diff --git a/.ci/jobs/beats-release-minor-major.yml b/.ci/jobs/beats-release-minor-major.yml new file mode 100644 index 00000000000..91c7d105fb8 --- /dev/null +++ b/.ci/jobs/beats-release-minor-major.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-minor-major + display-name: 'Prepare Major/minor Release' + description: 'Automate the steps to prepare a new Release branch' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-minor-major.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master diff --git a/.ci/jobs/beats-release-patch.yml b/.ci/jobs/beats-release-patch.yml new file mode 100644 index 00000000000..4d205f79647 --- /dev/null +++ b/.ci/jobs/beats-release-patch.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-patch + display-name: 'Prepare Patch Release' + description: 'Automate the steps to prepare a new Patch' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-patch.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master diff --git a/.ci/jobs/folders.yml b/.ci/jobs/folders.yml index 60b6e3eff92..4b6cc5c4944 100644 --- a/.ci/jobs/folders.yml +++ b/.ci/jobs/folders.yml @@ -4,3 +4,8 @@ name: Beats description: Beats project-type: folder + +- job: + name: Beats/Release + description: Jobs for release preparation + project-type: folder diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 67cac68940c..76a7f1edeb6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -22,6 +22,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added `certificate` TLS verification mode to ignore server name mismatch. {issue}12283[12283] {pull}20293[20293] - Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] - Remove redundant `cloudfoundry.*.timestamp` fields. This value is set in `@timestamp`. {pull}21175[21175] +- Allow embedding of CAs, Certificate of private keys for anything that support TLS in ouputs and inputs https://github.com/elastic/beats/pull/21179 *Auditbeat* @@ -174,6 +175,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - [Autodiscover] Handle input-not-finished errors in config reload. {pull}20915[20915] - Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] - Fix `libbeat.output.write.bytes` and `libbeat.output.read.bytes` metrics of the Elasticsearch output. {issue}20752[20752] {pull}21197[21197] +- The `o365input` and `o365` module now recover from an authentication problem or other fatal errors, instead of terminating. {pull}21259[21258] *Auditbeat* @@ -267,7 +269,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove wrongly mapped `tls.client.server_name` from `fortinet/firewall` fileset. {pull}20983[20983] - Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] - Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] +- Handle multiple upstreams in ingress-controller. {pull}21215[21215] - Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] +- Fix checkpoint module when logs contain time field. {pull}20567[20567] *Heartbeat* @@ -363,6 +367,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436[18436] - Fields from Winlogbeat modules were not being included in index templates and patterns. {pull}18983[18983] +- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] *Functionbeat* @@ -717,6 +722,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Sanitize `event.host`. {pull}21022[21022] - Add overview and platform health dashboards to Cloud Foundry module. {pull}21124[21124] - Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] +- Add dashboard for pubsub metricset in googlecloud module. {pull}21326[21326] {issue}17137[17137] *Packetbeat* diff --git a/Jenkinsfile b/Jenkinsfile index 9121d0d48cf..119cea9b3ab 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -107,22 +107,17 @@ pipeline { mapParallelTasks["${k}"] = v } } + notifyBuildReason() parallel(mapParallelTasks) } } } - post { - always { - dir("${BASE_DIR}"){ - // Archive the markdown files that contain the build reasons - archiveArtifacts(allowEmptyArchive: false, artifacts: 'build-reasons/*.md') - } - } - } } } post { always { + deleteDir() + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") runbld(stashedTestReports: stashedTestReports, project: env.REPO) } cleanup { @@ -546,6 +541,17 @@ def isDockerInstalled(){ } } +/** +* Notify the build reason. +*/ +def notifyBuildReason() { + // Archive the build reason here, since the workspace can be deleted when running the parallel stages. + archiveArtifacts(allowEmptyArchive: true, artifacts: 'build-reasons/*.*') + if (isPR()) { + echo 'TODO: Add a comment with the build reason (this is required to be implemented in the shared library)' + } +} + /** * This class is the one used for running the parallel stages, therefore * its arguments are passed by the beatsStages step. diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b4888ec8c5e..8a145ff8724 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -105135,6 +105135,46 @@ type: array -- +*`nginx.ingress_controller.upstream_address_list`*:: ++ +-- +An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.length_list`*:: ++ +-- +An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.time_list`*:: ++ +-- +An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.status_code_list`*:: ++ +-- +An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing. + + +type: keyword + +-- + *`nginx.ingress_controller.http.request.length`*:: + -- @@ -105182,7 +105222,7 @@ type: keyword *`nginx.ingress_controller.upstream.response.length`*:: + -- -The length of the response obtained from the upstream server +The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored. type: long @@ -105194,7 +105234,7 @@ format: bytes *`nginx.ingress_controller.upstream.response.time`*:: + -- -The time spent on receiving the response from the upstream server as seconds with millisecond resolution +The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored. type: double @@ -105206,40 +105246,40 @@ format: duration *`nginx.ingress_controller.upstream.response.status_code`*:: + -- -The status code of the response obtained from the upstream server +The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field. type: long -- -*`nginx.ingress_controller.http.request.id`*:: +*`nginx.ingress_controller.upstream.ip`*:: + -- -The randomly generated ID of the request +The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. -type: keyword +type: ip -- -*`nginx.ingress_controller.upstream.ip`*:: +*`nginx.ingress_controller.upstream.port`*:: + -- -The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. +The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. -type: ip +type: long -- -*`nginx.ingress_controller.upstream.port`*:: +*`nginx.ingress_controller.http.request.id`*:: + -- -The port of the upstream server. +The randomly generated ID of the request -type: long +type: keyword -- diff --git a/filebeat/module/nginx/fields.go b/filebeat/module/nginx/fields.go index 2f9e50ceb60..4e622f85db6 100644 --- a/filebeat/module/nginx/fields.go +++ b/filebeat/module/nginx/fields.go @@ -32,5 +32,5 @@ func init() { // AssetNginx returns asset data. // This is the base64 encoded gzipped contents of module/nginx. func AssetNginx() string { - return "eJzsWM9u48YPvucpiP1dfgUSPYAPBYotFsihRVH00Jt3rKFkIqOhSo6c+u2LkeQ/kUe25GS3PUinRDK/7+OQwxnyCV5wvwJfkv/7ASBQcLiCT7/G/z89AFjUXKgOxH4FPz4AAPzCtnEIBQvURpR8CWGL0JqA4xIKcqjZA4BuWcI6Z19QuYIgDT4AFITO6qqFegJvKjzRxyfsa1xBKdzU/ZuEhvh8aYGgEK7GBMTnnO+c0+Q5qh5fp4ivkMfnM/tgyGtP0a7ISUiHH/UcpaTknEsSrDjgmuq1Iw1vfnKQZ0TMfvDlisT4/OQ7K+CiZ4Dn38BYK6iKmsFzAFIwEElhg7lpFIHalzlXFXsIDORz11h8hA0qWdTW09wR+qFQOIN/fEPVxWqLxqIoOHpB+Prn0xeWVyMWbfzra3aB9jsaB8qN5K1wUhDUwII26vrafcmoPjNNru6G7X6t6EO22QfU9PI6MsMvtQnbFWxDqDNBrdkrZhErCVNRKaaLRJ/vl0IaRVnHP2dKiHZZwm4KZ4Vhy/Y+n/9qUEOWRJjkrri5jorLWKgkb4amUwij7PUORYn9PR6nTacwH/JjnbOdG923CabBhEZTONN0FCiC8p54j2BMoTflZVWYktzr1nBu6Mf32LiOYZWHkcp8DmlxR/kwGtddS7rX4aQ28jUvh2pGzGdqeacITpHMlMCaFY1zqYI4T8oYwnw975WSzt97tIwjzdoNJTIN0/3+jZCzD+TRh/eseH9sl8jZTbypC59z44Ps16Scqpx3SbuJOFWc47z92ftFXUGaKkawJPYfFL/rYJODR2H/UQl1BWrmCn1cKt0GHJN2kIQiLN+uYWnhZ/UrOXuPeWjdSt8tHftyXrfy+YgJZNEHKgjlxs3e4Q7n3jEdl1nKbsr9ph7xdpytFo7dYHZpOYUv3M0XtoLGZnexVqhqyrnX2LTVrdQmX8YWcR2PAmHn8Jvk+XPH0uf7iWvp1f8rvfr/DpnwdBYdrTGngvI+HqM937F1cejLsJ1akAqWyoQVpNr5G+H6Y4vQk0JHCv/vFp98efpCHh/7pXwE4+3xy4bt/ofb/gQamRVYbjZu+Ongj20kdU245RJVCOhMrWhByefYZk9BEvXGJYJXlOi2safZWyK5jp1YrUHQVKlbdefFC+5fWYYlasLSR8S4U6KCI811EcYFFG8C7XB8BPMhgs6Ypoo7dv/fNYH7xO1lHzQAb2INxbMgH3SCouwGg4FxX75r8m4RIl8sGT4AexDMkXaHGfXRuTGfwCgo5uytwiuFLVTkHHVvojW75kLVuOvjQ5x7b0fRwQ4VIuoHBe1NsRm5a9y9J8R4y5XbQ4kexQS08PzzSXhLen09R1rXi9cTxJxOuGHd6Ncng+cCFHco8SBrX/UFLx5IJo/ybSPn5b2/a5EvHyMiydkhagRBsTad35t9e0gbvVEHapb0jeK+hIlwY+5ev1gvI/NlZL6MzJeR+TIyX0bm1/UsI/NlZL6MzJeR+b88Mv8nAAD///5cnQ8=" + return "eJzsWcFu4zYQvecrBttLCyT6AB8KFFsskEOLouihNy8tjuTBUhx1SCX13xeUZFmRKFuSkzQLWKdEMue9eTNDDskH+IaHDdic7L93AJ68wQ18+j38/+kOQKNLhUpPbDfw8x0AwG+sK4OQsUCpxJHNwe8R6iFgOIeMDLrkDsDtWfw2ZZtRvgEvFd4BZIRGu01t6gGsKvAEHx5/KHEDuXBVtm8iHMLzpTYEmXAxRSA8fbw+pkpTdK57HQM+Ax6ez2y9IutaiFqRE5HGfuDTUYnR6VMSLNjjlsqtIedf/ORIT4mow+DLGYrh+cU2o4CzFgEe/wCltaBz6BJ49EAOFARQ2GGqKodA9cuUi4IteAayqak03sMOHWl0taepIbRDotAzf/8CqonVHpVGcWDoG8LXvx++sDwr0ajDX1+TkbU/URlwXElaEycHgs6zoA68vjZfEip7Q6Pq7lgftg6tT3YHjy4uryE1/FIqv9/A3vsyEXQlW4dJsBU1U1AuqolEm+9jIpVD2YY/F1II45LIuDmYBfo963U+/1Oh80nUwix3xSx1VEzCQjlZNRw6BzDQ3j6hOGK7xuP40DnIx/zYpqyXRvdlgjmvfOVidubxyFAE5Zp4T9iYA6/y8awwJ7m39cCloZ+usWkew1keJmbmvkmNT5QOo3Hetah7jZ1YIZ/zcshmYvhCLleS4BjIQgrskqwyJjYhLqMyZWE5n2upxPN3DZdpS4uqIUemYbqvL4SUrSeL1l+jeLts58jJRXtzhU+5sl4OW3IcmzlXUbtocS45w2n9s+tJnbE0l4xgTmxfKX7njc0OHvnDayXUGVMLFXq9VLpscIrakRKKsLzdhqU2v2i/krK1mPrarXhvadjmy3YrnzubQBqtp4xQLnT2Bp9waY9pOE9i4+b0N+WEt9NopXDYDSbjkXPw/Go8vxdUOlmFWqBzKl/axsZHXUptsnnYIm7DUiBsDL5Jnj82KG2+n7Bue/WPslf/4ZgJD73ouBJTyiht4xHv90vnBVWxbR2Yjso3PDyzDAtiQVyCmEe4haHZKw8On1CUOZlwKGHHOcJ8RsE6SVXqUYOuhGwO7fbsWOFk8+SsIKctpUGb+/0bCtN5dISEBvI70MZTge+qjK6a+fA70KZ3FPGuEjW4EHA/nEovTkqaLJ/b/2QshfIbiJ0eXtDrrz12DBtQ+LGZ6/vcDVm8b2fue1BWd192rA8/XfYnFEPUG83Vzgw/Hf05ZvRCl6hAQKNKhxoc2RTr+TUjCXyDRE2kQhtzOuqPrGWj/J08YF2VqkH6YHG4AFwoImU8ilWennD6xPdVCPWQ5pIbrAzvlMBt4ra0u2rnXWjZsBfkQQkn8Jh15d1W9bwqvh/xCOZdVRRKuhW9qIyn0uBo8QozTNPCLFlM3q1+9ggBLzRJ1gNbEEyRno63cp03Y1mVA4cpW+3gmfweCjKGmjdhGJsqgI57vNVhmCd78GaF6NMH5mt3okHa3hr0lhk7wh5Jx9YcGv3OMOqIGOVCLuBJRqCwQFK7Jbog6sRZ4ej1DAFPW4pR6/z6Zd2JdKX/JUu8y1mXRMHcx/f+RQswceCweqUSZTUX5gA5WhQV3Hr89ZS/Nej5M57b7e3t9vZ2e3u7vb3d3t5ub8/zud3e3m5vb7e3t9vb//n29r8AAAD//ydZrLw=" } diff --git a/filebeat/module/nginx/ingress_controller/_meta/fields.yml b/filebeat/module/nginx/ingress_controller/_meta/fields.yml index 2c467e3856a..30bc1f5ad9e 100644 --- a/filebeat/module/nginx/ingress_controller/_meta/fields.yml +++ b/filebeat/module/nginx/ingress_controller/_meta/fields.yml @@ -11,6 +11,26 @@ Real source IP is restored to `source.ip`. # ingress-controller specific fields + - name: upstream_address_list + type: keyword + description: > + An array of the upstream addresses. It is a list because it is common that several upstream servers + were contacted during request processing. + - name: upstream.response.length_list + type: keyword + description: > + An array of upstream response lengths. It is a list because it is common that several upstream servers + were contacted during request processing. + - name: upstream.response.time_list + type: keyword + description: > + An array of upstream response durations. It is a list because it is common that several upstream servers + were contacted during request processing. + - name: upstream.response.status_code_list + type: keyword + description: > + An array of upstream response status codes. It is a list because it is common that several upstream servers + were contacted during request processing. - name: http.request.length type: long format: bytes @@ -33,28 +53,33 @@ type: long format: bytes description: > - The length of the response obtained from the upstream server + The length of the response obtained from the upstream server. If several servers were contacted during request process, + the summary of the multiple response lengths is stored. - name: upstream.response.time type: double format: duration description: > - The time spent on receiving the response from the upstream server as seconds with millisecond resolution + The time spent on receiving the response from the upstream as seconds with millisecond resolution. + If several servers were contacted during request process, the summary of the multiple response times is stored. - name: upstream.response.status_code type: long description: > - The status code of the response obtained from the upstream server - - name: http.request.id - type: keyword - description: > - The randomly generated ID of the request + The status code of the response obtained from the upstream server. If several servers were contacted during + request process, only the status code of the response from the last one is stored in this field. - name: upstream.ip type: ip description: > - The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. + The IP address of the upstream server. If several servers were contacted during request process, + only the last one is stored in this field. - name: upstream.port type: long description: > - The port of the upstream server. + The port of the upstream server. If several servers were contacted during request process, + only the last one is stored in this field. + - name: http.request.id + type: keyword + description: > + The randomly generated ID of the request - name: body_sent.bytes type: alias diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml index c9f4a5860c7..0eca28c6084 100644 --- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml +++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml @@ -12,14 +12,17 @@ processors: %{NUMBER:http.response.status_code:long} %{NUMBER:http.response.body.bytes:long} "(-|%{DATA:http.request.referrer})" "(-|%{DATA:user_agent.original})" %{NUMBER:nginx.ingress_controller.http.request.length:long} %{NUMBER:nginx.ingress_controller.http.request.time:double} \[%{DATA:nginx.ingress_controller.upstream.name}\] - \[%{DATA:nginx.ingress_controller.upstream.alternative_name}\] (%{UPSTREAM_ADDRESS}|-) - (%{NUMBER:nginx.ingress_controller.upstream.response.length:long}|-) (%{NUMBER:nginx.ingress_controller.upstream.response.time:double}|-) - (%{NUMBER:nginx.ingress_controller.upstream.response.status_code:long}|-) %{GREEDYDATA:nginx.ingress_controller.http.request.id} + \[%{DATA:nginx.ingress_controller.upstream.alternative_name}\] (%{UPSTREAM_ADDRESS_LIST:nginx.ingress_controller.upstream_address_list}|-) + (%{UPSTREAM_RESPONSE_LENGTH_LIST:nginx.ingress_controller.upstream.response.length_list}|-) (%{UPSTREAM_RESPONSE_TIME_LIST:nginx.ingress_controller.upstream.response.time_list}|-) + (%{UPSTREAM_RESPONSE_STATUS_CODE_LIST:nginx.ingress_controller.upstream.response.status_code_list}|-) %{GREEDYDATA:nginx.ingress_controller.http.request.id} pattern_definitions: NGINX_HOST: (?:%{IP:destination.ip}|%{NGINX_NOTSEPARATOR:destination.domain})(:%{NUMBER:destination.port})? NGINX_NOTSEPARATOR: "[^\t ,:]+" NGINX_ADDRESS_LIST: (?:%{IP}|%{WORD})("?,?\s*(?:%{IP}|%{WORD}))* - UPSTREAM_ADDRESS: '%{IP:nginx.ingress_controller.upstream.ip}(:%{NUMBER:nginx.ingress_controller.upstream.port})?' + UPSTREAM_ADDRESS_LIST: (?:%{IP}(:%{NUMBER})?)("?,?\s*(?:%{IP}(:%{NUMBER})?))* + UPSTREAM_RESPONSE_LENGTH_LIST: (?:%{NUMBER})("?,?\s*(?:%{NUMBER}))* + UPSTREAM_RESPONSE_TIME_LIST: (?:%{NUMBER})("?,?\s*(?:%{NUMBER}))* + UPSTREAM_RESPONSE_STATUS_CODE_LIST: (?:%{NUMBER})("?,?\s*(?:%{NUMBER}))* ignore_missing: true - grok: field: nginx.ingress_controller.info @@ -33,6 +36,22 @@ processors: field: nginx.ingress_controller.remote_ip_list separator: '"?,?\s+' ignore_missing: true +- split: + field: nginx.ingress_controller.upstream_address_list + separator: '"?,?\s+' + ignore_missing: true +- split: + field: nginx.ingress_controller.upstream.response.length_list + separator: '"?,?\s+' + ignore_missing: true +- split: + field: nginx.ingress_controller.upstream.response.time_list + separator: '"?,?\s+' + ignore_missing: true +- split: + field: nginx.ingress_controller.upstream.response.status_code_list + separator: '"?,?\s+' + ignore_missing: true - split: field: nginx.ingress_controller.origin separator: '"?,?\s+' @@ -41,6 +60,81 @@ processors: field: source.address if: ctx.source?.address == null value: "" +- script: + if: ctx.nginx?.ingress_controller?.upstream?.response?.length_list != null && ctx.nginx.ingress_controller.upstream.response.length_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream.response.length_list.length == null) { + return; + } + int last_length = 0; + for (def item : ctx.nginx.ingress_controller.upstream.response.length_list) { + last_length = Integer.parseInt(item); + } + ctx.nginx.ingress_controller.upstream.response.length = last_length; + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.response.length = null; + } +- script: + if: ctx.nginx?.ingress_controller?.upstream?.response?.time_list != null && ctx.nginx.ingress_controller.upstream.response.time_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream.response.time_list.length == null) { + return; + } + float res_time = 0; + for (def item : ctx.nginx.ingress_controller.upstream.response.time_list) { + res_time = res_time + Float.parseFloat(item); + } + ctx.nginx.ingress_controller.upstream.response.time = res_time; + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.response.time = null; + } +- script: + if: ctx.nginx?.ingress_controller?.upstream?.response?.status_code_list != null && ctx.nginx.ingress_controller.upstream.response.status_code_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream.response.status_code_list.length == null) { + return; + } + int last_status_code; + for (def item : ctx.nginx.ingress_controller.upstream.response.status_code_list) { + last_status_code = Integer.parseInt(item); + } + ctx.nginx.ingress_controller.upstream.response.status_code = last_status_code; + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.response.time = null; + } +- script: + if: ctx.nginx?.ingress_controller?.upstream_address_list != null && ctx.nginx.ingress_controller.upstream_address_list.length > 0 + lang: painless + source: >- + try { + if (ctx.nginx.ingress_controller.upstream_address_list.length == null) { + return; + } + def last_upstream = ""; + for (def item : ctx.nginx.ingress_controller.upstream_address_list) { + last_upstream = item; + } + StringTokenizer tok = new StringTokenizer(last_upstream, ":"); + if (tok.countTokens()>1) { + ctx.nginx.ingress_controller.upstream.ip = tok.nextToken(); + ctx.nginx.ingress_controller.upstream.port = Integer.parseInt(tok.nextToken()); + } else { + ctx.nginx.ingress_controller.upstream.ip = last_upstream; + } + } + catch (Exception e) { + ctx.nginx.ingress_controller.upstream.ip = null; + ctx.nginx.ingress_controller.upstream.port = null; + } - script: if: ctx.nginx?.ingress_controller?.remote_ip_list != null && ctx.nginx.ingress_controller.remote_ip_list.length > 0 lang: painless diff --git a/filebeat/module/nginx/ingress_controller/test/test.log b/filebeat/module/nginx/ingress_controller/test/test.log index 862c03a4af2..c8ba580f64d 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log +++ b/filebeat/module/nginx/ingress_controller/test/test.log @@ -20,3 +20,4 @@ 192.168.64.1 - - [07/Feb/2020:12:02:38 +0000] "GET /v2 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 343 0.000 [default-web2-8080] [] 172.17.0.6:8080 61 0.001 200 ba91c30454893c121879396b0a78be79 192.168.64.1 - - [07/Feb/2020:12:02:38 +0000] "GET /favicon.ico HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 262 0.001 [default-web-8080] [] 172.17.0.5:8080 59 0.000 200 98c81aa2d50c67f6fb1fa16d5ce62f8f 192.168.64.1 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080 61 0.000 200 835136ae24486dbb4156dcbe21f5d402 +192.168.64.14 - - [07/Feb/2020:12:02:42 +0000] "GET /v2/some HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" 348 0.001 [default-web2-8080] [] 172.17.0.6:8080, 172.17.0.7:8080 61, 100 0.100, 0.004 200, 203 835136ae24486dbb4156dcbe21f5d402 diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index 4bf393a5906..e8b09bc1abd 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -28,10 +28,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -73,10 +85,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -118,10 +142,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -163,10 +199,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -280,10 +328,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -325,10 +385,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -374,10 +446,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -422,10 +506,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -471,10 +567,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -519,10 +627,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -568,10 +688,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -616,10 +748,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -664,10 +808,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -713,10 +869,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -761,10 +929,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.002, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.002" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -810,10 +990,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -858,10 +1050,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -903,10 +1107,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.001, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.001" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -951,10 +1167,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.5", "nginx.ingress_controller.upstream.name": "default-web-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 59, + "nginx.ingress_controller.upstream.response.length_list": [ + "59" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.5:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -999,10 +1227,22 @@ "nginx.ingress_controller.upstream.alternative_name": "", "nginx.ingress_controller.upstream.ip": "172.17.0.6", "nginx.ingress_controller.upstream.name": "default-web2-8080", - "nginx.ingress_controller.upstream.port": "8080", + "nginx.ingress_controller.upstream.port": 8080, "nginx.ingress_controller.upstream.response.length": 61, + "nginx.ingress_controller.upstream.response.length_list": [ + "61" + ], "nginx.ingress_controller.upstream.response.status_code": 200, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200" + ], "nginx.ingress_controller.upstream.response.time": 0.0, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.000" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080" + ], "related.ip": [ "192.168.64.1" ], @@ -1017,5 +1257,69 @@ "user_agent.os.name": "Mac OS X", "user_agent.os.version": "10.14", "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-07T12:02:42.000Z", + "event.category": [ + "web" + ], + "event.dataset": "nginx.ingress_controller", + "event.kind": "event", + "event.module": "nginx", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "ingress_controller", + "http.request.method": "GET", + "http.response.body.bytes": 61, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 5730, + "nginx.ingress_controller.http.request.id": "835136ae24486dbb4156dcbe21f5d402", + "nginx.ingress_controller.http.request.length": 348, + "nginx.ingress_controller.http.request.time": 0.001, + "nginx.ingress_controller.remote_ip_list": [ + "192.168.64.14" + ], + "nginx.ingress_controller.upstream.alternative_name": "", + "nginx.ingress_controller.upstream.ip": "172.17.0.7", + "nginx.ingress_controller.upstream.name": "default-web2-8080", + "nginx.ingress_controller.upstream.port": 8080, + "nginx.ingress_controller.upstream.response.length": 100, + "nginx.ingress_controller.upstream.response.length_list": [ + "61", + "100" + ], + "nginx.ingress_controller.upstream.response.status_code": 203, + "nginx.ingress_controller.upstream.response.status_code_list": [ + "200", + "203" + ], + "nginx.ingress_controller.upstream.response.time": 0.104, + "nginx.ingress_controller.upstream.response.time_list": [ + "0.100", + "0.004" + ], + "nginx.ingress_controller.upstream_address_list": [ + "172.17.0.6:8080", + "172.17.0.7:8080" + ], + "related.ip": [ + "192.168.64.14" + ], + "service.type": "nginx", + "source.address": "192.168.64.14", + "source.ip": "192.168.64.14", + "url.original": "/v2/some", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "72.0." } -] \ No newline at end of file +] diff --git a/libbeat/cmd/instance/metrics.go b/libbeat/cmd/instance/metrics.go index fa0d42bbeaf..24d3d12e3e1 100644 --- a/libbeat/cmd/instance/metrics.go +++ b/libbeat/cmd/instance/metrics.go @@ -285,6 +285,10 @@ func reportBeatCgroups(_ monitoring.Mode, V monitoring.Visitor) { logp.Err("error getting group status: %v", err) return } + // GetStatsForProcess returns a nil selfStats and no error when there's no stats + if selfStats == nil { + return + } if cpu := selfStats.CPU; cpu != nil { monitoring.ReportNamespace(V, "cpu", func() { diff --git a/libbeat/common/transport/tlscommon/tls.go b/libbeat/common/transport/tlscommon/tls.go index 5dea417637e..3616a9f07e4 100644 --- a/libbeat/common/transport/tlscommon/tls.go +++ b/libbeat/common/transport/tlscommon/tls.go @@ -24,7 +24,10 @@ import ( "encoding/pem" "errors" "fmt" + "io" "io/ioutil" + "os" + "strings" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -67,13 +70,19 @@ func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error) { return &cert, nil } -// ReadPEMFile reads a PEM format file on disk and decrypt it with the privided password and -// return the raw content. -func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error) { +// ReadPEMFile reads a PEM formatted string either from disk or passed as a plain text starting with a "-" +// and decrypt it with the provided password and return the raw content. +func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error) { pass := []byte(passphrase) var blocks []*pem.Block - content, err := ioutil.ReadFile(path) + r, err := NewPEMReader(s) + if err != nil { + return nil, err + } + defer r.Close() + + content, err := ioutil.ReadAll(r) if err != nil { return nil, err } @@ -102,7 +111,7 @@ func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error) { if err != nil { log.Errorf("Dropping encrypted pem '%v' block read from %v. %+v", - block.Type, path, err) + block.Type, r, err) continue } @@ -139,20 +148,28 @@ func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error) { log := logp.NewLogger(logSelector) roots := x509.NewCertPool() - for _, path := range CAs { - pemData, err := ioutil.ReadFile(path) + for _, s := range CAs { + r, err := NewPEMReader(s) if err != nil { log.Errorf("Failed reading CA certificate: %+v", err) - errors = append(errors, fmt.Errorf("%v reading %v", err, path)) + errors = append(errors, fmt.Errorf("%v reading %v", err, r)) + continue + } + defer r.Close() + + pemData, err := ioutil.ReadAll(r) + if err != nil { + log.Errorf("Failed reading CA certificate: %+v", err) + errors = append(errors, fmt.Errorf("%v reading %v", err, r)) continue } if ok := roots.AppendCertsFromPEM(pemData); !ok { - log.Error("Failed to add CA to the cert pool, CA is not a valid PEM file") - errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, path)) + log.Error("Failed to add CA to the cert pool, CA is not a valid PEM document") + errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, r)) continue } - log.Debugf("tls", "successfully loaded CA certificate: %v", path) + log.Debugf("tls", "successfully loaded CA certificate: %v", r) } return roots, errors @@ -187,3 +204,45 @@ func ResolveTLSVersion(v uint16) string { func ResolveCipherSuite(cipher uint16) string { return tlsCipherSuite(cipher).String() } + +// PEMReader allows to read a certificate in PEM format either through the disk or from a string. +type PEMReader struct { + reader io.ReadCloser + debugStr string +} + +// NewPEMReader returns a new PEMReader. +func NewPEMReader(certificate string) (*PEMReader, error) { + if IsPEMString(certificate) { + // Take a substring of the certificate so we do not leak the whole certificate or private key in the log. + debugStr := certificate[0:256] + "..." + return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: debugStr}, nil + } + + r, err := os.Open(certificate) + if err != nil { + return nil, err + } + return &PEMReader{reader: r, debugStr: certificate}, nil +} + +// Close closes the target io.ReadCloser. +func (p *PEMReader) Close() error { + return p.reader.Close() +} + +// Read read bytes from the io.ReadCloser. +func (p *PEMReader) Read(b []byte) (n int, err error) { + return p.reader.Read(b) +} + +func (p *PEMReader) String() string { + return p.debugStr +} + +// IsPEMString returns true if the provided string match a PEM formatted certificate. try to pem decode to validate. +func IsPEMString(s string) bool { + // Trim the certificates to make sure we tolerate any yaml weirdness, we assume that the string starts + // with "-" and let further validation verifies the PEM format. + return strings.HasPrefix(strings.TrimSpace(s), "-") +} diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 42748770069..53e9da18db3 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -22,6 +22,8 @@ package tlscommon import ( "crypto/tls" "fmt" + "io/ioutil" + "os" "testing" "github.com/stretchr/testify/assert" @@ -331,3 +333,267 @@ func TestResolveCipherSuite(t *testing.T) { c := ResolveCipherSuite(tls.TLS_RSA_WITH_AES_128_CBC_SHA) assert.Equal(t, "RSA-AES-128-CBC-SHA", c) } + +func TestPEMString(t *testing.T) { + t.Run("is PEM formatted String", func(t *testing.T) { + c := `-----BEGIN CERTIFICATE----- +MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 +MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n +fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl +94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t +/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP +PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 +CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O +BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux +8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D +874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw +3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA +H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu +8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 +yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk +sxSmbIUfc2SGJGCJD4I= +-----END CERTIFICATE-----` + assert.True(t, IsPEMString(c)) + }) + + // Well use `|` if you want to keep the newline, theses are required so the PEM document is valid. + t.Run("From the YAML/multiline", func(t *testing.T) { + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +cipher_suites: null +curve_types: null +supported_protocols: null + `) + assert.NoError(t, err) + assert.True(t, IsPEMString(cfg.CAs[0])) + }) + + t.Run("is not a PEM formatted String", func(t *testing.T) { + c := "/tmp/certificate" + assert.False(t, IsPEMString(c)) + }) + + t.Run("is an empty string", func(t *testing.T) { + c := "" + assert.False(t, IsPEMString(c)) + }) +} + +func TestCertificate(t *testing.T) { + // Write certificate to a temporary file. + c := `-----BEGIN CERTIFICATE----- +MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF +ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 +MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n +fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl +94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t +/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP +PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 +CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O +BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux +8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D +874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw +3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA +H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu +8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 +yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk +sxSmbIUfc2SGJGCJD4I= +-----END CERTIFICATE-----` + f, err := ioutil.TempFile("", "certificate.crt") + f.WriteString(c) + f.Close() + assert.NoError(t, err) + defer os.Remove(f.Name()) + + t.Run("certificate authorities", func(t *testing.T) { + t.Run("From configuration", func(t *testing.T) { + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +cipher_suites: null +curve_types: null +supported_protocols: null + `) + assert.NoError(t, err) + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + assert.NotNil(t, tlsC) + }) + + t.Run("From disk", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + + cfg.CAs = []string{f.Name()} + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + + t.Run("mixed from disk and embed", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + + cfg.CAs = []string{f.Name(), c} + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + }) + + t.Run("Certificate and Private keys", func(t *testing.T) { + key := ` +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI +sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP +Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F +KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 +MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z +HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ +nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx +Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 +eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ +Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM +epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve +Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn +BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 +VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU +zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 +GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA +5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 +TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF +hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li +e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze +Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T +kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ +kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav +NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K +0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc +nygO9KTJuUiBrLr0AHEnqko= +-----END PRIVATE KEY----- +` + t.Run("embed", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + cfg.Certificate.Certificate = c + cfg.Certificate.Key = key + + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + + t.Run("From disk", func(t *testing.T) { + k, err := ioutil.TempFile("", "certificate.key") + k.WriteString(key) + k.Close() + assert.NoError(t, err) + defer os.Remove(k.Name()) + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + + cfg.Certificate.Certificate = f.Name() + cfg.Certificate.Key = k.Name() + + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + }) +} diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index 8aa9a33a828..43a88002bcd 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc @@ -105,6 +105,32 @@ NOTE: SSL settings are disabled if either `enabled` is set to `false` or the ==== `certificate_authorities` The list of root certificates for server verifications. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. +By default you can specify a list of file that +{beatname_lc} will read, but you can also embed a certificate directly in the `YAML` configuration: + +[source,yaml] +---- +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +---- [float] [[certificate]] @@ -117,12 +143,72 @@ require client authentication, the certificate will be loaded, but not requested by the server. When this option is configured, the <> option is also required. +The certificate option support embedding of the certificate: + +[source,yaml] +---- +certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +---- + [float] [[key]] ==== `key: "/etc/pki/client/cert.key"` The client certificate key used for client authentication. This option is required if <> is specified. +The key option support embedding of the private key: + +[source,yaml] +---- +key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- +---- [float] ==== `key_passphrase` diff --git a/libbeat/processors/dns/config.go b/libbeat/processors/dns/config.go index b5e7cf0a0d3..8b0d6c9bd97 100644 --- a/libbeat/processors/dns/config.go +++ b/libbeat/processors/dns/config.go @@ -29,7 +29,7 @@ import ( // Config defines the configuration options for the DNS processor. type Config struct { - CacheConfig + CacheConfig `config:",inline"` Nameservers []string `config:"nameservers"` // Required on Windows. /etc/resolv.conf is used if none are given. Timeout time.Duration `conifg:"timeout"` // Per request timeout (with 2 nameservers the total timeout would be 2x). Type string `config:"type" validate:"required"` // Reverse is the only supported type currently. @@ -89,7 +89,7 @@ type CacheSettings struct { TTL time.Duration `config:"ttl"` // Minimum TTL value for successful DNS responses. - MinTTL time.Duration `config:"min_ttl" validate:"min=1"` + MinTTL time.Duration `config:"min_ttl" validate:"min=1ns"` // Initial capacity. How much space is allocated at initialization. InitialCapacity int `config:"capacity.initial" validate:"min=0"` @@ -166,6 +166,7 @@ var defaultConfig = Config{ MaxCapacity: 10000, }, FailureCache: CacheSettings{ + MinTTL: time.Minute, TTL: time.Minute, InitialCapacity: 1000, MaxCapacity: 10000, diff --git a/libbeat/publisher/includes/includes.go b/libbeat/publisher/includes/includes.go index e6f3ded0bee..a14dd16d3ba 100644 --- a/libbeat/publisher/includes/includes.go +++ b/libbeat/publisher/includes/includes.go @@ -27,6 +27,7 @@ import ( _ "github.com/elastic/beats/v7/libbeat/outputs/kafka" _ "github.com/elastic/beats/v7/libbeat/outputs/logstash" _ "github.com/elastic/beats/v7/libbeat/outputs/redis" + _ "github.com/elastic/beats/v7/libbeat/publisher/queue/diskqueue" _ "github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue" _ "github.com/elastic/beats/v7/libbeat/publisher/queue/spool" ) diff --git a/libbeat/publisher/queue/diskqueue/acks.go b/libbeat/publisher/queue/diskqueue/acks.go new file mode 100644 index 00000000000..ed9d7589db2 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/acks.go @@ -0,0 +1,146 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "os" + "sync" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// queuePosition represents a logical position within the queue buffer. +type queuePosition struct { + segmentID segmentID + offset segmentOffset +} + +type diskQueueACKs struct { + logger *logp.Logger + + // This lock must be held to access diskQueueACKs fields (except for + // diskQueueACKs.done, which is always safe). + lock sync.Mutex + + // The id and position of the first unacknowledged frame. + nextFrameID frameID + nextPosition queuePosition + + // If a frame has been ACKed, then frameSize[frameID] contains its size on + // disk. The size is used to track the queuePosition of the oldest + // remaining frame, which is written to disk as ACKs are received. (We do + // this to avoid duplicating events if the beat terminates without a clean + // shutdown.) + frameSize map[frameID]uint64 + + // segmentBoundaries maps the first frameID of each segment to its + // corresponding segment ID. + segmentBoundaries map[frameID]segmentID + + // When a segment has been completely acknowledged by a consumer, it sends + // the segment ID to this channel, where it is read by the core loop and + // scheduled for deletion. + segmentACKChan chan segmentID + + // An open writable file handle to the file that stores the queue position. + // This position is advanced as we receive ACKs, confirming it is safe + // to move forward, so the acking code is responsible for updating this + // file. + positionFile *os.File + + // When the queue is closed, diskQueueACKs.done is closed to signal that + // the core loop will not accept any more acked segments and any future + // ACKs should be ignored. + done chan struct{} +} + +func newDiskQueueACKs( + logger *logp.Logger, position queuePosition, positionFile *os.File, +) *diskQueueACKs { + return &diskQueueACKs{ + logger: logger, + nextFrameID: 0, + nextPosition: position, + frameSize: make(map[frameID]uint64), + segmentBoundaries: make(map[frameID]segmentID), + segmentACKChan: make(chan segmentID), + positionFile: positionFile, + done: make(chan struct{}), + } +} + +func (dqa *diskQueueACKs) addFrames(frames []*readFrame) { + dqa.lock.Lock() + defer dqa.lock.Unlock() + select { + case <-dqa.done: + // We are already done and should ignore any leftover ACKs we receive. + return + default: + } + for _, frame := range frames { + segment := frame.segment + if frame.id != 0 && frame.id == segment.firstFrameID { + // This is the first frame in its segment, mark it so we know when + // we're starting a new segment. + // + // Subtlety: we don't count the very first frame as a "boundary" even + // though it is the first frame we read from its segment. This prevents + // us from resetting our segment offset to zero, in case the initial + // offset was restored from a previous session instead of starting at + // the beginning of the first file. + dqa.segmentBoundaries[frame.id] = segment.id + } + dqa.frameSize[frame.id] = frame.bytesOnDisk + } + oldSegmentID := dqa.nextPosition.segmentID + if dqa.frameSize[dqa.nextFrameID] != 0 { + for ; dqa.frameSize[dqa.nextFrameID] != 0; dqa.nextFrameID++ { + newSegment, ok := dqa.segmentBoundaries[dqa.nextFrameID] + if ok { + // This is the start of a new segment. Remove this frame from the + // segment boundary list and set the position to the start of the + // new segment. + delete(dqa.segmentBoundaries, dqa.nextFrameID) + dqa.nextPosition = queuePosition{ + segmentID: newSegment, + offset: 0, + } + } + dqa.nextPosition.offset += segmentOffset(dqa.frameSize[dqa.nextFrameID]) + delete(dqa.frameSize, dqa.nextFrameID) + } + // We advanced the ACK position at least somewhat, so write its + // new value. + err := writeQueuePositionToHandle(dqa.positionFile, dqa.nextPosition) + if err != nil { + // TODO: Don't spam this warning on every ACK if it's a permanent error. + dqa.logger.Warnf("Couldn't save queue position: %v", err) + } + } + if oldSegmentID != dqa.nextPosition.segmentID { + // We crossed at least one segment boundary, inform the listener that + // everything before the current segment has been acknowledged (but bail + // out if our done channel has been closed, since that means there is no + // listener on the other end.) + select { + case dqa.segmentACKChan <- dqa.nextPosition.segmentID - 1: + case <-dqa.done: + } + } +} diff --git a/libbeat/publisher/queue/diskqueue/checksum.go b/libbeat/publisher/queue/diskqueue/checksum.go new file mode 100644 index 00000000000..87cdb7b1aef --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/checksum.go @@ -0,0 +1,33 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "hash/crc32" +) + +// Computes the checksum that should be written / read in a frame footer +// based on the raw content of that frame (excluding header / footer). +func computeChecksum(data []byte) uint32 { + hash := crc32.NewIEEE() + frameLength := uint32(len(data) + frameMetadataSize) + binary.Write(hash, binary.LittleEndian, &frameLength) + hash.Write(data) + return hash.Sum32() +} diff --git a/libbeat/publisher/queue/diskqueue/config.go b/libbeat/publisher/queue/diskqueue/config.go new file mode 100644 index 00000000000..f39f608361d --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/config.go @@ -0,0 +1,158 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "fmt" + "path/filepath" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgtype" + "github.com/elastic/beats/v7/libbeat/paths" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +// Settings contains the configuration fields to create a new disk queue +// or open an existing one. +type Settings struct { + // The path on disk of the queue's containing directory, which will be + // created if it doesn't exist. Within the directory, the queue's state + // is stored in state.dat and each segment's data is stored in + // {segmentIndex}.seg + // If blank, the default directory is "diskqueue" within the beat's data + // directory. + Path string + + // MaxBufferSize is the maximum number of bytes that the queue should + // ever occupy on disk. A value of 0 means the queue can grow until the + // disk is full (this is not recommended on a primary system disk). + MaxBufferSize uint64 + + // MaxSegmentSize is the maximum number of bytes that should be written + // to a single segment file before creating a new one. + MaxSegmentSize uint64 + + // How many events will be read from disk while waiting for a consumer + // request. + ReadAheadLimit int + + // How many events will be queued in memory waiting to be written to disk. + // This setting should rarely matter in practice, but if data is coming + // in faster than it can be written to disk for an extended period, + // this limit can keep it from overflowing memory. + WriteAheadLimit int + + // A listener that should be sent ACKs when an event is successfully + // written to disk. + WriteToDiskListener queue.ACKListener +} + +// userConfig holds the parameters for a disk queue that are configurable +// by the end user in the beats yml file. +type userConfig struct { + Path string `config:"path"` + MaxSize cfgtype.ByteSize `config:"max_size" validate:"required"` + SegmentSize *cfgtype.ByteSize `config:"segment_size"` + ReadAheadLimit *int `config:"read_ahead"` + WriteAheadLimit *int `config:"write_ahead"` +} + +func (c *userConfig) Validate() error { + // If the segment size is explicitly specified, the total queue size must + // be at least twice as large. + if c.SegmentSize != nil && c.MaxSize != 0 && c.MaxSize < *c.SegmentSize*2 { + return errors.New( + "Disk queue max_size must be at least twice as big as segment_size") + } + + // We require a total queue size of at least 10MB, and a segment size of + // at least 1MB. The queue can support lower thresholds, but it will perform + // terribly, so we give an explicit error in that case. + // These bounds are still extremely low for Beats ingestion, but if all you + // need is for a low-volume stream on a tiny device to persist between + // restarts, it will work fine. + if c.MaxSize != 0 && c.MaxSize < 10*1000*1000 { + return fmt.Errorf( + "Disk queue max_size (%d) cannot be less than 10MB", c.MaxSize) + } + if c.SegmentSize != nil && *c.SegmentSize < 1000*1000 { + return fmt.Errorf( + "Disk queue segment_size (%d) cannot be less than 1MB", *c.SegmentSize) + } + + return nil +} + +// DefaultSettings returns a Settings object with reasonable default values +// for all important fields. +func DefaultSettings() Settings { + return Settings{ + MaxSegmentSize: 100 * (1 << 20), // 100MiB + MaxBufferSize: (1 << 30), // 1GiB + + ReadAheadLimit: 256, + WriteAheadLimit: 1024, + } +} + +// SettingsForUserConfig returns a Settings struct initialized with the +// end-user-configurable settings in the given config tree. +func SettingsForUserConfig(config *common.Config) (Settings, error) { + userConfig := userConfig{} + if err := config.Unpack(&userConfig); err != nil { + return Settings{}, fmt.Errorf("parsing user config: %w", err) + } + settings := DefaultSettings() + settings.Path = userConfig.Path + + settings.MaxBufferSize = uint64(userConfig.MaxSize) + if userConfig.SegmentSize != nil { + settings.MaxSegmentSize = uint64(*userConfig.SegmentSize) + } else { + // If no value is specified, default segment size is total queue size + // divided by 10. + settings.MaxSegmentSize = uint64(userConfig.MaxSize) / 10 + } + return settings, nil +} + +// +// bookkeeping helpers +// + +func (settings Settings) directoryPath() string { + if settings.Path == "" { + return paths.Resolve(paths.Data, "diskqueue") + } + return settings.Path +} + +func (settings Settings) stateFilePath() string { + return filepath.Join(settings.directoryPath(), "state.dat") +} + +func (settings Settings) segmentPath(segmentID segmentID) string { + return filepath.Join( + settings.directoryPath(), + fmt.Sprintf("%v.seg", segmentID)) +} + +func (settings Settings) maxSegmentOffset() segmentOffset { + return segmentOffset(settings.MaxSegmentSize - segmentHeaderSize) +} diff --git a/libbeat/publisher/queue/diskqueue/consumer.go b/libbeat/publisher/queue/diskqueue/consumer.go new file mode 100644 index 00000000000..b2922778ea5 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/consumer.go @@ -0,0 +1,114 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "fmt" + + "github.com/elastic/beats/v7/libbeat/publisher" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +type diskQueueConsumer struct { + queue *diskQueue + closed bool +} + +type diskQueueBatch struct { + queue *diskQueue + frames []*readFrame +} + +// +// diskQueueConsumer implementation of the queue.Consumer interface +// + +func (consumer *diskQueueConsumer) Get(eventCount int) (queue.Batch, error) { + if consumer.closed { + return nil, fmt.Errorf("Tried to read from a closed disk queue consumer") + } + + // Read at least one frame. This is guaranteed to eventually + // succeed unless the queue is closed. + frame, ok := <-consumer.queue.readerLoop.output + if !ok { + return nil, fmt.Errorf("Tried to read from a closed disk queue") + } + frames := []*readFrame{frame} +eventLoop: + for eventCount <= 0 || len(frames) < eventCount { + select { + case frame, ok := <-consumer.queue.readerLoop.output: + if !ok { + // The queue was closed while we were reading it, just send back + // what we have so far. + break eventLoop + } + frames = append(frames, frame) + default: + // We can't read any more frames without blocking, so send back + // what we have now. + break eventLoop + } + } + + // There is a mild race condition here based on queue closure: events + // written to readerLoop.output may have been buffered before the + // queue was closed, and we may be reading its leftovers afterwards. + // We could try to detect this case here by checking the + // consumer.queue.done channel, and return nothing if it's been closed. + // But this gives rise to another race: maybe the queue was + // closed _after_ we read those frames, and we _ought_ to return them + // to the reader. The queue interface doesn't specify the proper + // behavior in this case. + // + // Lacking formal requirements, we elect to be permissive: if we have + // managed to read frames, then the queue already knows and considers them + // "read," so we lose no consistency by returning them. If someone closes + // the queue while we are draining the channel, nothing changes functionally + // except that any ACKs after that point will be ignored. A well-behaved + // Beats shutdown will always ACK / close its consumers before closing the + // queue itself, so we expect this corner case not to arise in practice, but + // if it does it is innocuous. + + return &diskQueueBatch{ + queue: consumer.queue, + frames: frames, + }, nil +} + +func (consumer *diskQueueConsumer) Close() error { + consumer.closed = true + return nil +} + +// +// diskQueueBatch implementation of the queue.Batch interface +// + +func (batch *diskQueueBatch) Events() []publisher.Event { + events := make([]publisher.Event, len(batch.frames)) + for i, frame := range batch.frames { + events[i] = frame.event + } + return events +} + +func (batch *diskQueueBatch) ACK() { + batch.queue.acks.addFrames(batch.frames) +} diff --git a/libbeat/publisher/queue/diskqueue/core_loop.go b/libbeat/publisher/queue/diskqueue/core_loop.go new file mode 100644 index 00000000000..56a50b5a422 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/core_loop.go @@ -0,0 +1,449 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import "fmt" + +// This file contains the queue's "core loop" -- the central goroutine +// that owns all queue state that is not encapsulated in one of the +// self-contained helper loops. This is the only file that is allowed to +// modify the queue state after its creation, and it contains the full +// logical "state transition diagram" for queue operation. + +func (dq *diskQueue) run() { + // Wake up the reader and deleter loops if there are segments to process + // from a previous instantiation of the queue. + dq.maybeReadPending() + dq.maybeDeleteACKed() + + for { + select { + // Endpoints used by the producer / consumer API implementation. + case producerWriteRequest := <-dq.producerWriteRequestChan: + dq.handleProducerWriteRequest(producerWriteRequest) + + // After a write request, there may be data ready to send to the + // writer loop. + dq.maybeWritePending() + + case ackedSegmentID := <-dq.acks.segmentACKChan: + dq.handleSegmentACK(ackedSegmentID) + + // After receiving new ACKs, a segment might be ready to delete. + dq.maybeDeleteACKed() + + case <-dq.done: + dq.handleShutdown() + return + + // Writer loop handling + case writerLoopResponse := <-dq.writerLoop.responseChan: + dq.handleWriterLoopResponse(writerLoopResponse) + + // The writer loop completed a request, so check if there is more + // data to be sent. + dq.maybeWritePending() + // We also check whether the reader loop is waiting for the data + // that was just written. + dq.maybeReadPending() + + // Reader loop handling + case readerLoopResponse := <-dq.readerLoop.responseChan: + dq.handleReaderLoopResponse(readerLoopResponse) + + // If there is more data to read, start a new read request. + dq.maybeReadPending() + + // Deleter loop handling + case deleterLoopResponse := <-dq.deleterLoop.responseChan: + dq.handleDeleterLoopResponse(deleterLoopResponse) + + // If there are still files waiting to be deleted, send another request. + dq.maybeDeleteACKed() + + // If there were blocked producers waiting for more queue space, + // we might be able to unblock them now. + dq.maybeUnblockProducers() + } + } +} + +func (dq *diskQueue) handleProducerWriteRequest(request producerWriteRequest) { + // Pathological case checking: make sure the incoming frame isn't bigger + // than an entire segment all by itself (as long as it isn't, it is + // guaranteed to eventually enter the queue assuming no disk errors). + frameSize := request.frame.sizeOnDisk() + if dq.settings.MaxSegmentSize < frameSize { + dq.logger.Warnf( + "Rejecting event with size %v because the maximum segment size is %v", + frameSize, dq.settings.MaxSegmentSize) + request.responseChan <- false + return + } + + // If no one else is blocked waiting for queue capacity, and there is + // enough space, then we add the new frame and report success. + // Otherwise, we either add to the end of blockedProducers to wait for + // the requested space or report immediate failure, depending on the + // producer settings. + if len(dq.blockedProducers) == 0 && dq.canAcceptFrameOfSize(frameSize) { + // There is enough space for the new frame! Add it to the + // pending list and report success, then dispatch it to the + // writer loop if no other requests are outstanding. + dq.enqueueWriteFrame(request.frame) + request.responseChan <- true + } else { + // The queue is too full. Either add the request to blockedProducers, + // or send an immediate reject. + if request.shouldBlock { + dq.blockedProducers = append(dq.blockedProducers, request) + } else { + request.responseChan <- false + } + } +} + +func (dq *diskQueue) handleWriterLoopResponse(response writerLoopResponse) { + dq.writing = false + + // The writer loop response contains the number of bytes written to + // each segment that appeared in the request. Entries always appear in + // the same sequence as (the beginning of) segments.writing. + for index, bytesWritten := range response.bytesWritten { + // Update the segment with its new size. + dq.segments.writing[index].endOffset += segmentOffset(bytesWritten) + } + + // If there is more than one segment in the response, then all but the + // last have been closed and are ready to move to the reading list. + closedCount := len(response.bytesWritten) - 1 + if closedCount > 0 { + // Remove the prefix of the writing array and append to to reading. + closedSegments := dq.segments.writing[:closedCount] + dq.segments.writing = dq.segments.writing[closedCount:] + dq.segments.reading = + append(dq.segments.reading, closedSegments...) + } +} + +func (dq *diskQueue) handleReaderLoopResponse(response readerLoopResponse) { + dq.reading = false + + // Advance the frame / offset based on what was just completed. + dq.segments.nextReadFrameID += frameID(response.frameCount) + dq.segments.nextReadOffset += segmentOffset(response.byteCount) + + var segment *queueSegment + if len(dq.segments.reading) > 0 { + // A segment is finished if we have read all the data, or + // the read response reports an error. + // Segments in the reading list have been completely written, + // so we can rely on their endOffset field to determine their size. + segment = dq.segments.reading[0] + if dq.segments.nextReadOffset >= segment.endOffset || response.err != nil { + dq.segments.reading = dq.segments.reading[1:] + dq.segments.acking = append(dq.segments.acking, segment) + dq.segments.nextReadOffset = 0 + } + } else { + // A segment in the writing list can't be finished writing, + // so we don't check the endOffset. + segment = dq.segments.writing[0] + } + segment.framesRead = uint64(dq.segments.nextReadFrameID - segment.firstFrameID) + + // If there was an error, report it. + if response.err != nil { + dq.logger.Errorf( + "Error reading segment file %s: %v", + dq.settings.segmentPath(segment.id), response.err) + } +} + +func (dq *diskQueue) handleDeleterLoopResponse(response deleterLoopResponse) { + dq.deleting = false + newAckedSegments := []*queueSegment{} + errors := []error{} + for i, err := range response.results { + if err != nil { + // This segment had an error, so it stays in the acked list. + newAckedSegments = append(newAckedSegments, dq.segments.acked[i]) + errors = append(errors, + fmt.Errorf("Couldn't delete segment %d: %w", + dq.segments.acked[i].id, err)) + } + } + if len(dq.segments.acked) > len(response.results) { + // Preserve any new acked segments that were added during the deletion + // request. + tail := dq.segments.acked[len(response.results):] + newAckedSegments = append(newAckedSegments, tail...) + } + dq.segments.acked = newAckedSegments + if len(errors) > 0 { + dq.logger.Errorw("Deleting segment files", "errors", errors) + } +} + +func (dq *diskQueue) handleSegmentACK(ackedSegmentID segmentID) { + acking := dq.segments.acking + if len(acking) == 0 { + return + } + ackedSegmentCount := 0 + for ; ackedSegmentCount < len(acking); ackedSegmentCount++ { + if acking[ackedSegmentCount].id > ackedSegmentID { + // This segment has not been acked yet, we're done. + break + } + } + if ackedSegmentCount > 0 { + // Move fully acked segments to the acked list and remove them + // from the acking list. + dq.segments.acked = + append(dq.segments.acked, acking[:ackedSegmentCount]...) + dq.segments.acking = acking[ackedSegmentCount:] + } +} + +func (dq *diskQueue) handleShutdown() { + // Shutdown: first, we wait for any outstanding requests to complete, to + // make sure the helper loops are idle and all state is finalized, then + // we do final cleanup and write our position to disk. + + // Close the reader loop's request channel to signal an abort in case it's + // still processing a request (we don't need any more frames). + // We still wait for acknowledgement afterwards: if there is a request in + // progress, it's possible that a consumer already read and acknowledged + // some of its data, so we want the final metadata before we write our + // closing state. + close(dq.readerLoop.requestChan) + if dq.reading { + response := <-dq.readerLoop.responseChan + dq.handleReaderLoopResponse(response) + } + + // We are assured by our callers within Beats that we will not be sent a + // shutdown signal until all our producers have been finalized / + // shut down -- thus, there should be no writer requests outstanding, and + // writerLoop.requestChan should be idle. But just in case (and in + // particular to handle the case where a request is stuck retrying a fatal + // error), we signal abort by closing the request channel, and read the + // final state if there is any. + close(dq.writerLoop.requestChan) + if dq.writing { + response := <-dq.writerLoop.responseChan + dq.handleWriterLoopResponse(response) + } + + // We let the deleter loop finish its current request, but we don't send + // the abort signal yet, since we might want to do one last deletion + // after checking the final consumer ACK state. + if dq.deleting { + response := <-dq.deleterLoop.responseChan + dq.handleDeleterLoopResponse(response) + } + + // If there are any blocked producers still hoping for space to open up + // in the queue, send them the bad news. + for _, request := range dq.blockedProducers { + request.responseChan <- false + } + dq.blockedProducers = nil + + // The reader and writer loops are now shut down, and the deleter loop is + // idle. The remaining cleanup is in finalizing the read position in the + // queue (the first event that hasn't been acknowledged by consumers), and + // in deleting any older segment files that may be left. + // + // Events read by consumers have been accumulating their ACK data in + // dq.acks. During regular operation the core loop is not allowed to use + // this data, since it requires holding a mutex, but during shutdown we're + // allowed to block to acquire it. However, we still must close its done + // channel first, otherwise the lock may be held by a consumer that is + // blocked trying to send us a message we're no longer listening to... + close(dq.acks.done) + dq.acks.lock.Lock() + finalPosition := dq.acks.nextPosition + // We won't be updating the position anymore, so we can close the file. + dq.acks.positionFile.Sync() + dq.acks.positionFile.Close() + dq.acks.lock.Unlock() + + // First check for the rare and fortunate case that every single event we + // wrote to the queue was ACKed. In this case it is safe to delete + // everything up to and including the current segment. Otherwise, we only + // delete things before the current segment. + if len(dq.segments.writing) > 0 && + finalPosition.segmentID == dq.segments.writing[0].id && + finalPosition.offset >= dq.segments.writing[0].endOffset { + dq.handleSegmentACK(finalPosition.segmentID) + } else if finalPosition.segmentID > 0 { + dq.handleSegmentACK(finalPosition.segmentID - 1) + } + + // Do one last round of deletions, then shut down the deleter loop. + dq.maybeDeleteACKed() + if dq.deleting { + response := <-dq.deleterLoop.responseChan + dq.handleDeleterLoopResponse(response) + } + close(dq.deleterLoop.requestChan) +} + +// If the pendingFrames list is nonempty, and there are no outstanding +// requests to the writer loop, send the next batch of frames. +func (dq *diskQueue) maybeWritePending() { + if dq.writing || len(dq.pendingFrames) == 0 { + // Nothing to do right now + return + } + // Remove everything from pendingFrames and forward it to the writer loop. + frames := dq.pendingFrames + dq.pendingFrames = nil + + dq.writerLoop.requestChan <- writerLoopRequest{ + frames: frames, + } + dq.writing = true +} + +// Returns the active read segment, or nil if there is none. +func (segments *diskQueueSegments) readingSegment() *queueSegment { + if len(segments.reading) > 0 { + return segments.reading[0] + } + if len(segments.writing) > 0 { + return segments.writing[0] + } + return nil +} + +// If the reading list is nonempty, and there are no outstanding read +// requests, send one. +func (dq *diskQueue) maybeReadPending() { + if dq.reading { + // A read request is already pending + return + } + segment := dq.segments.readingSegment() + if segment == nil || + dq.segments.nextReadOffset >= segmentOffset(segment.endOffset) { + // Nothing to read + return + } + if dq.segments.nextReadOffset == 0 { + // If we're reading the beginning of this segment, assign its firstFrameID. + segment.firstFrameID = dq.segments.nextReadFrameID + } + request := readerLoopRequest{ + segment: segment, + startFrameID: dq.segments.nextReadFrameID, + startOffset: dq.segments.nextReadOffset, + endOffset: segment.endOffset, + } + dq.readerLoop.requestChan <- request + dq.reading = true +} + +// If the acked list is nonempty, and there are no outstanding deletion +// requests, send one. +func (dq *diskQueue) maybeDeleteACKed() { + if !dq.deleting && len(dq.segments.acked) > 0 { + dq.deleterLoop.requestChan <- deleterLoopRequest{ + segments: dq.segments.acked} + dq.deleting = true + } +} + +// maybeUnblockProducers checks whether the queue has enough free space +// to accept any of the requests in the blockedProducers list, and if so +// accepts them in order and updates the list. +func (dq *diskQueue) maybeUnblockProducers() { + unblockedCount := 0 + for _, request := range dq.blockedProducers { + if !dq.canAcceptFrameOfSize(request.frame.sizeOnDisk()) { + // Not enough space for this frame, we're done. + break + } + // Add the frame to pendingFrames and report success. + dq.enqueueWriteFrame(request.frame) + request.responseChan <- true + unblockedCount++ + } + if unblockedCount > 0 { + dq.blockedProducers = dq.blockedProducers[unblockedCount:] + } +} + +// enqueueWriteFrame determines which segment an incoming frame should be +// written to and adds the resulting segmentedFrame to pendingFrames. +func (dq *diskQueue) enqueueWriteFrame(frame *writeFrame) { + // Start with the most recent writing segment if there is one. + var segment *queueSegment + if len(dq.segments.writing) > 0 { + segment = dq.segments.writing[len(dq.segments.writing)-1] + } + frameLen := segmentOffset(frame.sizeOnDisk()) + // If segment is nil, or the new segment exceeds its bounds, + // we need to create a new writing segment. + if segment == nil || + dq.segments.nextWriteOffset+frameLen > dq.settings.maxSegmentOffset() { + segment = &queueSegment{id: dq.segments.nextID} + dq.segments.writing = append(dq.segments.writing, segment) + dq.segments.nextID++ + dq.segments.nextWriteOffset = 0 + } + + dq.segments.nextWriteOffset += frameLen + dq.pendingFrames = append(dq.pendingFrames, segmentedFrame{ + frame: frame, + segment: segment, + }) +} + +// canAcceptFrameOfSize checks whether there is enough free space in the +// queue (subject to settings.MaxBufferSize) to accept a new frame with +// the given size. Size includes both the serialized data and the frame +// header / footer; the easy way to do this for a writeFrame is to pass +// in frame.sizeOnDisk(). +// Capacity calculations do not include requests in the blockedProducers +// list (that data is owned by its callers and we can't touch it until +// we are ready to respond). That allows this helper to be used both while +// handling producer requests and while deciding whether to unblock +// producers after free capacity increases. +// If we decide to add limits on how many events / bytes can be stored +// in pendingFrames (to avoid unbounded memory use if the input is faster +// than the disk), this is the function to modify. +func (dq *diskQueue) canAcceptFrameOfSize(frameSize uint64) bool { + if dq.settings.MaxBufferSize == 0 { + // Currently we impose no limitations if the queue size is unbounded. + return true + } + + // Compute the current queue size. We accept if there is enough capacity + // left in the queue after accounting for the existing segments and the + // pending writes that were already accepted. + pendingBytes := uint64(0) + for _, request := range dq.pendingFrames { + pendingBytes += request.frame.sizeOnDisk() + } + currentSize := pendingBytes + dq.segments.sizeOnDisk() + + return currentSize+frameSize <= dq.settings.MaxBufferSize +} diff --git a/libbeat/publisher/queue/diskqueue/core_loop_test.go b/libbeat/publisher/queue/diskqueue/core_loop_test.go new file mode 100644 index 00000000000..b5f0d301d15 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/core_loop_test.go @@ -0,0 +1,94 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import "testing" + +func TestProducerWriteRequest(t *testing.T) { + dq := &diskQueue{settings: DefaultSettings()} + frame := &writeFrame{ + serialized: make([]byte, 100), + } + request := producerWriteRequest{ + frame: frame, + shouldBlock: true, + responseChan: make(chan bool, 1), + } + dq.handleProducerWriteRequest(request) + + // The request inserts 100 bytes into an empty queue, so it should succeed. + // We expect: + // - the response channel should contain the value true + // - the frame should be added to pendingFrames and assigned to + // segment 0. + success, ok := <-request.responseChan + if !ok { + t.Error("Expected a response from the producer write request.") + } + if !success { + t.Error("Expected write request to succeed") + } + + if len(dq.pendingFrames) != 1 { + t.Error("Expected 1 pending frame after a write request.") + } + if dq.pendingFrames[0].frame != frame { + t.Error("Expected pendingFrames to contain the new frame.") + } + if dq.pendingFrames[0].segment.id != 0 { + t.Error("Expected new frame to be assigned to segment 0.") + } +} + +func TestHandleWriterLoopResponse(t *testing.T) { + // Initialize the queue with two writing segments only. + dq := &diskQueue{ + settings: DefaultSettings(), + segments: diskQueueSegments{ + writing: []*queueSegment{ + {id: 1}, + {id: 2}, + }, + }, + } + // This response says that the writer loop wrote 200 bytes to the first + // segment and 100 bytes to the second. + dq.handleWriterLoopResponse(writerLoopResponse{ + bytesWritten: []int64{200, 100}, + }) + + // After the response is handled, we expect: + // - Each segment's endOffset should be incremented by the bytes written + // - Segment 1 should be moved to the reading list (because all but the + // last segment in a writer loop response has been closed) + // - Segment 2 should remain in the writing list + if len(dq.segments.reading) != 1 || dq.segments.reading[0].id != 1 { + t.Error("Expected segment 1 to move to the reading list") + } + if len(dq.segments.writing) != 1 || dq.segments.writing[0].id != 2 { + t.Error("Expected segment 2 to remain in the writing list") + } + if dq.segments.reading[0].endOffset != 200 { + t.Errorf("Expected segment 1 endOffset 200, got %d", + dq.segments.reading[0].endOffset) + } + if dq.segments.writing[0].endOffset != 100 { + t.Errorf("Expected segment 2 endOffset 100, got %d", + dq.segments.writing[0].endOffset) + } +} diff --git a/libbeat/publisher/queue/diskqueue/deleter_loop.go b/libbeat/publisher/queue/diskqueue/deleter_loop.go new file mode 100644 index 00000000000..4e685285948 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/deleter_loop.go @@ -0,0 +1,99 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "os" + "time" +) + +type deleterLoop struct { + // The settings for the queue that created this loop. + settings Settings + + // When one or more segments are ready to delete, they are sent to + // requestChan. At most one deleteRequest may be outstanding at any time. + requestChan chan deleterLoopRequest + + // When a request has been completely processed, a response is sent on + // responseChan. If at least one deletion was successful, the response + // is sent immediately. Otherwise, the deleter loop delays for + // queueSettings.RetryWriteInterval before returning, so timed retries + // don't have to be handled by the core loop. + responseChan chan deleterLoopResponse +} + +type deleterLoopRequest struct { + segments []*queueSegment +} + +type deleterLoopResponse struct { + results []error +} + +func newDeleterLoop(settings Settings) *deleterLoop { + return &deleterLoop{ + settings: settings, + + requestChan: make(chan deleterLoopRequest, 1), + responseChan: make(chan deleterLoopResponse), + } +} + +func (dl *deleterLoop) run() { + for { + request, ok := <-dl.requestChan + if !ok { + // The channel has been closed, time to shut down. + return + } + results := []error{} + deletedCount := 0 + for _, segment := range request.segments { + path := dl.settings.segmentPath(segment.id) + err := os.Remove(path) + // We ignore errors caused by the file not existing: this shouldn't + // happen, but it is still safe to report it as successfully removed. + if err == nil || errors.Is(err, os.ErrNotExist) { + deletedCount++ + results = append(results, nil) + } else { + results = append(results, err) + } + } + if len(request.segments) > 0 && deletedCount == 0 { + // If we were asked to delete segments but could not delete + // _any_ of them, we haven't made progress. Returning an error + // will log the issue and retry, but in this situation we + // want to delay before retrying. The core loop itself can't + // delay (it can never sleep or block), so we handle the + // delay here, by waiting before sending the result. + // The delay can be interrupted if the request channel is closed, + // indicating queue shutdown. + select { + // TODO: make the retry interval configurable. + case <-time.After(time.Second): + case <-dl.requestChan: + } + } + dl.responseChan <- deleterLoopResponse{ + results: results, + } + } +} diff --git a/libbeat/publisher/queue/diskqueue/frames.go b/libbeat/publisher/queue/diskqueue/frames.go new file mode 100644 index 00000000000..02571a65ce9 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/frames.go @@ -0,0 +1,72 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import "github.com/elastic/beats/v7/libbeat/publisher" + +// Every data frame read from the queue is assigned a unique sequential +// integer, which is used to keep track of which frames have been +// acknowledged. +// This id is not stable between restarts; the value 0 is always assigned +// to the oldest remaining frame on startup. +type frameID uint64 + +// A data frame created through the producer API and waiting to be +// written to disk. +type writeFrame struct { + // The event, serialized for writing to disk and wrapped in a frame + // header / footer. + serialized []byte + + // The producer that created this frame. This is included in the + // frame structure itself because we may need the producer and / or + // its config at any time up until it has been completely written: + // - While the core loop is tracking frames to send to the writer, + // it may receive a Cancel request, which requires us to know + // the producer / config each frame came from. + // - After the writer loop has finished writing the frame to disk, + // it needs to call the ACK function specified in ProducerConfig. + producer *diskQueueProducer +} + +// A frame that has been read from disk and is waiting to be read / +// acknowledged through the consumer API. +type readFrame struct { + // The segment containing this frame. + segment *queueSegment + + // The id of this frame. + id frameID + + // The event decoded from the data frame. + event publisher.Event + + // How much space this frame occupied on disk (before deserialization), + // including the frame header / footer. + bytesOnDisk uint64 +} + +// Each data frame has a 32-bit length in the header, and a 32-bit checksum +// and a duplicate 32-bit length in the footer. +const frameHeaderSize = 4 +const frameFooterSize = 8 +const frameMetadataSize = frameHeaderSize + frameFooterSize + +func (frame writeFrame) sizeOnDisk() uint64 { + return uint64(len(frame.serialized) + frameMetadataSize) +} diff --git a/libbeat/publisher/queue/diskqueue/producer.go b/libbeat/publisher/queue/diskqueue/producer.go new file mode 100644 index 00000000000..f4ff4ef2706 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/producer.go @@ -0,0 +1,109 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "github.com/elastic/beats/v7/libbeat/publisher" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +type diskQueueProducer struct { + // The disk queue that created this producer. + queue *diskQueue + + // The configuration this producer was created with. + config queue.ProducerConfig + + encoder *eventEncoder + + // When a producer is cancelled, cancelled is set to true and the done + // channel is closed. (We could get by with just a done channel, but we + // need to make sure that calling Cancel repeatedly doesn't close an + // already-closed channel, which would panic.) + cancelled bool + done chan struct{} +} + +// A request sent from a producer to the core loop to add a frame to the queue. +type producerWriteRequest struct { + frame *writeFrame + shouldBlock bool + responseChan chan bool +} + +// +// diskQueueProducer implementation of the queue.Producer interface +// + +func (producer *diskQueueProducer) Publish(event publisher.Event) bool { + return producer.publish(event, true) +} + +func (producer *diskQueueProducer) TryPublish(event publisher.Event) bool { + return producer.publish(event, false) +} + +func (producer *diskQueueProducer) publish( + event publisher.Event, shouldBlock bool, +) bool { + if producer.cancelled { + return false + } + serialized, err := producer.encoder.encode(&event) + if err != nil { + producer.queue.logger.Errorf( + "Couldn't serialize incoming event: %v", err) + return false + } + request := producerWriteRequest{ + frame: &writeFrame{ + serialized: serialized, + producer: producer, + }, + shouldBlock: shouldBlock, + // This response channel will be used by the core loop, so it must have + // buffer size 1 to guarantee that the core loop will not need to block. + responseChan: make(chan bool, 1), + } + + select { + case producer.queue.producerWriteRequestChan <- request: + // The request has been sent, and we are now guaranteed to get a result on + // the response channel, so we must read from it immediately to avoid + // blocking the core loop. + response := <-request.responseChan + return response + case <-producer.queue.done: + return false + case <-producer.done: + return false + } +} + +func (producer *diskQueueProducer) Cancel() int { + if producer.cancelled { + return 0 + } + producer.cancelled = true + close(producer.done) + + // TODO (possibly?): message the core loop to remove any pending events that + // were sent through this producer. If we do, return the number of cancelled + // events here instead of zero. + return 0 +} diff --git a/libbeat/publisher/queue/diskqueue/queue.go b/libbeat/publisher/queue/diskqueue/queue.go new file mode 100644 index 00000000000..5f756996e5f --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/queue.go @@ -0,0 +1,249 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "fmt" + "os" + "sync" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/publisher/queue" +) + +// diskQueue is the internal type representing a disk-based implementation +// of queue.Queue. +type diskQueue struct { + logger *logp.Logger + settings Settings + + // Metadata related to the segment files. + segments diskQueueSegments + + // Metadata related to consumer acks / positions of the oldest remaining + // frame. + acks *diskQueueACKs + + // The queue's helper loops, each of which is run in its own goroutine. + readerLoop *readerLoop + writerLoop *writerLoop + deleterLoop *deleterLoop + + // Wait group for shutdown of the goroutines associated with this queue: + // reader loop, writer loop, deleter loop, and core loop (diskQueue.run()). + waitGroup sync.WaitGroup + + // writing is true if the writer loop is processing a request, false + // otherwise. + writing bool + + // reading is true if the reader loop is processing a request, false + // otherwise. + reading bool + + // deleting is true if the deleter loop is processing a request, false + // otherwise. + deleting bool + + // The API channel used by diskQueueProducer to write events. + producerWriteRequestChan chan producerWriteRequest + + // pendingFrames is a list of all incoming data frames that have been + // accepted by the queue and are waiting to be sent to the writer loop. + // Segment ids in this list always appear in sorted order, even between + // requests (that is, a frame added to this list always has segment id + // at least as high as every previous frame that has ever been added). + pendingFrames []segmentedFrame + + // blockedProducers is a list of all producer write requests that are + // waiting for free space in the queue. + blockedProducers []producerWriteRequest + + // The channel to signal our goroutines to shut down. + done chan struct{} +} + +func init() { + queue.RegisterQueueType( + "disk", + queueFactory, + feature.MakeDetails( + "Disk queue", + "Buffer events on disk before sending to the output.", + feature.Beta)) +} + +// queueFactory matches the queue.Factory interface, and is used to add the +// disk queue to the registry. +func queueFactory( + ackListener queue.ACKListener, logger *logp.Logger, cfg *common.Config, +) (queue.Queue, error) { + settings, err := SettingsForUserConfig(cfg) + if err != nil { + return nil, fmt.Errorf("disk queue couldn't load user config: %w", err) + } + settings.WriteToDiskListener = ackListener + return NewQueue(logger, settings) +} + +// NewQueue returns a disk-based queue configured with the given logger +// and settings, creating it if it doesn't exist. +func NewQueue(logger *logp.Logger, settings Settings) (queue.Queue, error) { + logger = logger.Named("diskqueue") + logger.Debugf( + "Initializing disk queue at path %v", settings.directoryPath()) + + if settings.MaxBufferSize > 0 && + settings.MaxBufferSize < settings.MaxSegmentSize*2 { + return nil, fmt.Errorf( + "disk queue buffer size (%v) must be at least "+ + "twice the segment size (%v)", + settings.MaxBufferSize, settings.MaxSegmentSize) + } + + // Create the given directory path if it doesn't exist. + err := os.MkdirAll(settings.directoryPath(), os.ModePerm) + if err != nil { + return nil, fmt.Errorf("couldn't create disk queue directory: %w", err) + } + + // Load the previous queue position, if any. + nextReadPosition, err := queuePositionFromPath(settings.stateFilePath()) + if err != nil && !errors.Is(err, os.ErrNotExist) { + // Errors reading / writing the position are non-fatal -- we just log a + // warning and fall back on the oldest existing segment, if any. + logger.Warnf("Couldn't load most recent queue position: %v", err) + } + positionFile, err := os.OpenFile( + settings.stateFilePath(), os.O_WRONLY|os.O_CREATE, 0600) + if err != nil { + // This is not the _worst_ error: we could try operating even without a + // position file. But it indicates a problem with the queue permissions on + // disk, which keeps us from tracking our position within the segment files + // and could also prevent us from creating new ones, so we treat this as a + // fatal error on startup rather than quietly providing degraded + // performance. + return nil, fmt.Errorf("couldn't write to state file: %v", err) + } + + // Index any existing data segments to be placed in segments.reading. + initialSegments, err := scanExistingSegments(settings.directoryPath()) + if err != nil { + return nil, err + } + var nextSegmentID segmentID + if len(initialSegments) > 0 { + // Initialize nextSegmentID to the first ID after the existing segments. + lastID := initialSegments[len(initialSegments)-1].id + nextSegmentID = lastID + 1 + } + + // If any of the initial segments are older than the current queue + // position, move them directly to the acked list where they can be + // deleted. + ackedSegments := []*queueSegment{} + readSegmentID := nextReadPosition.segmentID + for len(initialSegments) > 0 && initialSegments[0].id < readSegmentID { + ackedSegments = append(ackedSegments, initialSegments[0]) + initialSegments = initialSegments[1:] + } + + // If the queue position is older than all existing segments, advance + // it to the beginning of the first one. + if len(initialSegments) > 0 && readSegmentID < initialSegments[0].id { + nextReadPosition = queuePosition{segmentID: initialSegments[0].id} + } + + queue := &diskQueue{ + logger: logger, + settings: settings, + + segments: diskQueueSegments{ + reading: initialSegments, + nextID: nextSegmentID, + nextReadOffset: nextReadPosition.offset, + }, + + acks: newDiskQueueACKs(logger, nextReadPosition, positionFile), + + readerLoop: newReaderLoop(settings), + writerLoop: newWriterLoop(logger, settings), + deleterLoop: newDeleterLoop(settings), + + producerWriteRequestChan: make(chan producerWriteRequest), + + done: make(chan struct{}), + } + + // We wait for four goroutines on shutdown: core loop, reader loop, + // writer loop, deleter loop. + queue.waitGroup.Add(4) + + // Start the goroutines and return the queue! + go func() { + queue.readerLoop.run() + queue.waitGroup.Done() + }() + go func() { + queue.writerLoop.run() + queue.waitGroup.Done() + }() + go func() { + queue.deleterLoop.run() + queue.waitGroup.Done() + }() + go func() { + queue.run() + queue.waitGroup.Done() + }() + + return queue, nil +} + +// +// diskQueue implementation of the queue.Queue interface +// + +func (dq *diskQueue) Close() error { + // Closing the done channel signals to the core loop that it should + // shut down the other helper goroutines and wrap everything up. + close(dq.done) + dq.waitGroup.Wait() + + return nil +} + +func (dq *diskQueue) BufferConfig() queue.BufferConfig { + return queue.BufferConfig{MaxEvents: 0} +} + +func (dq *diskQueue) Producer(cfg queue.ProducerConfig) queue.Producer { + return &diskQueueProducer{ + queue: dq, + config: cfg, + encoder: newEventEncoder(), + done: make(chan struct{}), + } +} + +func (dq *diskQueue) Consumer() queue.Consumer { + return &diskQueueConsumer{queue: dq} +} diff --git a/libbeat/publisher/queue/diskqueue/reader_loop.go b/libbeat/publisher/queue/diskqueue/reader_loop.go new file mode 100644 index 00000000000..dc2bb95777f --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/reader_loop.go @@ -0,0 +1,247 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "fmt" + "os" +) + +type readerLoopRequest struct { + segment *queueSegment + startOffset segmentOffset + startFrameID frameID + endOffset segmentOffset +} + +type readerLoopResponse struct { + // The number of frames successfully read from the requested segment file. + frameCount uint64 + + // The number of bytes successfully read from the requested segment file. + byteCount uint64 + + // If there was an error in the segment file (i.e. inconsistent data), the + // err field is set. + err error +} + +type readerLoop struct { + // The settings for the queue that created this loop. + settings Settings + + // When there is a block available for reading, it will be sent to + // requestChan. When the reader loop has finished processing it, it + // sends the result to finishedReading. If there is more than one block + // available for reading, the core loop will wait until it gets a + // finishedReadingMessage before it + requestChan chan readerLoopRequest + responseChan chan readerLoopResponse + + // Frames that have been read from disk are sent to this channel. + // Unlike most of the queue's API channels, this one is buffered to allow + // the reader to read ahead and cache pending frames before a consumer + // explicitly requests them. + output chan *readFrame + + // The helper object to deserialize binary blobs from the queue into + // publisher.Event objects that can be returned in a readFrame. + decoder *eventDecoder +} + +func newReaderLoop(settings Settings) *readerLoop { + return &readerLoop{ + settings: settings, + + requestChan: make(chan readerLoopRequest, 1), + responseChan: make(chan readerLoopResponse), + output: make(chan *readFrame, settings.ReadAheadLimit), + decoder: newEventDecoder(), + } +} + +func (rl *readerLoop) run() { + for { + request, ok := <-rl.requestChan + if !ok { + // The channel is closed, we are shutting down. + close(rl.output) + return + } + response := rl.processRequest(request) + rl.responseChan <- response + } +} + +func (rl *readerLoop) processRequest(request readerLoopRequest) readerLoopResponse { + frameCount := uint64(0) + byteCount := uint64(0) + nextFrameID := request.startFrameID + + // Open the file and seek to the starting position. + handle, err := request.segment.getReader(rl.settings) + if err != nil { + return readerLoopResponse{err: err} + } + defer handle.Close() + _, err = handle.Seek(segmentHeaderSize+int64(request.startOffset), 0) + if err != nil { + return readerLoopResponse{err: err} + } + + targetLength := uint64(request.endOffset - request.startOffset) + for { + remainingLength := targetLength - byteCount + + // Try to read the next frame, clipping to the given bound. + // If the next frame extends past this boundary, nextFrame will return + // an error. + frame, err := rl.nextFrame(handle, remainingLength) + if frame != nil { + // Add the segment / frame ID, which nextFrame leaves blank. + frame.segment = request.segment + frame.id = nextFrameID + nextFrameID++ + // We've read the frame, try sending it to the output channel. + select { + case rl.output <- frame: + // Successfully sent! Increment the total for this request. + frameCount++ + byteCount += frame.bytesOnDisk + case <-rl.requestChan: + // Since we haven't sent a finishedReading message yet, we can only + // reach this case when the nextReadBlock channel is closed, indicating + // queue shutdown. In this case we immediately return. + return readerLoopResponse{ + frameCount: frameCount, + byteCount: byteCount, + err: nil, + } + } + } + + // We are done with this request if: + // - there was an error reading the frame, + // - there are no more frames to read, or + // - we have reached the end of the requested region + if err != nil || frame == nil || byteCount >= targetLength { + return readerLoopResponse{ + frameCount: frameCount, + byteCount: byteCount, + err: err, + } + } + + // If the output channel's buffer is not full, the previous select + // might not recognize when the queue is being closed, so check that + // again separately before we move on to the next data frame. + select { + case <-rl.requestChan: + return readerLoopResponse{ + frameCount: frameCount, + byteCount: byteCount, + err: nil, + } + default: + } + } +} + +// nextFrame reads and decodes one frame from the given file handle, as long +// it does not exceed the given length bound. The returned frame leaves the +// segment and frame IDs unset. +func (rl *readerLoop) nextFrame( + handle *os.File, maxLength uint64, +) (*readFrame, error) { + // Ensure we are allowed to read the frame header. + if maxLength < frameHeaderSize { + return nil, fmt.Errorf( + "Can't read next frame: remaining length %d is too low", maxLength) + } + // Wrap the handle to retry non-fatal errors and always return the full + // requested data length if possible. + reader := autoRetryReader{handle} + var frameLength uint32 + err := binary.Read(reader, binary.LittleEndian, &frameLength) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame header: %w", err) + } + + // If the frame extends past the area we were told to read, return an error. + // This should never happen unless the segment file is corrupted. + if maxLength < uint64(frameLength) { + return nil, fmt.Errorf( + "Can't read next frame: frame size is %d but remaining data is only %d", + frameLength, maxLength) + } + if frameLength <= frameMetadataSize { + // Valid enqueued data must have positive length + return nil, fmt.Errorf( + "Data frame with no data (length %d)", frameLength) + } + + // Read the actual frame data + dataLength := frameLength - frameMetadataSize + bytes := rl.decoder.Buffer(int(dataLength)) + _, err = reader.Read(bytes) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame content: %w", err) + } + + // Read the footer (checksum + duplicate length) + var checksum uint32 + err = binary.Read(reader, binary.LittleEndian, &checksum) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame checksum: %w", err) + } + expected := computeChecksum(bytes) + if checksum != expected { + return nil, fmt.Errorf( + "Data frame checksum mismatch (%x != %x)", checksum, expected) + } + + var duplicateLength uint32 + err = binary.Read(reader, binary.LittleEndian, &duplicateLength) + if err != nil { + return nil, fmt.Errorf("Couldn't read data frame footer: %w", err) + } + if duplicateLength != frameLength { + return nil, fmt.Errorf( + "Inconsistent data frame length (%d vs %d)", + frameLength, duplicateLength) + } + + event, err := rl.decoder.Decode() + if err != nil { + // Unlike errors in the segment or frame metadata, this is entirely + // a problem in the event [de]serialization which may be isolated (i.e. + // may not indicate data corruption in the segment). + // TODO: Rather than pass this error back to the read request, which + // discards the rest of the segment, we should just log the error and + // advance to the next frame, which is likely still valid. + return nil, fmt.Errorf("Couldn't decode data frame: %w", err) + } + + frame := &readFrame{ + event: event, + bytesOnDisk: uint64(frameLength), + } + + return frame, nil +} diff --git a/libbeat/publisher/queue/diskqueue/segments.go b/libbeat/publisher/queue/diskqueue/segments.go new file mode 100644 index 00000000000..5ce0dc49962 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/segments.go @@ -0,0 +1,254 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "fmt" + "io/ioutil" + "os" + "sort" + "strconv" + "strings" +) + +// diskQueueSegments encapsulates segment-related queue metadata. +type diskQueueSegments struct { + + // A list of the segments that have not yet been completely written, sorted + // by increasing segment ID. When the first entry has been completely + // written, it is removed from this list and appended to reading. + // + // If the reading list is empty, the queue may read from a segment that is + // still being written, but it will always be writing[0], since later + // entries do not yet exist on disk. + writing []*queueSegment + + // A list of the segments that have been completely written but have + // not yet been completely read, sorted by increasing segment ID. When the + // first entry has been completely read, it is removed from this list and + // appended to acking. + reading []*queueSegment + + // A list of the segments that have been completely read but have not yet + // been completely acknowledged, sorted by increasing segment ID. When the + // first entry has been completely acknowledged, it is removed from this + // list and appended to acked. + acking []*queueSegment + + // A list of the segments that have been completely read and acknowledged + // and are ready to be deleted. When a segment is successfully deleted, it + // is removed from this list and discarded. + acked []*queueSegment + + // The next sequential unused segment ID. This is what will be assigned + // to the next queueSegment we create. + nextID segmentID + + // nextWriteOffset is the segment offset at which the next new frame + // should be written. This offset always applies to the last entry of + // writing[]. This is distinct from the endOffset field within a segment: + // endOffset tracks how much data _has_ been written to a segment, while + // nextWriteOffset also includes everything that is _scheduled_ to be + // written. + nextWriteOffset segmentOffset + + // nextReadFrameID is the first frame ID in the current or pending + // read request. + nextReadFrameID frameID + + // nextReadOffset is the segment offset corresponding to the frame + // nextReadFrameID. This offset always applies to the first reading + // segment: either reading[0], or writing[0] if reading is empty. + nextReadOffset segmentOffset +} + +// segmentID is a unique persistent integer id assigned to each created +// segment in ascending order. +type segmentID uint64 + +// segmentOffset is a byte index into the segment's data region. +// An offset of 0 means the first byte after the segment file header. +type segmentOffset uint64 + +// The metadata for a single segment file. +type queueSegment struct { + // A segment id is globally unique within its originating queue. + id segmentID + + // The byte offset of the end of the segment's data region. This is + // updated when the segment is written to, and should always correspond + // to the end of a complete data frame. The total size of a segment file + // on disk is segmentHeaderSize + segment.endOffset. + endOffset segmentOffset + + // The ID of the first frame that was / will be read from this segment. + // This field is only valid after a read request has been sent for + // this segment. (Currently it is only used to handle consumer ACKs, + // which can only happen after reading has begun on the segment.) + firstFrameID frameID + + // The number of frames read from this segment during this session. This + // does not necessarily equal the number of frames in the segment, even + // after reading is complete, since the segment may have been partially + // read during a previous session. + // + // Used to count how many frames still need to be acknowledged by consumers. + framesRead uint64 +} + +type segmentHeader struct { + version uint32 +} + +// Segment headers are currently just a 32-bit version. +const segmentHeaderSize = 4 + +// Sort order: we store loaded segments in ascending order by their id. +type bySegmentID []*queueSegment + +func (s bySegmentID) Len() int { return len(s) } +func (s bySegmentID) Swap(i, j int) { s[i], s[j] = s[j], s[i] } +func (s bySegmentID) Less(i, j int) bool { return s[i].id < s[j].id } + +// Scan the given path for segment files, and return them in a list +// ordered by segment id. +func scanExistingSegments(path string) ([]*queueSegment, error) { + files, err := ioutil.ReadDir(path) + if err != nil { + return nil, fmt.Errorf("Couldn't read queue directory '%s': %w", path, err) + } + + segments := []*queueSegment{} + for _, file := range files { + if file.Size() <= segmentHeaderSize { + // Ignore segments that don't have at least some data beyond the + // header (this will always be true of segments we write unless there + // is an error). + continue + } + components := strings.Split(file.Name(), ".") + if len(components) == 2 && strings.ToLower(components[1]) == "seg" { + // Parse the id as base-10 64-bit unsigned int. We ignore file names that + // don't match the "[uint64].seg" pattern. + if id, err := strconv.ParseUint(components[0], 10, 64); err == nil { + segments = append(segments, + &queueSegment{ + id: segmentID(id), + endOffset: segmentOffset(file.Size() - segmentHeaderSize), + }) + } + } + } + sort.Sort(bySegmentID(segments)) + return segments, nil +} + +func (segment *queueSegment) sizeOnDisk() uint64 { + return uint64(segment.endOffset) + segmentHeaderSize +} + +// Should only be called from the reader loop. +func (segment *queueSegment) getReader( + queueSettings Settings, +) (*os.File, error) { + path := queueSettings.segmentPath(segment.id) + file, err := os.Open(path) + if err != nil { + return nil, fmt.Errorf( + "Couldn't open segment %d: %w", segment.id, err) + } + // Right now there is only one valid header (indicating schema version + // zero) so we don't need the value itself. + _, err = readSegmentHeader(file) + if err != nil { + file.Close() + return nil, fmt.Errorf("Couldn't read segment header: %w", err) + } + + return file, nil +} + +// Should only be called from the writer loop. +func (segment *queueSegment) getWriter( + queueSettings Settings, +) (*os.File, error) { + path := queueSettings.segmentPath(segment.id) + file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) + if err != nil { + return nil, err + } + header := &segmentHeader{version: 0} + err = writeSegmentHeader(file, header) + if err != nil { + return nil, fmt.Errorf("Couldn't write segment header: %w", err) + } + + return file, nil +} + +// getWriterWithRetry tries to create a file handle for writing via +// queueSegment.getWriter. On error, it retries as long as the given +// retry callback returns true. This is used for timed retries when +// creating a queue segment from the writer loop. +func (segment *queueSegment) getWriterWithRetry( + queueSettings Settings, retry func(error) bool, +) (*os.File, error) { + file, err := segment.getWriter(queueSettings) + for err != nil && retry(err) { + // Try again + file, err = segment.getWriter(queueSettings) + } + return file, err +} + +func readSegmentHeader(in *os.File) (*segmentHeader, error) { + header := &segmentHeader{} + err := binary.Read(in, binary.LittleEndian, &header.version) + if err != nil { + return nil, err + } + if header.version != 0 { + return nil, fmt.Errorf("Unrecognized schema version %d", header.version) + } + return header, nil +} + +func writeSegmentHeader(out *os.File, header *segmentHeader) error { + err := binary.Write(out, binary.LittleEndian, header.version) + return err +} + +// The number of bytes occupied by all the queue's segment files. This +// should only be called from the core loop. +func (segments *diskQueueSegments) sizeOnDisk() uint64 { + total := uint64(0) + for _, segment := range segments.writing { + total += segment.sizeOnDisk() + } + for _, segment := range segments.reading { + total += segment.sizeOnDisk() + } + for _, segment := range segments.acking { + total += segment.sizeOnDisk() + } + for _, segment := range segments.acked { + total += segment.sizeOnDisk() + } + return total +} diff --git a/libbeat/publisher/queue/diskqueue/serialize.go b/libbeat/publisher/queue/diskqueue/serialize.go new file mode 100644 index 00000000000..9db8e7b1bd9 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/serialize.go @@ -0,0 +1,154 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Encoding / decoding routines adapted from +// libbeat/publisher/queue/spool/codec.go. + +package diskqueue + +import ( + "bytes" + "time" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/outputs/codec" + "github.com/elastic/beats/v7/libbeat/publisher" + "github.com/elastic/go-structform/gotype" + "github.com/elastic/go-structform/json" +) + +type eventEncoder struct { + buf bytes.Buffer + folder *gotype.Iterator +} + +type eventDecoder struct { + buf []byte + + parser *json.Parser + unfolder *gotype.Unfolder +} + +type entry struct { + Timestamp int64 + Flags uint8 + Meta common.MapStr + Fields common.MapStr +} + +const ( + // If + flagGuaranteed uint8 = 1 << 0 +) + +func newEventEncoder() *eventEncoder { + e := &eventEncoder{} + e.reset() + return e +} + +func (e *eventEncoder) reset() { + e.folder = nil + + visitor := json.NewVisitor(&e.buf) + // This can't return an error: NewIterator is deterministic based on its + // input, and doesn't return an error when called with valid options. In + // this case the options are hard-coded to fixed values, so they are + // guaranteed to be valid and we can safely proceed. + folder, _ := gotype.NewIterator(visitor, + gotype.Folders( + codec.MakeTimestampEncoder(), + codec.MakeBCTimestampEncoder(), + ), + ) + + e.folder = folder +} + +func (e *eventEncoder) encode(event *publisher.Event) ([]byte, error) { + e.buf.Reset() + + err := e.folder.Fold(entry{ + Timestamp: event.Content.Timestamp.UTC().UnixNano(), + Flags: uint8(event.Flags), + Meta: event.Content.Meta, + Fields: event.Content.Fields, + }) + if err != nil { + e.reset() + return nil, err + } + + // Copy the encoded bytes to a new array owned by the caller. + bytes := e.buf.Bytes() + result := make([]byte, len(bytes)) + copy(result, bytes) + + return result, nil +} + +func newEventDecoder() *eventDecoder { + d := &eventDecoder{} + d.reset() + return d +} + +func (d *eventDecoder) reset() { + // When called on nil, NewUnfolder deterministically returns a nil error, + // so it's safe to ignore the error result. + unfolder, _ := gotype.NewUnfolder(nil) + + d.unfolder = unfolder + d.parser = json.NewParser(unfolder) +} + +// Buffer prepares the read buffer to hold the next event of n bytes. +func (d *eventDecoder) Buffer(n int) []byte { + if cap(d.buf) > n { + d.buf = d.buf[:n] + } else { + d.buf = make([]byte, n) + } + return d.buf +} + +func (d *eventDecoder) Decode() (publisher.Event, error) { + var ( + to entry + err error + ) + + d.unfolder.SetTarget(&to) + defer d.unfolder.Reset() + + err = d.parser.Parse(d.buf) + + if err != nil { + d.reset() // reset parser just in case + return publisher.Event{}, err + } + + return publisher.Event{ + Flags: publisher.EventFlags(to.Flags), + Content: beat.Event{ + Timestamp: time.Unix(0, to.Timestamp), + Fields: to.Fields, + Meta: to.Meta, + }, + }, nil +} diff --git a/libbeat/publisher/queue/diskqueue/state_file.go b/libbeat/publisher/queue/diskqueue/state_file.go new file mode 100644 index 00000000000..2ff14e3e5e2 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/state_file.go @@ -0,0 +1,93 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "bufio" + "encoding/binary" + "fmt" + "os" +) + +// Given an open file handle to the queue state, decode the current position +// and return the result if successful, otherwise an error. +func queuePositionFromHandle( + file *os.File, +) (queuePosition, error) { + _, err := file.Seek(0, 0) + if err != nil { + return queuePosition{}, err + } + + reader := bufio.NewReader(file) + var version uint32 + err = binary.Read(reader, binary.LittleEndian, &version) + if err != nil { + return queuePosition{}, err + } + if version != 0 { + return queuePosition{}, + fmt.Errorf("Unsupported queue metadata version (%d)", version) + } + + position := queuePosition{} + err = binary.Read(reader, binary.LittleEndian, &position.segmentID) + if err != nil { + return queuePosition{}, err + } + + err = binary.Read( + reader, binary.LittleEndian, &position.offset) + if err != nil { + return queuePosition{}, err + } + + return position, nil +} + +func queuePositionFromPath(path string) (queuePosition, error) { + // Try to open an existing state file. + file, err := os.OpenFile(path, os.O_RDONLY, 0600) + if err != nil { + return queuePosition{}, err + } + defer file.Close() + return queuePositionFromHandle(file) +} + +// Given the queue position, encode and write it to the given file handle. +// Returns nil if successful, otherwise an error. +func writeQueuePositionToHandle( + file *os.File, + position queuePosition, +) error { + _, err := file.Seek(0, 0) + if err != nil { + return err + } + + // Want to write: version (0), segment id, segment offset. + elems := []interface{}{uint32(0), position.segmentID, position.offset} + for _, elem := range elems { + err = binary.Write(file, binary.LittleEndian, &elem) + if err != nil { + return err + } + } + return nil +} diff --git a/libbeat/publisher/queue/diskqueue/util.go b/libbeat/publisher/queue/diskqueue/util.go new file mode 100644 index 00000000000..60c529a9992 --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/util.go @@ -0,0 +1,89 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "errors" + "io" + "syscall" +) + +// A wrapper for an io.Reader that tries to read the full number of bytes +// requested, retrying on EAGAIN and EINTR, and returns an error if +// and only if the number of bytes read is less than requested. +// This is similar to io.ReadFull but with retrying. +type autoRetryReader struct { + wrapped io.Reader +} + +func (r autoRetryReader) Read(p []byte) (int, error) { + bytesRead := 0 + reader := r.wrapped + n, err := reader.Read(p) + for n < len(p) { + if err != nil && !readErrorIsRetriable(err) { + return bytesRead + n, err + } + // If there is an error, it is retriable, so advance p and try again. + bytesRead += n + p = p[n:] + n, err = reader.Read(p) + } + return bytesRead + n, nil +} + +func readErrorIsRetriable(err error) bool { + return errors.Is(err, syscall.EINTR) || errors.Is(err, syscall.EAGAIN) +} + +// writeErrorIsRetriable returns true if the given IO error can be +// immediately retried. +func writeErrorIsRetriable(err error) bool { + return errors.Is(err, syscall.EINTR) || errors.Is(err, syscall.EAGAIN) +} + +// callbackRetryWriter is an io.Writer that wraps another writer and enables +// write-with-retry. When a Write encounters an error, it is passed to the +// retry callback. If the callback returns true, the the writer retries +// any unwritten portion of the input, otherwise it passes the error back +// to the caller. +// This helper is specifically for working with the writer loop, which needs +// to be able to retry forever at configurable intervals, but also cancel +// immediately if the queue is closed. +// This writer is unbuffered. In particular, it is safe to modify the +// "wrapped" field in-place as long as it isn't captured by the callback. +type callbackRetryWriter struct { + wrapped io.Writer + retry func(error) bool +} + +func (w callbackRetryWriter) Write(p []byte) (int, error) { + bytesWritten := 0 + writer := w.wrapped + n, err := writer.Write(p) + for n < len(p) { + if err != nil && !w.retry(err) { + return bytesWritten + n, err + } + // Advance p and try again. + bytesWritten += n + p = p[n:] + n, err = writer.Write(p) + } + return bytesWritten + n, nil +} diff --git a/libbeat/publisher/queue/diskqueue/writer_loop.go b/libbeat/publisher/queue/diskqueue/writer_loop.go new file mode 100644 index 00000000000..b42e4573cab --- /dev/null +++ b/libbeat/publisher/queue/diskqueue/writer_loop.go @@ -0,0 +1,239 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package diskqueue + +import ( + "encoding/binary" + "os" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// A segmentedFrame is a data frame waiting to be written to disk along with +// the segment it has been assigned to. +type segmentedFrame struct { + // The frame to be written to disk. + frame *writeFrame + + // The segment to which this frame should be written. + segment *queueSegment +} + +// A writer loop request contains a list of writeFrames with the +// segment each should be written to. +// +// Input invariant (segment ids are sorted): If a frame f is included in a +// writerLoopRequest, then every subsequent frame in this and future +// requests must have segment id at least f.segment.id. +// +// That is: we must write all frames for segment 0 before we start writing +// to frame 1, etc. This assumption allows all file operations to happen +// safely in the writer loop without any knowledge of the broader queue state. +type writerLoopRequest struct { + frames []segmentedFrame +} + +// A writerLoopResponse reports the number of bytes written to each +// segment in the request. There is guaranteed to be one entry for each +// segment that appeared in the request, in the same order. If there is +// more than one entry, then all but the last segment have been closed. +type writerLoopResponse struct { + bytesWritten []int64 +} + +type writerLoop struct { + // The settings for the queue that created this loop. + settings Settings + + // The logger for the writer loop, assigned when the queue creates it. + logger *logp.Logger + + // The writer loop listens on requestChan for frames to write, and + // writes them to disk immediately (all queue capacity checking etc. is + // done by the core loop before sending it to the writer). + // When this channel is closed, any in-progress writes are aborted and + // the run loop terminates. + requestChan chan writerLoopRequest + + // The writer loop sends to responseChan when it has finished handling a + // request, to signal the core loop that it is ready for the next one. + responseChan chan writerLoopResponse + + // The most recent segment that has been written to, if there is one. + // This segment + currentSegment *queueSegment + + // The file handle corresponding to currentSegment. When currentSegment + // changes, this handle is closed and a new one is created. + outputFile *os.File +} + +func newWriterLoop(logger *logp.Logger, settings Settings) *writerLoop { + return &writerLoop{ + logger: logger, + settings: settings, + + requestChan: make(chan writerLoopRequest, 1), + responseChan: make(chan writerLoopResponse), + } +} + +func (wl *writerLoop) run() { + for { + block, ok := <-wl.requestChan + if !ok { + // The request channel is closed, we are done + return + } + bytesWritten := wl.processRequest(block) + wl.responseChan <- writerLoopResponse{bytesWritten: bytesWritten} + } +} + +// processRequest writes the frames in the given request to disk and returns +// the number of bytes written to each segment, in the order they were +// encountered. +func (wl *writerLoop) processRequest(request writerLoopRequest) []int64 { + // retryWriter wraps the file handle with timed retries. + // retryWriter.Write is guaranteed to return only if the write + // completely succeeded or the queue is being closed. + retryWriter := callbackRetryWriter{retry: wl.retryCallback} + + // We keep track of how many frames are written during this request, + // and send the associated ACKs to the queue / producer listeners + // in a batch at the end (since each ACK call can involve a round-trip + // to the registry). + totalACKCount := 0 + producerACKCounts := make(map[*diskQueueProducer]int) + + var bytesWritten []int64 // Bytes written to all segments. + curBytesWritten := int64(0) // Bytes written to the current segment. +outerLoop: + for _, frameRequest := range request.frames { + // If the new segment doesn't match the last one, we need to open a new + // file handle and possibly clean up the old one. + if wl.currentSegment != frameRequest.segment { + wl.logger.Debugf( + "Creating new segment file with id %v\n", frameRequest.segment.id) + if wl.outputFile != nil { + // Try to sync to disk, then close the file. + wl.outputFile.Sync() + wl.outputFile.Close() + wl.outputFile = nil + // We are done with this segment, add the byte count to the list and + // reset the current counter. + bytesWritten = append(bytesWritten, curBytesWritten) + curBytesWritten = 0 + } + wl.currentSegment = frameRequest.segment + file, err := wl.currentSegment.getWriterWithRetry( + wl.settings, wl.retryCallback) + if err != nil { + // This can only happen if the queue is being closed; abort. + break + } + wl.outputFile = file + } + // Make sure our writer points to the current file handle. + retryWriter.wrapped = wl.outputFile + + // We have the data and a file to write it to. We are now committed + // to writing this block unless the queue is closed in the meantime. + frameSize := uint32(frameRequest.frame.sizeOnDisk()) + + // The Write calls below all pass through retryWriter, so they can + // only return an error if the write should be aborted. Thus, all we + // need to do when we see an error is break out of the request loop. + err := binary.Write(retryWriter, binary.LittleEndian, frameSize) + if err != nil { + break + } + _, err = retryWriter.Write(frameRequest.frame.serialized) + if err != nil { + break + } + // Compute / write the frame's checksum + checksum := computeChecksum(frameRequest.frame.serialized) + err = binary.Write(wl.outputFile, binary.LittleEndian, checksum) + if err != nil { + break + } + // Write the frame footer's (duplicate) length + err = binary.Write(wl.outputFile, binary.LittleEndian, frameSize) + if err != nil { + break + } + // Update the byte count as the last step: that way if we abort while + // a frame is partially written, we only report up to the last + // complete frame. (This almost never matters, but it allows for + // more controlled recovery after a bad shutdown.) + curBytesWritten += int64(frameSize) + + // Update the ACKs that will be sent at the end of the request. + totalACKCount++ + if frameRequest.frame.producer.config.ACK != nil { + producerACKCounts[frameRequest.frame.producer]++ + } + + // Explicitly check if we should abort before starting the next frame. + select { + case <-wl.requestChan: + break outerLoop + default: + } + } + // Try to sync the written data to disk. + wl.outputFile.Sync() + + // If the queue has an ACK listener, notify it the frames were written. + if wl.settings.WriteToDiskListener != nil { + wl.settings.WriteToDiskListener.OnACK(totalACKCount) + } + + // Notify any producers with ACK listeners that their frames were written. + for producer, ackCount := range producerACKCounts { + producer.config.ACK(ackCount) + } + + // Return the total byte counts, including the final segment. + return append(bytesWritten, curBytesWritten) +} + +// retryCallback is called (by way of retryCallbackWriter) when there is +// an error writing to a segment file. It pauses for a configurable +// interval and returns true if the operation should be retried (which +// it always should, unless the queue is being closed). +func (wl *writerLoop) retryCallback(err error) bool { + if writeErrorIsRetriable(err) { + return true + } + // If the error is not immediately retriable, log the error + // and wait for the retry interval before trying again, but + // abort if the queue is closed (indicated by the request channel + // becoming unblocked). + wl.logger.Errorf("Writing to segment %v: %v", + wl.currentSegment.id, err) + select { + case <-time.After(time.Second): + // TODO: use a configurable interval here + return true + case <-wl.requestChan: + return false + } +} diff --git a/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png b/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png index 5d0ffd588fe..b1bfdd4531f 100644 Binary files a/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png and b/metricbeat/docs/images/metricbeat-googlecloud-pubsub-overview.png differ diff --git a/x-pack/filebeat/input/o365audit/input.go b/x-pack/filebeat/input/o365audit/input.go index ceff10751de..67013dc6a71 100644 --- a/x-pack/filebeat/input/o365audit/input.go +++ b/x-pack/filebeat/input/o365audit/input.go @@ -26,6 +26,9 @@ import ( const ( pluginName = "o365audit" fieldsPrefix = pluginName + + // How long to retry when a fatal error is encountered in the input. + failureRetryInterval = time.Minute * 5 ) type o365input struct { @@ -107,6 +110,34 @@ func (inp *o365input) Run( src cursor.Source, cursor cursor.Cursor, publisher cursor.Publisher, +) error { + for ctx.Cancelation.Err() == nil { + err := inp.runOnce(ctx, src, cursor, publisher) + if err == nil { + break + } + if ctx.Cancelation.Err() != err && err != context.Canceled { + msg := common.MapStr{} + msg.Put("error.message", err.Error()) + msg.Put("event.kind", "pipeline_error") + event := beat.Event{ + Timestamp: time.Now(), + Fields: msg, + } + publisher.Publish(event, nil) + ctx.Logger.Errorf("Input failed: %v", err) + ctx.Logger.Infof("Restarting in %v", failureRetryInterval) + time.Sleep(failureRetryInterval) + } + } + return nil +} + +func (inp *o365input) runOnce( + ctx v2.Context, + src cursor.Source, + cursor cursor.Cursor, + publisher cursor.Publisher, ) error { stream := src.