. Presumably used to locate files that
        // ship next to the executable — confirm at the call sites.
        public static string ExeFilePath
        {
            get
            {
                if (exe_file_path_ == null)
                    exe_file_path_ = AppDomain.CurrentDomain.BaseDirectory;
                return exe_file_path_;
            }
            set
            {
                exe_file_path_ = value;
            }
        }

        public static EventLogGroupMember EventLogTop { get; set; } // root of the channel tree
        // File names of the TLS material for the primary and secondary servers —
        // presumably; nothing here checks that the files exist or are readable,
        // so that validation belongs wherever these values are consumed.
        public static string PrimaryTlsFilename { get; set; }
        public static string SecondaryTlsFilename { get; set; }
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/ICheckedTreeView.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
*/

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace SyslogAgent.Config
{
    // View abstraction over a tree of checkable items.
    // NOTE(review): the generic argument on List was stripped in extraction.
    public interface ICheckedTreeView
    {
        List GetMembers();
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/IOptionListView.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
*/

namespace SyslogAgent.Config {
    // View abstraction over a single-choice list; Option is the selected index.
    public interface IOptionListView {
        int Option { get; set; }
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/IOptionView.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
*/

namespace SyslogAgent.Config {
    // View abstraction over a single on/off option.
    public interface IOptionView {
        bool IsSelected { get; set; }
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/ISelectionListView.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
3 | */ 4 | 5 | namespace SyslogAgent.Config { 6 | public interface ISelectionListView { 7 | void Add(string name, bool isChosen); 8 | bool IsChosen(int index); 9 | void SetIsChosen(int index, bool isChosen); 10 | int Count { get; } 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /winagent_source/source/Config/IStringView.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | namespace SyslogAgent.Config { 6 | public interface IStringView { 7 | string Content { get; set; } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /winagent_source/source/Config/IThreeStateOptionView.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | using System; 6 | using System.Collections.Generic; 7 | using System.Linq; 8 | using System.Text; 9 | using System.Threading.Tasks; 10 | 11 | namespace SyslogAgent.Config 12 | { 13 | public interface IThreeStateOptionView 14 | { 15 | bool? IsSelected { get; set; } 16 | } 17 | } 18 | 19 | 20 | -------------------------------------------------------------------------------- /winagent_source/source/Config/IValidatedOptionView.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 
3 | */ 4 | 5 | using System; 6 | using System.Collections.Generic; 7 | using System.Linq; 8 | using System.Text; 9 | using System.Threading.Tasks; 10 | 11 | namespace SyslogAgent.Config 12 | { 13 | public interface IValidatedOptionView : IOptionView 14 | { 15 | bool IsValid { get; set; } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /winagent_source/source/Config/IValidatedStringView.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | namespace SyslogAgent.Config { 6 | public interface IValidatedStringView { 7 | string Content { get; set; } 8 | bool IsValid { set; } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /winagent_source/source/Config/OptionListButtons.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | using System.Collections.Generic; 6 | using System.Windows.Controls; 7 | 8 | namespace SyslogAgent.Config { 9 | public class OptionListButtons : IOptionListView { 10 | 11 | public OptionListButtons(RadioButton[] radioButtons) { 12 | this.radioButtons = new List(radioButtons); 13 | } 14 | 15 | public int Option { 16 | get { return radioButtons.FindIndex(b => b.IsChecked.GetValueOrDefault()); } 17 | set { radioButtons[value].IsChecked = true; } 18 | } 19 | 20 | readonly List radioButtons; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /winagent_source/source/Config/OptionListCombo.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 
3 | */ 4 | 5 | using System.Windows.Controls; 6 | 7 | namespace SyslogAgent.Config { 8 | public class OptionListCombo: IOptionListView { 9 | public OptionListCombo(ComboBox comboBox) { 10 | this.comboBox = comboBox; 11 | } 12 | 13 | public int Option { 14 | get { return comboBox.SelectedIndex; } 15 | set { comboBox.SelectedIndex = value; } 16 | } 17 | 18 | readonly ComboBox comboBox; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /winagent_source/source/Config/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.InteropServices; 3 | 4 | [assembly: AssemblyTitle("Syslog Agent Config")] 5 | [assembly: AssemblyDescription("Configuration GUI for syslog agent for Windows.")] 6 | [assembly: AssemblyProduct("Syslog Agent for Windows")] 7 | [assembly: AssemblyCopyright("Copyright © 2021 LogZilla Corp. All rights reserved.")] 8 | [assembly: ComVisible(false)] 9 | [assembly: AssemblyVersion("6.30.2.0")] 10 | [assembly: AssemblyFileVersion("6.30.2.0")] 11 | -------------------------------------------------------------------------------- /winagent_source/source/Config/Properties/Settings.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 
8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace SyslogAgent.Config.Properties { 12 | 13 | 14 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 15 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "17.8.0.0")] 16 | internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase { 17 | 18 | private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings()))); 19 | 20 | public static Settings Default { 21 | get { 22 | return defaultInstance; 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /winagent_source/source/Config/Properties/Settings.settings: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /winagent_source/source/Config/README.md: -------------------------------------------------------------------------------- 1 | # Config - C# Project 2 | 3 | Part of: SyslogAgent: a syslog agent for Windows 4 | Copyright © 2021 LogZilla Corp. 5 | 6 | ## Description 7 | 8 | This project is a C# project that provides a configuration app for the 9 | LogZilla Windows Syslog Agent service utility. This app allows options 10 | such as: which LogZilla server to send logs to and which logs to send, 11 | with multiple detailed options for configuring these functions. 12 | -------------------------------------------------------------------------------- /winagent_source/source/Config/ServiceModel.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 
*/