(*stream) tenantID, contentType := stream.tenantID, stream.contentType @@ -156,18 +187,7 @@ func (inp *o365input) Run( } log.Infow("Start fetching events", "cursor", start) - err = poller.Run(action) - if err != nil && ctx.Cancelation.Err() != err && err != context.Canceled { - msg := common.MapStr{} - msg.Put("error.message", err.Error()) - msg.Put("event.kind", "pipeline_error") - event := beat.Event{ - Timestamp: time.Now(), - Fields: msg, - } - publisher.Publish(event, nil) - } - return err + return poller.Run(action) } func initCheckpoint(log *logp.Logger, c cursor.Cursor, maxRetention time.Duration) checkpoint { diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js b/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js index 37a1fa68d5e..3c8db034ee1 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js @@ -152,11 +152,9 @@ var map_getEventLegacyCategory = { "default": constant("1901000000"), }; -var dup1 = // "Pattern{Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" -match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); +var dup1 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); -var dup2 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); +var dup2 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); var dup3 = setc("eventcategory","1207010201"); @@ -194,8 +192,7 @@ var dup13 = setc("eventcategory","1207010000"); var dup14 = setc("direction","outbound"); -var dup15 = // "Pattern{Constant('SZ:'), Field(fld9,true), Constant(' SUBJ:'), Field(subject,false)}" -match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); +var dup15 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); var dup16 = setc("eventcategory","1207040000"); @@ -259,8 +256,7 @@ var dup33 = linear_select([ dup2, ]); -var hdr1 = // "Pattern{Field(messageid,false), Constant('['), Field(hfld14,false), Constant(']: '), Field(p0,false)}" -match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -275,8 +271,7 @@ match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_ch }), ])); -var hdr2 = // "Pattern{Field(hfld1,false), Constant('/'), Field(messageid,false), Constant('['), Field(hfld14,false), Constant(']: '), Field(p0,false)}" -match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -293,8 +288,7 @@ match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", pro }), ])); -var hdr3 = // "Pattern{Field(messageid,false), Constant(': '), Field(p0,false)}" -match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -313,8 +307,7 @@ var select1 = linear_select([ hdr3, ]); -var part1 = // "Pattern{Constant('inbound/pass1['), Field(fld14,false), Constant(']: '), Field(username,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' RECV '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); +var part1 = match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); var all1 = all_match({ processors: [ @@ -337,14 +330,11 @@ var all1 = all_match({ var msg1 = msg("000001", all1); -var part2 = // "Pattern{Constant('inbound/pass1: '), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' SCAN '), Field(fld4,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); +var part2 = match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); -var part3 = // "Pattern{Field(fld6,true), Constant(' SZ:'), Field(fld8,true), Constant(' SUBJ:'), Field(subject,false)}" -match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); +var part3 = match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); -var part4 = // "Pattern{Field(domain,true), Constant(' '), Field(info,false)}" -match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); +var part4 = match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); var select2 = linear_select([ part3, @@ -372,8 +362,7 @@ var all2 = all_match({ var msg2 = msg("inbound/pass1", all2); -var part5 = // "Pattern{Constant('inbound/pass1:'), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' RECV '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); +var part5 = match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); var all3 = all_match({ processors: [ @@ -402,11 +391,9 @@ var select3 = linear_select([ msg3, ]); -var part6 = // "Pattern{Constant('outbound/smtp['), Field(fld14,false), Constant(']: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); +var part6 = match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); -var part7 = // "Pattern{Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" -match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); +var part7 = match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); var select4 = linear_select([ part7, @@ -430,37 +417,28 @@ var all4 = all_match({ var msg4 = msg("000002", all4); -var part8 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); +var part8 = match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); -var part9 = // "Pattern{Field(fld8,true), Constant(' <<'), Field(from,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); +var part9 = match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); -var part10 = // "Pattern{Constant('<<'), Field(from,false), Constant('>'), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); +var part10 = match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); var select5 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); +var part11 = match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); -var part12 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant(', Hostname='), Field(hostname,false), Constant('] '), Field(event_description,true), Constant(' #to#'), Field(ddomain,false)}" -match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); +var part12 = match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); -var part13 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant('] '), Field(event_description,true), Constant(' #to#'), Field(daddr,false)}" -match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); +var part13 = match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); -var part14 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant(', Hostname='), Field(hostname,false), Constant('] '), Field(info,false)}" -match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); +var part14 = match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); -var part15 = // "Pattern{Field(event_description,true), Constant(' #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); +var part15 = match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); -var part16 = // "Pattern{Field(event_description,true), Constant(' #to#'), Field(ddomain,false)}" -match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); +var part16 = match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); var select6 = linear_select([ part12, @@ -489,22 +467,18 @@ var all5 = all_match({ var msg5 = msg("outbound/smtp", all5); -var part17 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); +var part17 = match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); -var part18 = // "Pattern{Field(fld8,true), Constant(' ok'), Field(p0,false)}" -match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); +var part18 = match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); -var part19 = // "Pattern{Constant('ok'), Field(p0,false)}" -match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); +var part19 = match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); var select7 = linear_select([ part18, part19, ]); -var part20 = // "Pattern{Field(fld9,true), Constant(' Message '), Field(fld10,true), Constant(' accepted #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); +var part20 = match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); var all6 = all_match({ processors: [ @@ -524,8 +498,7 @@ var all6 = all_match({ var msg6 = msg("000009", all6); -var part21 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' Message accepted for delivery #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ +var part21 = match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ dup13, dup4, dup14, @@ -537,8 +510,7 @@ match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr- var msg7 = msg("outbound/smtp:01", part21); -var part22 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' conversation with '), Field(fld5,false), Constant('['), Field(fld6,false), Constant('] timed out while sending '), Field(fld7,true), Constant(' #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" -match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ +var part22 = match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ dup13, dup4, dup14, @@ -549,26 +521,19 @@ match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr- var msg8 = msg("outbound/smtp:02", part22); -var part23 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); +var part23 = match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); -var part24 = // "Pattern{Constant('Ok '), Field(fld9,true), Constant(' '), Field(fld10,true), Constant(' - gsmtp #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); +var part24 = match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); -var part25 = // "Pattern{Constant('Ok: queued as '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); +var part25 = match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); -var part26 = // "Pattern{Constant('ok '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); +var part26 = match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); -var part27 = // "Pattern{Constant('Ok ('), Field(fld9,false), Constant(') #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); +var part27 = match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); -var part28 = // "Pattern{Constant('OK '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); +var part28 = match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); -var part29 = // "Pattern{Field(fld9,true), Constant(' #to#'), Field(p0,false)}" -match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); +var part29 = match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); var select8 = linear_select([ part24, @@ -579,8 +544,7 @@ var select8 = linear_select([ part29, ]); -var part30 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); +var part30 = match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); var all7 = all_match({ processors: [ @@ -600,8 +564,7 @@ var all7 = all_match({ var msg9 = msg("000010", all7); -var part31 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' connect to '), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ +var part31 = match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -612,8 +575,7 @@ match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} var msg10 = msg("000011", part31); -var part32 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(fld7,true), Constant(' ['), Field(ddomain,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ +var part32 = match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -624,8 +586,7 @@ match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id-> var msg11 = msg("000012", part32); -var part33 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' <<'), Field(from,false), Constant('>: '), Field(event_description,false)}" -match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ +var part33 = match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -636,8 +597,7 @@ match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id-> var msg12 = msg("000013", part33); -var part34 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld8,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ +var part34 = match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ dup13, dup4, dup14, @@ -661,8 +621,7 @@ var select9 = linear_select([ msg13, ]); -var part35 = // "Pattern{Constant('scan['), Field(fld14,false), Constant(']: '), Field(username,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld8,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); +var part35 = match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); var all8 = all_match({ processors: [ @@ -683,8 +642,7 @@ var all8 = all_match({ var msg14 = msg("000003", all8); -var part36 = // "Pattern{Constant('scan: '), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld8,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); +var part36 = match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); var all9 = all_match({ processors: [ @@ -710,16 +668,14 @@ var select10 = linear_select([ msg15, ]); -var part37 = // "Pattern{Constant('web: Ret Policy Summary (Del:'), Field(fld1,true), Constant(' Kept:'), Field(fld2,false), Constant(')')}" -match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ +var part37 = match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ dup17, dup4, ])); var msg16 = msg("000004", part37); -var part38 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] FAILED_LOGIN ('), Field(username,false), Constant(')')}" -match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ +var part38 = match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ setc("eventcategory","1401030000"), dup18, dup19, @@ -731,16 +687,14 @@ match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{ var msg17 = msg("000005", part38); -var part39 = // "Pattern{Constant('web: Retention violating accounts: '), Field(fld1,true), Constant(' total')}" -match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ +var part39 = match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ setc("eventcategory","1605000000"), dup4, ])); var msg18 = msg("000006", part39); -var part40 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] global CHANGE '), Field(category,true), Constant(' ('), Field(info,false), Constant(')')}" -match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ +var part40 = match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ dup17, dup4, setc("action","CHANGE"), @@ -748,8 +702,7 @@ match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{ var msg19 = msg("000007", part40); -var part41 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] LOGOUT ('), Field(username,false), Constant(')')}" -match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ +var part41 = match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ setc("eventcategory","1401070000"), dup18, setc("ec_activity","Logoff"), @@ -760,8 +713,7 @@ match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{userna var msg20 = msg("000029", part41); -var part42 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] LOGIN ('), Field(username,false), Constant(')')}" -match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ +var part42 = match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ setc("eventcategory","1401060000"), dup18, dup19, @@ -781,8 +733,7 @@ var select11 = linear_select([ msg21, ]); -var part43 = // "Pattern{Constant('notify/smtp['), Field(fld14,false), Constant(']: '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(bytes,true), Constant(' '), Field(version,true), Constant(' '), Field(from,true), Constant(' '), Field(info,false)}" -match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ +var part43 = match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ dup13, dup4, dup32, @@ -792,8 +743,7 @@ match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr-> var msg22 = msg("000008", part43); -var part44 = // "Pattern{Constant('reports: REPORTS ('), Field(process,false), Constant(') queued as '), Field(fld1,false)}" -match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ +var part44 = match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ dup16, dup4, setc("event_description","report queued"), @@ -813,14 +763,11 @@ var chain1 = processor_chain([ }), ]); -var part45 = // "Pattern{Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" -match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); +var part45 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); -var part46 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); +var part46 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); -var part47 = // "Pattern{Constant('SZ:'), Field(fld9,true), Constant(' SUBJ:'), Field(subject,false)}" -match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); +var part47 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); var select12 = linear_select([ dup1, diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml index d21d421ce0f..d22d9a65eaf 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml @@ -40,10 +40,14 @@ processors: - message - host ignore_missing: true -- set: - field: '@timestamp' - value: '{{syslog5424_ts}}' - if: ctx.checkpoint?.time == null +- rename: + field: "@timestamp" + target_field: "event.created" + ignore_missing: true +- date: + field: "syslog5424_ts" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time == null" - set: field: event.module value: checkpoint @@ -578,10 +582,10 @@ processors: field: checkpoint.industry_reference target_field: vulnerability.id ignore_missing: true -- rename: - field: checkpoint.time - target_field: '@timestamp' - ignore_missing: true +- date: + field: "checkpoint.time" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time != null" - rename: field: checkpoint.message target_field: message @@ -795,6 +799,7 @@ processors: - checkpoint.xlatesrc - checkpoint.xlatedst - checkpoint.uid + - checkpoint.time - syslog5424_ts ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json index 72aede80ce5..fd07aa51eca 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2020-03-29T13:19:20Z", + "@timestamp": "2020-03-29T13:19:20.000Z", "checkpoint.sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -27,7 +27,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:20Z", + "@timestamp": "2020-03-29T13:19:20.000Z", "checkpoint.sys_message": "The eth1 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -54,7 +54,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:21Z", + "@timestamp": "2020-03-29T13:19:21.000Z", "checkpoint.sys_message": "installed Standard", "event.category": [ "network" @@ -81,7 +81,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -135,7 +135,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -202,7 +202,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -256,7 +256,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -320,7 +320,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -374,7 +374,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -438,7 +438,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -492,7 +492,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -556,7 +556,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -610,7 +610,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -674,7 +674,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -728,7 +728,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -792,7 +792,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -846,7 +846,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -910,7 +910,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -964,7 +964,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1028,7 +1028,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1082,7 +1082,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1146,7 +1146,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1200,7 +1200,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1264,7 +1264,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1318,7 +1318,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1382,7 +1382,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1436,7 +1436,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1500,7 +1500,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1554,7 +1554,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1618,7 +1618,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1672,7 +1672,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1736,7 +1736,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1790,7 +1790,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1854,7 +1854,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -1908,7 +1908,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -1972,7 +1972,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2026,7 +2026,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2090,7 +2090,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2144,7 +2144,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:22Z", + "@timestamp": "2020-03-29T13:19:22.000Z", "checkpoint.additional_info": "Access Control Policy : Standard", "checkpoint.audit_status": "Success", "checkpoint.machine": "192.168.1.117", @@ -2192,7 +2192,7 @@ ] }, { - "@timestamp": "2020-03-29T13:19:23Z", + "@timestamp": "2020-03-29T13:19:23.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2256,7 +2256,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:26Z", + "@timestamp": "2020-03-29T13:20:26.000Z", "checkpoint.blade_name": "Anti Bot & Anti Virus", "checkpoint.information": "policy installation for blade Anti Bot & Anti Virus completed successfully", "event.category": [ @@ -2283,7 +2283,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2350,7 +2350,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2404,7 +2404,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2458,7 +2458,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2512,7 +2512,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2576,7 +2576,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2630,7 +2630,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2694,7 +2694,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2748,7 +2748,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2812,7 +2812,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2866,7 +2866,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -2930,7 +2930,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -2984,7 +2984,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3048,7 +3048,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3102,7 +3102,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3166,7 +3166,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:28Z", + "@timestamp": "2020-03-29T13:20:28.000Z", "checkpoint.additional_info": "Threat Prevention Policy : Standard", "checkpoint.audit_status": "Success", "checkpoint.machine": "192.168.1.117", @@ -3214,7 +3214,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3268,7 +3268,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3332,7 +3332,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3386,7 +3386,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:29Z", + "@timestamp": "2020-03-29T13:20:29.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3450,7 +3450,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3504,7 +3504,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3568,7 +3568,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3622,7 +3622,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3686,7 +3686,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3740,7 +3740,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:30Z", + "@timestamp": "2020-03-29T13:20:30.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3804,7 +3804,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -3868,7 +3868,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3922,7 +3922,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -3976,7 +3976,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4040,7 +4040,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4094,7 +4094,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:31Z", + "@timestamp": "2020-03-29T13:20:31.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4158,7 +4158,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:46Z", + "@timestamp": "2020-03-29T13:20:46.000Z", "checkpoint.sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -4185,7 +4185,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:46Z", + "@timestamp": "2020-03-29T13:20:46.000Z", "checkpoint.sys_message": "The eth1 interface is not protected by the anti-spoofing feature. Your network may be at risk", "event.category": [ "network" @@ -4212,7 +4212,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:46Z", + "@timestamp": "2020-03-29T13:20:46.000Z", "checkpoint.sys_message": "installed Standard", "event.category": [ "network" @@ -4239,7 +4239,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4306,7 +4306,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4360,7 +4360,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4414,7 +4414,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4478,7 +4478,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4532,7 +4532,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4596,7 +4596,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4650,7 +4650,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4714,7 +4714,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4768,7 +4768,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:47Z", + "@timestamp": "2020-03-29T13:20:47.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4832,7 +4832,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -4886,7 +4886,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -4950,7 +4950,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5004,7 +5004,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5068,7 +5068,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5122,7 +5122,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5186,7 +5186,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5240,7 +5240,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5304,7 +5304,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5358,7 +5358,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5422,7 +5422,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5476,7 +5476,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:48Z", + "@timestamp": "2020-03-29T13:20:48.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", @@ -5540,7 +5540,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:49Z", + "@timestamp": "2020-03-29T13:20:49.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.parent_rule": "0", @@ -5594,7 +5594,7 @@ ] }, { - "@timestamp": "2020-03-29T13:20:49Z", + "@timestamp": "2020-03-29T13:20:49.000Z", "checkpoint.logid": "0", "checkpoint.match_id": "1", "checkpoint.nat_addtnl_rulenum": "0", diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log new file mode 100644 index 00000000000..c2a7b014e15 --- /dev/null +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log @@ -0,0 +1 @@ +<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"] diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json new file mode 100644 index 00000000000..7df3da49b7b --- /dev/null +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint_with_time.log-expected.json @@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2020-07-13T13:29:14.000Z", + "checkpoint.logid": "0", + "checkpoint.match_id": "1", + "checkpoint.parent_rule": "0", + "checkpoint.rule_action": "Accept", + "client.ip": "192.168.1.100", + "client.port": 43103, + "destination.ip": "192.168.1.153", + "destination.port": 514, + "event.action": "Accept", + "event.category": [ + "network" + ], + "event.dataset": "checkpoint.firewall", + "event.id": "{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}", + "event.kind": "event", + "event.module": "checkpoint", + "event.outcome": "success", + "event.sequence": 1, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 0, + "network.application": "syslog", + "network.direction": "outbound", + "network.iana_number": "17", + "network.name": "Network", + "observer.egress.interface.name": "eth0", + "observer.egress.zone": "External", + "observer.ingress.zone": "Local", + "observer.name": "192.168.1.100", + "observer.product": "VPN-1 & FireWall-1", + "observer.type": "firewall", + "observer.vendor": "Checkpoint", + "related.ip": [ + "192.168.1.100", + "192.168.1.153" + ], + "rule.uuid": "1fde807b-6300-4b1a-914f-f1c1f3e2e7d2", + "server.ip": "192.168.1.153", + "server.port": 514, + "service.type": "checkpoint", + "source.ip": "192.168.1.100", + "source.port": 43103, + "tags": [ + "checkpoint-firewall", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/meraki/config/pipeline.js b/x-pack/filebeat/module/cisco/meraki/config/pipeline.js index 45a7b628d63..53a05ad2527 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/pipeline.js +++ b/x-pack/filebeat/module/cisco/meraki/config/pipeline.js @@ -29,8 +29,7 @@ var map_actionType = { }, }; -var dup1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); +var dup1 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); var dup2 = call({ dest: "nwparser.payload", @@ -52,8 +51,7 @@ var dup3 = call({ ], }); -var dup4 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); +var dup4 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); var dup5 = setc("eventcategory","1605020000"); @@ -71,20 +69,15 @@ var dup9 = date_time({ ], }); -var dup10 = // "Pattern{}" -match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); +var dup10 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); -var dup11 = // "Pattern{Constant('dhost='), Field(dmacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); +var dup11 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); -var dup12 = // "Pattern{Constant('shost='), Field(smacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); +var dup12 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); -var dup13 = // "Pattern{Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); +var dup13 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); -var dup14 = // "Pattern{Field(signame,false)}" -match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); +var dup14 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); var dup15 = setc("eventcategory","1607000000"); @@ -102,13 +95,11 @@ var dup18 = setc("event_type","security_event"); var dup19 = constant("Allow"); -var dup20 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" -match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ +var dup20 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ dup2, ])); -var dup21 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ +var dup21 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ dup3, ])); @@ -122,8 +113,7 @@ var dup23 = linear_select([ dup21, ]); -var part1 = // "Pattern{Constant('urls '), Field(p0,false)}" -match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); +var part1 = match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); var all1 = all_match({ processors: [ @@ -137,19 +127,16 @@ var all1 = all_match({ ]), }); -var part2 = // "Pattern{Field(node,false), Constant('_appliance events '), Field(p0,false)}" -match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); +var part2 = match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); -var part3 = // "Pattern{Field(node,true), Constant(' events '), Field(p0,false)}" -match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); +var part3 = match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); var select1 = linear_select([ part2, part3, ]); -var part4 = // "Pattern{Field(payload,false)}" -match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); +var part4 = match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); var all2 = all_match({ processors: [ @@ -163,8 +150,7 @@ var all2 = all_match({ ]), }); -var part5 = // "Pattern{Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); +var part5 = match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); var all3 = all_match({ processors: [ @@ -177,19 +163,16 @@ var all3 = all_match({ ]), }); -var part6 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" -match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); +var part6 = match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); -var part7 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); +var part7 = match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); var select2 = linear_select([ part6, part7, ]); -var part8 = // "Pattern{Field(,true), Constant(' '), Field(hfld5,true), Constant(' '), Field(hfld6,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ +var part8 = match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ call({ dest: "nwparser.payload", fn: STRCAT, @@ -214,8 +197,7 @@ var all4 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(hfld4,false), Constant('_'), Field(space,true), Constant(' '), Field(messageid,true), Constant(' '), Field(payload,false)}" -match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ setc("header_id","0004"), ])); @@ -227,36 +209,29 @@ var select3 = linear_select([ hdr1, ]); -var part9 = // "Pattern{Field(node,false), Constant('_appliance '), Field(p0,false)}" -match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); +var part9 = match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); -var part10 = // "Pattern{Field(node,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); +var part10 = match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); var select4 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Constant('flows src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); +var part11 = match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); -var part12 = // "Pattern{Constant('mac='), Field(dmacaddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); +var part12 = match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); var select5 = linear_select([ part12, dup4, ]); -var part13 = // "Pattern{Constant('protocol='), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); +var part13 = match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); -var part14 = // "Pattern{Constant('sport='), Field(sport,true), Constant(' dport='), Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); +var part14 = match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); -var part15 = // "Pattern{Constant('type='), Field(event_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); +var part15 = match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); var select6 = linear_select([ part14, @@ -264,8 +239,7 @@ var select6 = linear_select([ dup4, ]); -var part16 = // "Pattern{Constant('pattern: '), Field(fld21,true), Constant(' '), Field(info,false)}" -match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); +var part16 = match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); var all5 = all_match({ processors: [ @@ -292,14 +266,11 @@ var all5 = all_match({ var msg1 = msg("flows", all5); -var part17 = // "Pattern{Field(node,true), Constant(' flows '), Field(action,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' mac='), Field(smacaddr,true), Constant(' protocol='), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); +var part17 = match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); -var part18 = // "Pattern{Constant('sport='), Field(sport,true), Constant(' dport='), Field(dport,true), Constant(' ')}" -match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); +var part18 = match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); -var part19 = // "Pattern{Constant('type='), Field(event_type,true), Constant(' ')}" -match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); +var part19 = match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); var select7 = linear_select([ part18, @@ -323,8 +294,7 @@ var all6 = all_match({ var msg2 = msg("flows:01", all6); -var part20 = // "Pattern{Field(node,true), Constant(' flows '), Field(action,false)}" -match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ +var part20 = match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ dup5, dup6, dup7, @@ -340,14 +310,11 @@ var select8 = linear_select([ msg3, ]); -var part21 = // "Pattern{Field(node,false), Constant('_appliance urls src='), Field(p0,false)}" -match("MESSAGE#3:urls/0_0", "nwparser.payload", "%{node}_appliance urls src=%{p0}"); +var part21 = match("MESSAGE#3:urls/0_0", "nwparser.payload", "%{node}_appliance urls src=%{p0}"); -var part22 = // "Pattern{Field(node,true), Constant(' urls src='), Field(p0,false)}" -match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); +var part22 = match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); -var part23 = // "Pattern{Constant('src='), Field(p0,false)}" -match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); +var part23 = match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); var select9 = linear_select([ part21, @@ -355,17 +322,13 @@ var select9 = linear_select([ part23, ]); -var part24 = // "Pattern{Field(sport,false), Constant(':'), Field(saddr,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' mac='), Field(macaddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); +var part24 = match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); -var part25 = // "Pattern{Constant('agent=''), Field(user_agent,false), Constant('' request: '), Field(p0,false)}" -match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); +var part25 = match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); -var part26 = // "Pattern{Constant('agent='), Field(user_agent,true), Constant(' request: '), Field(p0,false)}" -match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); +var part26 = match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); -var part27 = // "Pattern{Constant('request: '), Field(p0,false)}" -match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); +var part27 = match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); var select10 = linear_select([ part25, @@ -373,8 +336,7 @@ var select10 = linear_select([ part27, ]); -var part28 = // "Pattern{Field(,true), Constant(' '), Field(web_method,false), Constant(''), Field(url,false)}" -match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); +var part28 = match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); var all7 = all_match({ processors: [ @@ -394,22 +356,18 @@ var all7 = all_match({ var msg4 = msg("urls", all7); -var part29 = // "Pattern{Constant('dhcp lease of ip '), Field(saddr,true), Constant(' from server mac '), Field(smacaddr,true), Constant(' for client mac '), Field(p0,false)}" -match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); +var part29 = match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); -var part30 = // "Pattern{Field(dmacaddr,true), Constant(' with hostname '), Field(hostname,true), Constant(' from router '), Field(p0,false)}" -match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); +var part30 = match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); -var part31 = // "Pattern{Field(dmacaddr,true), Constant(' from router '), Field(p0,false)}" -match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); +var part31 = match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); var select11 = linear_select([ part30, part31, ]); -var part32 = // "Pattern{Field(hostip,true), Constant(' on subnet '), Field(mask,true), Constant(' with dns '), Field(dns_a_record,false)}" -match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); +var part32 = match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); var all8 = all_match({ processors: [ @@ -428,11 +386,9 @@ var all8 = all_match({ var msg5 = msg("events", all8); -var part33 = // "Pattern{Constant('content_filtering_block url=''), Field(url,false), Constant('' category0=''), Field(category,false), Constant('' server=''), Field(daddr,false), Constant(':'), Field(dport,false), Constant('''), Field(p0,false)}" -match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); +var part33 = match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); -var part34 = // "Pattern{Constant(' client_mac=''), Field(dmacaddr,false), Constant(''')}" -match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); +var part34 = match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); var select12 = linear_select([ part34, @@ -502,8 +458,7 @@ var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { var msg7 = msg("events:01", part35); -var part36 = // "Pattern{Constant('IDS: '), Field(info,false)}" -match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ +var part36 = match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ dup5, dup6, setc("event_description","events IDS"), @@ -513,22 +468,18 @@ match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain var msg8 = msg("events:03", part36); -var part37 = // "Pattern{Constant('dhcp '), Field(p0,false)}" -match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); +var part37 = match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); -var part38 = // "Pattern{Constant('no offers'), Field(p0,false)}" -match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); +var part38 = match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); -var part39 = // "Pattern{Constant('release'), Field(p0,false)}" -match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); +var part39 = match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); var select13 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Field(,false), Constant('for mac '), Field(macaddr,false)}" -match("MESSAGE#8:events:04/2", "nwparser.p0", "%{}for mac %{macaddr}"); +var part40 = match("MESSAGE#8:events:04/2", "nwparser.p0", "%{}for mac %{macaddr}"); var all10 = all_match({ processors: [ @@ -547,8 +498,7 @@ var all10 = all_match({ var msg9 = msg("events:04", all10); -var part41 = // "Pattern{Constant('MAC '), Field(macaddr,true), Constant(' and MAC '), Field(macaddr,true), Constant(' both claim IP: '), Field(saddr,false)}" -match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ +var part41 = match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ dup5, dup6, setc("event_description"," events MAC"), @@ -567,14 +517,11 @@ var select14 = linear_select([ msg10, ]); -var part42 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); +var part42 = match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); -var part43 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' message: '), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); +var part43 = match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); -var part44 = // "Pattern{Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' message: '), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); +var part44 = match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); var select15 = linear_select([ part43, @@ -600,8 +547,7 @@ var all11 = all_match({ var msg11 = msg("ids-alerts:01", all11); -var part45 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,false), Constant('direction='), Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ +var part45 = match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ dup15, dup6, dup16, @@ -611,8 +557,7 @@ match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts sign var msg12 = msg("ids-alerts:03", part45); -var part46 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,false), Constant('protocol='), Field(protocol,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,false), Constant('message: '), Field(signame,false)}" -match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ +var part46 = match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ dup15, dup6, dup16, @@ -628,8 +573,7 @@ var select16 = linear_select([ msg13, ]); -var part47 = // "Pattern{Field(node,false), Constant('security_event '), Field(event_description,true), Constant(' url='), Field(url,true), Constant(' src='), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' mac='), Field(smacaddr,true), Constant(' name='), Field(fld10,true), Constant(' sha256='), Field(fld11,true), Constant(' disposition='), Field(disposition,true), Constant(' action='), Field(action,false)}" -match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ +var part47 = match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ dup5, dup6, dup18, @@ -639,14 +583,11 @@ match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{ var msg14 = msg("security_event", part47); -var part48 = // "Pattern{Field(node,true), Constant(' security_event '), Field(event_description,true), Constant(' signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); +var part48 = match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); -var part49 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' message:'), Field(p0,false)}" -match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); +var part49 = match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); -var part50 = // "Pattern{Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' message:'), Field(p0,false)}" -match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); +var part50 = match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); var select17 = linear_select([ part49, @@ -688,34 +629,25 @@ var chain1 = processor_chain([ }), ]); -var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); +var hdr2 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); -var part51 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); +var part51 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); -var part52 = // "Pattern{}" -match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); +var part52 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); -var part53 = // "Pattern{Constant('dhost='), Field(dmacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); +var part53 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); -var part54 = // "Pattern{Constant('shost='), Field(smacaddr,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); +var part54 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); -var part55 = // "Pattern{Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); +var part55 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); -var part56 = // "Pattern{Field(signame,false)}" -match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); +var part56 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); -var part57 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" -match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ +var part57 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ dup2, ])); -var part58 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ +var part58 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ dup3, ])); diff --git a/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js b/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js index 0da0631e21e..55f1931192c 100644 --- a/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js +++ b/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js @@ -77,14 +77,11 @@ var dup12 = setc("eventcategory","1201000000"); var dup13 = setc("event_description","AppFw Buffer Overflow violation in URL"); -var dup14 = // "Pattern{Field(saddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); +var dup14 = match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); -var dup15 = // "Pattern{Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); +var dup15 = match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); -var dup16 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); +var dup16 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); var dup17 = setc("event_description","AppFw SQL Injection violation"); @@ -92,25 +89,19 @@ var dup18 = setc("event_description","AppFw Request error. Generated 400 Respons var dup19 = setc("severity","Warning"); -var dup20 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); +var dup20 = match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); -var dup21 = // "Pattern{Constant('HASTATE '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); +var dup21 = match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); -var dup22 = // "Pattern{Field(network_service,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); +var dup22 = match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); -var dup23 = // "Pattern{Field(info,false), Constant('"')}" -match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); +var dup23 = match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); var dup24 = setc("event_description","Routing details"); -var dup25 = // "Pattern{Constant('for '), Field(dclass_counter1,false)}" -match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); +var dup25 = match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); -var dup26 = // "Pattern{Field(space,false)}" -match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); +var dup26 = match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); var dup27 = setc("ec_subject","Configuration"); @@ -120,14 +111,11 @@ var dup29 = setc("ec_theme","Configuration"); var dup30 = setc("ec_activity","Start"); -var dup31 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); +var dup31 = match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); -var dup32 = // "Pattern{Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); +var dup32 = match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); -var dup33 = // "Pattern{}" -match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); +var dup33 = match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); var dup34 = setc("ec_subject","Service"); @@ -140,14 +128,11 @@ var dup35 = date_time({ ], }); -var dup36 = // "Pattern{Field(obj_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); +var dup36 = match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); -var dup37 = // "Pattern{Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); +var dup37 = match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); -var dup38 = // "Pattern{Constant(''), Field(obj_name,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); +var dup38 = match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); var dup39 = setc("event_description","The monitor bound to the service is up"); @@ -155,11 +140,9 @@ var dup40 = setc("ec_subject","NetworkComm"); var dup41 = setc("severity","Debug"); -var dup42 = // "Pattern{Constant('" '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); +var dup42 = match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); -var dup43 = // "Pattern{Constant(''), Field(info,false), Constant('"')}" -match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); +var dup43 = match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); var dup44 = date_time({ dest: "starttime", @@ -171,16 +154,13 @@ var dup44 = date_time({ var dup45 = setc("event_description","Process"); -var dup46 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); +var dup46 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); var dup47 = setc("event_description","SNMP TRAP SENT"); -var dup48 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); +var dup48 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); -var dup49 = // "Pattern{Constant('ClientIP '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); +var dup49 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); var dup50 = date_time({ dest: "event_time", @@ -193,23 +173,17 @@ var dup50 = date_time({ var dup51 = setc("ec_activity","Request"); -var dup52 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); +var dup52 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); -var dup53 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); +var dup53 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); -var dup54 = // "Pattern{Field(fld10,true), Constant(' - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); +var dup54 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); -var dup55 = // "Pattern{Constant('" '), Field(fld11,true), Constant(' GMT" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); +var dup55 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); -var dup56 = // "Pattern{Constant('" '), Field(fld11,false), Constant('" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); +var dup56 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); -var dup57 = // "Pattern{Field(fld11,true), Constant(' - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); +var dup57 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); var dup58 = setc("event_description","ICA connection related information for a connection belonging to a SSLVPN session"); @@ -233,61 +207,45 @@ var dup62 = date_time({ ], }); -var dup63 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); +var dup63 = match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); -var dup64 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); +var dup64 = match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); -var dup65 = // "Pattern{Constant('User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); +var dup65 = match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); -var dup66 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); +var dup66 = match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); -var dup67 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); +var dup67 = match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); -var dup68 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); +var dup68 = match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); var dup69 = setc("eventcategory","1401060000"); -var dup70 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); +var dup70 = match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); var dup71 = setc("eventcategory","1401070000"); var dup72 = setc("ec_activity","Logoff"); -var dup73 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(username,true), Constant(' - Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); +var dup73 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); -var dup74 = // "Pattern{Field(,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); +var dup74 = match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); -var dup75 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); +var dup75 = match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); -var dup76 = // "Pattern{Field(fld11,true), Constant(' GMT - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); +var dup76 = match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); -var dup77 = // "Pattern{Field(fld11,true), Constant(' - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); +var dup77 = match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); -var dup78 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); +var dup78 = match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); var dup79 = setc("event_description","A Server side and a Client side TCP connection is delinked"); -var dup80 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); +var dup80 = match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); -var dup81 = // "Pattern{Field(fld10,true), Constant(' GMT - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); +var dup81 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); -var dup82 = // "Pattern{Field(fld10,true), Constant(' - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); +var dup82 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); var dup83 = setc("event_description","TCP connection terminated"); @@ -317,27 +275,21 @@ var dup88 = setc("eventcategory","1401040000"); var dup89 = setc("event_description","CLI or GUI command executed in NetScaler"); -var dup90 = // "Pattern{Field(info,true), Constant(' "')}" -match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); +var dup90 = match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); var dup91 = setf("msg","$MSG"); var dup92 = setc("event_description","GUI command executed in NetScaler"); -var dup93 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); +var dup93 = match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); -var dup94 = // "Pattern{Constant('Sessionid '), Field(sessionid,true), Constant(' - User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); +var dup94 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); -var dup95 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); +var dup95 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); -var dup96 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); +var dup96 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); -var dup97 = // "Pattern{Field(daddr,true), Constant(' - Errmsg " '), Field(event_description,true), Constant(' "')}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); +var dup97 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); var dup98 = linear_select([ dup21, @@ -354,8 +306,7 @@ var dup100 = linear_select([ dup33, ]); -var dup101 = // "Pattern{Field(fld1,false), Constant(':UserLogin:'), Field(username,true), Constant(' - '), Field(event_description,true), Constant(' from client IP Address '), Field(saddr,false)}" -match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ +var dup101 = match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ dup5, dup4, ])); @@ -393,28 +344,24 @@ var dup107 = linear_select([ dup82, ]); -var dup108 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ +var dup108 = match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, dup4, ])); -var dup109 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var dup109 = match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup9, dup91, ])); -var dup110 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var dup110 = match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup11, dup91, ])); -var dup111 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ +var dup111 = match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ dup9, dup4, ])); @@ -450,34 +397,28 @@ var dup114 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(hfld2,false), Constant(':'), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} %{hfld2}:%{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} %{hfld2}:%{payload}", processor_chain([ setc("header_id","0001"), dup1, ])); -var hdr2 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' :'), Field(payload,false)}" -match("HEADER#1:0005", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} :%{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0005", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} :%{payload}", processor_chain([ setc("header_id","0005"), dup1, ])); -var hdr3 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(hfld2,true), Constant(' '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#2:0002/0", "message", "%{hdatetime->} %{hfld1->} : %{hfld2->} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); +var hdr3 = match("HEADER#2:0002/0", "message", "%{hdatetime->} %{hfld1->} : %{hfld2->} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); -var part1 = // "Pattern{Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#2:0002/1_0", "nwparser.p0", "%{hfld3->} %{p0}"); +var part1 = match("HEADER#2:0002/1_0", "nwparser.p0", "%{hfld3->} %{p0}"); -var part2 = // "Pattern{Field(p0,false)}" -match_copy("HEADER#2:0002/1_1", "nwparser.p0", "p0"); +var part2 = match_copy("HEADER#2:0002/1_1", "nwparser.p0", "p0"); var select1 = linear_select([ part1, part2, ]); -var part3 = // "Pattern{Constant(':'), Field(payload,false)}" -match("HEADER#2:0002/2", "nwparser.p0", ":%{payload}"); +var part3 = match("HEADER#2:0002/2", "nwparser.p0", ":%{payload}"); var all1 = all_match({ processors: [ @@ -491,8 +432,7 @@ var all1 = all_match({ ]), }); -var hdr4 = // "Pattern{Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ +var hdr4 = match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -505,8 +445,7 @@ match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ }), ])); -var hdr5 = // "Pattern{Constant('CEF:0|Citrix|'), Field(fld1,false), Constant('|'), Field(fld2,false), Constant('|'), Field(fld3,false), Constant('|'), Field(messageid,false), Constant('| '), Field(p0,false)}" -match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messageid}| %{p0}", processor_chain([ +var hdr5 = match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messageid}| %{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -525,8 +464,7 @@ match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messag }), ])); -var hdr6 = // "Pattern{Constant('CEF:0|Citrix|'), Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(hfld1,false), Constant('|'), Field(severity,false), Constant('| '), Field(payload,false)}" -match("HEADER#5:0006", "message", "CEF:0|Citrix|%{product}|%{version}|%{rule}|%{hfld1}|%{severity}| %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "CEF:0|Citrix|%{product}|%{version}|%{rule}|%{hfld1}|%{severity}| %{payload}", processor_chain([ setc("header_id","0006"), setc("messageid","CITRIX_TVM"), ])); @@ -540,11 +478,9 @@ var select2 = linear_select([ hdr6, ]); -var part4 = // "Pattern{Constant('Extracted_groups "'), Field(group,false), Constant('" ')}" -match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_0", "nwparser.payload", "Extracted_groups \"%{group}\" "); +var part4 = match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_0", "nwparser.payload", "Extracted_groups \"%{group}\" "); -var part5 = // "Pattern{Constant(' Extracted_groups "'), Field(group,false)}" -match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_1", "nwparser.payload", " Extracted_groups \"%{group}"); +var part5 = match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_1", "nwparser.payload", " Extracted_groups \"%{group}"); var select3 = linear_select([ part4, @@ -565,8 +501,7 @@ var all2 = all_match({ var msg1 = msg("AAA_EXTRACTED_GROUPS", all2); -var part6 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Failure_reason "'), Field(result,false), Constant('"')}" -match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Client_ip %{saddr->} - Failure_reason \"%{result}\"", processor_chain([ +var part6 = match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Client_ip %{saddr->} - Failure_reason \"%{result}\"", processor_chain([ dup5, setc("ec_subject","User"), dup6, @@ -579,8 +514,7 @@ match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Cl var msg2 = msg("AAA_LOGIN_FAILED", part6); -var part7 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' --> Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Protocol '), Field(protocol,true), Constant(' - TimeStamp '), Field(info,true), Constant(' - Hitcount '), Field(dclass_counter1,true), Constant(' - Hit Rule '), Field(rulename,true), Constant(' - Data '), Field(message_body,false)}" -match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport->} --> Destination %{daddr}:%{dport->} - Protocol %{protocol->} - TimeStamp %{info->} - Hitcount %{dclass_counter1->} - Hit Rule %{rulename->} - Data %{message_body}", processor_chain([ +var part7 = match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport->} --> Destination %{daddr}:%{dport->} - Protocol %{protocol->} - TimeStamp %{info->} - Hitcount %{dclass_counter1->} - Hit Rule %{rulename->} - Data %{message_body}", processor_chain([ dup9, setc("event_description","ACL_PKT_LOG"), dup10, @@ -589,8 +523,7 @@ match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport- var msg3 = msg("ACL_ACL_PKT_LOG", part7); -var part8 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ +var part8 = match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw Buffer Overflow violation in Cookie"), dup3, @@ -599,8 +532,7 @@ match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{sadd var msg4 = msg("APPFW_APPFW_BUFFEROVERFLOW_COOKIE", part8); -var part9 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ +var part9 = match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw Buffer Overflow violation in HTTP Headers"), dup3, @@ -609,8 +541,7 @@ match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr-> var msg5 = msg("APPFW_APPFW_BUFFEROVERFLOW_HDR", part9); -var part10 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ +var part10 = match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ dup12, dup13, dup3, @@ -619,8 +550,7 @@ match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr-> var msg6 = msg("APPFW_APPFW_BUFFEROVERFLOW_URL", part10); -var part11 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(info,false), Constant(': '), Field(url,false)}" -match("MESSAGE#137:APPFW_APPFW_BUFFEROVERFLOW_URL:01", "nwparser.payload", "%{saddr->} %{fld2->} %{info}: %{url}", processor_chain([ +var part11 = match("MESSAGE#137:APPFW_APPFW_BUFFEROVERFLOW_URL:01", "nwparser.payload", "%{saddr->} %{fld2->} %{info}: %{url}", processor_chain([ dup12, dup13, dup3, @@ -634,14 +564,11 @@ var select4 = linear_select([ msg7, ]); -var part12 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Cookie%{p0}"); +var part12 = match("MESSAGE#6:APPFW_APPFW_COOKIE/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Cookie%{p0}"); -var part13 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Cookie%{p0}"); +var part13 = match("MESSAGE#6:APPFW_APPFW_COOKIE/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Cookie%{p0}"); -var part14 = // "Pattern{Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/1_2", "nwparser.p0", "%{rule_group->} Cookie%{p0}"); +var part14 = match("MESSAGE#6:APPFW_APPFW_COOKIE/1_2", "nwparser.p0", "%{rule_group->} Cookie%{p0}"); var select5 = linear_select([ part12, @@ -649,8 +576,7 @@ var select5 = linear_select([ part14, ]); -var part15 = // "Pattern{Field(url,true), Constant(' validation failed for '), Field(fld3,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/2", "nwparser.p0", "%{url->} validation failed for %{fld3->} \u003c\u003c%{disposition}>"); +var part15 = match("MESSAGE#6:APPFW_APPFW_COOKIE/2", "nwparser.p0", "%{url->} validation failed for %{fld3->} \u003c\u003c%{disposition}>"); var all3 = all_match({ processors: [ @@ -668,11 +594,9 @@ var all3 = all_match({ var msg8 = msg("APPFW_APPFW_COOKIE", all3); -var part16 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Deny URL: '), Field(p0,false)}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Deny URL: %{p0}"); +var part16 = match("MESSAGE#7:APPFW_APPFW_DENYURL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Deny URL: %{p0}"); -var part17 = // "Pattern{Field(rule_group,true), Constant(' Disallow Deny URL: '), Field(p0,false)}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/1_1", "nwparser.p0", "%{rule_group->} Disallow Deny URL: %{p0}"); +var part17 = match("MESSAGE#7:APPFW_APPFW_DENYURL/1_1", "nwparser.p0", "%{rule_group->} Disallow Deny URL: %{p0}"); var select6 = linear_select([ part16, @@ -697,14 +621,11 @@ var all4 = all_match({ var msg9 = msg("APPFW_APPFW_DENYURL", all4); -var part18 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_0", "nwparser.p0", "%{fld1->} %{fld2->} %{rule_group->} Field consistency%{p0}"); +var part18 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_0", "nwparser.p0", "%{fld1->} %{fld2->} %{rule_group->} Field consistency%{p0}"); -var part19 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Field consistency%{p0}"); +var part19 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Field consistency%{p0}"); -var part20 = // "Pattern{Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_2", "nwparser.p0", "%{rule_group->} Field consistency%{p0}"); +var part20 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_2", "nwparser.p0", "%{rule_group->} Field consistency%{p0}"); var select7 = linear_select([ part18, @@ -728,19 +649,16 @@ var all5 = all_match({ var msg10 = msg("APPFW_APPFW_FIELDCONSISTENCY", all5); -var part21 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field'), Field(p0,false)}" -match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Field%{p0}"); +var part21 = match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Field%{p0}"); -var part22 = // "Pattern{Field(rule_group,true), Constant(' Field'), Field(p0,false)}" -match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_1", "nwparser.p0", "%{rule_group->} Field%{p0}"); +var part22 = match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_1", "nwparser.p0", "%{rule_group->} Field%{p0}"); var select8 = linear_select([ part21, part22, ]); -var part23 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' ="'), Field(fld4,false), Constant('" <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/2", "nwparser.p0", "%{url->} %{info->} =\"%{fld4}\" \u003c\u003c%{disposition}>"); +var part23 = match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/2", "nwparser.p0", "%{url->} %{info->} =\"%{fld4}\" \u003c\u003c%{disposition}>"); var all6 = all_match({ processors: [ @@ -758,11 +676,9 @@ var all6 = all_match({ var msg11 = msg("APPFW_APPFW_FIELDFORMAT", all6); -var part24 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' SQL'), Field(p0,false)}" -match("MESSAGE#10:APPFW_APPFW_SQL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} SQL%{p0}"); +var part24 = match("MESSAGE#10:APPFW_APPFW_SQL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} SQL%{p0}"); -var part25 = // "Pattern{Field(rule_group,true), Constant(' SQL'), Field(p0,false)}" -match("MESSAGE#10:APPFW_APPFW_SQL/1_1", "nwparser.p0", "%{rule_group->} SQL%{p0}"); +var part25 = match("MESSAGE#10:APPFW_APPFW_SQL/1_1", "nwparser.p0", "%{rule_group->} SQL%{p0}"); var select9 = linear_select([ part24, @@ -785,11 +701,9 @@ var all7 = all_match({ var msg12 = msg("APPFW_APPFW_SQL", all7); -var part26 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#11:APPFW_APPFW_SQL_1/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{p0}"); +var part26 = match("MESSAGE#11:APPFW_APPFW_SQL_1/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{p0}"); -var part27 = // "Pattern{Field(rule_group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#11:APPFW_APPFW_SQL_1/1_1", "nwparser.p0", "%{rule_group->} %{p0}"); +var part27 = match("MESSAGE#11:APPFW_APPFW_SQL_1/1_1", "nwparser.p0", "%{rule_group->} %{p0}"); var select10 = linear_select([ part26, @@ -817,19 +731,16 @@ var select11 = linear_select([ msg13, ]); -var part28 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Maximum no. '), Field(p0,false)}" -match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Maximum no. %{p0}"); +var part28 = match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Maximum no. %{p0}"); -var part29 = // "Pattern{Field(rule_group,true), Constant(' Maximum no. '), Field(p0,false)}" -match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_1", "nwparser.p0", "%{rule_group->} Maximum no. %{p0}"); +var part29 = match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_1", "nwparser.p0", "%{rule_group->} Maximum no. %{p0}"); var select12 = linear_select([ part28, part29, ]); -var part30 = // "Pattern{Field(url,true), Constant(' of potential credit card numbers seen <<'), Field(info,false), Constant('>')}" -match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/2", "nwparser.p0", "%{url->} of potential credit card numbers seen \u003c\u003c%{info}>"); +var part30 = match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/2", "nwparser.p0", "%{url->} of potential credit card numbers seen \u003c\u003c%{info}>"); var all9 = all_match({ processors: [ @@ -847,19 +758,16 @@ var all9 = all_match({ var msg14 = msg("APPFW_APPFW_SAFECOMMERCE", all9); -var part31 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Transformed ('), Field(info,false), Constant(') Maximum no. '), Field(p0,false)}" -match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{url->} Transformed (%{info}) Maximum no. %{p0}"); +var part31 = match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{url->} Transformed (%{info}) Maximum no. %{p0}"); -var part32 = // "Pattern{Field(rule_group,true), Constant(' '), Field(url,true), Constant(' ('), Field(info,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_1", "nwparser.p0", "%{rule_group->} %{url->} (%{info}) %{p0}"); +var part32 = match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_1", "nwparser.p0", "%{rule_group->} %{url->} (%{info}) %{p0}"); var select13 = linear_select([ part31, part32, ]); -var part33 = // "Pattern{Constant('potential credit card numbers seen in server response'), Field(,false)}" -match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/2", "nwparser.p0", "potential credit card numbers seen in server response%{}"); +var part33 = match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/2", "nwparser.p0", "potential credit card numbers seen in server response%{}"); var all10 = all_match({ processors: [ @@ -877,14 +785,11 @@ var all10 = all_match({ var msg15 = msg("APPFW_APPFW_SAFECOMMERCE_XFORM", all10); -var part34 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" -match("MESSAGE#14:APPFW_APPFW_STARTURL/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Disallow Illegal URL: %{p0}"); +var part34 = match("MESSAGE#14:APPFW_APPFW_STARTURL/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Disallow Illegal URL: %{p0}"); -var part35 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" -match("MESSAGE#14:APPFW_APPFW_STARTURL/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Illegal URL: %{p0}"); +var part35 = match("MESSAGE#14:APPFW_APPFW_STARTURL/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Illegal URL: %{p0}"); -var part36 = // "Pattern{Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" -match("MESSAGE#14:APPFW_APPFW_STARTURL/1_2", "nwparser.p0", "%{rule_group->} Disallow Illegal URL: %{p0}"); +var part36 = match("MESSAGE#14:APPFW_APPFW_STARTURL/1_2", "nwparser.p0", "%{rule_group->} Disallow Illegal URL: %{p0}"); var select14 = linear_select([ part34, @@ -908,19 +813,16 @@ var all11 = all_match({ var msg16 = msg("APPFW_APPFW_STARTURL", all11); -var part37 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Cross-site'), Field(p0,false)}" -match("MESSAGE#15:APPFW_APPFW_XSS/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Cross-site%{p0}"); +var part37 = match("MESSAGE#15:APPFW_APPFW_XSS/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Cross-site%{p0}"); -var part38 = // "Pattern{Field(rule_group,true), Constant(' Cross-site'), Field(p0,false)}" -match("MESSAGE#15:APPFW_APPFW_XSS/1_1", "nwparser.p0", "%{rule_group->} Cross-site%{p0}"); +var part38 = match("MESSAGE#15:APPFW_APPFW_XSS/1_1", "nwparser.p0", "%{rule_group->} Cross-site%{p0}"); var select15 = linear_select([ part37, part38, ]); -var part39 = // "Pattern{Field(url,true), Constant(' script '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#15:APPFW_APPFW_XSS/2", "nwparser.p0", "%{url->} script %{info->} \u003c\u003c%{disposition}>"); +var part39 = match("MESSAGE#15:APPFW_APPFW_XSS/2", "nwparser.p0", "%{url->} script %{info->} \u003c\u003c%{disposition}>"); var all12 = all_match({ processors: [ @@ -938,8 +840,7 @@ var all12 = all_match({ var msg17 = msg("APPFW_APPFW_XSS", all12); -var part40 = // "Pattern{Field(saddr,true), Constant(' "'), Field(info,false), Constant('"')}" -match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\"", processor_chain([ +var part40 = match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\"", processor_chain([ dup11, dup18, dup3, @@ -948,8 +849,7 @@ match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\ var msg18 = msg("APPFW_AF_400_RESP", part40); -var part41 = // "Pattern{Field(saddr,true), Constant(' '), Field(info,false)}" -match("MESSAGE#138:APPFW_AF_400_RESP:01", "nwparser.payload", "%{saddr->} %{info}", processor_chain([ +var part41 = match("MESSAGE#138:APPFW_AF_400_RESP:01", "nwparser.payload", "%{saddr->} %{info}", processor_chain([ dup11, dup18, dup3, @@ -963,8 +863,7 @@ var select16 = linear_select([ msg19, ]); -var part42 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld10,true), Constant(' Match found with Safe Object: '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld10->} Match found with Safe Object: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part42 = match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld10->} Match found with Safe Object: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw Safe Object"), dup3, @@ -973,8 +872,7 @@ match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld var msg20 = msg("APPFW_APPFW_SAFEOBJECT", part42); -var part43 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld10,true), Constant(' CSRF Tag validation failed: <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10->} CSRF Tag validation failed: \u003c\u003c%{disposition}>", processor_chain([ +var part43 = match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10->} CSRF Tag validation failed: \u003c\u003c%{disposition}>", processor_chain([ dup11, setc("event_description","AppFw CSRF Tag Validation Failed"), dup3, @@ -983,8 +881,7 @@ match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10 var msg21 = msg("APPFW_APPFW_CSRF_TAG", part43); -var part44 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(url,false)}" -match("MESSAGE#135:APPFW_APPFW_CSRF_TAG:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url}", processor_chain([ +var part44 = match("MESSAGE#135:APPFW_APPFW_CSRF_TAG:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url}", processor_chain([ dup9, dup3, dup4, @@ -997,8 +894,7 @@ var select17 = linear_select([ msg22, ]); -var part45 = // "Pattern{Constant('Memory allocation request for '), Field(bytes,true), Constant(' bytes failed. Call stack PCs: '), Field(fld1,false)}" -match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation request for %{bytes->} bytes failed. Call stack PCs: %{fld1}", processor_chain([ +var part45 = match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation request for %{bytes->} bytes failed. Call stack PCs: %{fld1}", processor_chain([ dup11, setc("event_description","Memory allocation request for some bytes failed"), dup19, @@ -1007,19 +903,16 @@ match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation r var msg23 = msg("APPFW_AF_MEMORY_ERR", part45); -var part46 = // "Pattern{Constant('Invalid rule id '), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/1_0", "nwparser.p0", "Invalid rule id %{p0}"); +var part46 = match("MESSAGE#20:APPFW_Message/1_0", "nwparser.p0", "Invalid rule id %{p0}"); -var part47 = // "Pattern{Constant('Duplicate rule id '), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/1_1", "nwparser.p0", "Duplicate rule id %{p0}"); +var part47 = match("MESSAGE#20:APPFW_Message/1_1", "nwparser.p0", "Duplicate rule id %{p0}"); var select18 = linear_select([ part46, part47, ]); -var part48 = // "Pattern{Field(fld1,false), Constant('"')}" -match("MESSAGE#20:APPFW_Message/2", "nwparser.p0", "%{fld1}\""); +var part48 = match("MESSAGE#20:APPFW_Message/2", "nwparser.p0", "%{fld1}\""); var all13 = all_match({ processors: [ @@ -1037,8 +930,7 @@ var all13 = all_match({ var msg24 = msg("APPFW_Message", all13); -var part49 = // "Pattern{Constant('"Setting default custom settings for profile '), Field(fld1,true), Constant(' ('), Field(fld2,false), Constant(')"')}" -match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default custom settings for profile %{fld1->} (%{fld2})\"", processor_chain([ +var part49 = match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default custom settings for profile %{fld1->} (%{fld2})\"", processor_chain([ dup9, setc("event_description","Setting default custom settings for profile"), dup19, @@ -1047,8 +939,7 @@ match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default cust var msg25 = msg("APPFW_Message:01", part49); -var part50 = // "Pattern{Constant('"Setting same CustomSettings( ) to profile. '), Field(fld2,false), Constant('"')}" -match("MESSAGE#22:APPFW_Message:02", "nwparser.payload", "\"Setting same CustomSettings( ) to profile. %{fld2}\"", processor_chain([ +var part50 = match("MESSAGE#22:APPFW_Message:02", "nwparser.payload", "\"Setting same CustomSettings( ) to profile. %{fld2}\"", processor_chain([ dup9, setc("event_description","Setting same CustomSettings( ) to profile."), dup4, @@ -1064,8 +955,7 @@ var select19 = linear_select([ var msg27 = msg("DR_HA_Message", dup113); -var part51 = // "Pattern{Field(process,true), Constant(' ended '), Field(p0,false)}" -match("MESSAGE#24:EVENT_ALERTENDED/0", "nwparser.payload", "%{process->} ended %{p0}"); +var part51 = match("MESSAGE#24:EVENT_ALERTENDED/0", "nwparser.payload", "%{process->} ended %{p0}"); var all14 = all_match({ processors: [ @@ -1082,8 +972,7 @@ var all14 = all_match({ var msg28 = msg("EVENT_ALERTENDED", all14); -var part52 = // "Pattern{Field(process,true), Constant(' started '), Field(p0,false)}" -match("MESSAGE#25:EVENT_ALERTSTARTED/0", "nwparser.payload", "%{process->} started %{p0}"); +var part52 = match("MESSAGE#25:EVENT_ALERTSTARTED/0", "nwparser.payload", "%{process->} started %{p0}"); var all15 = all_match({ processors: [ @@ -1100,8 +989,7 @@ var all15 = all_match({ var msg29 = msg("EVENT_ALERTSTARTED", all15); -var part53 = // "Pattern{Constant('CONFIG '), Field(info,false)}" -match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", processor_chain([ +var part53 = match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", processor_chain([ dup2, dup27, dup28, @@ -1113,8 +1001,7 @@ match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", proces var msg30 = msg("EVENT_CONFIGEND", part53); -var part54 = // "Pattern{Constant('CONFIG '), Field(info,false)}" -match("MESSAGE#27:EVENT_CONFIGSTART", "nwparser.payload", "CONFIG %{info}", processor_chain([ +var part54 = match("MESSAGE#27:EVENT_CONFIGSTART", "nwparser.payload", "CONFIG %{info}", processor_chain([ dup2, dup27, dup30, @@ -1143,8 +1030,7 @@ var all16 = all_match({ var msg32 = msg("EVENT_DEVICEDOWN", all16); -var part55 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" -match("MESSAGE#29:EVENT_DEVICEOFS", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ +var part55 = match("MESSAGE#29:EVENT_DEVICEOFS", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ dup11, dup34, dup28, @@ -1172,8 +1058,7 @@ var all17 = all_match({ var msg34 = msg("EVENT_DEVICEUP", all17); -var part56 = // "Pattern{Constant('"'), Field(obj_name,false), Constant('"')}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_1", "nwparser.p0", "\"%{obj_name}\""); +var part56 = match("MESSAGE#31:EVENT_MONITORDOWN/1_1", "nwparser.p0", "\"%{obj_name}\""); var select20 = linear_select([ dup37, @@ -1216,8 +1101,7 @@ var all19 = all_match({ var msg36 = msg("EVENT_MONITORUP", all19); -var part57 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" -match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ +var part57 = match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ dup2, dup39, dup3, @@ -1226,8 +1110,7 @@ match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_na var msg37 = msg("EVENT_NICRESET", part57); -var part58 = // "Pattern{Field(obj_type,true), Constant(' '), Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ +var part58 = match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ dup11, dup40, dup28, @@ -1238,8 +1121,7 @@ match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_nam var msg38 = msg("EVENT_ROUTEDOWN", part58); -var part59 = // "Pattern{Field(obj_type,true), Constant(' '), Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ +var part59 = match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ dup2, dup40, dup30, @@ -1250,8 +1132,7 @@ match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name- var msg39 = msg("EVENT_ROUTEUP", part59); -var part60 = // "Pattern{Constant('CPU_started '), Field(info,false)}" -match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", processor_chain([ +var part60 = match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", processor_chain([ dup2, setc("event_description","CPU Started"), dup3, @@ -1260,8 +1141,7 @@ match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", pr var msg40 = msg("EVENT_STARTCPU", part60); -var part61 = // "Pattern{Constant('SAVECONFIG '), Field(info,false)}" -match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info}", processor_chain([ +var part61 = match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info}", processor_chain([ dup2, setc("event_description","Save configuration started"), dup3, @@ -1270,8 +1150,7 @@ match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info var msg41 = msg("EVENT_STARTSAVECONFIG", part61); -var part62 = // "Pattern{Constant('System started - '), Field(info,false)}" -match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info}", processor_chain([ +var part62 = match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info}", processor_chain([ dup2, dup34, dup30, @@ -1282,8 +1161,7 @@ match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info} var msg42 = msg("EVENT_STARTSYS", part62); -var part63 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" -match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ +var part63 = match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ dup2, dup34, dup30, @@ -1294,8 +1172,7 @@ match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj var msg43 = msg("EVENT_STATECHANGE", part63); -var part64 = // "Pattern{Field(obj_type,true), Constant(' ('), Field(obj_name,false), Constant(') - '), Field(event_state,true), Constant(' '), Field(info,false)}" -match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type->} (%{obj_name}) - %{event_state->} %{info}", processor_chain([ +var part64 = match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type->} (%{obj_name}) - %{event_state->} %{info}", processor_chain([ dup2, setc("event_description","Heartbeat State report"), dup3, @@ -1304,8 +1181,7 @@ match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type- var msg44 = msg("EVENT_STATECHANGE_HEARTBEAT", part64); -var part65 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - '), Field(event_state,true), Constant(' '), Field(info,false)}" -match("MESSAGE#41:EVENT_STATECHANGE:01", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - %{event_state->} %{info}", processor_chain([ +var part65 = match("MESSAGE#41:EVENT_STATECHANGE:01", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - %{event_state->} %{info}", processor_chain([ dup2, dup4, ])); @@ -1318,8 +1194,7 @@ var select22 = linear_select([ msg45, ]); -var part66 = // "Pattern{Constant('SAVECONFIG'), Field(info,false)}" -match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}", processor_chain([ +var part66 = match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}", processor_chain([ dup2, dup27, dup28, @@ -1330,8 +1205,7 @@ match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}" var msg46 = msg("EVENT_STOPSAVECONFIG", part66); -var part67 = // "Pattern{Constant('System stopped - '), Field(info,false)}" -match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}", processor_chain([ +var part67 = match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}", processor_chain([ dup2, dup34, dup28, @@ -1342,8 +1216,7 @@ match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}" var msg47 = msg("EVENT_STOPSYS", part67); -var part68 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_chain([ +var part68 = match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_chain([ dup11, setc("event_description","Unknown Event"), dup3, @@ -1352,11 +1225,9 @@ match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_cha var msg48 = msg("EVENT_UNKNOWN", part68); -var part69 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' Adding '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Adding %{p0}"); +var part69 = match("MESSAGE#45:PITBOSS_Message1/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Adding %{p0}"); -var part70 = // "Pattern{Constant('Adding '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/1_1", "nwparser.p0", "Adding %{p0}"); +var part70 = match("MESSAGE#45:PITBOSS_Message1/1_1", "nwparser.p0", "Adding %{p0}"); var select23 = linear_select([ part69, @@ -1379,11 +1250,9 @@ var all20 = all_match({ var msg49 = msg("PITBOSS_Message1", all20); -var part71 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' Deleting '), Field(p0,false)}" -match("MESSAGE#46:PITBOSS_Message2/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Deleting %{p0}"); +var part71 = match("MESSAGE#46:PITBOSS_Message2/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Deleting %{p0}"); -var part72 = // "Pattern{Constant('Deleting '), Field(p0,false)}" -match("MESSAGE#46:PITBOSS_Message2/1_1", "nwparser.p0", "Deleting %{p0}"); +var part72 = match("MESSAGE#46:PITBOSS_Message2/1_1", "nwparser.p0", "Deleting %{p0}"); var select24 = linear_select([ part71, @@ -1406,17 +1275,13 @@ var all21 = all_match({ var msg50 = msg("PITBOSS_Message2", all21); -var part73 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/0", "nwparser.payload", "\"%{fld1->} %{fld10->} %{p0}"); +var part73 = match("MESSAGE#47:PITBOSS_Message3/0", "nwparser.payload", "\"%{fld1->} %{fld10->} %{p0}"); -var part74 = // "Pattern{Constant('Pitboss policy is'), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/1_0", "nwparser.p0", "Pitboss policy is%{p0}"); +var part74 = match("MESSAGE#47:PITBOSS_Message3/1_0", "nwparser.p0", "Pitboss policy is%{p0}"); -var part75 = // "Pattern{Constant('PB_OP_CHANGE_POLICY new policy'), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/1_1", "nwparser.p0", "PB_OP_CHANGE_POLICY new policy%{p0}"); +var part75 = match("MESSAGE#47:PITBOSS_Message3/1_1", "nwparser.p0", "PB_OP_CHANGE_POLICY new policy%{p0}"); -var part76 = // "Pattern{Constant('pb_op_longer_hb'), Field(p0,false)}" -match("MESSAGE#47:PITBOSS_Message3/1_2", "nwparser.p0", "pb_op_longer_hb%{p0}"); +var part76 = match("MESSAGE#47:PITBOSS_Message3/1_2", "nwparser.p0", "pb_op_longer_hb%{p0}"); var select25 = linear_select([ part74, @@ -1424,8 +1289,7 @@ var select25 = linear_select([ part76, ]); -var part77 = // "Pattern{Field(,true), Constant(' '), Field(info,false), Constant('"')}" -match("MESSAGE#47:PITBOSS_Message3/2", "nwparser.p0", "%{} %{info}\""); +var part77 = match("MESSAGE#47:PITBOSS_Message3/2", "nwparser.p0", "%{} %{info}\""); var all22 = all_match({ processors: [ @@ -1444,11 +1308,9 @@ var all22 = all_match({ var msg51 = msg("PITBOSS_Message3", all22); -var part78 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' process '), Field(p0,false)}" -match("MESSAGE#48:PITBOSS_Message4/1_0", "nwparser.p0", "%{fld1->} %{fld10->} process %{p0}"); +var part78 = match("MESSAGE#48:PITBOSS_Message4/1_0", "nwparser.p0", "%{fld1->} %{fld10->} process %{p0}"); -var part79 = // "Pattern{Constant('process '), Field(p0,false)}" -match("MESSAGE#48:PITBOSS_Message4/1_1", "nwparser.p0", "process %{p0}"); +var part79 = match("MESSAGE#48:PITBOSS_Message4/1_1", "nwparser.p0", "process %{p0}"); var select26 = linear_select([ part78, @@ -1472,11 +1334,9 @@ var all23 = all_match({ var msg52 = msg("PITBOSS_Message4", all23); -var part80 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' New '), Field(p0,false)}" -match("MESSAGE#49:PITBOSS_Message5/1_0", "nwparser.p0", "%{fld1->} %{fld10->} New %{p0}"); +var part80 = match("MESSAGE#49:PITBOSS_Message5/1_0", "nwparser.p0", "%{fld1->} %{fld10->} New %{p0}"); -var part81 = // "Pattern{Constant('New '), Field(p0,false)}" -match("MESSAGE#49:PITBOSS_Message5/1_1", "nwparser.p0", "New %{p0}"); +var part81 = match("MESSAGE#49:PITBOSS_Message5/1_1", "nwparser.p0", "New %{p0}"); var select27 = linear_select([ part80, @@ -1508,8 +1368,7 @@ var select28 = linear_select([ msg53, ]); -var part82 = // "Pattern{Constant('"IMI: '), Field(event_description,true), Constant(' : nodeID('), Field(fld1,false), Constant(') IP('), Field(saddr,false), Constant(') instance('), Field(fld2,false), Constant(') Configuration Coordinator('), Field(fld3,false), Constant(') Nodeset('), Field(fld4,false), Constant(')"')}" -match("MESSAGE#50:ROUTING_Message", "nwparser.payload", "\"IMI: %{event_description->} : nodeID(%{fld1}) IP(%{saddr}) instance(%{fld2}) Configuration Coordinator(%{fld3}) Nodeset(%{fld4})\"", processor_chain([ +var part82 = match("MESSAGE#50:ROUTING_Message", "nwparser.payload", "\"IMI: %{event_description->} : nodeID(%{fld1}) IP(%{saddr}) instance(%{fld2}) Configuration Coordinator(%{fld3}) Nodeset(%{fld4})\"", processor_chain([ dup9, dup4, ])); @@ -1518,8 +1377,7 @@ var msg54 = msg("ROUTING_Message", part82); var msg55 = msg("ROUTING_Message:01", dup113); -var part83 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' started"')}" -match("MESSAGE#52:ROUTING_Message:02", "nwparser.payload", "\"%{fld1->} started\"", processor_chain([ +var part83 = match("MESSAGE#52:ROUTING_Message:02", "nwparser.payload", "\"%{fld1->} started\"", processor_chain([ dup9, dup4, ])); @@ -1532,8 +1390,7 @@ var select29 = linear_select([ msg56, ]); -var part84 = // "Pattern{Field(obj_type,true), Constant(' Command "'), Field(action,false), Constant('" '), Field(info,false)}" -match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type->} Command \"%{action}\" %{info}", processor_chain([ +var part84 = match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type->} Command \"%{action}\" %{info}", processor_chain([ dup2, setc("event_description","User has executed a command in ZebOS(vtysh)"), dup3, @@ -1542,31 +1399,24 @@ match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type-> var msg57 = msg("ROUTING_ZEBOS_CMD_EXECUTED", part84); -var part85 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,false), Constant('entityName = "'), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/0", "nwparser.payload", "%{obj_type->} ( %{space}entityName = \"%{p0}"); +var part85 = match("MESSAGE#54:SNMP_TRAP_SENT7/0", "nwparser.payload", "%{obj_type->} ( %{space}entityName = \"%{p0}"); -var part86 = // "Pattern{Field(obj_name,false), Constant('('), Field(info,false), Constant('...",'), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/1_0", "nwparser.p0", "%{obj_name}(%{info}...\",%{p0}"); +var part86 = match("MESSAGE#54:SNMP_TRAP_SENT7/1_0", "nwparser.p0", "%{obj_name}(%{info}...\",%{p0}"); -var part87 = // "Pattern{Field(obj_name,false), Constant('...",'), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/1_1", "nwparser.p0", "%{obj_name}...\",%{p0}"); +var part87 = match("MESSAGE#54:SNMP_TRAP_SENT7/1_1", "nwparser.p0", "%{obj_name}...\",%{p0}"); var select30 = linear_select([ part86, part87, ]); -var part88 = // "Pattern{Field(,false), Constant('alarmEntityCurState = '), Field(event_state,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#54:SNMP_TRAP_SENT7/2", "nwparser.p0", "%{}alarmEntityCurState = %{event_state}, %{p0}"); +var part88 = match("MESSAGE#54:SNMP_TRAP_SENT7/2", "nwparser.p0", "%{}alarmEntityCurState = %{event_state}, %{p0}"); -var part89 = // "Pattern{Constant('svcServiceFullName.'), Field(fld2,true), Constant(' = "'), Field(service,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_0", "nwparser.p0", "svcServiceFullName.%{fld2->} = \"%{service}\", nsPartitionName = %{fld4})"); +var part89 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_0", "nwparser.p0", "svcServiceFullName.%{fld2->} = \"%{service}\", nsPartitionName = %{fld4})"); -var part90 = // "Pattern{Constant('vsvrFullName.'), Field(fld3,true), Constant(' = "'), Field(obj_server,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_1", "nwparser.p0", "vsvrFullName.%{fld3->} = \"%{obj_server}\", nsPartitionName = %{fld4})"); +var part90 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_1", "nwparser.p0", "vsvrFullName.%{fld3->} = \"%{obj_server}\", nsPartitionName = %{fld4})"); -var part91 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(fld6,true), Constant(' = "'), Field(fld7,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_2", "nwparser.p0", "svcGrpMemberFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld4})"); +var part91 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_2", "nwparser.p0", "svcGrpMemberFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld4})"); var select31 = linear_select([ part89, @@ -1592,8 +1442,7 @@ var all25 = all_match({ var msg58 = msg("SNMP_TRAP_SENT7", all25); -var part92 = // "Pattern{Field(obj_type,true), Constant(' ( entityName = "'), Field(obj_name,false), Constant('...", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name}...\", sysIpAddress = %{hostip})", processor_chain([ +var part92 = match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name}...\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup4, @@ -1601,8 +1450,7 @@ match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityN var msg59 = msg("SNMP_TRAP_SENT8", part92); -var part93 = // "Pattern{Field(obj_type,true), Constant(' ( haNicsMonitorFailed = '), Field(obj_name,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsMonitorFailed = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ +var part93 = match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsMonitorFailed = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup4, @@ -1610,8 +1458,7 @@ match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsM var msg60 = msg("SNMP_TRAP_SENT9", part93); -var part94 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,false), Constant('haPeerSystemState = "'), Field(event_state,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{space}haPeerSystemState = \"%{event_state}\", sysIpAddress = %{hostip})", processor_chain([ +var part94 = match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{space}haPeerSystemState = \"%{event_state}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1620,8 +1467,7 @@ match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{spac var msg61 = msg("SNMP_TRAP_SENT10", part94); -var part95 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthDiskName = "'), Field(obj_name,false), Constant('", sysHealthDiskPerusage = '), Field(fld2,false), Constant(', alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{obj_name}\", sysHealthDiskPerusage = %{fld2}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part95 = match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{obj_name}\", sysHealthDiskPerusage = %{fld2}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1630,8 +1476,7 @@ match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHea var msg62 = msg("SNMP_TRAP_SENT11", part95); -var part96 = // "Pattern{Field(obj_type,true), Constant(' ( vsvrName = "'), Field(dclass_counter1_string,false), Constant('", vsvrRequestRate = "'), Field(dclass_counter1,false), Constant('", alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', vsvrFullName = "'), Field(fld1,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrName = \"%{dclass_counter1_string}\", vsvrRequestRate = \"%{dclass_counter1}\", alarmHighThreshold = %{dclass_counter2}, vsvrFullName = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ +var part96 = match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrName = \"%{dclass_counter1_string}\", vsvrRequestRate = \"%{dclass_counter1}\", alarmHighThreshold = %{dclass_counter2}, vsvrFullName = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1640,8 +1485,7 @@ match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrNa var msg63 = msg("SNMP_TRAP_SENT12", part96); -var part97 = // "Pattern{Field(obj_type,true), Constant(' ( monServiceName = "'), Field(fld1,false), Constant('", monitorName = "'), Field(dclass_counter1_string,false), Constant('", responseTimeoutThreshold = '), Field(dclass_counter1,false), Constant(', alarmMonrespto = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monServiceName = \"%{fld1}\", monitorName = \"%{dclass_counter1_string}\", responseTimeoutThreshold = %{dclass_counter1}, alarmMonrespto = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part97 = match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monServiceName = \"%{fld1}\", monitorName = \"%{dclass_counter1_string}\", responseTimeoutThreshold = %{dclass_counter1}, alarmMonrespto = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1650,8 +1494,7 @@ match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monSer var msg64 = msg("SNMP_TRAP_SENT13", part97); -var part98 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmNormalThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part98 = match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1660,8 +1503,7 @@ match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHea var msg65 = msg("SNMP_TRAP_SENT14", part98); -var part99 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmLowThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmLowThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part99 = match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmLowThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1670,8 +1512,7 @@ match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHea var msg66 = msg("SNMP_TRAP_SENT15", part99); -var part100 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part100 = match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1680,8 +1521,7 @@ match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHea var msg67 = msg("SNMP_TRAP_SENT16", part100); -var part101 = // "Pattern{Field(obj_type,true), Constant(' ( alarmRateLmtThresholdExceeded = "'), Field(obj_name,false), Constant(': "'), Field(info,false), Constant('...", ipAddressGathered = "'), Field(fld1,false), Constant('", stringComputed = "'), Field(fld2,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmRateLmtThresholdExceeded = \"%{obj_name}: \"%{info}...\", ipAddressGathered = \"%{fld1}\", stringComputed = \"%{fld2}\", sysIpAddress = %{hostip})", processor_chain([ +var part101 = match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmRateLmtThresholdExceeded = \"%{obj_name}: \"%{info}...\", ipAddressGathered = \"%{fld1}\", stringComputed = \"%{fld2}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1690,22 +1530,18 @@ match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmR var msg68 = msg("SNMP_TRAP_SENT17", part101); -var part102 = // "Pattern{Field(obj_type,true), Constant(' ( entityName = "'), Field(obj_name,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#65:SNMP_TRAP_SENT/0", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name->} (%{p0}"); +var part102 = match("MESSAGE#65:SNMP_TRAP_SENT/0", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name->} (%{p0}"); -var part103 = // "Pattern{Field(info,false), Constant('..." '), Field(p0,false)}" -match("MESSAGE#65:SNMP_TRAP_SENT/1_0", "nwparser.p0", "%{info}...\" %{p0}"); +var part103 = match("MESSAGE#65:SNMP_TRAP_SENT/1_0", "nwparser.p0", "%{info}...\" %{p0}"); -var part104 = // "Pattern{Field(info,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#65:SNMP_TRAP_SENT/1_1", "nwparser.p0", "%{info}\" %{p0}"); +var part104 = match("MESSAGE#65:SNMP_TRAP_SENT/1_1", "nwparser.p0", "%{info}\" %{p0}"); var select32 = linear_select([ part103, part104, ]); -var part105 = // "Pattern{Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#65:SNMP_TRAP_SENT/2", "nwparser.p0", ", sysIpAddress = %{hostip})"); +var part105 = match("MESSAGE#65:SNMP_TRAP_SENT/2", "nwparser.p0", ", sysIpAddress = %{hostip})"); var all26 = all_match({ processors: [ @@ -1723,8 +1559,7 @@ var all26 = all_match({ var msg69 = msg("SNMP_TRAP_SENT", all26); -var part106 = // "Pattern{Field(obj_type,true), Constant(' ( appfwLogMsg = '), Field(obj_name,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLogMsg = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ +var part106 = match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLogMsg = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1733,37 +1568,28 @@ match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLo var msg70 = msg("SNMP_TRAP_SENT6", part106); -var part107 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/0", "nwparser.payload", "%{obj_type->} ( %{space->} %{p0}"); +var part107 = match("MESSAGE#67:SNMP_TRAP_SENT5/0", "nwparser.payload", "%{obj_type->} ( %{space->} %{p0}"); -var part108 = // "Pattern{Constant('partition id = '), Field(fld12,false), Constant(', nsUserName = "'), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/1_0", "nwparser.p0", "partition id = %{fld12}, nsUserName = \"%{p0}"); +var part108 = match("MESSAGE#67:SNMP_TRAP_SENT5/1_0", "nwparser.p0", "partition id = %{fld12}, nsUserName = \"%{p0}"); -var part109 = // "Pattern{Constant('nsUserName = "'), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/1_1", "nwparser.p0", "nsUserName = \"%{p0}"); +var part109 = match("MESSAGE#67:SNMP_TRAP_SENT5/1_1", "nwparser.p0", "nsUserName = \"%{p0}"); var select33 = linear_select([ part108, part109, ]); -var part110 = // "Pattern{Constant('",'), Field(username,true), Constant(' configurationCmd = "'), Field(action,false), Constant('", authorizationStatus = '), Field(event_state,false), Constant(', commandExecutionStatus = '), Field(disposition,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#67:SNMP_TRAP_SENT5/2", "nwparser.p0", "\",%{username->} configurationCmd = \"%{action}\", authorizationStatus = %{event_state}, commandExecutionStatus = %{disposition}, %{p0}"); +var part110 = match("MESSAGE#67:SNMP_TRAP_SENT5/2", "nwparser.p0", "\",%{username->} configurationCmd = \"%{action}\", authorizationStatus = %{event_state}, commandExecutionStatus = %{disposition}, %{p0}"); -var part111 = // "Pattern{Constant('commandFailureReason = "'), Field(result,false), Constant('", nsClientIPAddr = '), Field(saddr,false), Constant(', sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_0", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip})"); +var part111 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_0", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip})"); -var part112 = // "Pattern{Constant('commandFailureReason = "'), Field(result,false), Constant('", nsClientIPAddr = '), Field(saddr,false), Constant(', nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_1", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); +var part112 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_1", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); -var part113 = // "Pattern{Constant('nsClientIPAddr = '), Field(saddr,false), Constant(', nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_2", "nwparser.p0", "nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); +var part113 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_2", "nwparser.p0", "nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); -var part114 = // "Pattern{Constant('nsClientIPAddr = '), Field(saddr,false), Constant(', sysIpAddress ='), Field(hostip,true), Constant(' )')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_3", "nwparser.p0", "nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip->} )"); +var part114 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_3", "nwparser.p0", "nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip->} )"); -var part115 = // "Pattern{Constant('sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#67:SNMP_TRAP_SENT5/3_4", "nwparser.p0", "sysIpAddress =%{hostip})"); +var part115 = match("MESSAGE#67:SNMP_TRAP_SENT5/3_4", "nwparser.p0", "sysIpAddress =%{hostip})"); var select34 = linear_select([ part111, @@ -1790,8 +1616,7 @@ var all27 = all_match({ var msg71 = msg("SNMP_TRAP_SENT5", all27); -var part116 = // "Pattern{Field(obj_type,true), Constant(' ( nsUserName = "'), Field(username,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ +var part116 = match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, setf("obj_name","username"), @@ -1801,8 +1626,7 @@ match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserN var msg72 = msg("SNMP_TRAP_SENT1", part116); -var part117 = // "Pattern{Field(obj_type,true), Constant(' ( nsCPUusage = '), Field(dclass_counter1,false), Constant(', alarm '), Field(trigger_val,true), Constant(' = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUusage = %{dclass_counter1}, alarm %{trigger_val->} = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part117 = match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUusage = %{dclass_counter1}, alarm %{trigger_val->} = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1811,8 +1635,7 @@ match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUus var msg73 = msg("SNMP_TRAP_SENT2", part117); -var part118 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthDiskName = "'), Field(filename,false), Constant('", sysHealthDiskPerusage = '), Field(dclass_counter1,false), Constant(', alarmNormalThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{filename}\", sysHealthDiskPerusage = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ +var part118 = match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{filename}\", sysHealthDiskPerusage = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1821,8 +1644,7 @@ match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHeal var msg74 = msg("SNMP_TRAP_SENT3", part118); -var part119 = // "Pattern{Field(obj_type,true), Constant(' ( sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAddress = %{hostip})", processor_chain([ +var part119 = match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1831,8 +1653,7 @@ match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAd var msg75 = msg("SNMP_TRAP_SENT4", part119); -var part120 = // "Pattern{Field(obj_type,true), Constant(' (entityName = "'), Field(obj_name,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityName = \"%{obj_name}\", sysIpAddress = %{hostip})", processor_chain([ +var part120 = match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityName = \"%{obj_name}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup4, @@ -1840,8 +1661,7 @@ match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityN var msg76 = msg("SNMP_TRAP_SENT18", part120); -var part121 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,true), Constant(' nsUserName = "'), Field(username,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{space->} nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ +var part121 = match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{space->} nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -1850,28 +1670,22 @@ match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{spac var msg77 = msg("SNMP_TRAP_SENT19", part121); -var part122 = // "Pattern{Field(obj_type,true), Constant(' (partition id = '), Field(fld12,false), Constant(', entityName = "'), Field(p0,false)}" -match("MESSAGE#74:SNMP_TRAP_SENT21/0", "nwparser.payload", "%{obj_type->} (partition id = %{fld12}, entityName = \"%{p0}"); +var part122 = match("MESSAGE#74:SNMP_TRAP_SENT21/0", "nwparser.payload", "%{obj_type->} (partition id = %{fld12}, entityName = \"%{p0}"); -var part123 = // "Pattern{Field(obj_name,false), Constant('('), Field(fld4,false), Constant('...", '), Field(p0,false)}" -match("MESSAGE#74:SNMP_TRAP_SENT21/1_0", "nwparser.p0", "%{obj_name}(%{fld4}...\", %{p0}"); +var part123 = match("MESSAGE#74:SNMP_TRAP_SENT21/1_0", "nwparser.p0", "%{obj_name}(%{fld4}...\", %{p0}"); -var part124 = // "Pattern{Field(obj_name,false), Constant('...", '), Field(p0,false)}" -match("MESSAGE#74:SNMP_TRAP_SENT21/1_1", "nwparser.p0", "%{obj_name}...\", %{p0}"); +var part124 = match("MESSAGE#74:SNMP_TRAP_SENT21/1_1", "nwparser.p0", "%{obj_name}...\", %{p0}"); var select35 = linear_select([ part123, part124, ]); -var part125 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,true), Constant(' )')}" -match("MESSAGE#74:SNMP_TRAP_SENT21/2_0", "nwparser.p0", "svcGrpMemberFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); +var part125 = match("MESSAGE#74:SNMP_TRAP_SENT21/2_0", "nwparser.p0", "svcGrpMemberFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); -var part126 = // "Pattern{Constant('vsvrFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,true), Constant(' )')}" -match("MESSAGE#74:SNMP_TRAP_SENT21/2_1", "nwparser.p0", "vsvrFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); +var part126 = match("MESSAGE#74:SNMP_TRAP_SENT21/2_1", "nwparser.p0", "vsvrFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); -var part127 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,true), Constant(' )')}" -match("MESSAGE#74:SNMP_TRAP_SENT21/2_2", "nwparser.p0", "sysIpAddress = %{hostip->} )"); +var part127 = match("MESSAGE#74:SNMP_TRAP_SENT21/2_2", "nwparser.p0", "sysIpAddress = %{hostip->} )"); var select36 = linear_select([ part125, @@ -1895,31 +1709,24 @@ var all28 = all_match({ var msg78 = msg("SNMP_TRAP_SENT21", all28); -var part128 = // "Pattern{Field(obj_type,true), Constant(' (entityName = "'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/0", "nwparser.payload", "%{obj_type->} (entityName = \"%{p0}"); +var part128 = match("MESSAGE#75:SNMP_TRAP_SENT22/0", "nwparser.payload", "%{obj_type->} (entityName = \"%{p0}"); -var part129 = // "Pattern{Field(obj_name,false), Constant('..." '), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/1_0", "nwparser.p0", "%{obj_name}...\" %{p0}"); +var part129 = match("MESSAGE#75:SNMP_TRAP_SENT22/1_0", "nwparser.p0", "%{obj_name}...\" %{p0}"); -var part130 = // "Pattern{Field(obj_name,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/1_1", "nwparser.p0", "%{obj_name}\"%{p0}"); +var part130 = match("MESSAGE#75:SNMP_TRAP_SENT22/1_1", "nwparser.p0", "%{obj_name}\"%{p0}"); var select37 = linear_select([ part129, part130, ]); -var part131 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/2", "nwparser.p0", ", %{p0}"); +var part131 = match("MESSAGE#75:SNMP_TRAP_SENT22/2", "nwparser.p0", ", %{p0}"); -var part132 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/3_0", "nwparser.p0", "svcGrpMemberFullName.%{p0}"); +var part132 = match("MESSAGE#75:SNMP_TRAP_SENT22/3_0", "nwparser.p0", "svcGrpMemberFullName.%{p0}"); -var part133 = // "Pattern{Constant('vsvrFullName.'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/3_1", "nwparser.p0", "vsvrFullName.%{p0}"); +var part133 = match("MESSAGE#75:SNMP_TRAP_SENT22/3_1", "nwparser.p0", "vsvrFullName.%{p0}"); -var part134 = // "Pattern{Constant('svcServiceFullName.'), Field(p0,false)}" -match("MESSAGE#75:SNMP_TRAP_SENT22/3_2", "nwparser.p0", "svcServiceFullName.%{p0}"); +var part134 = match("MESSAGE#75:SNMP_TRAP_SENT22/3_2", "nwparser.p0", "svcServiceFullName.%{p0}"); var select38 = linear_select([ part132, @@ -1927,8 +1734,7 @@ var select38 = linear_select([ part134, ]); -var part135 = // "Pattern{Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#75:SNMP_TRAP_SENT22/4", "nwparser.p0", "%{fld2->} = \"%{fld3}\", nsPartitionName = %{fld1})"); +var part135 = match("MESSAGE#75:SNMP_TRAP_SENT22/4", "nwparser.p0", "%{fld2->} = \"%{fld3}\", nsPartitionName = %{fld1})"); var all29 = all_match({ processors: [ @@ -1948,8 +1754,7 @@ var all29 = all_match({ var msg79 = msg("SNMP_TRAP_SENT22", all29); -var part136 = // "Pattern{Field(obj_type,true), Constant(' (platformRateLimitPacketDropCount = '), Field(dclass_counter1,false), Constant(', platformLicensedThroughput = '), Field(fld2,false), Constant(', nsPartitionName = '), Field(fld3,false), Constant(')')}" -match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platformRateLimitPacketDropCount = %{dclass_counter1}, platformLicensedThroughput = %{fld2}, nsPartitionName = %{fld3})", processor_chain([ +var part136 = match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platformRateLimitPacketDropCount = %{dclass_counter1}, platformLicensedThroughput = %{fld2}, nsPartitionName = %{fld3})", processor_chain([ dup9, dup47, dup10, @@ -1958,8 +1763,7 @@ match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platfor var msg80 = msg("SNMP_TRAP_SENT23", part136); -var part137 = // "Pattern{Field(obj_type,true), Constant(' (vsvrName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", vsvrCurSoValue = '), Field(fld4,false), Constant(', vsvrSoMethod = "'), Field(fld5,false), Constant('", vsvrSoThresh = "'), Field(info,false), Constant('", vsvrFullName.'), Field(fld6,true), Constant(' = "'), Field(fld7,false), Constant('", nsPartitionName = '), Field(fld8,false), Constant(')')}" -match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrName.%{fld2->} = \"%{fld3}\", vsvrCurSoValue = %{fld4}, vsvrSoMethod = \"%{fld5}\", vsvrSoThresh = \"%{info}\", vsvrFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld8})", processor_chain([ +var part137 = match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrName.%{fld2->} = \"%{fld3}\", vsvrCurSoValue = %{fld4}, vsvrSoMethod = \"%{fld5}\", vsvrSoThresh = \"%{info}\", vsvrFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld8})", processor_chain([ dup9, dup47, dup10, @@ -1968,25 +1772,20 @@ match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrNam var msg81 = msg("SNMP_TRAP_SENT24", part137); -var part138 = // "Pattern{Field(obj_type,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/0", "nwparser.payload", "%{obj_type->} (%{p0}"); +var part138 = match("MESSAGE#78:SNMP_TRAP_SENT25/0", "nwparser.payload", "%{obj_type->} (%{p0}"); -var part139 = // "Pattern{Constant('partition id = '), Field(fld12,false), Constant(', sslCertKeyName.'), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/1_0", "nwparser.p0", "partition id = %{fld12}, sslCertKeyName.%{p0}"); +var part139 = match("MESSAGE#78:SNMP_TRAP_SENT25/1_0", "nwparser.p0", "partition id = %{fld12}, sslCertKeyName.%{p0}"); -var part140 = // "Pattern{Constant(' sslCertKeyName.'), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/1_1", "nwparser.p0", " sslCertKeyName.%{p0}"); +var part140 = match("MESSAGE#78:SNMP_TRAP_SENT25/1_1", "nwparser.p0", " sslCertKeyName.%{p0}"); var select39 = linear_select([ part139, part140, ]); -var part141 = // "Pattern{Constant('",'), Field(fld2,true), Constant(' = "'), Field(fld1,true), Constant(' sslDaysToExpire.'), Field(fld3,true), Constant(' = '), Field(dclass_counter1,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#78:SNMP_TRAP_SENT25/2", "nwparser.p0", "\",%{fld2->} = \"%{fld1->} sslDaysToExpire.%{fld3->} = %{dclass_counter1}, %{p0}"); +var part141 = match("MESSAGE#78:SNMP_TRAP_SENT25/2", "nwparser.p0", "\",%{fld2->} = \"%{fld1->} sslDaysToExpire.%{fld3->} = %{dclass_counter1}, %{p0}"); -var part142 = // "Pattern{Constant('nsPartitionName = '), Field(fld4,false), Constant(')')}" -match("MESSAGE#78:SNMP_TRAP_SENT25/3_0", "nwparser.p0", "nsPartitionName = %{fld4})"); +var part142 = match("MESSAGE#78:SNMP_TRAP_SENT25/3_0", "nwparser.p0", "nsPartitionName = %{fld4})"); var select40 = linear_select([ part142, @@ -2010,8 +1809,7 @@ var all30 = all_match({ var msg82 = msg("SNMP_TRAP_SENT25", all30); -var part143 = // "Pattern{Field(obj_type,true), Constant(' (nsUserName = "'), Field(username,false), Constant('", nsPartitionName = '), Field(fld1,false), Constant(')')}" -match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserName = \"%{username}\", nsPartitionName = %{fld1})", processor_chain([ +var part143 = match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserName = \"%{username}\", nsPartitionName = %{fld1})", processor_chain([ dup9, dup47, dup4, @@ -2019,8 +1817,7 @@ match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserN var msg83 = msg("SNMP_TRAP_SENT26", part143); -var part144 = // "Pattern{Field(info,true), Constant(' (sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddress = %{hostip})", processor_chain([ +var part144 = match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2029,8 +1826,7 @@ match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddres var msg84 = msg("SNMP_TRAP_SENT20", part144); -var part145 = // "Pattern{Field(obj_type,false), Constant('(lldpRemLocalPortNum.'), Field(fld1,false), Constant('= "'), Field(fld5,false), Constant('", lldpRemChassisId.'), Field(fld2,false), Constant('= "'), Field(dmacaddr,false), Constant('", lldpRemPortId.'), Field(fld3,false), Constant('= "'), Field(dinterface,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLocalPortNum.%{fld1}= \"%{fld5}\", lldpRemChassisId.%{fld2}= \"%{dmacaddr}\", lldpRemPortId.%{fld3}= \"%{dinterface}\", sysIpAddress =%{hostip})", processor_chain([ +var part145 = match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLocalPortNum.%{fld1}= \"%{fld5}\", lldpRemChassisId.%{fld2}= \"%{dmacaddr}\", lldpRemPortId.%{fld3}= \"%{dinterface}\", sysIpAddress =%{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2039,8 +1835,7 @@ match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLoc var msg85 = msg("SNMP_TRAP_SENT28", part145); -var part146 = // "Pattern{Field(obj_type,false), Constant('(haNicMonitorSucceeded = "'), Field(fld1,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonitorSucceeded = \"%{fld1}\", sysIpAddress =%{hostip})", processor_chain([ +var part146 = match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonitorSucceeded = \"%{fld1}\", sysIpAddress =%{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2049,8 +1844,7 @@ match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonit var msg86 = msg("SNMP_TRAP_SENT29", part146); -var part147 = // "Pattern{Field(fld1,false), Constant(':StatusPoll:'), Field(fld2,true), Constant(' - Device State changed to '), Field(disposition,true), Constant(' for '), Field(saddr,false)}" -match("MESSAGE#83:SNMP_TRAP_SENT:04", "nwparser.payload", "%{fld1}:StatusPoll:%{fld2->} - Device State changed to %{disposition->} for %{saddr}", processor_chain([ +var part147 = match("MESSAGE#83:SNMP_TRAP_SENT:04", "nwparser.payload", "%{fld1}:StatusPoll:%{fld2->} - Device State changed to %{disposition->} for %{saddr}", processor_chain([ dup9, dup4, setc("event_description","Device State changed"), @@ -2060,14 +1854,11 @@ var msg87 = msg("SNMP_TRAP_SENT:04", part147); var msg88 = msg("SNMP_TRAP_SENT:05", dup101); -var part148 = // "Pattern{Field(obj_type,true), Constant(' (appfwLogMsg = "'), Field(obj_name,true), Constant(' '), Field(info,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#136:SNMP_TRAP_SENT:01/0", "nwparser.payload", "%{obj_type->} (appfwLogMsg = \"%{obj_name->} %{info}\",%{p0}"); +var part148 = match("MESSAGE#136:SNMP_TRAP_SENT:01/0", "nwparser.payload", "%{obj_type->} (appfwLogMsg = \"%{obj_name->} %{info}\",%{p0}"); -var part149 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false)}" -match("MESSAGE#136:SNMP_TRAP_SENT:01/1_0", "nwparser.p0", "sysIpAddress = %{hostip}"); +var part149 = match("MESSAGE#136:SNMP_TRAP_SENT:01/1_0", "nwparser.p0", "sysIpAddress = %{hostip}"); -var part150 = // "Pattern{Constant('nsPartitionName ='), Field(fld1,false)}" -match("MESSAGE#136:SNMP_TRAP_SENT:01/1_1", "nwparser.p0", "nsPartitionName =%{fld1}"); +var part150 = match("MESSAGE#136:SNMP_TRAP_SENT:01/1_1", "nwparser.p0", "nsPartitionName =%{fld1}"); var select41 = linear_select([ part149, @@ -2089,8 +1880,7 @@ var all31 = all_match({ var msg89 = msg("SNMP_TRAP_SENT:01", all31); -var part151 = // "Pattern{Field(obj_type,true), Constant(' (haNicsMonitorFailed = "'), Field(fld1,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNicsMonitorFailed = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ +var part151 = match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNicsMonitorFailed = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2099,8 +1889,7 @@ match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNic var msg90 = msg("SNMP_TRAP_SENT:02", part151); -var part152 = // "Pattern{Field(obj_type,true), Constant(' (partition id = '), Field(fld1,false), Constant(', entityName = "'), Field(obj_name,false), Constant('('), Field(fld31,false), Constant('", svcServiceFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partition id = %{fld1}, entityName = \"%{obj_name}(%{fld31}\", svcServiceFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip})", processor_chain([ +var part152 = match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partition id = %{fld1}, entityName = \"%{obj_name}(%{fld31}\", svcServiceFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip})", processor_chain([ dup9, dup47, dup10, @@ -2109,8 +1898,7 @@ match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partit var msg91 = msg("SNMP_TRAP_SENT27", part152); -var part153 = // "Pattern{Field(obj_type,false), Constant('(sysHealthCounterName.PowerSupply1Status = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue.PowerSupply1Status = '), Field(dclass_counter1,false), Constant(', sysHealthPowerSupplyStatus = "'), Field(result,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" -match("MESSAGE#179:SNMP_TRAP_SENT:03", "nwparser.payload", "%{obj_type}(sysHealthCounterName.PowerSupply1Status = \"%{dclass_counter1_string}\", sysHealthCounterValue.PowerSupply1Status = %{dclass_counter1}, sysHealthPowerSupplyStatus = \"%{result}\", sysIpAddress =%{hostip})", processor_chain([ +var part153 = match("MESSAGE#179:SNMP_TRAP_SENT:03", "nwparser.payload", "%{obj_type}(sysHealthCounterName.PowerSupply1Status = \"%{dclass_counter1_string}\", sysHealthCounterValue.PowerSupply1Status = %{dclass_counter1}, sysHealthPowerSupplyStatus = \"%{result}\", sysIpAddress =%{hostip})", processor_chain([ dup9, dup47, dup4, @@ -2156,8 +1944,7 @@ var select42 = linear_select([ msg92, ]); -var part154 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Client IP '), Field(hostip,true), Constant(' - Vserver '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Client_security_expression "CLIENT.REG(''), Field(info,false), Constant('').VALUE == '), Field(trigger_val,true), Constant(' || '), Field(change_new,true), Constant(' - '), Field(result,false)}" -match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client_security_expression \"CLIENT.REG('%{info}').VALUE == %{trigger_val->} || %{change_new->} - %{result}", processor_chain([ +var part154 = match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client_security_expression \"CLIENT.REG('%{info}').VALUE == %{trigger_val->} || %{change_new->} - %{result}", processor_chain([ dup9, dup47, dup4, @@ -2165,16 +1952,14 @@ match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} var msg93 = msg("SSLVPN_CLISEC_CHECK", part154); -var part155 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - ClientIP '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_1", "nwparser.p0", "SPCBId %{sessionid->} - ClientIP %{p0}"); +var part155 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_1", "nwparser.p0", "SPCBId %{sessionid->} - ClientIP %{p0}"); var select43 = linear_select([ dup49, part155, ]); -var part156 = // "Pattern{Field(,true), Constant(' '), Field(saddr,false), Constant('- ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - Reason "'), Field(result,false), Constant('"')}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/2", "nwparser.p0", "%{} %{saddr}- ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Reason \"%{result}\""); +var part156 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/2", "nwparser.p0", "%{} %{saddr}- ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Reason \"%{result}\""); var all32 = all_match({ processors: [ @@ -2194,16 +1979,14 @@ var all32 = all_match({ var msg94 = msg("SSLLOG_SSL_HANDSHAKE_FAILURE", all32); -var part157 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' ClientIP '), Field(p0,false)}" -match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/1_0", "nwparser.p0", "SPCBId %{sessionid->} ClientIP %{p0}"); +var part157 = match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/1_0", "nwparser.p0", "SPCBId %{sessionid->} ClientIP %{p0}"); var select44 = linear_select([ part157, dup49, ]); -var part158 = // "Pattern{Constant(''), Field(saddr,true), Constant(' - ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - Session '), Field(info,false)}" -match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/2", "nwparser.p0", "%{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Session %{info}"); +var part158 = match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/2", "nwparser.p0", "%{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Session %{info}"); var all33 = all_match({ processors: [ @@ -2223,8 +2006,7 @@ var all33 = all_match({ var msg95 = msg("SSLLOG_SSL_HANDSHAKE_SUCCESS", all33); -var part159 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - SubjectName "'), Field(cert_subject,false), Constant('"')}" -match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId %{sessionid->} - SubjectName \"%{cert_subject}\"", processor_chain([ +var part159 = match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId %{sessionid->} - SubjectName \"%{cert_subject}\"", processor_chain([ dup9, dup41, dup50, @@ -2232,8 +2014,7 @@ match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId var msg96 = msg("SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", part159); -var part160 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - IssuerName "'), Field(fld1,false), Constant('"')}" -match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId %{sessionid->} - IssuerName \"%{fld1}\"", processor_chain([ +var part160 = match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId %{sessionid->} - IssuerName \"%{fld1}\"", processor_chain([ dup9, dup41, dup50, @@ -2241,8 +2022,7 @@ match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId var msg97 = msg("SSLLOG_SSL_HANDSHAKE_ISSUERNAME", part160); -var part161 = // "Pattern{Constant('Extracted_groups "'), Field(group,false), Constant('"')}" -match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_groups \"%{group}\"", processor_chain([ +var part161 = match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_groups \"%{group}\"", processor_chain([ dup2, setc("event_description","The groups extracted after user logs into SSLVPN"), dup3, @@ -2251,22 +2031,18 @@ match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_gr var msg98 = msg("SSLVPN_AAAEXTRACTED_GROUPS", part161); -var part162 = // "Pattern{Constant('User '), Field(username,true), Constant(' : - Client IP '), Field(hostip,true), Constant(' - Vserver '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Client security expression CLIENT.REG(''), Field(info,false), Constant('') '), Field(p0,false)}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/0", "nwparser.payload", "User %{username->} : - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client security expression CLIENT.REG('%{info}') %{p0}"); +var part162 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/0", "nwparser.payload", "User %{username->} : - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client security expression CLIENT.REG('%{info}') %{p0}"); -var part163 = // "Pattern{Constant('EXISTS '), Field(p0,false)}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_0", "nwparser.p0", "EXISTS %{p0}"); +var part163 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_0", "nwparser.p0", "EXISTS %{p0}"); -var part164 = // "Pattern{Constant('.VALUE == '), Field(trigger_val,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_1", "nwparser.p0", ".VALUE == %{trigger_val->} %{p0}"); +var part164 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_1", "nwparser.p0", ".VALUE == %{trigger_val->} %{p0}"); var select45 = linear_select([ part163, part164, ]); -var part165 = // "Pattern{Constant('evaluated to '), Field(change_new,false), Constant('('), Field(ntype,false), Constant(')')}" -match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/2", "nwparser.p0", "evaluated to %{change_new}(%{ntype})"); +var part165 = match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/2", "nwparser.p0", "evaluated to %{change_new}(%{ntype})"); var all34 = all_match({ processors: [ @@ -2284,47 +2060,38 @@ var all34 = all_match({ var msg99 = msg("SSLVPN_CLISEC_EXP_EVAL", all34); -var part166 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - %{p0}"); +var part166 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - %{p0}"); -var part167 = // "Pattern{Constant('SessionId: '), Field(sessionid,true), Constant(' User '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_0", "nwparser.p0", "SessionId: %{sessionid->} User %{p0}"); +var part167 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_0", "nwparser.p0", "SessionId: %{sessionid->} User %{p0}"); -var part168 = // "Pattern{Field(fld5,true), Constant(' User '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_1", "nwparser.p0", "%{fld5->} User %{p0}"); +var part168 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_1", "nwparser.p0", "%{fld5->} User %{p0}"); var select46 = linear_select([ part167, part168, ]); -var part169 = // "Pattern{Field(username,true), Constant(' : Group(s) '), Field(group,true), Constant(' : '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/2", "nwparser.p0", "%{username->} : Group(s) %{group->} : %{p0}"); +var part169 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/2", "nwparser.p0", "%{username->} : Group(s) %{group->} : %{p0}"); -var part170 = // "Pattern{Constant('Vserver '), Field(hostip,true), Constant(' - '), Field(fld6,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_0", "nwparser.p0", "Vserver %{hostip->} - %{fld6->} %{p0}"); +var part170 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_0", "nwparser.p0", "Vserver %{hostip->} - %{fld6->} %{p0}"); -var part171 = // "Pattern{Constant('- '), Field(fld7,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_1", "nwparser.p0", "- %{fld7->} %{p0}"); +var part171 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_1", "nwparser.p0", "- %{fld7->} %{p0}"); var select47 = linear_select([ part170, part171, ]); -var part172 = // "Pattern{Constant('GMT '), Field(web_method,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_0", "nwparser.p0", "GMT %{web_method->} %{p0}"); +var part172 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_0", "nwparser.p0", "GMT %{web_method->} %{p0}"); -var part173 = // "Pattern{Field(web_method,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_1", "nwparser.p0", "%{web_method->} %{p0}"); +var part173 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_1", "nwparser.p0", "%{web_method->} %{p0}"); var select48 = linear_select([ part172, part173, ]); -var part174 = // "Pattern{Field(url,true), Constant(' '), Field(fld8,false)}" -match("MESSAGE#92:SSLVPN_HTTPREQUEST/5", "nwparser.p0", "%{url->} %{fld8}"); +var part174 = match("MESSAGE#92:SSLVPN_HTTPREQUEST/5", "nwparser.p0", "%{url->} %{fld8}"); var all35 = all_match({ processors: [ @@ -2346,11 +2113,9 @@ var all35 = all_match({ var msg100 = msg("SSLVPN_HTTPREQUEST", all35); -var part175 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); +var part175 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); -var part176 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2}"); +var part176 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2}"); var all36 = all_match({ processors: [ @@ -2373,17 +2138,13 @@ var all36 = all_match({ var msg101 = msg("SSLVPN_ICAEND_CONNSTAT", all36); -var part177 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - username:domainname '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - startTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - startTime %{p0}"); +var part177 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - startTime %{p0}"); -var part178 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - endTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - endTime %{p0}"); +var part178 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - endTime %{p0}"); -var part179 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - endTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_1", "nwparser.p0", "\" %{fld10}\" - endTime %{p0}"); +var part179 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_1", "nwparser.p0", "\" %{fld10}\" - endTime %{p0}"); -var part180 = // "Pattern{Field(fld10,true), Constant(' - endTime '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_2", "nwparser.p0", "%{fld10->} - endTime %{p0}"); +var part180 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_2", "nwparser.p0", "%{fld10->} - endTime %{p0}"); var select49 = linear_select([ part178, @@ -2391,14 +2152,11 @@ var select49 = linear_select([ part180, ]); -var part181 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} %{p0}"); +var part181 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} %{p0}"); -var part182 = // "Pattern{Constant('- connectionId '), Field(connectionid,false)}" -match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_0", "nwparser.p0", "- connectionId %{connectionid}"); +var part182 = match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_0", "nwparser.p0", "- connectionId %{connectionid}"); -var part183 = // "Pattern{Field(fld2,false)}" -match_copy("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_1", "nwparser.p0", "fld2"); +var part183 = match_copy("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_1", "nwparser.p0", "fld2"); var select50 = linear_select([ part182, @@ -2432,8 +2190,7 @@ var select51 = linear_select([ msg102, ]); -var part184 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Browser_type '), Field(fld2,true), Constant(' - SSLVPN_client_type '), Field(info,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#94:SSLVPN_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{fld2->} - SSLVPN_client_type %{info->} - Group(s) \"%{group}\""); +var part184 = match("MESSAGE#94:SSLVPN_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{fld2->} - SSLVPN_client_type %{info->} - Group(s) \"%{group}\""); var all38 = all_match({ processors: [ @@ -2455,8 +2212,7 @@ var all38 = all_match({ var msg103 = msg("SSLVPN_LOGIN", all38); -var part185 = // "Pattern{Field(duration_string,true), Constant(' - Http_resources_accessed '), Field(fld3,true), Constant(' - NonHttp_services_accessed '), Field(fld4,true), Constant(' - Total_TCP_connections '), Field(fld5,true), Constant(' - Total_UDP_flows '), Field(fld6,true), Constant(' - Total_policies_allowed '), Field(fld7,true), Constant(' - Total_policies_denied '), Field(fld8,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - LogoutMethod "'), Field(result,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#95:SSLVPN_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - NonHttp_services_accessed %{fld4->} - Total_TCP_connections %{fld5->} - Total_UDP_flows %{fld6->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); +var part185 = match("MESSAGE#95:SSLVPN_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - NonHttp_services_accessed %{fld4->} - Total_TCP_connections %{fld5->} - Total_UDP_flows %{fld6->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); var all39 = all_match({ processors: [ @@ -2486,8 +2242,7 @@ var all39 = all_match({ var msg104 = msg("SSLVPN_LOGOUT", all39); -var part186 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Last_contact '), Field(fld2,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#96:SSLVPN_TCPCONN_TIMEDOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Last_contact %{fld2->} - Group(s) \"%{group}\""); +var part186 = match("MESSAGE#96:SSLVPN_TCPCONN_TIMEDOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Last_contact %{fld2->} - Group(s) \"%{group}\""); var all40 = all_match({ processors: [ @@ -2509,11 +2264,9 @@ var all40 = all_match({ var msg105 = msg("SSLVPN_TCPCONN_TIMEDOUT", all40); -var part187 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); +var part187 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); -var part188 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Access '), Field(disposition,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Access %{disposition->} - Group(s) \"%{group}\""); +var part188 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Access %{disposition->} - Group(s) \"%{group}\""); var all41 = all_match({ processors: [ @@ -2536,8 +2289,7 @@ var all41 = all_match({ var msg106 = msg("SSLVPN_UDPFLOWSTAT", all41); -var part189 = // "Pattern{Constant('Server port = '), Field(dport,true), Constant(' - Server server ip = '), Field(daddr,true), Constant(' - username:domain_name = '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - application name = '), Field(application,false)}" -match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport->} - Server server ip = %{daddr->} - username:domain_name = %{username}:%{ddomain->} - application name = %{application}", processor_chain([ +var part189 = match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport->} - Server server ip = %{daddr->} - username:domain_name = %{username}:%{ddomain->} - application name = %{application}", processor_chain([ dup69, setc("event_description","ICA started"), dup3, @@ -2546,17 +2298,13 @@ match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport-> var msg107 = msg("SSLVPN_ICASTART", part189); -var part190 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - username:domainname '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - applicationName '), Field(application,true), Constant(' - startTime '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - applicationName %{application->} - startTime %{p0}"); +var part190 = match("MESSAGE#99:SSLVPN_ICASTART:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - applicationName %{application->} - startTime %{p0}"); -var part191 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - connectionId '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - connectionId %{p0}"); +var part191 = match("MESSAGE#99:SSLVPN_ICASTART:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - connectionId %{p0}"); -var part192 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - connectionId '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/1_1", "nwparser.p0", "\" %{fld10}\" - connectionId %{p0}"); +var part192 = match("MESSAGE#99:SSLVPN_ICASTART:01/1_1", "nwparser.p0", "\" %{fld10}\" - connectionId %{p0}"); -var part193 = // "Pattern{Field(fld10,true), Constant(' - connectionId '), Field(p0,false)}" -match("MESSAGE#99:SSLVPN_ICASTART:01/1_2", "nwparser.p0", "%{fld10->} - connectionId %{p0}"); +var part193 = match("MESSAGE#99:SSLVPN_ICASTART:01/1_2", "nwparser.p0", "%{fld10->} - connectionId %{p0}"); var select52 = linear_select([ part191, @@ -2564,8 +2312,7 @@ var select52 = linear_select([ part193, ]); -var part194 = // "Pattern{Field(fld5,false)}" -match_copy("MESSAGE#99:SSLVPN_ICASTART:01/2", "nwparser.p0", "fld5"); +var part194 = match_copy("MESSAGE#99:SSLVPN_ICASTART:01/2", "nwparser.p0", "fld5"); var all42 = all_match({ processors: [ @@ -2587,14 +2334,11 @@ var select53 = linear_select([ msg108, ]); -var part195 = // "Pattern{Field(action,false), Constant(': '), Field(fld1,true), Constant(' "')}" -match("MESSAGE#100:SSLVPN_Message/1_0", "nwparser.p0", "%{action}: %{fld1->} \""); +var part195 = match("MESSAGE#100:SSLVPN_Message/1_0", "nwparser.p0", "%{action}: %{fld1->} \""); -var part196 = // "Pattern{Field(action,true), Constant(' '), Field(fld1,false), Constant('"')}" -match("MESSAGE#100:SSLVPN_Message/1_1", "nwparser.p0", "%{action->} %{fld1}\""); +var part196 = match("MESSAGE#100:SSLVPN_Message/1_1", "nwparser.p0", "%{action->} %{fld1}\""); -var part197 = // "Pattern{Field(action,false), Constant(': '), Field(fld1,false)}" -match("MESSAGE#100:SSLVPN_Message/1_2", "nwparser.p0", "%{action}: %{fld1}"); +var part197 = match("MESSAGE#100:SSLVPN_Message/1_2", "nwparser.p0", "%{action}: %{fld1}"); var select54 = linear_select([ part195, @@ -2617,11 +2361,9 @@ var all43 = all_match({ var msg109 = msg("SSLVPN_Message", all43); -var part198 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(stransaddr,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#101:SSLVPN_TCPCONNSTAT/2", "nwparser.p0", "%{} %{username}- Client_ip %{hostip->} - Nat_ip %{stransaddr->} - Vserver %{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); +var part198 = match("MESSAGE#101:SSLVPN_TCPCONNSTAT/2", "nwparser.p0", "%{} %{username}- Client_ip %{hostip->} - Nat_ip %{stransaddr->} - Vserver %{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); -var part199 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - Access '), Field(disposition,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#101:SSLVPN_TCPCONNSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - Access %{disposition->} - Group(s) \"%{group}\""); +var part199 = match("MESSAGE#101:SSLVPN_TCPCONNSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - Access %{disposition->} - Group(s) \"%{group}\""); var all44 = all_match({ processors: [ @@ -2686,8 +2428,7 @@ var all46 = all_match({ var msg112 = msg("TCP_CONN_TERMINATE", all46); -var part200 = // "Pattern{Constant('Source '), Field(saddr,false), Constant('Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" -match("MESSAGE#140:TCP_CONN_TERMINATE:01", "nwparser.payload", "Source %{saddr}Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes}", processor_chain([ +var part200 = match("MESSAGE#140:TCP_CONN_TERMINATE:01", "nwparser.payload", "Source %{saddr}Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes}", processor_chain([ dup2, dup40, dup28, @@ -2703,11 +2444,9 @@ var select55 = linear_select([ msg113, ]); -var part201 = // "Pattern{Field(fld11,true), Constant(' GMT Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT Total_bytes_send %{p0}"); +var part201 = match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT Total_bytes_send %{p0}"); -var part202 = // "Pattern{Field(fld11,true), Constant(' Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld11->} Total_bytes_send %{p0}"); +var part202 = match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld11->} Total_bytes_send %{p0}"); var select56 = linear_select([ part201, @@ -2733,22 +2472,18 @@ var all47 = all_match({ var msg114 = msg("TCP_OTHERCONN_DELINK", all47); -var part203 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start Time '), Field(p0,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Start Time %{p0}"); +var part203 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Start Time %{p0}"); -var part204 = // "Pattern{Field(fld10,true), Constant(' GMT - Delink Time '), Field(p0,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld10->} GMT - Delink Time %{p0}"); +var part204 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld10->} GMT - Delink Time %{p0}"); -var part205 = // "Pattern{Field(fld10,true), Constant(' - Delink Time '), Field(p0,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld10->} - Delink Time %{p0}"); +var part205 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld10->} - Delink Time %{p0}"); var select57 = linear_select([ part204, part205, ]); -var part206 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - '), Field(info,false)}" -match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/3", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes->} - %{info}"); +var part206 = match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/3", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes->} - %{info}"); var all48 = all_match({ processors: [ @@ -2770,8 +2505,7 @@ var all48 = all_match({ var msg115 = msg("TCP_NAT_OTHERCONN_DELINK", all48); -var part207 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part207 = match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup69, dup84, dup3, @@ -2783,8 +2517,7 @@ match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username- var msg116 = msg("UI_CMD_EXECUTED:Login", part207); -var part208 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "ERROR:'), Field(info,false), Constant('"')}" -match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"ERROR:%{info}\"", processor_chain([ +var part208 = match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"ERROR:%{info}\"", processor_chain([ dup5, dup84, dup3, @@ -2796,8 +2529,7 @@ match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{usern var msg117 = msg("UI_CMD_EXECUTED:LoginFail", part208); -var part209 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#108:UI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part209 = match("MESSAGE#108:UI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup71, dup84, dup3, @@ -2811,8 +2543,7 @@ var msg118 = msg("UI_CMD_EXECUTED:Logout", part209); var msg119 = msg("UI_CMD_EXECUTED", dup108); -var part210 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('"')}" -match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\"", processor_chain([ +var part210 = match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\"", processor_chain([ dup69, dup84, dup3, @@ -2823,8 +2554,7 @@ match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{userna var msg120 = msg("UI_CMD_EXECUTED:01_Login", part210); -var part211 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('"')}" -match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\"", processor_chain([ +var part211 = match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\"", processor_chain([ dup71, dup84, dup3, @@ -2835,8 +2565,7 @@ match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{usern var msg121 = msg("UI_CMD_EXECUTED:01_Logout", part211); -var part212 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('"')}" -match("MESSAGE#146:UI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\"", processor_chain([ +var part212 = match("MESSAGE#146:UI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\"", processor_chain([ dup88, dup89, dup3, @@ -2855,8 +2584,7 @@ var select58 = linear_select([ msg122, ]); -var part213 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Total_bytes_send '), Field(comp_sbytes,true), Constant(' - Total_bytes_recv '), Field(comp_rbytes,true), Constant(' - Denied_by_policy "'), Field(fld2,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#110:SSLVPN_NONHTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Total_bytes_send %{comp_sbytes->} - Total_bytes_recv %{comp_rbytes->} - Denied_by_policy \"%{fld2}\" - Group(s) \"%{group}\""); +var part213 = match("MESSAGE#110:SSLVPN_NONHTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Total_bytes_send %{comp_sbytes->} - Total_bytes_recv %{comp_rbytes->} - Denied_by_policy \"%{fld2}\" - Group(s) \"%{group}\""); var all49 = all_match({ processors: [ @@ -2874,24 +2602,21 @@ var all49 = all_match({ var msg123 = msg("SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", all49); -var part214 = // "Pattern{Field(fld1,true), Constant(' - State Init')}" -match("MESSAGE#111:EVENT_VRIDINIT", "nwparser.payload", "%{fld1->} - State Init", processor_chain([ +var part214 = match("MESSAGE#111:EVENT_VRIDINIT", "nwparser.payload", "%{fld1->} - State Init", processor_chain([ dup9, dup4, ])); var msg124 = msg("EVENT_VRIDINIT", part214); -var part215 = // "Pattern{Constant('"REC: status '), Field(info,true), Constant(' from client '), Field(fld1,true), Constant(' for ID '), Field(id,false), Constant('"')}" -match("MESSAGE#112:CLUSTERD_Message:01", "nwparser.payload", "\"REC: status %{info->} from client %{fld1->} for ID %{id}\"", processor_chain([ +var part215 = match("MESSAGE#112:CLUSTERD_Message:01", "nwparser.payload", "\"REC: status %{info->} from client %{fld1->} for ID %{id}\"", processor_chain([ dup9, dup4, ])); var msg125 = msg("CLUSTERD_Message:01", part215); -var part216 = // "Pattern{Field(info,false), Constant('('), Field(saddr,false), Constant(') port('), Field(sport,false), Constant(') msglen('), Field(fld1,false), Constant(') rcv('), Field(packets,false), Constant(') R('), Field(result,false), Constant(') " ')}" -match("MESSAGE#113:CLUSTERD_Message:02/1_0", "nwparser.p0", "%{info}(%{saddr}) port(%{sport}) msglen(%{fld1}) rcv(%{packets}) R(%{result}) \" "); +var part216 = match("MESSAGE#113:CLUSTERD_Message:02/1_0", "nwparser.p0", "%{info}(%{saddr}) port(%{sport}) msglen(%{fld1}) rcv(%{packets}) R(%{result}) \" "); var select59 = linear_select([ part216, @@ -2916,11 +2641,9 @@ var select60 = linear_select([ msg126, ]); -var part217 = // "Pattern{Constant('"crypto: driver '), Field(fld1,true), Constant(' registers alg '), Field(fld2,true), Constant(' flags '), Field(fld3,true), Constant(' maxoplen '), Field(fld4,true), Constant(' "')}" -match("MESSAGE#114:IPSEC_Message/0_0", "nwparser.payload", "\"crypto: driver %{fld1->} registers alg %{fld2->} flags %{fld3->} maxoplen %{fld4->} \""); +var part217 = match("MESSAGE#114:IPSEC_Message/0_0", "nwparser.payload", "\"crypto: driver %{fld1->} registers alg %{fld2->} flags %{fld3->} maxoplen %{fld4->} \""); -var part218 = // "Pattern{Constant(' "'), Field(info,true), Constant(' "')}" -match("MESSAGE#114:IPSEC_Message/0_1", "nwparser.payload", " \"%{info->} \""); +var part218 = match("MESSAGE#114:IPSEC_Message/0_1", "nwparser.payload", " \"%{info->} \""); var select61 = linear_select([ part217, @@ -2939,16 +2662,14 @@ var all51 = all_match({ var msg127 = msg("IPSEC_Message", all51); -var part219 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(info,true), Constant(' "')}" -match("MESSAGE#115:NSNETSVC_Message", "nwparser.payload", "\"%{event_type}: %{info->} \"", processor_chain([ +var part219 = match("MESSAGE#115:NSNETSVC_Message", "nwparser.payload", "\"%{event_type}: %{info->} \"", processor_chain([ dup9, dup4, ])); var msg128 = msg("NSNETSVC_Message", part219); -var part220 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Remote_host '), Field(hostname,true), Constant(' - Denied_url '), Field(url,true), Constant(' - Denied_by_policy '), Field(policyname,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#116:SSLVPN_HTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{} %{username}- Vserver %{daddr}:%{dport->} - Total_bytes_send %{sbytes->} - Remote_host %{hostname->} - Denied_url %{url->} - Denied_by_policy %{policyname->} - Group(s) \"%{group}\""); +var part220 = match("MESSAGE#116:SSLVPN_HTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{} %{username}- Vserver %{daddr}:%{dport->} - Total_bytes_send %{sbytes->} - Remote_host %{hostname->} - Denied_url %{url->} - Denied_by_policy %{policyname->} - Group(s) \"%{group}\""); var all52 = all_match({ processors: [ @@ -2964,14 +2685,11 @@ var all52 = all_match({ var msg129 = msg("SSLVPN_HTTP_RESOURCEACCESS_DENIED", all52); -var part221 = // "Pattern{Constant('Client '), Field(saddr,true), Constant(' - Profile '), Field(p0,false)}" -match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/0", "nwparser.payload", "Client %{saddr->} - Profile %{p0}"); +var part221 = match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/0", "nwparser.payload", "Client %{saddr->} - Profile %{p0}"); -var part222 = // "Pattern{Field(info,false), Constant(', '), Field(event_description,true), Constant(' - URL')}" -match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_0", "nwparser.p0", "%{info}, %{event_description->} - URL"); +var part222 = match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_0", "nwparser.p0", "%{info}, %{event_description->} - URL"); -var part223 = // "Pattern{Field(info,true), Constant(' - '), Field(event_description,true), Constant(' - URL')}" -match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_1", "nwparser.p0", "%{info->} - %{event_description->} - URL"); +var part223 = match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_1", "nwparser.p0", "%{info->} - %{event_description->} - URL"); var select62 = linear_select([ part222, @@ -2991,20 +2709,15 @@ var all53 = all_match({ var msg130 = msg("NSNETSVC_REQ_PARSE_ERROR", all53); -var part224 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(fld11,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#118:Source:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{fld11->} %{p0}"); +var part224 = match("MESSAGE#118:Source:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{fld11->} %{p0}"); -var part225 = // "Pattern{Constant('GMT - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_0", "nwparser.p0", "GMT - Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part225 = match("MESSAGE#118:Source:01/1_0", "nwparser.p0", "GMT - Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); -var part226 = // "Pattern{Constant('- Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_1", "nwparser.p0", "- Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part226 = match("MESSAGE#118:Source:01/1_1", "nwparser.p0", "- Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); -var part227 = // "Pattern{Constant('GMT Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_2", "nwparser.p0", "GMT Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part227 = match("MESSAGE#118:Source:01/1_2", "nwparser.p0", "GMT Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); -var part228 = // "Pattern{Constant('Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" -match("MESSAGE#118:Source:01/1_3", "nwparser.p0", "Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); +var part228 = match("MESSAGE#118:Source:01/1_3", "nwparser.p0", "Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); var select63 = linear_select([ part225, @@ -3013,8 +2726,7 @@ var select63 = linear_select([ part228, ]); -var part229 = // "Pattern{Field(rbytes,false)}" -match_copy("MESSAGE#118:Source:01/2", "nwparser.p0", "rbytes"); +var part229 = match_copy("MESSAGE#118:Source:01/2", "nwparser.p0", "rbytes"); var all54 = all_match({ processors: [ @@ -3051,15 +2763,13 @@ var select64 = linear_select([ msg132, ]); -var part230 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(fld1,false), Constant('" - Status "'), Field(result,false), Constant('"')}" -match("MESSAGE#120:User", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{fld1}\" - Status \"%{result}\"", processor_chain([ +var part230 = match("MESSAGE#120:User", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{fld1}\" - Status \"%{result}\"", processor_chain([ dup2, ])); var msg133 = msg("User", part230); -var part231 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - ClientIP '), Field(saddr,true), Constant(' - ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - '), Field(result,false)}" -match("MESSAGE#121:SPCBId", "nwparser.payload", "SPCBId %{sessionid->} - ClientIP %{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - %{result}", processor_chain([ +var part231 = match("MESSAGE#121:SPCBId", "nwparser.payload", "SPCBId %{sessionid->} - ClientIP %{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - %{result}", processor_chain([ dup11, dup40, dup8, @@ -3078,8 +2788,7 @@ var msg138 = msg("APPFW_FIELDCONSISTENCY", dup109); var msg139 = msg("APPFW_REFERER_HEADER", dup109); -var part232 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' cs6='), Field(fld9,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#127:APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} cs6=%{fld9->} act=%{action}", processor_chain([ +var part232 = match("MESSAGE#127:APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} cs6=%{fld9->} act=%{action}", processor_chain([ dup9, dup91, ])); @@ -3122,8 +2831,7 @@ var part233 = tagval("MESSAGE#130:CITRIX_TVM", "nwparser.payload", tvm, { var msg143 = msg("CITRIX_TVM", part233); -var part234 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(url,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url->} %{event_description}", processor_chain([ +var part234 = match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url->} %{event_description}", processor_chain([ dup9, dup40, dup3, @@ -3132,8 +2840,7 @@ match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fl var msg144 = msg("APPFW_APPFW_POLICY_HIT", part234); -var part235 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Unknown content-type header value='), Field(fld4,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Unknown content-type header value=%{fld4->} %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part235 = match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Unknown content-type header value=%{fld4->} %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, dup91, dup4, @@ -3141,8 +2848,7 @@ match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{ var msg145 = msg("APPFW_APPFW_CONTENT_TYPE", part235); -var part236 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' WSI check failed: '), Field(fld4,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} WSI check failed: %{fld4}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part236 = match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} WSI check failed: %{fld4}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, dup91, dup4, @@ -3150,8 +2856,7 @@ match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.p var msg146 = msg("APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", part236); -var part237 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Referer header check failed: referer header URL ''), Field(web_referer,false), Constant('' not in Start URL or closure list <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} %{fld2->} %{fld3->} %{rule_group->} %{url->} Referer header check failed: referer header URL '%{web_referer}' not in Start URL or closure list \u003c\u003c%{disposition}>", processor_chain([ +var part237 = match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} %{fld2->} %{fld3->} %{rule_group->} %{url->} Referer header check failed: referer header URL '%{web_referer}' not in Start URL or closure list \u003c\u003c%{disposition}>", processor_chain([ dup9, dup40, dup3, @@ -3161,8 +2866,7 @@ match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} var msg147 = msg("APPFW_APPFW_REFERER_HEADER", part237); -var part238 = // "Pattern{Constant('"URL'), Field(url,false), Constant('Client IP'), Field(hostip,false), Constant('Client Dest'), Field(fld1,false)}" -match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP%{hostip}Client Dest%{fld1}", processor_chain([ +var part238 = match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP%{hostip}Client Dest%{fld1}", processor_chain([ dup9, dup3, dup4, @@ -3170,8 +2874,7 @@ match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP var msg148 = msg("RESPONDER_Message", part238); -var part239 = // "Pattern{Constant('"NSRateLimit='), Field(filter,false), Constant(', ClientIP='), Field(saddr,false), Constant('"')}" -match("MESSAGE#142:RESPONDER_Message:01", "nwparser.payload", "\"NSRateLimit=%{filter}, ClientIP=%{saddr}\"", processor_chain([ +var part239 = match("MESSAGE#142:RESPONDER_Message:01", "nwparser.payload", "\"NSRateLimit=%{filter}, ClientIP=%{saddr}\"", processor_chain([ dup9, dup3, dup4, @@ -3184,8 +2887,7 @@ var select65 = linear_select([ msg149, ]); -var part240 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' - '), Field(fld2,true), Constant(' - '), Field(event_description,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{event_description->} \u003c\u003c%{disposition}>", processor_chain([ +var part240 = match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{event_description->} \u003c\u003c%{disposition}>", processor_chain([ dup11, dup3, dup4, @@ -3193,8 +2895,7 @@ match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} var msg150 = msg("APPFW_AF_MALFORMED_REQ_ERR", part240); -var part241 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' - '), Field(fld2,true), Constant(' - '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' '), Field(event_description,true), Constant(' rule ID '), Field(rule_uid,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{rule_group->} %{url->} %{event_description->} rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part241 = match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{rule_group->} %{url->} %{event_description->} rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, domain("web_domain","url"), root("web_root","url"), @@ -3206,8 +2907,7 @@ match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} var msg151 = msg("APPFW_APPFW_SIGNATURE_MATCH", part241); -var part242 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Signature violation rule ID '), Field(rule_uid,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#149:APPFW_APPFW_SIGNATURE_MATCH:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Signature violation rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ +var part242 = match("MESSAGE#149:APPFW_APPFW_SIGNATURE_MATCH:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Signature violation rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ dup9, dup91, dup4, @@ -3221,8 +2921,7 @@ var select66 = linear_select([ msg152, ]); -var part243 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" -serverIP '), Field(daddr,true), Constant(' -serverPort '), Field(dport,true), Constant(' -logLevel '), Field(fld1,true), Constant(' -dateFormat '), Field(fld2,true), Constant(' -logFacility '), Field(fld3,true), Constant(' -tcp '), Field(fld4,true), Constant(' -acl '), Field(fld5,true), Constant(' -timeZone '), Field(fld6,true), Constant(' -userDefinedAuditlog '), Field(fld7,true), Constant(' -appflowExport '), Field(fld8,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" -serverIP %{daddr->} -serverPort %{dport->} -logLevel %{fld1->} -dateFormat %{fld2->} -logFacility %{fld3->} -tcp %{fld4->} -acl %{fld5->} -timeZone %{fld6->} -userDefinedAuditlog %{fld7->} -appflowExport %{fld8}\" - Status \"%{disposition}\"", processor_chain([ +var part243 = match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" -serverIP %{daddr->} -serverPort %{dport->} -logLevel %{fld1->} -dateFormat %{fld2->} -logFacility %{fld3->} -tcp %{fld4->} -acl %{fld5->} -timeZone %{fld6->} -userDefinedAuditlog %{fld7->} -appflowExport %{fld8}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, @@ -3231,8 +2930,7 @@ match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} var msg153 = msg("GUI_CMD_EXECUTED:01", part243); -var part244 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,true), Constant(' -priority '), Field(fld1,true), Constant(' -devno '), Field(fld2,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} -priority %{fld1->} -devno %{fld2}\" - Status \"%{disposition}\"", processor_chain([ +var part244 = match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} -priority %{fld1->} -devno %{fld2}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, @@ -3241,8 +2939,7 @@ match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} var msg154 = msg("GUI_CMD_EXECUTED:02", part244); -var part245 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part245 = match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup69, dup92, dup3, @@ -3254,8 +2951,7 @@ match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username var msg155 = msg("GUI_CMD_EXECUTED:Login", part245); -var part246 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" -match("MESSAGE#153:GUI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ +var part246 = match("MESSAGE#153:GUI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ dup71, dup92, dup3, @@ -3269,8 +2965,7 @@ var msg156 = msg("GUI_CMD_EXECUTED:Logout", part246); var msg157 = msg("GUI_CMD_EXECUTED", dup108); -var part247 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,true), Constant(' - Status "'), Field(disposition,false), Constant('" - Message "'), Field(info,false), Constant('"')}" -match("MESSAGE#155:GUI_CMD_EXECUTED:03", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} - Status \"%{disposition}\" - Message \"%{info}\"", processor_chain([ +var part247 = match("MESSAGE#155:GUI_CMD_EXECUTED:03", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} - Status \"%{disposition}\" - Message \"%{info}\"", processor_chain([ dup88, dup89, dup4, @@ -3289,8 +2984,7 @@ var select67 = linear_select([ var msg159 = msg("CLI_CMD_EXECUTED", dup108); -var part248 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ +var part248 = match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ dup88, setc("event_description","API command executed in NetScaler"), dup3, @@ -3299,11 +2993,9 @@ match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - var msg160 = msg("API_CMD_EXECUTED", part248); -var part249 = // "Pattern{Field(result,true), Constant(' for user '), Field(username,true), Constant(' = '), Field(fld1,true), Constant(' "')}" -match("MESSAGE#158:AAA_Message/1_0", "nwparser.p0", "%{result->} for user %{username->} = %{fld1->} \""); +var part249 = match("MESSAGE#158:AAA_Message/1_0", "nwparser.p0", "%{result->} for user %{username->} = %{fld1->} \""); -var part250 = // "Pattern{Constant(''), Field(info,true), Constant(' "')}" -match("MESSAGE#158:AAA_Message/1_1", "nwparser.p0", "%{info->} \""); +var part250 = match("MESSAGE#158:AAA_Message/1_1", "nwparser.p0", "%{info->} \""); var select68 = linear_select([ part249, @@ -3323,8 +3015,7 @@ var all56 = all_match({ var msg161 = msg("AAA_Message", all56); -var part251 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': created session for <<'), Field(domain,false), Constant('> with cookie: <<'), Field(web_cookie,false), Constant('>"')}" -match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: created session for \u003c\u003c%{domain}> with cookie: \u003c\u003c%{web_cookie}>\"", processor_chain([ +var part251 = match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: created session for \u003c\u003c%{domain}> with cookie: \u003c\u003c%{web_cookie}>\"", processor_chain([ dup9, dup91, dup4, @@ -3332,8 +3023,7 @@ match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: crea var msg162 = msg("AAATM_Message:04", part251); -var part252 = // "Pattern{Field(fld1,true), Constant(' for user '), Field(username,true), Constant(' "')}" -match("MESSAGE#160:AAATM_Message/1_0", "nwparser.p0", "%{fld1->} for user %{username->} \""); +var part252 = match("MESSAGE#160:AAATM_Message/1_0", "nwparser.p0", "%{fld1->} for user %{username->} \""); var select69 = linear_select([ part252, @@ -3353,8 +3043,7 @@ var all57 = all_match({ var msg163 = msg("AAATM_Message", all57); -var part253 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' creating session '), Field(info,false), Constant('"')}" -match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating session %{info}\"", processor_chain([ +var part253 = match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating session %{info}\"", processor_chain([ dup9, dup4, setc("event_type","creating session"), @@ -3362,8 +3051,7 @@ match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating var msg164 = msg("AAATM_Message:01", part253); -var part254 = // "Pattern{Constant('"cookie idx is '), Field(fld1,false), Constant(', '), Field(info,false), Constant('"')}" -match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld1}, %{info}\"", processor_chain([ +var part254 = match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld1}, %{info}\"", processor_chain([ dup9, dup4, setc("event_type","cookie idx"), @@ -3371,8 +3059,7 @@ match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld var msg165 = msg("AAATM_Message:02", part254); -var part255 = // "Pattern{Constant('"sent request to '), Field(fld1,true), Constant(' for authentication, user <<'), Field(domain,false), Constant('\'), Field(username,false), Constant('>, client ip '), Field(saddr,false), Constant('"')}" -match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{fld1->} for authentication, user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}\"", processor_chain([ +var part255 = match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{fld1->} for authentication, user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}\"", processor_chain([ setc("eventcategory","1304000000"), dup4, setc("event_type","sent request"), @@ -3380,8 +3067,7 @@ match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{f var msg166 = msg("AAATM_Message:03", part255); -var part256 = // "Pattern{Constant('"authentication succeeded for user <<'), Field(domain,false), Constant('\'), Field(username,false), Constant('>, client ip '), Field(saddr,false), Constant(', setting up session"')}" -match("MESSAGE#164:AAATM_Message:05", "nwparser.payload", "\"authentication succeeded for user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}, setting up session\"", processor_chain([ +var part256 = match("MESSAGE#164:AAATM_Message:05", "nwparser.payload", "\"authentication succeeded for user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}, setting up session\"", processor_chain([ setc("eventcategory","1302000000"), dup4, setc("event_type","setting up session"), @@ -3401,22 +3087,18 @@ var select70 = linear_select([ msg168, ]); -var part257 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- '), Field(event_computer,true), Constant(' User '), Field(username,true), Constant(' : Group(s) '), Field(group,true), Constant(' : Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- %{event_computer->} User %{username->} : Group(s) %{group->} : Vserver %{daddr}:%{dport->} - %{fld2->} %{p0}"); +var part257 = match("MESSAGE#166:AAATM_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- %{event_computer->} User %{username->} : Group(s) %{group->} : Vserver %{daddr}:%{dport->} - %{fld2->} %{p0}"); -var part258 = // "Pattern{Field(timezone,false), Constant(': SSO is '), Field(fld3,true), Constant(' : '), Field(p0,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/1_0", "nwparser.p0", "%{timezone}: SSO is %{fld3->} : %{p0}"); +var part258 = match("MESSAGE#166:AAATM_HTTPREQUEST/1_0", "nwparser.p0", "%{timezone}: SSO is %{fld3->} : %{p0}"); -var part259 = // "Pattern{Field(timezone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/1_1", "nwparser.p0", "%{timezone->} %{p0}"); +var part259 = match("MESSAGE#166:AAATM_HTTPREQUEST/1_1", "nwparser.p0", "%{timezone->} %{p0}"); var select71 = linear_select([ part258, part259, ]); -var part260 = // "Pattern{Field(web_method,true), Constant(' '), Field(url,true), Constant(' '), Field(fld4,false)}" -match("MESSAGE#166:AAATM_HTTPREQUEST/2", "nwparser.p0", "%{web_method->} %{url->} %{fld4}"); +var part260 = match("MESSAGE#166:AAATM_HTTPREQUEST/2", "nwparser.p0", "%{web_method->} %{url->} %{fld4}"); var all58 = all_match({ processors: [ @@ -3446,16 +3128,14 @@ var msg171 = msg("SSLVPN_REMOVE_SESSION", dup114); var msg172 = msg("SSLVPN_REMOVE_SESSION_INFO", dup114); -var part261 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - ica_rtt '), Field(fld5,true), Constant(' - clientside_rxbytes '), Field(rbytes,false), Constant('- clientside_txbytes '), Field(sbytes,true), Constant(' - clientside_packet_retransmits '), Field(fld6,true), Constant(' - serverside_packet_retransmits '), Field(fld7,true), Constant(' - clientside_rtt '), Field(fld8,true), Constant(' - serverside_rtt '), Field(fld9,true), Constant(' - clientside_jitter '), Field(fld10,true), Constant(' - serverside_jitter '), Field(fld11,false)}" -match("MESSAGE#170:ICA_NETWORK_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - ica_rtt %{fld5->} - clientside_rxbytes %{rbytes}- clientside_txbytes %{sbytes->} - clientside_packet_retransmits %{fld6->} - serverside_packet_retransmits %{fld7->} - clientside_rtt %{fld8->} - serverside_rtt %{fld9->} - clientside_jitter %{fld10->} - serverside_jitter %{fld11}", processor_chain([ +var part261 = match("MESSAGE#170:ICA_NETWORK_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - ica_rtt %{fld5->} - clientside_rxbytes %{rbytes}- clientside_txbytes %{sbytes->} - clientside_packet_retransmits %{fld6->} - serverside_packet_retransmits %{fld7->} - clientside_rtt %{fld8->} - serverside_rtt %{fld9->} - clientside_jitter %{fld10->} - serverside_jitter %{fld11}", processor_chain([ dup9, dup4, ])); var msg173 = msg("ICA_NETWORK_UPDATE", part261); -var part262 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - channel_update_begin '), Field(fld5,true), Constant(' - channel_update_end '), Field(fld6,true), Constant(' - channel_id_1 '), Field(fld7,true), Constant(' - channel_id_1_val '), Field(fld8,true), Constant(' - channel_id_2 '), Field(fld9,true), Constant(' - channel_id_2_val '), Field(fld10,true), Constant(' -channel_id_3 '), Field(fld11,true), Constant(' - channel_id_3_val '), Field(fld12,true), Constant(' - channel_id_4 '), Field(fld13,true), Constant(' - channel_id_4_val '), Field(fld14,true), Constant(' -channel_id_5 '), Field(fld15,true), Constant(' - channel_id_5_val '), Field(fld16,false)}" -match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - channel_update_begin %{fld5->} - channel_update_end %{fld6->} - channel_id_1 %{fld7->} - channel_id_1_val %{fld8->} - channel_id_2 %{fld9->} - channel_id_2_val %{fld10->} -channel_id_3 %{fld11->} - channel_id_3_val %{fld12->} - channel_id_4 %{fld13->} - channel_id_4_val %{fld14->} -channel_id_5 %{fld15->} - channel_id_5_val %{fld16}", processor_chain([ +var part262 = match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - channel_update_begin %{fld5->} - channel_update_end %{fld6->} - channel_id_1 %{fld7->} - channel_id_1_val %{fld8->} - channel_id_2 %{fld9->} - channel_id_2_val %{fld10->} -channel_id_3 %{fld11->} - channel_id_3_val %{fld12->} - channel_id_4 %{fld13->} - channel_id_4_val %{fld14->} -channel_id_5 %{fld15->} - channel_id_5_val %{fld16}", processor_chain([ dup9, date_time({ dest: "starttime", @@ -3476,8 +3156,7 @@ match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1 var msg174 = msg("ICA_CHANNEL_UPDATE", part262); -var part263 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - nsica_session_status '), Field(fld5,true), Constant(' - nsica_session_client_ip '), Field(saddr,true), Constant(' - nsica_session_client_port '), Field(sport,true), Constant(' - nsica_session_server_ip '), Field(daddr,true), Constant(' - nsica_session_server_port '), Field(dport,true), Constant(' - nsica_session_reconnect_count '), Field(fld6,true), Constant(' - nsica_session_acr_count '), Field(fld7,true), Constant(' - connection_priority '), Field(fld8,true), Constant(' - timestamp '), Field(fld9,false)}" -match("MESSAGE#172:ICA_SESSION_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - nsica_session_status %{fld5->} - nsica_session_client_ip %{saddr->} - nsica_session_client_port %{sport->} - nsica_session_server_ip %{daddr->} - nsica_session_server_port %{dport->} - nsica_session_reconnect_count %{fld6->} - nsica_session_acr_count %{fld7->} - connection_priority %{fld8->} - timestamp %{fld9}", processor_chain([ +var part263 = match("MESSAGE#172:ICA_SESSION_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - nsica_session_status %{fld5->} - nsica_session_client_ip %{saddr->} - nsica_session_client_port %{sport->} - nsica_session_server_ip %{daddr->} - nsica_session_server_port %{dport->} - nsica_session_reconnect_count %{fld6->} - nsica_session_acr_count %{fld7->} - connection_priority %{fld8->} - timestamp %{fld9}", processor_chain([ dup9, dup4, ])); @@ -3486,16 +3165,14 @@ var msg175 = msg("ICA_SESSION_UPDATE", part263); var msg176 = msg("ICA_Message", dup111); -var part264 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - session_setup_time '), Field(fld5,true), Constant(' - client_ip '), Field(saddr,true), Constant(' - client_type '), Field(fld6,true), Constant(' - client_launcher '), Field(fld7,true), Constant(' - client_version '), Field(version,true), Constant(' - client_hostname '), Field(shost,true), Constant(' - domain_name '), Field(domain,true), Constant(' - server_name '), Field(dhost,true), Constant(' - connection_priority '), Field(fld8,false)}" -match("MESSAGE#174:ICA_SESSION_SETUP", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_setup_time %{fld5->} - client_ip %{saddr->} - client_type %{fld6->} - client_launcher %{fld7->} - client_version %{version->} - client_hostname %{shost->} - domain_name %{domain->} - server_name %{dhost->} - connection_priority %{fld8}", processor_chain([ +var part264 = match("MESSAGE#174:ICA_SESSION_SETUP", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_setup_time %{fld5->} - client_ip %{saddr->} - client_type %{fld6->} - client_launcher %{fld7->} - client_version %{version->} - client_hostname %{shost->} - domain_name %{domain->} - server_name %{dhost->} - connection_priority %{fld8}", processor_chain([ dup9, dup4, ])); var msg177 = msg("ICA_SESSION_SETUP", part264); -var part265 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - launch_mechanism '), Field(fld5,true), Constant(' - app_launch_time '), Field(fld6,true), Constant(' - app_process_id '), Field(fld7,true), Constant(' - app_name '), Field(fld8,true), Constant(' - module_path '), Field(filename,false)}" -match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - launch_mechanism %{fld5->} - app_launch_time %{fld6->} - app_process_id %{fld7->} - app_name %{fld8->} - module_path %{filename}", processor_chain([ +var part265 = match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - launch_mechanism %{fld5->} - app_launch_time %{fld6->} - app_process_id %{fld7->} - app_name %{fld8->} - module_path %{filename}", processor_chain([ dup9, date_time({ dest: "starttime", @@ -3509,8 +3186,7 @@ match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{ var msg178 = msg("ICA_APPLICATION_LAUNCH", part265); -var part266 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - session_end_time '), Field(fld5,false)}" -match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_end_time %{fld5}", processor_chain([ +var part266 = match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_end_time %{fld5}", processor_chain([ dup9, date_time({ dest: "endtime", @@ -3524,8 +3200,7 @@ match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{f var msg179 = msg("ICA_SESSION_TERMINATE", part266); -var part267 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - app_termination_type '), Field(fld5,true), Constant(' - app_process_id '), Field(fld6,true), Constant(' - app_termination_time '), Field(fld7,false)}" -match("MESSAGE#177:ICA_APPLICATION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - app_termination_type %{fld5->} - app_process_id %{fld6->} - app_termination_time %{fld7}", processor_chain([ +var part267 = match("MESSAGE#177:ICA_APPLICATION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - app_termination_type %{fld5->} - app_process_id %{fld6->} - app_termination_time %{fld7}", processor_chain([ dup9, date_time({ dest: "endtime", @@ -3553,8 +3228,7 @@ var all59 = all_match({ var msg181 = msg("SSLVPN_REMOVE_SESSION_DEBUG", all59); -var part268 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Browser_type '), Field(user_agent,false), Constant('- Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#181:AAATM_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{user_agent}- Group(s) \"%{group}\""); +var part268 = match("MESSAGE#181:AAATM_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{user_agent}- Group(s) \"%{group}\""); var all60 = all_match({ processors: [ @@ -3574,8 +3248,7 @@ var all60 = all_match({ var msg182 = msg("AAATM_LOGIN", all60); -var part269 = // "Pattern{Field(duration_string,true), Constant(' - Http_resources_accessed '), Field(fld3,true), Constant(' - Total_TCP_connections '), Field(fld5,true), Constant(' - Total_policies_allowed '), Field(fld7,true), Constant(' - Total_policies_denied '), Field(fld8,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(fld12,true), Constant(' - Total_compressedbytes_recv '), Field(fld13,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - LogoutMethod "'), Field(result,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" -match("MESSAGE#182:AAATM_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - Total_TCP_connections %{fld5->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{fld12->} - Total_compressedbytes_recv %{fld13->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); +var part269 = match("MESSAGE#182:AAATM_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - Total_TCP_connections %{fld5->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{fld12->} - Total_compressedbytes_recv %{fld13->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); var all61 = all_match({ processors: [ @@ -3722,149 +3395,101 @@ var chain1 = processor_chain([ }), ]); -var part270 = // "Pattern{Field(saddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); +var part270 = match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); -var part271 = // "Pattern{Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); +var part271 = match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); -var part272 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" -match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); +var part272 = match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); -var part273 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); +var part273 = match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); -var part274 = // "Pattern{Constant('HASTATE '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); +var part274 = match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); -var part275 = // "Pattern{Field(network_service,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); +var part275 = match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); -var part276 = // "Pattern{Field(info,false), Constant('"')}" -match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); +var part276 = match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); -var part277 = // "Pattern{Constant('for '), Field(dclass_counter1,false)}" -match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); +var part277 = match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); -var part278 = // "Pattern{Field(space,false)}" -match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); +var part278 = match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); -var part279 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); +var part279 = match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); -var part280 = // "Pattern{Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); +var part280 = match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); -var part281 = // "Pattern{}" -match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); +var part281 = match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); -var part282 = // "Pattern{Field(obj_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); +var part282 = match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); -var part283 = // "Pattern{Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); +var part283 = match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); -var part284 = // "Pattern{Constant(''), Field(obj_name,false)}" -match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); +var part284 = match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); -var part285 = // "Pattern{Constant('" '), Field(p0,false)}" -match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); +var part285 = match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); -var part286 = // "Pattern{Constant(''), Field(info,false), Constant('"')}" -match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); +var part286 = match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); -var part287 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false), Constant(')')}" -match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); +var part287 = match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); -var part288 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); +var part288 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); -var part289 = // "Pattern{Constant('ClientIP '), Field(p0,false)}" -match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); +var part289 = match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); -var part290 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); +var part290 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); -var part291 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); +var part291 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); -var part292 = // "Pattern{Field(fld10,true), Constant(' - End_time '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); +var part292 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); -var part293 = // "Pattern{Constant('" '), Field(fld11,true), Constant(' GMT" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); +var part293 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); -var part294 = // "Pattern{Constant('" '), Field(fld11,false), Constant('" - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); +var part294 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); -var part295 = // "Pattern{Field(fld11,true), Constant(' - Duration '), Field(p0,false)}" -match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); +var part295 = match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); -var part296 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); +var part296 = match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); -var part297 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); +var part297 = match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); -var part298 = // "Pattern{Constant('User '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); +var part298 = match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); -var part299 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); +var part299 = match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); -var part300 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); +var part300 = match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); -var part301 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver '), Field(p0,false)}" -match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); +var part301 = match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); -var part302 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start_time '), Field(p0,false)}" -match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); +var part302 = match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); -var part303 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(username,true), Constant(' - Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); +var part303 = match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); -var part304 = // "Pattern{Field(,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); +var part304 = match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); -var part305 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); +var part305 = match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); -var part306 = // "Pattern{Field(fld11,true), Constant(' GMT - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); +var part306 = match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); -var part307 = // "Pattern{Field(fld11,true), Constant(' - Total_bytes_send '), Field(p0,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); +var part307 = match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); -var part308 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" -match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); +var part308 = match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); -var part309 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); +var part309 = match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); -var part310 = // "Pattern{Field(fld10,true), Constant(' GMT - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); +var part310 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); -var part311 = // "Pattern{Field(fld10,true), Constant(' - End Time '), Field(p0,false)}" -match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); +var part311 = match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); -var part312 = // "Pattern{Field(info,true), Constant(' "')}" -match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); +var part312 = match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); -var part313 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); +var part313 = match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); -var part314 = // "Pattern{Constant('Sessionid '), Field(sessionid,true), Constant(' - User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); +var part314 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); -var part315 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); +var part315 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); -var part316 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver_ip '), Field(p0,false)}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); +var part316 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); -var part317 = // "Pattern{Field(daddr,true), Constant(' - Errmsg " '), Field(event_description,true), Constant(' "')}" -match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); +var part317 = match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); var select72 = linear_select([ dup21, @@ -3881,8 +3506,7 @@ var select74 = linear_select([ dup33, ]); -var part318 = // "Pattern{Field(fld1,false), Constant(':UserLogin:'), Field(username,true), Constant(' - '), Field(event_description,true), Constant(' from client IP Address '), Field(saddr,false)}" -match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ +var part318 = match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ dup5, dup4, ])); @@ -3920,28 +3544,24 @@ var select80 = linear_select([ dup82, ]); -var part319 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" -match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ +var part319 = match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ dup88, dup89, dup3, dup4, ])); -var part320 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var part320 = match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup9, dup91, ])); -var part321 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" -match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ +var part321 = match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ dup11, dup91, ])); -var part322 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ +var part322 = match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ dup9, dup4, ])); diff --git a/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js b/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js index 02a511984c0..0f8be954311 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js +++ b/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js @@ -93,146 +93,99 @@ var dup29 = setc("ec_activity","Disable"); var dup30 = setc("eventcategory","1401050200"); -var dup31 = // "Pattern{Constant('Version='), Field(p0,false)}" -match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); +var dup31 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); -var dup32 = // "Pattern{Constant('"'), Field(version,false), Constant('";Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); +var dup32 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); -var dup33 = // "Pattern{Field(version,false), Constant(';Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); +var dup33 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); -var dup34 = // "Pattern{Constant('"'), Field(action,false), Constant('";Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); +var dup34 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); -var dup35 = // "Pattern{Field(action,false), Constant(';Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); +var dup35 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); -var dup36 = // "Pattern{Constant('"'), Field(username,false), Constant('";Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); +var dup36 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); -var dup37 = // "Pattern{Field(username,false), Constant(';Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); +var dup37 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); -var dup38 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); +var dup38 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); -var dup39 = // "Pattern{Field(hostip,false), Constant(';File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); +var dup39 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); -var dup40 = // "Pattern{Constant('"'), Field(filename,false), Constant('";Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); +var dup40 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); -var dup41 = // "Pattern{Field(filename,false), Constant(';Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); +var dup41 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); -var dup42 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); +var dup42 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); -var dup43 = // "Pattern{Field(group_object,false), Constant(';Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); +var dup43 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); -var dup44 = // "Pattern{Constant('"'), Field(directory,false), Constant('";Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); +var dup44 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); -var dup45 = // "Pattern{Field(directory,false), Constant(';Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); +var dup45 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); -var dup46 = // "Pattern{Constant('"'), Field(category,false), Constant('";RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); +var dup46 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); -var dup47 = // "Pattern{Field(category,false), Constant(';RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); +var dup47 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); -var dup48 = // "Pattern{Constant('"'), Field(id1,false), Constant('";Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); +var dup48 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); -var dup49 = // "Pattern{Field(id1,false), Constant(';Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); +var dup49 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); -var dup50 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); +var dup50 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); -var dup51 = // "Pattern{Field(event_description,false), Constant(';Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); +var dup51 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); -var dup52 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); +var dup52 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); -var dup53 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); +var dup53 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); -var dup54 = // "Pattern{Constant('"'), Field(group,false), Constant('";TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); +var dup54 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); -var dup55 = // "Pattern{Field(group,false), Constant(';TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); +var dup55 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); -var dup56 = // "Pattern{Constant('"'), Field(uid,false), Constant('";GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); +var dup56 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); -var dup57 = // "Pattern{Field(uid,false), Constant(';GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); +var dup57 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); -var dup58 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); +var dup58 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); -var dup59 = // "Pattern{Field(saddr,false), Constant(';TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); +var dup59 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); -var dup60 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); +var dup60 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); -var dup61 = // "Pattern{Field(operation_id,false), Constant(';PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); +var dup61 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); -var dup62 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); +var dup62 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); -var dup63 = // "Pattern{Field(policyname,false), Constant(';UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); +var dup63 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); -var dup64 = // "Pattern{Constant('"'), Field(fld11,false), Constant('";LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); +var dup64 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); -var dup65 = // "Pattern{Field(fld11,false), Constant(';LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); +var dup65 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); -var dup66 = // "Pattern{Constant('"'), Field(domain,false), Constant('";Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); +var dup66 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); -var dup67 = // "Pattern{Field(domain,false), Constant(';Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); +var dup67 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); -var dup68 = // "Pattern{Constant('"'), Field(fld14,false), Constant('";CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); +var dup68 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); -var dup69 = // "Pattern{Field(fld14,false), Constant(';CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); +var dup69 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); -var dup70 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); +var dup70 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); -var dup71 = // "Pattern{Field(disposition,false), Constant(';Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); +var dup71 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); -var dup72 = // "Pattern{Constant('"'), Field(dport,false), Constant('";Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); +var dup72 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); -var dup73 = // "Pattern{Field(dport,false), Constant(';Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); +var dup73 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); -var dup74 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); +var dup74 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); -var dup75 = // "Pattern{Field(db_name,false), Constant(';DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); +var dup75 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); -var dup76 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); +var dup76 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); -var dup77 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); +var dup77 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); var dup78 = setc("eventcategory","1502000000"); @@ -248,203 +201,137 @@ var dup83 = setc("eventcategory","1501000000"); var dup84 = setc("eventcategory","1206000000"); -var dup85 = // "Pattern{Constant('"'), Field(version,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); +var dup85 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); -var dup86 = // "Pattern{Field(version,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); +var dup86 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); -var dup87 = // "Pattern{Constant('Message='), Field(p0,false)}" -match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); +var dup87 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); -var dup88 = // "Pattern{Constant('"'), Field(action,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); +var dup88 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); -var dup89 = // "Pattern{Field(action,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); +var dup89 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); -var dup90 = // "Pattern{Constant('Issuer='), Field(p0,false)}" -match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); +var dup90 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); -var dup91 = // "Pattern{Constant('"'), Field(username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); +var dup91 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); -var dup92 = // "Pattern{Field(username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); +var dup92 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); -var dup93 = // "Pattern{Constant('Station='), Field(p0,false)}" -match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); +var dup93 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); -var dup94 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); +var dup94 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); -var dup95 = // "Pattern{Field(hostip,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); +var dup95 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); -var dup96 = // "Pattern{Constant('File='), Field(p0,false)}" -match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); +var dup96 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); -var dup97 = // "Pattern{Constant('"'), Field(filename,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); +var dup97 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); -var dup98 = // "Pattern{Field(filename,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); +var dup98 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); -var dup99 = // "Pattern{Constant('Safe='), Field(p0,false)}" -match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); +var dup99 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); -var dup100 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); +var dup100 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); -var dup101 = // "Pattern{Field(group_object,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); +var dup101 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); -var dup102 = // "Pattern{Constant('Location='), Field(p0,false)}" -match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); +var dup102 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); -var dup103 = // "Pattern{Constant('"'), Field(directory,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); +var dup103 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); -var dup104 = // "Pattern{Field(directory,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); +var dup104 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); -var dup105 = // "Pattern{Constant('Category='), Field(p0,false)}" -match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); +var dup105 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); -var dup106 = // "Pattern{Constant('"'), Field(category,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); +var dup106 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); -var dup107 = // "Pattern{Field(category,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); +var dup107 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); -var dup108 = // "Pattern{Constant('RequestId='), Field(p0,false)}" -match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); +var dup108 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); -var dup109 = // "Pattern{Constant('"'), Field(id1,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); +var dup109 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); -var dup110 = // "Pattern{Field(id1,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); +var dup110 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); -var dup111 = // "Pattern{Constant('Reason='), Field(p0,false)}" -match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); +var dup111 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); -var dup112 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); +var dup112 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); -var dup113 = // "Pattern{Field(event_description,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); +var dup113 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); -var dup114 = // "Pattern{Constant('Severity='), Field(p0,false)}" -match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); +var dup114 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); -var dup115 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser="'), Field(group,false), Constant('";TargetUser="'), Field(uid,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); +var dup115 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); -var dup116 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(group,false), Constant(';TargetUser='), Field(uid,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); +var dup116 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); -var dup117 = // "Pattern{Constant('"'), Field(severity,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); +var dup117 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); -var dup118 = // "Pattern{Field(severity,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); +var dup118 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); -var dup119 = // "Pattern{Constant('GatewayStation='), Field(p0,false)}" -match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); +var dup119 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); -var dup120 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); +var dup120 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); -var dup121 = // "Pattern{Field(saddr,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); +var dup121 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); -var dup122 = // "Pattern{Constant('TicketID='), Field(p0,false)}" -match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); +var dup122 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); -var dup123 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); +var dup123 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); -var dup124 = // "Pattern{Field(operation_id,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); +var dup124 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); -var dup125 = // "Pattern{Constant('PolicyID='), Field(p0,false)}" -match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); +var dup125 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); -var dup126 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); +var dup126 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); -var dup127 = // "Pattern{Field(policyname,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); +var dup127 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); -var dup128 = // "Pattern{Constant('UserName='), Field(p0,false)}" -match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); +var dup128 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); -var dup129 = // "Pattern{Constant('"'), Field(c_username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); +var dup129 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); -var dup130 = // "Pattern{Field(c_username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); +var dup130 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); -var dup131 = // "Pattern{Constant('LogonDomain='), Field(p0,false)}" -match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); +var dup131 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); -var dup132 = // "Pattern{Constant('"'), Field(domain,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); +var dup132 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); -var dup133 = // "Pattern{Field(domain,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); +var dup133 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); -var dup134 = // "Pattern{Constant('Address='), Field(p0,false)}" -match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); +var dup134 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); -var dup135 = // "Pattern{Constant('"'), Field(dhost,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); +var dup135 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); -var dup136 = // "Pattern{Field(dhost,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); +var dup136 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); -var dup137 = // "Pattern{Constant('CPMStatus='), Field(p0,false)}" -match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); +var dup137 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); -var dup138 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); +var dup138 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); -var dup139 = // "Pattern{Field(disposition,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); +var dup139 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); -var dup140 = // "Pattern{Constant('Port='), Field(p0,false)}" -match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); +var dup140 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); -var dup141 = // "Pattern{Constant('"'), Field(dport,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); +var dup141 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); -var dup142 = // "Pattern{Field(dport,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); +var dup142 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); -var dup143 = // "Pattern{Constant('Database='), Field(p0,false)}" -match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); +var dup143 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); -var dup144 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); +var dup144 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); -var dup145 = // "Pattern{Field(db_name,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); +var dup145 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); -var dup146 = // "Pattern{Constant('DeviceType='), Field(p0,false)}" -match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); +var dup146 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); -var dup147 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); +var dup147 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); -var dup148 = // "Pattern{Field(obj_type,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); +var dup148 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); -var dup149 = // "Pattern{Constant('ExtraDetails='), Field(p0,false)}" -match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); +var dup149 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); -var dup150 = // "Pattern{Field(info,false), Constant(';')}" -match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); +var dup150 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); var dup151 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { "Address": "dhost", @@ -477,8 +364,7 @@ var dup151 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { dup3, ])); -var dup152 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup152 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup1, dup2, ])); @@ -514,8 +400,7 @@ var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { dup3, ])); -var dup154 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup4, dup2, ])); @@ -555,8 +440,7 @@ var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { dup3, ])); -var dup156 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup5, dup6, dup7, @@ -599,8 +483,7 @@ var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { dup3, ])); -var dup158 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup16, dup17, @@ -639,8 +522,7 @@ var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { dup3, ])); -var dup160 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup19, dup2, ])); @@ -676,8 +558,7 @@ var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { dup3, ])); -var dup162 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup2, ])); @@ -713,8 +594,7 @@ var dup163 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { dup3, ])); -var dup164 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup21, dup2, ])); @@ -750,8 +630,7 @@ var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { dup3, ])); -var dup166 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup23, dup2, ])); @@ -787,8 +666,7 @@ var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { dup3, ])); -var dup168 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup20, dup2, ])); @@ -824,8 +702,7 @@ var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { dup3, ])); -var dup170 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup26, dup2, ])); @@ -1011,8 +888,7 @@ var dup195 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { dup3, ])); -var dup196 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup79, dup80, dup81, @@ -1050,8 +926,7 @@ var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { dup3, ])); -var dup198 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup82, dup2, ])); @@ -1087,14 +962,12 @@ var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { dup3, ])); -var dup200 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup83, dup2, ])); -var dup201 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location='), Field(directory,false), Constant(';Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false), Constant(';')}" -match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ +var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ dup4, dup2, dup3, @@ -1207,8 +1080,7 @@ var dup222 = linear_select([ dup148, ]); -var hdr1 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hproduct,true), Constant(' ProductName="'), Field(hdevice,false), Constant('",ProductAccount="'), Field(hfld1,false), Constant('",ProductProcess="'), Field(process,false), Constant('",EventId="'), Field(messageid,false), Constant('", '), Field(p0,false)}" -match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -1227,8 +1099,7 @@ match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct-> }), ])); -var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hdatetime,true), Constant(' '), Field(hproduct,true), Constant(' ProductName="'), Field(hdevice,false), Constant('",ProductAccount="'), Field(hfld4,false), Constant('",ProductProcess="'), Field(process,false), Constant('",EventId="'), Field(messageid,false), Constant('", '), Field(p0,false)}" -match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ +var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ setc("header_id","0005"), call({ dest: "nwparser.payload", @@ -1247,23 +1118,19 @@ match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} Produ }), ])); -var hdr3 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hproduct,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0002"), ])); -var hdr4 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hdatetime,true), Constant(' '), Field(hostname,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0003"), ])); -var hdr5 = // "Pattern{Constant('%CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr6 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hostname,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" -match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ setc("header_id","0006"), ])); @@ -1349,8 +1216,7 @@ var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { var msg9 = msg("7:01", part1); -var part2 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#9:7", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup10, dup6, dup7, @@ -1403,8 +1269,7 @@ var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { var msg11 = msg("8:01", part3); -var part4 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#11:8", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup12, dup6, dup13, @@ -1455,8 +1320,7 @@ var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { var msg13 = msg("9:01", part5); -var part6 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#13:9", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup1, dup14, dup9, @@ -1550,8 +1414,7 @@ var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { var msg25 = msg("15:01", part7); -var part8 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup18, dup9, @@ -1627,8 +1490,7 @@ var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { var msg33 = msg("19:01", part9); -var part10 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup20, dup16, dup11, @@ -1676,8 +1538,7 @@ var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { var msg35 = msg("20:01", part11); -var part12 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#35:20", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup19, dup16, dup2, @@ -1725,8 +1586,7 @@ var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { var msg37 = msg("21:01", part13); -var part14 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#37:21", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup16, dup9, @@ -1782,8 +1642,7 @@ var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { var msg41 = msg("23:01", part15); -var part16 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#41:23", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup22, dup2, ])); @@ -2576,8 +2435,7 @@ var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { var msg201 = msg("103:01", part18); -var part19 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup27, dup6, dup7, @@ -2628,8 +2486,7 @@ var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { var msg203 = msg("104:01", part20); -var part21 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup27, dup6, dup29, @@ -2928,8 +2785,7 @@ var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { var msg261 = msg("134:01", part22); -var part23 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#261:134", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup30, dup2, ])); @@ -4318,8 +4174,7 @@ var select285 = linear_select([ msg568, ]); -var part24 = // "Pattern{Field(application,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld10,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" -match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); +var part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); var all1 = all_match({ processors: [ @@ -4410,8 +4265,7 @@ var select287 = linear_select([ msg573, ]); -var part26 = // "Pattern{Field(application,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld12,false), Constant(';SessionDuration='), Field(duration_string,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" -match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); +var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); var all2 = all_match({ processors: [ @@ -4470,19 +4324,16 @@ var select289 = linear_select([ msg578, ]); -var part27 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="DstHost='), Field(p0,false)}" -match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); +var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); -var part28 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="DstHost='), Field(p0,false)}" -match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); +var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); var select290 = linear_select([ part27, part28, ]); -var part29 = // "Pattern{Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld10,false), Constant(';SessionDuration='), Field(duration_string,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" -match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); +var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); var all3 = all_match({ processors: [ @@ -4592,8 +4443,7 @@ var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { var msg588 = msg("308:01", part30); -var part31 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup78, dup2, ])); @@ -4642,8 +4492,7 @@ var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { var msg590 = msg("309:01", part32); -var part33 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup10, dup6, dup7, @@ -4746,8 +4595,7 @@ var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { var msg604 = msg("190:01", part34); -var part35 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup84, dup2, ])); @@ -4819,30 +4667,25 @@ var msg619 = msg("374", dup201); var msg620 = msg("376", dup201); -var part36 = // "Pattern{Constant('"'), Field(fld89,false), Constant('";LogonDomain='), Field(p0,false)}" -match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); +var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); -var part37 = // "Pattern{Field(fld89,false), Constant(';LogonDomain='), Field(p0,false)}" -match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); +var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); var select310 = linear_select([ part36, part37, ]); -var part38 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="Command='), Field(p0,false)}" -match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); +var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); -var part39 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="Command='), Field(p0,false)}" -match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); +var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); var select311 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Field(param,false), Constant(';ConnectionComponentId='), Field(fld67,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld11,false), Constant(';RDPOffset='), Field(fld12,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';VIDOffset='), Field(fld13,false), Constant(';')}" -match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); +var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); var all4 = all_match({ processors: [ @@ -4882,8 +4725,7 @@ var all4 = all_match({ var msg621 = msg("411:01", all4); -var part41 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';ProcessId='), Field(process_id,false), Constant(';ProcessName='), Field(process,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';RDPOffset='), Field(fld4,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" -match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); +var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); var select312 = linear_select([ part41, @@ -4951,8 +4793,7 @@ var select313 = linear_select([ msg622, ]); -var part42 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location="'), Field(directory,false), Constant('";Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false)}" -match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ +var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ dup4, dup2, dup3, @@ -4960,8 +4801,7 @@ match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{actio var msg623 = msg("385", part42); -var part43 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';SSHOffset='), Field(fld4,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" -match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); +var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); var select314 = linear_select([ part43, @@ -5024,8 +4864,7 @@ var all6 = all_match({ var msg624 = msg("361", all6); -var part44 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';TXTOffset='), Field(fld4,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" -match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); +var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); var select315 = linear_select([ part44, @@ -5426,344 +5265,231 @@ var chain1 = processor_chain([ }), ]); -var part45 = // "Pattern{Constant('Version='), Field(p0,false)}" -match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); +var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); -var part46 = // "Pattern{Constant('"'), Field(version,false), Constant('";Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); +var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); -var part47 = // "Pattern{Field(version,false), Constant(';Message='), Field(p0,false)}" -match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); +var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); -var part48 = // "Pattern{Constant('"'), Field(action,false), Constant('";Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); +var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); -var part49 = // "Pattern{Field(action,false), Constant(';Issuer='), Field(p0,false)}" -match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); +var part49 = match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); -var part50 = // "Pattern{Constant('"'), Field(username,false), Constant('";Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); +var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); -var part51 = // "Pattern{Field(username,false), Constant(';Station='), Field(p0,false)}" -match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); +var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); -var part52 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); +var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); -var part53 = // "Pattern{Field(hostip,false), Constant(';File='), Field(p0,false)}" -match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); +var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); -var part54 = // "Pattern{Constant('"'), Field(filename,false), Constant('";Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); +var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); -var part55 = // "Pattern{Field(filename,false), Constant(';Safe='), Field(p0,false)}" -match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); +var part55 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); -var part56 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); +var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); -var part57 = // "Pattern{Field(group_object,false), Constant(';Location='), Field(p0,false)}" -match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); +var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); -var part58 = // "Pattern{Constant('"'), Field(directory,false), Constant('";Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); +var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); -var part59 = // "Pattern{Field(directory,false), Constant(';Category='), Field(p0,false)}" -match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); +var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); -var part60 = // "Pattern{Constant('"'), Field(category,false), Constant('";RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); +var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); -var part61 = // "Pattern{Field(category,false), Constant(';RequestId='), Field(p0,false)}" -match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); +var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); -var part62 = // "Pattern{Constant('"'), Field(id1,false), Constant('";Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); +var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); -var part63 = // "Pattern{Field(id1,false), Constant(';Reason='), Field(p0,false)}" -match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); +var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); -var part64 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); +var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); -var part65 = // "Pattern{Field(event_description,false), Constant(';Severity='), Field(p0,false)}" -match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); +var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); -var part66 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); +var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); -var part67 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); +var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); -var part68 = // "Pattern{Constant('"'), Field(group,false), Constant('";TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); +var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); -var part69 = // "Pattern{Field(group,false), Constant(';TargetUser='), Field(p0,false)}" -match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); +var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); -var part70 = // "Pattern{Constant('"'), Field(uid,false), Constant('";GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); +var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); -var part71 = // "Pattern{Field(uid,false), Constant(';GatewayStation='), Field(p0,false)}" -match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); +var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); -var part72 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); +var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); -var part73 = // "Pattern{Field(saddr,false), Constant(';TicketID='), Field(p0,false)}" -match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); +var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); -var part74 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); +var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); -var part75 = // "Pattern{Field(operation_id,false), Constant(';PolicyID='), Field(p0,false)}" -match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); +var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); -var part76 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); +var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); -var part77 = // "Pattern{Field(policyname,false), Constant(';UserName='), Field(p0,false)}" -match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); +var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); -var part78 = // "Pattern{Constant('"'), Field(fld11,false), Constant('";LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); +var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); -var part79 = // "Pattern{Field(fld11,false), Constant(';LogonDomain='), Field(p0,false)}" -match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); +var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); -var part80 = // "Pattern{Constant('"'), Field(domain,false), Constant('";Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); +var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); -var part81 = // "Pattern{Field(domain,false), Constant(';Address='), Field(p0,false)}" -match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); +var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); -var part82 = // "Pattern{Constant('"'), Field(fld14,false), Constant('";CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); +var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); -var part83 = // "Pattern{Field(fld14,false), Constant(';CPMStatus='), Field(p0,false)}" -match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); +var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); -var part84 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); +var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); -var part85 = // "Pattern{Field(disposition,false), Constant(';Port='), Field(p0,false)}" -match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); +var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); -var part86 = // "Pattern{Constant('"'), Field(dport,false), Constant('";Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); +var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); -var part87 = // "Pattern{Field(dport,false), Constant(';Database='), Field(p0,false)}" -match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); +var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); -var part88 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); +var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); -var part89 = // "Pattern{Field(db_name,false), Constant(';DeviceType='), Field(p0,false)}" -match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); +var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); -var part90 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); +var part90 = match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); -var part91 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="ApplicationType='), Field(p0,false)}" -match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); +var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); -var part92 = // "Pattern{Constant('"'), Field(version,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); +var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); -var part93 = // "Pattern{Field(version,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); +var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); -var part94 = // "Pattern{Constant('Message='), Field(p0,false)}" -match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); +var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); -var part95 = // "Pattern{Constant('"'), Field(action,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); +var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); -var part96 = // "Pattern{Field(action,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); +var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); -var part97 = // "Pattern{Constant('Issuer='), Field(p0,false)}" -match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); +var part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); -var part98 = // "Pattern{Constant('"'), Field(username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); +var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); -var part99 = // "Pattern{Field(username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); +var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); -var part100 = // "Pattern{Constant('Station='), Field(p0,false)}" -match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); +var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); -var part101 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); +var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); -var part102 = // "Pattern{Field(hostip,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); +var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); -var part103 = // "Pattern{Constant('File='), Field(p0,false)}" -match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); +var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); -var part104 = // "Pattern{Constant('"'), Field(filename,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); +var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); -var part105 = // "Pattern{Field(filename,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); +var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); -var part106 = // "Pattern{Constant('Safe='), Field(p0,false)}" -match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); +var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); -var part107 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); +var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); -var part108 = // "Pattern{Field(group_object,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); +var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); -var part109 = // "Pattern{Constant('Location='), Field(p0,false)}" -match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); +var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); -var part110 = // "Pattern{Constant('"'), Field(directory,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); +var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); -var part111 = // "Pattern{Field(directory,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); +var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); -var part112 = // "Pattern{Constant('Category='), Field(p0,false)}" -match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); +var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); -var part113 = // "Pattern{Constant('"'), Field(category,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); +var part113 = match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); -var part114 = // "Pattern{Field(category,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); +var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); -var part115 = // "Pattern{Constant('RequestId='), Field(p0,false)}" -match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); +var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); -var part116 = // "Pattern{Constant('"'), Field(id1,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); +var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); -var part117 = // "Pattern{Field(id1,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); +var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); -var part118 = // "Pattern{Constant('Reason='), Field(p0,false)}" -match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); +var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); -var part119 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); +var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); -var part120 = // "Pattern{Field(event_description,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); +var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); -var part121 = // "Pattern{Constant('Severity='), Field(p0,false)}" -match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); +var part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); -var part122 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser="'), Field(group,false), Constant('";TargetUser="'), Field(uid,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); +var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); -var part123 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(group,false), Constant(';TargetUser='), Field(uid,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); +var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); -var part124 = // "Pattern{Constant('"'), Field(severity,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); +var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); -var part125 = // "Pattern{Field(severity,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); +var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); -var part126 = // "Pattern{Constant('GatewayStation='), Field(p0,false)}" -match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); +var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); -var part127 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); +var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); -var part128 = // "Pattern{Field(saddr,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); +var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); -var part129 = // "Pattern{Constant('TicketID='), Field(p0,false)}" -match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); +var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); -var part130 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); +var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); -var part131 = // "Pattern{Field(operation_id,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); +var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); -var part132 = // "Pattern{Constant('PolicyID='), Field(p0,false)}" -match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); +var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); -var part133 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); +var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); -var part134 = // "Pattern{Field(policyname,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); +var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); -var part135 = // "Pattern{Constant('UserName='), Field(p0,false)}" -match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); +var part135 = match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); -var part136 = // "Pattern{Constant('"'), Field(c_username,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); +var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); -var part137 = // "Pattern{Field(c_username,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); +var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); -var part138 = // "Pattern{Constant('LogonDomain='), Field(p0,false)}" -match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); +var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); -var part139 = // "Pattern{Constant('"'), Field(domain,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); +var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); -var part140 = // "Pattern{Field(domain,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); +var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); -var part141 = // "Pattern{Constant('Address='), Field(p0,false)}" -match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); +var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); -var part142 = // "Pattern{Constant('"'), Field(dhost,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); +var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); -var part143 = // "Pattern{Field(dhost,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); +var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); -var part144 = // "Pattern{Constant('CPMStatus='), Field(p0,false)}" -match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); +var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); -var part145 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); +var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); -var part146 = // "Pattern{Field(disposition,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); +var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); -var part147 = // "Pattern{Constant('Port='), Field(p0,false)}" -match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); +var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); -var part148 = // "Pattern{Constant('"'), Field(dport,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); +var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); -var part149 = // "Pattern{Field(dport,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); +var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); -var part150 = // "Pattern{Constant('Database='), Field(p0,false)}" -match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); +var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); -var part151 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); +var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); -var part152 = // "Pattern{Field(db_name,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); +var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); -var part153 = // "Pattern{Constant('DeviceType='), Field(p0,false)}" -match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); +var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); -var part154 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";'), Field(p0,false)}" -match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); +var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); -var part155 = // "Pattern{Field(obj_type,false), Constant(';'), Field(p0,false)}" -match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); +var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); -var part156 = // "Pattern{Constant('ExtraDetails='), Field(p0,false)}" -match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); +var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); -var part157 = // "Pattern{Field(info,false), Constant(';')}" -match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); +var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { "Address": "dhost", @@ -5796,8 +5522,7 @@ var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { dup3, ])); -var part159 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup1, dup2, ])); @@ -5833,8 +5558,7 @@ var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { dup3, ])); -var part161 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup4, dup2, ])); @@ -5874,8 +5598,7 @@ var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { dup3, ])); -var part163 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup5, dup6, dup7, @@ -5918,8 +5641,7 @@ var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { dup3, ])); -var part165 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup16, dup17, @@ -5958,8 +5680,7 @@ var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { dup3, ])); -var part167 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup19, dup2, ])); @@ -5995,8 +5716,7 @@ var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { dup3, ])); -var part169 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup15, dup2, ])); @@ -6032,8 +5752,7 @@ var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { dup3, ])); -var part171 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup21, dup2, ])); @@ -6069,8 +5788,7 @@ var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { dup3, ])); -var part173 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup23, dup2, ])); @@ -6106,8 +5824,7 @@ var part174 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { dup3, ])); -var part175 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup20, dup2, ])); @@ -6143,8 +5860,7 @@ var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { dup3, ])); -var