using System;

namespace SyslogAgent.Config {
    // Abstraction over the agent Windows service as seen by the config UI.
    // NOTE(review): a generic argument on Action may have been stripped in
    // extraction (e.g. Action<string> for a status callback) — confirm.
    public interface ServiceModel {
        string Status { get; }                 // current service state, as text
        void Restart(Action showStatus );      // restarts the service, reporting progress through showStatus
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/StartupWindow.xaml:
--------------------------------------------------------------------------------





--------------------------------------------------------------------------------
/winagent_source/source/Config/StringTextBox.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
*/

using System.Windows.Controls;

namespace SyslogAgent.Config {
    // IStringView adapter over a WPF TextBox: Content reads and writes the
    // box's Text directly, with no validation.
    public class StringTextBox: IStringView {
        public StringTextBox(TextBox textBox) {
            this.textBox = textBox;
        }

        public string Content {
            get { return textBox.Text; }
            set { textBox.Text = value; }
        }
        readonly TextBox textBox;
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/Transport.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
*/

namespace SyslogAgent.Config {
    // Transport used to deliver syslog messages to the server.
    // The explicit numeric values suggest the ordinal is persisted (registry
    // or config file) and read by the agent — presumably; keep the numbering
    // stable and append new members rather than reordering.
    public enum Transport {
        Udp = 0, UdpAfterPing = 1, Tcp = 2
    }
}
--------------------------------------------------------------------------------
/winagent_source/source/Config/ValidatedOptionCheckBox.cs:
--------------------------------------------------------------------------------
/* SyslogAgentConfig: configuring a syslog agent for Windows
Copyright © 2021 LogZilla Corp.
3 | */ 4 | 5 | using System.Windows.Controls; 6 | 7 | namespace SyslogAgent.Config { 8 | public class ValidatedOptionCheckBox: IValidatedOptionView { 9 | 10 | public ValidatedOptionCheckBox(CheckBox checkBox) { 11 | this.checkBox = checkBox; 12 | } 13 | 14 | public bool IsSelected { 15 | get { return checkBox.IsChecked.GetValueOrDefault(); } 16 | set { checkBox.IsChecked = value; } 17 | } 18 | 19 | bool IValidatedOptionView.IsValid { get; set; } 20 | 21 | readonly CheckBox checkBox; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /winagent_source/source/Config/ValidatedOptionRadioButton.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | using System.Windows.Controls; 6 | 7 | namespace SyslogAgent.Config { 8 | public class ValidatedOptionRadioButton : IValidatedOptionView { 9 | private readonly RadioButton _radioButton; 10 | 11 | public ValidatedOptionRadioButton( RadioButton radioButton ) 12 | { 13 | _radioButton = radioButton; 14 | } 15 | 16 | public bool IsSelected 17 | { 18 | get => _radioButton.IsChecked ?? false; 19 | set => _radioButton.IsChecked = value; 20 | } 21 | bool IValidatedOptionView.IsValid { get; set; } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /winagent_source/source/Config/ValidatedTextBox.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 
3 | */ 4 | 5 | using System.Windows; 6 | using System.Windows.Controls; 7 | using System.Windows.Media; 8 | 9 | namespace SyslogAgent.Config { 10 | public class ValidatedTextBox: IValidatedStringView { 11 | public ValidatedTextBox(TextBox textBox) { 12 | this.textBox = textBox; 13 | } 14 | 15 | public string Content { 16 | get { return textBox.Text; } 17 | set { textBox.Text = value; } 18 | } 19 | 20 | public bool IsValid { 21 | set { textBox.Foreground = value ? SystemColors.ControlTextBrush 22 | : new SolidColorBrush(Color.FromRgb(255, 0, 0)); } 23 | } 24 | 25 | readonly TextBox textBox; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /winagent_source/source/Config/app.manifest: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /winagent_source/source/Config/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/EventLogCreator.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 
3 | */ 4 | 5 | using System; 6 | using System.Collections.Generic; 7 | using System.Linq; 8 | using System.Text; 9 | using System.Threading.Tasks; 10 | using System.Diagnostics; 11 | 12 | namespace EventGenerator 13 | { 14 | public static class EventLogCreator 15 | { 16 | const string MESSAGE_FILENAME = "EventLogMessages.dll"; 17 | public const string LOG_SOURCE_NAME = "EventGenerator"; 18 | 19 | public static void CreateEventLog() 20 | { 21 | if (EventLog.SourceExists(LOG_SOURCE_NAME)) 22 | return; 23 | 24 | EventSourceCreationData creation_data 25 | = new EventSourceCreationData(LOG_SOURCE_NAME, "Application") 26 | { 27 | MessageResourceFile = MESSAGE_FILENAME, 28 | CategoryResourceFile = MESSAGE_FILENAME, 29 | ParameterResourceFile = MESSAGE_FILENAME, 30 | CategoryCount = 3, 31 | MachineName = "." 32 | }; 33 | 34 | EventLog.CreateEventSource(creation_data); 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/EventLogMessages.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventGenerator/EventLogMessages.dll -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/EventLogMessages.rc: -------------------------------------------------------------------------------- 1 | LANGUAGE 0x9,0x1 2 | 1 11 "Messages_ENU.bin" 3 | LANGUAGE 0x19,0x0 4 | 1 11 "Messages_RUS.bin" 5 | -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/EventLogMessages.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventGenerator/EventLogMessages.res 