part177 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup26, dup2, ])); @@ -6330,8 +6046,7 @@ var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { dup3, ])); -var part180 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup79, dup80, dup81, @@ -6369,8 +6084,7 @@ var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { dup3, ])); -var part182 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup82, dup2, ])); @@ -6406,14 +6120,12 @@ var part183 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { dup3, ])); -var part184 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" -match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ +var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ dup83, dup2, ])); -var part185 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location='), Field(directory,false), Constant(';Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false), Constant(';')}" -match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ +var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ dup4, dup2, dup3, diff --git a/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js b/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js index a32c606c1ba..e749db584be 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js +++ b/x-pack/filebeat/module/f5/bigipafm/config/pipeline.js @@ -33,8 +33,7 @@ var map_getEventCategoryActivity = { var dup1 = constant("Deny"); -var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hhostname,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(hfld4,true), Constant(' '), Field(hfld5,true), Constant(' [F5@'), Field(hfld6,true), Constant(' '), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hfld1->} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ setc("header_id","0001"), setc("messageid","BIGIP_AFM"), ])); diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js b/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js index b40147eb1d5..28f099e0484 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js +++ b/x-pack/filebeat/module/fortinet/fortimail/config/pipeline.js @@ -31,20 +31,15 @@ var dup1 = call({ ], }); -var dup2 = // "Pattern{Constant('user='), Field(username,true), Constant(' ui='), Field(p0,false)}" -match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); +var dup2 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); -var dup3 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); +var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); -var dup4 = // "Pattern{Field(network_service,true), Constant(' action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); +var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); -var dup5 = // "Pattern{Constant('"'), Field(event_description,false), Constant('"')}" -match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); +var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); -var dup6 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); +var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); var dup7 = setc("eventcategory","1401000000"); @@ -70,139 +65,97 @@ var dup14 = setf("category","msgIdPart2"); var dup15 = setf("severity","hseverity"); -var dup16 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); +var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); var dup17 = setc("eventcategory","1602000000"); -var dup18 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); +var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); -var dup19 = // "Pattern{Field(network_service,false), Constant('('), Field(hostip,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); +var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); -var dup20 = // "Pattern{Field(network_service,false), Constant('action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); +var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); -var dup21 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); +var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); -var dup22 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('"msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); +var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); -var dup23 = // "Pattern{Field(sessionid,false), Constant('msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); +var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); -var dup24 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); +var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); -var dup25 = // "Pattern{Field(sessionid,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); +var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); -var dup26 = // "Pattern{Constant('from='), Field(p0,false)}" -match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); +var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); -var dup27 = // "Pattern{Constant('"'), Field(from,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); +var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); -var dup28 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); +var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); -var dup29 = // "Pattern{Constant('"'), Field(to,false), Constant('" src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); +var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); -var dup30 = // "Pattern{Field(to,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); +var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); -var dup31 = // "Pattern{Constant('"'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); +var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); -var dup32 = // "Pattern{Field(saddr,true), Constant(' session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); +var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); var dup33 = setc("eventcategory","1003010000"); var dup34 = setf("event_type","messageid"); -var dup35 = // "Pattern{Constant('session_id='), Field(p0,false)}" -match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); +var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); -var dup36 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); +var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); -var dup37 = // "Pattern{Field(sessionid,true), Constant(' from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); +var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); -var dup38 = // "Pattern{Constant('"'), Field(from,false), Constant('" mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); +var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); -var dup39 = // "Pattern{Field(from,true), Constant(' mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); +var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); -var dup40 = // "Pattern{Constant('"'), Field(agent,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); +var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); -var dup41 = // "Pattern{Field(agent,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); +var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); -var dup42 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(info,false), Constant(')"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); +var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); -var dup43 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); +var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); -var dup44 = // "Pattern{Field(saddr,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); +var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); -var dup45 = // "Pattern{Constant('"'), Field(context,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); +var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); -var dup46 = // "Pattern{Field(context,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); +var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); -var dup47 = // "Pattern{Constant('"'), Field(to,false), Constant('" direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); +var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); -var dup48 = // "Pattern{Field(to,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); +var dup48 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); -var dup49 = // "Pattern{Constant('"'), Field(direction,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); +var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); -var dup50 = // "Pattern{Field(direction,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); +var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); -var dup51 = // "Pattern{Field(fld4,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); +var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); -var dup52 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); +var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); -var dup53 = // "Pattern{Field(virusname,true), Constant(' disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); +var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); -var dup54 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); +var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); -var dup55 = // "Pattern{Field(disposition,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); +var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); -var dup56 = // "Pattern{Constant('"'), Field(filter,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); +var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); -var dup57 = // "Pattern{Field(filter,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); +var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); -var dup58 = // "Pattern{Constant('"'), Field(subject,false), Constant('"')}" -match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); +var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); -var dup59 = // "Pattern{Field(subject,false)}" -match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); +var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); var dup60 = setc("eventcategory","1207000000"); -var dup61 = // "Pattern{Field(,false), Constant('resolved='), Field(p0,false)}" -match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); +var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); var dup62 = setc("eventcategory","1207040000"); @@ -322,25 +275,21 @@ var dup82 = all_match({ ]), }); -var hdr1 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' log_part='), Field(hfld3,true), Constant(' type='), Field(msgIdPart1,true), Constant(' subtype='), Field(msgIdPart2,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0001"), dup1, ])); -var hdr2 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' log_part='), Field(hfld3,true), Constant(' type='), Field(messageid,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0002"), ])); -var hdr3 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' type='), Field(msgIdPart1,true), Constant(' subtype='), Field(msgIdPart2,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' type='), Field(messageid,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0004"), ])); @@ -351,8 +300,7 @@ var select1 = linear_select([ hdr4, ]); -var part1 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' reason='), Field(result,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); +var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); var all1 = all_match({ processors: [ @@ -404,22 +352,18 @@ var msg4 = msg("event_system", dup82); var msg5 = msg("event_imap", dup82); -var part2 = // "Pattern{Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); +var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); -var part3 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant('], version='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); +var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); -var part4 = // "Pattern{Field(shost,false), Constant(', version='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); +var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); var select2 = linear_select([ part3, part4, ]); -var part5 = // "Pattern{Field(version,false), Constant(', verify='), Field(fld2,false), Constant(', cipher='), Field(s_cipher,false), Constant(', bits='), Field(fld3,false), Constant('"')}" -match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); +var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); var all3 = all_match({ processors: [ @@ -446,8 +390,7 @@ var all3 = all_match({ var msg6 = msg("event_smtp:01", all3); -var part6 = // "Pattern{Field(fld1,false), Constant(', cert-subject='), Field(cert_subject,false), Constant(', cert-issuer='), Field(fld2,false), Constant(', verifymsg='), Field(fld3,false), Constant('"')}" -match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); +var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); var all4 = all_match({ processors: [ @@ -472,8 +415,7 @@ var all4 = all_match({ var msg7 = msg("event_smtp:02", all4); -var part7 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="to=<<'), Field(to,false), Constant('>, delay='), Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant(', relay='), Field(shost,false), Constant('['), Field(saddr,false), Constant('], dsn='), Field(fld4,false), Constant(', stat='), Field(fld5,false), Constant('"')}" -match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); +var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); var all5 = all_match({ processors: [ @@ -496,31 +438,24 @@ var all5 = all_match({ var msg8 = msg("event_smtp:03", all5); -var part8 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(network_service,false), Constant('action='), Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="from=<<'), Field(from,false), Constant('>, size='), Field(bytes,false), Constant(', class='), Field(fld2,false), Constant(', nrcpts='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); +var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); -var part9 = // "Pattern{Field(fld3,false), Constant(', msgid=<<'), Field(fld4,false), Constant('>, proto='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); +var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); -var part10 = // "Pattern{Field(fld3,false), Constant(', proto='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); +var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); var select3 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Field(protocol,false), Constant(', daemon='), Field(process,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); +var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); -var part12 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant('] (may be forged)"')}" -match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); +var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); -var part13 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant(']"')}" -match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); +var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); -var part14 = // "Pattern{Field(shost,false), Constant('"')}" -match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); +var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); var select4 = linear_select([ part12, @@ -550,8 +485,7 @@ var all6 = all_match({ var msg9 = msg("event_smtp:04", all6); -var part15 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="Milter: to=<<'), Field(to,false), Constant('>, reject='), Field(fld1,false), Constant('"')}" -match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); +var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); var all7 = all_match({ processors: [ @@ -574,22 +508,18 @@ var all7 = all_match({ var msg10 = msg("event_smtp:05", all7); -var part16 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="timeout waiting for input from'), Field(p0,false)}" -match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout waiting for input from%{p0}"); +var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout waiting for input from%{p0}"); -var part17 = // "Pattern{Constant('['), Field(saddr,false), Constant(']during server cmd'), Field(p0,false)}" -match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); +var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); -var part18 = // "Pattern{Field(saddr,false), Constant('during server cmd'), Field(p0,false)}" -match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); +var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); var select5 = linear_select([ part17, part18, ]); -var part19 = // "Pattern{Field(fld5,false), Constant('"')}" -match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); +var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); var all8 = all_match({ processors: [ @@ -614,8 +544,7 @@ var all8 = all_match({ var msg11 = msg("event_smtp:06", all8); -var part20 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="collect:'), Field(fld1,false), Constant('timeout on connection from'), Field(shost,false), Constant(', from=<<'), Field(from,false), Constant('>"')}" -match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); +var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); var all9 = all_match({ processors: [ @@ -638,8 +567,7 @@ var all9 = all_match({ var msg12 = msg("event_smtp:07", all9); -var part21 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="DSN: to <<'), Field(to,false), Constant('>; reason:'), Field(result,false), Constant('; sessionid:'), Field(fld5,false), Constant('"')}" -match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); +var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); var all10 = all_match({ processors: [ @@ -662,8 +590,7 @@ var all10 = all_match({ var msg13 = msg("event_smtp:08", all10); -var part22 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="lost input channel from'), Field(shost,false), Constant('['), Field(saddr,false), Constant('] (may be forged) to SMTP_MTA after rcpt"')}" -match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); +var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); var all11 = all_match({ processors: [ @@ -686,8 +613,7 @@ var all11 = all_match({ var msg14 = msg("event_smtp:09", all11); -var part23 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="'), Field(shost,false), Constant('['), Field(saddr,false), Constant(']: possible SMTP attack: command='), Field(fld1,false), Constant(', count='), Field(dclass_counter1,false), Constant('"')}" -match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); +var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); var all12 = all_match({ processors: [ @@ -711,20 +637,15 @@ var all12 = all_match({ var msg15 = msg("event_smtp:10", all12); -var part24 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" log_part='), Field(id1,true), Constant(' msg="to=<<'), Field(to,false), Constant(', delay='), Field(p0,false)}" -match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); +var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); -var part25 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant(', relay='), Field(shost,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); +var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); -var part26 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); +var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); -var part27 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); +var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); -var part28 = // "Pattern{Field(fld1,false), Constant('"')}" -match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); +var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); var select6 = linear_select([ part25, @@ -755,8 +676,7 @@ var all13 = all_match({ var msg16 = msg("event_smtp:11", all13); -var part29 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' session_id='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); +var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); var all14 = all_match({ processors: [ @@ -819,8 +739,7 @@ var select7 = linear_select([ msg18, ]); -var part31 = // "Pattern{Constant('msg='), Field(p0,false)}" -match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); +var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); var all15 = all_match({ processors: [ @@ -842,19 +761,16 @@ var all15 = all_match({ var msg19 = msg("event_update", all15); -var part32 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') module='), Field(p0,false)}" -match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); +var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); -var part33 = // "Pattern{Field(network_service,true), Constant(' module='), Field(p0,false)}" -match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); +var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); var select8 = linear_select([ part32, part33, ]); -var part34 = // "Pattern{Field(fld1,true), Constant(' submodule='), Field(fld2,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); +var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); var all16 = all_match({ processors: [ @@ -906,19 +822,16 @@ var all17 = all_match({ var msg21 = msg("virus", all17); -var part35 = // "Pattern{Constant('"'), Field(to,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); +var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); -var part36 = // "Pattern{Field(to,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} client_name=\"%{p0}"); +var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} client_name=\"%{p0}"); var select10 = linear_select([ part35, part36, ]); -var part37 = // "Pattern{Field(fqdn,false), Constant('" client_ip="'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" -match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); +var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); var all18 = all_match({ processors: [ @@ -943,28 +856,22 @@ var all18 = all_match({ var msg22 = msg("virus_infected", all18); -var part38 = // "Pattern{Constant('from="'), Field(from,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); +var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); -var part39 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); +var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); var select11 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Constant('"'), Field(sdomain,true), Constant(' ['), Field(saddr,false), Constant(']" session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); +var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); -var part41 = // "Pattern{Field(sdomain,true), Constant(' ['), Field(saddr,false), Constant('] session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); +var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); -var part42 = // "Pattern{Constant('"['), Field(saddr,false), Constant(']" session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); +var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); -var part43 = // "Pattern{Constant('['), Field(saddr,false), Constant('] session_id='), Field(p0,false)}" -match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); +var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); var select12 = linear_select([ part40, @@ -975,8 +882,7 @@ var select12 = linear_select([ dup32, ]); -var part44 = // "Pattern{Constant('"Attachment file ('), Field(filename,false), Constant(') has sha1 hash value: '), Field(checksum,false), Constant('"')}" -match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%{filename}) has sha1 hash value: %{checksum}\""); +var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%{filename}) has sha1 hash value: %{checksum}\""); var select13 = linear_select([ part44, @@ -1006,8 +912,7 @@ var all19 = all_match({ var msg23 = msg("virus_file-signature", all19); -var part45 = // "Pattern{Field(,false), Constant('MSISDN='), Field(fld3,true), Constant(' resolved='), Field(p0,false)}" -match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); +var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); var all20 = all_match({ processors: [ @@ -1071,74 +976,61 @@ var all21 = all_match({ var msg25 = msg("statistics:01", all21); -var part46 = // "Pattern{Constant('"'), Field(direction,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); +var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); -var part47 = // "Pattern{Field(direction,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); +var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); var select14 = linear_select([ part46, part47, ]); -var part48 = // "Pattern{Constant('"'), Field(subject,false), Constant('" classifier='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); +var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); -var part49 = // "Pattern{Field(subject,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); +var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); var select15 = linear_select([ part48, part49, ]); -var part50 = // "Pattern{Constant('"'), Field(filter,false), Constant('" disposition='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); +var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); -var part51 = // "Pattern{Field(filter,true), Constant(' disposition='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); +var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); var select16 = linear_select([ part50, part51, ]); -var part52 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); +var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); -var part53 = // "Pattern{Field(disposition,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); +var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); var select17 = linear_select([ part52, part53, ]); -var part54 = // "Pattern{Constant('"'), Field(context,false), Constant('" virus='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); +var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); -var part55 = // "Pattern{Field(context,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); +var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); var select18 = linear_select([ part54, part55, ]); -var part56 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/11_0", "nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); +var part56 = match("MESSAGE#25:statistics:02/11_0", "nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); -var part57 = // "Pattern{Field(virusname,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); +var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); var select19 = linear_select([ part56, part57, ]); -var part58 = // "Pattern{Field(fld4,false)}" -match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); +var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); var all22 = all_match({ processors: [ @@ -1170,17 +1062,13 @@ var all22 = all_match({ var msg26 = msg("statistics:02", all22); -var part59 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); +var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); -var part60 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant('] (may be forged)"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); +var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); -var part61 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); +var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); -var part62 = // "Pattern{Constant('['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); +var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); var select20 = linear_select([ part60, @@ -1188,22 +1076,18 @@ var select20 = linear_select([ part62, ]); -var part63 = // "Pattern{Constant('dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); +var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); -var part64 = // "Pattern{Constant(' polid="'), Field(fld5,false), Constant('" domain="'), Field(domain,false), Constant('" subject="'), Field(subject,false), Constant('" mailer="'), Field(agent,false), Constant('" resolved="'), Field(context,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); +var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); -var part65 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); +var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); var select21 = linear_select([ part64, part65, ]); -var part66 = // "Pattern{Field(,false), Constant('direction="'), Field(direction,false), Constant('" virus="'), Field(virusname,false), Constant('" disposition="'), Field(disposition,false), Constant('" classifier="'), Field(filter,false), Constant('" message_length='), Field(fld4,false)}" -match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); +var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); var all23 = all_match({ processors: [ @@ -1227,34 +1111,26 @@ var all23 = all_match({ var msg27 = msg("statistics:03", all23); -var part67 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" client_name='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); +var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); -var part68 = // "Pattern{Field(sessionid,true), Constant(' client_name='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); +var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); var select22 = linear_select([ part67, part68, ]); -var part69 = // "Pattern{Constant('"'), Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']"dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); +var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); -var part70 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); +var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); -var part71 = // "Pattern{Constant('"['), Field(saddr,false), Constant(']"dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); +var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); -var part72 = // "Pattern{Constant('['), Field(saddr,false), Constant(']dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); +var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); -var part73 = // "Pattern{Constant('"'), Field(saddr,false), Constant('"dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); +var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); -var part74 = // "Pattern{Field(saddr,false), Constant('dst_ip='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); +var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); var select23 = linear_select([ part69, @@ -1265,132 +1141,108 @@ var select23 = linear_select([ part74, ]); -var part75 = // "Pattern{Constant('"'), Field(daddr,false), Constant('" from='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); +var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); -var part76 = // "Pattern{Field(daddr,true), Constant(' from='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); +var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); var select24 = linear_select([ part75, part76, ]); -var part77 = // "Pattern{Constant('"'), Field(from,false), Constant('" hfrom='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); +var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); -var part78 = // "Pattern{Field(from,true), Constant(' hfrom='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); +var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); var select25 = linear_select([ part77, part78, ]); -var part79 = // "Pattern{Constant('"'), Field(fld3,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); +var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); -var part80 = // "Pattern{Field(fld3,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); +var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); var select26 = linear_select([ part79, part80, ]); -var part81 = // "Pattern{Constant('"'), Field(to,false), Constant('" polid='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); +var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); -var part82 = // "Pattern{Field(to,true), Constant(' polid='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} polid=%{p0}"); +var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} polid=%{p0}"); var select27 = linear_select([ part81, part82, ]); -var part83 = // "Pattern{Constant('"'), Field(fld5,false), Constant('" domain='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); +var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); -var part84 = // "Pattern{Field(fld5,true), Constant(' domain='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); +var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); var select28 = linear_select([ part83, part84, ]); -var part85 = // "Pattern{Constant('"'), Field(domain,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); +var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); -var part86 = // "Pattern{Field(domain,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); +var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); var select29 = linear_select([ part85, part86, ]); -var part87 = // "Pattern{Constant('"'), Field(subject,false), Constant('" mailer='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); +var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); -var part88 = // "Pattern{Field(subject,true), Constant(' mailer='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); +var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); var select30 = linear_select([ part87, part88, ]); -var part89 = // "Pattern{Constant('"'), Field(agent,false), Constant('" resolved='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); +var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); -var part90 = // "Pattern{Field(agent,true), Constant(' resolved='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); +var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); var select31 = linear_select([ part89, part90, ]); -var part91 = // "Pattern{Constant('"'), Field(context,false), Constant('" direction='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); +var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); -var part92 = // "Pattern{Field(context,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); +var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); var select32 = linear_select([ part91, part92, ]); -var part93 = // "Pattern{Constant('"'), Field(direction,false), Constant('" virus='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); +var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); -var part94 = // "Pattern{Field(direction,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); +var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); var select33 = linear_select([ part93, part94, ]); -var part95 = // "Pattern{Constant('"'), Field(filter,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); +var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); -var part96 = // "Pattern{Field(filter,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); +var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); var select34 = linear_select([ part95, part96, ]); -var part97 = // "Pattern{Constant('"'), Field(fld6,false), Constant('"')}" -match("MESSAGE#27:statistics:04/16_0", "nwparser.p0", "\"%{fld6}\""); +var part97 = match("MESSAGE#27:statistics:04/16_0", "nwparser.p0", "\"%{fld6}\""); -var part98 = // "Pattern{Field(fld6,false)}" -match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); +var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); var select35 = linear_select([ part97, @@ -1472,36 +1324,29 @@ var select36 = linear_select([ msg29, ]); -var part100 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); +var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); -var part101 = // "Pattern{Field(sessionid,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); +var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); var select37 = linear_select([ part100, part101, ]); -var part102 = // "Pattern{Field(,false), Constant('from='), Field(p0,false)}" -match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); +var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); -var part103 = // "Pattern{Constant('"'), Field(to,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); +var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); -var part104 = // "Pattern{Field(to,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); +var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); var select38 = linear_select([ part103, part104, ]); -var part105 = // "Pattern{Constant('"'), Field(subject,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); +var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); -var part106 = // "Pattern{Field(subject,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); +var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); var select39 = linear_select([ part105, @@ -1533,8 +1378,7 @@ var all25 = all_match({ var msg30 = msg("spam", all25); -var part107 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name="'), Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(fld2,false), Constant(')" dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ +var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ dup62, dup8, dup9, @@ -1547,22 +1391,18 @@ match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" cli var msg31 = msg("spam:04", part107); -var part108 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name='), Field(p0,false)}" -match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); +var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); -var part109 = // "Pattern{Constant('"'), Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']" '), Field(p0,false)}" -match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); +var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); -var part110 = // "Pattern{Constant(' "'), Field(fqdn,false), Constant('" client_ip="'), Field(saddr,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); +var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); var select40 = linear_select([ part109, part110, ]); -var part111 = // "Pattern{Field(,false), Constant('dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); +var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); var all26 = all_match({ processors: [ @@ -1584,8 +1424,7 @@ var all26 = all_match({ var msg32 = msg("spam:03", all26); -var part112 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ +var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ dup62, dup8, dup9, @@ -1598,11 +1437,9 @@ match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" fro var msg33 = msg("spam:02", part112); -var part113 = // "Pattern{Constant('"'), Field(to,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#33:spam:01/3_0", "nwparser.p0", "\"%{to}\" msg=%{p0}"); +var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", "\"%{to}\" msg=%{p0}"); -var part114 = // "Pattern{Field(to,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); +var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); var select41 = linear_select([ part113, @@ -1658,146 +1495,99 @@ var chain1 = processor_chain([ }), ]); -var part115 = // "Pattern{Constant('user='), Field(username,true), Constant(' ui='), Field(p0,false)}" -match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); +var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); -var part116 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); +var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); -var part117 = // "Pattern{Field(network_service,true), Constant(' action='), Field(p0,false)}" -match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); +var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); -var part118 = // "Pattern{Constant('"'), Field(event_description,false), Constant('"')}" -match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); +var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); -var part119 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); +var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); -var part120 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); +var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); -var part121 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); +var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); -var part122 = // "Pattern{Field(network_service,false), Constant('('), Field(hostip,false), Constant(') action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); +var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); -var part123 = // "Pattern{Field(network_service,false), Constant('action='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); +var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); -var part124 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); +var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); -var part125 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('"msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); +var part125 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); -var part126 = // "Pattern{Field(sessionid,false), Constant('msg="STARTTLS='), Field(p0,false)}" -match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); +var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); -var part127 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); +var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); -var part128 = // "Pattern{Field(sessionid,true), Constant(' msg='), Field(p0,false)}" -match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); +var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); -var part129 = // "Pattern{Constant('from='), Field(p0,false)}" -match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); +var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); -var part130 = // "Pattern{Constant('"'), Field(from,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); +var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); -var part131 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); +var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); -var part132 = // "Pattern{Constant('"'), Field(to,false), Constant('" src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); +var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); -var part133 = // "Pattern{Field(to,true), Constant(' src='), Field(p0,false)}" -match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); +var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); -var part134 = // "Pattern{Constant('"'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); +var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); -var part135 = // "Pattern{Field(saddr,true), Constant(' session_id='), Field(p0,false)}" -match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); +var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); -var part136 = // "Pattern{Constant('session_id='), Field(p0,false)}" -match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); +var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); -var part137 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); +var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); -var part138 = // "Pattern{Field(sessionid,true), Constant(' from='), Field(p0,false)}" -match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); +var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); -var part139 = // "Pattern{Constant('"'), Field(from,false), Constant('" mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); +var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); -var part140 = // "Pattern{Field(from,true), Constant(' mailer='), Field(p0,false)}" -match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); +var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); -var part141 = // "Pattern{Constant('"'), Field(agent,false), Constant('" client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); +var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); -var part142 = // "Pattern{Field(agent,true), Constant(' client_name="'), Field(p0,false)}" -match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); +var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); -var part143 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(info,false), Constant(')"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); +var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); -var part144 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); +var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); -var part145 = // "Pattern{Field(saddr,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); +var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); -var part146 = // "Pattern{Constant('"'), Field(context,false), Constant('" to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); +var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); -var part147 = // "Pattern{Field(context,true), Constant(' to='), Field(p0,false)}" -match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); +var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); -var part148 = // "Pattern{Constant('"'), Field(to,false), Constant('" direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); +var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); -var part149 = // "Pattern{Field(to,true), Constant(' direction='), Field(p0,false)}" -match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); +var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); -var part150 = // "Pattern{Constant('"'), Field(direction,false), Constant('" message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); +var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); -var part151 = // "Pattern{Field(direction,true), Constant(' message_length='), Field(p0,false)}" -match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); +var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); -var part152 = // "Pattern{Field(fld4,true), Constant(' virus='), Field(p0,false)}" -match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); +var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); -var part153 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); +var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); -var part154 = // "Pattern{Field(virusname,true), Constant(' disposition='), Field(p0,false)}" -match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); +var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); -var part155 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); +var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); -var part156 = // "Pattern{Field(disposition,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); +var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); -var part157 = // "Pattern{Constant('"'), Field(filter,false), Constant('" subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); +var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); -var part158 = // "Pattern{Field(filter,true), Constant(' subject='), Field(p0,false)}" -match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); +var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); -var part159 = // "Pattern{Constant('"'), Field(subject,false), Constant('"')}" -match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); +var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); -var part160 = // "Pattern{Field(subject,false)}" -match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); +var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); -var part161 = // "Pattern{Field(,false), Constant('resolved='), Field(p0,false)}" -match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); +var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); var select43 = linear_select([ dup3, diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js b/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js index ca32adec710..4cb7669b950 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/pipeline.js @@ -124,8 +124,7 @@ var dup23 = lookup({ key: dup15, }); -var hdr1 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' devname='), Field(hdevice,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(id,true), Constant(' type='), Field(hfld2,true), Constant(' subtype='), Field(hfld3,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" -match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.messageid", @@ -137,26 +136,22 @@ match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} devname=%{hde }), ])); -var hdr2 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' log_id='), Field(id,true), Constant(' '), Field(payload,false)}" -match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr3 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' logver='), Field(fld1,true), Constant(' '), Field(payload,false)}" -match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' dtime='), Field(hdatetime,true), Constant(' devid='), Field(hfld2,true), Constant(' devname='), Field(hdevice,true), Constant(' '), Field(payload,false)}" -match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ setc("header_id","0004"), dup2, ])); -var hdr5 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' devname="'), Field(hdevice,false), Constant('" devid="'), Field(hfld2,false), Constant('" '), Field(payload,false)}" -match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ setc("header_id","0005"), dup2, ])); @@ -169,8 +164,7 @@ var select1 = linear_select([ hdr5, ]); -var part1 = // "Pattern{Constant('user='), Field(fld1,true), Constant(' adom='), Field(domain,true), Constant(' user='), Field(username,true), Constant(' ui='), Field(fld2,true), Constant(' action='), Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ +var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ dup3, dup4, dup5, @@ -183,8 +177,7 @@ match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{dom var msg1 = msg("fortinetmgr:01", part1); -var part2 = // "Pattern{Constant('user='), Field(username,true), Constant(' adom='), Field(domain,true), Constant(' msg="'), Field(event_description,false), Constant('"')}" -match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ +var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ dup3, dup4, dup5, @@ -197,42 +190,33 @@ match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{do var msg2 = msg("fortinetmgr", part2); -var part3 = // "Pattern{Constant('user="'), Field(username,false), Constant('" userfrom='), Field(fld7,true), Constant(' msg="'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); +var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); -var part4 = // "Pattern{Constant('User'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); +var part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); -var part5 = // "Pattern{Constant('user'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); +var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); var select2 = linear_select([ part4, part5, ]); -var part6 = // "Pattern{Field(,false), Constant('''), Field(fld3,false), Constant('' with profile ''), Field(fld4,false), Constant('' '), Field(fld5,true), Constant(' from '), Field(fld6,false), Constant('('), Field(hostip,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); +var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); -var part7 = // "Pattern{Constant('."'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); +var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); -var part8 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); +var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); var select3 = linear_select([ part7, part8, ]); -var part9 = // "Pattern{Field(,false), Constant('adminprof='), Field(p0,false)}" -match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); +var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); -var part10 = // "Pattern{Field(fld2,true), Constant(' sid='), Field(sid,true), Constant(' user_type="'), Field(profile,false), Constant('"')}" -match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); +var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); -var part11 = // "Pattern{Field(fld2,false)}" -match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); +var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); var select4 = linear_select([ part10, @@ -268,8 +252,7 @@ var all1 = all_match({ var msg3 = msg("fortinetmgr:04", all1); -var part12 = // "Pattern{Constant('user='), Field(username,true), Constant(' userfrom='), Field(fld4,true), Constant(' msg="'), Field(event_description,false), Constant('" adminprof='), Field(fld2,false)}" -match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ +var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ dup3, dup4, dup5, @@ -282,8 +265,7 @@ match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfr var msg4 = msg("fortinetmgr:02", part12); -var part13 = // "Pattern{Constant('user="'), Field(username,false), Constant('" msg="Login from ssh:'), Field(fld1,true), Constant(' for '), Field(fld2,true), Constant(' from '), Field(saddr,true), Constant(' port '), Field(sport,false), Constant('" remote_ip="'), Field(daddr,false), Constant('" remote_port='), Field(dport,true), Constant(' valid='), Field(fld3,true), Constant(' authmsg="'), Field(result,false), Constant('" extrainfo='), Field(fld5,false)}" -match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ +var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ dup11, dup4, dup5, @@ -302,22 +284,18 @@ match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg= var msg5 = msg("fortinetmgr:03", part13); -var part14 = // "Pattern{Constant('user="'), Field(username,false), Constant('" userfrom="'), Field(fld1,false), Constant('"msg="'), Field(p0,false)}" -match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); +var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); -var part15 = // "Pattern{Constant('dev='), Field(fld2,false), Constant(',vdom='), Field(fld3,false), Constant(',type='), Field(fld4,false), Constant(',key='), Field(fld5,false), Constant(',act='), Field(action,false), Constant(',pkgname='), Field(fld7,false), Constant(',allowaccess='), Field(fld8,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); +var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); -var part16 = // "Pattern{Field(event_description,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); +var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); var select5 = linear_select([ part15, part16, ]); -var part17 = // "Pattern{Field(domain,false), Constant('" adom="')}" -match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); +var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); var all2 = all_match({ processors: [ diff --git a/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js b/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js index 4f4110c94a8..a35f5d2a21f 100644 --- a/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js +++ b/x-pack/filebeat/module/juniper/netscreen/config/pipeline.js @@ -49,14 +49,11 @@ var dup4 = setf("msg","$MSG"); var dup5 = setf("severity","hseverity"); -var dup6 = // "Pattern{Constant('Address '), Field(group_object,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); +var dup6 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); -var dup7 = // "Pattern{Constant('domain address '), Field(domain,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); +var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); -var dup8 = // "Pattern{Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); +var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); var dup9 = date_time({ dest: "event_time", @@ -66,26 +63,19 @@ var dup9 = date_time({ ], }); -var dup10 = // "Pattern{Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); +var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); -var dup11 = // "Pattern{Field(fld1,false)}" -match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); +var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); -var dup12 = // "Pattern{Constant('Address '), Field(p0,false)}" -match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); +var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); -var dup13 = // "Pattern{Constant('MIP('), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); +var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); -var dup14 = // "Pattern{Field(group_object,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); +var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); -var dup15 = // "Pattern{Constant('admin '), Field(p0,false)}" -match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); +var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); -var dup16 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); +var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); var dup17 = setc("eventcategory","1502000000"); @@ -93,25 +83,19 @@ var dup18 = setc("eventcategory","1703000000"); var dup19 = setc("eventcategory","1603000000"); -var dup20 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ')}" -match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); +var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); -var dup21 = // "Pattern{}" -match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); +var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); var dup22 = setc("eventcategory","1502050000"); -var dup23 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); +var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); -var dup24 = // "Pattern{Constant('password '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); +var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); -var dup25 = // "Pattern{Constant('name '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); +var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); -var dup26 = // "Pattern{Field(administrator,false)}" -match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); +var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); var dup27 = setc("eventcategory","1801010000"); @@ -131,8 +115,7 @@ var dup34 = setc("ec_activity","Logoff"); var dup35 = setc("eventcategory","1303000000"); -var dup36 = // "Pattern{Field(disposition,false)}" -match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); +var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); var dup37 = setc("eventcategory","1402020200"); @@ -140,11 +123,9 @@ var dup38 = setc("ec_theme","UserGroup"); var dup39 = setc("ec_outcome","Error"); -var dup40 = // "Pattern{Constant('via '), Field(p0,false)}" -match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); +var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); -var dup41 = // "Pattern{Field(fld1,false), Constant(')')}" -match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); +var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); var dup42 = setc("eventcategory","1402020300"); @@ -152,40 +133,31 @@ var dup43 = setc("ec_activity","Modify"); var dup44 = setc("eventcategory","1605000000"); -var dup45 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); +var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); -var dup46 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); +var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); -var dup47 = // "Pattern{Field(username,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); +var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); -var dup48 = // "Pattern{Constant('NSRP Peer . ('), Field(p0,false)}" -match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); +var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); -var dup49 = // "Pattern{Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); +var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); var dup50 = setc("eventcategory","1701020000"); var dup51 = setc("ec_theme","Configuration"); -var dup52 = // "Pattern{Constant('changed'), Field(p0,false)}" -match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); +var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); var dup53 = setc("eventcategory","1301000000"); var dup54 = setc("ec_outcome","Failure"); -var dup55 = // "Pattern{Constant('The '), Field(p0,false)}" -match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); +var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); -var dup56 = // "Pattern{Constant('interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); +var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); -var dup57 = // "Pattern{Constant('Interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); +var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); var dup58 = setc("eventcategory","1001000000"); @@ -215,68 +187,47 @@ var dup61 = call({ var dup62 = setc("eventcategory","1608010000"); -var dup63 = // "Pattern{Constant('DNS entries have been '), Field(p0,false)}" -match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); +var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); -var dup64 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); +var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); -var dup65 = // "Pattern{Field(zone,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); +var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); -var dup66 = // "Pattern{Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); +var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); -var dup67 = // "Pattern{Constant('int '), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); -var dup68 = // "Pattern{Field(dport,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); +var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); -var dup69 = // "Pattern{Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); +var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); -var dup70 = // "Pattern{Field(space,false), Constant('using protocol '), Field(p0,false)}" -match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); +var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); -var dup71 = // "Pattern{Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); +var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); -var dup72 = // "Pattern{Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); +var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); -var dup73 = // "Pattern{Constant('. '), Field(p0,false)}" -match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); +var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); -var dup74 = // "Pattern{Field(fld2,false), Constant(': SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); +var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); -var dup75 = // "Pattern{Constant('SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); +var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); -var dup76 = // "Pattern{Constant('timeout value '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); +var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); -var dup77 = // "Pattern{Constant('destination '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); +var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); -var dup78 = // "Pattern{Constant('source '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); +var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); -var dup79 = // "Pattern{Constant('A '), Field(p0,false)}" -match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); +var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); -var dup80 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup81 = // "Pattern{Constant(', int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); +var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); -var dup82 = // "Pattern{Constant('int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); +var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); -var dup83 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); var dup84 = setc("eventcategory","1002020000"); @@ -284,176 +235,123 @@ var dup85 = setc("eventcategory","1002000000"); var dup86 = setc("eventcategory","1603110000"); -var dup87 = // "Pattern{Constant('HA '), Field(p0,false)}" -match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); +var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); -var dup88 = // "Pattern{Constant('encryption '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); +var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); -var dup89 = // "Pattern{Constant('authentication '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); +var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); -var dup90 = // "Pattern{Constant('key '), Field(p0,false)}" -match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); +var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); var dup91 = setc("eventcategory","1613040200"); -var dup92 = // "Pattern{Constant('disabled'), Field(,false)}" -match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); +var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); -var dup93 = // "Pattern{Constant('set to '), Field(trigger_val,false)}" -match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); +var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); -var dup94 = // "Pattern{Constant('up'), Field(,false)}" -match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); +var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); -var dup95 = // "Pattern{Constant('down'), Field(,false)}" -match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); +var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); -var dup96 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); +var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); var dup97 = setc("eventcategory","1613050200"); -var dup98 = // "Pattern{Constant('set'), Field(,false)}" -match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); +var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); -var dup99 = // "Pattern{Constant('unset'), Field(,false)}" -match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); +var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); -var dup100 = // "Pattern{Constant('undefined '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); +var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); -var dup101 = // "Pattern{Constant('set '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); +var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); -var dup102 = // "Pattern{Constant('active '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); +var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); -var dup103 = // "Pattern{Constant('to '), Field(p0,false)}" -match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); +var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); -var dup104 = // "Pattern{Constant('created '), Field(p0,false)}" -match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); +var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); -var dup105 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); +var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); -var dup106 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); +var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); -var dup107 = // "Pattern{Constant('was '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); +var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); -var dup108 = // "Pattern{Constant(''), Field(fld2,false)}" -match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); +var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); -var dup109 = // "Pattern{Constant('threshold '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); +var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); -var dup110 = // "Pattern{Constant('interval '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); +var dup110 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); -var dup111 = // "Pattern{Constant('of '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); +var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); -var dup112 = // "Pattern{Constant('that '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); +var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); -var dup113 = // "Pattern{Constant('Zone '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); +var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); -var dup114 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); +var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); -var dup115 = // "Pattern{Constant('n '), Field(p0,false)}" -match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); +var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); -var dup116 = // "Pattern{Constant('.'), Field(,false)}" -match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); +var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); var dup117 = setc("eventcategory","1603090000"); -var dup118 = // "Pattern{Constant('for '), Field(p0,false)}" -match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); +var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); -var dup119 = // "Pattern{Constant('the '), Field(p0,false)}" -match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); +var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); -var dup120 = // "Pattern{Constant('removed '), Field(p0,false)}" -match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); +var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); var dup121 = setc("eventcategory","1603030000"); -var dup122 = // "Pattern{Constant('interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); +var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); -var dup123 = // "Pattern{Constant('the interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); +var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); -var dup124 = // "Pattern{Field(interface,false)}" -match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); +var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); -var dup125 = // "Pattern{Constant('s '), Field(p0,false)}" -match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); +var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); -var dup126 = // "Pattern{Constant('on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); +var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); -var dup127 = // "Pattern{Constant('has been '), Field(p0,false)}" -match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); +var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); -var dup128 = // "Pattern{Constant(''), Field(disposition,false), Constant('.')}" -match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); +var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); -var dup129 = // "Pattern{Constant('removed from '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); +var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); -var dup130 = // "Pattern{Constant('added to '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); +var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); -var dup131 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); +var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); -var dup132 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup133 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); +var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); -var dup134 = // "Pattern{Constant('set to '), Field(fld2,false)}" -match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); +var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); -var dup135 = // "Pattern{Constant('gateway '), Field(p0,false)}" -match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); +var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); -var dup136 = // "Pattern{Field(,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); +var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); -var dup137 = // "Pattern{Constant('port number '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); +var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); -var dup138 = // "Pattern{Constant('has been '), Field(disposition,false)}" -match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); +var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); -var dup139 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); +var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); -var dup140 = // "Pattern{Constant('port '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); +var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); var dup141 = setc("eventcategory","1702030000"); -var dup142 = // "Pattern{Constant('up '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); +var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); -var dup143 = // "Pattern{Constant('down '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); +var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); var dup144 = setc("eventcategory","1601000000"); -var dup145 = // "Pattern{Constant('('), Field(fld1,false), Constant(') ')}" -match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); +var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); var dup146 = date_time({ dest: "event_time", @@ -473,360 +371,251 @@ var dup150 = setc("ec_theme","TEV"); var dup151 = setc("eventcategory","1103010000"); -var dup152 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); +var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); -var dup153 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); +var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); -var dup154 = // "Pattern{Constant('address pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); +var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); -var dup155 = // "Pattern{Constant('pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); +var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); -var dup156 = // "Pattern{Constant('enabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); +var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); -var dup157 = // "Pattern{Constant('disabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); +var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); -var dup158 = // "Pattern{Constant('AH '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); +var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); -var dup159 = // "Pattern{Constant('ESP '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); +var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); -var dup160 = // "Pattern{Constant('Â’'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_0", "nwparser.p0", "Â’%{p0}"); +var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); -var dup161 = // "Pattern{Constant('&'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_1", "nwparser.p0", "\u0026%{p0}"); +var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); -var dup162 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); +var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); -var dup163 = // "Pattern{Constant('Source'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); +var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); -var dup164 = // "Pattern{Constant('Destination'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); +var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); -var dup165 = // "Pattern{Constant('from '), Field(p0,false)}" -match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); +var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); -var dup166 = // "Pattern{Constant('policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); +var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); -var dup167 = // "Pattern{Constant('Attempt to enable '), Field(p0,false)}" -match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); +var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); -var dup168 = // "Pattern{Constant('traffic logging via syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); +var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); -var dup169 = // "Pattern{Constant('syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); +var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); -var dup170 = // "Pattern{Constant('Syslog '), Field(p0,false)}" -match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); +var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); -var dup171 = // "Pattern{Constant('host '), Field(p0,false)}" -match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); +var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); -var dup172 = // "Pattern{Constant('domain name '), Field(p0,false)}" -match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); +var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); -var dup173 = // "Pattern{Constant('has been changed to '), Field(fld2,false)}" -match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); +var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); -var dup174 = // "Pattern{Constant('security facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); +var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); -var dup175 = // "Pattern{Constant('facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); +var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); -var dup176 = // "Pattern{Constant('local0'), Field(,false)}" -match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); +var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); -var dup177 = // "Pattern{Constant('local1'), Field(,false)}" -match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); +var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); -var dup178 = // "Pattern{Constant('local2'), Field(,false)}" -match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); +var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); -var dup179 = // "Pattern{Constant('local3'), Field(,false)}" -match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); +var dup179 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); -var dup180 = // "Pattern{Constant('local4'), Field(,false)}" -match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); +var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); -var dup181 = // "Pattern{Constant('local5'), Field(,false)}" -match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); +var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); -var dup182 = // "Pattern{Constant('local6'), Field(,false)}" -match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); +var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); -var dup183 = // "Pattern{Constant('local7'), Field(,false)}" -match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); +var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); -var dup184 = // "Pattern{Constant('auth/sec'), Field(,false)}" -match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); +var dup184 = setc("eventcategory","1603020000"); -var dup185 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); +var dup185 = setc("eventcategory","1803000000"); -var dup186 = setc("eventcategory","1603020000"); +var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); -var dup187 = setc("eventcategory","1803000000"); +var dup187 = setc("eventcategory","1603010000"); -var dup188 = // "Pattern{Constant('All '), Field(p0,false)}" -match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); +var dup188 = setc("eventcategory","1603100000"); -var dup189 = setc("eventcategory","1603010000"); +var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); -var dup190 = setc("eventcategory","1603100000"); +var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); -var dup191 = // "Pattern{Constant('primary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); +var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); -var dup192 = // "Pattern{Constant('secondary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); +var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); -var dup193 = // "Pattern{Constant('t '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); +var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); -var dup194 = // "Pattern{Constant('w '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); +var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); -var dup195 = // "Pattern{Constant('server '), Field(p0,false)}" -match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); +var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); -var dup196 = // "Pattern{Constant('has '), Field(p0,false)}" -match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); +var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); -var dup197 = // "Pattern{Constant('SCS'), Field(p0,false)}" -match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); +var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); -var dup198 = // "Pattern{Constant('bound to '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); +var dup198 = setc("eventcategory","1801030000"); -var dup199 = // "Pattern{Constant('unbound from '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); +var dup199 = setc("eventcategory","1302010200"); -var dup200 = setc("eventcategory","1801030000"); +var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); -var dup201 = setc("eventcategory","1302010200"); +var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); -var dup202 = // "Pattern{Constant('PKA RSA '), Field(p0,false)}" -match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); +var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); -var dup203 = // "Pattern{Constant('unbind '), Field(p0,false)}" -match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); +var dup203 = setc("eventcategory","1304000000"); -var dup204 = // "Pattern{Constant('PKA key '), Field(p0,false)}" -match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); +var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); -var dup205 = setc("eventcategory","1304000000"); +var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); -var dup206 = // "Pattern{Constant('Multiple login failures '), Field(p0,false)}" -match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); +var dup206 = setc("eventcategory","1401030000"); -var dup207 = // "Pattern{Constant('occurred for '), Field(p0,false)}" -match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); +var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); -var dup208 = setc("eventcategory","1401030000"); +var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); -var dup209 = // "Pattern{Constant('aborted'), Field(,false)}" -match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); +var dup209 = setc("eventcategory","1605020000"); -var dup210 = // "Pattern{Constant('performed'), Field(,false)}" -match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); +var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); -var dup211 = setc("eventcategory","1605020000"); +var dup211 = setc("ec_subject","Certificate"); -var dup212 = // "Pattern{Constant('IP pool of DHCP server on '), Field(p0,false)}" -match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); +var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); -var dup213 = setc("ec_subject","Certificate"); +var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); -var dup214 = // "Pattern{Constant('certificate '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); +var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); -var dup215 = // "Pattern{Constant('CRL '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); +var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); -var dup216 = // "Pattern{Constant('auto '), Field(p0,false)}" -match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); +var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); -var dup217 = // "Pattern{Constant('RSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); +var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); -var dup218 = // "Pattern{Constant('DSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); +var dup218 = setc("ec_subject","CryptoKey"); -var dup219 = // "Pattern{Constant('key pair.'), Field(,false)}" -match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); +var dup219 = setc("ec_subject","Configuration"); -var dup220 = setc("ec_subject","CryptoKey"); +var dup220 = setc("ec_activity","Request"); -var dup221 = setc("ec_subject","Configuration"); +var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); -var dup222 = setc("ec_activity","Request"); +var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); -var dup223 = // "Pattern{Constant('FIPS test for '), Field(p0,false)}" -match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); +var dup223 = setc("eventcategory","1612000000"); -var dup224 = // "Pattern{Constant('ECDSA '), Field(p0,false)}" -match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); +var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); -var dup225 = setc("eventcategory","1612000000"); +var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); -var dup226 = // "Pattern{Constant('yes '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); +var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); -var dup227 = // "Pattern{Constant('no '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); +var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); -var dup228 = // "Pattern{Constant('location '), Field(p0,false)}" -match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); +var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); -var dup229 = // "Pattern{Field(,true), Constant(' '), Field(interface,false)}" -match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); +var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); -var dup230 = // "Pattern{Constant('arp re'), Field(p0,false)}" -match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); +var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); -var dup231 = // "Pattern{Constant('q '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); +var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); -var dup232 = // "Pattern{Constant('ply '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); +var dup232 = setc("eventcategory","1201000000"); -var dup233 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); +var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); -var dup234 = setc("eventcategory","1201000000"); +var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); -var dup235 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" -match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); +var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); -var dup236 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); +var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); -var dup237 = // "Pattern{Constant('NACN Policy Manager '), Field(p0,false)}" -match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); +var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); -var dup238 = // "Pattern{Constant('1 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); +var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); -var dup239 = // "Pattern{Constant('2 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); +var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup240 = // "Pattern{Constant('unset '), Field(p0,false)}" -match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); +var dup240 = setc("eventcategory","1401000000"); -var dup241 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); -var dup242 = setc("eventcategory","1401000000"); +var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); -var dup243 = // "Pattern{Constant('SSH '), Field(p0,false)}" -match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); +var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); -var dup244 = // "Pattern{Constant('SCS: NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); +var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); -var dup245 = // "Pattern{Constant('NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); +var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); -var dup246 = // "Pattern{Constant('S'), Field(p0,false)}" -match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); +var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); -var dup247 = // "Pattern{Constant('CS: SSH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); +var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); -var dup248 = // "Pattern{Constant('SH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); +var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); -var dup249 = // "Pattern{Constant('the root system '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); +var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); -var dup250 = // "Pattern{Constant('vsys '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); +var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); -var dup251 = // "Pattern{Constant('CS: SSH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); +var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); -var dup252 = // "Pattern{Constant('SH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); +var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); -var dup253 = // "Pattern{Constant('a '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); +var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); -var dup254 = // "Pattern{Constant('ert '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); +var dup254 = setc("eventcategory","1608000000"); -var dup255 = // "Pattern{Constant('SSL '), Field(p0,false)}" -match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); +var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); -var dup256 = setc("eventcategory","1608000000"); +var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); -var dup257 = // "Pattern{Constant('id: '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); +var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); -var dup258 = // "Pattern{Constant('ID '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); +var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); -var dup259 = // "Pattern{Constant('permit '), Field(p0,false)}" -match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); +var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); -var dup260 = // "Pattern{Constant('IGMP '), Field(p0,false)}" -match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); +var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); -var dup261 = // "Pattern{Constant('IGMP will '), Field(p0,false)}" -match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); +var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); -var dup262 = // "Pattern{Constant('not do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); +var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); -var dup263 = // "Pattern{Constant('do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); +var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); -var dup264 = // "Pattern{Constant('shut down '), Field(p0,false)}" -match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); +var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); -var dup265 = // "Pattern{Constant('NSRP: '), Field(p0,false)}" -match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); +var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); -var dup266 = // "Pattern{Constant('Unit '), Field(p0,false)}" -match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); +var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var dup267 = // "Pattern{Constant('local unit= '), Field(p0,false)}" -match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); +var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); -var dup268 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); -var dup269 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Sec'), Field(p0,false)}" -match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); +var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); -var dup270 = // "Pattern{Constant('ruity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); +var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); -var dup271 = // "Pattern{Constant('urity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); +var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var dup272 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state')}" -match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); +var dup272 = setc("eventcategory","1805010000"); -var dup273 = // "Pattern{Constant(''), Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var dup273 = setc("eventcategory","1805000000"); -var dup274 = setc("eventcategory","1805010000"); - -var dup275 = setc("eventcategory","1805000000"); - -var dup276 = date_time({ +var dup274 = date_time({ dest: "starttime", args: ["fld2"], fmts: [ @@ -834,7 +623,7 @@ var dup276 = date_time({ ], }); -var dup277 = call({ +var dup275 = call({ dest: "nwparser.bytes", fn: CALC, args: [ @@ -844,13 +633,13 @@ var dup277 = call({ ], }); -var dup278 = setc("action","Deny"); +var dup276 = setc("action","Deny"); -var dup279 = setc("disposition","Deny"); +var dup277 = setc("disposition","Deny"); -var dup280 = setc("direction","outgoing"); +var dup278 = setc("direction","outgoing"); -var dup281 = call({ +var dup279 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -862,36 +651,29 @@ var dup281 = call({ ], }); -var dup282 = setc("direction","incoming"); +var dup280 = setc("direction","incoming"); -var dup283 = setc("eventcategory","1801000000"); +var dup281 = setc("eventcategory","1801000000"); -var dup284 = setf("action","disposition"); +var dup282 = setf("action","disposition"); -var dup285 = // "Pattern{Constant('start_time='), Field(p0,false)}" -match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); +var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); -var dup286 = // "Pattern{Constant('\"'), Field(fld2,false), Constant('\"'), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); +var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); -var dup287 = // "Pattern{Constant(' "'), Field(fld2,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); +var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); -var dup288 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); +var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); -var dup289 = // "Pattern{Constant('Admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); +var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); -var dup290 = // "Pattern{Constant('Vsys admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); +var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); -var dup291 = // "Pattern{Constant('Telnet '), Field(p0,false)}" -match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); +var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); -var dup292 = setc("eventcategory","1401050200"); +var dup290 = setc("eventcategory","1401050200"); -var dup293 = call({ +var dup291 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -901,7 +683,7 @@ var dup293 = call({ ], }); -var dup294 = call({ +var dup292 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -913,117 +695,85 @@ var dup294 = call({ ], }); -var dup295 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); +var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); -var dup296 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); +var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); -var dup297 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.'), Field(p0,false)}" -match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); +var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); -var dup298 = // "Pattern{Field(obj_type,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup299 = setc("eventcategory","1204000000"); +var dup297 = setc("eventcategory","1204000000"); -var dup300 = // "Pattern{Field(signame,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var dup301 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); +var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); -var dup302 = // "Pattern{Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); +var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); -var dup303 = setc("eventcategory","1801020000"); +var dup301 = setc("eventcategory","1801020000"); -var dup304 = setc("disposition","failed"); +var dup302 = setc("disposition","failed"); -var dup305 = // "Pattern{Constant('ut '), Field(p0,false)}" -match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); +var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); -var dup306 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); +var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); -var dup307 = // "Pattern{Constant('user '), Field(p0,false)}" -match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); +var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); -var dup308 = // "Pattern{Constant('the '), Field(logon_type,false)}" -match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); +var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); -var dup309 = // "Pattern{Constant('WebAuth user '), Field(p0,false)}" -match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); +var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); -var dup310 = // "Pattern{Constant('backup1 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); +var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); -var dup311 = // "Pattern{Constant('backup2 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); +var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); -var dup312 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); +var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); -var dup313 = // "Pattern{Constant('assigned '), Field(p0,false)}" -match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); +var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); -var dup314 = // "Pattern{Constant('assigned to '), Field(p0,false)}" -match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); +var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); -var dup315 = setc("eventcategory","1803020000"); +var dup313 = setc("eventcategory","1803020000"); -var dup316 = setc("eventcategory","1613030000"); +var dup314 = setc("eventcategory","1613030000"); -var dup317 = // "Pattern{Constant('''), Field(administrator,false), Constant('' '), Field(p0,false)}" -match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); +var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); -var dup318 = // "Pattern{Constant('SSH: P'), Field(p0,false)}" -match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); +var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); -var dup319 = // "Pattern{Constant('KA '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); +var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); -var dup320 = // "Pattern{Constant('assword '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); +var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); -var dup321 = // "Pattern{Constant('\''), Field(administrator,false), Constant('\' '), Field(p0,false)}" -match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); +var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); -var dup322 = // "Pattern{Constant('at host '), Field(saddr,false)}" -match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); +var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); -var dup323 = // "Pattern{Field(,false), Constant('S'), Field(p0,false)}" -match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); +var dup321 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); -var dup324 = // "Pattern{Constant('CS '), Field(p0,false)}" -match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); +var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); -var dup325 = setc("event_description","Cannot connect to NSM server"); +var dup323 = setc("event_description","Cannot connect to NSM server"); -var dup326 = setc("eventcategory","1603040000"); +var dup324 = setc("eventcategory","1603040000"); -var dup327 = // "Pattern{Constant('from server.ini file.'), Field(,false)}" -match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); +var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); -var dup328 = // "Pattern{Constant('pattern '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); +var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); -var dup329 = // "Pattern{Constant('server.ini '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); +var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); -var dup330 = // "Pattern{Constant('file.'), Field(,false)}" -match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); +var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); -var dup331 = // "Pattern{Constant('AV pattern '), Field(p0,false)}" -match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); +var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); -var dup332 = // "Pattern{Constant('added into '), Field(p0,false)}" -match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); +var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); -var dup333 = // "Pattern{Constant('loader '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); +var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); -var dup334 = call({ +var dup332 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [ @@ -1035,13 +785,12 @@ var dup334 = call({ ], }); -var dup335 = linear_select([ +var dup333 = linear_select([ dup10, dup11, ]); -var dup336 = // "Pattern{Constant('Policy ID='), Field(policy_id,true), Constant(' Rate='), Field(fld2,true), Constant(' exceeds threshold')}" -match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ +var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ dup1, dup2, dup3, @@ -1049,38 +798,37 @@ match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=% dup5, ])); -var dup337 = linear_select([ +var dup335 = linear_select([ dup13, dup14, ]); -var dup338 = linear_select([ +var dup336 = linear_select([ dup15, dup16, ]); -var dup339 = linear_select([ +var dup337 = linear_select([ dup56, dup57, ]); -var dup340 = linear_select([ +var dup338 = linear_select([ dup65, dup66, ]); -var dup341 = linear_select([ +var dup339 = linear_select([ dup68, dup69, ]); -var dup342 = linear_select([ +var dup340 = linear_select([ dup71, dup72, ]); -var dup343 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(interface,false), Constant(')')}" -match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ +var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ dup58, dup2, dup3, @@ -1089,138 +837,135 @@ match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{s dup61, ])); -var dup344 = linear_select([ +var dup342 = linear_select([ dup74, dup75, ]); -var dup345 = linear_select([ +var dup343 = linear_select([ dup81, dup82, ]); -var dup346 = linear_select([ +var dup344 = linear_select([ dup24, dup90, ]); -var dup347 = linear_select([ +var dup345 = linear_select([ dup94, dup95, ]); -var dup348 = linear_select([ +var dup346 = linear_select([ dup98, dup99, ]); -var dup349 = linear_select([ +var dup347 = linear_select([ dup100, dup101, dup102, ]); -var dup350 = linear_select([ +var dup348 = linear_select([ dup113, dup114, ]); -var dup351 = linear_select([ +var dup349 = linear_select([ dup111, dup16, ]); -var dup352 = linear_select([ +var dup350 = linear_select([ dup127, dup107, ]); -var dup353 = linear_select([ +var dup351 = linear_select([ dup8, dup21, ]); -var dup354 = linear_select([ +var dup352 = linear_select([ dup122, dup133, ]); -var dup355 = linear_select([ +var dup353 = linear_select([ dup142, dup143, ]); -var dup356 = linear_select([ +var dup354 = linear_select([ dup145, dup21, ]); -var dup357 = linear_select([ +var dup355 = linear_select([ dup127, dup106, ]); -var dup358 = linear_select([ +var dup356 = linear_select([ dup152, dup96, ]); -var dup359 = linear_select([ +var dup357 = linear_select([ dup154, dup155, ]); -var dup360 = linear_select([ +var dup358 = linear_select([ dup156, dup157, ]); -var dup361 = linear_select([ +var dup359 = linear_select([ dup99, dup134, ]); -var dup362 = linear_select([ +var dup360 = linear_select([ dup158, dup159, ]); -var dup363 = linear_select([ - dup160, +var dup361 = linear_select([ dup161, + dup162, ]); -var dup364 = linear_select([ +var dup362 = linear_select([ dup163, - dup164, -]); - -var dup365 = linear_select([ - dup165, dup103, ]); -var dup366 = linear_select([ - dup164, - dup163, +var dup363 = linear_select([ + dup162, + dup161, ]); -var dup367 = linear_select([ +var dup364 = linear_select([ dup46, dup47, ]); -var dup368 = linear_select([ - dup168, - dup169, +var dup365 = linear_select([ + dup166, + dup167, ]); -var dup369 = linear_select([ - dup174, - dup175, +var dup366 = linear_select([ + dup172, + dup173, ]); -var dup370 = linear_select([ +var dup367 = linear_select([ + dup174, + dup175, dup176, dup177, dup178, @@ -1228,47 +973,44 @@ var dup370 = linear_select([ dup180, dup181, dup182, - dup183, - dup184, ]); -var dup371 = linear_select([ +var dup368 = linear_select([ dup49, dup21, ]); -var dup372 = linear_select([ - dup191, - dup192, +var dup369 = linear_select([ + dup189, + dup190, ]); -var dup373 = linear_select([ +var dup370 = linear_select([ dup96, dup152, ]); -var dup374 = linear_select([ - dup198, - dup199, +var dup371 = linear_select([ + dup196, + dup197, ]); -var dup375 = linear_select([ +var dup372 = linear_select([ dup24, - dup202, + dup200, ]); -var dup376 = linear_select([ +var dup373 = linear_select([ dup103, - dup165, + dup163, ]); -var dup377 = linear_select([ - dup207, +var dup374 = linear_select([ + dup205, dup118, ]); -var dup378 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -1276,88 +1018,87 @@ match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var dup379 = linear_select([ - dup214, +var dup376 = linear_select([ + dup212, + dup213, +]); + +var dup377 = linear_select([ dup215, + dup216, ]); -var dup380 = linear_select([ - dup217, - dup218, +var dup378 = linear_select([ + dup222, + dup215, ]); -var dup381 = linear_select([ +var dup379 = linear_select([ dup224, - dup217, + dup225, ]); -var dup382 = linear_select([ - dup226, - dup227, +var dup380 = linear_select([ + dup231, + dup124, ]); -var dup383 = linear_select([ - dup233, - dup124, +var dup381 = linear_select([ + dup229, + dup230, ]); -var dup384 = linear_select([ - dup231, - dup232, +var dup382 = linear_select([ + dup233, + dup234, ]); -var dup385 = linear_select([ - dup235, +var dup383 = linear_select([ dup236, + dup237, ]); -var dup386 = linear_select([ - dup238, - dup239, +var dup384 = linear_select([ + dup242, + dup243, ]); -var dup387 = linear_select([ - dup244, +var dup385 = linear_select([ dup245, + dup246, ]); -var dup388 = linear_select([ +var dup386 = linear_select([ dup247, dup248, ]); -var dup389 = linear_select([ +var dup387 = linear_select([ dup249, dup250, ]); -var dup390 = linear_select([ +var dup388 = linear_select([ dup251, dup252, ]); -var dup391 = linear_select([ - dup253, - dup254, -]); - -var dup392 = linear_select([ - dup262, - dup263, +var dup389 = linear_select([ + dup260, + dup261, ]); -var dup393 = linear_select([ - dup266, - dup267, +var dup390 = linear_select([ + dup264, + dup265, ]); -var dup394 = linear_select([ - dup270, - dup271, +var dup391 = linear_select([ + dup268, + dup269, ]); -var dup395 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ +var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -1365,18 +1106,17 @@ match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in th dup5, ])); -var dup396 = linear_select([ - dup286, - dup287, +var dup393 = linear_select([ + dup284, + dup285, ]); -var dup397 = linear_select([ - dup289, - dup290, +var dup394 = linear_select([ + dup287, + dup288, ]); -var dup398 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -1386,8 +1126,7 @@ match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var dup399 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to zone '), Field(zone,false), Constant(', proto '), Field(protocol,true), Constant(' (int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup4, dup59, @@ -1398,116 +1137,112 @@ match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var dup400 = linear_select([ - dup302, +var dup397 = linear_select([ + dup300, dup26, ]); -var dup401 = linear_select([ +var dup398 = linear_select([ dup115, - dup305, + dup303, ]); -var dup402 = linear_select([ +var dup399 = linear_select([ dup125, dup96, ]); -var dup403 = linear_select([ - dup191, - dup310, - dup311, +var dup400 = linear_select([ + dup189, + dup308, + dup309, ]); -var dup404 = linear_select([ - dup312, +var dup401 = linear_select([ + dup310, dup16, ]); -var dup405 = linear_select([ - dup319, - dup320, +var dup402 = linear_select([ + dup317, + dup318, ]); -var dup406 = linear_select([ - dup321, - dup317, +var dup403 = linear_select([ + dup319, + dup315, ]); -var dup407 = linear_select([ - dup324, - dup252, +var dup404 = linear_select([ + dup322, + dup250, ]); -var dup408 = linear_select([ +var dup405 = linear_select([ + dup327, dup329, - dup331, ]); -var dup409 = linear_select([ - dup332, +var dup406 = linear_select([ + dup330, dup129, ]); -var dup410 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var dup411 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup60, ])); -var dup412 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var dup413 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup61, ])); -var dup414 = all_match({ +var dup411 = all_match({ processors: [ - dup265, - dup393, - dup268, + dup263, + dup390, + dup266, ], on_success: processor_chain([ dup1, @@ -1518,11 +1253,11 @@ var dup414 = all_match({ ]), }); -var dup415 = all_match({ +var dup412 = all_match({ processors: [ - dup269, - dup394, - dup272, + dup267, + dup391, + dup270, ], on_success: processor_chain([ dup1, @@ -1533,11 +1268,11 @@ var dup415 = all_match({ ]), }); -var dup416 = all_match({ +var dup413 = all_match({ processors: [ dup80, - dup345, - dup295, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -1550,14 +1285,14 @@ var dup416 = all_match({ ]), }); -var dup417 = all_match({ +var dup414 = all_match({ processors: [ - dup298, - dup345, + dup296, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, @@ -1568,14 +1303,14 @@ var dup417 = all_match({ ]), }); -var dup418 = all_match({ +var dup415 = all_match({ processors: [ - dup300, - dup345, + dup298, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, @@ -1586,32 +1321,25 @@ var dup418 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' [No Name]system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr2 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' ['), Field(hvsys,false), Constant(']system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" -match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ setc("header_id","0003"), ])); -var hdr3 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" -match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr4 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); +var hdr4 = match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); -var part1 = // "Pattern{Constant('[No Name]system'), Field(p0,false)}" -match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); +var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); -var part2 = // "Pattern{Constant('['), Field(hvsys,false), Constant(']system'), Field(p0,false)}" -match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); +var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); -var part3 = // "Pattern{Constant('system'), Field(p0,false)}" -match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); +var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); var select1 = linear_select([ part1, @@ -1619,8 +1347,7 @@ var select1 = linear_select([ part3, ]); -var part4 = // "Pattern{Constant('-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); +var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); var all1 = all_match({ processors: [ @@ -1640,8 +1367,7 @@ var select2 = linear_select([ all1, ]); -var part5 = // "Pattern{Field(zone,true), Constant(' address '), Field(interface,true), Constant(' with ip address '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ +var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1651,8 +1377,7 @@ match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} w var msg1 = msg("00001", part5); -var part6 = // "Pattern{Field(zone,true), Constant(' address '), Field(interface,true), Constant(' with domain name '), Field(domain,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ +var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1662,16 +1387,14 @@ match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface-> var msg2 = msg("00001:01", part6); -var part7 = // "Pattern{Constant('ip address '), Field(hostip,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); +var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); var select3 = linear_select([ part7, dup7, ]); -var part8 = // "Pattern{Field(zone,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); +var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); var all2 = all_match({ processors: [ @@ -1690,8 +1413,7 @@ var all2 = all_match({ var msg3 = msg("00001:02", all2); -var part9 = // "Pattern{Constant('arp entry '), Field(hostip,true), Constant(' interface changed!')}" -match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ +var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ dup1, dup2, dup3, @@ -1701,19 +1423,16 @@ match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface var msg4 = msg("00001:03", part9); -var part10 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); +var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); var select4 = linear_select([ part10, dup7, ]); -var part11 = // "Pattern{Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' session'), Field(p0,false)}" -match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); +var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); -var part12 = // "Pattern{Constant('.'), Field(fld1,false)}" -match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); +var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); var select5 = linear_select([ dup8, @@ -1739,13 +1458,12 @@ var all3 = all_match({ var msg5 = msg("00001:04", all3); -var part13 = // "Pattern{Field(fld2,false), Constant(': Address '), Field(group_object,true), Constant(' for ip address '), Field(hostip,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' session '), Field(p0,false)}" -match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); +var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); var all4 = all_match({ processors: [ part13, - dup335, + dup333, ], on_success: processor_chain([ dup1, @@ -1759,8 +1477,7 @@ var all4 = all_match({ var msg6 = msg("00001:05", all4); -var part14 = // "Pattern{Constant('Address group '), Field(group_object,true), Constant(' '), Field(info,false)}" -match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ +var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -1770,20 +1487,18 @@ match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} var msg7 = msg("00001:06", part14); -var msg8 = msg("00001:07", dup336); +var msg8 = msg("00001:07", dup334); -var part15 = // "Pattern{Constant('for IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); +var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); -var part16 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('via NSRP Peer session. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); +var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); var all5 = all_match({ processors: [ dup12, - dup337, + dup335, part15, - dup338, + dup336, part16, ], on_success: processor_chain([ @@ -1798,13 +1513,12 @@ var all5 = all_match({ var msg9 = msg("00001:08", all5); -var part17 = // "Pattern{Constant('for IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' session. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})"); +var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})"); var all6 = all_match({ processors: [ dup12, - dup337, + dup335, part17, ], on_success: processor_chain([ @@ -1832,8 +1546,7 @@ var select6 = linear_select([ msg10, ]); -var part18 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ +var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1843,8 +1556,7 @@ match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} var msg11 = msg("00002:03", part18); -var part19 = // "Pattern{Constant('E-mail address '), Field(user_address,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ +var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1854,8 +1566,7 @@ match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address- var msg12 = msg("00002:04", part19); -var part20 = // "Pattern{Constant('E-mail notification has been '), Field(disposition,false)}" -match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ +var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1865,8 +1576,7 @@ match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been % var msg13 = msg("00002:05", part20); -var part21 = // "Pattern{Constant('Inclusion of traffic logs with e-mail notification of event alarms has been '), Field(disposition,false)}" -match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ +var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1876,8 +1586,7 @@ match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with var msg14 = msg("00002:06", part21); -var part22 = // "Pattern{Constant('LCD display has been '), Field(action,true), Constant(' and the LCD control keys have been '), Field(disposition,false)}" -match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ +var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1887,8 +1596,7 @@ match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action- var msg15 = msg("00002:07", part22); -var part23 = // "Pattern{Constant('HTTP component blocking for '), Field(fld2,true), Constant(' is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup4, @@ -1898,8 +1606,7 @@ match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{ var msg16 = msg("00002:55", part23); -var part24 = // "Pattern{Constant('LCD display has been '), Field(disposition,false)}" -match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ +var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1909,8 +1616,7 @@ match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposi var msg17 = msg("00002:08", part24); -var part25 = // "Pattern{Constant('LCD control keys have been '), Field(disposition,false)}" -match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ +var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1920,8 +1626,7 @@ match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{d var msg18 = msg("00002:09", part25); -var part26 = // "Pattern{Constant('Mail server '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ +var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -1931,8 +1636,7 @@ match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has be var msg19 = msg("00002:10", part26); -var part27 = // "Pattern{Constant('Management restriction for '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ +var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ dup17, dup2, dup3, @@ -1942,8 +1646,7 @@ match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{h var msg20 = msg("00002:11", part27); -var part28 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to default port '), Field(change_new,false)}" -match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ +var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -1953,8 +1656,7 @@ match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been var msg21 = msg("00002:12", part28); -var part29 = // "Pattern{Constant('System configuration has been '), Field(disposition,false)}" -match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ +var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ dup18, dup2, dup3, @@ -1964,24 +1666,20 @@ match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been var msg22 = msg("00002:15", part29); -var msg23 = msg("00002:17", dup336); +var msg23 = msg("00002:17", dup334); -var part30 = // "Pattern{Constant('Unexpected error from e'), Field(p0,false)}" -match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); +var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); -var part31 = // "Pattern{Constant('-mail '), Field(p0,false)}" -match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); +var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); -var part32 = // "Pattern{Constant('mail '), Field(p0,false)}" -match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); +var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); var select7 = linear_select([ part31, part32, ]); -var part33 = // "Pattern{Constant('server('), Field(fld2,false), Constant('):')}" -match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); +var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); var all7 = all_match({ processors: [ @@ -2000,8 +1698,7 @@ var all7 = all_match({ var msg24 = msg("00002:18", all7); -var part34 = // "Pattern{Constant('Web Admin '), Field(change_attribute,true), Constant(' value has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -2011,11 +1708,9 @@ match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute-> var msg25 = msg("00002:19", part34); -var part35 = // "Pattern{Constant('Root admin password restriction of minimum '), Field(fld2,true), Constant(' characters has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); +var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); -var part36 = // "Pattern{Constant('from Console '), Field(,false)}" -match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); +var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); var select8 = linear_select([ part36, @@ -2039,11 +1734,9 @@ var all8 = all_match({ var msg26 = msg("00002:20", all8); -var part37 = // "Pattern{Constant('Root admin '), Field(p0,false)}" -match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); +var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); -var part38 = // "Pattern{Field(fld2,true), Constant(' admin '), Field(p0,false)}" -match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); +var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); var select9 = linear_select([ part37, @@ -2055,8 +1748,7 @@ var select10 = linear_select([ dup25, ]); -var part39 = // "Pattern{Constant('has been changed by admin '), Field(administrator,false)}" -match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); +var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); var all9 = all_match({ processors: [ @@ -2076,14 +1768,11 @@ var all9 = all_match({ var msg27 = msg("00002:21", all9); -var part40 = // "Pattern{Field(change_attribute,true), Constant(' from '), Field(protocol,true), Constant(' before administrative session disconnects has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); +var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); -var part41 = // "Pattern{Field(administrator,true), Constant(' from Console')}" -match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); +var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); -var part42 = // "Pattern{Field(administrator,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}"); +var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}"); var select11 = linear_select([ part41, @@ -2107,11 +1796,9 @@ var all10 = all_match({ var msg28 = msg("00002:22", all10); -var part43 = // "Pattern{Constant('Root admin access restriction through console only has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); +var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); -var part44 = // "Pattern{Constant('from Console'), Field(,false)}" -match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); +var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); var select12 = linear_select([ dup20, @@ -2135,14 +1822,11 @@ var all11 = all_match({ var msg29 = msg("00002:23", all11); -var part45 = // "Pattern{Constant('Admin access restriction of '), Field(protocol,true), Constant(' administration through tunnel only has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); +var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); -var part46 = // "Pattern{Constant('host '), Field(saddr,false)}" -match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); +var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); -var part47 = // "Pattern{Constant('Console'), Field(,false)}" -match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); +var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); var select13 = linear_select([ part46, @@ -2165,8 +1849,7 @@ var all12 = all_match({ var msg30 = msg("00002:24", all12); -var part48 = // "Pattern{Constant('Admin AUTH: Local instance of an '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ setc("eventcategory","1402000000"), dup2, dup3, @@ -2176,8 +1859,7 @@ match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of var msg31 = msg("00002:25", part48); -var part49 = // "Pattern{Constant('Cannot connect to e-mail server '), Field(hostip,false), Constant('.')}" -match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ +var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ dup27, dup2, dup3, @@ -2187,8 +1869,7 @@ match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail serve var msg32 = msg("00002:26", part49); -var part50 = // "Pattern{Constant('Mail server is not configured.'), Field(,false)}" -match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ +var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ dup18, dup2, dup3, @@ -2198,8 +1879,7 @@ match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured. var msg33 = msg("00002:27", part50); -var part51 = // "Pattern{Constant('Mail recipients were not configured.'), Field(,false)}" -match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ +var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ dup18, dup2, dup3, @@ -2209,8 +1889,7 @@ match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not confi var msg34 = msg("00002:28", part51); -var part52 = // "Pattern{Constant('Single use password restriction for read-write administrators has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ +var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -2220,8 +1899,7 @@ match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restrictio var msg35 = msg("00002:29", part52); -var part53 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ +var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ dup28, dup29, dup30, @@ -2235,8 +1913,7 @@ match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\ var msg36 = msg("00002:30", part53); -var part54 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged out for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ +var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ dup33, dup29, dup34, @@ -2248,8 +1925,7 @@ match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\ var msg37 = msg("00002:41", part54); -var part55 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,true), Constant(' '), Field(space,true), Constant(' ('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ +var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ dup35, dup29, dup30, @@ -2262,19 +1938,16 @@ match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\ var msg38 = msg("00002:31", part55); -var part56 = // "Pattern{Constant('E-mail notification '), Field(p0,false)}" -match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); +var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); -var part57 = // "Pattern{Constant('Transparent virutal '), Field(p0,false)}" -match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); +var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); var select14 = linear_select([ part56, part57, ]); -var part58 = // "Pattern{Constant('wire mode has been '), Field(disposition,false)}" -match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); +var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); var all13 = all_match({ processors: [ @@ -2292,8 +1965,7 @@ var all13 = all_match({ var msg39 = msg("00002:32", all13); -var part59 = // "Pattern{Constant('Malicious URL '), Field(url,true), Constant(' has been '), Field(disposition,true), Constant(' for zone '), Field(zone,false)}" -match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ +var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ dup1, dup2, dup3, @@ -2303,22 +1975,18 @@ match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has bee var msg40 = msg("00002:35", part59); -var part60 = // "Pattern{Constant('Bypass'), Field(p0,false)}" -match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); +var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); -var part61 = // "Pattern{Constant('-others-IPSec '), Field(p0,false)}" -match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); +var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); -var part62 = // "Pattern{Constant(' non-IP traffic '), Field(p0,false)}" -match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); +var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); var select15 = linear_select([ part61, part62, ]); -var part63 = // "Pattern{Constant('option has been '), Field(disposition,false)}" -match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); +var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); var all14 = all_match({ processors: [ @@ -2337,20 +2005,15 @@ var all14 = all_match({ var msg41 = msg("00002:36", all14); -var part64 = // "Pattern{Constant('Logging of '), Field(p0,false)}" -match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); +var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); -var part65 = // "Pattern{Constant('dropped '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); +var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); -var part66 = // "Pattern{Constant('IKE '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); +var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); -var part67 = // "Pattern{Constant('SNMP '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); +var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); -var part68 = // "Pattern{Constant('ICMP '), Field(p0,false)}" -match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); +var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); var select16 = linear_select([ part65, @@ -2359,8 +2022,7 @@ var select16 = linear_select([ part68, ]); -var part69 = // "Pattern{Constant('traffic to self has been '), Field(disposition,false)}" -match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); +var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); var all15 = all_match({ processors: [ @@ -2379,11 +2041,9 @@ var all15 = all_match({ var msg42 = msg("00002:37", all15); -var part70 = // "Pattern{Constant('Logging of dropped traffic to self (excluding multicast) has been '), Field(p0,false)}" -match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); +var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); -var part71 = // "Pattern{Field(disposition,true), Constant(' on '), Field(zone,false)}" -match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); +var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); var select17 = linear_select([ part71, @@ -2406,8 +2066,7 @@ var all16 = all_match({ var msg43 = msg("00002:38", all16); -var part72 = // "Pattern{Constant('Traffic shaping is '), Field(disposition,false)}" -match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ +var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -2417,8 +2076,7 @@ match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{dispositi var msg44 = msg("00002:39", part72); -var part73 = // "Pattern{Constant('Admin account created for ''), Field(username,false), Constant('' by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ +var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ dup37, dup29, setc("ec_activity","Create"), @@ -2432,8 +2090,7 @@ match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{u var msg45 = msg("00002:40", part73); -var part74 = // "Pattern{Constant('ADMIN AUTH: Privilege requested for unknown user '), Field(username,false), Constant('. Possible HA syncronization problem.')}" -match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([ +var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([ dup35, dup31, dup39, @@ -2445,25 +2102,20 @@ match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requeste var msg46 = msg("00002:44", part74); -var part75 = // "Pattern{Field(change_attribute,true), Constant(' for account ''), Field(change_old,false), Constant('' has been '), Field(disposition,true), Constant(' to ''), Field(change_new,false), Constant('' '), Field(p0,false)}" -match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); +var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); -var part76 = // "Pattern{Constant('by '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); +var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); var select18 = linear_select([ part76, dup40, ]); -var part77 = // "Pattern{Constant(''), Field(logon_type,true), Constant(' from host '), Field(p0,false)}" -match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); +var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); -var part78 = // "Pattern{Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); +var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); -var part79 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); +var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); var select19 = linear_select([ part78, @@ -2492,22 +2144,18 @@ var all17 = all_match({ var msg47 = msg("00002:42", all17); -var part80 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); +var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); -var part81 = // "Pattern{Constant('''), Field(username,false), Constant('''), Field(p0,false)}" -match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); +var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); -var part82 = // "Pattern{Constant('"'), Field(username,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); +var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); var select20 = linear_select([ part81, part82, ]); -var part83 = // "Pattern{Field(,false), Constant('by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); +var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); var all18 = all_match({ processors: [ @@ -2530,8 +2178,7 @@ var all18 = all_match({ var msg48 = msg("00002:43", all18); -var part84 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for "'), Field(username,false), Constant('" by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ +var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ dup42, dup29, dup43, @@ -2545,8 +2192,7 @@ match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} var msg49 = msg("00002:50", part84); -var part85 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for "'), Field(username,false), Constant('" by '), Field(administrator,true), Constant(' '), Field(fld2,true), Constant(' via '), Field(logon_type,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ +var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ dup42, dup29, dup43, @@ -2560,8 +2206,7 @@ match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} var msg50 = msg("00002:51", part85); -var part86 = // "Pattern{Constant('Extraneous exit is issued by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ +var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -2572,20 +2217,15 @@ match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by % var msg51 = msg("00002:45", part86); -var part87 = // "Pattern{Constant('Ping of Death attack protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); +var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); -var part88 = // "Pattern{Constant('Src Route IP option filtering '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); +var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); -var part89 = // "Pattern{Constant('Teardrop attack protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); +var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); -var part90 = // "Pattern{Constant('Land attack protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); +var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); -var part91 = // "Pattern{Constant('SYN flood protection '), Field(p0,false)}" -match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); +var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); var select21 = linear_select([ part87, @@ -2595,8 +2235,7 @@ var select21 = linear_select([ part91, ]); -var part92 = // "Pattern{Constant('is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})"); +var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})"); var all19 = all_match({ processors: [ @@ -2615,25 +2254,20 @@ var all19 = all_match({ var msg52 = msg("00002:47", all19); -var part93 = // "Pattern{Constant('Dropping pkts if not '), Field(p0,false)}" -match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); +var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); -var part94 = // "Pattern{Constant('exactly same with incoming if '), Field(p0,false)}" -match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); +var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); -var part95 = // "Pattern{Constant('in route table '), Field(p0,false)}" -match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); +var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); var select22 = linear_select([ part94, part95, ]); -var part96 = // "Pattern{Constant('(IP spoof protection) is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); +var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); -var part97 = // "Pattern{Constant('NSRP Peer. ('), Field(p0,false)}" -match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); +var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); var select23 = linear_select([ part97, @@ -2660,20 +2294,15 @@ var all20 = all_match({ var msg53 = msg("00002:48", all20); -var part98 = // "Pattern{Field(signame,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); +var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); -var part99 = // "Pattern{Constant('protection'), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); +var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); -var part100 = // "Pattern{Constant('limiting'), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); +var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); -var part101 = // "Pattern{Constant('detection'), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); +var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); -var part102 = // "Pattern{Constant('filtering '), Field(p0,false)}" -match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); +var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); var select24 = linear_select([ part99, @@ -2682,11 +2311,9 @@ var select24 = linear_select([ part102, ]); -var part103 = // "Pattern{Field(,false), Constant('is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); +var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); -var part104 = // "Pattern{Constant('admin via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); +var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); var select25 = linear_select([ dup46, @@ -2720,8 +2347,7 @@ var all21 = all_match({ var msg54 = msg("00002:52", all21); -var part105 = // "Pattern{Constant('Admin password for account "'), Field(username,false), Constant('" has been '), Field(disposition,true), Constant(' by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ +var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ dup42, dup43, dup38, @@ -2734,14 +2360,11 @@ match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"% var msg55 = msg("00002:53", part105); -var part106 = // "Pattern{Constant('Traffic shaping clearing DSCP selector is turned O'), Field(p0,false)}" -match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); +var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); -var part107 = // "Pattern{Constant('FF'), Field(p0,false)}" -match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); +var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); -var part108 = // "Pattern{Constant('N'), Field(p0,false)}" -match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); +var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); var select27 = linear_select([ part107, @@ -2768,19 +2391,16 @@ var all22 = all_match({ var msg56 = msg("00002:54", all22); -var part109 = // "Pattern{Field(change_attribute,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); +var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); -var part110 = // "Pattern{Constant('has been changed'), Field(p0,false)}" -match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); +var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); var select28 = linear_select([ part110, dup52, ]); -var part111 = // "Pattern{Field(,false), Constant('from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); +var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); var all23 = all_match({ processors: [ @@ -2799,8 +2419,7 @@ var all23 = all_match({ var msg57 = msg("00002", all23); -var part112 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' failed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([ +var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([ dup53, dup9, dup2, @@ -2862,8 +2481,7 @@ var select29 = linear_select([ msg58, ]); -var part113 = // "Pattern{Constant('Multiple authentication failures have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ +var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ dup53, dup31, dup54, @@ -2875,8 +2493,7 @@ match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures var msg59 = msg("00003", part113); -var part114 = // "Pattern{Constant('Multiple authentication failures have been detected!'), Field(,false)}" -match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ +var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ dup53, dup31, dup54, @@ -2888,8 +2505,7 @@ match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failur var msg60 = msg("00003:01", part114); -var part115 = // "Pattern{Constant('The console debug buffer has been '), Field(disposition,false)}" -match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ +var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2899,8 +2515,7 @@ match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has b var msg61 = msg("00003:02", part115); -var part116 = // "Pattern{Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ +var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ dup44, dup2, dup3, @@ -2910,19 +2525,16 @@ match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed var msg62 = msg("00003:03", part116); -var part117 = // "Pattern{Constant('serial'), Field(p0,false)}" -match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); +var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); -var part118 = // "Pattern{Constant('local'), Field(p0,false)}" -match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); +var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); var select30 = linear_select([ part117, part118, ]); -var part119 = // "Pattern{Field(,false), Constant('console has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false), Constant('.')}" -match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}."); +var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}."); var all24 = all_match({ processors: [ @@ -2949,8 +2561,7 @@ var select31 = linear_select([ msg63, ]); -var part120 = // "Pattern{Field(info,false), Constant('DNS server IP has been changed')}" -match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ +var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ dup44, dup2, dup3, @@ -2960,8 +2571,7 @@ match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been cha var msg64 = msg("00004", part120); -var part121 = // "Pattern{Constant('DNS cache table has been '), Field(disposition,false)}" -match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ +var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2971,8 +2581,7 @@ match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{dis var msg65 = msg("00004:01", part121); -var part122 = // "Pattern{Constant('Daily DNS lookup has been '), Field(disposition,false)}" -match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ +var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2982,8 +2591,7 @@ match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{di var msg66 = msg("00004:02", part122); -var part123 = // "Pattern{Constant('Daily DNS lookup time has been '), Field(disposition,false)}" -match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ +var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -2993,16 +2601,14 @@ match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been var msg67 = msg("00004:03", part123); -var part124 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); +var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); -var part125 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' '), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); +var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); var all25 = all_match({ processors: [ part124, - dup339, + dup337, part125, ], on_success: processor_chain([ @@ -3018,8 +2624,7 @@ var all25 = all_match({ var msg68 = msg("00004:04", all25); -var part126 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,false)}" -match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ +var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ dup58, dup2, dup4, @@ -3030,8 +2635,7 @@ match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{s var msg69 = msg("00004:05", part126); -var part127 = // "Pattern{Constant('DNS lookup time has been changed to start at '), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' with an interval of '), Field(fld4,false)}" -match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ +var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ dup1, dup2, dup3, @@ -3041,8 +2645,7 @@ match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been chang var msg70 = msg("00004:06", part127); -var part128 = // "Pattern{Constant('DNS cache table entries have been refreshed as result of external event.'), Field(,false)}" -match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ +var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ dup44, dup2, dup3, @@ -3052,8 +2655,7 @@ match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have b var msg71 = msg("00004:07", part128); -var part129 = // "Pattern{Constant('DNS Proxy module has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ +var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -3063,8 +2665,7 @@ match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{di var msg72 = msg("00004:08", part129); -var part130 = // "Pattern{Constant('DNS Proxy module has more concurrent client requests than allowed.'), Field(,false)}" -match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ +var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ dup62, dup2, dup3, @@ -3074,8 +2675,7 @@ match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more conc var msg73 = msg("00004:09", part130); -var part131 = // "Pattern{Constant('DNS Proxy server select table entries exceeded maximum limit.'), Field(,false)}" -match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ +var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ dup62, dup2, dup3, @@ -3085,8 +2685,7 @@ match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table var msg74 = msg("00004:10", part131); -var part132 = // "Pattern{Constant('Proxy server select table added with domain '), Field(domain,false), Constant(', interface '), Field(interface,false), Constant(', primary-ip '), Field(fld2,false), Constant(', secondary-ip '), Field(fld3,false), Constant(', tertiary-ip '), Field(fld4,false), Constant(', failover '), Field(disposition,false)}" -match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ +var part132 = match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3096,8 +2695,7 @@ match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table adde var msg75 = msg("00004:11", part132); -var part133 = // "Pattern{Constant('DNS Proxy server select table entry '), Field(disposition,true), Constant(' with domain '), Field(domain,false)}" -match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ +var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ dup1, dup2, dup3, @@ -3107,8 +2705,7 @@ match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table var msg76 = msg("00004:12", part133); -var part134 = // "Pattern{Constant('DDNS server '), Field(domain,true), Constant(' returned incorrect ip '), Field(fld2,false), Constant(', local-ip should be '), Field(fld3,false)}" -match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ +var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ dup19, dup2, dup3, @@ -3118,11 +2715,9 @@ match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} return var msg77 = msg("00004:13", part134); -var part135 = // "Pattern{Constant('automatically refreshed '), Field(p0,false)}" -match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); +var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); -var part136 = // "Pattern{Constant('refreshed by HA '), Field(p0,false)}" -match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); +var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); var select32 = linear_select([ part135, @@ -3147,8 +2742,7 @@ var all26 = all_match({ var msg78 = msg("00004:14", all26); -var part137 = // "Pattern{Constant('DNS entries have been refreshed as result of DNS server address change. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ +var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -3159,8 +2753,7 @@ match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshe var msg79 = msg("00004:15", part137); -var part138 = // "Pattern{Constant('DNS entries have been manually refreshed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([ +var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -3174,7 +2767,7 @@ var msg80 = msg("00004:16", part138); var all27 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -3212,8 +2805,7 @@ var select33 = linear_select([ msg81, ]); -var part139 = // "Pattern{Field(signame,true), Constant(' alarm threshold from the same source has been changed to '), Field(trigger_val,false)}" -match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ +var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ dup1, dup2, dup3, @@ -3223,8 +2815,7 @@ match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from var msg82 = msg("00005", part139); -var part140 = // "Pattern{Constant('Logging of '), Field(fld2,true), Constant(' traffic to self has been '), Field(disposition,false)}" -match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ +var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3234,8 +2825,7 @@ match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic t var msg83 = msg("00005:01", part140); -var part141 = // "Pattern{Constant('SYN flood '), Field(fld2,true), Constant(' has been changed to '), Field(fld3,false)}" -match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ +var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ dup1, dup2, dup3, @@ -3245,29 +2835,25 @@ match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been c var msg84 = msg("00005:02", part141); -var part142 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(p0,false)}" -match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); +var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); -var part143 = // "Pattern{Field(fld99,false), Constant('interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); +var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); -var part144 = // "Pattern{Constant('in zone '), Field(zone,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}"); +var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}"); var select34 = linear_select([ part144, dup73, ]); -var part145 = // "Pattern{Constant(''), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); +var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); var all28 = all_match({ processors: [ part142, - dup341, + dup339, dup70, - dup342, + dup340, part143, select34, part145, @@ -3285,10 +2871,9 @@ var all28 = all_match({ var msg85 = msg("00005:03", all28); -var msg86 = msg("00005:04", dup343); +var msg86 = msg("00005:04", dup341); -var part146 = // "Pattern{Constant('SYN flood drop pak in '), Field(fld2,true), Constant(' mode when receiving unknown dst mac has been '), Field(disposition,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ +var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ setc("eventcategory","1001020100"), dup2, dup3, @@ -3298,12 +2883,11 @@ match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2-> var msg87 = msg("00005:05", part146); -var part147 = // "Pattern{Constant('flood timeout has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); +var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); var all29 = all_match({ processors: [ - dup344, + dup342, part147, ], on_success: processor_chain([ @@ -3317,20 +2901,15 @@ var all29 = all_match({ var msg88 = msg("00005:06", all29); -var part148 = // "Pattern{Constant('SYN flood '), Field(p0,false)}" -match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); +var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); -var part149 = // "Pattern{Constant('alarm threshold '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); +var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); -var part150 = // "Pattern{Constant('packet queue size '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); +var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); -var part151 = // "Pattern{Constant('attack threshold '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); +var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); -var part152 = // "Pattern{Constant('same source IP threshold '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); +var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); var select35 = linear_select([ part149, @@ -3340,8 +2919,7 @@ var select35 = linear_select([ part152, ]); -var part153 = // "Pattern{Constant('is set to '), Field(trigger_val,false), Constant('.')}" -match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); +var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); var all30 = all_match({ processors: [ @@ -3360,20 +2938,18 @@ var all30 = all_match({ var msg89 = msg("00005:07", all30); -var part154 = // "Pattern{Constant('flood same '), Field(p0,false)}" -match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); +var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); var select36 = linear_select([ dup77, dup78, ]); -var part155 = // "Pattern{Constant('ip threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); +var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); var all31 = all_match({ processors: [ - dup344, + dup342, part154, select36, part155, @@ -3389,8 +2965,7 @@ var all31 = all_match({ var msg90 = msg("00005:08", all31); -var part156 = // "Pattern{Constant('Screen service '), Field(service,true), Constant(' is '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ +var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ dup1, dup2, dup3, @@ -3400,8 +2975,7 @@ match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is var msg91 = msg("00005:09", part156); -var part157 = // "Pattern{Constant('Screen service '), Field(service,true), Constant(' is '), Field(disposition,true), Constant(' on '), Field(zone,false)}" -match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ +var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ dup1, dup2, dup3, @@ -3411,23 +2985,17 @@ match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is var msg92 = msg("00005:10", part157); -var part158 = // "Pattern{Constant('The SYN flood '), Field(p0,false)}" -match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); +var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); -var part159 = // "Pattern{Constant('alarm threshold'), Field(,false)}" -match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); +var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); -var part160 = // "Pattern{Constant('packet queue size'), Field(,false)}" -match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); +var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); -var part161 = // "Pattern{Constant('timeout value'), Field(,false)}" -match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); +var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); -var part162 = // "Pattern{Constant('attack threshold'), Field(,false)}" -match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); +var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); -var part163 = // "Pattern{Constant('same source IP'), Field(,false)}" -match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); +var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); var select37 = linear_select([ part159, @@ -3453,8 +3021,7 @@ var all32 = all_match({ var msg93 = msg("00005:11", all32); -var part164 = // "Pattern{Constant('The SYN-ACK-ACK proxy threshold value has been set to '), Field(trigger_val,true), Constant(' on '), Field(interface,false), Constant('.')}" -match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ +var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ dup1, dup2, dup3, @@ -3464,8 +3031,7 @@ match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshol var msg94 = msg("00005:12", part164); -var part165 = // "Pattern{Constant('The session limit threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ +var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -3475,8 +3041,7 @@ match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold ha var msg95 = msg("00005:13", part165); -var part166 = // "Pattern{Constant('syn proxy drop packet with unknown mac!'), Field(,false)}" -match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ +var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ dup19, dup2, dup3, @@ -3486,8 +3051,7 @@ match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unk var msg96 = msg("00005:14", part166); -var part167 = // "Pattern{Field(signame,true), Constant(' alarm threshold has been changed to '), Field(trigger_val,false)}" -match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ +var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ dup1, dup2, dup3, @@ -3497,8 +3061,7 @@ match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold h var msg97 = msg("00005:15", part167); -var part168 = // "Pattern{Field(signame,true), Constant(' threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" -match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ +var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -3508,19 +3071,16 @@ match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has bee var msg98 = msg("00005:16", part168); -var part169 = // "Pattern{Constant('destination-based '), Field(p0,false)}" -match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); +var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); -var part170 = // "Pattern{Constant('source-based '), Field(p0,false)}" -match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); +var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); var select38 = linear_select([ part169, part170, ]); -var part171 = // "Pattern{Constant('session-limit threshold has been set at '), Field(trigger_val,true), Constant(' in zone '), Field(zone,false), Constant('.')}" -match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); +var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); var all33 = all_match({ processors: [ @@ -3542,7 +3102,7 @@ var msg99 = msg("00005:17", all33); var all34 = all_match({ processors: [ dup80, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -3559,8 +3119,7 @@ var all34 = all_match({ var msg100 = msg("00005:18", all34); -var part172 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ dup84, dup2, dup3, @@ -3572,8 +3131,7 @@ match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{s var msg101 = msg("00005:19", part172); -var part173 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' int '), Field(interface,false), Constant(').'), Field(space,true), Constant(' Occurred '), Field(fld2,true), Constant(' times. ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" -match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ +var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ dup84, dup9, dup2, @@ -3608,8 +3166,7 @@ var select39 = linear_select([ msg102, ]); -var part174 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup85, dup2, dup3, @@ -3621,8 +3178,7 @@ match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! var msg103 = msg("00006", part174); -var part175 = // "Pattern{Constant('Hostname set to "'), Field(hostname,false), Constant('"')}" -match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ +var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ dup1, dup2, dup3, @@ -3632,8 +3188,7 @@ match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname} var msg104 = msg("00006:01", part175); -var part176 = // "Pattern{Constant('Domain set to '), Field(domain,false)}" -match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ +var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ dup1, dup2, dup3, @@ -3643,8 +3198,7 @@ match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", pro var msg105 = msg("00006:02", part176); -var part177 = // "Pattern{Constant('An optional ScreenOS feature has been activated via a software key.'), Field(,false)}" -match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ +var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ dup1, dup2, dup3, @@ -3654,13 +3208,12 @@ match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature var msg106 = msg("00006:03", part177); -var part178 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); +var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); var all35 = all_match({ processors: [ part178, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -3680,7 +3233,7 @@ var msg107 = msg("00006:04", all35); var all36 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -3706,8 +3259,7 @@ var select40 = linear_select([ msg108, ]); -var part179 = // "Pattern{Constant('HA cluster ID has been changed to '), Field(fld2,false)}" -match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ +var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -3717,8 +3269,7 @@ match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed t var msg109 = msg("00007", part179); -var part180 = // "Pattern{Field(change_attribute,true), Constant(' of the local NetScreen device has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ +var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -3728,14 +3279,11 @@ match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the var msg110 = msg("00007:01", part180); -var part181 = // "Pattern{Constant('HA state of the local device has changed to backup because a device with a '), Field(p0,false)}" -match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); +var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); -var part182 = // "Pattern{Constant('higher priority has been detected'), Field(,false)}" -match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); +var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); -var part183 = // "Pattern{Constant('lower MAC value has been detected'), Field(,false)}" -match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); +var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); var select41 = linear_select([ part182, @@ -3758,8 +3306,7 @@ var all37 = all_match({ var msg111 = msg("00007:02", all37); -var part184 = // "Pattern{Constant('HA state of the local device has changed to init because IP tracking has failed'), Field(,false)}" -match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ +var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ dup86, dup2, dup3, @@ -3774,15 +3321,14 @@ var select42 = linear_select([ dup89, ]); -var part185 = // "Pattern{Constant('has been changed'), Field(,false)}" -match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); +var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); var all38 = all_match({ processors: [ dup87, select42, dup23, - dup346, + dup344, part185, ], on_success: processor_chain([ @@ -3796,8 +3342,7 @@ var all38 = all_match({ var msg113 = msg("00007:04", all38); -var part186 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because a master already exists'), Field(,false)}" -match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ +var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ dup1, dup2, dup3, @@ -3807,8 +3352,7 @@ match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device ha var msg114 = msg("00007:05", part186); -var part187 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster'), Field(,false)}" -match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ +var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ dup1, dup2, dup3, @@ -3818,8 +3362,7 @@ match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device ha var msg115 = msg("00007:06", part187); -var part188 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster'), Field(,false)}" -match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ +var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ dup1, dup2, dup3, @@ -3829,8 +3372,7 @@ match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device ha var msg116 = msg("00007:07", part188); -var part189 = // "Pattern{Constant('HA: Local device has been elected master because no other master exists'), Field(,false)}" -match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ +var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ dup1, dup2, dup3, @@ -3840,8 +3382,7 @@ match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been ele var msg117 = msg("00007:08", part189); -var part190 = // "Pattern{Constant('HA: Local device priority has been changed to '), Field(fld2,false)}" -match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ +var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -3851,8 +3392,7 @@ match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has var msg118 = msg("00007:09", part190); -var part191 = // "Pattern{Constant('HA: Previous master has promoted the local NetScreen device to master'), Field(,false)}" -match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ +var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ dup1, dup2, dup3, @@ -3862,8 +3402,7 @@ match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promo var msg119 = msg("00007:10", part191); -var part192 = // "Pattern{Constant('IP tracking device failover threshold has been '), Field(p0,false)}" -match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); +var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); var select43 = linear_select([ dup92, @@ -3886,8 +3425,7 @@ var all39 = all_match({ var msg120 = msg("00007:11", all39); -var part193 = // "Pattern{Constant('IP tracking has been '), Field(disposition,false)}" -match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ +var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3897,8 +3435,7 @@ match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{dispos var msg121 = msg("00007:12", part193); -var part194 = // "Pattern{Constant('IP tracking to '), Field(hostip,true), Constant(' with interval '), Field(fld2,true), Constant(' threshold '), Field(trigger_val,true), Constant(' weight '), Field(fld4,true), Constant(' interface '), Field(interface,true), Constant(' method '), Field(fld5,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ +var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3908,8 +3445,7 @@ match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} wi var msg122 = msg("00007:13", part194); -var part195 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup85, dup2, dup3, @@ -3921,8 +3457,7 @@ match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} var msg123 = msg("00007:14", part195); -var part196 = // "Pattern{Constant('Primary HA interface has been changed to '), Field(interface,false)}" -match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ +var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -3932,8 +3467,7 @@ match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been var msg124 = msg("00007:15", part196); -var part197 = // "Pattern{Constant('Reporting of HA configuration and status changes to NetScreen-Global Manager has been '), Field(disposition,false)}" -match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ +var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3943,8 +3477,7 @@ match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration var msg125 = msg("00007:16", part197); -var part198 = // "Pattern{Constant('Tracked IP '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ +var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -3954,28 +3487,22 @@ match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has be var msg126 = msg("00007:17", part198); -var part199 = // "Pattern{Constant('Tracked IP '), Field(hostip,true), Constant(' options have been changed from int '), Field(fld2,true), Constant(' thr '), Field(fld3,true), Constant(' wgt '), Field(fld4,true), Constant(' inf '), Field(fld5,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); +var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); -var part200 = // "Pattern{Constant('ping '), Field(p0,false)}" -match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); +var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); -var part201 = // "Pattern{Constant('ARP '), Field(p0,false)}" -match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); +var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); var select44 = linear_select([ part200, part201, ]); -var part202 = // "Pattern{Constant('to '), Field(fld6,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); +var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); -var part203 = // "Pattern{Constant('ping'), Field(,false)}" -match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); +var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); -var part204 = // "Pattern{Constant('ARP'), Field(,false)}" -match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); +var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); var select45 = linear_select([ part203, @@ -4000,8 +3527,7 @@ var all40 = all_match({ var msg127 = msg("00007:18", all40); -var part205 = // "Pattern{Constant('Change '), Field(change_attribute,true), Constant(' path from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ +var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ dup1, dup2, dup3, @@ -4011,13 +3537,12 @@ match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} var msg128 = msg("00007:20", part205); -var part206 = // "Pattern{Constant('HA Slave is '), Field(p0,false)}" -match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); +var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); var all41 = all_match({ processors: [ part206, - dup347, + dup345, ], on_success: processor_chain([ dup44, @@ -4030,8 +3555,7 @@ var all41 = all_match({ var msg129 = msg("00007:21", all41); -var part207 = // "Pattern{Constant('HA change group id to '), Field(groupid,false)}" -match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ +var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ dup1, dup2, dup3, @@ -4041,8 +3565,7 @@ match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{group var msg130 = msg("00007:22", part207); -var part208 = // "Pattern{Constant('HA change priority to '), Field(fld2,false)}" -match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ +var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -4052,8 +3575,7 @@ match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2} var msg131 = msg("00007:23", part208); -var part209 = // "Pattern{Constant('HA change state to init'), Field(,false)}" -match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ +var part209 = match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ dup1, dup2, dup3, @@ -4063,8 +3585,7 @@ match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", var msg132 = msg("00007:24", part209); -var part210 = // "Pattern{Constant('HA: Change state to initial state.'), Field(,false)}" -match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ +var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ dup1, dup2, dup3, @@ -4074,14 +3595,11 @@ match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial s var msg133 = msg("00007:25", part210); -var part211 = // "Pattern{Constant('HA: Change state to slave for '), Field(p0,false)}" -match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); +var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); -var part212 = // "Pattern{Constant('tracking ip failed'), Field(,false)}" -match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); +var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); -var part213 = // "Pattern{Constant('linkdown'), Field(,false)}" -match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); +var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); var select46 = linear_select([ part212, @@ -4104,8 +3622,7 @@ var all42 = all_match({ var msg134 = msg("00007:26", all42); -var part214 = // "Pattern{Constant('HA: Change to master command issued from original master to change state'), Field(,false)}" -match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ +var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ dup1, dup2, dup3, @@ -4115,8 +3632,7 @@ match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command var msg135 = msg("00007:27", part214); -var part215 = // "Pattern{Constant('HA: Elected master no other master'), Field(,false)}" -match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ +var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ dup1, dup2, dup3, @@ -4126,23 +3642,17 @@ match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other m var msg136 = msg("00007:28", part215); -var part216 = // "Pattern{Constant('HA: Elected slave '), Field(p0,false)}" -match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); +var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); -var part217 = // "Pattern{Constant('lower priority'), Field(,false)}" -match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); +var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); -var part218 = // "Pattern{Constant('MAC value is larger'), Field(,false)}" -match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); +var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); -var part219 = // "Pattern{Constant('master already exists'), Field(,false)}" -match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); +var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); -var part220 = // "Pattern{Constant('detect new master with higher priority'), Field(,false)}" -match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); +var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); -var part221 = // "Pattern{Constant('detect new master with smaller MAC value'), Field(,false)}" -match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}"); +var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}"); var select47 = linear_select([ part217, @@ -4168,8 +3678,7 @@ var all43 = all_match({ var msg137 = msg("00007:29", all43); -var part222 = // "Pattern{Constant('HA: Promoted master command issued from original master to change state'), Field(,false)}" -match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ +var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ dup1, dup2, dup3, @@ -4179,13 +3688,12 @@ match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command i var msg138 = msg("00007:30", part222); -var part223 = // "Pattern{Constant('HA: ha link '), Field(p0,false)}" -match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); +var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); var all44 = all_match({ processors: [ part223, - dup347, + dup345, ], on_success: processor_chain([ dup44, @@ -4198,23 +3706,21 @@ var all44 = all_match({ var msg139 = msg("00007:31", all44); -var part224 = // "Pattern{Constant('NSRP '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); +var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); var select48 = linear_select([ dup89, dup88, ]); -var part225 = // "Pattern{Constant('changed.'), Field(,false)}" -match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); +var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); var all45 = all_match({ processors: [ part224, select48, dup23, - dup346, + dup344, part225, ], on_success: processor_chain([ @@ -4228,30 +3734,25 @@ var all45 = all_match({ var msg140 = msg("00007:32", all45); -var part226 = // "Pattern{Constant('NSRP: VSD '), Field(p0,false)}" -match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); +var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); -var part227 = // "Pattern{Constant('Virtual Security Device group '), Field(p0,false)}" -match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); +var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); var select49 = linear_select([ part226, part227, ]); -var part228 = // "Pattern{Constant(''), Field(fld2,true), Constant(' change'), Field(p0,false)}" -match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); +var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); -var part229 = // "Pattern{Constant('d '), Field(p0,false)}" -match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); +var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); var select50 = linear_select([ part229, dup96, ]); -var part230 = // "Pattern{Constant('to '), Field(fld3,true), Constant(' mode.')}" -match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); +var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); var all46 = all_match({ processors: [ @@ -4271,8 +3772,7 @@ var all46 = all_match({ var msg141 = msg("00007:33", all46); -var part231 = // "Pattern{Constant('NSRP: message '), Field(fld2,true), Constant(' dropped: invalid encryption password.')}" -match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ +var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ dup97, dup2, dup3, @@ -4282,8 +3782,7 @@ match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropp var msg142 = msg("00007:34", part231); -var part232 = // "Pattern{Constant('NSRP: nsrp interface change to '), Field(interface,false), Constant('.')}" -match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ +var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ dup44, dup2, dup3, @@ -4293,8 +3792,7 @@ match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change t var msg143 = msg("00007:35", part232); -var part233 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' local unit='), Field(fld3,true), Constant(' duplicate from unit='), Field(fld4,false)}" -match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ +var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ dup44, dup2, dup3, @@ -4304,13 +3802,12 @@ match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid var msg144 = msg("00007:36", part233); -var part234 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); +var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); var all47 = all_match({ processors: [ part234, - dup348, + dup346, ], on_success: processor_chain([ dup44, @@ -4323,17 +3820,13 @@ var all47 = all_match({ var msg145 = msg("00007:37", all47); -var part235 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' peer='), Field(fld3,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); +var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); -var part236 = // "Pattern{Constant('state '), Field(p0,false)}" -match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); +var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); -var part237 = // "Pattern{Constant('missed heartbeat'), Field(,false)}" -match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); +var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); -var part238 = // "Pattern{Constant('group detached'), Field(,false)}" -match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); +var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); var select51 = linear_select([ part237, @@ -4343,9 +3836,9 @@ var select51 = linear_select([ var all48 = all_match({ processors: [ part235, - dup349, + dup347, dup103, - dup349, + dup347, part236, select51, ], @@ -4360,13 +3853,12 @@ var all48 = all_match({ var msg146 = msg("00007:38", all48); -var part239 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); +var part239 = match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); var all49 = all_match({ processors: [ part239, - dup348, + dup346, ], on_success: processor_chain([ dup44, @@ -4379,8 +3871,7 @@ var all49 = all_match({ var msg147 = msg("00007:39", all49); -var part240 = // "Pattern{Constant('Remove pathname '), Field(fld2,true), Constant(' (ifnum='), Field(fld3,false), Constant(') as secondary HA path')}" -match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ +var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ dup44, dup2, dup3, @@ -4390,8 +3881,7 @@ match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (if var msg148 = msg("00007:40", part240); -var part241 = // "Pattern{Constant('Session sync ended by unit='), Field(fld2,false)}" -match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ +var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ dup44, dup2, dup3, @@ -4401,8 +3891,7 @@ match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{ var msg149 = msg("00007:41", part241); -var part242 = // "Pattern{Constant('Set secondary HA path to '), Field(fld2,true), Constant(' (ifnum='), Field(fld3,false), Constant(')')}" -match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ +var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ dup1, dup2, dup3, @@ -4412,8 +3901,7 @@ match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fl var msg150 = msg("00007:42", part242); -var part243 = // "Pattern{Constant('VSD '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ +var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4423,8 +3911,7 @@ match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} cha var msg151 = msg("00007:43", part243); -var part244 = // "Pattern{Constant('vsd group id='), Field(groupid,true), Constant(' is '), Field(disposition,true), Constant(' total number='), Field(fld3,false)}" -match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ +var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ dup1, dup2, dup3, @@ -4434,8 +3921,7 @@ match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is var msg152 = msg("00007:44", part244); -var part245 = // "Pattern{Constant('vsd group '), Field(group,true), Constant(' local unit '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ +var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4445,8 +3931,7 @@ match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local un var msg153 = msg("00007:45", part245); -var part246 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup85, dup2, dup3, @@ -4458,8 +3943,7 @@ match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detecte var msg154 = msg("00007:46", part246); -var part247 = // "Pattern{Constant('The HA channel changed to interface '), Field(interface,false)}" -match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ +var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ dup1, dup2, dup3, @@ -4469,8 +3953,7 @@ match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to int var msg155 = msg("00007:47", part247); -var part248 = // "Pattern{Constant('Message '), Field(fld2,true), Constant(' was dropped because it contained an invalid encryption password.')}" -match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ +var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ dup97, dup2, dup3, @@ -4481,8 +3964,7 @@ match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped var msg156 = msg("00007:48", part248); -var part249 = // "Pattern{Constant('The '), Field(change_attribute,true), Constant(' of all Virtual Security Device groups changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ +var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ setc("eventcategory","1604000000"), dup2, dup3, @@ -4492,22 +3974,18 @@ match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of var msg157 = msg("00007:49", part249); -var part250 = // "Pattern{Constant('Device '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); +var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); -var part251 = // "Pattern{Constant('has joined '), Field(p0,false)}" -match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); +var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); -var part252 = // "Pattern{Constant('quit current '), Field(p0,false)}" -match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); +var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); var select52 = linear_select([ part251, part252, ]); -var part253 = // "Pattern{Constant('NSRP cluster '), Field(fld3,false)}" -match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); +var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); var all50 = all_match({ processors: [ @@ -4526,11 +4004,9 @@ var all50 = all_match({ var msg158 = msg("00007:50", all50); -var part254 = // "Pattern{Constant('Virtual Security Device group '), Field(group,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); +var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); -var part255 = // "Pattern{Constant('deleted '), Field(p0,false)}" -match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); +var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); var select53 = linear_select([ dup104, @@ -4542,8 +4018,7 @@ var select54 = linear_select([ dup73, ]); -var part256 = // "Pattern{Constant('The total number of members in the group '), Field(p0,false)}" -match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); +var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); var select55 = linear_select([ dup106, @@ -4571,8 +4046,7 @@ var all51 = all_match({ var msg159 = msg("00007:51", all51); -var part257 = // "Pattern{Constant('Virtual Security Device group '), Field(group,true), Constant(' '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ +var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4582,8 +4056,7 @@ match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group var msg160 = msg("00007:52", part257); -var part258 = // "Pattern{Constant('The secondary HA path of the devices was set to interface '), Field(interface,true), Constant(' with ifnum '), Field(fld2,false)}" -match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ +var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -4593,8 +4066,7 @@ match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the var msg161 = msg("00007:53", part258); -var part259 = // "Pattern{Constant('The '), Field(change_attribute,true), Constant(' of the devices changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ +var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -4604,8 +4076,7 @@ match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of var msg162 = msg("00007:54", part259); -var part260 = // "Pattern{Constant('The interface '), Field(interface,true), Constant(' with ifnum '), Field(fld2,true), Constant(' was removed from the secondary HA path of the devices.')}" -match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ +var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ dup1, dup2, dup3, @@ -4615,8 +4086,7 @@ match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} var msg163 = msg("00007:55", part260); -var part261 = // "Pattern{Constant('The probe that detects the status of High Availability link '), Field(fld2,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ +var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -4636,8 +4106,7 @@ var select57 = linear_select([ dup112, ]); -var part262 = // "Pattern{Constant('the probe detecting the status of High Availability link '), Field(fld2,true), Constant(' was set to '), Field(fld3,false)}" -match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); +var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); var all52 = all_match({ processors: [ @@ -4658,8 +4127,7 @@ var all52 = all_match({ var msg165 = msg("00007:57", all52); -var part263 = // "Pattern{Constant('A request by device '), Field(fld2,true), Constant(' for session synchronization(s) was accepted.')}" -match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ +var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ dup44, dup2, dup3, @@ -4669,8 +4137,7 @@ match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} var msg166 = msg("00007:58", part263); -var part264 = // "Pattern{Constant('The current session synchronization by device '), Field(fld2,true), Constant(' completed.')}" -match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ +var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ dup1, dup2, dup3, @@ -4680,8 +4147,7 @@ match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchroni var msg167 = msg("00007:59", part264); -var part265 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' direction was set to '), Field(direction,false)}" -match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ +var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ dup1, dup2, dup3, @@ -4691,8 +4157,7 @@ match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group var msg168 = msg("00007:60", part265); -var part266 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' was set.')}" -match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ +var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ dup1, dup2, dup3, @@ -4702,8 +4167,7 @@ match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group var msg169 = msg("00007:61", part266); -var part267 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' was unset.')}" -match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ +var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ dup1, dup2, dup3, @@ -4713,8 +4177,7 @@ match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group var msg170 = msg("00007:62", part267); -var part268 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' was unset.')}" -match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ +var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ dup1, dup2, dup3, @@ -4724,17 +4187,15 @@ match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} w var msg171 = msg("00007:63", part268); -var part269 = // "Pattern{Constant(''), Field(fld2,true), Constant(' was removed from the monitoring list '), Field(p0,false)}" -match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}"); +var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}"); -var part270 = // "Pattern{Constant(''), Field(fld3,false)}" -match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); +var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); var all53 = all_match({ processors: [ - dup350, + dup348, part269, - dup351, + dup349, part270, ], on_success: processor_chain([ @@ -4748,33 +4209,28 @@ var all53 = all_match({ var msg172 = msg("00007:64", all53); -var part271 = // "Pattern{Constant(''), Field(fld2,true), Constant(' with weight '), Field(fld3,true), Constant(' was added'), Field(p0,false)}" -match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); +var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); -var part272 = // "Pattern{Constant(' to or updated on '), Field(p0,false)}" -match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); +var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); -var part273 = // "Pattern{Constant('/updated to '), Field(p0,false)}" -match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); +var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); var select58 = linear_select([ part272, part273, ]); -var part274 = // "Pattern{Constant('the monitoring list '), Field(p0,false)}" -match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); +var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); -var part275 = // "Pattern{Constant(''), Field(fld4,false)}" -match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); +var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); var all54 = all_match({ processors: [ - dup350, + dup348, part271, select58, part274, - dup351, + dup349, part275, ], on_success: processor_chain([ @@ -4788,22 +4244,18 @@ var all54 = all_match({ var msg173 = msg("00007:65", all54); -var part276 = // "Pattern{Constant('The monitoring '), Field(p0,false)}" -match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); +var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); -var part277 = // "Pattern{Constant('Monitoring '), Field(p0,false)}" -match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); +var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); var select59 = linear_select([ part276, part277, ]); -var part278 = // "Pattern{Constant('threshold was modified to '), Field(trigger_val,true), Constant(' o'), Field(p0,false)}" -match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); +var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); -var part279 = // "Pattern{Constant('f '), Field(p0,false)}" -match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); +var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); var select60 = linear_select([ part279, @@ -4828,8 +4280,7 @@ var all55 = all_match({ var msg174 = msg("00007:66", all55); -var part280 = // "Pattern{Constant('NSRP data forwarding '), Field(disposition,false), Constant('.')}" -match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ +var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -4839,28 +4290,22 @@ match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{dispos var msg175 = msg("00007:67", part280); -var part281 = // "Pattern{Constant('NSRP b'), Field(p0,false)}" -match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); +var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); -var part282 = // "Pattern{Constant('lack '), Field(p0,false)}" -match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); +var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); -var part283 = // "Pattern{Constant('ack '), Field(p0,false)}" -match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); +var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); var select61 = linear_select([ part282, part283, ]); -var part284 = // "Pattern{Constant('hole prevention '), Field(disposition,false), Constant('. Master(s) of Virtual Security Device groups '), Field(p0,false)}" -match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); +var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); -var part285 = // "Pattern{Constant('may not exist '), Field(p0,false)}" -match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); +var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); -var part286 = // "Pattern{Constant('always exists '), Field(p0,false)}" -match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); +var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); var select62 = linear_select([ part285, @@ -4886,8 +4331,7 @@ var all56 = all_match({ var msg176 = msg("00007:68", all56); -var part287 = // "Pattern{Constant('NSRP Run Time Object synchronization between devices was '), Field(disposition,false)}" -match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ +var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -4897,8 +4341,7 @@ match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchron var msg177 = msg("00007:69", part287); -var part288 = // "Pattern{Constant('The NSRP encryption key was changed.'), Field(,false)}" -match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ +var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ dup1, dup2, dup3, @@ -4908,8 +4351,7 @@ match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was c var msg178 = msg("00007:70", part288); -var part289 = // "Pattern{Constant('NSRP transparent Active-Active mode was '), Field(disposition,false), Constant('.')}" -match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ +var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -4919,8 +4361,7 @@ match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Activ var msg179 = msg("00007:71", part289); -var part290 = // "Pattern{Constant('NSRP: nsrp link probe enable on '), Field(interface,false)}" -match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ +var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ dup1, dup2, dup3, @@ -5005,8 +4446,7 @@ var select63 = linear_select([ msg180, ]); -var part291 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5018,10 +4458,9 @@ match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! var msg181 = msg("00008", part291); -var msg182 = msg("00008:01", dup343); +var msg182 = msg("00008:01", dup341); -var part292 = // "Pattern{Constant('NTP settings have been changed'), Field(,false)}" -match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ +var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ dup1, dup2, dup3, @@ -5031,8 +4470,7 @@ match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been change var msg183 = msg("00008:02", part292); -var part293 = // "Pattern{Constant('The system clock has been updated through NTP'), Field(,false)}" -match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ +var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ dup1, dup2, dup3, @@ -5042,17 +4480,13 @@ match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been upd var msg184 = msg("00008:03", part293); -var part294 = // "Pattern{Constant('System clock '), Field(p0,false)}" -match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); +var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); -var part295 = // "Pattern{Constant('configurations have been'), Field(p0,false)}" -match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); +var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); -var part296 = // "Pattern{Constant('was'), Field(p0,false)}" -match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); +var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); -var part297 = // "Pattern{Constant('is'), Field(p0,false)}" -match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); +var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); var select64 = linear_select([ part295, @@ -5060,23 +4494,17 @@ var select64 = linear_select([ part297, ]); -var part298 = // "Pattern{Field(,false), Constant('changed'), Field(p0,false)}" -match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); +var part298 = match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); -var part299 = // "Pattern{Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); +var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); -var part300 = // "Pattern{Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); +var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); -var part301 = // "Pattern{Constant(' by '), Field(username,false)}" -match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); +var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); -var part302 = // "Pattern{Constant(' manually.'), Field(,false)}" -match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); +var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); -var part303 = // "Pattern{Constant(' manually'), Field(,false)}" -match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); +var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); var select65 = linear_select([ part299, @@ -5106,8 +4534,7 @@ var all57 = all_match({ var msg185 = msg("00008:04", all57); -var part304 = // "Pattern{Constant('failed to get clock through NTP'), Field(,false)}" -match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ +var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ dup117, dup2, dup3, @@ -5117,8 +4544,7 @@ match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through N var msg186 = msg("00008:05", part304); -var part305 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5130,8 +4556,7 @@ match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detecte var msg187 = msg("00008:06", part305); -var part306 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5143,8 +4568,7 @@ match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detecte var msg188 = msg("00008:07", part306); -var part307 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup3, @@ -5156,8 +4580,7 @@ match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} var msg189 = msg("00008:08", part307); -var part308 = // "Pattern{Constant('system clock is changed manually'), Field(,false)}" -match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ +var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ dup1, dup2, dup3, @@ -5167,13 +4590,12 @@ match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manua var msg190 = msg("00008:09", part308); -var part309 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,false), Constant('(zone '), Field(p0,false)}" -match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); +var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); var all58 = all_match({ processors: [ part309, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -5204,8 +4626,7 @@ var select66 = linear_select([ msg191, ]); -var part310 = // "Pattern{Constant('802.1Q VLAN trunking for the interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ +var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5215,8 +4636,7 @@ match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the int var msg192 = msg("00009", part310); -var part311 = // "Pattern{Constant('802.1Q VLAN tag '), Field(fld1,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ +var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5226,8 +4646,7 @@ match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has var msg193 = msg("00009:01", part311); -var part312 = // "Pattern{Constant('DHCP on the interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([ +var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5237,8 +4656,7 @@ match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{inter var msg194 = msg("00009:02", part312); -var part313 = // "Pattern{Field(change_attribute,true), Constant(' for interface '), Field(interface,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -5248,8 +4666,7 @@ match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for int var msg195 = msg("00009:03", part313); -var part314 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5261,11 +4678,9 @@ match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detecte var msg196 = msg("00009:05", part314); -var part315 = // "Pattern{Field(fld2,false), Constant(': The 802.1Q tag '), Field(p0,false)}" -match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); +var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); -var part316 = // "Pattern{Constant('The 802.1Q tag '), Field(p0,false)}" -match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); +var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); var select67 = linear_select([ part315, @@ -5277,22 +4692,18 @@ var select68 = linear_select([ dup16, ]); -var part317 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); +var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); -var part318 = // "Pattern{Constant('changed to '), Field(p0,false)}" -match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); +var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); var select69 = linear_select([ dup120, part318, ]); -var part319 = // "Pattern{Field(info,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); +var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); -var part320 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); +var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); var select70 = linear_select([ part319, @@ -5320,30 +4731,25 @@ var all59 = all_match({ var msg197 = msg("00009:06", all59); -var part321 = // "Pattern{Constant('Maximum bandwidth '), Field(fld2,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); +var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); -var part322 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is less than t'), Field(p0,false)}" -match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); +var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); -var part323 = // "Pattern{Constant('he total '), Field(p0,false)}" -match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); +var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); -var part324 = // "Pattern{Constant('otal '), Field(p0,false)}" -match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); +var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); var select71 = linear_select([ part323, part324, ]); -var part325 = // "Pattern{Constant('guaranteed bandwidth '), Field(fld3,false)}" -match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); +var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); var all60 = all_match({ processors: [ part321, - dup339, + dup337, part322, select71, part325, @@ -5359,8 +4765,7 @@ var all60 = all_match({ var msg198 = msg("00009:07", all60); -var part326 = // "Pattern{Constant('The configured bandwidth setting on the interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,false)}" -match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ +var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -5370,14 +4775,11 @@ match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth sett var msg199 = msg("00009:09", part326); -var part327 = // "Pattern{Constant('The operational mode for the interface '), Field(interface,true), Constant(' has been changed to '), Field(p0,false)}" -match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); +var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); -var part328 = // "Pattern{Constant('Route'), Field(,false)}" -match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); +var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); -var part329 = // "Pattern{Constant('NAT'), Field(,false)}" -match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); +var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); var select72 = linear_select([ part328, @@ -5400,19 +4802,16 @@ var all61 = all_match({ var msg200 = msg("00009:10", all61); -var part330 = // "Pattern{Field(fld1,false), Constant(': VLAN '), Field(p0,false)}" -match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); +var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); -var part331 = // "Pattern{Constant('VLAN '), Field(p0,false)}" -match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); +var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); var select73 = linear_select([ part330, part331, ]); -var part332 = // "Pattern{Constant('tag '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); +var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); var all62 = all_match({ processors: [ @@ -5430,8 +4829,7 @@ var all62 = all_match({ var msg201 = msg("00009:11", all62); -var part333 = // "Pattern{Constant('DHCP client has been '), Field(disposition,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ +var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ dup1, dup2, dup3, @@ -5441,8 +4839,7 @@ match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{dispos var msg202 = msg("00009:12", part333); -var part334 = // "Pattern{Constant('DHCP relay agent settings on '), Field(interface,true), Constant(' have been '), Field(disposition,false)}" -match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ +var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5452,14 +4849,11 @@ match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on var msg203 = msg("00009:13", part334); -var part335 = // "Pattern{Constant('Global-PRO has been '), Field(p0,false)}" -match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); +var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); -var part336 = // "Pattern{Constant('Global PRO has been '), Field(p0,false)}" -match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); +var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); -var part337 = // "Pattern{Constant('DNS proxy was '), Field(p0,false)}" -match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); +var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); var select74 = linear_select([ part335, @@ -5467,16 +4861,14 @@ var select74 = linear_select([ part337, ]); -var part338 = // "Pattern{Constant(''), Field(disposition,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); +var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); var select75 = linear_select([ dup122, dup123, ]); -var part339 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); +var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); var select76 = linear_select([ part339, @@ -5502,11 +4894,9 @@ var all63 = all_match({ var msg204 = msg("00009:14", all63); -var part340 = // "Pattern{Constant('Route between secondary IP'), Field(p0,false)}" -match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); +var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); -var part341 = // "Pattern{Constant(' addresses '), Field(p0,false)}" -match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); +var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); var select77 = linear_select([ part341, @@ -5518,7 +4908,7 @@ var all64 = all_match({ part340, select77, dup126, - dup352, + dup350, dup128, ], on_success: processor_chain([ @@ -5532,11 +4922,9 @@ var all64 = all_match({ var msg205 = msg("00009:15", all64); -var part342 = // "Pattern{Constant('Secondary IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); +var part342 = match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); -var part343 = // "Pattern{Constant('deleted from '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); +var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); var select78 = linear_select([ dup129, @@ -5544,13 +4932,12 @@ var select78 = linear_select([ part343, ]); -var part344 = // "Pattern{Constant('interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); +var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); var all65 = all_match({ processors: [ part342, - dup352, + dup350, dup23, select78, part344, @@ -5566,22 +4953,18 @@ var all65 = all_match({ var msg206 = msg("00009:16", all65); -var part345 = // "Pattern{Constant('Secondary IP address '), Field(p0,false)}" -match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); +var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); -var part346 = // "Pattern{Field(hostip,false), Constant('/'), Field(mask,true), Constant(' was added to interface '), Field(p0,false)}" -match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); +var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); -var part347 = // "Pattern{Field(hostip,true), Constant(' was added to interface '), Field(p0,false)}" -match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); +var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); var select79 = linear_select([ part346, part347, ]); -var part348 = // "Pattern{Field(interface,false), Constant('.')}" -match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); +var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); var all66 = all_match({ processors: [ @@ -5600,8 +4983,7 @@ var all66 = all_match({ var msg207 = msg("00009:17", all66); -var part349 = // "Pattern{Constant('The configured bandwidth on the interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,false)}" -match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ +var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -5611,8 +4993,7 @@ match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on t var msg208 = msg("00009:18", part349); -var part350 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ +var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5622,8 +5003,7 @@ match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with var msg209 = msg("00009:19", part350); -var part351 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ +var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5633,31 +5013,24 @@ match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has var msg210 = msg("00009:27", part351); -var part352 = // "Pattern{Field(fld2,false), Constant(': '), Field(service,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); +var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); -var part353 = // "Pattern{Field(service,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); +var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); var select80 = linear_select([ part352, part353, ]); -var part354 = // "Pattern{Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); +var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); -var part355 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); +var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); -var part356 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); +var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); -var part357 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); +var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); -var part358 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); +var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); var select81 = linear_select([ part355, @@ -5684,13 +5057,12 @@ var all67 = all_match({ var msg211 = msg("00009:20", all67); -var part359 = // "Pattern{Constant('Source Route IP option! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); var all68 = all_match({ processors: [ part359, - dup345, + dup343, dup131, ], on_success: processor_chain([ @@ -5707,8 +5079,7 @@ var all68 = all_match({ var msg212 = msg("00009:21", all68); -var part360 = // "Pattern{Constant('MTU for interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ +var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -5719,8 +5090,7 @@ match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface var msg213 = msg("00009:22", part360); -var part361 = // "Pattern{Constant('Secondary IP address '), Field(hostip,true), Constant(' has been added to interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ +var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ dup44, dup2, dup9, @@ -5731,22 +5101,18 @@ match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip var msg214 = msg("00009:23", part361); -var part362 = // "Pattern{Constant('Web has been enabled on interface '), Field(interface,true), Constant(' by admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); +var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); -var part363 = // "Pattern{Field(logon_type,true), Constant(' '), Field(space,false), Constant('('), Field(p0,false)}" -match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); +var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); -var part364 = // "Pattern{Field(logon_type,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); +var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); var select82 = linear_select([ part363, part364, ]); -var part365 = // "Pattern{Constant(')'), Field(fld1,false)}" -match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); +var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); var all69 = all_match({ processors: [ @@ -5766,8 +5132,7 @@ var all69 = all_match({ var msg215 = msg("00009:24", all69); -var part366 = // "Pattern{Constant('Web has been enabled on interface '), Field(interface,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([ +var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([ dup1, dup2, dup9, @@ -5778,13 +5143,12 @@ match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on inter var msg216 = msg("00009:25", part366); -var part367 = // "Pattern{Field(protocol,true), Constant(' has been '), Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' by '), Field(username,true), Constant(' via NSRP Peer . '), Field(p0,false)}" -match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); +var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); var all70 = all_match({ processors: [ part367, - dup335, + dup333, ], on_success: processor_chain([ dup1, @@ -5827,28 +5191,22 @@ var select83 = linear_select([ msg217, ]); -var part368 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); +var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); -var part369 = // "Pattern{Constant('using protocol '), Field(p0,false)}" -match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); +var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); -var part370 = // "Pattern{Constant('proto '), Field(p0,false)}" -match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); +var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); var select84 = linear_select([ part369, part370, ]); -var part371 = // "Pattern{Constant(''), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); +var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); -var part372 = // "Pattern{Constant('( zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); +var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); -var part373 = // "Pattern{Constant('zone '), Field(zone,true), Constant(' int '), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); +var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); var select85 = linear_select([ part372, @@ -5856,8 +5214,7 @@ var select85 = linear_select([ dup126, ]); -var part374 = // "Pattern{Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times'), Field(p0,false)}" -match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); +var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); var all71 = all_match({ processors: [ @@ -5866,7 +5223,7 @@ var all71 = all_match({ part371, select85, part374, - dup353, + dup351, ], on_success: processor_chain([ dup58, @@ -5882,8 +5239,7 @@ var all71 = all_match({ var msg218 = msg("00010", all71); -var part375 = // "Pattern{Constant('MIP '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ +var part375 = match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5893,8 +5249,7 @@ match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has b var msg219 = msg("00010:01", part375); -var part376 = // "Pattern{Constant('Mapped IP '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ +var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -5907,7 +5262,7 @@ var msg220 = msg("00010:02", part376); var all72 = all_match({ processors: [ dup132, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -5931,8 +5286,7 @@ var select86 = linear_select([ msg221, ]); -var part377 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -5944,16 +5298,14 @@ match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{spo var msg222 = msg("00011", part377); -var part378 = // "Pattern{Constant('Route to '), Field(daddr,false), Constant('/'), Field(fld2,true), Constant(' [ '), Field(p0,false)}" -match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); +var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); var select87 = linear_select([ dup57, dup56, ]); -var part379 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' gateway '), Field(fld3,true), Constant(' ] has been '), Field(disposition,false)}" -match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); +var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); var all73 = all_match({ processors: [ @@ -5972,8 +5324,7 @@ var all73 = all_match({ var msg223 = msg("00011:01", all73); -var part380 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ +var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ dup58, dup2, dup3, @@ -5983,28 +5334,22 @@ match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} var msg224 = msg("00011:02", part380); -var part381 = // "Pattern{Constant('An '), Field(p0,false)}" -match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); +var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); -var part382 = // "Pattern{Constant('import '), Field(p0,false)}" -match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}"); +var part382 = match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}"); -var part383 = // "Pattern{Constant('export '), Field(p0,false)}" -match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); +var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); var select88 = linear_select([ part382, part383, ]); -var part384 = // "Pattern{Constant('rule in virtual router '), Field(node,true), Constant(' to virtual router '), Field(fld4,true), Constant(' with '), Field(p0,false)}" -match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); +var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); -var part385 = // "Pattern{Constant('route-map '), Field(fld3,true), Constant(' and protocol '), Field(protocol,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); +var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); -var part386 = // "Pattern{Constant('IP-prefix '), Field(hostip,false), Constant('/'), Field(interface,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); +var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); var select89 = linear_select([ part385, @@ -6030,16 +5375,14 @@ var all74 = all_match({ var msg225 = msg("00011:03", all74); -var part387 = // "Pattern{Constant('A route in virtual router '), Field(node,true), Constant(' that has IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' through '), Field(p0,false)}" -match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); +var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); -var part388 = // "Pattern{Constant(''), Field(interface,true), Constant(' and gateway '), Field(fld3,true), Constant(' with metric '), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); +var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); var all75 = all_match({ processors: [ part387, - dup354, + dup352, part388, ], on_success: processor_chain([ @@ -6053,19 +5396,16 @@ var all75 = all_match({ var msg226 = msg("00011:04", all75); -var part389 = // "Pattern{Constant('sharable virtual router using name'), Field(p0,false)}" -match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); +var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); -var part390 = // "Pattern{Constant('virtual router with name'), Field(p0,false)}" -match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); +var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); var select90 = linear_select([ part389, part390, ]); -var part391 = // "Pattern{Field(,true), Constant(' '), Field(node,true), Constant(' and id '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); +var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); var all76 = all_match({ processors: [ @@ -6084,8 +5424,7 @@ var all76 = all_match({ var msg227 = msg("00011:05", all76); -var part392 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup4, @@ -6097,8 +5436,7 @@ match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} var msg228 = msg("00011:07", part392); -var part393 = // "Pattern{Constant('Route(s) in virtual router '), Field(node,true), Constant(' with an IP address '), Field(hostip,true), Constant(' and gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ +var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6108,8 +5446,7 @@ match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{ var msg229 = msg("00011:08", part393); -var part394 = // "Pattern{Constant('The auto-route-export feature in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ +var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6119,8 +5456,7 @@ match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature var msg230 = msg("00011:09", part394); -var part395 = // "Pattern{Constant('The maximum number of routes that can be created in virtual router '), Field(node,true), Constant(' is '), Field(fld2,false)}" -match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ +var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -6130,8 +5466,7 @@ match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes var msg231 = msg("00011:10", part395); -var part396 = // "Pattern{Constant('The maximum routes limit in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ +var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6141,8 +5476,7 @@ match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in v var msg232 = msg("00011:11", part396); -var part397 = // "Pattern{Constant('The router-id of virtual router '), Field(node,true), Constant(' used by OSPF BGP routing instances id has been uninitialized')}" -match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ +var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ dup1, dup2, dup3, @@ -6152,8 +5486,7 @@ match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual rout var msg233 = msg("00011:12", part397); -var part398 = // "Pattern{Constant('The router-id that can be used by OSPF BGP routing instances in virtual router '), Field(node,true), Constant(' has been set to '), Field(fld2,false)}" -match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ +var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -6163,11 +5496,9 @@ match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be use var msg234 = msg("00011:13", part398); -var part399 = // "Pattern{Constant('The routing preference for protocol '), Field(protocol,true), Constant(' in virtual router '), Field(node,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); +var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); -var part400 = // "Pattern{Constant('reset'), Field(,false)}" -match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); +var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); var select91 = linear_select([ dup134, @@ -6190,8 +5521,7 @@ var all77 = all_match({ var msg235 = msg("00011:14", all77); -var part401 = // "Pattern{Constant('The system default-route in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ +var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6201,8 +5531,7 @@ match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in v var msg236 = msg("00011:15", part401); -var part402 = // "Pattern{Constant('The system default-route through virtual router '), Field(node,true), Constant(' has been added in virtual router '), Field(fld2,false)}" -match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ +var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -6212,17 +5541,13 @@ match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route thro var msg237 = msg("00011:16", part402); -var part403 = // "Pattern{Constant('The virtual router '), Field(node,true), Constant(' has been made '), Field(p0,false)}" -match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); +var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); -var part404 = // "Pattern{Constant('sharable'), Field(,false)}" -match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); +var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); -var part405 = // "Pattern{Constant('unsharable'), Field(,false)}" -match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); +var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); -var part406 = // "Pattern{Constant('default virtual router for virtual system '), Field(fld2,false)}" -match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); +var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); var select92 = linear_select([ part404, @@ -6246,44 +5571,36 @@ var all78 = all_match({ var msg238 = msg("00011:17", all78); -var part407 = // "Pattern{Constant('Source route(s) '), Field(p0,false)}" -match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); +var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); -var part408 = // "Pattern{Constant('A source route '), Field(p0,false)}" -match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); +var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); var select93 = linear_select([ part407, part408, ]); -var part409 = // "Pattern{Constant('in virtual router '), Field(node,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); +var part409 = match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); -var part410 = // "Pattern{Constant('with route addresses of '), Field(p0,false)}" -match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); +var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); -var part411 = // "Pattern{Constant('that has IP address '), Field(p0,false)}" -match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); +var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); var select94 = linear_select([ part410, part411, ]); -var part412 = // "Pattern{Constant(''), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' through interface '), Field(interface,true), Constant(' and '), Field(p0,false)}" -match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); +var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); -var part413 = // "Pattern{Constant('a default gateway address '), Field(p0,false)}" -match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); +var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); var select95 = linear_select([ part413, dup135, ]); -var part414 = // "Pattern{Constant(''), Field(fld3,true), Constant(' with metric '), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); +var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); var all79 = all_match({ processors: [ @@ -6293,7 +5610,7 @@ var all79 = all_match({ part412, select95, part414, - dup352, + dup350, dup128, ], on_success: processor_chain([ @@ -6307,36 +5624,29 @@ var all79 = all_match({ var msg239 = msg("00011:18", all79); -var part415 = // "Pattern{Constant('Source Route(s) in virtual router '), Field(node,true), Constant(' with '), Field(p0,false)}" -match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); +var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); -var part416 = // "Pattern{Constant('route addresses of '), Field(p0,false)}" -match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); +var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); -var part417 = // "Pattern{Constant('an IP address '), Field(p0,false)}" -match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); +var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); var select96 = linear_select([ part416, part417, ]); -var part418 = // "Pattern{Constant(''), Field(hostip,false), Constant('/'), Field(fld3,true), Constant(' and '), Field(p0,false)}" -match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); +var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); -var part419 = // "Pattern{Constant('a default gateway address of '), Field(p0,false)}" -match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); +var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); var select97 = linear_select([ part419, dup135, ]); -var part420 = // "Pattern{Constant(''), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); +var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); -var part421 = // "Pattern{Constant('has been'), Field(p0,false)}" -match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); +var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); var select98 = linear_select([ dup107, @@ -6364,16 +5674,14 @@ var all80 = all_match({ var msg240 = msg("00011:19", all80); -var part422 = // "Pattern{Field(fld2,false), Constant(': A '), Field(p0,false)}" -match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); +var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); var select99 = linear_select([ part422, dup79, ]); -var part423 = // "Pattern{Constant('route has been created in virtual router "'), Field(node,false), Constant('"'), Field(space,false), Constant('with an IP address '), Field(hostip,true), Constant(' and next-hop as virtual router "'), Field(fld3,false), Constant('"')}" -match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); +var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); var all81 = all_match({ processors: [ @@ -6391,8 +5699,7 @@ var all81 = all_match({ var msg241 = msg("00011:20", all81); -var part424 = // "Pattern{Constant('SIBR route(s) in virtual router '), Field(node,true), Constant(' for interface '), Field(interface,true), Constant(' with an IP address '), Field(hostip,true), Constant(' and gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ +var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6402,8 +5709,7 @@ match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual rout var msg242 = msg("00011:21", part424); -var part425 = // "Pattern{Constant('SIBR route in virtual router '), Field(node,true), Constant(' for interface '), Field(interface,true), Constant(' that has IP address '), Field(hostip,true), Constant(' through interface '), Field(fld3,true), Constant(' and gateway '), Field(fld4,true), Constant(' with metric '), Field(fld5,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ +var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6416,7 +5722,7 @@ var msg243 = msg("00011:22", part425); var all82 = all_match({ processors: [ dup132, - dup345, + dup343, dup131, ], on_success: processor_chain([ @@ -6441,8 +5747,7 @@ var all82 = all_match({ var msg244 = msg("00011:23", all82); -var part426 = // "Pattern{Constant('Route in virtual router "'), Field(node,false), Constant('" that has IP address '), Field(hostip,true), Constant(' through interface '), Field(interface,true), Constant(' and gateway '), Field(fld2,true), Constant(' with metric '), Field(fld3,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([ +var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -6453,8 +5758,7 @@ match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{n var msg245 = msg("00011:24", part426); -var part427 = // "Pattern{Constant('Route(s) in virtual router "'), Field(node,false), Constant('" with an IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' and gateway '), Field(fld3,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ +var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -6465,8 +5769,7 @@ match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \" var msg246 = msg("00011:25", part427); -var part428 = // "Pattern{Constant('Route in virtual router "'), Field(node,false), Constant('" with IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' and next-hop as virtual router "'), Field(fld3,false), Constant('" created. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ +var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -6506,8 +5809,7 @@ var select100 = linear_select([ msg247, ]); -var part429 = // "Pattern{Constant('Service group '), Field(group,true), Constant(' comments have been '), Field(disposition,false)}" -match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ +var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6517,8 +5819,7 @@ match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comm var msg248 = msg("00012:02", part429); -var part430 = // "Pattern{Constant('Service group '), Field(change_old,true), Constant(' '), Field(change_attribute,true), Constant(' has been changed to '), Field(change_new,false)}" -match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ +var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -6528,8 +5829,7 @@ match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} var msg249 = msg("00012:03", part430); -var part431 = // "Pattern{Field(fld2,true), Constant(' Service group '), Field(group,true), Constant(' has '), Field(disposition,true), Constant(' member '), Field(username,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ +var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ dup1, dup2, dup3, @@ -6539,8 +5839,7 @@ match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{gro var msg250 = msg("00012:04", part431); -var part432 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(') ('), Field(fld3,false), Constant(')')}" -match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([ +var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([ dup58, dup2, dup3, @@ -6551,8 +5850,7 @@ match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{ var msg251 = msg("00012:05", part432); -var part433 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -6564,8 +5862,7 @@ match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detecte var msg252 = msg("00012:06", part433); -var part434 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -6577,8 +5874,7 @@ match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detecte var msg253 = msg("00012:07", part434); -var part435 = // "Pattern{Field(fld2,false), Constant(': Service '), Field(service,true), Constant(' has been '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ +var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -6592,7 +5888,7 @@ var msg254 = msg("00012:08", part435); var all83 = all_match({ processors: [ dup80, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -6612,7 +5908,7 @@ var msg255 = msg("00012:09", all83); var all84 = all_match({ processors: [ dup132, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -6629,8 +5925,7 @@ var all84 = all_match({ var msg256 = msg("00012:10", all84); -var part436 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -6643,8 +5938,7 @@ match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{ var msg257 = msg("00012:11", part436); -var part437 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(zone,false), Constant(') '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ +var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -6655,8 +5949,7 @@ match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{ var msg258 = msg("00012:12", part437); -var part438 = // "Pattern{Constant('Service group '), Field(group,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ +var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6666,8 +5959,7 @@ match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has bee var msg259 = msg("00012", part438); -var part439 = // "Pattern{Constant('Service '), Field(service,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ +var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -6693,8 +5985,7 @@ var select101 = linear_select([ msg260, ]); -var part440 = // "Pattern{Constant('Global Manager error in decoding bytes has been detected'), Field(,false)}" -match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ +var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ dup86, dup2, dup3, @@ -6704,8 +5995,7 @@ match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding var msg261 = msg("00013", part440); -var part441 = // "Pattern{Constant('Intruder has attempted to connect to the NetScreen-Global Manager port! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -6718,8 +6008,7 @@ match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to con var msg262 = msg("00013:01", part441); -var part442 = // "Pattern{Constant('URL Filtering '), Field(fld2,true), Constant(' has been changed to '), Field(fld3,false)}" -match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ +var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ dup1, dup2, dup3, @@ -6729,8 +6018,7 @@ match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has b var msg263 = msg("00013:02", part442); -var part443 = // "Pattern{Constant('Web Filtering has been '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ +var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ dup50, dup43, dup51, @@ -6749,8 +6037,7 @@ var select102 = linear_select([ msg264, ]); -var part444 = // "Pattern{Field(change_attribute,true), Constant(' in minutes has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ +var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -6760,14 +6047,11 @@ match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes var msg265 = msg("00014", part444); -var part445 = // "Pattern{Constant('The group member '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); +var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); -var part446 = // "Pattern{Constant('to a group'), Field(,false)}" -match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); +var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); -var part447 = // "Pattern{Constant('from a group'), Field(,false)}" -match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); +var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); var select103 = linear_select([ part446, @@ -6790,8 +6074,7 @@ var all85 = all_match({ var msg266 = msg("00014:01", all85); -var part448 = // "Pattern{Constant('The user group '), Field(group,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,false)}" -match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ +var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ dup1, dup2, dup3, @@ -6801,8 +6084,7 @@ match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has var msg267 = msg("00014:02", part448); -var part449 = // "Pattern{Constant('The user '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(administrator,false)}" -match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ +var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -6812,8 +6094,7 @@ match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has be var msg268 = msg("00014:03", part449); -var part450 = // "Pattern{Constant('Communication error with '), Field(hostname,true), Constant(' server { '), Field(hostip,true), Constant(' }: SrvErr ('), Field(fld2,false), Constant('), SockErr ('), Field(fld3,false), Constant('), Valid ('), Field(fld4,false), Constant('),Connected ('), Field(fld5,false), Constant(')')}" -match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ +var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ dup19, dup2, dup3, @@ -6823,8 +6104,7 @@ match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{ho var msg269 = msg("00014:04", part450); -var part451 = // "Pattern{Constant('System clock configurations have been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ +var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -6834,8 +6114,7 @@ match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations h var msg270 = msg("00014:05", part451); -var part452 = // "Pattern{Constant('System clock is '), Field(disposition,true), Constant(' manually.')