-------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/Messages_ENU.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventGenerator/Messages_ENU.bin -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/Messages_RUS.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventGenerator/Messages_RUS.bin -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/Program.cs: -------------------------------------------------------------------------------- 1 | /* SyslogAgentConfig: configuring a syslog agent for Windows 2 | Copyright © 2021 LogZilla Corp. 3 | */ 4 | 5 | using System; 6 | using System.Collections.Generic; 7 | using System.Linq; 8 | using System.Text; 9 | using System.Threading; 10 | using System.Threading.Tasks; 11 | 12 | using EventGenerator; 13 | 14 | namespace EventGenerator 15 | { 16 | class Program 17 | { 18 | static void Main(string[] args) 19 | { 20 | EventLogCreator.CreateEventLog(); 21 | var gen = new EventGenerator(); 22 | Console.WriteLine("Sending event..."); 23 | gen.WriteFakeEvent(); 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /winagent_source/source/EventGenerator/README.md: -------------------------------------------------------------------------------- 1 | # EventGenerator - C# Project 2 | 3 | Part of: SyslogAgent: a syslog agent for Windows 4 | Copyright © 2021 LogZilla Corp. 
5 | 6 | ## Description 7 | 8 | This project is a simple C# console application that generates Windows 9 | events, for the purpose of verifying that the Windows Syslog Agent app 10 | is able to correctly read and communicate those events. 11 | 12 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/EventLogInterface.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/README.md -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/Cl.items.tlog: -------------------------------------------------------------------------------- 1 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\EventLogInterface.cpp;E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\Release\EventLogInterface.obj 2 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\pch.cpp;E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\Release\pch.obj 3 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/EventLogInterface.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v143:VCToolArchitecture=Native32Bit:VCToolsVersion=14.39.33519:TargetPlatformVersion=10.0.22621.0: 2 | Release|Win32|E:\Source\Mine\Logzilla\syslogagent\syslogagent\| 3 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.secondary.1.tlog: -------------------------------------------------------------------------------- 1 | ^E:\SOURCE\MINE\LOGZILLA\SYSLOGAGENT\SYSLOGAGENT\SOURCE\EVENTLOGINTERFACE\RELEASE\EVENTLOGINTERFACE.OBJ|E:\SOURCE\MINE\LOGZILLA\SYSLOGAGENT\SYSLOGAGENT\SOURCE\EVENTLOGINTERFACE\RELEASE\PCH.OBJ 2 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\Release\EventLogInterface.lib 3 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\Release\EventLogInterface.EXP 4 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\Release\EventLogInterface.IPDB 5 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\Release\EventLogInterface.iobj 6 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLog.4e3dda78.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.Build.CppClean.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLogInterface.Build.CppClean.log -------------------------------------------------------------------------------- 
/winagent_source/source/EventLogInterface/Release/EventLogInterface.dll.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\Release\EventLogInterface.dll 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLogInterface.iobj -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLogInterface.ipdb -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.log: -------------------------------------------------------------------------------- 1 |  pch.cpp 2 | EventLogInterface.cpp 3 | E:\Source\Mine\Logzilla\syslogagent\syslogagent\source\EventLogInterface\EventLogInterface.cpp(109,46): warning C4018: '>': signed/unsigned mismatch 4 | (compiling source file '/EventLogInterface.cpp') 5 | 6 | Creating library E:\Source\Mine\Logzilla\syslogagent\syslogagent\Release\EventLogInterface.lib and object E:\Source\Mine\Logzilla\syslogagent\syslogagent\Release\EventLogInterface.exp 7 | Generating code 8 | Previous IPDB not found, fall back to full compilation. 9 | All 9 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 
10 | Finished generating code 11 | EventLogInterface.vcxproj -> E:\Source\Mine\Logzilla\syslogagent\syslogagent\Release\EventLogInterface.dll 12 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLogInterface.obj -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLogInterface.pch -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/EventLogInterface.vcxproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/EventLogInterface.vcxproj.FileListAbsolute.txt -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/pch.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/pch.obj -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/Release/vc143.pdb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/logzilla/extras/a73d1f3fef6f1ae4c4d6cc94a36a95c0170f34a3/winagent_source/source/EventLogInterface/Release/vc143.pdb -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /winagent_source/source/EventLogInterface/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | --------------------------------------------------------------------------------