}" -match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ +var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ dup1, dup2, dup3, @@ -6845,8 +6124,7 @@ match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition var msg271 = msg("00014:06", part452); -var part453 = // "Pattern{Constant('System up time is '), Field(disposition,true), Constant(' by '), Field(fld2,false)}" -match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ +var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -6856,8 +6134,7 @@ match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{dispositi var msg272 = msg("00014:07", part453); -var part454 = // "Pattern{Constant('Communication error with '), Field(hostname,true), Constant(' server['), Field(hostip,false), Constant(']: SrvErr('), Field(fld2,false), Constant('),SockErr('), Field(fld3,false), Constant('),Valid('), Field(fld4,false), Constant('),Connected('), Field(fld5,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ +var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ dup27, dup2, dup3, @@ -6880,8 +6157,7 @@ var select104 = linear_select([ msg273, ]); -var part455 = // "Pattern{Constant('Authentication type has been changed to '), Field(authmethod,false)}" -match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ +var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ dup1, dup2, dup3, @@ -6891,8 +6167,7 @@ match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been cha var msg274 = msg("00015", part455); -var part456 = // "Pattern{Constant('IP tracking to '), Field(daddr,true), Constant(' has '), Field(disposition,false)}" -match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ +var part456 = match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ dup86, dup2, dup3, @@ -6902,17 +6177,13 @@ match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has var msg275 = msg("00015:01", part456); -var part457 = // "Pattern{Constant('LDAP '), Field(p0,false)}" -match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); +var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); -var part458 = // "Pattern{Constant('server name '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); +var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); -var part459 = // "Pattern{Constant('distinguished name '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); +var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); -var part460 = // "Pattern{Constant('common name '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); +var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); var select105 = linear_select([ part458, @@ -6938,8 +6209,7 @@ var all86 = all_match({ var msg276 = msg("00015:02", all86); -var part461 = // "Pattern{Constant('Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link'), Field(,false)}" -match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ +var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ dup44, dup2, dup3, @@ -6949,11 +6219,9 @@ match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down var msg277 = msg("00015:03", part461); -var part462 = // "Pattern{Constant('RADIUS server '), Field(p0,false)}" -match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); +var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); -var part463 = // "Pattern{Constant('secret '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); +var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); var select106 = linear_select([ dup139, @@ -6978,17 +6246,13 @@ var all87 = all_match({ var msg278 = msg("00015:04", all87); -var part464 = // "Pattern{Constant('SecurID '), Field(p0,false)}" -match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); +var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); -var part465 = // "Pattern{Constant('authentication port '), Field(p0,false)}" -match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); +var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); -var part466 = // "Pattern{Constant('duress mode '), Field(p0,false)}" -match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); +var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); -var part467 = // "Pattern{Constant('number of retries value '), Field(p0,false)}" -match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); +var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); var select107 = linear_select([ part465, @@ -7014,19 +6278,16 @@ var all88 = all_match({ var msg279 = msg("00015:05", all88); -var part468 = // "Pattern{Constant('Master '), Field(p0,false)}" -match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); +var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); -var part469 = // "Pattern{Constant('Backup '), Field(p0,false)}" -match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); +var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); var select108 = linear_select([ part468, part469, ]); -var part470 = // "Pattern{Constant('SecurID server IP address has been '), Field(disposition,false)}" -match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); +var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); var all89 = all_match({ processors: [ @@ -7044,8 +6305,7 @@ var all89 = all_match({ var msg280 = msg("00015:06", all89); -var part471 = // "Pattern{Constant('HA change from slave to master'), Field(,false)}" -match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ +var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ dup1, dup2, dup3, @@ -7055,8 +6315,7 @@ match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to maste var msg281 = msg("00015:07", part471); -var part472 = // "Pattern{Constant('inconsistent configuration between master and slave'), Field(,false)}" -match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ +var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ dup141, dup2, dup3, @@ -7066,19 +6325,16 @@ match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration be var msg282 = msg("00015:08", part472); -var part473 = // "Pattern{Constant('configuration '), Field(p0,false)}" -match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); +var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); -var part474 = // "Pattern{Constant('Configuration '), Field(p0,false)}" -match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); +var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); var select109 = linear_select([ part473, part474, ]); -var part475 = // "Pattern{Constant('out of sync between local unit and remote unit'), Field(,false)}" -match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); +var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); var all90 = all_match({ processors: [ @@ -7096,8 +6352,7 @@ var all90 = all_match({ var msg283 = msg("00015:09", all90); -var part476 = // "Pattern{Constant('HA control channel change to '), Field(interface,false)}" -match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ +var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -7107,8 +6362,7 @@ match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to var msg284 = msg("00015:10", part476); -var part477 = // "Pattern{Constant('HA data channel change to '), Field(interface,false)}" -match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ +var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -7118,31 +6372,27 @@ match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{i var msg285 = msg("00015:11", part477); -var part478 = // "Pattern{Constant('control '), Field(p0,false)}" -match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); +var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); -var part479 = // "Pattern{Constant('data '), Field(p0,false)}" -match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); +var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); var select110 = linear_select([ part478, part479, ]); -var part480 = // "Pattern{Constant('channel moved from link '), Field(p0,false)}" -match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); +var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); -var part481 = // "Pattern{Constant('('), Field(interface,false), Constant(')')}" -match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); +var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); var all91 = all_match({ processors: [ dup87, select110, part480, - dup355, + dup353, dup103, - dup355, + dup353, part481, ], on_success: processor_chain([ @@ -7156,8 +6406,7 @@ var all91 = all_match({ var msg286 = msg("00015:12", all91); -var part482 = // "Pattern{Constant('HA: Slave is down'), Field(,false)}" -match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ +var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ dup144, dup2, dup3, @@ -7167,13 +6416,12 @@ match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", proces var msg287 = msg("00015:13", part482); -var part483 = // "Pattern{Constant('NSRP link '), Field(p0,false)}" -match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); +var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); var all92 = all_match({ processors: [ part483, - dup355, + dup353, dup116, ], on_success: processor_chain([ @@ -7187,8 +6435,7 @@ var all92 = all_match({ var msg288 = msg("00015:14", all92); -var part484 = // "Pattern{Constant('no HA '), Field(fld2,true), Constant(' channel available ('), Field(fld3,true), Constant(' used by other channel)')}" -match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ +var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ dup117, dup2, dup3, @@ -7198,8 +6445,7 @@ match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel avail var msg289 = msg("00015:15", part484); -var part485 = // "Pattern{Constant('The NSRP configuration is out of synchronization between the local device and the peer device.'), Field(,false)}" -match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ +var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ dup18, dup2, dup3, @@ -7209,8 +6455,7 @@ match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out var msg290 = msg("00015:16", part485); -var part486 = // "Pattern{Constant('NSRP '), Field(change_attribute,true), Constant(' '), Field(change_old,true), Constant(' changed to link channel '), Field(change_new,false)}" -match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ +var part486 = match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -7220,8 +6465,7 @@ match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{ var msg291 = msg("00015:17", part486); -var part487 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' on peer device '), Field(fld2,true), Constant(' changed from '), Field(fld3,true), Constant(' to '), Field(fld4,true), Constant(' state.')}" -match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ +var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ dup121, dup2, dup3, @@ -7232,8 +6476,7 @@ match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} w var msg292 = msg("00015:18", part487); -var part488 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' on local device '), Field(fld2,false), Constant(', detected a duplicate direction on the peer device '), Field(fld3,false)}" -match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ +var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ dup18, dup2, dup3, @@ -7243,8 +6486,7 @@ match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} w var msg293 = msg("00015:19", part488); -var part489 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' changed on the local device from '), Field(fld2,true), Constant(' to up state, it had peer device '), Field(fld3,false)}" -match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ +var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -7254,14 +6496,11 @@ match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} w var msg294 = msg("00015:20", part489); -var part490 = // "Pattern{Constant('Peer device '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); +var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); -var part491 = // "Pattern{Constant('disappeared '), Field(p0,false)}" -match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); +var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); -var part492 = // "Pattern{Constant('was discovered '), Field(p0,false)}" -match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); +var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); var select111 = linear_select([ part491, @@ -7285,14 +6524,11 @@ var all93 = all_match({ var msg295 = msg("00015:21", all93); -var part493 = // "Pattern{Constant('The local '), Field(p0,false)}" -match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); +var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); -var part494 = // "Pattern{Constant('The peer '), Field(p0,false)}" -match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); +var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); -var part495 = // "Pattern{Constant('Peer '), Field(p0,false)}" -match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}"); +var part495 = match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}"); var select112 = linear_select([ part493, @@ -7300,14 +6536,13 @@ var select112 = linear_select([ part495, ]); -var part496 = // "Pattern{Constant('device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed '), Field(change_attribute,true), Constant(' from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); +var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); var all94 = all_match({ processors: [ select112, part496, - dup356, + dup354, ], on_success: processor_chain([ dup44, @@ -7321,8 +6556,7 @@ var all94 = all_match({ var msg296 = msg("00015:22", all94); -var part497 = // "Pattern{Constant('WebAuth is set to '), Field(fld2,false)}" -match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ +var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -7332,8 +6566,7 @@ match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", p var msg297 = msg("00015:23", part497); -var part498 = // "Pattern{Constant('Default firewall authentication server has been changed to '), Field(hostname,false)}" -match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ +var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ dup1, dup2, dup3, @@ -7343,8 +6576,7 @@ match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authenticati var msg298 = msg("00015:24", part498); -var part499 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' attempted to verify the encrypted password '), Field(fld2,false), Constant('. Verification was successful')}" -match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ +var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ setc("eventcategory","1613050100"), dup2, dup3, @@ -7354,8 +6586,7 @@ match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} var msg299 = msg("00015:25", part499); -var part500 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' attempted to verify the encrypted password '), Field(fld2,false), Constant('. Verification failed')}" -match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([ +var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([ dup97, dup2, dup3, @@ -7365,14 +6596,11 @@ match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} var msg300 = msg("00015:29", part500); -var part501 = // "Pattern{Constant('unit '), Field(fld2,true), Constant(' just dis'), Field(p0,false)}" -match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); +var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); -var part502 = // "Pattern{Constant('appeared'), Field(,false)}" -match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); +var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); -var part503 = // "Pattern{Constant('covered'), Field(,false)}" -match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); +var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); var select113 = linear_select([ part502, @@ -7395,8 +6623,7 @@ var all95 = all_match({ var msg301 = msg("00015:26", all95); -var part504 = // "Pattern{Constant('NSRP: HA data channel change to '), Field(interface,false), Constant('. ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ +var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ dup44, dup2, dup3, @@ -7407,8 +6634,7 @@ match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change var msg302 = msg("00015:33", part504); -var part505 = // "Pattern{Constant('NSRP: '), Field(fld2,false)}" -match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ +var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -7418,8 +6644,7 @@ match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_cha var msg303 = msg("00015:27", part505); -var part506 = // "Pattern{Constant('Auth server '), Field(hostname,true), Constant(' RADIUS retry timeout has been set to default of '), Field(fld2,false)}" -match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ +var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -7429,16 +6654,14 @@ match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RAD var msg304 = msg("00015:28", part506); -var part507 = // "Pattern{Constant('Number of RADIUS retries for auth server '), Field(hostname,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); +var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); -var part508 = // "Pattern{Constant('set to '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); +var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); var all96 = all_match({ processors: [ part507, - dup357, + dup355, part508, ], on_success: processor_chain([ @@ -7453,8 +6676,7 @@ var all96 = all_match({ var msg305 = msg("00015:30", all96); -var part509 = // "Pattern{Constant('Forced timeout for Auth server '), Field(hostname,true), Constant(' is unset to its default value, '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ +var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -7465,8 +6687,7 @@ match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth serve var msg306 = msg("00015:31", part509); -var part510 = // "Pattern{Constant('Accounting port of server RADIUS is set to '), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ +var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ dup50, dup43, dup51, @@ -7515,8 +6736,7 @@ var select114 = linear_select([ msg307, ]); -var part511 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup147, dup148, dup149, @@ -7531,8 +6751,7 @@ match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{spo var msg308 = msg("00016", part511); -var part512 = // "Pattern{Constant('Address VIP ('), Field(fld2,false), Constant(') for '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ +var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ dup1, dup148, dup149, @@ -7545,8 +6764,7 @@ match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{f var msg309 = msg("00016:01", part512); -var part513 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(') has been '), Field(disposition,false)}" -match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ +var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ dup1, dup148, dup149, @@ -7559,8 +6777,7 @@ match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disp var msg310 = msg("00016:02", part513); -var part514 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ +var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ dup147, dup148, dup149, @@ -7573,8 +6790,7 @@ match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{ var msg311 = msg("00016:03", part514); -var part515 = // "Pattern{Constant('VIP multi-port was '), Field(disposition,false)}" -match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ +var part515 = match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7584,8 +6800,7 @@ match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposit var msg312 = msg("00016:05", part515); -var part516 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup147, dup148, dup149, @@ -7600,13 +6815,12 @@ match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detecte var msg313 = msg("00016:06", part516); -var part517 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' ( zone '), Field(p0,false)}" -match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); +var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); var all97 = all_match({ processors: [ part517, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -7626,8 +6840,7 @@ var all97 = all_match({ var msg314 = msg("00016:07", all97); -var part518 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' HTTP '), Field(fld4,false), Constant(') Modify by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ setc("eventcategory","1001020305"), dup2, dup3, @@ -7638,8 +6851,7 @@ match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP % var msg315 = msg("00016:08", part518); -var part519 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' HTTP '), Field(fld4,false), Constant(') New by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ setc("eventcategory","1001030305"), dup2, dup3, @@ -7662,8 +6874,7 @@ var select115 = linear_select([ msg316, ]); -var part520 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup151, dup2, dup3, @@ -7674,22 +6885,18 @@ match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{spo var msg317 = msg("00017", part520); -var part521 = // "Pattern{Constant('Gateway '), Field(fld2,true), Constant(' at '), Field(fld3,true), Constant(' in '), Field(fld5,true), Constant(' mode with ID '), Field(p0,false)}" -match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); +var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); -var part522 = // "Pattern{Constant('['), Field(fld4,false), Constant('] '), Field(p0,false)}" -match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); +var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); -var part523 = // "Pattern{Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); +var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); var select116 = linear_select([ part522, part523, ]); -var part524 = // "Pattern{Constant('has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(fld,false)}" -match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); +var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); var all98 = all_match({ processors: [ @@ -7708,28 +6915,24 @@ var all98 = all_match({ var msg318 = msg("00017:23", all98); -var part525 = // "Pattern{Field(fld1,false), Constant(': Gateway '), Field(p0,false)}" -match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); +var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); -var part526 = // "Pattern{Constant('Gateway '), Field(p0,false)}" -match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); +var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); var select117 = linear_select([ part525, part526, ]); -var part527 = // "Pattern{Constant(''), Field(fld2,true), Constant(' at '), Field(fld3,true), Constant(' in '), Field(fld5,true), Constant(' mode with ID'), Field(p0,false)}" -match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); +var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); -var part528 = // "Pattern{Constant(''), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); +var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); var all99 = all_match({ processors: [ select117, part527, - dup358, + dup356, part528, ], on_success: processor_chain([ @@ -7743,8 +6946,7 @@ var all99 = all_match({ var msg319 = msg("00017:01", all99); -var part529 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Gateway settings have been '), Field(disposition,false)}" -match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ +var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7754,8 +6956,7 @@ match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settin var msg320 = msg("00017:02", part529); -var part530 = // "Pattern{Constant('IKE key '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ +var part530 = match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7765,13 +6966,12 @@ match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{ var msg321 = msg("00017:03", part530); -var part531 = // "Pattern{Constant(''), Field(group_object,true), Constant(' with range '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); +var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); var all100 = all_match({ processors: [ dup153, - dup359, + dup357, part531, ], on_success: processor_chain([ @@ -7785,8 +6985,7 @@ var all100 = all_match({ var msg322 = msg("00017:04", all100); -var part532 = // "Pattern{Constant('IPSec NAT-T for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ +var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7796,14 +6995,11 @@ match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group-> var msg323 = msg("00017:05", part532); -var part533 = // "Pattern{Constant('The DF-BIT for VPN '), Field(group,true), Constant(' has been set to '), Field(p0,false)}" -match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); +var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); -var part534 = // "Pattern{Constant('clear '), Field(p0,false)}" -match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); +var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); -var part535 = // "Pattern{Constant('copy '), Field(p0,false)}" -match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); +var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); var select118 = linear_select([ part534, @@ -7828,20 +7024,15 @@ var all101 = all_match({ var msg324 = msg("00017:06", all101); -var part536 = // "Pattern{Constant('The DF-BIT for VPN '), Field(group,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); +var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); -var part537 = // "Pattern{Constant('clear'), Field(,false)}" -match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); +var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); -var part538 = // "Pattern{Constant('cleared'), Field(,false)}" -match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); +var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); -var part539 = // "Pattern{Constant('copy'), Field(,false)}" -match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); +var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); -var part540 = // "Pattern{Constant('copied'), Field(,false)}" -match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); +var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); var select119 = linear_select([ part537, @@ -7867,8 +7058,7 @@ var all102 = all_match({ var msg325 = msg("00017:07", all102); -var part541 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and SPI '), Field(fld3,false), Constant('/'), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ +var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7878,28 +7068,22 @@ match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway % var msg326 = msg("00017:08", part541); -var part542 = // "Pattern{Field(fld1,false), Constant(': VPN '), Field(p0,false)}" -match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); +var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); -var part543 = // "Pattern{Constant('VPN '), Field(p0,false)}" -match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); +var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); var select120 = linear_select([ part542, part543, ]); -var part544 = // "Pattern{Constant(''), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); +var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); -var part545 = // "Pattern{Constant('no-rekey '), Field(p0,false)}" -match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); +var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); -var part546 = // "Pattern{Constant('rekey, '), Field(p0,false)}" -match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); +var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); -var part547 = // "Pattern{Constant('rekey '), Field(p0,false)}" -match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); +var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); var select121 = linear_select([ part545, @@ -7907,14 +7091,11 @@ var select121 = linear_select([ part547, ]); -var part548 = // "Pattern{Constant('and p2-proposal '), Field(fld3,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); +var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); -var part549 = // "Pattern{Field(disposition,true), Constant(' from peer unit')}" -match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); +var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); -var part550 = // "Pattern{Field(disposition,true), Constant(' from host '), Field(saddr,false)}" -match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); +var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); var select122 = linear_select([ part549, @@ -7941,13 +7122,12 @@ var all103 = all_match({ var msg327 = msg("00017:09", all103); -var part551 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false), Constant('. Src IF '), Field(sinterface,true), Constant(' dst IP '), Field(daddr,true), Constant(' with rekeying '), Field(p0,false)}" -match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); +var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); var all104 = all_match({ processors: [ part551, - dup360, + dup358, dup116, ], on_success: processor_chain([ @@ -7961,8 +7141,7 @@ var all104 = all_match({ var msg328 = msg("00017:10", all104); -var part552 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ +var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -7972,11 +7151,9 @@ match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{grou var msg329 = msg("00017:11", part552); -var part553 = // "Pattern{Constant('VPN monitoring '), Field(p0,false)}" -match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); +var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); -var part554 = // "Pattern{Constant('frequency '), Field(p0,false)}" -match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); +var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); var select123 = linear_select([ dup109, @@ -7989,7 +7166,7 @@ var all105 = all_match({ part553, select123, dup127, - dup361, + dup359, ], on_success: processor_chain([ dup1, @@ -8002,8 +7179,7 @@ var all105 = all_match({ var msg330 = msg("00017:12", all105); -var part555 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal '), Field(fld3,true), Constant(' has been added by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8014,8 +7190,7 @@ match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway % var msg331 = msg("00017:26", part555); -var part556 = // "Pattern{Constant('No IP pool has been assigned. You cannot allocate an IP address.'), Field(,false)}" -match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ +var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ dup18, dup2, dup3, @@ -8025,8 +7200,7 @@ match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. var msg332 = msg("00017:13", part556); -var part557 = // "Pattern{Constant('P1 proposal '), Field(fld2,true), Constant(' with '), Field(protocol_detail,false), Constant(', DH group '), Field(group,false), Constant(', ESP '), Field(encryption_type,false), Constant(', auth '), Field(authmethod,false), Constant(', and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8037,16 +7211,14 @@ match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{ var msg333 = msg("00017:14", part557); -var part558 = // "Pattern{Constant('P2 proposal '), Field(fld2,true), Constant(' with DH group '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); +var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); -var part559 = // "Pattern{Constant(''), Field(encryption_type,true), Constant(' auth '), Field(authmethod,true), Constant(' and lifetime ('), Field(fld3,false), Constant(') ('), Field(fld4,false), Constant(') has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); +var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); var all106 = all_match({ processors: [ part558, - dup362, + dup360, part559, ], on_success: processor_chain([ @@ -8060,16 +7232,14 @@ var all106 = all_match({ var msg334 = msg("00017:15", all106); -var part560 = // "Pattern{Constant('P1 proposal '), Field(fld2,true), Constant(' with '), Field(protocol_detail,true), Constant(' DH group '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); +var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); -var part561 = // "Pattern{Constant(''), Field(encryption_type,true), Constant(' auth '), Field(authmethod,true), Constant(' and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); +var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); var all107 = all_match({ processors: [ part560, - dup362, + dup360, part561, ], on_success: processor_chain([ @@ -8083,13 +7253,12 @@ var all107 = all_match({ var msg335 = msg("00017:31", all107); -var part562 = // "Pattern{Constant('vpnmonitor interval is '), Field(p0,false)}" -match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); +var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); var all108 = all_match({ processors: [ part562, - dup361, + dup359, ], on_success: processor_chain([ dup1, @@ -8102,8 +7271,7 @@ var all108 = all_match({ var msg336 = msg("00017:16", all108); -var part563 = // "Pattern{Constant('vpnmonitor threshold is '), Field(p0,false)}" -match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); +var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); var select124 = linear_select([ dup99, @@ -8126,13 +7294,12 @@ var all109 = all_match({ var msg337 = msg("00017:17", all109); -var part564 = // "Pattern{Constant(''), Field(group_object,true), Constant(' with range '), Field(fld2,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); +var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); var all110 = all_match({ processors: [ dup153, - dup359, + dup357, part564, ], on_success: processor_chain([ @@ -8148,16 +7315,14 @@ var all110 = all_match({ var msg338 = msg("00017:18", all110); -var part565 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at '), Field(p0,false)}" -match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); +var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); -var part566 = // "Pattern{Field(,true), Constant(' '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); +var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); var all111 = all_match({ processors: [ part565, - dup339, + dup337, part566, ], on_success: processor_chain([ @@ -8175,7 +7340,7 @@ var msg339 = msg("00017:19", all111); var all112 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -8191,8 +7356,7 @@ var all112 = all_match({ var msg340 = msg("00017:20", all112); -var part567 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup151, dup2, dup3, @@ -8203,8 +7367,7 @@ match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} var msg341 = msg("00017:21", part567); -var part568 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8215,8 +7378,7 @@ match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway % var msg342 = msg("00017:22", part568); -var part569 = // "Pattern{Constant('VPN "'), Field(group,false), Constant('" has been bound to tunnel interface '), Field(interface,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([ +var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8227,8 +7389,7 @@ match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bou var msg343 = msg("00017:24", part569); -var part570 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal standard has been added by admin '), Field(administrator,true), Constant(' via NSRP Peer ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ +var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8239,8 +7400,7 @@ match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway % var msg344 = msg("00017:25", part570); -var part571 = // "Pattern{Constant('P2 proposal '), Field(fld2,true), Constant(' with DH group '), Field(group,false), Constant(', ESP, enc '), Field(encryption_type,false), Constant(', auth '), Field(authmethod,false), Constant(', and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8251,8 +7411,7 @@ match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH var msg345 = msg("00017:28", part571); -var part572 = // "Pattern{Constant('L2TP "'), Field(fld2,false), Constant('", all-L2TP-users secret "'), Field(fld3,false), Constant('" keepalive '), Field(fld4,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup1, dup2, dup4, @@ -8295,8 +7454,7 @@ var select125 = linear_select([ msg346, ]); -var part573 = // "Pattern{Constant('Positions of policies '), Field(fld2,true), Constant(' and '), Field(fld3,true), Constant(' have been exchanged')}" -match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ +var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ dup1, dup2, dup3, @@ -8306,8 +7464,7 @@ match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} var msg347 = msg("00018", part573); -var part574 = // "Pattern{Constant('Deny Policy Alarm'), Field(,false)}" -match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ +var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ setc("eventcategory","1502010000"), dup2, dup4, @@ -8317,31 +7474,17 @@ match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", proces var msg348 = msg("00018:01", part574); -var part575 = // "Pattern{Constant('Device'), Field(p0,false)}" -match("MESSAGE#347:00018:02/0", "nwparser.payload", "Device%{p0}"); - -var part576 = // "Pattern{Constant('s '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#347:00018:02/2", "nwparser.p0", "s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}"); - -var all113 = all_match({ - processors: [ - part575, - dup363, - part576, - ], - on_success: processor_chain([ - dup1, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); -var msg349 = msg("00018:02", all113); +var msg349 = msg("00018:02", part575); -var part577 = // "Pattern{Field(fld2,true), Constant(' Policy ('), Field(policy_id,false), Constant(', '), Field(info,true), Constant(' ) was '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8350,10 +7493,9 @@ match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id dup5, ])); -var msg350 = msg("00018:04", part577); +var msg350 = msg("00018:04", part576); -var part578 = // "Pattern{Field(fld2,true), Constant(' Policy ('), Field(policy_id,false), Constant(', '), Field(info,true), Constant(' ) was '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer')}" -match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ +var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ dup17, dup2, dup3, @@ -8361,30 +7503,26 @@ match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id dup5, ])); -var msg351 = msg("00018:16", part578); +var msg351 = msg("00018:16", part577); -var part579 = // "Pattern{Field(fld2,true), Constant(' Policy '), Field(policy_id,true), Constant(' has been moved '), Field(p0,false)}" -match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); +var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); -var part580 = // "Pattern{Constant('before '), Field(p0,false)}" -match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); +var part579 = match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); -var part581 = // "Pattern{Constant('after '), Field(p0,false)}" -match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); +var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); var select126 = linear_select([ + part579, part580, - part581, ]); -var part582 = // "Pattern{Constant(''), Field(fld3,true), Constant(' by admin '), Field(administrator,false)}" -match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); +var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); -var all114 = all_match({ +var all113 = all_match({ processors: [ - part579, + part578, select126, - part582, + part581, ], on_success: processor_chain([ dup17, @@ -8395,10 +7533,9 @@ var all114 = all_match({ ]), }); -var msg352 = msg("00018:06", all114); +var msg352 = msg("00018:06", all113); -var part583 = // "Pattern{Constant('Policy '), Field(policy_id,true), Constant(' application was modified to '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8407,10 +7544,9 @@ match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} applica dup5, ])); -var msg353 = msg("00018:08", part583); +var msg353 = msg("00018:08", part582); -var part584 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup3, dup2, @@ -8419,30 +7555,26 @@ match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info} dup5, ])); -var msg354 = msg("00018:09", part584); +var msg354 = msg("00018:09", part583); -var part585 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(p0,false)}" -match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); +var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); -var part586 = // "Pattern{Field(disposition,true), Constant(' from peer unit by '), Field(p0,false)}" -match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); +var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); -var part587 = // "Pattern{Field(disposition,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); +var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); var select127 = linear_select([ + part585, part586, - part587, ]); -var part588 = // "Pattern{Field(username,true), Constant(' via '), Field(interface,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); +var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); -var all115 = all_match({ +var all114 = all_match({ processors: [ - part585, + part584, select127, - part588, + part587, ], on_success: processor_chain([ dup17, @@ -8454,35 +7586,31 @@ var all115 = all_match({ ]), }); -var msg355 = msg("00018:10", all115); +var msg355 = msg("00018:10", all114); -var part589 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}"); +var part588 = match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}"); -var part590 = // "Pattern{Constant('Attack group '), Field(signame,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); +var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); var select128 = linear_select([ + part588, part589, - part590, ]); -var part591 = // "Pattern{Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); +var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); -var part592 = // "Pattern{Constant('to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); +var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); var select129 = linear_select([ - part592, + part591, dup16, ]); -var all116 = all_match({ +var all115 = all_match({ processors: [ - dup162, + dup160, select128, - part591, + part590, select129, dup10, ], @@ -8496,34 +7624,29 @@ var all116 = all_match({ ]), }); -var msg356 = msg("00018:11", all116); +var msg356 = msg("00018:11", all115); -var part593 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the '), Field(p0,false)}" -match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); +var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); -var part594 = // "Pattern{Constant('application '), Field(p0,false)}" -match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); +var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); -var part595 = // "Pattern{Constant('attack severity '), Field(p0,false)}" -match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); +var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); -var part596 = // "Pattern{Constant('DI attack component '), Field(p0,false)}" -match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); +var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); var select130 = linear_select([ + part593, part594, part595, - part596, ]); -var part597 = // "Pattern{Constant('was modified by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); +var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); -var all117 = all_match({ +var all116 = all_match({ processors: [ - part593, + part592, select130, - part597, + part596, ], on_success: processor_chain([ dup17, @@ -8535,17 +7658,16 @@ var all117 = all_match({ ]), }); -var msg357 = msg("00018:12", all117); +var msg357 = msg("00018:12", all116); -var part598 = // "Pattern{Field(,false), Constant('address '), Field(dhost,false), Constant('('), Field(daddr,false), Constant(') was '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); +var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); -var all118 = all_match({ +var all117 = all_match({ processors: [ - dup364, - part598, - dup365, - dup166, + dup361, + part597, + dup362, + dup164, ], on_success: processor_chain([ dup17, @@ -8557,17 +7679,16 @@ var all118 = all_match({ ]), }); -var msg358 = msg("00018:32", all118); +var msg358 = msg("00018:32", all117); -var part599 = // "Pattern{Field(,false), Constant('address '), Field(dhost,true), Constant(' was '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); +var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); -var all119 = all_match({ +var all118 = all_match({ processors: [ - dup364, - part599, - dup365, - dup166, + dup361, + part598, + dup362, + dup164, ], on_success: processor_chain([ dup17, @@ -8579,24 +7700,22 @@ var all119 = all_match({ ]), }); -var msg359 = msg("00018:22", all119); +var msg359 = msg("00018:22", all118); -var part600 = // "Pattern{Field(agent,true), Constant(' was '), Field(disposition,true), Constant(' from policy '), Field(policy_id,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); +var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); var select131 = linear_select([ dup78, dup77, ]); -var part601 = // "Pattern{Constant('address by admin '), Field(administrator,true), Constant(' via NSRP Peer')}" -match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); +var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); -var all120 = all_match({ +var all119 = all_match({ processors: [ - part600, + part599, select131, - part601, + part600, ], on_success: processor_chain([ dup17, @@ -8607,50 +7726,42 @@ var all120 = all_match({ ]), }); -var msg360 = msg("00018:15", all120); +var msg360 = msg("00018:15", all119); -var part602 = // "Pattern{Field(agent,true), Constant(' was '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); +var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); -var part603 = // "Pattern{Constant('to'), Field(p0,false)}" -match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); +var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); -var part604 = // "Pattern{Constant('from'), Field(p0,false)}" -match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); +var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); var select132 = linear_select([ + part602, part603, - part604, ]); -var part605 = // "Pattern{Field(,false), Constant('policy '), Field(policy_id,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); +var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); -var part606 = // "Pattern{Constant('service '), Field(p0,false)}" -match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); +var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); -var part607 = // "Pattern{Constant('source address '), Field(p0,false)}" -match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); +var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); -var part608 = // "Pattern{Constant('destination address '), Field(p0,false)}" -match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); +var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); var select133 = linear_select([ + part605, part606, part607, - part608, ]); -var part609 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); +var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); -var all121 = all_match({ +var all120 = all_match({ processors: [ - part602, + part601, select132, - part605, + part604, select133, - part609, + part608, ], on_success: processor_chain([ dup17, @@ -8662,10 +7773,9 @@ var all121 = all_match({ ]), }); -var msg361 = msg("00018:14", all121); +var msg361 = msg("00018:14", all120); -var part610 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ +var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8674,10 +7784,9 @@ match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{di dup5, ])); -var msg362 = msg("00018:29", part610); +var msg362 = msg("00018:29", part609); -var part611 = // "Pattern{Field(agent,true), Constant(' was added to policy '), Field(policy_id,true), Constant(' '), Field(rule_group,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer '), Field(space,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ +var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8686,10 +7795,9 @@ match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to polic dup5, ])); -var msg363 = msg("00018:07", part611); +var msg363 = msg("00018:07", part610); -var part612 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8698,10 +7806,9 @@ match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{di dup5, ])); -var msg364 = msg("00018:18", part612); +var msg364 = msg("00018:18", part611); -var part613 = // "Pattern{Constant('AntiSpam ns-profile was '), Field(disposition,true), Constant(' from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8710,10 +7817,9 @@ match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{dis dup5, ])); -var msg365 = msg("00018:17", part613); +var msg365 = msg("00018:17", part612); -var part614 = // "Pattern{Constant('Source address Info '), Field(info,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8722,52 +7828,45 @@ match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} dup5, ])); -var msg366 = msg("00018:19", part614); +var msg366 = msg("00018:19", part613); -var part615 = // "Pattern{Constant('Destination '), Field(p0,false)}" -match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); +var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); -var part616 = // "Pattern{Constant('Source '), Field(p0,false)}" -match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); +var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); var select134 = linear_select([ + part614, part615, - part616, ]); -var part617 = // "Pattern{Constant('address '), Field(info,true), Constant(' was added to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); +var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); -var part618 = // "Pattern{Constant('from host '), Field(p0,false)}" -match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); +var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); var select135 = linear_select([ - part618, + part617, dup103, ]); -var part619 = // "Pattern{Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); +var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); -var part620 = // "Pattern{Field(daddr,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); +var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); var select136 = linear_select([ + part618, part619, - part620, ]); -var part621 = // "Pattern{Field(dport,false), Constant(':('), Field(fld1,false), Constant(')')}" -match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); +var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); -var all122 = all_match({ +var all121 = all_match({ processors: [ select134, - part617, + part616, select135, dup23, select136, - part621, + part620, ], on_success: processor_chain([ dup17, @@ -8779,10 +7878,9 @@ var all122 = all_match({ ]), }); -var msg367 = msg("00018:23", all122); +var msg367 = msg("00018:23", all121); -var part622 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was deleted from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8791,10 +7889,9 @@ match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was dele dup5, ])); -var msg368 = msg("00018:21", part622); +var msg368 = msg("00018:21", part621); -var part623 = // "Pattern{Constant('Policy ('), Field(policyname,false), Constant(') was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -8803,15 +7900,14 @@ match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{ dup5, ])); -var msg369 = msg("00018:24", part623); +var msg369 = msg("00018:24", part622); -var part624 = // "Pattern{Field(,false), Constant('address '), Field(info,true), Constant(' was added to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); +var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); -var all123 = all_match({ +var all122 = all_match({ processors: [ - dup366, - part624, + dup363, + part623, ], on_success: processor_chain([ dup17, @@ -8823,15 +7919,14 @@ var all123 = all_match({ ]), }); -var msg370 = msg("00018:25", all123); +var msg370 = msg("00018:25", all122); -var part625 = // "Pattern{Field(,false), Constant('address '), Field(info,true), Constant(' was deleted from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); +var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); -var all124 = all_match({ +var all123 = all_match({ processors: [ - dup366, - part625, + dup363, + part624, ], on_success: processor_chain([ dup17, @@ -8843,23 +7938,21 @@ var all124 = all_match({ ]), }); -var msg371 = msg("00018:30", all124); +var msg371 = msg("00018:30", all123); -var part626 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the application was modified to '), Field(disposition,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); +var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); -var part627 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); +var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); var select137 = linear_select([ dup48, - part627, + part626, ]); -var all125 = all_match({ +var all124 = all_match({ processors: [ - part626, - dup367, + part625, + dup364, select137, dup41, ], @@ -8873,10 +7966,9 @@ var all125 = all_match({ ]), }); -var msg372 = msg("00018:26", all125); +var msg372 = msg("00018:26", all124); -var part628 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the DI attack component was modified by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup17, dup2, dup4, @@ -8884,10 +7976,9 @@ match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the D dup9, ])); -var msg373 = msg("00018:27", part628); +var msg373 = msg("00018:27", part627); -var part629 = // "Pattern{Constant('In policy '), Field(policyname,false), Constant(', the DI attack component was modified by admin '), Field(administrator,true), Constant(' via '), Field(logon_type,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ +var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ dup17, dup2, dup4, @@ -8896,10 +7987,9 @@ match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the setc("info","the DI attack component was modified"), ])); -var msg374 = msg("00018:28", part629); +var msg374 = msg("00018:28", part628); -var part630 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(disposition,false)}" -match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ +var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ dup17, dup2, dup3, @@ -8907,10 +7997,9 @@ match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info} dup5, ])); -var msg375 = msg("00018:03", part630); +var msg375 = msg("00018:03", part629); -var part631 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the option '), Field(fld2,true), Constant(' was '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ +var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -8919,7 +8008,7 @@ match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the dup5, ])); -var msg376 = msg("00018:31", part631); +var msg376 = msg("00018:31", part630); var select138 = linear_select([ msg347, @@ -8954,8 +8043,7 @@ var select138 = linear_select([ msg376, ]); -var part632 = // "Pattern{Constant('Attempt to enable WebTrends has '), Field(disposition,true), Constant(' because WebTrends settings have not yet been configured')}" -match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ +var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ dup18, dup2, dup3, @@ -8963,16 +8051,15 @@ match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has dup5, ])); -var msg377 = msg("00019", part632); +var msg377 = msg("00019", part631); -var part633 = // "Pattern{Constant('has '), Field(disposition,true), Constant(' because syslog settings have not yet been configured')}" -match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); +var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); -var all126 = all_match({ +var all125 = all_match({ processors: [ - dup167, - dup368, - part633, + dup165, + dup365, + part632, ], on_success: processor_chain([ dup1, @@ -8983,25 +8070,22 @@ var all126 = all_match({ ]), }); -var msg378 = msg("00019:01", all126); +var msg378 = msg("00019:01", all125); -var part634 = // "Pattern{Constant('Socket cannot be assigned for '), Field(p0,false)}" -match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}"); +var part633 = match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}"); -var part635 = // "Pattern{Constant('WebTrends'), Field(,false)}" -match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); +var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); -var part636 = // "Pattern{Constant('syslog'), Field(,false)}" -match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); +var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); var select139 = linear_select([ + part634, part635, - part636, ]); -var all127 = all_match({ +var all126 = all_match({ processors: [ - part634, + part633, select139, ], on_success: processor_chain([ @@ -9013,10 +8097,9 @@ var all127 = all_match({ ]), }); -var msg379 = msg("00019:02", all127); +var msg379 = msg("00019:02", all126); -var part637 = // "Pattern{Constant('Syslog VPN encryption has been '), Field(disposition,false)}" -match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ +var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ dup91, dup2, dup3, @@ -9024,27 +8107,27 @@ match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has bee dup5, ])); -var msg380 = msg("00019:03", part637); +var msg380 = msg("00019:03", part636); var select140 = linear_select([ - dup171, + dup169, dup78, ]); var select141 = linear_select([ dup139, - dup172, + dup170, dup137, dup122, ]); -var all128 = all_match({ +var all127 = all_match({ processors: [ - dup170, + dup168, select140, dup23, select141, - dup173, + dup171, ], on_success: processor_chain([ dup1, @@ -9055,36 +8138,28 @@ var all128 = all_match({ ]), }); -var msg381 = msg("00019:04", all128); +var msg381 = msg("00019:04", all127); -var part638 = // "Pattern{Constant('Syslog message level has been changed to '), Field(p0,false)}" -match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); +var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); -var part639 = // "Pattern{Constant('debug'), Field(,false)}" -match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); +var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); -var part640 = // "Pattern{Constant('information'), Field(,false)}" -match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); +var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); -var part641 = // "Pattern{Constant('notification'), Field(,false)}" -match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); +var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); -var part642 = // "Pattern{Constant('warning'), Field(,false)}" -match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); +var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); -var part643 = // "Pattern{Constant('error'), Field(,false)}" -match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); +var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); -var part644 = // "Pattern{Constant('critical'), Field(,false)}" -match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); +var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); -var part645 = // "Pattern{Constant('alert'), Field(,false)}" -match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); +var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); -var part646 = // "Pattern{Constant('emergency'), Field(,false)}" -match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); +var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); var select142 = linear_select([ + part638, part639, part640, part641, @@ -9092,12 +8167,11 @@ var select142 = linear_select([ part643, part644, part645, - part646, ]); -var all129 = all_match({ +var all128 = all_match({ processors: [ - part638, + part637, select142, ], on_success: processor_chain([ @@ -9109,17 +8183,16 @@ var all129 = all_match({ ]), }); -var msg382 = msg("00019:05", all129); +var msg382 = msg("00019:05", all128); -var part647 = // "Pattern{Constant('has been changed to '), Field(p0,false)}" -match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); +var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); -var all130 = all_match({ +var all129 = all_match({ processors: [ - dup170, - dup369, - part647, - dup370, + dup168, + dup366, + part646, + dup367, ], on_success: processor_chain([ dup1, @@ -9130,10 +8203,9 @@ var all130 = all_match({ ]), }); -var msg383 = msg("00019:06", all130); +var msg383 = msg("00019:06", all129); -var part648 = // "Pattern{Constant('WebTrends VPN encryption has been '), Field(disposition,false)}" -match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ +var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ dup91, dup2, dup3, @@ -9141,10 +8213,9 @@ match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has dup5, ])); -var msg384 = msg("00019:07", part648); +var msg384 = msg("00019:07", part647); -var part649 = // "Pattern{Constant('WebTrends has been '), Field(disposition,false)}" -match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ +var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9152,22 +8223,21 @@ match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposit dup5, ])); -var msg385 = msg("00019:08", part649); +var msg385 = msg("00019:08", part648); -var part650 = // "Pattern{Constant('WebTrends host '), Field(p0,false)}" -match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); +var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); var select143 = linear_select([ dup139, - dup172, + dup170, dup137, ]); -var all131 = all_match({ +var all130 = all_match({ processors: [ - part650, + part649, select143, - dup173, + dup171, ], on_success: processor_chain([ dup1, @@ -9178,22 +8248,20 @@ var all131 = all_match({ ]), }); -var msg386 = msg("00019:09", all131); +var msg386 = msg("00019:09", all130); -var part651 = // "Pattern{Constant('Traffic logging via syslog '), Field(p0,false)}" -match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); +var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); -var part652 = // "Pattern{Constant('Syslog '), Field(p0,false)}" -match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); +var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); var select144 = linear_select([ + part650, part651, - part652, ]); -var all132 = all_match({ +var all131 = all_match({ processors: [ - dup185, + dup183, select144, dup138, ], @@ -9206,16 +8274,15 @@ var all132 = all_match({ ]), }); -var msg387 = msg("00019:10", all132); +var msg387 = msg("00019:10", all131); -var part653 = // "Pattern{Constant('has '), Field(disposition,true), Constant(' because there is no syslog server defined')}" -match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); +var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); -var all133 = all_match({ +var all132 = all_match({ processors: [ - dup167, - dup368, - part653, + dup165, + dup365, + part652, ], on_success: processor_chain([ dup18, @@ -9226,10 +8293,9 @@ var all133 = all_match({ ]), }); -var msg388 = msg("00019:11", all133); +var msg388 = msg("00019:11", all132); -var part654 = // "Pattern{Constant('Removing all syslog servers'), Field(,false)}" -match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ +var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ dup1, dup2, dup3, @@ -9237,24 +8303,22 @@ match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{ dup5, ])); -var msg389 = msg("00019:12", part654); +var msg389 = msg("00019:12", part653); -var part655 = // "Pattern{Constant('Syslog server '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); +var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); var select145 = linear_select([ dup107, dup106, ]); -var part656 = // "Pattern{Constant(''), Field(disposition,false)}" -match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); +var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); -var all134 = all_match({ +var all133 = all_match({ processors: [ - part655, + part654, select145, - part656, + part655, ], on_success: processor_chain([ dup1, @@ -9265,17 +8329,16 @@ var all134 = all_match({ ]), }); -var msg390 = msg("00019:13", all134); +var msg390 = msg("00019:13", all133); -var part657 = // "Pattern{Constant('for '), Field(hostip,true), Constant(' has been changed to '), Field(p0,false)}" -match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); +var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); -var all135 = all_match({ +var all134 = all_match({ processors: [ - dup170, - dup369, - part657, - dup370, + dup168, + dup366, + part656, + dup367, ], on_success: processor_chain([ dup50, @@ -9288,10 +8351,9 @@ var all135 = all_match({ ]), }); -var msg391 = msg("00019:14", all135); +var msg391 = msg("00019:14", all134); -var part658 = // "Pattern{Constant('Syslog cannot connect to the TCP server '), Field(hostip,false), Constant('; the connection is closed.')}" -match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ +var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ dup27, dup2, dup3, @@ -9299,10 +8361,9 @@ match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the dup5, ])); -var msg392 = msg("00019:15", part658); +var msg392 = msg("00019:15", part657); -var part659 = // "Pattern{Constant('All syslog servers were removed.'), Field(,false)}" -match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ +var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ setc("eventcategory","1701030000"), setc("ec_activity","Delete"), dup51, @@ -9312,10 +8373,9 @@ match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were remov dup5, ])); -var msg393 = msg("00019:16", part659); +var msg393 = msg("00019:16", part658); -var part660 = // "Pattern{Constant('Syslog server '), Field(hostip,true), Constant(' host port number has been changed to '), Field(network_port,true), Constant(' '), Field(fld5,false)}" -match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ +var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ dup50, dup43, dup51, @@ -9325,25 +8385,22 @@ match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} hos dup5, ])); -var msg394 = msg("00019:17", part660); +var msg394 = msg("00019:17", part659); -var part661 = // "Pattern{Constant('Traffic logging '), Field(p0,false)}" -match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); +var part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); -var part662 = // "Pattern{Constant('via syslog '), Field(p0,false)}" -match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); +var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); -var part663 = // "Pattern{Constant('for syslog server '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); +var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); var select146 = linear_select([ + part661, part662, - part663, ]); -var all136 = all_match({ +var all135 = all_match({ processors: [ - part661, + part660, select146, dup138, ], @@ -9356,10 +8413,9 @@ var all136 = all_match({ ]), }); -var msg395 = msg("00019:18", all136); +var msg395 = msg("00019:18", all135); -var part664 = // "Pattern{Constant('Transport protocol for syslog server '), Field(hostip,true), Constant(' was changed to udp')}" -match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ +var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ dup50, dup43, dup51, @@ -9369,10 +8425,9 @@ match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog dup5, ])); -var msg396 = msg("00019:19", part664); +var msg396 = msg("00019:19", part663); -var part665 = // "Pattern{Constant('The traffic/IDP syslog is enabled on backup device by netscreen via web from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ +var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ dup50, dup43, dup51, @@ -9382,7 +8437,7 @@ match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is ena dup5, ])); -var msg397 = msg("00019:20", part665); +var msg397 = msg("00019:20", part664); var select147 = linear_select([ msg377, @@ -9408,8 +8463,7 @@ var select147 = linear_select([ msg397, ]); -var part666 = // "Pattern{Constant('Schedule '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ +var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9417,42 +8471,37 @@ match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{di dup5, ])); -var msg398 = msg("00020", part666); +var msg398 = msg("00020", part665); -var part667 = // "Pattern{Constant('System memory is low '), Field(p0,false)}" -match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); +var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); -var part668 = // "Pattern{Constant('( '), Field(p0,false)}" -match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); +var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); var select148 = linear_select([ dup152, - part668, + part667, ]); -var part669 = // "Pattern{Constant(''), Field(fld2,true), Constant(' bytes allocated out of '), Field(p0,false)}" -match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); +var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); -var part670 = // "Pattern{Constant('total '), Field(fld3,true), Constant(' bytes')}" -match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); +var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); -var part671 = // "Pattern{Field(fld4,true), Constant(' bytes total')}" -match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); +var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); var select149 = linear_select([ + part669, part670, - part671, ]); -var all137 = all_match({ +var all136 = all_match({ processors: [ - part667, + part666, select148, - part669, + part668, select149, ], on_success: processor_chain([ - dup186, + dup184, dup2, dup3, dup4, @@ -9460,18 +8509,17 @@ var all137 = all_match({ ]), }); -var msg399 = msg("00020:01", all137); +var msg399 = msg("00020:01", all136); -var part672 = // "Pattern{Constant('System memory is low ('), Field(fld2,true), Constant(' allocated out of '), Field(fld3,true), Constant(' ) '), Field(fld4,true), Constant(' times in '), Field(fld5,false)}" -match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ - dup186, +var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ + dup184, dup2, dup3, dup4, dup5, ])); -var msg400 = msg("00020:02", part672); +var msg400 = msg("00020:02", part671); var select150 = linear_select([ msg398, @@ -9479,8 +8527,7 @@ var select150 = linear_select([ msg400, ]); -var part673 = // "Pattern{Constant('DIP '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ +var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9488,10 +8535,9 @@ match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposi dup5, ])); -var msg401 = msg("00021", part673); +var msg401 = msg("00021", part672); -var part674 = // "Pattern{Constant('IP pool '), Field(fld2,true), Constant(' with range '), Field(info,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ +var part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9499,10 +8545,9 @@ match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range dup5, ])); -var msg402 = msg("00021:01", part674); +var msg402 = msg("00021:01", part673); -var part675 = // "Pattern{Constant('DNS server is not configured'), Field(,false)}" -match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ +var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ dup18, dup2, dup3, @@ -9510,21 +8555,19 @@ match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured% dup5, ])); -var msg403 = msg("00021:02", part675); +var msg403 = msg("00021:02", part674); -var part676 = // "Pattern{Constant('Connection refused by the DNS server'), Field(,false)}" -match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ - dup187, +var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ + dup185, dup2, dup3, dup4, dup5, ])); -var msg404 = msg("00021:03", part676); +var msg404 = msg("00021:03", part675); -var part677 = // "Pattern{Constant('Unknown DNS error'), Field(,false)}" -match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ +var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ dup117, dup2, dup3, @@ -9532,10 +8575,9 @@ match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", proces dup5, ])); -var msg405 = msg("00021:04", part677); +var msg405 = msg("00021:04", part676); -var part678 = // "Pattern{Constant('DIP port-translatation stickiness was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ +var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -9544,10 +8586,9 @@ match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation sticki dup5, ])); -var msg406 = msg("00021:05", part678); +var msg406 = msg("00021:05", part677); -var part679 = // "Pattern{Constant('DIP port-translation stickiness was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ +var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ dup1, dup2, dup4, @@ -9556,7 +8597,7 @@ match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickine setc("info","DIP port-translation stickiness was modified"), ])); -var msg407 = msg("00021:06", part679); +var msg407 = msg("00021:06", part678); var select151 = linear_select([ msg401, @@ -9568,25 +8609,22 @@ var select151 = linear_select([ msg407, ]); -var part680 = // "Pattern{Constant('power supplies '), Field(p0,false)}" -match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); +var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); -var part681 = // "Pattern{Constant('fans '), Field(p0,false)}" -match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); +var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); var select152 = linear_select([ + part679, part680, - part681, ]); -var part682 = // "Pattern{Constant('are '), Field(fld2,true), Constant(' functioning properly')}" -match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly"); +var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly"); -var all138 = all_match({ +var all137 = all_match({ processors: [ - dup188, + dup186, select152, - part682, + part681, ], on_success: processor_chain([ dup44, @@ -9597,34 +8635,30 @@ var all138 = all_match({ ]), }); -var msg408 = msg("00022", all138); +var msg408 = msg("00022", all137); -var part683 = // "Pattern{Constant('At least one power supply '), Field(p0,false)}" -match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); +var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); -var part684 = // "Pattern{Constant('The power supply '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); +var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); -var part685 = // "Pattern{Constant('At least one fan '), Field(p0,false)}" -match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); +var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); var select153 = linear_select([ + part682, part683, part684, - part685, ]); -var part686 = // "Pattern{Constant('is not functioning properly'), Field(p0,false)}" -match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); +var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); -var all139 = all_match({ +var all138 = all_match({ processors: [ select153, - part686, - dup371, + part685, + dup368, ], on_success: processor_chain([ - dup189, + dup187, dup2, dup3, dup9, @@ -9633,10 +8667,9 @@ var all139 = all_match({ ]), }); -var msg409 = msg("00022:01", all139); +var msg409 = msg("00022:01", all138); -var part687 = // "Pattern{Constant('Global Manager VPN management tunnel has been '), Field(disposition,false)}" -match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ +var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9644,10 +8677,9 @@ match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management dup5, ])); -var msg410 = msg("00022:02", part687); +var msg410 = msg("00022:02", part686); -var part688 = // "Pattern{Constant('Global Manager domain name has been defined as '), Field(domain,false)}" -match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ +var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ dup1, dup2, dup3, @@ -9655,38 +8687,32 @@ match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name ha dup5, ])); -var msg411 = msg("00022:03", part688); +var msg411 = msg("00022:03", part687); -var part689 = // "Pattern{Constant('Reporting of the '), Field(p0,false)}" -match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); +var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); -var part690 = // "Pattern{Constant('network activities '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); +var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); -var part691 = // "Pattern{Constant('device resources '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); +var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); -var part692 = // "Pattern{Constant('event logs '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); +var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); -var part693 = // "Pattern{Constant('summary logs '), Field(p0,false)}" -match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); +var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); var select154 = linear_select([ + part689, part690, part691, part692, - part693, ]); -var part694 = // "Pattern{Constant('to Global Manager has been '), Field(disposition,false)}" -match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); +var part693 = match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); -var all140 = all_match({ +var all139 = all_match({ processors: [ - part689, + part688, select154, - part694, + part693, ], on_success: processor_chain([ dup1, @@ -9697,10 +8723,9 @@ var all140 = all_match({ ]), }); -var msg412 = msg("00022:04", all140); +var msg412 = msg("00022:04", all139); -var part695 = // "Pattern{Constant('Global Manager has been '), Field(disposition,false)}" -match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ +var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -9708,30 +8733,26 @@ match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{dis dup5, ])); -var msg413 = msg("00022:05", part695); +var msg413 = msg("00022:05", part694); -var part696 = // "Pattern{Constant('Global Manager '), Field(p0,false)}" -match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); +var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); -var part697 = // "Pattern{Constant('report '), Field(p0,false)}" -match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); +var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); -var part698 = // "Pattern{Constant('listen '), Field(p0,false)}" -match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); +var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); var select155 = linear_select([ + part696, part697, - part698, ]); -var part699 = // "Pattern{Constant('port has been set to '), Field(interface,false)}" -match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); +var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); -var all141 = all_match({ +var all140 = all_match({ processors: [ - part696, + part695, select155, - part699, + part698, ], on_success: processor_chain([ dup1, @@ -9742,10 +8763,9 @@ var all141 = all_match({ ]), }); -var msg414 = msg("00022:06", all141); +var msg414 = msg("00022:06", all140); -var part700 = // "Pattern{Constant('The Global Manager keep-alive value has been changed to '), Field(fld2,false)}" -match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ +var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -9753,59 +8773,51 @@ match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive dup5, ])); -var msg415 = msg("00022:07", part700); +var msg415 = msg("00022:07", part699); -var part701 = // "Pattern{Constant('System temperature '), Field(p0,false)}" -match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); +var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); -var part702 = // "Pattern{Constant('System's temperature: '), Field(p0,false)}" -match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); +var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); -var part703 = // "Pattern{Constant('The system temperature '), Field(p0,false)}" -match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); +var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); var select156 = linear_select([ + part700, part701, part702, - part703, ]); -var part704 = // "Pattern{Constant('('), Field(fld2,true), Constant(' C'), Field(p0,false)}" -match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); +var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); -var part705 = // "Pattern{Constant('entigrade, '), Field(p0,false)}" -match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); +var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); var select157 = linear_select([ - part705, + part704, dup96, ]); -var part706 = // "Pattern{Constant(''), Field(fld3,true), Constant(' F'), Field(p0,false)}" -match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); +var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); -var part707 = // "Pattern{Constant('ahrenheit '), Field(p0,false)}" -match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); +var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); var select158 = linear_select([ - part707, + part706, dup96, ]); -var part708 = // "Pattern{Constant(') is too high'), Field(,false)}" -match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); +var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); -var all142 = all_match({ +var all141 = all_match({ processors: [ select156, - part704, + part703, select157, - part706, + part705, select158, - part708, + part707, ], on_success: processor_chain([ - dup190, + dup188, dup2, dup3, dup4, @@ -9813,29 +8825,27 @@ var all142 = all_match({ ]), }); -var msg416 = msg("00022:08", all142); +var msg416 = msg("00022:08", all141); -var part709 = // "Pattern{Constant('power supply is no'), Field(p0,false)}" -match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); +var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); var select159 = linear_select([ - dup193, - dup194, + dup191, + dup192, ]); -var part710 = // "Pattern{Constant('functioning properly'), Field(,false)}" -match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); +var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); -var all143 = all_match({ +var all142 = all_match({ processors: [ dup55, - dup372, - part709, + dup369, + part708, select159, - part710, + part709, ], on_success: processor_chain([ - dup190, + dup188, dup2, dup3, dup4, @@ -9843,25 +8853,22 @@ var all143 = all_match({ ]), }); -var msg417 = msg("00022:09", all143); +var msg417 = msg("00022:09", all142); -var part711 = // "Pattern{Constant('The NetScreen device was unable to upgrade the file system'), Field(p0,false)}" -match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); +var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); -var part712 = // "Pattern{Constant(' due to an internal conflict'), Field(,false)}" -match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); +var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); -var part713 = // "Pattern{Constant(', but the old file system is intact'), Field(,false)}" -match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); +var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); var select160 = linear_select([ + part711, part712, - part713, ]); -var all144 = all_match({ +var all143 = all_match({ processors: [ - part711, + part710, select160, ], on_success: processor_chain([ @@ -9873,25 +8880,22 @@ var all144 = all_match({ ]), }); -var msg418 = msg("00022:10", all144); +var msg418 = msg("00022:10", all143); -var part714 = // "Pattern{Constant('The NetScreen device was unable to upgrade '), Field(p0,false)}" -match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); +var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); -var part715 = // "Pattern{Constant('due to an internal conflict'), Field(,false)}" -match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); +var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); -var part716 = // "Pattern{Constant('the loader, but the loader is intact'), Field(,false)}" -match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}"); +var part715 = match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}"); var select161 = linear_select([ + part714, part715, - part716, ]); -var all145 = all_match({ +var all144 = all_match({ processors: [ - part714, + part713, select161, ], on_success: processor_chain([ @@ -9903,27 +8907,25 @@ var all145 = all_match({ ]), }); -var msg419 = msg("00022:11", all145); +var msg419 = msg("00022:11", all144); -var part717 = // "Pattern{Constant('Battery is no'), Field(p0,false)}" -match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); +var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); var select162 = linear_select([ - dup194, - dup193, + dup192, + dup191, ]); -var part718 = // "Pattern{Constant('functioning properly.'), Field(,false)}" -match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); +var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); -var all146 = all_match({ +var all145 = all_match({ processors: [ - part717, + part716, select162, - part718, + part717, ], on_success: processor_chain([ - dup190, + dup188, dup2, dup3, dup4, @@ -9931,10 +8933,9 @@ var all146 = all_match({ ]), }); -var msg420 = msg("00022:12", all146); +var msg420 = msg("00022:12", all145); -var part719 = // "Pattern{Constant('System's temperature ('), Field(fld2,true), Constant(' Centigrade, '), Field(fld3,true), Constant(' Fahrenheit) is OK now.')}" -match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ +var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ dup44, dup2, dup3, @@ -9942,10 +8943,9 @@ match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2- dup5, ])); -var msg421 = msg("00022:13", part719); +var msg421 = msg("00022:13", part718); -var part720 = // "Pattern{Constant('The power supply '), Field(fld2,true), Constant(' is functioning properly. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([ +var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -9954,7 +8954,7 @@ match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is dup5, ])); -var msg422 = msg("00022:14", part720); +var msg422 = msg("00022:14", part719); var select163 = linear_select([ msg408, @@ -9974,38 +8974,35 @@ var select163 = linear_select([ msg422, ]); -var part721 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' is not responding')}" -match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ - dup189, +var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ + dup187, dup2, dup3, dup4, dup5, ])); -var msg423 = msg("00023", part721); +var msg423 = msg("00023", part720); -var part722 = // "Pattern{Constant('VIP/load balance server '), Field(hostip,true), Constant(' cannot be contacted')}" -match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ - dup189, +var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ + dup187, dup2, dup3, dup4, dup5, ])); -var msg424 = msg("00023:01", part722); +var msg424 = msg("00023:01", part721); -var part723 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' cannot be contacted')}" -match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ - dup189, +var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ + dup187, dup2, dup3, dup4, dup5, ])); -var msg425 = msg("00023:02", part723); +var msg425 = msg("00023:02", part722); var select164 = linear_select([ msg423, @@ -10013,35 +9010,31 @@ var select164 = linear_select([ msg425, ]); -var part724 = // "Pattern{Constant('The DHCP '), Field(p0,false)}" -match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); +var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); -var part725 = // "Pattern{Constant(' DHCP '), Field(p0,false)}" -match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); +var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); var select165 = linear_select([ + part723, part724, - part725, ]); -var part726 = // "Pattern{Constant('IP address pool has '), Field(p0,false)}" -match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); +var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); -var part727 = // "Pattern{Constant('options have been '), Field(p0,false)}" -match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); +var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); var select166 = linear_select([ + part725, part726, - part727, ]); -var all147 = all_match({ +var all146 = all_match({ processors: [ select165, - dup195, + dup193, select166, dup52, - dup371, + dup368, ], on_success: processor_chain([ dup1, @@ -10053,38 +9046,32 @@ var all147 = all_match({ ]), }); -var msg426 = msg("00024", all147); +var msg426 = msg("00024", all146); -var part728 = // "Pattern{Constant('Traffic log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); +var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); -var part729 = // "Pattern{Constant('Alarm log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); +var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); -var part730 = // "Pattern{Constant('Event log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); +var part729 = match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); -var part731 = // "Pattern{Constant('Self log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); +var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); -var part732 = // "Pattern{Constant('Asset Recovery log '), Field(p0,false)}" -match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); +var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); var select167 = linear_select([ + part727, part728, part729, part730, part731, - part732, ]); -var part733 = // "Pattern{Constant('has overflowed'), Field(,false)}" -match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); +var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); -var all148 = all_match({ +var all147 = all_match({ processors: [ select167, - part733, + part732, ], on_success: processor_chain([ dup117, @@ -10095,30 +9082,26 @@ var all148 = all_match({ ]), }); -var msg427 = msg("00024:01", all148); +var msg427 = msg("00024:01", all147); -var part734 = // "Pattern{Constant('DHCP relay agent settings on '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); +var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); -var part735 = // "Pattern{Constant('are '), Field(p0,false)}" -match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); +var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); -var part736 = // "Pattern{Constant('have been '), Field(p0,false)}" -match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); +var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); var select168 = linear_select([ + part734, part735, - part736, ]); -var part737 = // "Pattern{Constant(''), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); +var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); -var all149 = all_match({ +var all148 = all_match({ processors: [ - part734, + part733, select168, - part737, + part736, ], on_success: processor_chain([ dup1, @@ -10130,24 +9113,22 @@ var all149 = all_match({ ]), }); -var msg428 = msg("00024:02", all149); +var msg428 = msg("00024:02", all148); -var part738 = // "Pattern{Constant('DHCP server IP address pool '), Field(p0,false)}" -match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); +var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); var select169 = linear_select([ - dup196, + dup194, dup106, ]); -var part739 = // "Pattern{Constant('changed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})"); +var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})"); -var all150 = all_match({ +var all149 = all_match({ processors: [ - part738, + part737, select169, - part739, + part738, ], on_success: processor_chain([ dup1, @@ -10159,7 +9140,7 @@ var all150 = all_match({ ]), }); -var msg429 = msg("00024:03", all150); +var msg429 = msg("00024:03", all149); var select170 = linear_select([ msg426, @@ -10168,8 +9149,7 @@ var select170 = linear_select([ msg429, ]); -var part740 = // "Pattern{Constant('The DHCP server IP address pool has changed'), Field(,false)}" -match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ +var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ dup1, dup2, dup3, @@ -10177,10 +9157,9 @@ match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool dup5, ])); -var msg430 = msg("00025", part740); +var msg430 = msg("00025", part739); -var part741 = // "Pattern{Constant('PKI: The current device '), Field(disposition,true), Constant(' to save the certificate authority configuration.')}" -match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ +var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ dup86, dup2, dup3, @@ -10188,10 +9167,9 @@ match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{dis dup5, ])); -var msg431 = msg("00025:01", part741); +var msg431 = msg("00025:01", part740); -var part742 = // "Pattern{Field(disposition,true), Constant(' to send the X509 request file via e-mail')}" -match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ +var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ dup86, dup2, dup3, @@ -10199,10 +9177,9 @@ match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the dup5, ])); -var msg432 = msg("00025:02", part742); +var msg432 = msg("00025:02", part741); -var part743 = // "Pattern{Field(disposition,true), Constant(' to save the CA configuration')}" -match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ +var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ dup86, dup2, dup3, @@ -10210,10 +9187,9 @@ match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the dup5, ])); -var msg433 = msg("00025:03", part743); +var msg433 = msg("00025:03", part742); -var part744 = // "Pattern{Constant('Cannot load more X509 certificates. The '), Field(result,false)}" -match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ +var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ dup86, dup2, dup3, @@ -10221,7 +9197,7 @@ match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certifi dup5, ])); -var msg434 = msg("00025:04", part744); +var msg434 = msg("00025:04", part743); var select171 = linear_select([ msg430, @@ -10231,8 +9207,7 @@ var select171 = linear_select([ msg434, ]); -var part745 = // "Pattern{Field(signame,true), Constant(' have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup3, @@ -10242,10 +9217,9 @@ match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! dup61, ])); -var msg435 = msg("00026", part745); +var msg435 = msg("00026", part744); -var part746 = // "Pattern{Field(signame,true), Constant(' have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on interface '), Field(interface,false)}" -match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ +var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ dup58, dup2, dup3, @@ -10254,21 +9228,19 @@ match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detect dup61, ])); -var msg436 = msg("00026:13", part746); +var msg436 = msg("00026:13", part745); -var part747 = // "Pattern{Constant('PKA key has been '), Field(p0,false)}" -match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); +var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); -var part748 = // "Pattern{Constant('admin user '), Field(administrator,false), Constant('. (Key ID = '), Field(fld2,false), Constant(')')}" -match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); +var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); -var all151 = all_match({ +var all150 = all_match({ processors: [ - dup197, - dup373, + dup195, + dup370, + part746, + dup371, part747, - dup374, - part748, ], on_success: processor_chain([ dup1, @@ -10279,35 +9251,31 @@ var all151 = all_match({ ]), }); -var msg437 = msg("00026:01", all151); +var msg437 = msg("00026:01", all150); -var part749 = // "Pattern{Constant(': SCS '), Field(p0,false)}" -match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); +var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); var select172 = linear_select([ - part749, + part748, dup96, ]); -var part750 = // "Pattern{Constant('has been '), Field(disposition,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); +var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); -var part751 = // "Pattern{Constant('root system '), Field(p0,false)}" -match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); +var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); -var part752 = // "Pattern{Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); +var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); var select173 = linear_select([ + part750, part751, - part752, ]); -var all152 = all_match({ +var all151 = all_match({ processors: [ - dup197, + dup195, select172, - part750, + part749, select173, dup116, ], @@ -10320,16 +9288,15 @@ var all152 = all_match({ ]), }); -var msg438 = msg("00026:02", all152); +var msg438 = msg("00026:02", all151); -var part753 = // "Pattern{Constant(''), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); +var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); -var all153 = all_match({ +var all152 = all_match({ processors: [ - dup197, - dup373, - part753, + dup195, + dup370, + part752, ], on_success: processor_chain([ dup1, @@ -10340,33 +9307,30 @@ var all153 = all_match({ ]), }); -var msg439 = msg("00026:03", all153); +var msg439 = msg("00026:03", all152); -var part754 = // "Pattern{Constant('SCS: Connection has been terminated for admin user '), Field(administrator,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,false)}" -match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ - dup200, +var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ + dup198, dup2, dup4, dup5, dup3, ])); -var msg440 = msg("00026:04", part754); +var msg440 = msg("00026:04", part753); -var part755 = // "Pattern{Constant('SCS: Host client has requested NO cipher from '), Field(interface,false)}" -match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ - dup200, +var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ + dup198, dup2, dup3, dup4, dup5, ])); -var msg441 = msg("00026:05", part755); +var msg441 = msg("00026:05", part754); -var part756 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' has been authenticated using PKA RSA from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. (key-ID='), Field(fld2,false)}" -match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ - dup201, +var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ + dup199, dup29, dup30, dup31, @@ -10377,11 +9341,10 @@ match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} h dup5, ])); -var msg442 = msg("00026:06", part756); +var msg442 = msg("00026:06", part755); -var part757 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' has been authenticated using password from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" -match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ - dup201, +var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ + dup199, dup29, dup30, dup31, @@ -10392,22 +9355,20 @@ match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} h dup5, ])); -var msg443 = msg("00026:07", part757); +var msg443 = msg("00026:07", part756); -var part758 = // "Pattern{Constant('SSH user '), Field(username,true), Constant(' has been authenticated using '), Field(p0,false)}" -match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); +var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); -var part759 = // "Pattern{Constant('from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' [ with key ID '), Field(fld2,true), Constant(' ]')}" -match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); +var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); -var all154 = all_match({ +var all153 = all_match({ processors: [ + part757, + dup372, part758, - dup375, - part759, ], on_success: processor_chain([ - dup201, + dup199, dup29, dup30, dup31, @@ -10419,10 +9380,9 @@ var all154 = all_match({ ]), }); -var msg444 = msg("00026:08", all154); +var msg444 = msg("00026:08", all153); -var part760 = // "Pattern{Constant('IPSec tunnel on int '), Field(interface,true), Constant(' with tunnel ID '), Field(fld2,true), Constant(' received a packet with a bad SPI.')}" -match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ +var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ dup19, dup2, dup3, @@ -10430,45 +9390,40 @@ match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interfa dup5, ])); -var msg445 = msg("00026:09", part760); +var msg445 = msg("00026:09", part759); -var part761 = // "Pattern{Constant('SSH: '), Field(p0,false)}" -match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); +var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); -var part762 = // "Pattern{Constant('Failed '), Field(p0,false)}" -match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); +var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); -var part763 = // "Pattern{Constant('Attempt '), Field(p0,false)}" -match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); +var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); var select174 = linear_select([ + part761, part762, - part763, ]); -var part764 = // "Pattern{Constant('bind duplicate '), Field(p0,false)}" -match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); +var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); var select175 = linear_select([ - part764, - dup203, + part763, + dup201, ]); -var part765 = // "Pattern{Constant('admin user ''), Field(administrator,false), Constant('' (Key ID '), Field(fld2,false), Constant(')')}" -match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); +var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); -var all155 = all_match({ +var all154 = all_match({ processors: [ - part761, + part760, select174, dup103, select175, - dup204, - dup376, - part765, + dup202, + dup373, + part764, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -10476,10 +9431,9 @@ var all155 = all_match({ ]), }); -var msg446 = msg("00026:10", all155); +var msg446 = msg("00026:10", all154); -var part766 = // "Pattern{Constant('SSH: Maximum number of PKA keys ('), Field(fld2,false), Constant(') has been bound to user ''), Field(username,false), Constant('' Key not bound. (Key ID '), Field(fld3,false), Constant(')')}" -match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ +var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ dup44, dup2, dup3, @@ -10487,10 +9441,9 @@ match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA ke dup5, ])); -var msg447 = msg("00026:11", part766); +var msg447 = msg("00026:11", part765); -var part767 = // "Pattern{Constant('IKE '), Field(fld2,false), Constant(': Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed')}" -match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([ +var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([ dup44, dup2, dup3, @@ -10498,7 +9451,7 @@ match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbea dup5, ])); -var msg448 = msg("00026:12", part767); +var msg448 = msg("00026:12", part766); var select176 = linear_select([ msg435, @@ -10517,33 +9470,29 @@ var select176 = linear_select([ msg448, ]); -var part768 = // "Pattern{Constant('user '), Field(username,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); +var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); -var part769 = // "Pattern{Constant('IP address '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); +var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); -var part770 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); +var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); -var part771 = // "Pattern{Constant('console'), Field(,false)}" -match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); +var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); var select177 = linear_select([ + part768, part769, part770, - part771, ]); -var all156 = all_match({ +var all155 = all_match({ processors: [ - dup206, - dup377, - part768, + dup204, + dup374, + part767, select177, ], on_success: processor_chain([ - dup208, + dup206, dup30, dup31, dup54, @@ -10554,10 +9503,9 @@ var all156 = all_match({ ]), }); -var msg449 = msg("00027", all156); +var msg449 = msg("00027", all155); -var part772 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to default port '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ +var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10565,10 +9513,9 @@ match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg450 = msg("00027:01", part772); +var msg450 = msg("00027:01", part771); -var part773 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ +var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10576,10 +9523,9 @@ match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg451 = msg("00027:02", part773); +var msg451 = msg("00027:02", part772); -var part774 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to port '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([ +var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10587,10 +9533,9 @@ match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg452 = msg("00027:03", part774); +var msg452 = msg("00027:03", part773); -var part775 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to port '), Field(change_new,false)}" -match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ +var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -10598,43 +9543,38 @@ match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg453 = msg("00027:04", part775); +var msg453 = msg("00027:04", part774); -var part776 = // "Pattern{Constant('ScreenOS '), Field(version,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); +var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); -var part777 = // "Pattern{Constant('Serial '), Field(p0,false)}" -match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); +var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); -var part778 = // "Pattern{Constant('serial '), Field(p0,false)}" -match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); +var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); var select178 = linear_select([ + part776, part777, - part778, ]); -var part779 = // "Pattern{Constant('# '), Field(fld2,false), Constant(': Asset recovery '), Field(p0,false)}" -match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); +var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); -var part780 = // "Pattern{Constant('performed '), Field(p0,false)}" -match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); +var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); var select179 = linear_select([ - part780, + part779, dup127, ]); var select180 = linear_select([ - dup209, - dup210, + dup207, + dup208, ]); -var all157 = all_match({ +var all156 = all_match({ processors: [ - part776, + part775, select178, - part779, + part778, select179, dup23, select180, @@ -10648,19 +9588,18 @@ var all157 = all_match({ ]), }); -var msg454 = msg("00027:05", all157); +var msg454 = msg("00027:05", all156); -var part781 = // "Pattern{Constant('Device Reset (Asset Recovery) has been '), Field(p0,false)}" -match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); +var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); var select181 = linear_select([ - dup210, - dup209, + dup208, + dup207, ]); -var all158 = all_match({ +var all157 = all_match({ processors: [ - part781, + part780, select181, ], on_success: processor_chain([ @@ -10672,10 +9611,9 @@ var all158 = all_match({ ]), }); -var msg455 = msg("00027:06", all158); +var msg455 = msg("00027:06", all157); -var part782 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('. '), Field(info,false)}" -match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([ +var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -10683,10 +9621,9 @@ match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); -var msg456 = msg("00027:07", part782); +var msg456 = msg("00027:07", part781); -var part783 = // "Pattern{Constant('System configuration has been erased'), Field(,false)}" -match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ +var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ dup1, dup2, dup3, @@ -10694,10 +9631,9 @@ match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been dup5, ])); -var msg457 = msg("00027:08", part783); +var msg457 = msg("00027:08", part782); -var part784 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' is due to expire in '), Field(fld3,false), Constant('.')}" -match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ +var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ dup44, dup2, dup3, @@ -10705,10 +9641,9 @@ match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due dup5, ])); -var msg458 = msg("00027:09", part784); +var msg458 = msg("00027:09", part783); -var part785 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' has expired.')}" -match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ +var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ dup44, dup2, dup3, @@ -10716,10 +9651,9 @@ match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has exp dup5, ])); -var msg459 = msg("00027:10", part785); +var msg459 = msg("00027:10", part784); -var part786 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' expired after 30-day grace period.')}" -match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ +var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ dup44, dup2, dup3, @@ -10727,27 +9661,24 @@ match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired dup5, ])); -var msg460 = msg("00027:11", part786); +var msg460 = msg("00027:11", part785); -var part787 = // "Pattern{Constant('Request to retrieve license key failed to reach '), Field(p0,false)}" -match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); +var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); -var part788 = // "Pattern{Constant('the server '), Field(p0,false)}" -match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); +var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); var select182 = linear_select([ - part788, - dup195, + part787, + dup193, ]); -var part789 = // "Pattern{Constant('by '), Field(fld2,false), Constant('. Server url: '), Field(url,false)}" -match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}"); +var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}"); -var all159 = all_match({ +var all158 = all_match({ processors: [ - part787, + part786, select182, - part789, + part788, ], on_success: processor_chain([ dup19, @@ -10758,19 +9689,18 @@ var all159 = all_match({ ]), }); -var msg461 = msg("00027:12", all159); +var msg461 = msg("00027:12", all158); -var part790 = // "Pattern{Constant('user '), Field(username,false)}" -match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); +var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); -var all160 = all_match({ +var all159 = all_match({ processors: [ - dup206, - dup377, - part790, + dup204, + dup374, + part789, ], on_success: processor_chain([ - dup208, + dup206, dup30, dup31, dup54, @@ -10781,30 +9711,26 @@ var all160 = all_match({ ]), }); -var msg462 = msg("00027:13", all160); +var msg462 = msg("00027:13", all159); -var part791 = // "Pattern{Constant('Configuration Erasure Process '), Field(p0,false)}" -match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); +var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); -var part792 = // "Pattern{Constant('has been initiated '), Field(p0,false)}" -match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); +var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); -var part793 = // "Pattern{Constant('aborted '), Field(p0,false)}" -match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); +var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); var select183 = linear_select([ + part791, part792, - part793, ]); -var part794 = // "Pattern{Constant('.'), Field(space,false), Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); +var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); -var all161 = all_match({ +var all160 = all_match({ processors: [ - part791, + part790, select183, - part794, + part793, ], on_success: processor_chain([ dup1, @@ -10816,10 +9742,9 @@ var all161 = all_match({ ]), }); -var msg463 = msg("00027:14", all161); +var msg463 = msg("00027:14", all160); -var part795 = // "Pattern{Constant('Waiting for 2nd confirmation. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([ +var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -10828,10 +9753,9 @@ match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. dup5, ])); -var msg464 = msg("00027:15", part795); +var msg464 = msg("00027:15", part794); -var part796 = // "Pattern{Constant('Admin '), Field(fld3,true), Constant(' policy id '), Field(policy_id,true), Constant(' name "'), Field(fld2,true), Constant(' has been re-enabled by NetScreen system after being locked due to excessive failed login attempts ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ +var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -10840,10 +9764,9 @@ match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{ dup5, ])); -var msg465 = msg("00027:16", part796); +var msg465 = msg("00027:16", part795); -var part797 = // "Pattern{Constant('Admin '), Field(username,true), Constant(' is locked and will be unlocked after '), Field(duration,true), Constant(' minutes ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ +var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -10851,10 +9774,9 @@ match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locke dup9, ])); -var msg466 = msg("00027:17", part797); +var msg466 = msg("00027:17", part796); -var part798 = // "Pattern{Constant('Login attempt by admin '), Field(username,true), Constant(' from '), Field(saddr,true), Constant(' is refused as this account is locked ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ +var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -10862,10 +9784,9 @@ match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{use dup9, ])); -var msg467 = msg("00027:18", part798); +var msg467 = msg("00027:18", part797); -var part799 = // "Pattern{Constant('Admin '), Field(username,true), Constant(' has been re-enabled by NetScreen system after being locked due to excessive failed login attempts ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ +var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -10873,7 +9794,7 @@ match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been dup9, ])); -var msg468 = msg("00027:19", part799); +var msg468 = msg("00027:19", part798); var select184 = linear_select([ msg449, @@ -10898,28 +9819,24 @@ var select184 = linear_select([ msg468, ]); -var part800 = // "Pattern{Constant('An Intruder'), Field(p0,false)}" -match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); +var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); -var part801 = // "Pattern{Constant('Intruder'), Field(p0,false)}" -match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); +var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); -var part802 = // "Pattern{Constant('An intruter'), Field(p0,false)}" -match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); +var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); var select185 = linear_select([ + part799, part800, part801, - part802, ]); -var part803 = // "Pattern{Field(,false), Constant('has attempted to connect to the NetScreen-Global PRO port! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); +var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); -var all162 = all_match({ +var all161 = all_match({ processors: [ select185, - part803, + part802, ], on_success: processor_chain([ dup58, @@ -10933,52 +9850,46 @@ var all162 = all_match({ ]), }); -var msg469 = msg("00028", all162); +var msg469 = msg("00028", all161); -var part804 = // "Pattern{Constant('DNS has been refreshed'), Field(,false)}" -match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ - dup211, +var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg470 = msg("00029", part804); +var msg470 = msg("00029", part803); -var part805 = // "Pattern{Constant('DHCP file write: out of memory.'), Field(,false)}" -match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ - dup186, +var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ + dup184, dup2, dup3, dup4, dup5, ])); -var msg471 = msg("00029:01", part805); +var msg471 = msg("00029:01", part804); -var part806 = // "Pattern{Constant('The DHCP process cannot open file '), Field(fld2,true), Constant(' to '), Field(p0,false)}" -match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); +var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); -var part807 = // "Pattern{Constant('read '), Field(p0,false)}" -match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); +var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); -var part808 = // "Pattern{Constant('write '), Field(p0,false)}" -match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); +var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); var select186 = linear_select([ + part806, part807, - part808, ]); -var part809 = // "Pattern{Constant('data.'), Field(,false)}" -match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); +var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); -var all163 = all_match({ +var all162 = all_match({ processors: [ - part806, + part805, select186, - part809, + part808, ], on_success: processor_chain([ dup117, @@ -10989,32 +9900,28 @@ var all163 = all_match({ ]), }); -var msg472 = msg("00029:02", all163); +var msg472 = msg("00029:02", all162); -var part810 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is full. Unable to '), Field(p0,false)}" -match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}"); +var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}"); -var part811 = // "Pattern{Constant('commit '), Field(p0,false)}" -match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); +var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); -var part812 = // "Pattern{Constant('offer '), Field(p0,false)}" -match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); +var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); var select187 = linear_select([ + part810, part811, - part812, ]); -var part813 = // "Pattern{Constant('IP address to client at '), Field(fld2,false)}" -match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); +var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); -var all164 = all_match({ +var all163 = all_match({ processors: [ - dup212, - dup339, - part810, + dup210, + dup337, + part809, select187, - part813, + part812, ], on_success: processor_chain([ dup117, @@ -11025,10 +9932,9 @@ var all164 = all_match({ ]), }); -var msg473 = msg("00029:03", all164); +var msg473 = msg("00029:03", all163); -var part814 = // "Pattern{Constant('DHCP server set to OFF on '), Field(interface,true), Constant(' (another server found on '), Field(hostip,false), Constant(').')}" -match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ +var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ dup44, dup2, dup3, @@ -11036,7 +9942,7 @@ match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{i dup5, ])); -var msg474 = msg("00029:04", part814); +var msg474 = msg("00029:04", part813); var select188 = linear_select([ msg470, @@ -11046,8 +9952,7 @@ var select188 = linear_select([ msg474, ]); -var part815 = // "Pattern{Constant('CA configuration is invalid'), Field(,false)}" -match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ +var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ dup18, dup2, dup3, @@ -11055,25 +9960,22 @@ match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", dup5, ])); -var msg475 = msg("00030", part815); +var msg475 = msg("00030", part814); -var part816 = // "Pattern{Constant('DSS checking of CRLs has been changed from '), Field(p0,false)}" -match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); +var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); -var part817 = // "Pattern{Constant('0 to 1'), Field(,false)}" -match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); +var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); -var part818 = // "Pattern{Constant('1 to 0'), Field(,false)}" -match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); +var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); var select189 = linear_select([ + part816, part817, - part818, ]); -var all165 = all_match({ +var all164 = all_match({ processors: [ - part816, + part815, select189, ], on_success: processor_chain([ @@ -11085,10 +9987,9 @@ var all165 = all_match({ ]), }); -var msg476 = msg("00030:01", all165); +var msg476 = msg("00030:01", all164); -var part819 = // "Pattern{Constant('For the X509 certificate '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -11096,10 +9997,9 @@ match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{ch dup5, ])); -var msg477 = msg("00030:05", part819); +var msg477 = msg("00030:05", part818); -var part820 = // "Pattern{Constant('In the X509 certificate request the '), Field(fld2,true), Constant(' field has been changed from '), Field(fld3,false)}" -match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ +var part819 = match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ dup1, dup2, dup3, @@ -11107,10 +10007,9 @@ match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate reque dup5, ])); -var msg478 = msg("00030:06", part820); +var msg478 = msg("00030:06", part819); -var part821 = // "Pattern{Constant('RA X509 certificate cannot be loaded'), Field(,false)}" -match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ +var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ dup19, dup2, dup3, @@ -11118,10 +10017,9 @@ match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be dup5, ])); -var msg479 = msg("00030:07", part821); +var msg479 = msg("00030:07", part820); -var part822 = // "Pattern{Constant('Self-signed X509 certificate cannot be generated'), Field(,false)}" -match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ +var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ dup86, dup2, dup3, @@ -11129,10 +10027,9 @@ match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate dup5, ])); -var msg480 = msg("00030:10", part822); +var msg480 = msg("00030:10", part821); -var part823 = // "Pattern{Constant('The public key for ScreenOS image has successfully been updated'), Field(,false)}" -match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ +var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ dup1, dup2, dup3, @@ -11140,25 +10037,22 @@ match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS i dup5, ])); -var msg481 = msg("00030:12", part823); +var msg481 = msg("00030:12", part822); -var part824 = // "Pattern{Constant('The public key used for ScreenOS image authentication cannot be '), Field(p0,false)}" -match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); +var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); -var part825 = // "Pattern{Constant('decoded'), Field(,false)}" -match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); +var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); -var part826 = // "Pattern{Constant('loaded'), Field(,false)}" -match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); +var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); var select190 = linear_select([ + part824, part825, - part826, ]); -var all166 = all_match({ +var all165 = all_match({ processors: [ - part824, + part823, select190, ], on_success: processor_chain([ @@ -11172,48 +10066,41 @@ var all166 = all_match({ ]), }); -var msg482 = msg("00030:13", all166); +var msg482 = msg("00030:13", all165); -var part827 = // "Pattern{Constant('CA IDENT '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); +var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); -var part828 = // "Pattern{Constant('Challenge password '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); +var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); -var part829 = // "Pattern{Constant('CA CGI URL '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); +var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); -var part830 = // "Pattern{Constant('RA CGI URL '), Field(p0,false)}" -match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); +var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); var select191 = linear_select([ + part826, part827, part828, part829, - part830, ]); -var part831 = // "Pattern{Constant('for SCEP '), Field(p0,false)}" -match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); +var part830 = match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); -var part832 = // "Pattern{Constant('requests '), Field(p0,false)}" -match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); +var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); var select192 = linear_select([ - part832, + part831, dup16, ]); -var part833 = // "Pattern{Constant('has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); +var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); -var all167 = all_match({ +var all166 = all_match({ processors: [ dup55, select191, - part831, + part830, select192, - part833, + part832, ], on_success: processor_chain([ dup1, @@ -11224,14 +10111,13 @@ var all167 = all_match({ ]), }); -var msg483 = msg("00030:14", all167); +var msg483 = msg("00030:14", all166); -var msg484 = msg("00030:02", dup378); +var msg484 = msg("00030:02", dup375); -var part834 = // "Pattern{Constant('X509 certificate for ScreenOS image authentication is invalid'), Field(,false)}" -match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ +var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11240,10 +10126,9 @@ match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS dup5, ])); -var msg485 = msg("00030:15", part834); +var msg485 = msg("00030:15", part833); -var part835 = // "Pattern{Constant('X509 certificate has been deleted'), Field(,false)}" -match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ +var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ dup1, dup2, dup3, @@ -11251,10 +10136,9 @@ match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been del dup5, ])); -var msg486 = msg("00030:16", part835); +var msg486 = msg("00030:16", part834); -var part836 = // "Pattern{Constant('PKI CRL: no revoke info accept per config DN '), Field(interface,false), Constant('.')}" -match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ +var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ dup1, dup2, dup3, @@ -11262,30 +10146,26 @@ match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accep dup5, ])); -var msg487 = msg("00030:18", part836); +var msg487 = msg("00030:18", part835); -var part837 = // "Pattern{Constant('PKI: A configurable item '), Field(change_attribute,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); +var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); -var part838 = // "Pattern{Constant('mode '), Field(p0,false)}" -match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); +var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); -var part839 = // "Pattern{Constant('field'), Field(p0,false)}" -match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); +var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); var select193 = linear_select([ + part837, part838, - part839, ]); -var part840 = // "Pattern{Field(,false), Constant('has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); +var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); -var all168 = all_match({ +var all167 = all_match({ processors: [ - part837, + part836, select193, - part840, + part839, ], on_success: processor_chain([ dup1, @@ -11296,10 +10176,9 @@ var all168 = all_match({ ]), }); -var msg488 = msg("00030:19", all168); +var msg488 = msg("00030:19", all167); -var part841 = // "Pattern{Constant('PKI: NSRP cold sync start for total of '), Field(fld2,true), Constant(' items.')}" -match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ +var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ dup44, dup2, dup3, @@ -11307,10 +10186,9 @@ match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for dup5, ])); -var msg489 = msg("00030:30", part841); +var msg489 = msg("00030:30", part840); -var part842 = // "Pattern{Constant('PKI: NSRP sync received cold sync item '), Field(fld2,true), Constant(' out of order expect '), Field(fld3,true), Constant(' of '), Field(fld4,false), Constant('.')}" -match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ +var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ dup86, dup2, dup3, @@ -11318,10 +10196,9 @@ match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold dup5, ])); -var msg490 = msg("00030:31", part842); +var msg490 = msg("00030:31", part841); -var part843 = // "Pattern{Constant('PKI: NSRP sync received cold sync item '), Field(fld2,true), Constant(' without first item.')}" -match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ +var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ dup86, dup2, dup3, @@ -11329,10 +10206,9 @@ match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold dup5, ])); -var msg491 = msg("00030:32", part843); +var msg491 = msg("00030:32", part842); -var part844 = // "Pattern{Constant('PKI: NSRP sync received normal item during cold sync.'), Field(,false)}" -match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ +var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ dup44, dup2, dup3, @@ -11340,10 +10216,9 @@ match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received norma dup5, ])); -var msg492 = msg("00030:33", part844); +var msg492 = msg("00030:33", part843); -var part845 = // "Pattern{Constant('PKI: The CRL '), Field(policy_id,true), Constant(' is deleted.')}" -match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ +var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ dup1, dup2, dup3, @@ -11351,10 +10226,9 @@ match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} i dup5, ])); -var msg493 = msg("00030:34", part845); +var msg493 = msg("00030:34", part844); -var part846 = // "Pattern{Constant('PKI: The NSRP high availability synchronization '), Field(fld2,true), Constant(' failed.')}" -match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ +var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ dup86, dup2, dup3, @@ -11362,10 +10236,9 @@ match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availabili dup5, ])); -var msg494 = msg("00030:35", part846); +var msg494 = msg("00030:35", part845); -var part847 = // "Pattern{Constant('PKI: The '), Field(change_attribute,true), Constant(' has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ +var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ dup1, dup2, dup3, @@ -11373,12 +10246,11 @@ match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute-> dup5, ])); -var msg495 = msg("00030:36", part847); +var msg495 = msg("00030:36", part846); -var part848 = // "Pattern{Constant('PKI: The X.509 certificate for the ScreenOS image authentication is invalid.'), Field(,false)}" -match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ +var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11387,12 +10259,11 @@ match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate fo dup5, ])); -var msg496 = msg("00030:37", part848); +var msg496 = msg("00030:37", part847); -var part849 = // "Pattern{Constant('PKI: The X.509 local certificate cannot be sync to vsd member.'), Field(,false)}" -match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ +var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11401,31 +10272,28 @@ match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certific dup5, ])); -var msg497 = msg("00030:38", part849); +var msg497 = msg("00030:38", part848); -var part850 = // "Pattern{Constant('PKI: The X.509 certificate '), Field(p0,false)}" -match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); +var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); -var part851 = // "Pattern{Constant('revocation list '), Field(p0,false)}" -match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); +var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); var select194 = linear_select([ - part851, + part850, dup16, ]); -var part852 = // "Pattern{Constant('cannot be loaded during NSRP synchronization.'), Field(,false)}" -match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); +var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); -var all169 = all_match({ +var all168 = all_match({ processors: [ - part850, + part849, select194, - part852, + part851, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11435,23 +10303,21 @@ var all169 = all_match({ ]), }); -var msg498 = msg("00030:39", all169); +var msg498 = msg("00030:39", all168); -var part853 = // "Pattern{Constant('X509 '), Field(p0,false)}" -match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); +var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); -var part854 = // "Pattern{Constant('cannot be loaded'), Field(,false)}" -match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); +var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); -var all170 = all_match({ +var all169 = all_match({ processors: [ + part852, + dup376, part853, - dup379, - part854, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11461,31 +10327,28 @@ var all170 = all_match({ ]), }); -var msg499 = msg("00030:17", all170); +var msg499 = msg("00030:17", all169); -var part855 = // "Pattern{Constant('PKI: The certificate '), Field(fld2,true), Constant(' will expire '), Field(p0,false)}" -match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); +var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); -var part856 = // "Pattern{Constant('please '), Field(p0,false)}" -match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); +var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); var select195 = linear_select([ - dup216, - part856, + dup214, + part855, ]); -var part857 = // "Pattern{Constant('renew.'), Field(,false)}" -match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); +var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); -var all171 = all_match({ +var all170 = all_match({ processors: [ - part855, + part854, select195, - part857, + part856, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11495,12 +10358,11 @@ var all171 = all_match({ ]), }); -var msg500 = msg("00030:40", all171); +var msg500 = msg("00030:40", all170); -var part858 = // "Pattern{Constant('PKI: The certificate revocation list has expired issued by certificate authority '), Field(fld2,false), Constant('.')}" -match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ +var part857 = match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11509,12 +10371,11 @@ match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocati dup5, ])); -var msg501 = msg("00030:41", part858); +var msg501 = msg("00030:41", part857); -var part859 = // "Pattern{Constant('PKI: The configuration content of certificate authority '), Field(fld2,true), Constant(' is not valid.')}" -match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ +var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11523,12 +10384,11 @@ match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration conten dup5, ])); -var msg502 = msg("00030:42", part859); +var msg502 = msg("00030:42", part858); -var part860 = // "Pattern{Constant('PKI: The device cannot allocate this object id number '), Field(fld2,false), Constant('.')}" -match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ +var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11537,12 +10397,11 @@ match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot alloca dup5, ])); -var msg503 = msg("00030:43", part860); +var msg503 = msg("00030:43", part859); -var part861 = // "Pattern{Constant('PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].'), Field(,false)}" -match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ +var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11551,12 +10410,11 @@ match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extrac dup5, ])); -var msg504 = msg("00030:44", part861); +var msg504 = msg("00030:44", part860); -var part862 = // "Pattern{Constant('PKI: The device cannot find the PKI object '), Field(fld2,true), Constant(' during cold sync.')}" -match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ +var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11565,12 +10423,11 @@ match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find t dup5, ])); -var msg505 = msg("00030:45", part862); +var msg505 = msg("00030:45", part861); -var part863 = // "Pattern{Constant('PKI: The device cannot load X.509 certificate onto the device certificate '), Field(fld2,false), Constant('.')}" -match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ +var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11579,12 +10436,11 @@ match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X dup5, ])); -var msg506 = msg("00030:46", part863); +var msg506 = msg("00030:46", part862); -var part864 = // "Pattern{Constant('PKI: The device cannot load a certificate pending SCEP completion.'), Field(,false)}" -match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ +var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11593,12 +10449,11 @@ match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a dup5, ])); -var msg507 = msg("00030:47", part864); +var msg507 = msg("00030:47", part863); -var part865 = // "Pattern{Constant('PKI: The device cannot load an X.509 certificate revocation list (CRL).'), Field(,false)}" -match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ +var part864 = match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11607,12 +10462,11 @@ match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load a dup5, ])); -var msg508 = msg("00030:48", part865); +var msg508 = msg("00030:48", part864); -var part866 = // "Pattern{Constant('PKI: The device cannot load the CA certificate received through SCEP.'), Field(,false)}" -match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ +var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11621,12 +10475,11 @@ match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg509 = msg("00030:49", part866); +var msg509 = msg("00030:49", part865); -var part867 = // "Pattern{Constant('PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.'), Field(,false)}" -match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ +var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11635,12 +10488,11 @@ match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg510 = msg("00030:50", part867); +var msg510 = msg("00030:50", part866); -var part868 = // "Pattern{Constant('PKI: The device cannot load the X.509 local certificate received through SCEP.'), Field(,false)}" -match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ +var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11649,12 +10501,11 @@ match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg511 = msg("00030:51", part868); +var msg511 = msg("00030:51", part867); -var part869 = // "Pattern{Constant('PKI: The device cannot load the X.509 '), Field(product,true), Constant(' during boot.')}" -match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ +var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11663,12 +10514,11 @@ match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg512 = msg("00030:52", part869); +var msg512 = msg("00030:52", part868); -var part870 = // "Pattern{Constant('PKI: The device cannot load the X.509 certificate file.'), Field(,false)}" -match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ +var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11677,12 +10527,11 @@ match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load t dup5, ])); -var msg513 = msg("00030:53", part870); +var msg513 = msg("00030:53", part869); -var part871 = // "Pattern{Constant('PKI: The device completed the coldsync of the PKI object at '), Field(fld2,true), Constant(' attempt.')}" -match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ +var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ dup44, - dup213, + dup211, dup31, dup2, dup3, @@ -11690,20 +10539,19 @@ match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the dup5, ])); -var msg514 = msg("00030:54", part871); +var msg514 = msg("00030:54", part870); -var part872 = // "Pattern{Constant('PKI: The device could not generate '), Field(p0,false)}" -match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}"); +var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}"); -var all172 = all_match({ +var all171 = all_match({ processors: [ - part872, - dup380, - dup219, + part871, + dup377, + dup217, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11713,12 +10561,11 @@ var all172 = all_match({ ]), }); -var msg515 = msg("00030:55", all172); +var msg515 = msg("00030:55", all171); -var part873 = // "Pattern{Constant('PKI: The device detected an invalid RSA key.'), Field(,false)}" -match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ +var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11727,12 +10574,11 @@ match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an i dup5, ])); -var msg516 = msg("00030:56", part873); +var msg516 = msg("00030:56", part872); -var part874 = // "Pattern{Constant('PKI: The device detected an invalid digital signature algorithm (DSA) key.'), Field(,false)}" -match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ +var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ dup35, - dup220, + dup218, dup31, dup39, dup2, @@ -11741,12 +10587,11 @@ match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an i dup5, ])); -var msg517 = msg("00030:57", part874); +var msg517 = msg("00030:57", part873); -var part875 = // "Pattern{Constant('PKI: The device failed to coldsync the PKI object at '), Field(fld2,true), Constant(' attempt.')}" -match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ +var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ dup86, - dup220, + dup218, dup31, dup54, dup2, @@ -11755,38 +10600,24 @@ match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to col dup5, ])); -var msg518 = msg("00030:58", part875); - -var part876 = // "Pattern{Constant('PKI: The device failed to decode the public key of the image'), Field(p0,false)}" -match("MESSAGE#512:00030:59/0", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{p0}"); +var msg518 = msg("00030:58", part874); -var part877 = // "Pattern{Constant('s signer certificate.'), Field(,false)}" -match("MESSAGE#512:00030:59/2", "nwparser.p0", "s signer certificate.%{}"); - -var all173 = all_match({ - processors: [ - part876, - dup363, - part877, - ], - on_success: processor_chain([ - dup35, - dup220, - dup31, - dup54, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); -var msg519 = msg("00030:59", all173); +var msg519 = msg("00030:59", part875); -var part878 = // "Pattern{Constant('PKI: The device failed to install the RSA key.'), Field(,false)}" -match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ +var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ dup35, - dup220, + dup218, dup31, dup54, dup2, @@ -11795,12 +10626,11 @@ match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to ins dup5, ])); -var msg520 = msg("00030:60", part878); +var msg520 = msg("00030:60", part876); -var part879 = // "Pattern{Constant('PKI: The device failed to retrieve the pending certificate '), Field(fld2,false), Constant('.')}" -match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ +var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup54, dup2, @@ -11809,12 +10639,11 @@ match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to ret dup5, ])); -var msg521 = msg("00030:61", part879); +var msg521 = msg("00030:61", part877); -var part880 = // "Pattern{Constant('PKI: The device failed to save the certificate authority related configuration.'), Field(,false)}" -match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ +var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup54, dup2, @@ -11823,12 +10652,11 @@ match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to sav dup5, ])); -var msg522 = msg("00030:62", part880); +var msg522 = msg("00030:62", part878); -var part881 = // "Pattern{Constant('PKI: The device failed to store the authority configuration.'), Field(,false)}" -match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ +var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ dup18, - dup221, + dup219, dup51, dup54, dup2, @@ -11837,12 +10665,11 @@ match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to sto dup5, ])); -var msg523 = msg("00030:63", part881); +var msg523 = msg("00030:63", part879); -var part882 = // "Pattern{Constant('PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.'), Field(,false)}" -match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ +var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ dup18, - dup220, + dup218, dup51, dup54, dup2, @@ -11851,12 +10678,11 @@ match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to syn dup5, ])); -var msg524 = msg("00030:64", part882); +var msg524 = msg("00030:64", part880); -var part883 = // "Pattern{Constant('PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.'), Field(,false)}" -match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ +var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ dup18, - dup220, + dup218, dup51, dup54, dup2, @@ -11865,12 +10691,11 @@ match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to syn dup5, ])); -var msg525 = msg("00030:65", part883); +var msg525 = msg("00030:65", part881); -var part884 = // "Pattern{Constant('PKI: The device has detected an invalid X.509 object attribute '), Field(fld2,false), Constant('.')}" -match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ +var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11879,12 +10704,11 @@ match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected dup5, ])); -var msg526 = msg("00030:66", part884); +var msg526 = msg("00030:66", part882); -var part885 = // "Pattern{Constant('PKI: The device has detected invalid X.509 object content.'), Field(,false)}" -match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ +var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11893,12 +10717,11 @@ match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected dup5, ])); -var msg527 = msg("00030:67", part885); +var msg527 = msg("00030:67", part883); -var part886 = // "Pattern{Constant('PKI: The device has failed to load an invalid X.509 object.'), Field(,false)}" -match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ +var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -11907,10 +10730,9 @@ match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to dup5, ])); -var msg528 = msg("00030:68", part886); +var msg528 = msg("00030:68", part884); -var part887 = // "Pattern{Constant('PKI: The device is loading the version 0 PKI data.'), Field(,false)}" -match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([ +var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([ dup44, dup2, dup3, @@ -11918,16 +10740,15 @@ match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading th dup5, ])); -var msg529 = msg("00030:69", part887); +var msg529 = msg("00030:69", part885); -var part888 = // "Pattern{Constant('PKI: The device successfully generated a new '), Field(p0,false)}" -match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); +var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); -var all174 = all_match({ +var all172 = all_match({ processors: [ - part888, - dup380, - dup219, + part886, + dup377, + dup217, ], on_success: processor_chain([ dup44, @@ -11938,87 +10759,56 @@ var all174 = all_match({ ]), }); -var msg530 = msg("00030:70", all174); +var msg530 = msg("00030:70", all172); -var part889 = // "Pattern{Constant('PKI: The public key of image'), Field(p0,false)}" -match("MESSAGE#524:00030:71/0", "nwparser.payload", "PKI: The public key of image%{p0}"); +var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); -var part890 = // "Pattern{Constant('s signer has been loaded successfully, for future image authentication.'), Field(,false)}" -match("MESSAGE#524:00030:71/2", "nwparser.p0", "s signer has been loaded successfully, for future image authentication.%{}"); +var msg531 = msg("00030:71", part887); -var all175 = all_match({ - processors: [ - part889, - dup363, - part890, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); -var msg531 = msg("00030:71", all175); +var msg532 = msg("00030:72", part888); -var part891 = // "Pattern{Constant('PKI: The signature of the image'), Field(p0,false)}" -match("MESSAGE#525:00030:72/0", "nwparser.payload", "PKI: The signature of the image%{p0}"); +var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); -var part892 = // "Pattern{Constant('s signer certificate cannot be verified.'), Field(,false)}" -match("MESSAGE#525:00030:72/2", "nwparser.p0", "s signer certificate cannot be verified.%{}"); +var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); -var all176 = all_match({ - processors: [ - part891, - dup363, - part892, - ], - on_success: processor_chain([ - dup35, - dup213, - dup31, - dup39, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg532 = msg("00030:72", all176); - -var part893 = // "Pattern{Constant('PKI: The '), Field(p0,false)}" -match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); +var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); -var part894 = // "Pattern{Constant('file name '), Field(p0,false)}" -match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); - -var part895 = // "Pattern{Constant('friendly name of a certificate '), Field(p0,false)}" -match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); - -var part896 = // "Pattern{Constant('vsys name '), Field(p0,false)}" -match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); +var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); var select196 = linear_select([ - part894, - part895, - part896, + part890, + part891, + part892, ]); -var part897 = // "Pattern{Constant('is too long '), Field(fld2,true), Constant(' to do NSRP synchronization allowed '), Field(fld3,false), Constant('.')}" -match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); +var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); -var all177 = all_match({ +var all173 = all_match({ processors: [ - part893, + part889, select196, - part897, + part893, ], on_success: processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -12028,10 +10818,9 @@ var all177 = all_match({ ]), }); -var msg533 = msg("00030:73", all177); +var msg533 = msg("00030:73", all173); -var part898 = // "Pattern{Constant('PKI: Upgrade from earlier version save to file.'), Field(,false)}" -match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ +var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ dup44, dup2, dup3, @@ -12039,10 +10828,9 @@ match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier ver dup5, ])); -var msg534 = msg("00030:74", part898); +var msg534 = msg("00030:74", part894); -var part899 = // "Pattern{Constant('PKI: X.509 certificate has been deleted distinguished name '), Field(username,false), Constant('.')}" -match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ +var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ dup44, dup2, dup3, @@ -12050,19 +10838,17 @@ match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has be dup5, ])); -var msg535 = msg("00030:75", part899); +var msg535 = msg("00030:75", part895); -var part900 = // "Pattern{Constant('PKI: X.509 '), Field(p0,false)}" -match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); +var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); -var part901 = // "Pattern{Constant('file has been loaded successfully filename '), Field(fld2,false), Constant('.')}" -match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); +var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); -var all178 = all_match({ +var all174 = all_match({ processors: [ - part900, - dup379, - part901, + part896, + dup376, + part897, ], on_success: processor_chain([ dup44, @@ -12073,12 +10859,11 @@ var all178 = all_match({ ]), }); -var msg536 = msg("00030:76", all178); +var msg536 = msg("00030:76", all174); -var part902 = // "Pattern{Constant('PKI: failed to install DSA key.'), Field(,false)}" -match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ +var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ dup18, - dup220, + dup218, dup51, dup54, dup2, @@ -12087,13 +10872,12 @@ match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA ke dup5, ])); -var msg537 = msg("00030:77", part902); +var msg537 = msg("00030:77", part898); -var part903 = // "Pattern{Constant('PKI: no FQDN available when requesting certificate.'), Field(,false)}" -match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ +var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ dup35, - dup213, - dup222, + dup211, + dup220, dup31, dup39, dup2, @@ -12102,13 +10886,12 @@ match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when r dup5, ])); -var msg538 = msg("00030:78", part903); +var msg538 = msg("00030:78", part899); -var part904 = // "Pattern{Constant('PKI: no cert revocation check per config DN '), Field(username,false), Constant('.')}" -match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ +var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ dup35, - dup213, - dup222, + dup211, + dup220, dup31, dup39, dup2, @@ -12117,10 +10900,9 @@ match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check dup5, ])); -var msg539 = msg("00030:79", part904); +var msg539 = msg("00030:79", part900); -var part905 = // "Pattern{Constant('PKI: no nsrp sync for pre 2.5 objects.'), Field(,false)}" -match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ +var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ dup44, dup2, dup3, @@ -12128,10 +10910,9 @@ match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 dup5, ])); -var msg540 = msg("00030:80", part905); +var msg540 = msg("00030:80", part901); -var part906 = // "Pattern{Constant('X509 certificate with subject name '), Field(fld2,true), Constant(' is deleted.')}" -match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ +var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ dup44, dup2, dup3, @@ -12139,10 +10920,9 @@ match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject dup5, ])); -var msg541 = msg("00030:81", part906); +var msg541 = msg("00030:81", part902); -var part907 = // "Pattern{Constant('create new authcfg for CA '), Field(fld2,false)}" -match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ +var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -12150,12 +10930,11 @@ match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{f dup5, ])); -var msg542 = msg("00030:82", part907); +var msg542 = msg("00030:82", part903); -var part908 = // "Pattern{Constant('loadCert: Cannot acquire authcfg for this CA cert '), Field(fld2,false), Constant('.')}" -match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ +var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ dup35, - dup213, + dup211, dup31, dup39, dup2, @@ -12164,10 +10943,9 @@ match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire auth dup5, ])); -var msg543 = msg("00030:83", part908); +var msg543 = msg("00030:83", part904); -var part909 = // "Pattern{Constant('upgrade to 4.0 copy authcfg from global.'), Field(,false)}" -match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ +var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ dup44, dup2, dup3, @@ -12175,10 +10953,9 @@ match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg f dup5, ])); -var msg544 = msg("00030:84", part909); +var msg544 = msg("00030:84", part905); -var part910 = // "Pattern{Constant('System CPU utilization is high ('), Field(fld2,true), Constant(' alarm threshold: '), Field(trigger_val,false), Constant(') '), Field(info,false)}" -match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ +var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ setc("eventcategory","1603080000"), dup2, dup3, @@ -12186,19 +10963,18 @@ match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is hig dup5, ])); -var msg545 = msg("00030:85", part910); +var msg545 = msg("00030:85", part906); -var part911 = // "Pattern{Constant('Pair-wise invoked by started after key generation. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); +var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); -var all179 = all_match({ +var all175 = all_match({ processors: [ - dup223, - dup381, - part911, + dup221, + dup378, + part907, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup4, dup5, @@ -12206,11 +10982,10 @@ var all179 = all_match({ ]), }); -var msg546 = msg("00030:86", all179); +var msg546 = msg("00030:86", all175); -var part912 = // "Pattern{Constant('SYSTEM CPU utilization is high ('), Field(fld2,true), Constant(' > '), Field(fld3,true), Constant(' ) '), Field(fld4,true), Constant(' times in '), Field(fld5,true), Constant(' minute ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" -match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ - dup211, +var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup209, dup2, dup3, dup4, @@ -12218,19 +10993,18 @@ match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is hi dup9, ])); -var msg547 = msg("00030:87", part912); +var msg547 = msg("00030:87", part908); -var part913 = // "Pattern{Constant('Pair-wise invoked by passed. ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" -match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>"); +var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>"); -var all180 = all_match({ +var all176 = all_match({ processors: [ - dup223, - dup381, - part913, + dup221, + dup378, + part909, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup4, dup5, @@ -12238,7 +11012,7 @@ var all180 = all_match({ ]), }); -var msg548 = msg("00030:88", all180); +var msg548 = msg("00030:88", all176); var select197 = linear_select([ msg475, @@ -12317,8 +11091,7 @@ var select197 = linear_select([ msg548, ]); -var part914 = // "Pattern{Constant('ARP detected IP conflict: IP address '), Field(hostip,true), Constant(' changed from '), Field(sinterface,true), Constant(' to interface '), Field(dinterface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ +var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ dup121, dup2, dup3, @@ -12327,10 +11100,9 @@ match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP dup5, ])); -var msg549 = msg("00031:13", part914); +var msg549 = msg("00031:13", part910); -var part915 = // "Pattern{Constant('SNMP AuthenTraps have been '), Field(disposition,false)}" -match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ +var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -12338,10 +11110,9 @@ match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{dis dup5, ])); -var msg550 = msg("00031", part915); +var msg550 = msg("00031", part911); -var part916 = // "Pattern{Constant('SNMP VPN has been '), Field(disposition,false)}" -match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ +var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -12349,29 +11120,25 @@ match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{dispositi dup5, ])); -var msg551 = msg("00031:01", part916); +var msg551 = msg("00031:01", part912); -var part917 = // "Pattern{Constant('SNMP community '), Field(fld2,true), Constant(' attributes-write access '), Field(p0,false)}" -match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); +var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); -var part918 = // "Pattern{Constant('; receive traps '), Field(p0,false)}" -match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); +var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); -var part919 = // "Pattern{Constant('; receive traffic alarms '), Field(p0,false)}" -match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); +var part915 = match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); -var part920 = // "Pattern{Constant('-have been modified'), Field(,false)}" -match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); +var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); -var all181 = all_match({ +var all177 = all_match({ processors: [ - part917, - dup382, - part918, - dup382, - part919, - dup382, - part920, + part913, + dup379, + part914, + dup379, + part915, + dup379, + part916, ], on_success: processor_chain([ dup1, @@ -12382,24 +11149,22 @@ var all181 = all_match({ ]), }); -var msg552 = msg("00031:02", all181); +var msg552 = msg("00031:02", all177); -var part921 = // "Pattern{Field(fld2,true), Constant(' SNMP host '), Field(hostip,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); +var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); var select198 = linear_select([ dup130, dup129, ]); -var part922 = // "Pattern{Constant('SNMP community '), Field(fld3,false)}" -match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); +var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); -var all182 = all_match({ +var all178 = all_match({ processors: [ - part921, + part917, select198, - part922, + part918, ], on_success: processor_chain([ dup1, @@ -12410,27 +11175,24 @@ var all182 = all_match({ ]), }); -var msg553 = msg("00031:03", all182); +var msg553 = msg("00031:03", all178); -var part923 = // "Pattern{Constant('SNMP '), Field(p0,false)}" -match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); +var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); -var part924 = // "Pattern{Constant('contact '), Field(p0,false)}" -match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); +var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); var select199 = linear_select([ - part924, - dup228, + part920, + dup226, ]); -var part925 = // "Pattern{Constant('description has been modified'), Field(,false)}" -match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); +var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); -var all183 = all_match({ +var all179 = all_match({ processors: [ - part923, + part919, select199, - part925, + part921, ], on_success: processor_chain([ dup1, @@ -12441,24 +11203,22 @@ var all183 = all_match({ ]), }); -var msg554 = msg("00031:04", all183); +var msg554 = msg("00031:04", all179); -var part926 = // "Pattern{Constant('SNMP system '), Field(p0,false)}" -match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); +var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); var select200 = linear_select([ - dup228, + dup226, dup25, ]); -var part927 = // "Pattern{Constant('has been changed to '), Field(fld2,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})"); +var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})"); -var all184 = all_match({ +var all180 = all_match({ processors: [ - part926, + part922, select200, - part927, + part923, ], on_success: processor_chain([ dup1, @@ -12470,58 +11230,49 @@ var all184 = all_match({ ]), }); -var msg555 = msg("00031:11", all184); +var msg555 = msg("00031:11", all180); -var part928 = // "Pattern{Field(fld2,false), Constant(': SNMP community name "'), Field(fld3,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); +var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); -var part929 = // "Pattern{Constant('attributes -- '), Field(p0,false)}" -match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); +var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); -var part930 = // "Pattern{Constant('-- '), Field(p0,false)}" -match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); +var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); var select201 = linear_select([ - part929, - part930, + part925, + part926, ]); -var part931 = // "Pattern{Constant('write access, '), Field(p0,false)}" -match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); +var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); -var part932 = // "Pattern{Constant('; receive traps, '), Field(p0,false)}" -match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); +var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); -var part933 = // "Pattern{Constant('; receive traffic alarms, '), Field(p0,false)}" -match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); +var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); -var part934 = // "Pattern{Constant('-'), Field(p0,false)}" -match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); +var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); -var part935 = // "Pattern{Constant('- '), Field(p0,false)}" -match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); +var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); var select202 = linear_select([ - part935, + part931, dup96, ]); -var part936 = // "Pattern{Constant('have been modified'), Field(,false)}" -match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); +var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); -var all185 = all_match({ +var all181 = all_match({ processors: [ - part928, + part924, select201, - part931, - dup382, - part932, - dup382, - part933, - dup382, - part934, + part927, + dup379, + part928, + dup379, + part929, + dup379, + part930, select202, - part936, + part932, ], on_success: processor_chain([ dup1, @@ -12532,16 +11283,15 @@ var all185 = all_match({ ]), }); -var msg556 = msg("00031:08", all185); +var msg556 = msg("00031:08", all181); -var part937 = // "Pattern{Constant('Detect IP conflict ('), Field(fld2,false), Constant(') on '), Field(p0,false)}" -match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); +var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); -var all186 = all_match({ +var all182 = all_match({ processors: [ - part937, - dup339, - dup229, + part933, + dup337, + dup227, ], on_success: processor_chain([ dup121, @@ -12552,43 +11302,39 @@ var all186 = all_match({ ]), }); -var msg557 = msg("00031:05", all186); +var msg557 = msg("00031:05", all182); -var part938 = // "Pattern{Constant('q, '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); +var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); var select203 = linear_select([ - part938, - dup231, - dup232, + part934, + dup229, + dup230, ]); -var part939 = // "Pattern{Constant('detect IP conflict ( '), Field(hostip,true), Constant(' )'), Field(p0,false)}" -match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); +var part935 = match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); var select204 = linear_select([ dup105, dup96, ]); -var part940 = // "Pattern{Constant('mac'), Field(p0,false)}" -match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); +var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); -var part941 = // "Pattern{Constant(''), Field(macaddr,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); +var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); -var all187 = all_match({ +var all183 = all_match({ processors: [ - dup230, + dup228, select203, - part939, + part935, select204, - part940, - dup358, - part941, - dup354, + part936, + dup356, + part937, + dup352, dup23, - dup383, + dup380, ], on_success: processor_chain([ dup121, @@ -12600,18 +11346,17 @@ var all187 = all_match({ ]), }); -var msg558 = msg("00031:06", all187); +var msg558 = msg("00031:06", all183); -var part942 = // "Pattern{Constant('detects a duplicate virtual security device group master IP address '), Field(hostip,false), Constant(', MAC address '), Field(macaddr,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); +var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); -var all188 = all_match({ +var all184 = all_match({ processors: [ - dup230, - dup384, - part942, - dup339, - dup229, + dup228, + dup381, + part938, + dup337, + dup227, ], on_success: processor_chain([ dup121, @@ -12622,17 +11367,16 @@ var all188 = all_match({ ]), }); -var msg559 = msg("00031:07", all188); +var msg559 = msg("00031:07", all184); -var part943 = // "Pattern{Constant('detected an IP conflict (IP '), Field(hostip,false), Constant(', MAC '), Field(macaddr,false), Constant(') on interface '), Field(p0,false)}" -match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); +var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); -var all189 = all_match({ +var all185 = all_match({ processors: [ - dup230, - dup384, - part943, - dup383, + dup228, + dup381, + part939, + dup380, ], on_success: processor_chain([ dup121, @@ -12644,10 +11388,9 @@ var all189 = all_match({ ]), }); -var msg560 = msg("00031:09", all189); +var msg560 = msg("00031:09", all185); -var part944 = // "Pattern{Field(fld2,false), Constant(': SNMP community "'), Field(fld3,false), Constant('" has been moved. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ +var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -12656,10 +11399,9 @@ match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{f dup5, ])); -var msg561 = msg("00031:10", part944); +var msg561 = msg("00031:10", part940); -var part945 = // "Pattern{Field(fld2,true), Constant(' system contact has been changed to '), Field(fld3,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([ +var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -12668,7 +11410,7 @@ match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has dup5, ])); -var msg562 = msg("00031:12", part945); +var msg562 = msg("00031:12", part941); var select205 = linear_select([ msg549, @@ -12687,9 +11429,8 @@ var select205 = linear_select([ msg562, ]); -var part946 = // "Pattern{Field(signame,true), Constant(' has been detected and blocked! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup234, +var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, dup2, dup3, dup59, @@ -12698,11 +11439,10 @@ match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected a dup61, ])); -var msg563 = msg("00032", part946); +var msg563 = msg("00032", part942); -var part947 = // "Pattern{Field(signame,true), Constant(' has been detected and blocked! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ - dup234, +var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup232, dup2, dup3, dup4, @@ -12710,33 +11450,28 @@ match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detecte dup61, ])); -var msg564 = msg("00032:01", part947); +var msg564 = msg("00032:01", part943); -var part948 = // "Pattern{Constant('Vsys '), Field(fld2,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); +var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); -var part949 = // "Pattern{Constant('changed to '), Field(fld3,false)}" -match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); +var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); -var part950 = // "Pattern{Constant('created'), Field(,false)}" -match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); +var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); -var part951 = // "Pattern{Constant('deleted'), Field(,false)}" -match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); +var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); -var part952 = // "Pattern{Constant('removed'), Field(,false)}" -match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); +var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); var select206 = linear_select([ - part949, - part950, - part951, - part952, + part945, + part946, + part947, + part948, ]); -var all190 = all_match({ +var all186 = all_match({ processors: [ - part948, + part944, select206, ], on_success: processor_chain([ @@ -12748,11 +11483,10 @@ var all190 = all_match({ ]), }); -var msg565 = msg("00032:03", all190); +var msg565 = msg("00032:03", all186); -var part953 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ - dup234, +var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, dup2, dup3, dup4, @@ -12761,10 +11495,9 @@ match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup61, ])); -var msg566 = msg("00032:04", part953); +var msg566 = msg("00032:04", part949); -var part954 = // "Pattern{Field(change_attribute,true), Constant(' for vsys '), Field(fld2,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -12772,9 +11505,9 @@ match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsy dup5, ])); -var msg567 = msg("00032:05", part954); +var msg567 = msg("00032:05", part950); -var msg568 = msg("00032:02", dup378); +var msg568 = msg("00032:02", dup375); var select207 = linear_select([ msg563, @@ -12785,8 +11518,7 @@ var select207 = linear_select([ msg568, ]); -var part955 = // "Pattern{Constant('NSM has been '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ +var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -12796,28 +11528,25 @@ match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. setc("agent","NSM"), ])); -var msg569 = msg("00033:25", part955); +var msg569 = msg("00033:25", part951); -var part956 = // "Pattern{Constant('timeout value has been '), Field(p0,false)}" -match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); +var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); -var part957 = // "Pattern{Constant('returned'), Field(p0,false)}" -match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); +var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); var select208 = linear_select([ dup52, - part957, + part953, ]); -var part958 = // "Pattern{Field(,false), Constant('to '), Field(fld2,false)}" -match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); +var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); -var all191 = all_match({ +var all187 = all_match({ processors: [ - dup385, - part956, + dup382, + part952, select208, - part958, + part954, ], on_success: processor_chain([ dup1, @@ -12828,29 +11557,26 @@ var all191 = all_match({ ]), }); -var msg570 = msg("00033", all191); +var msg570 = msg("00033", all187); -var part959 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" -match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); +var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); -var part960 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); +var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); var select209 = linear_select([ - part959, - part960, + part955, + part956, ]); -var part961 = // "Pattern{Constant('host has been set to '), Field(fld4,false)}" -match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); +var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); -var all192 = all_match({ +var all188 = all_match({ processors: [ - dup162, + dup160, select209, dup23, - dup372, - part961, + dup369, + part957, ], on_success: processor_chain([ dup1, @@ -12861,17 +11587,16 @@ var all192 = all_match({ ]), }); -var msg571 = msg("00033:03", all192); +var msg571 = msg("00033:03", all188); -var part962 = // "Pattern{Constant('host has been '), Field(disposition,false)}" -match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}"); +var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}"); -var all193 = all_match({ +var all189 = all_match({ processors: [ - dup385, + dup382, dup23, - dup372, - part962, + dup369, + part958, ], on_success: processor_chain([ dup1, @@ -12882,10 +11607,9 @@ var all193 = all_match({ ]), }); -var msg572 = msg("00033:02", all193); +var msg572 = msg("00033:02", all189); -var part963 = // "Pattern{Constant('Reporting of '), Field(fld2,true), Constant(' to '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ +var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -12893,10 +11617,9 @@ match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{f dup5, ])); -var msg573 = msg("00033:04", part963); +var msg573 = msg("00033:04", part959); -var part964 = // "Pattern{Constant('Global PRO has been '), Field(disposition,false)}" -match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ +var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -12904,10 +11627,9 @@ match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposi dup5, ])); -var msg574 = msg("00033:05", part964); +var msg574 = msg("00033:05", part960); -var part965 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('. The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ +var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ dup27, dup2, dup3, @@ -12917,10 +11639,9 @@ match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{s dup61, ])); -var msg575 = msg("00033:06", part965); +var msg575 = msg("00033:06", part961); -var part966 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('. The threshold was exceeded '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([ +var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([ dup27, dup2, dup3, @@ -12930,10 +11651,9 @@ match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{s dup61, ])); -var msg576 = msg("00033:01", part966); +var msg576 = msg("00033:01", part962); -var part967 = // "Pattern{Constant('User-defined service '), Field(service,true), Constant(' has been '), Field(disposition,true), Constant(' from '), Field(fld2,true), Constant(' distribution')}" -match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ +var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ dup1, dup2, dup3, @@ -12941,16 +11661,15 @@ match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{servic dup5, ])); -var msg577 = msg("00033:07", part967); +var msg577 = msg("00033:07", part963); -var part968 = // "Pattern{Constant('?s CA certificate field has not been specified.'), Field(,false)}" -match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); +var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); -var all194 = all_match({ +var all190 = all_match({ processors: [ - dup237, - dup386, - part968, + dup235, + dup383, + part964, ], on_success: processor_chain([ dup1, @@ -12961,16 +11680,15 @@ var all194 = all_match({ ]), }); -var msg578 = msg("00033:08", all194); +var msg578 = msg("00033:08", all190); -var part969 = // "Pattern{Constant('?s Cert-Subject field has not been specified.'), Field(,false)}" -match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); +var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); -var all195 = all_match({ +var all191 = all_match({ processors: [ - dup237, - dup386, - part969, + dup235, + dup383, + part965, ], on_success: processor_chain([ dup1, @@ -12981,24 +11699,22 @@ var all195 = all_match({ ]), }); -var msg579 = msg("00033:09", all195); +var msg579 = msg("00033:09", all191); -var part970 = // "Pattern{Constant('?s host field has been '), Field(p0,false)}" -match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); +var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); -var part971 = // "Pattern{Constant('set to '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); +var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); var select210 = linear_select([ - part971, - dup240, + part967, + dup238, ]); -var all196 = all_match({ +var all192 = all_match({ processors: [ - dup237, - dup386, - part970, + dup235, + dup383, + part966, select210, dup116, ], @@ -13011,21 +11727,19 @@ var all196 = all_match({ ]), }); -var msg580 = msg("00033:10", all196); +var msg580 = msg("00033:10", all192); -var part972 = // "Pattern{Constant('?s outgoing interface used to report NACN to Policy Manager '), Field(p0,false)}" -match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); +var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); -var part973 = // "Pattern{Constant('has not been specified.'), Field(,false)}" -match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); +var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); -var all197 = all_match({ +var all193 = all_match({ processors: [ - dup237, - dup386, - part972, - dup386, - part973, + dup235, + dup383, + part968, + dup383, + part969, ], on_success: processor_chain([ dup1, @@ -13036,21 +11750,20 @@ var all197 = all_match({ ]), }); -var msg581 = msg("00033:11", all197); +var msg581 = msg("00033:11", all193); -var part974 = // "Pattern{Constant('?s password field has been '), Field(p0,false)}" -match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); +var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); var select211 = linear_select([ dup101, - dup240, + dup238, ]); -var all198 = all_match({ +var all194 = all_match({ processors: [ - dup237, - dup386, - part974, + dup235, + dup383, + part970, select211, dup116, ], @@ -13063,27 +11776,24 @@ var all198 = all_match({ ]), }); -var msg582 = msg("00033:12", all198); +var msg582 = msg("00033:12", all194); -var part975 = // "Pattern{Constant('?s policy-domain field has been '), Field(p0,false)}" -match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); +var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); -var part976 = // "Pattern{Constant('unset .'), Field(,false)}" -match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); +var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); -var part977 = // "Pattern{Constant('set to '), Field(domain,false), Constant('.')}" -match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); +var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); var select212 = linear_select([ - part976, - part977, + part972, + part973, ]); -var all199 = all_match({ +var all195 = all_match({ processors: [ - dup237, - dup386, - part975, + dup235, + dup383, + part971, select212, ], on_success: processor_chain([ @@ -13095,16 +11805,15 @@ var all199 = all_match({ ]), }); -var msg583 = msg("00033:13", all199); +var msg583 = msg("00033:13", all195); -var part978 = // "Pattern{Constant('?s CA certificate field has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); +var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); -var all200 = all_match({ +var all196 = all_match({ processors: [ - dup237, - dup386, - part978, + dup235, + dup383, + part974, ], on_success: processor_chain([ dup1, @@ -13115,16 +11824,15 @@ var all200 = all_match({ ]), }); -var msg584 = msg("00033:14", all200); +var msg584 = msg("00033:14", all196); -var part979 = // "Pattern{Constant('?s Cert-Subject field has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); +var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); -var all201 = all_match({ +var all197 = all_match({ processors: [ - dup237, - dup386, - part979, + dup235, + dup383, + part975, ], on_success: processor_chain([ dup1, @@ -13135,16 +11843,15 @@ var all201 = all_match({ ]), }); -var msg585 = msg("00033:15", all201); +var msg585 = msg("00033:15", all197); -var part980 = // "Pattern{Constant('?s outgoing-interface field has been set to '), Field(interface,false), Constant('.')}" -match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); +var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); -var all202 = all_match({ +var all198 = all_match({ processors: [ - dup237, - dup386, - part980, + dup235, + dup383, + part976, ], on_success: processor_chain([ dup1, @@ -13155,27 +11862,24 @@ var all202 = all_match({ ]), }); -var msg586 = msg("00033:16", all202); +var msg586 = msg("00033:16", all198); -var part981 = // "Pattern{Constant('?s port field has been '), Field(p0,false)}" -match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); +var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); -var part982 = // "Pattern{Constant('set to '), Field(network_port,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); +var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); -var part983 = // "Pattern{Constant('reset to the default value '), Field(p0,false)}" -match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); +var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); var select213 = linear_select([ - part982, - part983, + part978, + part979, ]); -var all203 = all_match({ +var all199 = all_match({ processors: [ - dup237, - dup386, - part981, + dup235, + dup383, + part977, select213, dup116, ], @@ -13188,21 +11892,19 @@ var all203 = all_match({ ]), }); -var msg587 = msg("00033:17", all203); +var msg587 = msg("00033:17", all199); -var part984 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(p0,false)}" -match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); +var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); -var part985 = // "Pattern{Field(fld99,false), Constant('arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' time.')}" -match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); +var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); -var all204 = all_match({ +var all200 = all_match({ processors: [ - part984, - dup341, + part980, + dup339, dup70, - dup342, - part985, + dup340, + part981, ], on_success: processor_chain([ dup27, @@ -13215,10 +11917,9 @@ var all204 = all_match({ ]), }); -var msg588 = msg("00033:19", all204); +var msg588 = msg("00033:19", all200); -var part986 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' time.')}" -match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ +var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ dup27, dup2, dup4, @@ -13228,12 +11929,12 @@ match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} t dup60, ])); -var msg589 = msg("00033:20", part986); +var msg589 = msg("00033:20", part982); -var all205 = all_match({ +var all201 = all_match({ processors: [ - dup241, - dup345, + dup239, + dup343, dup83, ], on_success: processor_chain([ @@ -13248,15 +11949,14 @@ var all205 = all_match({ ]), }); -var msg590 = msg("00033:21", all205); +var msg590 = msg("00033:21", all201); -var part987 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); -var all206 = all_match({ +var all202 = all_match({ processors: [ - part987, - dup345, + part983, + dup343, dup83, ], on_success: processor_chain([ @@ -13271,10 +11971,9 @@ var all206 = all_match({ ]), }); -var msg591 = msg("00033:22", all206); +var msg591 = msg("00033:22", all202); -var part988 = // "Pattern{Constant('NSM primary server with name '), Field(hostname,true), Constant(' was set: addr '), Field(hostip,false), Constant(', port '), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ +var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -13283,10 +11982,9 @@ match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name dup5, ])); -var msg592 = msg("00033:23", part988); +var msg592 = msg("00033:23", part984); -var part989 = // "Pattern{Constant('session threshold From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(info,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ +var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ setc("eventcategory","1001030500"), dup2, dup3, @@ -13295,7 +11993,7 @@ match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{sadd dup5, ])); -var msg593 = msg("00033:24", part989); +var msg593 = msg("00033:24", part985); var select214 = linear_select([ msg569, @@ -13325,49 +12023,44 @@ var select214 = linear_select([ msg593, ]); -var part990 = // "Pattern{Constant('SCS: Failed '), Field(p0,false)}" -match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); +var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); -var part991 = // "Pattern{Constant('Failed '), Field(p0,false)}" -match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); +var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); var select215 = linear_select([ - part990, - part991, + part986, + part987, ]); -var part992 = // "Pattern{Constant('bind '), Field(p0,false)}" -match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); +var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); -var part993 = // "Pattern{Constant('retrieve '), Field(p0,false)}" -match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); +var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); var select216 = linear_select([ - part992, - dup203, - part993, + part988, + dup201, + part989, ]); var select217 = linear_select([ - dup198, + dup196, dup103, - dup165, + dup163, ]); -var part994 = // "Pattern{Constant('SSH user '), Field(username,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" -match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})"); +var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})"); -var all207 = all_match({ +var all203 = all_match({ processors: [ select215, dup103, select216, - dup204, + dup202, select217, - part994, + part990, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13375,42 +12068,37 @@ var all207 = all_match({ ]), }); -var msg594 = msg("00034", all207); +var msg594 = msg("00034", all203); -var part995 = // "Pattern{Constant('SCS: Incompatible '), Field(p0,false)}" -match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); +var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); -var part996 = // "Pattern{Constant('Incompatible '), Field(p0,false)}" -match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); +var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); var select218 = linear_select([ - part995, - part996, + part991, + part992, ]); -var part997 = // "Pattern{Constant('SSH version '), Field(version,true), Constant(' has been received from '), Field(p0,false)}" -match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); +var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); -var part998 = // "Pattern{Constant('the SSH '), Field(p0,false)}" -match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); +var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); var select219 = linear_select([ - part998, - dup243, + part994, + dup241, ]); -var part999 = // "Pattern{Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); +var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); -var all208 = all_match({ +var all204 = all_match({ processors: [ select218, - part997, + part993, select219, - part999, + part995, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13418,29 +12106,27 @@ var all208 = all_match({ ]), }); -var msg595 = msg("00034:01", all208); +var msg595 = msg("00034:01", all204); -var part1000 = // "Pattern{Constant('Maximum number of SCS sessions '), Field(fld2,true), Constant(' has been reached. Connection request from SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been '), Field(disposition,false)}" -match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ - dup242, +var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg596 = msg("00034:02", part1000); +var msg596 = msg("00034:02", part996); -var part1001 = // "Pattern{Constant('device failed to authenticate the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); +var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); -var all209 = all_match({ +var all205 = all_match({ processors: [ - dup387, - part1001, + dup384, + part997, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13448,56 +12134,50 @@ var all209 = all_match({ ]), }); -var msg597 = msg("00034:03", all209); +var msg597 = msg("00034:03", all205); -var part1002 = // "Pattern{Constant('SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" -match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([ - dup242, +var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg598 = msg("00034:04", part1002); +var msg598 = msg("00034:04", part998); -var part1003 = // "Pattern{Constant('NetScreen device failed to generate a PKA RSA challenge for SSH user '), Field(username,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" -match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ - dup242, +var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg599 = msg("00034:05", part1003); +var msg599 = msg("00034:05", part999); -var part1004 = // "Pattern{Constant('device failed to '), Field(p0,false)}" -match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); +var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); -var part1005 = // "Pattern{Constant('identify itself '), Field(p0,false)}" -match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); +var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); -var part1006 = // "Pattern{Constant('send the identification string '), Field(p0,false)}" -match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); +var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); var select220 = linear_select([ - part1005, - part1006, + part1001, + part1002, ]); -var part1007 = // "Pattern{Constant('to the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); +var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); -var all210 = all_match({ +var all206 = all_match({ processors: [ - dup387, - part1004, + dup384, + part1000, select220, - part1007, + part1003, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13505,73 +12185,65 @@ var all210 = all_match({ ]), }); -var msg600 = msg("00034:06", all210); +var msg600 = msg("00034:06", all206); -var part1008 = // "Pattern{Constant('SCS connection has been terminated for admin user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ - dup242, +var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg601 = msg("00034:07", part1008); +var msg601 = msg("00034:07", part1004); -var part1009 = // "Pattern{Constant('SCS: SCS has been '), Field(disposition,true), Constant(' for '), Field(username,true), Constant(' with '), Field(fld2,true), Constant(' existing PKA keys already bound to '), Field(fld3,true), Constant(' SSH users.')}" -match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ - dup242, +var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg602 = msg("00034:08", part1009); +var msg602 = msg("00034:08", part1005); -var part1010 = // "Pattern{Constant('SCS has been '), Field(disposition,true), Constant(' for '), Field(username,true), Constant(' with '), Field(fld2,true), Constant(' PKA keys already bound to '), Field(fld3,true), Constant(' SSH users')}" -match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ - dup242, +var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg603 = msg("00034:09", part1010); +var msg603 = msg("00034:09", part1006); -var part1011 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); +var part1007 = match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); -var part1012 = // "Pattern{Constant(''), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); +var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); -var part1013 = // "Pattern{Constant('with'), Field(p0,false)}" -match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); +var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); -var part1014 = // "Pattern{Constant('at'), Field(p0,false)}" -match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); +var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); var select221 = linear_select([ - part1013, - part1014, + part1009, + part1010, ]); -var part1015 = // "Pattern{Field(,false), Constant('IP '), Field(hostip,true), Constant(' but '), Field(disposition,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); +var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); -var all211 = all_match({ +var all207 = all_match({ processors: [ - dup246, - dup388, - part1011, - dup354, - part1012, + dup244, + dup385, + part1007, + dup352, + part1008, select221, - part1015, + part1011, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13579,24 +12251,22 @@ var all211 = all_match({ ]), }); -var msg604 = msg("00034:10", all211); +var msg604 = msg("00034:10", all207); -var part1016 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); +var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); -var part1017 = // "Pattern{Constant('but '), Field(disposition,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); +var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); -var all212 = all_match({ +var all208 = all_match({ processors: [ - dup246, - dup388, - part1016, - dup389, - part1017, + dup244, + dup385, + part1012, + dup386, + part1013, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13604,24 +12274,22 @@ var all212 = all_match({ ]), }); -var msg605 = msg("00034:12", all212); +var msg605 = msg("00034:12", all208); -var part1018 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); +var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); -var part1019 = // "Pattern{Constant('because '), Field(result,false)}" -match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); +var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); -var all213 = all_match({ +var all209 = all_match({ processors: [ - dup246, - dup388, - part1018, - dup389, - part1019, + dup244, + dup385, + part1014, + dup386, + part1015, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13629,30 +12297,28 @@ var all213 = all_match({ ]), }); -var msg606 = msg("00034:11", all213); +var msg606 = msg("00034:11", all209); -var part1020 = // "Pattern{Constant('SSH client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection because '), Field(result,false)}" -match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ - dup242, +var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg607 = msg("00034:15", part1020); +var msg607 = msg("00034:15", part1016); -var part1021 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' cannot log in via SCS to '), Field(service,true), Constant(' using the shared '), Field(interface,true), Constant(' interface because '), Field(result,false)}" -match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); +var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); -var all214 = all_match({ +var all210 = all_match({ processors: [ - dup246, - dup390, - part1021, + dup244, + dup387, + part1017, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13660,19 +12326,18 @@ var all214 = all_match({ ]), }); -var msg608 = msg("00034:18", all214); +var msg608 = msg("00034:18", all210); -var part1022 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' the PKA RSA challenge')}" -match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); +var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); -var all215 = all_match({ +var all211 = all_match({ processors: [ - dup246, - dup390, - part1022, + dup244, + dup387, + part1018, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13680,49 +12345,43 @@ var all215 = all_match({ ]), }); -var msg609 = msg("00034:20", all215); +var msg609 = msg("00034:20", all211); -var part1023 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has requested '), Field(p0,false)}" -match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); +var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); -var part1024 = // "Pattern{Constant('authentication which is not '), Field(p0,false)}" -match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); +var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); -var part1025 = // "Pattern{Constant('supported '), Field(p0,false)}" -match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); +var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); var select222 = linear_select([ - part1025, + part1021, dup156, ]); -var part1026 = // "Pattern{Constant('for that '), Field(p0,false)}" -match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); +var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); -var part1027 = // "Pattern{Constant('client'), Field(,false)}" -match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); +var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); -var part1028 = // "Pattern{Constant('user'), Field(,false)}" -match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); +var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); var select223 = linear_select([ - part1027, - part1028, + part1023, + part1024, ]); -var all216 = all_match({ +var all212 = all_match({ processors: [ - dup246, - dup390, - part1023, - dup375, - part1024, + dup244, + dup387, + part1019, + dup372, + part1020, select222, - part1026, + part1022, select223, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13730,41 +12389,37 @@ var all216 = all_match({ ]), }); -var msg610 = msg("00034:21", all216); +var msg610 = msg("00034:21", all212); -var part1029 = // "Pattern{Constant('SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has unsuccessfully attempted to log in via SCS to vsys '), Field(fld2,true), Constant(' using the shared untrusted interface')}" -match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([ - dup242, +var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg611 = msg("00034:22", part1029); +var msg611 = msg("00034:22", part1025); -var part1030 = // "Pattern{Constant('SCS: Unable '), Field(p0,false)}" -match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); +var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); -var part1031 = // "Pattern{Constant('Unable '), Field(p0,false)}" -match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); +var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); var select224 = linear_select([ - part1030, - part1031, + part1026, + part1027, ]); -var part1032 = // "Pattern{Constant('to validate cookie from the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); +var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); -var all217 = all_match({ +var all213 = all_match({ processors: [ - dup162, + dup160, select224, - part1032, + part1028, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13772,32 +12427,29 @@ var all217 = all_match({ ]), }); -var msg612 = msg("00034:23", all217); +var msg612 = msg("00034:23", all213); -var part1033 = // "Pattern{Constant('AC '), Field(username,true), Constant(' is advertising URL '), Field(fld2,false)}" -match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ - dup242, +var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg613 = msg("00034:24", part1033); +var msg613 = msg("00034:24", part1029); -var part1034 = // "Pattern{Constant('Message from AC '), Field(username,false), Constant(': '), Field(fld2,false)}" -match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ - dup242, +var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg614 = msg("00034:25", part1034); +var msg614 = msg("00034:25", part1030); -var part1035 = // "Pattern{Constant('PPPoE Settings changed'), Field(,false)}" -match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ +var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ dup1, dup2, dup3, @@ -13805,10 +12457,9 @@ match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", p dup5, ])); -var msg615 = msg("00034:26", part1035); +var msg615 = msg("00034:26", part1031); -var part1036 = // "Pattern{Constant('PPPoE is '), Field(disposition,true), Constant(' on '), Field(interface,true), Constant(' interface')}" -match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ +var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ dup1, dup2, dup3, @@ -13816,121 +12467,99 @@ match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on dup5, ])); -var msg616 = msg("00034:27", part1036); - -var part1037 = // "Pattern{Constant('PPPoE'), Field(p0,false)}" -match("MESSAGE#608:00034:28/0", "nwparser.payload", "PPPoE%{p0}"); +var msg616 = msg("00034:27", part1032); -var part1038 = // "Pattern{Constant('s session closed by AC'), Field(,false)}" -match("MESSAGE#608:00034:28/2", "nwparser.p0", "s session closed by AC%{}"); - -var all218 = all_match({ - processors: [ - part1037, - dup363, - part1038, - ], - on_success: processor_chain([ - dup211, - dup2, - dup3, - dup4, - dup5, - ]), -}); +var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, +])); -var msg617 = msg("00034:28", all218); +var msg617 = msg("00034:28", part1033); -var part1039 = // "Pattern{Constant('SCS: Disabled for '), Field(username,false), Constant('. Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup242, +var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg618 = msg("00034:29", part1039); +var msg618 = msg("00034:29", part1034); -var part1040 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to remove PKA key removed.')}" -match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ - dup242, +var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg619 = msg("00034:30", part1040); +var msg619 = msg("00034:30", part1035); -var part1041 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to retrieve host key')}" -match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ - dup242, +var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg620 = msg("00034:31", part1041); +var msg620 = msg("00034:31", part1036); -var part1042 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to send identification string to client host at '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" -match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ - dup242, +var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg621 = msg("00034:32", part1042); +var msg621 = msg("00034:32", part1037); -var part1043 = // "Pattern{Constant('SCS: Max '), Field(fld2,true), Constant(' sessions reached unabel to accept connection : '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ - dup242, +var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg622 = msg("00034:33", part1043); +var msg622 = msg("00034:33", part1038); -var part1044 = // "Pattern{Constant('SCS: Maximum number for SCS sessions '), Field(fld2,true), Constant(' has been reached. Connection request from SSH user at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ - dup242, +var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg623 = msg("00034:34", part1044); +var msg623 = msg("00034:34", part1039); -var part1045 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has unsuccessfully attempted to log in via SCS to '), Field(service,true), Constant(' using the shared untrusted interface because SCS is disabled on that interface.')}" -match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ - dup242, +var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg624 = msg("00034:35", part1045); +var msg624 = msg("00034:35", part1040); -var part1046 = // "Pattern{Constant('SCS: Unsupported cipher type '), Field(fld2,true), Constant(' requested from: '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ - dup242, +var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg625 = msg("00034:36", part1046); +var msg625 = msg("00034:36", part1041); -var part1047 = // "Pattern{Constant('The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed'), Field(,false)}" -match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ +var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ dup1, dup2, dup3, @@ -13938,21 +12567,19 @@ match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol o dup5, ])); -var msg626 = msg("00034:37", part1047); +var msg626 = msg("00034:37", part1042); -var part1048 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to retreive PKA key bound to SSH user '), Field(username,true), Constant(' (Key ID '), Field(fld2,false), Constant(')')}" -match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ - dup242, +var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg627 = msg("00034:38", part1048); +var msg627 = msg("00034:38", part1043); -var part1049 = // "Pattern{Constant('SSH: Error processing packet from host '), Field(saddr,true), Constant(' (Code '), Field(fld2,false), Constant(')')}" -match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ +var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ dup19, dup2, dup3, @@ -13960,10 +12587,9 @@ match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet dup5, ])); -var msg628 = msg("00034:39", part1049); +var msg628 = msg("00034:39", part1044); -var part1050 = // "Pattern{Constant('SSH: Device failed to send initialization string to client at '), Field(saddr,false)}" -match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ +var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ dup19, dup2, dup3, @@ -13971,22 +12597,20 @@ match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send in dup5, ])); -var msg629 = msg("00034:40", part1050); +var msg629 = msg("00034:40", part1045); -var part1051 = // "Pattern{Constant('SCP: Admin user ''), Field(administrator,false), Constant('' attempted to transfer file '), Field(p0,false)}" -match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}"); +var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}"); -var part1052 = // "Pattern{Constant('the device with insufficient privilege.'), Field(,false)}" -match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); +var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); -var all219 = all_match({ +var all214 = all_match({ processors: [ - part1051, - dup376, - part1052, + part1046, + dup373, + part1047, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -13994,21 +12618,19 @@ var all219 = all_match({ ]), }); -var msg630 = msg("00034:41", all219); +var msg630 = msg("00034:41", all214); -var part1053 = // "Pattern{Constant('SSH: Maximum number of SSH sessions ('), Field(fld2,false), Constant(') exceeded. Connection request from SSH user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' denied.')}" -match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ - dup242, +var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg631 = msg("00034:42", part1053); +var msg631 = msg("00034:42", part1048); -var part1054 = // "Pattern{Constant('Ethernet driver ran out of rx bd (port '), Field(network_port,false), Constant(')')}" -match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ +var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ dup19, dup2, dup3, @@ -14016,10 +12638,9 @@ match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx dup5, ])); -var msg632 = msg("00034:43", part1054); +var msg632 = msg("00034:43", part1049); -var part1055 = // "Pattern{Constant('Potential replay attack detected on SSH connection initiated from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ +var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -14027,7 +12648,7 @@ match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack dete dup9, ])); -var msg633 = msg("00034:44", part1055); +var msg633 = msg("00034:44", part1050); var select225 = linear_select([ msg594, @@ -14072,8 +12693,7 @@ var select225 = linear_select([ msg633, ]); -var part1056 = // "Pattern{Constant('PKI Verify Error: '), Field(resultcode,false), Constant(':'), Field(result,false)}" -match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ +var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ dup117, dup2, dup3, @@ -14081,10 +12701,9 @@ match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}: dup5, ])); -var msg634 = msg("00035", part1056); +var msg634 = msg("00035", part1051); -var part1057 = // "Pattern{Constant('SSL - Error MessageID in incoming mail - '), Field(fld2,false)}" -match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ +var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ dup117, dup2, dup3, @@ -14092,10 +12711,9 @@ match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in inco dup5, ])); -var msg635 = msg("00035:01", part1057); +var msg635 = msg("00035:01", part1052); -var part1058 = // "Pattern{Constant('SSL - cipher type '), Field(fld2,true), Constant(' is not allowed in export or firewall only system')}" -match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ +var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ dup117, dup2, dup3, @@ -14103,10 +12721,9 @@ match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} i dup5, ])); -var msg636 = msg("00035:02", part1058); +var msg636 = msg("00035:02", part1053); -var part1059 = // "Pattern{Constant('SSL CA changed'), Field(,false)}" -match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ +var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ dup1, dup2, dup3, @@ -14114,34 +12731,29 @@ match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor dup5, ])); -var msg637 = msg("00035:03", part1059); +var msg637 = msg("00035:03", part1054); -var part1060 = // "Pattern{Constant('SSL Error when retrieve local c'), Field(p0,false)}" -match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); +var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); -var part1061 = // "Pattern{Constant('a(verify) '), Field(p0,false)}" -match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); +var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); -var part1062 = // "Pattern{Constant('ert(verify) '), Field(p0,false)}" -match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); +var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); -var part1063 = // "Pattern{Constant('ert(all) '), Field(p0,false)}" -match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); +var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); var select226 = linear_select([ - part1061, - part1062, - part1063, + part1056, + part1057, + part1058, ]); -var part1064 = // "Pattern{Constant(': '), Field(fld2,false)}" -match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); +var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); -var all220 = all_match({ +var all215 = all_match({ processors: [ - part1060, + part1055, select226, - part1064, + part1059, ], on_success: processor_chain([ dup117, @@ -14152,10 +12764,9 @@ var all220 = all_match({ ]), }); -var msg638 = msg("00035:04", all220); +var msg638 = msg("00035:04", all215); -var part1065 = // "Pattern{Constant('SSL No ssl context. Not ready for connections.'), Field(,false)}" -match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([ +var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([ dup117, dup2, dup3, @@ -14163,19 +12774,17 @@ match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready dup5, ])); -var msg639 = msg("00035:05", part1065); +var msg639 = msg("00035:05", part1060); -var part1066 = // "Pattern{Constant('SSL c'), Field(p0,false)}" -match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); +var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); -var part1067 = // "Pattern{Constant('changed to none'), Field(,false)}" -match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); +var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); -var all221 = all_match({ +var all216 = all_match({ processors: [ - part1066, - dup391, - part1067, + part1061, + dup388, + part1062, ], on_success: processor_chain([ dup1, @@ -14186,10 +12795,9 @@ var all221 = all_match({ ]), }); -var msg640 = msg("00035:06", all221); +var msg640 = msg("00035:06", all216); -var part1068 = // "Pattern{Constant('SSL cert subject mismatch: '), Field(fld2,true), Constant(' recieved '), Field(fld3,true), Constant(' is expected')}" -match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ +var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ dup19, dup2, dup3, @@ -14197,10 +12805,9 @@ match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{ dup5, ])); -var msg641 = msg("00035:07", part1068); +var msg641 = msg("00035:07", part1063); -var part1069 = // "Pattern{Constant('SSL certificate changed'), Field(,false)}" -match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ +var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ dup1, dup2, dup3, @@ -14208,19 +12815,18 @@ match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", dup5, ])); -var msg642 = msg("00035:08", part1069); +var msg642 = msg("00035:08", part1064); -var part1070 = // "Pattern{Constant('enabled'), Field(,false)}" -match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); +var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); var select227 = linear_select([ - part1070, + part1065, dup92, ]); -var all222 = all_match({ +var all217 = all_match({ processors: [ - dup255, + dup253, select227, ], on_success: processor_chain([ @@ -14232,29 +12838,26 @@ var all222 = all_match({ ]), }); -var msg643 = msg("00035:09", all222); +var msg643 = msg("00035:09", all217); -var part1071 = // "Pattern{Constant('SSL memory allocation fails in process_c'), Field(p0,false)}" -match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); +var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); -var part1072 = // "Pattern{Constant('a()'), Field(,false)}" -match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); +var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); -var part1073 = // "Pattern{Constant('ert()'), Field(,false)}" -match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); +var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); var select228 = linear_select([ - part1072, - part1073, + part1067, + part1068, ]); -var all223 = all_match({ +var all218 = all_match({ processors: [ - part1071, + part1066, select228, ], on_success: processor_chain([ - dup186, + dup184, dup2, dup3, dup4, @@ -14262,25 +12865,22 @@ var all223 = all_match({ ]), }); -var msg644 = msg("00035:10", all223); +var msg644 = msg("00035:10", all218); -var part1074 = // "Pattern{Constant('SSL no ssl c'), Field(p0,false)}" -match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); +var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); -var part1075 = // "Pattern{Constant('a'), Field(,false)}" -match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); +var part1070 = match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); -var part1076 = // "Pattern{Constant('ert'), Field(,false)}" -match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); +var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); var select229 = linear_select([ - part1075, - part1076, + part1070, + part1071, ]); -var all224 = all_match({ +var all219 = all_match({ processors: [ - part1074, + part1069, select229, ], on_success: processor_chain([ @@ -14292,19 +12892,17 @@ var all224 = all_match({ ]), }); -var msg645 = msg("00035:11", all224); +var msg645 = msg("00035:11", all219); -var part1077 = // "Pattern{Constant('SSL set c'), Field(p0,false)}" -match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); +var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); -var part1078 = // "Pattern{Constant('id is invalid '), Field(fld2,false)}" -match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); +var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); -var all225 = all_match({ +var all220 = all_match({ processors: [ - part1077, - dup391, - part1078, + part1072, + dup388, + part1073, ], on_success: processor_chain([ dup19, @@ -14315,24 +12913,22 @@ var all225 = all_match({ ]), }); -var msg646 = msg("00035:12", all225); +var msg646 = msg("00035:12", all220); -var part1079 = // "Pattern{Constant('verify '), Field(p0,false)}" -match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); +var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); var select230 = linear_select([ dup101, - part1079, + part1074, ]); -var part1080 = // "Pattern{Constant('cert failed. Key type is not RSA'), Field(,false)}" -match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}"); +var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}"); -var all226 = all_match({ +var all221 = all_match({ processors: [ - dup255, + dup253, select230, - part1080, + part1075, ], on_success: processor_chain([ dup19, @@ -14343,10 +12939,9 @@ var all226 = all_match({ ]), }); -var msg647 = msg("00035:13", all226); +var msg647 = msg("00035:13", all221); -var part1081 = // "Pattern{Constant('SSL ssl context init failed'), Field(,false)}" -match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ +var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ dup19, dup2, dup3, @@ -14354,29 +12949,26 @@ match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{ dup5, ])); -var msg648 = msg("00035:14", part1081); +var msg648 = msg("00035:14", part1076); -var part1082 = // "Pattern{Field(change_attribute,true), Constant(' has been changed '), Field(p0,false)}" -match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); +var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); -var part1083 = // "Pattern{Constant('from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); +var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); -var part1084 = // "Pattern{Constant('to '), Field(fld2,false)}" -match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); +var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); var select231 = linear_select([ - part1083, - part1084, + part1078, + part1079, ]); -var all227 = all_match({ +var all222 = all_match({ processors: [ - part1082, + part1077, select231, ], on_success: processor_chain([ - dup186, + dup184, dup2, dup3, dup4, @@ -14384,10 +12976,9 @@ var all227 = all_match({ ]), }); -var msg649 = msg("00035:15", all227); +var msg649 = msg("00035:15", all222); -var part1085 = // "Pattern{Constant('web SSL certificate changed to by '), Field(username,true), Constant(' via web from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(fld5,false)}" -match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ +var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ dup1, dup2, dup3, @@ -14395,7 +12986,7 @@ match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed t dup5, ])); -var msg650 = msg("00035:16", part1085); +var msg650 = msg("00035:16", part1080); var select232 = linear_select([ msg634, @@ -14417,39 +13008,35 @@ var select232 = linear_select([ msg650, ]); -var part1086 = // "Pattern{Constant('An optional ScreenOS feature has been activated via a software key'), Field(,false)}" -match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ - dup211, +var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg651 = msg("00036", part1086); +var msg651 = msg("00036", part1081); -var part1087 = // "Pattern{Field(fld2,true), Constant(' license keys were updated successfully by '), Field(p0,false)}" -match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); +var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); -var part1088 = // "Pattern{Constant('manual '), Field(p0,false)}" -match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); +var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); var select233 = linear_select([ - dup216, - part1088, + dup214, + part1083, ]); -var part1089 = // "Pattern{Constant('retrieval'), Field(,false)}" -match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); +var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); -var all228 = all_match({ +var all223 = all_match({ processors: [ - part1087, + part1082, select233, - part1089, + part1084, ], on_success: processor_chain([ - dup256, + dup254, dup2, dup3, dup4, @@ -14457,30 +13044,27 @@ var all228 = all_match({ ]), }); -var msg652 = msg("00036:01", all228); +var msg652 = msg("00036:01", all223); var select234 = linear_select([ msg651, msg652, ]); -var part1090 = // "Pattern{Constant('Intra-zone block for zone '), Field(zone,true), Constant(' was set to o'), Field(p0,false)}" -match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); +var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); -var part1091 = // "Pattern{Constant('n'), Field(,false)}" -match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); +var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); -var part1092 = // "Pattern{Constant('ff'), Field(,false)}" -match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); +var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); var select235 = linear_select([ - part1091, - part1092, + part1086, + part1087, ]); -var all229 = all_match({ +var all224 = all_match({ processors: [ - part1090, + part1085, select235, ], on_success: processor_chain([ @@ -14492,25 +13076,23 @@ var all229 = all_match({ ]), }); -var msg653 = msg("00037", all229); +var msg653 = msg("00037", all224); -var part1093 = // "Pattern{Constant('New zone '), Field(zone,true), Constant(' ( '), Field(p0,false)}" -match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); +var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); var select236 = linear_select([ - dup257, - dup258, + dup255, + dup256, ]); -var part1094 = // "Pattern{Constant(''), Field(fld2,false), Constant(') was created.'), Field(p0,false)}" -match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); +var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); -var all230 = all_match({ +var all225 = all_match({ processors: [ - part1093, + part1088, select236, - part1094, - dup353, + part1089, + dup351, ], on_success: processor_chain([ dup1, @@ -14522,10 +13104,9 @@ var all230 = all_match({ ]), }); -var msg654 = msg("00037:01", all230); +var msg654 = msg("00037:01", all225); -var part1095 = // "Pattern{Constant('Tunnel zone '), Field(src_zone,true), Constant(' was bound to out zone '), Field(dst_zone,false), Constant('.')}" -match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ +var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ dup1, dup2, dup3, @@ -14533,39 +13114,34 @@ match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was dup5, ])); -var msg655 = msg("00037:02", part1095); +var msg655 = msg("00037:02", part1090); -var part1096 = // "Pattern{Constant('was was '), Field(p0,false)}" -match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); +var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); -var part1097 = // "Pattern{Field(zone,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); +var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); var select237 = linear_select([ - part1096, - part1097, + part1091, + part1092, ]); -var part1098 = // "Pattern{Constant('virtual router '), Field(p0,false)}" -match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}"); +var part1093 = match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}"); -var part1099 = // "Pattern{Field(node,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); +var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); -var part1100 = // "Pattern{Field(node,false), Constant('.')}" -match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); +var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); var select238 = linear_select([ - part1099, - part1100, + part1094, + part1095, ]); -var all231 = all_match({ +var all226 = all_match({ processors: [ dup113, select237, - dup374, - part1098, + dup371, + part1093, select238, ], on_success: processor_chain([ @@ -14578,10 +13154,9 @@ var all231 = all_match({ ]), }); -var msg656 = msg("00037:03", all231); +var msg656 = msg("00037:03", all226); -var part1101 = // "Pattern{Constant('Zone '), Field(zone,true), Constant(' was changed to non-shared.')}" -match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ +var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ dup1, dup2, dup3, @@ -14589,32 +13164,29 @@ match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to dup5, ])); -var msg657 = msg("00037:04", part1101); +var msg657 = msg("00037:04", part1096); -var part1102 = // "Pattern{Constant('Zone '), Field(zone,true), Constant(' ( '), Field(p0,false)}" -match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); +var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); var select239 = linear_select([ - dup258, - dup257, + dup256, + dup255, ]); -var part1103 = // "Pattern{Constant(''), Field(fld2,false), Constant(') was deleted. '), Field(p0,false)}" -match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); +var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); -var part1104 = // "Pattern{Field(space,false)}" -match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); +var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); var select240 = linear_select([ dup10, - part1104, + part1099, ]); -var all232 = all_match({ +var all227 = all_match({ processors: [ - part1102, + part1097, select239, - part1103, + part1098, select240, ], on_success: processor_chain([ @@ -14627,10 +13199,9 @@ var all232 = all_match({ ]), }); -var msg658 = msg("00037:05", all232); +var msg658 = msg("00037:05", all227); -var part1105 = // "Pattern{Constant('IP/TCP reassembly for ALG was '), Field(disposition,true), Constant(' on zone '), Field(zone,false), Constant('.')}" -match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ +var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -14638,7 +13209,7 @@ match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was dup5, ])); -var msg659 = msg("00037:06", part1105); +var msg659 = msg("00037:06", part1100); var select241 = linear_select([ msg653, @@ -14650,23 +13221,20 @@ var select241 = linear_select([ msg659, ]); -var part1106 = // "Pattern{Constant('OSPF routing instance in vrouter '), Field(p0,false)}" -match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); +var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); -var part1107 = // "Pattern{Field(node,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); +var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); -var part1108 = // "Pattern{Field(node,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}"); +var part1103 = match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}"); var select242 = linear_select([ - part1107, - part1108, + part1102, + part1103, ]); -var all233 = all_match({ +var all228 = all_match({ processors: [ - part1106, + part1101, select242, dup36, ], @@ -14679,10 +13247,9 @@ var all233 = all_match({ ]), }); -var msg660 = msg("00038", all233); +var msg660 = msg("00038", all228); -var part1109 = // "Pattern{Constant('BGP instance name created for vr '), Field(node,false)}" -match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ +var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ dup1, dup2, dup3, @@ -14690,26 +13257,23 @@ match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr dup5, ])); -var msg661 = msg("00039", part1109); +var msg661 = msg("00039", part1104); -var part1110 = // "Pattern{Constant('Low watermark'), Field(p0,false)}" -match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); +var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); -var part1111 = // "Pattern{Constant('High watermark'), Field(p0,false)}" -match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); +var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); var select243 = linear_select([ - part1110, - part1111, + part1105, + part1106, ]); -var part1112 = // "Pattern{Field(,false), Constant('for early aging has been changed to the default '), Field(fld2,false)}" -match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); +var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); -var all234 = all_match({ +var all229 = all_match({ processors: [ select243, - part1112, + part1107, ], on_success: processor_chain([ dup1, @@ -14720,10 +13284,9 @@ var all234 = all_match({ ]), }); -var msg662 = msg("00040", all234); +var msg662 = msg("00040", all229); -var part1113 = // "Pattern{Constant('VPN ''), Field(group,false), Constant('' from '), Field(daddr,true), Constant(' is '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ +var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -14732,15 +13295,14 @@ match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr-> dup5, ])); -var msg663 = msg("00040:01", part1113); +var msg663 = msg("00040:01", part1108); var select244 = linear_select([ msg662, msg663, ]); -var part1114 = // "Pattern{Constant('A route-map name in virtual router '), Field(node,true), Constant(' has been removed')}" -match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ +var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ dup1, dup2, dup3, @@ -14748,10 +13310,9 @@ match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual rout dup5, ])); -var msg664 = msg("00041", part1114); +var msg664 = msg("00041", part1109); -var part1115 = // "Pattern{Constant('VPN ''), Field(group,false), Constant('' from '), Field(daddr,true), Constant(' is '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ +var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -14760,15 +13321,14 @@ match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr-> dup5, ])); -var msg665 = msg("00041:01", part1115); +var msg665 = msg("00041:01", part1110); var select245 = linear_select([ msg664, msg665, ]); -var part1116 = // "Pattern{Constant('Replay packet detected on IPSec tunnel on '), Field(interface,true), Constant(' with tunnel ID '), Field(fld2,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,false), Constant(', '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ +var part1111 = match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -14777,10 +13337,9 @@ match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec dup5, ])); -var msg666 = msg("00042", part1116); +var msg666 = msg("00042", part1111); -var part1117 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -14791,15 +13350,14 @@ match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} dup60, ])); -var msg667 = msg("00042:01", part1117); +var msg667 = msg("00042:01", part1112); var select246 = linear_select([ msg666, msg667, ]); -var part1118 = // "Pattern{Constant('Receive StopCCN_msg, remove l2tp tunnel ('), Field(fld2,false), Constant('-'), Field(fld3,false), Constant('), Result code '), Field(resultcode,true), Constant(' ('), Field(result,false), Constant('). ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ +var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -14808,27 +13366,24 @@ match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp dup5, ])); -var msg668 = msg("00043", part1118); +var msg668 = msg("00043", part1113); -var part1119 = // "Pattern{Constant('access list '), Field(listnum,true), Constant(' sequence number '), Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); +var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); -var part1120 = // "Pattern{Constant('deny '), Field(p0,false)}" -match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); +var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); var select247 = linear_select([ - dup259, - part1120, + dup257, + part1115, ]); -var part1121 = // "Pattern{Constant('ip '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' '), Field(disposition,true), Constant(' in vrouter '), Field(node,false)}" -match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); +var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); -var all235 = all_match({ +var all230 = all_match({ processors: [ - part1119, + part1114, select247, - part1121, + part1116, ], on_success: processor_chain([ dup1, @@ -14839,10 +13394,9 @@ var all235 = all_match({ ]), }); -var msg669 = msg("00044", all235); +var msg669 = msg("00044", all230); -var part1122 = // "Pattern{Constant('access list '), Field(listnum,true), Constant(' '), Field(disposition,true), Constant(' in vrouter '), Field(node,false), Constant('.')}" -match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ +var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ dup1, dup2, dup3, @@ -14850,15 +13404,14 @@ match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{di dup5, ])); -var msg670 = msg("00044:01", part1122); +var msg670 = msg("00044:01", part1117); var select248 = linear_select([ msg669, msg670, ]); -var part1123 = // "Pattern{Constant('RIP instance in virtual router '), Field(node,true), Constant(' was '), Field(disposition,false), Constant('.')}" -match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ +var part1118 = match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -14866,27 +13419,24 @@ match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router % dup5, ])); -var msg671 = msg("00045", part1123); +var msg671 = msg("00045", part1118); -var part1124 = // "Pattern{Constant('remove '), Field(p0,false)}" -match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); +var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); -var part1125 = // "Pattern{Constant('add '), Field(p0,false)}" -match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); +var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); var select249 = linear_select([ - part1124, - part1125, + part1119, + part1120, ]); -var part1126 = // "Pattern{Constant('multicast policy from '), Field(src_zone,true), Constant(' '), Field(fld4,true), Constant(' to '), Field(dst_zone,true), Constant(' '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); +var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); -var all236 = all_match({ +var all231 = all_match({ processors: [ - dup185, + dup183, select249, - part1126, + part1121, ], on_success: processor_chain([ dup1, @@ -14898,79 +13448,68 @@ var all236 = all_match({ ]), }); -var msg672 = msg("00047", all236); +var msg672 = msg("00047", all231); -var part1127 = // "Pattern{Constant('Access list entry '), Field(listnum,true), Constant(' with '), Field(p0,false)}" -match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); +var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); -var part1128 = // "Pattern{Constant('a sequence '), Field(p0,false)}" -match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); +var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); -var part1129 = // "Pattern{Constant('sequence '), Field(p0,false)}" -match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); +var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); var select250 = linear_select([ - part1128, - part1129, + part1123, + part1124, ]); -var part1130 = // "Pattern{Constant('number '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); +var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); -var part1131 = // "Pattern{Constant('with an action of '), Field(p0,false)}" -match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); +var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); var select251 = linear_select([ - part1131, + part1126, dup112, ]); -var part1132 = // "Pattern{Constant('with an IP '), Field(p0,false)}" -match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); +var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); var select252 = linear_select([ - part1132, + part1127, dup139, ]); -var part1133 = // "Pattern{Constant('address '), Field(p0,false)}" -match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); +var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); -var part1134 = // "Pattern{Constant('and subnetwork mask of '), Field(p0,false)}" -match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); +var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); var select253 = linear_select([ - part1134, + part1129, dup16, ]); -var part1135 = // "Pattern{Field(,true), Constant(' '), Field(fld3,false), Constant('was '), Field(p0,false)}" -match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); +var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); -var part1136 = // "Pattern{Constant('created on '), Field(p0,false)}" -match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); +var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); var select254 = linear_select([ - part1136, + part1131, dup129, ]); -var part1137 = // "Pattern{Constant('virtual router '), Field(node,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); +var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); -var all237 = all_match({ +var all232 = all_match({ processors: [ - part1127, + part1122, select250, - part1130, + part1125, select251, - dup259, + dup257, select252, - part1133, + part1128, select253, - part1135, + part1130, select254, - part1137, + part1132, ], on_success: processor_chain([ setc("eventcategory","1501000000"), @@ -14982,43 +13521,37 @@ var all237 = all_match({ ]), }); -var msg673 = msg("00048", all237); +var msg673 = msg("00048", all232); -var part1138 = // "Pattern{Constant('Route '), Field(p0,false)}" -match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); +var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); -var part1139 = // "Pattern{Constant('map entry '), Field(p0,false)}" -match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); +var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); -var part1140 = // "Pattern{Constant('entry '), Field(p0,false)}" -match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); +var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); var select255 = linear_select([ - part1139, - part1140, + part1134, + part1135, ]); -var part1141 = // "Pattern{Constant('with sequence number '), Field(fld2,true), Constant(' in route map binck-ospf'), Field(p0,false)}" -match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); +var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); -var part1142 = // "Pattern{Constant(' in '), Field(p0,false)}" -match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); +var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); var select256 = linear_select([ - part1142, + part1137, dup105, ]); -var part1143 = // "Pattern{Constant('virtual router '), Field(node,true), Constant(' was '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); +var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); -var all238 = all_match({ +var all233 = all_match({ processors: [ - part1138, + part1133, select255, - part1141, + part1136, select256, - part1143, + part1138, ], on_success: processor_chain([ dup1, @@ -15030,11 +13563,10 @@ var all238 = all_match({ ]), }); -var msg674 = msg("00048:01", all238); +var msg674 = msg("00048:01", all233); -var part1144 = // "Pattern{Field(space,false), Constant('set match interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ - dup211, +var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ + dup209, dup2, dup3, dup9, @@ -15042,7 +13574,7 @@ match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface % dup5, ])); -var msg675 = msg("00048:02", part1144); +var msg675 = msg("00048:02", part1139); var select257 = linear_select([ msg673, @@ -15050,8 +13582,7 @@ var select257 = linear_select([ msg675, ]); -var part1145 = // "Pattern{Constant('Route-lookup preference changed to '), Field(fld8,true), Constant(' ('), Field(fld2,false), Constant(') => '), Field(fld3,true), Constant(' ('), Field(fld4,false), Constant(') => '), Field(fld5,true), Constant(' ('), Field(fld6,false), Constant(') in virtual router ('), Field(node,false), Constant(')')}" -match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ +var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ dup1, dup2, dup3, @@ -15059,10 +13590,9 @@ match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed dup5, ])); -var msg676 = msg("00049", part1145); +var msg676 = msg("00049", part1140); -var part1146 = // "Pattern{Constant('SIBR routing '), Field(disposition,true), Constant(' in virtual router '), Field(node,false)}" -match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ +var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ dup1, dup2, dup3, @@ -15070,10 +13600,9 @@ match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} dup5, ])); -var msg677 = msg("00049:01", part1146); +var msg677 = msg("00049:01", part1141); -var part1147 = // "Pattern{Constant('A virtual router with name '), Field(node,true), Constant(' and ID '), Field(fld2,true), Constant(' has been removed')}" -match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ +var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ dup1, dup2, dup3, @@ -15081,10 +13610,9 @@ match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{ dup5, ])); -var msg678 = msg("00049:02", part1147); +var msg678 = msg("00049:02", part1142); -var part1148 = // "Pattern{Constant('The router-id of virtual router "'), Field(node,false), Constant('" used by OSPF, BGP routing instances id has been uninitialized. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ +var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15092,10 +13620,9 @@ match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual rout dup5, ])); -var msg679 = msg("00049:03", part1148); +var msg679 = msg("00049:03", part1143); -var part1149 = // "Pattern{Constant('The system default-route through virtual router "'), Field(node,false), Constant('" has been added in virtual router "'), Field(fld4,false), Constant('" ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ +var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15103,10 +13630,9 @@ match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route thro dup5, ])); -var msg680 = msg("00049:04", part1149); +var msg680 = msg("00049:04", part1144); -var part1150 = // "Pattern{Constant('Subnetwork conflict checking for interfaces in virtual router ('), Field(node,false), Constant(') has been enabled. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([ +var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15114,7 +13640,7 @@ match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking dup5, ])); -var msg681 = msg("00049:05", part1150); +var msg681 = msg("00049:05", part1145); var select258 = linear_select([ msg676, @@ -15125,8 +13651,7 @@ var select258 = linear_select([ msg681, ]); -var part1151 = // "Pattern{Constant('Track IP enabled ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ +var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15135,10 +13660,9 @@ match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", pro dup5, ])); -var msg682 = msg("00050", part1151); +var msg682 = msg("00050", part1146); -var part1152 = // "Pattern{Constant('Session utilization has reached '), Field(fld2,false), Constant(', which is '), Field(fld3,true), Constant(' of the system capacity!')}" -match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ +var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ dup117, dup2, dup3, @@ -15146,10 +13670,9 @@ match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached dup5, ])); -var msg683 = msg("00051", part1152); +var msg683 = msg("00051", part1147); -var part1153 = // "Pattern{Constant('AV: Suspicious client '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' used '), Field(fld2,true), Constant(' percent of AV resources, which exceeded the max of '), Field(fld3,true), Constant(' percent.')}" -match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ +var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ dup117, dup2, dup3, @@ -15157,24 +13680,22 @@ match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:% dup5, ])); -var msg684 = msg("00052", part1153); +var msg684 = msg("00052", part1148); -var part1154 = // "Pattern{Constant('router '), Field(p0,false)}" -match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); +var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); var select259 = linear_select([ - dup171, - part1154, + dup169, + part1149, ]); -var part1155 = // "Pattern{Constant('instance was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); +var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); -var all239 = all_match({ +var all234 = all_match({ processors: [ - dup260, + dup258, select259, - part1155, + part1150, ], on_success: processor_chain([ dup1, @@ -15185,27 +13706,24 @@ var all239 = all_match({ ]), }); -var msg685 = msg("00055", all239); +var msg685 = msg("00055", all234); -var part1156 = // "Pattern{Constant('proxy '), Field(p0,false)}" -match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); +var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); -var part1157 = // "Pattern{Constant('function '), Field(p0,false)}" -match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); +var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); var select260 = linear_select([ - part1156, - part1157, + part1151, + part1152, ]); -var part1158 = // "Pattern{Constant('was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); +var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); -var all240 = all_match({ +var all235 = all_match({ processors: [ - dup260, + dup258, select260, - part1158, + part1153, ], on_success: processor_chain([ dup1, @@ -15216,16 +13734,15 @@ var all240 = all_match({ ]), }); -var msg686 = msg("00055:01", all240); +var msg686 = msg("00055:01", all235); -var part1159 = // "Pattern{Constant('same subnet check on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); +var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); -var all241 = all_match({ +var all236 = all_match({ processors: [ - dup261, - dup392, - part1159, + dup259, + dup389, + part1154, ], on_success: processor_chain([ dup19, @@ -15236,16 +13753,15 @@ var all241 = all_match({ ]), }); -var msg687 = msg("00055:02", all241); +var msg687 = msg("00055:02", all236); -var part1160 = // "Pattern{Constant('router alert IP option check on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); +var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); -var all242 = all_match({ +var all237 = all_match({ processors: [ - dup261, - dup392, - part1160, + dup259, + dup389, + part1155, ], on_success: processor_chain([ dup44, @@ -15256,10 +13772,9 @@ var all242 = all_match({ ]), }); -var msg688 = msg("00055:03", all242); +var msg688 = msg("00055:03", all237); -var part1161 = // "Pattern{Constant('IGMP version was changed to '), Field(version,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ +var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ dup1, dup2, dup3, @@ -15267,27 +13782,24 @@ match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to % dup5, ])); -var msg689 = msg("00055:04", part1161); +var msg689 = msg("00055:04", part1156); -var part1162 = // "Pattern{Constant('IGMP query '), Field(p0,false)}" -match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); +var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); -var part1163 = // "Pattern{Constant('max response time '), Field(p0,false)}" -match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); +var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); var select261 = linear_select([ dup110, - part1163, + part1158, ]); -var part1164 = // "Pattern{Constant('was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false)}" -match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); +var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); -var all243 = all_match({ +var all238 = all_match({ processors: [ - part1162, + part1157, select261, - part1164, + part1159, ], on_success: processor_chain([ dup1, @@ -15298,30 +13810,26 @@ var all243 = all_match({ ]), }); -var msg690 = msg("00055:05", all243); +var msg690 = msg("00055:05", all238); -var part1165 = // "Pattern{Constant('IGMP l'), Field(p0,false)}" -match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); +var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); -var part1166 = // "Pattern{Constant('eave '), Field(p0,false)}" -match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); +var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); -var part1167 = // "Pattern{Constant('ast member query '), Field(p0,false)}" -match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); +var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); var select262 = linear_select([ - part1166, - part1167, + part1161, + part1162, ]); -var part1168 = // "Pattern{Constant('interval was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}."); +var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}."); -var all244 = all_match({ +var all239 = all_match({ processors: [ - part1165, + part1160, select262, - part1168, + part1163, ], on_success: processor_chain([ dup1, @@ -15332,31 +13840,27 @@ var all244 = all_match({ ]), }); -var msg691 = msg("00055:06", all244); +var msg691 = msg("00055:06", all239); -var part1169 = // "Pattern{Constant('routers '), Field(p0,false)}" -match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); +var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); -var part1170 = // "Pattern{Constant('hosts '), Field(p0,false)}" -match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); +var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); -var part1171 = // "Pattern{Constant('groups '), Field(p0,false)}" -match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); +var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); var select263 = linear_select([ - part1169, - part1170, - part1171, + part1164, + part1165, + part1166, ]); -var part1172 = // "Pattern{Constant('accept list ID was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); +var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); -var all245 = all_match({ +var all240 = all_match({ processors: [ - dup260, + dup258, select263, - part1172, + part1167, ], on_success: processor_chain([ dup1, @@ -15367,27 +13871,24 @@ var all245 = all_match({ ]), }); -var msg692 = msg("00055:07", all245); +var msg692 = msg("00055:07", all240); -var part1173 = // "Pattern{Constant('all groups '), Field(p0,false)}" -match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); +var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); -var part1174 = // "Pattern{Constant('group '), Field(p0,false)}" -match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); +var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); var select264 = linear_select([ - part1173, - part1174, + part1168, + part1169, ]); -var part1175 = // "Pattern{Constant(''), Field(group,true), Constant(' static flag was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); +var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); -var all246 = all_match({ +var all241 = all_match({ processors: [ - dup260, + dup258, select264, - part1175, + part1170, ], on_success: processor_chain([ dup1, @@ -15398,29 +13899,27 @@ var all246 = all_match({ ]), }); -var msg693 = msg("00055:08", all246); +var msg693 = msg("00055:08", all241); -var part1176 = // "Pattern{Constant('IGMP static group '), Field(group,true), Constant(' was added on interface '), Field(interface,false)}" -match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ - dup211, +var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg694 = msg("00055:09", part1176); +var msg694 = msg("00055:09", part1171); -var part1177 = // "Pattern{Constant('IGMP proxy always is '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" -match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ - dup211, +var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg695 = msg("00055:10", part1177); +var msg695 = msg("00055:10", part1172); var select265 = linear_select([ msg685, @@ -15436,8 +13935,7 @@ var select265 = linear_select([ msg695, ]); -var part1178 = // "Pattern{Constant('Remove multicast policy from '), Field(src_zone,true), Constant(' '), Field(saddr,true), Constant(' to '), Field(dst_zone,true), Constant(' '), Field(daddr,false)}" -match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ +var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ dup1, dup2, dup3, @@ -15445,10 +13943,9 @@ match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{s dup5, ])); -var msg696 = msg("00056", part1178); +var msg696 = msg("00056", part1173); -var part1179 = // "Pattern{Field(fld2,false), Constant(': static multicast route src='), Field(saddr,false), Constant(', grp='), Field(group,true), Constant(' input ifp = '), Field(sinterface,true), Constant(' output ifp = '), Field(dinterface,true), Constant(' added')}" -match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ +var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ dup1, dup2, dup3, @@ -15456,10 +13953,9 @@ match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route dup5, ])); -var msg697 = msg("00057", part1179); +var msg697 = msg("00057", part1174); -var part1180 = // "Pattern{Constant('PIMSM protocol configured on interface '), Field(interface,false)}" -match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ +var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ dup19, dup2, dup3, @@ -15467,29 +13963,27 @@ match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on int dup5, ])); -var msg698 = msg("00058", part1180); +var msg698 = msg("00058", part1175); -var part1181 = // "Pattern{Constant('DDNS module is '), Field(p0,false)}" -match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); +var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); -var part1182 = // "Pattern{Constant('initialized '), Field(p0,false)}" -match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); +var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); var select266 = linear_select([ - part1182, - dup264, + part1177, + dup262, dup157, dup156, ]); -var all247 = all_match({ +var all242 = all_match({ processors: [ - part1181, + part1176, select266, dup116, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15497,33 +13991,29 @@ var all247 = all_match({ ]), }); -var msg699 = msg("00059", all247); +var msg699 = msg("00059", all242); -var part1183 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with server type "'), Field(fld3,false), Constant('" name "'), Field(hostname,false), Constant('" refresh-interval '), Field(fld5,true), Constant(' hours minimum update interval '), Field(fld6,true), Constant(' minutes with '), Field(p0,false)}" -match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); +var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); -var part1184 = // "Pattern{Constant('secure '), Field(p0,false)}" -match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); +var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); -var part1185 = // "Pattern{Constant('clear-text '), Field(p0,false)}" -match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); +var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); var select267 = linear_select([ - part1184, - part1185, + part1179, + part1180, ]); -var part1186 = // "Pattern{Constant('secure connection.'), Field(,false)}" -match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); +var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); -var all248 = all_match({ +var all243 = all_match({ processors: [ - part1183, + part1178, select267, - part1186, + part1181, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15531,59 +14021,52 @@ var all248 = all_match({ ]), }); -var msg700 = msg("00059:02", all248); +var msg700 = msg("00059:02", all243); -var part1187 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with user name "'), Field(username,false), Constant('" agent "'), Field(fld3,false), Constant('"')}" -match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ - dup211, +var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg701 = msg("00059:03", part1187); +var msg701 = msg("00059:03", part1182); -var part1188 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with interface "'), Field(interface,false), Constant('" host-name "'), Field(hostname,false), Constant('"')}" -match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ - dup211, +var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg702 = msg("00059:04", part1188); +var msg702 = msg("00059:04", part1183); -var part1189 = // "Pattern{Constant('Hostname '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); +var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); -var part1190 = // "Pattern{Constant('Source interface '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); +var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); -var part1191 = // "Pattern{Constant('Username and password '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); +var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); -var part1192 = // "Pattern{Constant('Server '), Field(p0,false)}" -match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); +var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); var select268 = linear_select([ - part1189, - part1190, - part1191, - part1192, + part1184, + part1185, + part1186, + part1187, ]); -var part1193 = // "Pattern{Constant('of DDNS entry with id '), Field(fld2,true), Constant(' is cleared.')}" -match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); +var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); -var all249 = all_match({ +var all244 = all_match({ processors: [ select268, - part1193, + part1188, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15591,51 +14074,46 @@ var all249 = all_match({ ]), }); -var msg703 = msg("00059:05", all249); +var msg703 = msg("00059:05", all244); -var part1194 = // "Pattern{Constant('Agent of DDNS entry with id '), Field(fld2,true), Constant(' is reset to its default value.')}" -match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ - dup211, +var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg704 = msg("00059:06", part1194); +var msg704 = msg("00059:06", part1189); -var part1195 = // "Pattern{Constant('Updates for DDNS entry with id '), Field(fld2,true), Constant(' are set to be sent in secure ('), Field(protocol,false), Constant(') mode.')}" -match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ - dup211, +var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg705 = msg("00059:07", part1195); +var msg705 = msg("00059:07", part1190); -var part1196 = // "Pattern{Constant('Refresh '), Field(p0,false)}" -match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); +var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); -var part1197 = // "Pattern{Constant('Minimum update '), Field(p0,false)}" -match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); +var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); var select269 = linear_select([ - part1196, - part1197, + part1191, + part1192, ]); -var part1198 = // "Pattern{Constant('interval of DDNS entry with id '), Field(fld2,true), Constant(' is set to default value ('), Field(fld3,false), Constant(').')}" -match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); +var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); -var all250 = all_match({ +var all245 = all_match({ processors: [ select269, - part1198, + part1193, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15643,43 +14121,38 @@ var all250 = all_match({ ]), }); -var msg706 = msg("00059:08", all250); +var msg706 = msg("00059:08", all245); -var part1199 = // "Pattern{Constant('No-Change '), Field(p0,false)}" -match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); +var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); -var part1200 = // "Pattern{Constant('Error '), Field(p0,false)}" -match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); +var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); var select270 = linear_select([ - part1199, - part1200, + part1194, + part1195, ]); -var part1201 = // "Pattern{Constant('response received for DDNS entry update for id '), Field(fld2,true), Constant(' user "'), Field(username,false), Constant('" domain "'), Field(domain,false), Constant('" server type " d'), Field(p0,false)}" -match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); +var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); -var part1202 = // "Pattern{Constant('yndns '), Field(p0,false)}" -match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); +var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); var select271 = linear_select([ - dup263, - part1202, + dup261, + part1197, ]); -var part1203 = // "Pattern{Constant('", server name "'), Field(hostname,false), Constant('"')}" -match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); +var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); -var all251 = all_match({ +var all246 = all_match({ processors: [ - dup162, + dup160, select270, - part1201, + part1196, select271, - part1203, + part1198, ], on_success: processor_chain([ - dup211, + dup209, dup2, dup3, dup4, @@ -15687,18 +14160,17 @@ var all251 = all_match({ ]), }); -var msg707 = msg("00059:09", all251); +var msg707 = msg("00059:09", all246); -var part1204 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is '), Field(disposition,false), Constant('.')}" -match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ - dup211, +var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg708 = msg("00059:01", part1204); +var msg708 = msg("00059:01", part1199); var select272 = linear_select([ msg699, @@ -15713,8 +14185,7 @@ var select272 = linear_select([ msg708, ]); -var part1205 = // "Pattern{Constant('Track IP IP address '), Field(hostip,true), Constant(' failed. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ +var part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ dup19, dup2, dup3, @@ -15723,10 +14194,9 @@ match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip- setc("event_description","Track IP failed"), ])); -var msg709 = msg("00062:01", part1205); +var msg709 = msg("00062:01", part1200); -var part1206 = // "Pattern{Constant('Track IP failure reached threshold. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ +var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ dup19, dup2, dup3, @@ -15735,10 +14205,9 @@ match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached thre setc("event_description","Track IP failure reached threshold"), ])); -var msg710 = msg("00062:02", part1206); +var msg710 = msg("00062:02", part1201); -var part1207 = // "Pattern{Constant('Track IP IP address '), Field(hostip,true), Constant(' succeeded. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ +var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ dup44, dup2, dup3, @@ -15747,10 +14216,9 @@ match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip- setc("event_description","Track IP succeeded"), ])); -var msg711 = msg("00062:03", part1207); +var msg711 = msg("00062:03", part1202); -var part1208 = // "Pattern{Constant('HA linkdown'), Field(,false)}" -match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ +var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ dup86, dup2, dup3, @@ -15758,7 +14226,7 @@ match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain dup5, ])); -var msg712 = msg("00062", part1208); +var msg712 = msg("00062", part1203); var select273 = linear_select([ msg709, @@ -15767,8 +14235,7 @@ var select273 = linear_select([ msg712, ]); -var part1209 = // "Pattern{Constant('nsrp track-ip ip '), Field(hostip,true), Constant(' '), Field(disposition,false), Constant('!')}" -match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ +var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ dup86, dup2, dup3, @@ -15776,10 +14243,9 @@ match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{d dup5, ])); -var msg713 = msg("00063", part1209); +var msg713 = msg("00063", part1204); -var part1210 = // "Pattern{Constant('Can not create track-ip list'), Field(,false)}" -match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ +var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ dup86, dup2, dup3, @@ -15787,10 +14253,9 @@ match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}" dup5, ])); -var msg714 = msg("00064", part1210); +var msg714 = msg("00064", part1205); -var part1211 = // "Pattern{Constant('track ip fail reaches threshold system may fail over!'), Field(,false)}" -match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ +var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ dup86, dup2, dup3, @@ -15798,10 +14263,9 @@ match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches thresho dup5, ])); -var msg715 = msg("00064:01", part1211); +var msg715 = msg("00064:01", part1206); -var part1212 = // "Pattern{Constant('Anti-Spam is detached from policy ID '), Field(policy_id,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([ +var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([ dup17, dup2, dup3, @@ -15810,7 +14274,7 @@ match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from po dup5, ])); -var msg716 = msg("00064:02", part1212); +var msg716 = msg("00064:02", part1207); var select274 = linear_select([ msg714, @@ -15818,27 +14282,24 @@ var select274 = linear_select([ msg716, ]); -var msg717 = msg("00070", dup414); +var msg717 = msg("00070", dup411); -var part1213 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state from '), Field(fld3,true), Constant(' to '), Field(p0,false)}" -match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); +var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); -var part1214 = // "Pattern{Constant('Init'), Field(,false)}" -match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); +var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); -var part1215 = // "Pattern{Constant('init. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); +var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); var select275 = linear_select([ - part1214, - part1215, + part1209, + part1210, ]); -var all252 = all_match({ +var all247 = all_match({ processors: [ - dup269, - dup394, - part1213, + dup267, + dup391, + part1208, select275, ], on_success: processor_chain([ @@ -15851,10 +14312,9 @@ var all252 = all_match({ ]), }); -var msg718 = msg("00070:01", all252); +var msg718 = msg("00070:01", all247); -var part1216 = // "Pattern{Constant('NSRP: nsrp control channel change to '), Field(interface,false)}" -match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ +var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ dup1, dup2, dup3, @@ -15862,7 +14322,7 @@ match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel ch dup5, ])); -var msg719 = msg("00070:02", part1216); +var msg719 = msg("00070:02", part1211); var select276 = linear_select([ msg717, @@ -15870,10 +14330,9 @@ var select276 = linear_select([ msg719, ]); -var msg720 = msg("00071", dup414); +var msg720 = msg("00071", dup411); -var part1217 = // "Pattern{Constant('The local device '), Field(fld1,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed state')}" -match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ +var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ dup1, dup2, dup3, @@ -15881,38 +14340,38 @@ match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in dup5, ])); -var msg721 = msg("00071:01", part1217); +var msg721 = msg("00071:01", part1212); var select277 = linear_select([ msg720, msg721, ]); -var msg722 = msg("00072", dup414); +var msg722 = msg("00072", dup411); -var msg723 = msg("00072:01", dup415); +var msg723 = msg("00072:01", dup412); var select278 = linear_select([ msg722, msg723, ]); -var msg724 = msg("00073", dup414); +var msg724 = msg("00073", dup411); -var msg725 = msg("00073:01", dup415); +var msg725 = msg("00073:01", dup412); var select279 = linear_select([ msg724, msg725, ]); -var msg726 = msg("00074", dup395); +var msg726 = msg("00074", dup392); -var all253 = all_match({ +var all248 = all_match({ processors: [ - dup265, - dup393, - dup273, + dup263, + dup390, + dup271, ], on_success: processor_chain([ dup1, @@ -15923,10 +14382,9 @@ var all253 = all_match({ ]), }); -var msg727 = msg("00075", all253); +var msg727 = msg("00075", all248); -var part1218 = // "Pattern{Constant('The local device '), Field(hardware_id,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed state from '), Field(event_state,true), Constant(' to inoperable. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ +var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -15936,10 +14394,9 @@ match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_i setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), ])); -var msg728 = msg("00075:02", part1218); +var msg728 = msg("00075:02", part1213); -var part1219 = // "Pattern{Constant('The local device '), Field(hardware_id,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ +var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -15947,7 +14404,7 @@ match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_i dup5, ])); -var msg729 = msg("00075:01", part1219); +var msg729 = msg("00075:01", part1214); var select280 = linear_select([ msg727, @@ -15955,16 +14412,15 @@ var select280 = linear_select([ msg729, ]); -var msg730 = msg("00076", dup395); +var msg730 = msg("00076", dup392); -var part1220 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' send 2nd path request to unit='), Field(fld3,false)}" -match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); +var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); -var all254 = all_match({ +var all249 = all_match({ processors: [ - dup265, - dup393, - part1220, + dup263, + dup390, + part1215, ], on_success: processor_chain([ dup44, @@ -15975,15 +14431,14 @@ var all254 = all_match({ ]), }); -var msg731 = msg("00076:01", all254); +var msg731 = msg("00076:01", all249); var select281 = linear_select([ msg730, msg731, ]); -var part1221 = // "Pattern{Constant('HA link disconnect. Begin to use second path of HA'), Field(,false)}" -match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([ +var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([ dup144, dup2, dup3, @@ -15991,13 +14446,13 @@ match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use dup5, ])); -var msg732 = msg("00077", part1221); +var msg732 = msg("00077", part1216); -var all255 = all_match({ +var all250 = all_match({ processors: [ - dup265, - dup393, - dup273, + dup263, + dup390, + dup271, ], on_success: processor_chain([ dup44, @@ -16008,10 +14463,9 @@ var all255 = all_match({ ]), }); -var msg733 = msg("00077:01", all255); +var msg733 = msg("00077:01", all250); -var part1222 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,false)}" -match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ +var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ setc("eventcategory","1607000000"), dup2, dup3, @@ -16019,7 +14473,7 @@ match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in dup5, ])); -var msg734 = msg("00077:02", part1222); +var msg734 = msg("00077:02", part1217); var select282 = linear_select([ msg732, @@ -16027,37 +14481,33 @@ var select282 = linear_select([ msg734, ]); -var part1223 = // "Pattern{Constant('RTSYNC: NSRP route synchronization is '), Field(disposition,false)}" -match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ - dup274, +var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ + dup272, dup2, dup3, dup4, dup5, ])); -var msg735 = msg("00084", part1223); +var msg735 = msg("00084", part1218); -var part1224 = // "Pattern{Constant('Failover '), Field(p0,false)}" -match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); +var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); -var part1225 = // "Pattern{Constant('Recovery '), Field(p0,false)}" -match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); +var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); var select283 = linear_select([ - part1224, - part1225, + part1219, + part1220, ]); -var part1226 = // "Pattern{Constant('untrust interface occurred.'), Field(,false)}" -match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); +var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); -var all256 = all_match({ +var all251 = all_match({ processors: [ select283, dup103, - dup372, - part1226, + dup369, + part1221, ], on_success: processor_chain([ dup44, @@ -16068,10 +14518,9 @@ var all256 = all_match({ ]), }); -var msg736 = msg("00090", all256); +var msg736 = msg("00090", all251); -var part1227 = // "Pattern{Constant('A new route cannot be added to the device because the maximum number of system route entries '), Field(fld2,true), Constant(' has been exceeded')}" -match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ +var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ dup117, dup2, dup3, @@ -16079,10 +14528,9 @@ match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to t dup5, ])); -var msg737 = msg("00200", part1227); +var msg737 = msg("00200", part1222); -var part1228 = // "Pattern{Constant('A route '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' cannot be added to the virtual router '), Field(node,true), Constant(' because the number of route entries in the virtual router exceeds the maximum number of routes '), Field(fld3,true), Constant(' allowed')}" -match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ +var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ dup117, dup2, dup3, @@ -16090,55 +14538,49 @@ match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cann dup5, ])); -var msg738 = msg("00201", part1228); +var msg738 = msg("00201", part1223); -var part1229 = // "Pattern{Field(fld2,true), Constant(' hello-packet flood from neighbor (ip = '), Field(hostip,true), Constant(' router-id = '), Field(fld3,false), Constant(') on interface '), Field(interface,true), Constant(' packet is dropped')}" -match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ - dup274, +var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ + dup272, dup2, dup4, dup5, dup3, ])); -var msg739 = msg("00202", part1229); +var msg739 = msg("00202", part1224); -var part1230 = // "Pattern{Field(fld2,true), Constant(' lsa flood on interface '), Field(interface,true), Constant(' has dropped a packet.')}" -match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ - dup274, +var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ + dup272, dup2, dup4, dup5, dup3, ])); -var msg740 = msg("00203", part1230); +var msg740 = msg("00203", part1225); -var part1231 = // "Pattern{Constant('The total number of redistributed routes into '), Field(p0,false)}" -match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); +var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); -var part1232 = // "Pattern{Constant('BGP '), Field(p0,false)}" -match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); +var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); -var part1233 = // "Pattern{Constant('OSPF '), Field(p0,false)}" -match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); +var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); var select284 = linear_select([ - part1232, - part1233, + part1227, + part1228, ]); -var part1234 = // "Pattern{Constant('in vrouter '), Field(node,true), Constant(' exceeded system limit ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); +var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); -var all257 = all_match({ +var all252 = all_match({ processors: [ - part1231, + part1226, select284, - part1234, + part1229, ], on_success: processor_chain([ - dup274, + dup272, dup2, dup3, dup4, @@ -16146,22 +14588,20 @@ var all257 = all_match({ ]), }); -var msg741 = msg("00206", all257); +var msg741 = msg("00206", all252); -var part1235 = // "Pattern{Constant('LSA flood in OSPF with router-id '), Field(fld2,true), Constant(' on '), Field(p0,false)}" -match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); +var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); -var part1236 = // "Pattern{Constant(''), Field(interface,true), Constant(' forced the interface to drop a packet.')}" -match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); +var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); -var all258 = all_match({ +var all253 = all_match({ processors: [ - part1235, - dup354, - part1236, + part1230, + dup352, + part1231, ], on_success: processor_chain([ - dup275, + dup273, dup2, dup3, dup4, @@ -16169,22 +14609,20 @@ var all258 = all_match({ ]), }); -var msg742 = msg("00206:01", all258); +var msg742 = msg("00206:01", all253); -var part1237 = // "Pattern{Constant('OSPF instance with router-id '), Field(fld3,true), Constant(' received a Hello packet flood from neighbor (IP address '), Field(hostip,false), Constant(', router ID '), Field(fld2,false), Constant(') on '), Field(p0,false)}" -match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); +var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); -var part1238 = // "Pattern{Constant(''), Field(interface,true), Constant(' forcing the interface to drop the packet.')}" -match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); +var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); -var all259 = all_match({ +var all254 = all_match({ processors: [ - part1237, - dup354, - part1238, + part1232, + dup352, + part1233, ], on_success: processor_chain([ - dup275, + dup273, dup2, dup3, dup4, @@ -16192,29 +14630,27 @@ var all259 = all_match({ ]), }); -var msg743 = msg("00206:02", all259); +var msg743 = msg("00206:02", all254); -var part1239 = // "Pattern{Constant('Link State Advertisement Id '), Field(fld2,false), Constant(', router ID '), Field(fld3,false), Constant(', type '), Field(fld4,true), Constant(' cannot be deleted from the real-time database in area '), Field(fld5,false)}" -match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ - dup275, +var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg744 = msg("00206:03", part1239); +var msg744 = msg("00206:03", part1234); -var part1240 = // "Pattern{Constant('Reject second OSPF neighbor ('), Field(fld2,false), Constant(') on interface ('), Field(interface,false), Constant(') since it_s configured as point-to-point interface')}" -match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ - dup275, +var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg745 = msg("00206:04", part1240); +var msg745 = msg("00206:04", part1235); var select285 = linear_select([ msg741, @@ -16224,49 +14660,45 @@ var select285 = linear_select([ msg745, ]); -var part1241 = // "Pattern{Constant('System wide RIP route limit exceeded, RIP route dropped.'), Field(,false)}" -match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ - dup275, +var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg746 = msg("00207", part1241); +var msg746 = msg("00207", part1236); -var part1242 = // "Pattern{Field(fld2,true), Constant(' RIP routes dropped from last system wide RIP route limit exceed.')}" -match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ - dup275, +var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg747 = msg("00207:01", part1242); +var msg747 = msg("00207:01", part1237); -var part1243 = // "Pattern{Constant('RIP database size limit exceeded for '), Field(fld2,false), Constant(', RIP route dropped.')}" -match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ - dup275, +var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg748 = msg("00207:02", part1243); +var msg748 = msg("00207:02", part1238); -var part1244 = // "Pattern{Field(fld2,true), Constant(' RIP routes dropped from the last database size exceed in vr '), Field(fld3,false), Constant('.')}" -match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([ - dup275, +var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([ + dup273, dup2, dup3, dup4, dup5, ])); -var msg749 = msg("00207:03", part1244); +var msg749 = msg("00207:03", part1239); var select286 = linear_select([ msg746, @@ -16275,423 +14707,396 @@ var select286 = linear_select([ msg749, ]); -var part1245 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=outgoing action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" -match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup187, +var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, dup278, - dup279, - dup280, ])); -var msg750 = msg("00257", part1245); +var msg750 = msg("00257", part1240); -var part1246 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=incoming action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,false)}" -match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup187, +var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup279, dup276, dup277, - dup281, - dup278, - dup279, - dup282, + dup280, ])); -var msg751 = msg("00257:14", part1246); +var msg751 = msg("00257:14", part1241); -var part1247 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=outgoing action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" -match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup283, +var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, - dup280, + dup282, + dup278, ])); -var msg752 = msg("00257:01", part1247); +var msg752 = msg("00257:01", part1242); -var part1248 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=incoming action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,false)}" -match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ - dup283, +var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, - dup281, - dup284, + dup274, + dup275, + dup279, dup282, + dup280, ])); -var msg753 = msg("00257:15", part1248); +var msg753 = msg("00257:15", part1243); -var part1249 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, - dup278, - dup279, ])); -var msg754 = msg("00257:02", part1249); +var msg754 = msg("00257:02", part1244); -var part1250 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ])); -var msg755 = msg("00257:03", part1250); +var msg755 = msg("00257:03", part1245); -var part1251 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" -match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ - dup187, +var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, - dup278, - dup279, ])); -var msg756 = msg("00257:04", part1251); +var msg756 = msg("00257:04", part1246); -var part1252 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ - dup283, +var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ])); -var msg757 = msg("00257:05", part1252); +var msg757 = msg("00257:05", part1247); -var part1253 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,true), Constant(' icmp code='), Field(icmpcode,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); +var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); -var all260 = all_match({ +var all255 = all_match({ processors: [ - dup285, - dup396, - part1253, + dup283, + dup393, + part1248, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg758 = msg("00257:19", all260); +var msg758 = msg("00257:19", all255); -var part1254 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); +var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); -var all261 = all_match({ +var all256 = all_match({ processors: [ - dup285, - dup396, - part1254, + dup283, + dup393, + part1249, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg759 = msg("00257:16", all261); +var msg759 = msg("00257:16", all256); -var part1255 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); +var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); -var all262 = all_match({ +var all257 = all_match({ processors: [ - dup285, - dup396, - part1255, + dup283, + dup393, + part1250, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ]), }); -var msg760 = msg("00257:17", all262); +var msg760 = msg("00257:17", all257); -var part1256 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); +var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); -var all263 = all_match({ +var all258 = all_match({ processors: [ - dup285, - dup396, - part1256, + dup283, + dup393, + part1251, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ]), }); -var msg761 = msg("00257:18", all263); +var msg761 = msg("00257:18", all258); -var part1257 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(p0,false)}" -match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); +var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); -var part1258 = // "Pattern{Field(dport,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); +var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); -var part1259 = // "Pattern{Field(dport,false)}" -match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); +var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); var select287 = linear_select([ - part1258, - part1259, + part1253, + part1254, ]); -var all264 = all_match({ +var all259 = all_match({ processors: [ - part1257, + part1252, select287, ], on_success: processor_chain([ - dup187, + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup61, dup276, dup277, - dup61, - dup278, - dup279, ]), }); -var msg762 = msg("00257:06", all264); +var msg762 = msg("00257:06", all259); -var part1260 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup61, - dup284, + dup282, ])); -var msg763 = msg("00257:07", part1260); +var msg763 = msg("00257:07", part1255); -var part1261 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' tcp='), Field(icmptype,false)}" -match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ - dup187, +var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup60, dup276, dup277, - dup60, - dup278, - dup279, ])); -var msg764 = msg("00257:08", part1261); +var msg764 = msg("00257:08", part1256); -var part1262 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(p0,false)}" -match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); +var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); -var part1263 = // "Pattern{Field(icmptype,true), Constant(' icmp code='), Field(icmpcode,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); +var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); -var part1264 = // "Pattern{Field(icmptype,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); +var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); -var part1265 = // "Pattern{Field(icmptype,false)}" -match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); +var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); var select288 = linear_select([ - part1263, - part1264, - part1265, + part1258, + part1259, + part1260, ]); -var all265 = all_match({ +var all260 = all_match({ processors: [ - part1262, + part1257, select288, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg765 = msg("00257:09", all265); +var msg765 = msg("00257:09", all260); -var part1266 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(p0,false)}" -match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); +var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); -var part1267 = // "Pattern{Field(daddr,true), Constant(' session_id='), Field(sessionid,false)}" -match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); +var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); var select289 = linear_select([ - part1267, - dup288, + part1262, + dup286, ]); -var all266 = all_match({ +var all261 = all_match({ processors: [ - part1266, + part1261, select289, ], on_success: processor_chain([ - dup187, + dup185, dup2, dup4, dup5, dup3, + dup274, + dup275, + dup60, dup276, dup277, - dup60, - dup278, - dup279, ]), }); -var msg766 = msg("00257:10", all266); +var msg766 = msg("00257:10", all261); -var part1268 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(p0,false)}" -match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); +var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); -var part1269 = // "Pattern{Field(daddr,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" -match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); +var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); var select290 = linear_select([ - part1269, - dup288, + part1264, + dup286, ]); -var all267 = all_match({ +var all262 = all_match({ processors: [ - part1268, + part1263, select290, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ]), }); -var msg767 = msg("00257:11", all267); +var msg767 = msg("00257:11", all262); -var part1270 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' type='), Field(fld3,false)}" -match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ - dup283, +var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, - dup276, - dup277, + dup274, + dup275, dup60, - dup284, + dup282, ])); -var msg768 = msg("00257:12", part1270); +var msg768 = msg("00257:12", part1265); -var part1271 = // "Pattern{Constant('start_time="'), Field(fld2,false)}" -match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ - dup283, +var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ + dup281, dup2, dup3, - dup276, + dup274, dup4, dup5, ])); -var msg769 = msg("00257:13", part1271); +var msg769 = msg("00257:13", part1266); var select291 = linear_select([ msg750, @@ -16716,27 +15121,24 @@ var select291 = linear_select([ msg769, ]); -var part1272 = // "Pattern{Constant('user '), Field(username,true), Constant(' has logged on via '), Field(p0,false)}" -match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); +var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); -var part1273 = // "Pattern{Constant('the console '), Field(p0,false)}" -match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); +var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); var select292 = linear_select([ - part1273, - dup291, - dup243, + part1268, + dup289, + dup241, ]); -var part1274 = // "Pattern{Constant('from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); +var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); -var all268 = all_match({ +var all263 = all_match({ processors: [ - dup397, - part1272, + dup394, + part1267, select292, - part1274, + part1269, ], on_success: processor_chain([ dup28, @@ -16751,15 +15153,14 @@ var all268 = all_match({ ]), }); -var msg770 = msg("00259", all268); +var msg770 = msg("00259", all263); -var part1275 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' has logged out via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); +var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); -var all269 = all_match({ +var all264 = all_match({ processors: [ - dup397, - part1275, + dup394, + part1270, ], on_success: processor_chain([ dup33, @@ -16772,33 +15173,30 @@ var all269 = all_match({ ]), }); -var msg771 = msg("00259:07", all269); +var msg771 = msg("00259:07", all264); -var part1276 = // "Pattern{Constant('Management session via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for [vsys] admin '), Field(administrator,true), Constant(' has timed out')}" -match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ - dup292, +var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg772 = msg("00259:01", part1276); +var msg772 = msg("00259:01", part1271); -var part1277 = // "Pattern{Constant('Management session via '), Field(logon_type,true), Constant(' for [ vsys ] admin '), Field(administrator,true), Constant(' has timed out')}" -match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ - dup292, +var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg773 = msg("00259:02", part1277); +var msg773 = msg("00259:02", part1272); -var part1278 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via the '), Field(logon_type,true), Constant(' has failed')}" -match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ - dup208, +var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ + dup206, dup29, dup30, dup31, @@ -16809,11 +15207,10 @@ match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by ad dup5, ])); -var msg774 = msg("00259:03", part1278); +var msg774 = msg("00259:03", part1273); -var part1279 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has failed')}" -match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ - dup208, +var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ + dup206, dup29, dup30, dup31, @@ -16824,31 +15221,28 @@ match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by ad dup5, ])); -var msg775 = msg("00259:04", part1279); +var msg775 = msg("00259:04", part1274); -var part1280 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log out of the '), Field(p0,false)}" -match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); +var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); -var part1281 = // "Pattern{Constant('Web '), Field(p0,false)}" -match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); +var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); var select293 = linear_select([ - dup243, - dup291, - part1281, + dup241, + dup289, + part1276, ]); -var part1282 = // "Pattern{Constant('session on host '), Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); +var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); -var all270 = all_match({ +var all265 = all_match({ processors: [ - part1280, + part1275, select293, - part1282, + part1277, ], on_success: processor_chain([ - dup292, + dup290, dup2, dup3, dup4, @@ -16856,18 +15250,17 @@ var all270 = all_match({ ]), }); -var msg776 = msg("00259:05", all270); +var msg776 = msg("00259:05", all265); -var part1283 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log out of the serial console session.')}" -match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ - dup292, +var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg777 = msg("00259:06", part1283); +var msg777 = msg("00259:06", part1278); var select294 = linear_select([ msg770, @@ -16880,19 +15273,17 @@ var select294 = linear_select([ msg777, ]); -var part1284 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been rejected via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ - dup292, +var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ + dup290, dup2, dup3, dup4, dup5, ])); -var msg778 = msg("00262", part1284); +var msg778 = msg("00262", part1279); -var part1285 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been accepted via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ +var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ setc("eventcategory","1401050100"), dup2, dup3, @@ -16900,34 +15291,29 @@ match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} ha dup5, ])); -var msg779 = msg("00263", part1285); +var msg779 = msg("00263", part1280); -var part1286 = // "Pattern{Constant('ActiveX control '), Field(p0,false)}" -match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); +var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); -var part1287 = // "Pattern{Constant('JAVA applet '), Field(p0,false)}" -match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); +var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); -var part1288 = // "Pattern{Constant('EXE file '), Field(p0,false)}" -match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); +var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); -var part1289 = // "Pattern{Constant('ZIP file '), Field(p0,false)}" -match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); +var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); var select295 = linear_select([ - part1286, - part1287, - part1288, - part1289, + part1281, + part1282, + part1283, + part1284, ]); -var part1290 = // "Pattern{Constant('has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('. '), Field(info,false)}" -match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); +var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); -var all271 = all_match({ +var all266 = all_match({ processors: [ select295, - part1290, + part1285, ], on_success: processor_chain([ setc("eventcategory","1003000000"), @@ -16939,43 +15325,39 @@ var all271 = all_match({ ]), }); -var msg780 = msg("00400", all271); +var msg780 = msg("00400", all266); -var part1291 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup85, dup2, dup4, dup5, dup3, - dup293, + dup291, ])); -var msg781 = msg("00401", part1291); +var msg781 = msg("00401", part1286); -var part1292 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup85, dup2, dup4, dup5, dup3, - dup294, + dup292, ])); -var msg782 = msg("00402", part1292); +var msg782 = msg("00402", part1287); -var part1293 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at '), Field(p0,false)}" -match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); +var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); -var part1294 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' in zone '), Field(zone,false), Constant('. '), Field(info,false)}" -match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); +var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); -var all272 = all_match({ +var all267 = all_match({ processors: [ - part1293, - dup339, - part1294, + part1288, + dup337, + part1289, ], on_success: processor_chain([ dup85, @@ -16983,31 +15365,29 @@ var all272 = all_match({ dup4, dup5, dup3, - dup294, + dup292, ]), }); -var msg783 = msg("00402:01", all272); +var msg783 = msg("00402:01", all267); var select296 = linear_select([ msg782, msg783, ]); -var part1295 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup85, dup2, dup4, dup5, dup3, - dup293, + dup291, ])); -var msg784 = msg("00403", part1295); +var msg784 = msg("00403", part1290); -var part1296 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup147, dup148, dup149, @@ -17016,34 +15396,33 @@ match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{spor dup4, dup5, dup3, - dup294, + dup292, ])); -var msg785 = msg("00404", part1296); +var msg785 = msg("00404", part1291); -var part1297 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" -match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ +var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ dup147, dup2, dup4, dup5, dup3, - dup293, + dup291, ])); -var msg786 = msg("00405", part1297); +var msg786 = msg("00405", part1292); -var msg787 = msg("00406", dup416); +var msg787 = msg("00406", dup413); -var msg788 = msg("00407", dup416); +var msg788 = msg("00407", dup413); -var msg789 = msg("00408", dup416); +var msg789 = msg("00408", dup413); -var all273 = all_match({ +var all268 = all_match({ processors: [ dup132, - dup345, - dup295, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -17056,12 +15435,11 @@ var all273 = all_match({ ]), }); -var msg790 = msg("00409", all273); +var msg790 = msg("00409", all268); -var msg791 = msg("00410", dup416); +var msg791 = msg("00410", dup413); -var part1298 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup3, @@ -17071,21 +15449,20 @@ match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} dup60, ])); -var msg792 = msg("00410:01", part1298); +var msg792 = msg("00410:01", part1293); var select297 = linear_select([ msg791, msg792, ]); -var part1299 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto TCP (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); +var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); -var all274 = all_match({ +var all269 = all_match({ processors: [ - part1299, - dup345, - dup295, + part1294, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -17098,19 +15475,17 @@ var all274 = all_match({ ]), }); -var msg793 = msg("00411", all274); +var msg793 = msg("00411", all269); -var part1300 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at '), Field(p0,false)}" -match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); +var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); -var part1301 = // "Pattern{Field(,true), Constant(' '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); +var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); -var all275 = all_match({ +var all270 = all_match({ processors: [ - part1300, - dup339, - part1301, + part1295, + dup337, + part1296, ], on_success: processor_chain([ dup58, @@ -17123,15 +15498,14 @@ var all275 = all_match({ ]), }); -var msg794 = msg("00413", all275); +var msg794 = msg("00413", all270); -var part1302 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,false), Constant('(zone '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); +var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); -var all276 = all_match({ +var all271 = all_match({ processors: [ - part1302, - dup345, + part1297, + dup343, dup83, ], on_success: processor_chain([ @@ -17146,10 +15520,9 @@ var all276 = all_match({ ]), }); -var msg795 = msg("00413:01", all276); +var msg795 = msg("00413:01", all271); -var part1303 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -17159,7 +15532,7 @@ match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup9, ])); -var msg796 = msg("00413:02", part1303); +var msg796 = msg("00413:02", part1298); var select298 = linear_select([ msg794, @@ -17167,8 +15540,7 @@ var select298 = linear_select([ msg796, ]); -var part1304 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -17178,10 +15550,9 @@ match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to dup9, ])); -var msg797 = msg("00414", part1304); +var msg797 = msg("00414", part1299); -var part1305 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup3, @@ -17191,15 +15562,14 @@ match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} dup9, ])); -var msg798 = msg("00414:01", part1305); +var msg798 = msg("00414:01", part1300); var select299 = linear_select([ msg797, msg798, ]); -var part1306 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup59, @@ -17209,13 +15579,13 @@ match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{spo dup61, ])); -var msg799 = msg("00415", part1306); +var msg799 = msg("00415", part1301); -var all277 = all_match({ +var all272 = all_match({ processors: [ dup132, - dup345, - dup296, + dup343, + dup294, ], on_success: processor_chain([ dup58, @@ -17228,12 +15598,12 @@ var all277 = all_match({ ]), }); -var msg800 = msg("00423", all277); +var msg800 = msg("00423", all272); -var all278 = all_match({ +var all273 = all_match({ processors: [ dup80, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -17248,12 +15618,12 @@ var all278 = all_match({ ]), }); -var msg801 = msg("00429", all278); +var msg801 = msg("00429", all273); -var all279 = all_match({ +var all274 = all_match({ processors: [ dup132, - dup345, + dup343, dup83, ], on_success: processor_chain([ @@ -17268,19 +15638,19 @@ var all279 = all_match({ ]), }); -var msg802 = msg("00429:01", all279); +var msg802 = msg("00429:01", all274); var select300 = linear_select([ msg801, msg802, ]); -var all280 = all_match({ +var all275 = all_match({ processors: [ dup80, - dup345, - dup297, - dup353, + dup343, + dup295, + dup351, ], on_success: processor_chain([ dup85, @@ -17294,14 +15664,14 @@ var all280 = all_match({ ]), }); -var msg803 = msg("00430", all280); +var msg803 = msg("00430", all275); -var all281 = all_match({ +var all276 = all_match({ processors: [ dup132, - dup345, - dup297, - dup353, + dup343, + dup295, + dup351, ], on_success: processor_chain([ dup85, @@ -17315,28 +15685,28 @@ var all281 = all_match({ ]), }); -var msg804 = msg("00430:01", all281); +var msg804 = msg("00430:01", all276); var select301 = linear_select([ msg803, msg804, ]); -var msg805 = msg("00431", dup417); +var msg805 = msg("00431", dup414); -var msg806 = msg("00432", dup417); +var msg806 = msg("00432", dup414); -var msg807 = msg("00433", dup418); +var msg807 = msg("00433", dup415); -var msg808 = msg("00434", dup418); +var msg808 = msg("00434", dup415); -var msg809 = msg("00435", dup398); +var msg809 = msg("00435", dup395); -var all282 = all_match({ +var all277 = all_match({ processors: [ dup132, - dup345, - dup296, + dup343, + dup294, ], on_success: processor_chain([ dup58, @@ -17349,19 +15719,19 @@ var all282 = all_match({ ]), }); -var msg810 = msg("00435:01", all282); +var msg810 = msg("00435:01", all277); var select302 = linear_select([ msg809, msg810, ]); -var msg811 = msg("00436", dup398); +var msg811 = msg("00436", dup395); -var all283 = all_match({ +var all278 = all_match({ processors: [ dup64, - dup340, + dup338, dup67, ], on_success: processor_chain([ @@ -17376,15 +15746,14 @@ var all283 = all_match({ ]), }); -var msg812 = msg("00436:01", all283); +var msg812 = msg("00436:01", all278); var select303 = linear_select([ msg811, msg812, ]); -var part1307 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup59, @@ -17394,12 +15763,12 @@ match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! dup61, ])); -var msg813 = msg("00437", part1307); +var msg813 = msg("00437", part1302); -var all284 = all_match({ +var all279 = all_match({ processors: [ - dup301, - dup340, + dup299, + dup338, dup67, ], on_success: processor_chain([ @@ -17414,10 +15783,9 @@ var all284 = all_match({ ]), }); -var msg814 = msg("00437:01", all284); +var msg814 = msg("00437:01", all279); -var part1308 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -17428,7 +15796,7 @@ match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup9, ])); -var msg815 = msg("00437:02", part1308); +var msg815 = msg("00437:02", part1303); var select304 = linear_select([ msg813, @@ -17436,8 +15804,7 @@ var select304 = linear_select([ msg815, ]); -var part1309 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" -match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ +var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ dup58, dup2, dup59, @@ -17447,10 +15814,9 @@ match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! dup61, ])); -var msg816 = msg("00438", part1309); +var msg816 = msg("00438", part1304); -var part1310 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -17460,12 +15826,12 @@ match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{ dup61, ])); -var msg817 = msg("00438:01", part1310); +var msg817 = msg("00438:01", part1305); -var all285 = all_match({ +var all280 = all_match({ processors: [ - dup301, - dup340, + dup299, + dup338, dup67, ], on_success: processor_chain([ @@ -17480,7 +15846,7 @@ var all285 = all_match({ ]), }); -var msg818 = msg("00438:02", all285); +var msg818 = msg("00438:02", all280); var select305 = linear_select([ msg816, @@ -17488,8 +15854,7 @@ var select305 = linear_select([ msg818, ]); -var part1311 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -17500,10 +15865,9 @@ match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! dup60, ])); -var msg819 = msg("00440", part1311); +var msg819 = msg("00440", part1306); -var part1312 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -17513,12 +15877,12 @@ match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detecte dup61, ])); -var msg820 = msg("00440:02", part1312); +var msg820 = msg("00440:02", part1307); -var all286 = all_match({ +var all281 = all_match({ processors: [ - dup241, - dup345, + dup239, + dup343, dup83, ], on_success: processor_chain([ @@ -17533,15 +15897,14 @@ var all286 = all_match({ ]), }); -var msg821 = msg("00440:01", all286); +var msg821 = msg("00440:01", all281); -var part1313 = // "Pattern{Constant('Fragmented traffic! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); +var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); -var all287 = all_match({ +var all282 = all_match({ processors: [ - part1313, - dup345, + part1308, + dup343, dup83, ], on_success: processor_chain([ @@ -17556,7 +15919,7 @@ var all287 = all_match({ ]), }); -var msg822 = msg("00440:03", all287); +var msg822 = msg("00440:03", all282); var select306 = linear_select([ msg819, @@ -17565,8 +15928,7 @@ var select306 = linear_select([ msg822, ]); -var part1314 = // "Pattern{Field(signame,true), Constant(' id='), Field(fld2,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup4, dup59, @@ -17577,14 +15939,13 @@ match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{ dup60, ])); -var msg823 = msg("00441", part1314); +var msg823 = msg("00441", part1309); -var msg824 = msg("00442", dup399); +var msg824 = msg("00442", dup396); -var msg825 = msg("00443", dup399); +var msg825 = msg("00443", dup396); -var part1315 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' issued command '), Field(fld2,true), Constant(' to redirect output.')}" -match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ +var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ dup1, dup2, dup3, @@ -17592,15 +15953,14 @@ match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued dup5, ])); -var msg826 = msg("00511", part1315); +var msg826 = msg("00511", part1310); -var part1316 = // "Pattern{Constant('All System Config saved by admin '), Field(p0,false)}" -match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); +var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); -var all288 = all_match({ +var all283 = all_match({ processors: [ - part1316, - dup400, + part1311, + dup397, ], on_success: processor_chain([ dup1, @@ -17612,10 +15972,9 @@ var all288 = all_match({ ]), }); -var msg827 = msg("00511:01", all288); +var msg827 = msg("00511:01", all283); -var part1317 = // "Pattern{Constant('All logged events or alarms are cleared by admin '), Field(administrator,false), Constant('.')}" -match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ +var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ dup1, dup2, dup3, @@ -17623,15 +15982,14 @@ match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms a dup5, ])); -var msg828 = msg("00511:02", part1317); +var msg828 = msg("00511:02", part1312); -var part1318 = // "Pattern{Constant('Get new software from flash to slot (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); +var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); -var all289 = all_match({ +var all284 = all_match({ processors: [ - part1318, - dup400, + part1313, + dup397, ], on_success: processor_chain([ dup1, @@ -17643,15 +16001,14 @@ var all289 = all_match({ ]), }); -var msg829 = msg("00511:03", all289); +var msg829 = msg("00511:03", all284); -var part1319 = // "Pattern{Constant('Get new software from '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') to slot (file: '), Field(fld3,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); +var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); -var all290 = all_match({ +var all285 = all_match({ processors: [ - part1319, - dup400, + part1314, + dup397, ], on_success: processor_chain([ dup1, @@ -17663,15 +16020,14 @@ var all290 = all_match({ ]), }); -var msg830 = msg("00511:04", all290); +var msg830 = msg("00511:04", all285); -var part1320 = // "Pattern{Constant('Get new software to '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); +var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); -var all291 = all_match({ +var all286 = all_match({ processors: [ - part1320, - dup400, + part1315, + dup397, ], on_success: processor_chain([ dup1, @@ -17683,15 +16039,14 @@ var all291 = all_match({ ]), }); -var msg831 = msg("00511:05", all291); +var msg831 = msg("00511:05", all286); -var part1321 = // "Pattern{Constant('Log setting is modified by admin '), Field(p0,false)}" -match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); +var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); -var all292 = all_match({ +var all287 = all_match({ processors: [ - part1321, - dup400, + part1316, + dup397, ], on_success: processor_chain([ dup1, @@ -17703,15 +16058,14 @@ var all292 = all_match({ ]), }); -var msg832 = msg("00511:06", all292); +var msg832 = msg("00511:06", all287); -var part1322 = // "Pattern{Constant('Save configuration to '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); +var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); -var all293 = all_match({ +var all288 = all_match({ processors: [ - part1322, - dup400, + part1317, + dup397, ], on_success: processor_chain([ dup1, @@ -17723,15 +16077,14 @@ var all293 = all_match({ ]), }); -var msg833 = msg("00511:07", all293); +var msg833 = msg("00511:07", all288); -var part1323 = // "Pattern{Constant('Save new software from slot (file: '), Field(fld2,false), Constant(') to flash by admin '), Field(p0,false)}" -match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); +var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); -var all294 = all_match({ +var all289 = all_match({ processors: [ - part1323, - dup400, + part1318, + dup397, ], on_success: processor_chain([ dup1, @@ -17743,15 +16096,14 @@ var all294 = all_match({ ]), }); -var msg834 = msg("00511:08", all294); +var msg834 = msg("00511:08", all289); -var part1324 = // "Pattern{Constant('Save new software from '), Field(hostip,true), Constant(' (file: '), Field(result,false), Constant(') to flash by admin '), Field(p0,false)}" -match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); +var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); -var all295 = all_match({ +var all290 = all_match({ processors: [ - part1324, - dup400, + part1319, + dup397, ], on_success: processor_chain([ dup1, @@ -17763,15 +16115,14 @@ var all295 = all_match({ ]), }); -var msg835 = msg("00511:09", all295); +var msg835 = msg("00511:09", all290); -var part1325 = // "Pattern{Constant('System Config from flash to slot - '), Field(fld2,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); +var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); -var all296 = all_match({ +var all291 = all_match({ processors: [ - part1325, - dup400, + part1320, + dup397, ], on_success: processor_chain([ dup1, @@ -17783,15 +16134,14 @@ var all296 = all_match({ ]), }); -var msg836 = msg("00511:10", all296); +var msg836 = msg("00511:10", all291); -var part1326 = // "Pattern{Constant('System Config load from '), Field(hostip,true), Constant(' (file '), Field(fld2,false), Constant(') to slot - '), Field(fld3,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); +var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); -var all297 = all_match({ +var all292 = all_match({ processors: [ - part1326, - dup400, + part1321, + dup397, ], on_success: processor_chain([ dup1, @@ -17803,15 +16153,14 @@ var all297 = all_match({ ]), }); -var msg837 = msg("00511:11", all297); +var msg837 = msg("00511:11", all292); -var part1327 = // "Pattern{Constant('System Config load from '), Field(hostip,true), Constant(' (file '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" -match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); +var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); -var all298 = all_match({ +var all293 = all_match({ processors: [ - part1327, - dup400, + part1322, + dup397, ], on_success: processor_chain([ dup1, @@ -17823,15 +16172,14 @@ var all298 = all_match({ ]), }); -var msg838 = msg("00511:12", all298); +var msg838 = msg("00511:12", all293); -var part1328 = // "Pattern{Constant('The system configuration was loaded from the slot by admin '), Field(p0,false)}" -match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); +var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); -var all299 = all_match({ +var all294 = all_match({ processors: [ - part1328, - dup400, + part1323, + dup397, ], on_success: processor_chain([ dup1, @@ -17843,10 +16191,9 @@ var all299 = all_match({ ]), }); -var msg839 = msg("00511:13", all299); +var msg839 = msg("00511:13", all294); -var part1329 = // "Pattern{Constant('FIPS: Attempt to set RADIUS shared secret with invalid length '), Field(fld2,false)}" -match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ +var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -17854,7 +16201,7 @@ match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS s dup5, ])); -var msg840 = msg("00511:14", part1329); +var msg840 = msg("00511:14", part1324); var select307 = linear_select([ msg826, @@ -17874,37 +16221,32 @@ var select307 = linear_select([ msg840, ]); -var part1330 = // "Pattern{Constant('The physical state of '), Field(p0,false)}" -match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); +var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); -var part1331 = // "Pattern{Constant('the Interface '), Field(p0,false)}" -match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); +var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); var select308 = linear_select([ dup123, - part1331, + part1326, dup122, ]); -var part1332 = // "Pattern{Constant(''), Field(interface,true), Constant(' has changed to '), Field(p0,false)}" -match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); +var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); -var part1333 = // "Pattern{Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})"); +var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})"); -var part1334 = // "Pattern{Field(result,false)}" -match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); +var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); var select309 = linear_select([ - part1333, - part1334, + part1328, + part1329, ]); -var all300 = all_match({ +var all295 = all_match({ processors: [ - part1330, + part1325, select308, - part1332, + part1327, select309, ], on_success: processor_chain([ @@ -17917,39 +16259,35 @@ var all300 = all_match({ ]), }); -var msg841 = msg("00513", all300); +var msg841 = msg("00513", all295); -var part1335 = // "Pattern{Constant('Vsys Admin '), Field(p0,false)}" -match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); +var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); var select310 = linear_select([ - part1335, - dup289, + part1330, + dup287, ]); -var part1336 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has logged on via the '), Field(logon_type,true), Constant(' ( HTTP'), Field(p0,false)}" -match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); +var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); -var part1337 = // "Pattern{Constant('S'), Field(p0,false)}" -match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); +var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); var select311 = linear_select([ dup96, - part1337, + part1332, ]); -var part1338 = // "Pattern{Field(,false), Constant(') to port '), Field(interface,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); +var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); -var all301 = all_match({ +var all296 = all_match({ processors: [ select310, - part1336, + part1331, select311, - part1338, + part1333, ], on_success: processor_chain([ - dup303, + dup301, dup2, dup3, dup4, @@ -17957,33 +16295,29 @@ var all301 = all_match({ ]), }); -var msg842 = msg("00515", all301); +var msg842 = msg("00515", all296); -var part1339 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); +var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); -var part1340 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' has failed '), Field(p0,false)}" -match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); +var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); -var part1341 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has failed '), Field(p0,false)}" -match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); +var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); var select312 = linear_select([ - part1340, - part1341, + part1335, + part1336, ]); -var part1342 = // "Pattern{Field(fld2,false)}" -match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); +var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); -var all302 = all_match({ +var all297 = all_match({ processors: [ - part1339, + part1334, select312, - part1342, + part1337, ], on_success: processor_chain([ - dup208, + dup206, dup29, dup30, dup31, @@ -17991,48 +16325,42 @@ var all302 = all_match({ dup2, dup4, dup5, - dup304, + dup302, dup3, ]), }); -var msg843 = msg("00515:01", all302); +var msg843 = msg("00515:01", all297); -var part1343 = // "Pattern{Constant('Management session via '), Field(p0,false)}" -match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}"); +var part1338 = match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}"); -var part1344 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); +var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); -var part1345 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); +var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); var select313 = linear_select([ - part1344, - part1345, + part1339, + part1340, ]); -var part1346 = // "Pattern{Constant('[vsys] admin '), Field(p0,false)}" -match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); +var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); -var part1347 = // "Pattern{Constant('vsys admin '), Field(p0,false)}" -match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); +var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); var select314 = linear_select([ - part1346, - part1347, + part1341, + part1342, dup15, ]); -var part1348 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has timed out')}" -match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); +var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); -var all303 = all_match({ +var all298 = all_match({ processors: [ - part1343, + part1338, select313, select314, - part1348, + part1343, ], on_success: processor_chain([ dup27, @@ -18043,40 +16371,36 @@ var all303 = all_match({ ]), }); -var msg844 = msg("00515:02", all303); +var msg844 = msg("00515:02", all298); -var part1349 = // "Pattern{Constant('[Vsys] '), Field(p0,false)}" -match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); +var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); -var part1350 = // "Pattern{Constant('Vsys '), Field(p0,false)}" -match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); +var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); var select315 = linear_select([ - part1349, - part1350, + part1344, + part1345, ]); -var part1351 = // "Pattern{Constant('Admin '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); +var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); -var part1352 = // "Pattern{Field(logon_type,false)}" -match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); +var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); var select316 = linear_select([ - dup306, - part1352, + dup304, + part1347, ]); -var all304 = all_match({ +var all299 = all_match({ processors: [ select315, - part1351, - dup401, + part1346, + dup398, dup40, select316, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18084,50 +16408,46 @@ var all304 = all_match({ ]), }); -var msg845 = msg("00515:04", all304); +var msg845 = msg("00515:04", all299); -var part1353 = // "Pattern{Constant('Admin User '), Field(administrator,true), Constant(' has logged on via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ - dup242, +var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg846 = msg("00515:06", part1353); +var msg846 = msg("00515:06", part1348); -var part1354 = // "Pattern{Field(,false), Constant('Admin '), Field(p0,false)}" -match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}"); +var part1349 = match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}"); var select317 = linear_select([ - dup307, + dup305, dup16, ]); -var part1355 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); +var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); -var part1356 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld2,false), Constant(')')}" -match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); +var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); var select318 = linear_select([ - dup308, - part1356, dup306, + part1351, + dup304, ]); -var all305 = all_match({ +var all300 = all_match({ processors: [ - part1354, + part1349, select317, - part1355, - dup401, + part1350, + dup398, dup40, select318, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18135,44 +16455,39 @@ var all305 = all_match({ ]), }); -var msg847 = msg("00515:05", all305); +var msg847 = msg("00515:05", all300); -var part1357 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' login attempt for '), Field(logon_type,false), Constant('(http) management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ - dup242, +var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg848 = msg("00515:07", part1357); +var msg848 = msg("00515:07", part1352); -var part1358 = // "Pattern{Field(fld2,true), Constant(' Admin User "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('(http'), Field(p0,false)}" -match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); +var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); -var part1359 = // "Pattern{Constant(') '), Field(p0,false)}" -match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); +var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); -var part1360 = // "Pattern{Constant('s) '), Field(p0,false)}" -match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); +var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); var select319 = linear_select([ - part1359, - part1360, + part1354, + part1355, ]); -var part1361 = // "Pattern{Constant('management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); +var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); -var all306 = all_match({ +var all301 = all_match({ processors: [ - part1358, + part1353, select319, - part1361, + part1356, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18180,32 +16495,29 @@ var all306 = all_match({ ]), }); -var msg849 = msg("00515:08", all306); +var msg849 = msg("00515:08", all301); -var part1362 = // "Pattern{Constant('User '), Field(username,true), Constant(' telnet management session from ('), Field(saddr,false), Constant(':'), Field(sport,false), Constant(') timed out')}" -match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ - dup242, +var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg850 = msg("00515:09", part1362); +var msg850 = msg("00515:09", part1357); -var part1363 = // "Pattern{Constant('User '), Field(username,true), Constant(' logged out of telnet session from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ - dup242, +var part1358 = match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg851 = msg("00515:10", part1363); +var msg851 = msg("00515:10", part1358); -var part1364 = // "Pattern{Constant('The session limit threshold has been set to '), Field(trigger_val,true), Constant(' on zone '), Field(zone,false), Constant('.')}" -match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ +var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ dup1, dup2, dup3, @@ -18213,22 +16525,20 @@ match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold h dup5, ])); -var msg852 = msg("00515:11", part1364); +var msg852 = msg("00515:11", part1359); -var part1365 = // "Pattern{Constant('[ Vsys ] Admin User "'), Field(administrator,false), Constant('" logged in for Web( http'), Field(p0,false)}" -match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); +var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); -var part1366 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(')')}" -match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); +var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); -var all307 = all_match({ +var all302 = all_match({ processors: [ - part1365, - dup402, - part1366, + part1360, + dup399, + part1361, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18236,31 +16546,30 @@ var all307 = all_match({ ]), }); -var msg853 = msg("00515:12", all307); +var msg853 = msg("00515:12", all302); var select320 = linear_select([ - dup290, - dup289, + dup288, + dup287, ]); -var part1367 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); +var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); var select321 = linear_select([ - dup308, dup306, + dup304, ]); -var all308 = all_match({ +var all303 = all_match({ processors: [ select320, - part1367, - dup401, + part1362, + dup398, dup40, select321, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18268,46 +16577,40 @@ var all308 = all_match({ ]), }); -var msg854 = msg("00515:13", all308); +var msg854 = msg("00515:13", all303); -var part1368 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log o'), Field(p0,false)}" -match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); +var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); -var part1369 = // "Pattern{Field(username,true), Constant(' '), Field(fld1,true), Constant(' has been forced to log o'), Field(p0,false)}" -match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); +var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); var select322 = linear_select([ - part1368, - part1369, + part1363, + part1364, ]); -var part1370 = // "Pattern{Constant('of the '), Field(p0,false)}" -match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); +var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); -var part1371 = // "Pattern{Constant('serial '), Field(logon_type,true), Constant(' session.')}" -match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); +var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); -var part1372 = // "Pattern{Field(logon_type,true), Constant(' session on host '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' ('), Field(event_time,false), Constant(')')}" -match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); +var part1367 = match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); -var part1373 = // "Pattern{Field(logon_type,true), Constant(' session on host '), Field(hostip,false), Constant(':'), Field(network_port,false)}" -match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); +var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); var select323 = linear_select([ - part1371, - part1372, - part1373, + part1366, + part1367, + part1368, ]); -var all309 = all_match({ +var all304 = all_match({ processors: [ select322, - dup401, - part1370, + dup398, + part1365, select323, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18315,32 +16618,29 @@ var all309 = all_match({ ]), }); -var msg855 = msg("00515:14", all309); +var msg855 = msg("00515:14", all304); -var part1374 = // "Pattern{Field(fld2,false), Constant(': Admin User '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" -match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); +var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); -var part1375 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); +var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); -var part1376 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); +var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); var select324 = linear_select([ - part1375, - part1376, + part1370, + part1371, ]); -var all310 = all_match({ +var all305 = all_match({ processors: [ - part1374, - dup401, + part1369, + dup398, dup40, select324, dup41, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup9, @@ -18349,31 +16649,28 @@ var all310 = all_match({ ]), }); -var msg856 = msg("00515:15", all310); +var msg856 = msg("00515:15", all305); -var part1377 = // "Pattern{Field(fld2,false), Constant(': Admin '), Field(p0,false)}" -match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); +var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); var select325 = linear_select([ - part1377, - dup289, + part1372, + dup287, ]); -var part1378 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' attempt access to '), Field(url,true), Constant(' illegal from '), Field(logon_type,false), Constant('( http'), Field(p0,false)}" -match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); +var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); -var part1379 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})"); +var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})"); -var all311 = all_match({ +var all306 = all_match({ processors: [ select325, - part1378, - dup402, - part1379, + part1373, + dup399, + part1374, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup9, @@ -18382,33 +16679,29 @@ var all311 = all_match({ ]), }); -var msg857 = msg("00515:16", all311); +var msg857 = msg("00515:16", all306); -var part1380 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged out for '), Field(logon_type,false), Constant('('), Field(p0,false)}" -match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); +var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); -var part1381 = // "Pattern{Constant('https '), Field(p0,false)}" -match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); +var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); -var part1382 = // "Pattern{Constant(' http '), Field(p0,false)}" -match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); +var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); var select326 = linear_select([ - part1381, - part1382, + part1376, + part1377, ]); -var part1383 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); +var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); -var all312 = all_match({ +var all307 = all_match({ processors: [ - part1380, + part1375, select326, - part1383, + part1378, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup4, @@ -18416,11 +16709,10 @@ var all312 = all_match({ ]), }); -var msg858 = msg("00515:17", all312); +var msg858 = msg("00515:17", all307); -var part1384 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' login attempt for '), Field(logon_type,false), Constant('(https) management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup242, +var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, dup2, dup3, dup9, @@ -18428,30 +16720,27 @@ match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} dup5, ])); -var msg859 = msg("00515:18", part1384); +var msg859 = msg("00515:18", part1379); -var part1385 = // "Pattern{Constant('Vsys admin user '), Field(administrator,true), Constant(' logged on via '), Field(p0,false)}" -match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); +var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); -var part1386 = // "Pattern{Field(logon_type,true), Constant(' from remote IP address '), Field(saddr,true), Constant(' using port '), Field(sport,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); +var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); -var part1387 = // "Pattern{Constant('the console. ('), Field(p0,false)}" -match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}"); +var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}"); var select327 = linear_select([ - part1386, - part1387, + part1381, + part1382, ]); -var all313 = all_match({ +var all308 = all_match({ processors: [ - part1385, + part1380, select327, dup41, ], on_success: processor_chain([ - dup242, + dup240, dup2, dup3, dup9, @@ -18460,11 +16749,10 @@ var all313 = all_match({ ]), }); -var msg860 = msg("00515:19", all313); +var msg860 = msg("00515:19", all308); -var part1388 = // "Pattern{Constant('netscreen: Management session via SCS from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for admin netscreen has timed out ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ - dup242, +var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ + dup240, dup2, dup3, dup9, @@ -18472,7 +16760,7 @@ match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session dup5, ])); -var msg861 = msg("00515:20", part1388); +var msg861 = msg("00515:20", part1383); var select328 = linear_select([ msg842, @@ -18497,85 +16785,77 @@ var select328 = linear_select([ msg861, ]); -var part1389 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' '), Field(fld1,false), Constant('at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup283, +var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg862 = msg("00518", part1389); +var msg862 = msg("00518", part1384); -var part1390 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup283, +var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg863 = msg("00518:17", part1390); +var msg863 = msg("00518:17", part1385); -var part1391 = // "Pattern{Constant('Local authentication for WebAuth user '), Field(username,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ - dup283, +var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg864 = msg("00518:01", part1391); +var msg864 = msg("00518:01", part1386); -var part1392 = // "Pattern{Constant('Local authentication for user '), Field(username,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ - dup283, +var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg865 = msg("00518:02", part1392); +var msg865 = msg("00518:02", part1387); -var part1393 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' must enter "Next Code" for SecurID '), Field(hostip,false)}" -match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ - dup205, +var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg866 = msg("00518:03", part1393); +var msg866 = msg("00518:03", part1388); -var part1394 = // "Pattern{Constant('WebAuth user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup205, +var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg867 = msg("00518:04", part1394); +var msg867 = msg("00518:04", part1389); -var part1395 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been challenged via the '), Field(authmethod,true), Constant(' server at '), Field(hostip,true), Constant(' (Rejected since challenge is not supported for '), Field(logon_type,false), Constant(')')}" -match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ - dup205, +var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg868 = msg("00518:05", part1395); +var msg868 = msg("00518:05", part1390); -var part1396 = // "Pattern{Constant('Error in authentication for WebAuth user '), Field(username,false)}" -match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ +var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ dup35, dup29, dup31, @@ -18586,27 +16866,24 @@ match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for W dup3, ])); -var msg869 = msg("00518:06", part1396); +var msg869 = msg("00518:06", part1391); -var part1397 = // "Pattern{Constant('Authentication for user '), Field(username,true), Constant(' was denied (long '), Field(p0,false)}" -match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); +var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); -var part1398 = // "Pattern{Constant('username '), Field(p0,false)}" -match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); +var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); var select329 = linear_select([ dup24, - part1398, + part1393, ]); -var part1399 = // "Pattern{Constant(')'), Field(,false)}" -match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); +var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); -var all314 = all_match({ +var all309 = all_match({ processors: [ - part1397, + part1392, select329, - part1399, + part1394, ], on_success: processor_chain([ dup53, @@ -18620,10 +16897,9 @@ var all314 = all_match({ ]), }); -var msg870 = msg("00518:07", all314); +var msg870 = msg("00518:07", all309); -var part1400 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' '), Field(authmethod,true), Constant(' authentication attempt has timed out')}" -match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ +var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ dup35, dup29, dup31, @@ -18634,22 +16910,20 @@ match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr dup3, ])); -var msg871 = msg("00518:08", part1400); +var msg871 = msg("00518:08", part1395); -var part1401 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ - dup205, +var part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg872 = msg("00518:09", part1401); +var msg872 = msg("00518:09", part1396); -var part1402 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,true), Constant(' ('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' failed due to '), Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ - dup208, +var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ + dup206, dup29, dup30, dup31, @@ -18659,36 +16933,32 @@ match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator} dup9, dup5, dup3, - dup304, + dup302, ])); -var msg873 = msg("00518:10", part1402); +var msg873 = msg("00518:10", part1397); -var part1403 = // "Pattern{Constant('ADM: Local admin authentication failed for login name '), Field(p0,false)}" -match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); +var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); -var part1404 = // "Pattern{Constant('''), Field(username,false), Constant('': '), Field(p0,false)}" -match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); +var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); -var part1405 = // "Pattern{Field(username,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); +var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); var select330 = linear_select([ - part1404, - part1405, + part1399, + part1400, ]); -var part1406 = // "Pattern{Field(result,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); +var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); -var all315 = all_match({ +var all310 = all_match({ processors: [ - part1403, + part1398, select330, - part1406, + part1401, ], on_success: processor_chain([ - dup208, + dup206, dup29, dup30, dup31, @@ -18701,11 +16971,10 @@ var all315 = all_match({ ]), }); -var msg874 = msg("00518:11", all315); +var msg874 = msg("00518:11", all310); -var part1407 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ - dup242, +var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, dup2, dup4, dup9, @@ -18713,11 +16982,10 @@ match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator} dup3, ])); -var msg875 = msg("00518:12", part1407); +var msg875 = msg("00518:12", part1402); -var part1408 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' is rejected by the Radius server at '), Field(hostip,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([ - dup292, +var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([ + dup290, dup2, dup3, dup4, @@ -18725,18 +16993,17 @@ match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr dup5, ])); -var msg876 = msg("00518:13", part1408); +var msg876 = msg("00518:13", part1403); -var part1409 = // "Pattern{Field(fld2,false), Constant(': Admin user has been rejected via the Radius server at '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ - dup292, +var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ + dup290, dup2, dup4, dup5, dup9, ])); -var msg877 = msg("00518:14", part1409); +var msg877 = msg("00518:14", part1404); var select331 = linear_select([ msg862, @@ -18757,45 +17024,39 @@ var select331 = linear_select([ msg877, ]); -var part1410 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); +var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); -var part1411 = // "Pattern{Constant('of group '), Field(group,true), Constant(' at '), Field(saddr,true), Constant(' has '), Field(p0,false)}" -match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); +var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); -var part1412 = // "Pattern{Field(group,true), Constant(' at '), Field(saddr,true), Constant(' has '), Field(p0,false)}" -match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); +var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); var select332 = linear_select([ - dup196, - part1411, - part1412, + dup194, + part1406, + part1407, ]); -var part1413 = // "Pattern{Constant('been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server '), Field(p0,false)}" -match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); +var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); -var part1414 = // "Pattern{Constant('at '), Field(p0,false)}" -match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); +var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); var select333 = linear_select([ - part1414, + part1409, dup16, ]); -var part1415 = // "Pattern{Constant(''), Field(hostip,false)}" -match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); +var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); -var all316 = all_match({ +var all311 = all_match({ processors: [ - part1410, + part1405, select332, - part1413, + part1408, select333, - part1415, + part1410, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -18803,27 +17064,25 @@ var all316 = all_match({ ]), }); -var msg878 = msg("00519", all316); +var msg878 = msg("00519", all311); -var part1416 = // "Pattern{Constant('Local authentication for '), Field(p0,false)}" -match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); +var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); var select334 = linear_select([ - dup309, dup307, + dup305, ]); -var part1417 = // "Pattern{Constant(''), Field(username,true), Constant(' was '), Field(disposition,false)}" -match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); +var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); -var all317 = all_match({ +var all312 = all_match({ processors: [ - part1416, + part1411, select334, - part1417, + part1412, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -18831,27 +17090,25 @@ var all317 = all_match({ ]), }); -var msg879 = msg("00519:01", all317); +var msg879 = msg("00519:01", all312); -var part1418 = // "Pattern{Constant('User '), Field(p0,false)}" -match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); +var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); var select335 = linear_select([ - dup309, - part1418, + dup307, + part1413, ]); -var part1419 = // "Pattern{Constant(''), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" -match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); +var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); -var all318 = all_match({ +var all313 = all_match({ processors: [ - dup162, + dup160, select335, - part1419, + part1414, ], on_success: processor_chain([ - dup205, + dup203, dup2, dup3, dup4, @@ -18859,40 +17116,37 @@ var all318 = all_match({ ]), }); -var msg880 = msg("00519:02", all318); +var msg880 = msg("00519:02", all313); -var part1420 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(fld4,false)}" -match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ - dup242, +var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ + dup240, dup2, dup3, dup4, dup5, ])); -var msg881 = msg("00519:03", part1420); +var msg881 = msg("00519:03", part1415); -var part1421 = // "Pattern{Constant('ADM: Local admin authentication successful for login name '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ - dup242, +var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ + dup240, dup2, dup4, dup5, dup9, ])); -var msg882 = msg("00519:04", part1421); +var msg882 = msg("00519:04", part1416); -var part1422 = // "Pattern{Field(fld2,false), Constant('Admin user '), Field(administrator,true), Constant(' has been accepted via the Radius server at '), Field(hostip,false), Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ - dup242, +var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ + dup240, dup2, dup4, dup5, dup9, ])); -var msg883 = msg("00519:05", part1422); +var msg883 = msg("00519:05", part1417); var select336 = linear_select([ msg878, @@ -18903,8 +17157,7 @@ var select336 = linear_select([ msg883, ]); -var part1423 = // "Pattern{Field(hostname,true), Constant(' user authentication attempt has timed out')}" -match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ +var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ dup35, dup31, dup39, @@ -18914,38 +17167,32 @@ match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authenticatio dup5, ])); -var msg884 = msg("00520", part1423); +var msg884 = msg("00520", part1418); -var part1424 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); +var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); -var part1425 = // "Pattern{Constant('RADIUS '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}"); +var part1420 = match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}"); -var part1426 = // "Pattern{Constant('SecurID '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); +var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); -var part1427 = // "Pattern{Constant('LDAP '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); +var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); -var part1428 = // "Pattern{Constant('Local '), Field(p0,false)}" -match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); +var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); var select337 = linear_select([ - part1425, - part1426, - part1427, - part1428, + part1420, + part1421, + part1422, + part1423, ]); -var part1429 = // "Pattern{Constant('authentication attempt has timed out'), Field(,false)}" -match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); +var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); -var all319 = all_match({ +var all314 = all_match({ processors: [ - part1424, + part1419, select337, - part1429, + part1424, ], on_success: processor_chain([ dup35, @@ -18958,19 +17205,17 @@ var all319 = all_match({ ]), }); -var msg885 = msg("00520:01", all319); +var msg885 = msg("00520:01", all314); -var part1430 = // "Pattern{Constant('Trying '), Field(p0,false)}" -match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); +var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); -var part1431 = // "Pattern{Constant('server '), Field(fld2,false)}" -match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); +var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); -var all320 = all_match({ +var all315 = all_match({ processors: [ - part1430, - dup403, - part1431, + part1425, + dup400, + part1426, ], on_success: processor_chain([ dup44, @@ -18981,41 +17226,35 @@ var all320 = all_match({ ]), }); -var msg886 = msg("00520:02", all320); +var msg886 = msg("00520:02", all315); -var part1432 = // "Pattern{Constant('Primary '), Field(p0,false)}" -match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); +var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); -var part1433 = // "Pattern{Constant('Backup1 '), Field(p0,false)}" -match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); +var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); -var part1434 = // "Pattern{Constant('Backup2 '), Field(p0,false)}" -match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); +var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); var select338 = linear_select([ - part1432, - part1433, - part1434, + part1427, + part1428, + part1429, ]); -var part1435 = // "Pattern{Constant(''), Field(fld2,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); +var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); -var part1436 = // "Pattern{Constant(''), Field(fld3,false), Constant(', and '), Field(p0,false)}" -match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); +var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); -var part1437 = // "Pattern{Constant(''), Field(fld4,true), Constant(' servers failed')}" -match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); +var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); -var all321 = all_match({ +var all316 = all_match({ processors: [ - dup162, + dup160, select338, - part1435, - dup403, - part1436, - dup403, - part1437, + part1430, + dup400, + part1431, + dup400, + part1432, ], on_success: processor_chain([ dup19, @@ -19026,10 +17265,9 @@ var all321 = all_match({ ]), }); -var msg887 = msg("00520:03", all321); +var msg887 = msg("00520:03", all316); -var part1438 = // "Pattern{Constant('Trying '), Field(fld2,true), Constant(' Server '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ +var part1433 = match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -19037,10 +17275,9 @@ match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hos dup9, ])); -var msg888 = msg("00520:04", part1438); +var msg888 = msg("00520:04", part1433); -var part1439 = // "Pattern{Constant('Active Server Switchover: New requests for '), Field(fld31,true), Constant(' server will try '), Field(fld32,true), Constant(' from now on. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ +var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -19048,7 +17285,7 @@ match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: Ne dup9, ])); -var msg889 = msg("00520:05", part1439); +var msg889 = msg("00520:05", part1434); var select339 = linear_select([ msg884, @@ -19059,8 +17296,7 @@ var select339 = linear_select([ msg889, ]); -var part1440 = // "Pattern{Constant('Can't connect to E-mail server '), Field(hostip,false)}" -match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ +var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ dup27, dup2, dup3, @@ -19068,10 +17304,9 @@ match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server % dup5, ])); -var msg890 = msg("00521", part1440); +var msg890 = msg("00521", part1435); -var part1441 = // "Pattern{Constant('HA link state has '), Field(fld2,false)}" -match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ +var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ dup117, dup2, dup3, @@ -19079,32 +17314,29 @@ match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", proc dup5, ])); -var msg891 = msg("00522", part1441); +var msg891 = msg("00522", part1436); -var part1442 = // "Pattern{Constant('URL filtering received an error from '), Field(fld2,true), Constant(' (error '), Field(resultcode,false), Constant(').')}" -match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ - dup234, +var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ + dup232, dup2, dup3, dup4, dup5, ])); -var msg892 = msg("00523", part1442); +var msg892 = msg("00523", part1437); -var part1443 = // "Pattern{Constant('NetScreen device at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has responded successfully to SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ - dup211, +var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ + dup209, dup2, dup3, dup4, dup5, ])); -var msg893 = msg("00524", part1443); +var msg893 = msg("00524", part1438); -var part1444 = // "Pattern{Constant('SNMP request from an unknown SNMP community public at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ +var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -19113,10 +17345,9 @@ match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown dup5, ])); -var msg894 = msg("00524:02", part1444); +var msg894 = msg("00524:02", part1439); -var part1445 = // "Pattern{Constant('SNMP: NetScreen device has responded successfully to the SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ +var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -19125,10 +17356,9 @@ match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has re dup5, ])); -var msg895 = msg("00524:03", part1445); +var msg895 = msg("00524:03", part1440); -var part1446 = // "Pattern{Constant('SNMP request from an unknown SNMP community admin at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ +var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -19137,10 +17367,9 @@ match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown dup5, ])); -var msg896 = msg("00524:04", part1446); +var msg896 = msg("00524:04", part1441); -var part1447 = // "Pattern{Constant('SNMP request from an unknown SNMP community '), Field(fld2,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ +var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ dup18, dup2, dup4, @@ -19148,10 +17377,9 @@ match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown dup9, ])); -var msg897 = msg("00524:05", part1447); +var msg897 = msg("00524:05", part1442); -var part1448 = // "Pattern{Constant('SNMP request has been received from an unknown host in SNMP community '), Field(fld2,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ +var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ dup18, dup2, dup4, @@ -19159,20 +17387,18 @@ match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been receive dup9, ])); -var msg898 = msg("00524:06", part1448); +var msg898 = msg("00524:06", part1443); -var part1449 = // "Pattern{Constant('SNMP request from an unknown SNMP community '), Field(fld2,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' has been received')}" -match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ +var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg899 = msg("00524:12", part1449); +var msg899 = msg("00524:12", part1444); -var part1450 = // "Pattern{Constant('SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been received, but the SNMP version type is incorrect. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([ +var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([ dup19, dup2, dup4, @@ -19181,19 +17407,17 @@ match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{ dup9, ])); -var msg900 = msg("00524:14", part1450); +var msg900 = msg("00524:14", part1445); -var part1451 = // "Pattern{Constant('SNMP request has been received'), Field(p0,false)}" -match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); +var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); -var part1452 = // "Pattern{Field(,false), Constant('but '), Field(result,false)}" -match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); +var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); -var all322 = all_match({ +var all317 = all_match({ processors: [ - part1451, - dup404, - part1452, + part1446, + dup401, + part1447, ], on_success: processor_chain([ dup18, @@ -19203,60 +17427,54 @@ var all322 = all_match({ ]), }); -var msg901 = msg("00524:13", all322); +var msg901 = msg("00524:13", all317); -var part1453 = // "Pattern{Constant('Response to SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' has '), Field(disposition,true), Constant(' due to '), Field(result,false)}" -match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ +var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg902 = msg("00524:07", part1453); +var msg902 = msg("00524:07", part1448); -var part1454 = // "Pattern{Constant('SNMP community '), Field(fld2,true), Constant(' cannot be added because '), Field(result,false)}" -match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ +var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg903 = msg("00524:08", part1454); +var msg903 = msg("00524:08", part1449); -var part1455 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be added to community '), Field(fld2,true), Constant(' because of '), Field(result,false)}" -match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ +var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg904 = msg("00524:09", part1455); +var msg904 = msg("00524:09", part1450); -var part1456 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be added because '), Field(result,false)}" -match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ +var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg905 = msg("00524:10", part1456); +var msg905 = msg("00524:10", part1451); -var part1457 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be removed from community '), Field(fld2,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ +var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ dup18, dup2, dup4, dup5, ])); -var msg906 = msg("00524:11", part1457); +var msg906 = msg("00524:11", part1452); -var part1458 = // "Pattern{Constant('SNMP user/community '), Field(fld34,true), Constant(' doesn't exist. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([ +var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -19264,7 +17482,7 @@ match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34- dup9, ])); -var msg907 = msg("00524:16", part1458); +var msg907 = msg("00524:16", part1453); var select340 = linear_select([ msg893, @@ -19284,9 +17502,8 @@ var select340 = linear_select([ msg907, ]); -var part1459 = // "Pattern{Constant('The new PIN for user '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' has been '), Field(disposition,true), Constant(' by SecurID '), Field(fld2,false)}" -match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ - dup205, +var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ + dup203, setc("ec_subject","Password"), dup38, dup2, @@ -19295,40 +17512,37 @@ match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username- dup5, ])); -var msg908 = msg("00525", part1459); +var msg908 = msg("00525", part1454); -var part1460 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' has selected a system-generated PIN for authentication with SecurID '), Field(fld2,false)}" -match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ - dup205, +var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg909 = msg("00525:01", part1460); +var msg909 = msg("00525:01", part1455); -var part1461 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' must enter the "new PIN" for SecurID '), Field(fld2,false)}" -match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ - dup205, +var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg910 = msg("00525:02", part1461); +var msg910 = msg("00525:02", part1456); -var part1462 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' must make a "New PIN" choice for SecurID '), Field(fld2,false)}" -match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ - dup205, +var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg911 = msg("00525:03", part1462); +var msg911 = msg("00525:03", part1457); var select341 = linear_select([ msg908, @@ -19337,10 +17551,9 @@ var select341 = linear_select([ msg911, ]); -var part1463 = // "Pattern{Constant('The user limit has been exceeded and '), Field(hostip,true), Constant(' cannot be added')}" -match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ +var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ dup37, - dup221, + dup219, dup38, dup39, dup2, @@ -19349,39 +17562,34 @@ match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded dup5, ])); -var msg912 = msg("00526", part1463); +var msg912 = msg("00526", part1458); -var part1464 = // "Pattern{Constant('A DHCP-'), Field(p0,false)}" -match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); +var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); -var part1465 = // "Pattern{Constant(' assigned '), Field(p0,false)}" -match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); +var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); var select342 = linear_select([ - dup313, - part1465, + dup311, + part1460, ]); -var part1466 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' has been '), Field(p0,false)}" -match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); +var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); -var part1467 = // "Pattern{Constant('freed from '), Field(p0,false)}" -match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); +var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); -var part1468 = // "Pattern{Constant('freed '), Field(p0,false)}" -match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); +var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); var select343 = linear_select([ - dup314, - part1467, - part1468, + dup312, + part1462, + part1463, ]); -var all323 = all_match({ +var all318 = all_match({ processors: [ - part1464, + part1459, select342, - part1466, + part1461, select343, dup108, ], @@ -19394,10 +17602,9 @@ var all323 = all_match({ ]), }); -var msg913 = msg("00527", all323); +var msg913 = msg("00527", all318); -var part1469 = // "Pattern{Constant('A DHCP-assigned IP address has been manually released'), Field(,false)}" -match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ +var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ dup44, dup2, dup3, @@ -19405,31 +17612,27 @@ match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address ha dup5, ])); -var msg914 = msg("00527:01", part1469); +var msg914 = msg("00527:01", part1464); -var part1470 = // "Pattern{Constant('DHCP server has '), Field(p0,false)}" -match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); +var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); -var part1471 = // "Pattern{Constant('released '), Field(p0,false)}" -match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); +var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); -var part1472 = // "Pattern{Constant('assigned or released '), Field(p0,false)}" -match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); +var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); var select344 = linear_select([ - dup313, - part1471, - part1472, + dup311, + part1466, + part1467, ]); -var part1473 = // "Pattern{Constant('an IP address'), Field(,false)}" -match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); +var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); -var all324 = all_match({ +var all319 = all_match({ processors: [ - part1470, + part1465, select344, - part1473, + part1468, ], on_success: processor_chain([ dup44, @@ -19440,21 +17643,19 @@ var all324 = all_match({ ]), }); -var msg915 = msg("00527:02", all324); +var msg915 = msg("00527:02", all319); -var part1474 = // "Pattern{Constant('MAC address '), Field(macaddr,true), Constant(' has detected an IP conflict and has declined address '), Field(hostip,false)}" -match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ - dup274, +var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ + dup272, dup2, dup3, dup4, dup5, ])); -var msg916 = msg("00527:03", part1474); +var msg916 = msg("00527:03", part1469); -var part1475 = // "Pattern{Constant('One or more DHCP-assigned IP addresses have been manually released.'), Field(,false)}" -match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ +var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ dup44, dup2, dup3, @@ -19462,16 +17663,15 @@ match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP dup5, ])); -var msg917 = msg("00527:04", part1475); +var msg917 = msg("00527:04", part1470); -var part1476 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is more than '), Field(fld2,true), Constant(' allocated.')}" -match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); +var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); -var all325 = all_match({ +var all320 = all_match({ processors: [ - dup212, - dup339, - part1476, + dup210, + dup337, + part1471, ], on_success: processor_chain([ dup44, @@ -19482,34 +17682,31 @@ var all325 = all_match({ ]), }); -var msg918 = msg("00527:05", all325); +var msg918 = msg("00527:05", all320); -var part1477 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); +var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); var select345 = linear_select([ dup106, dup127, ]); -var part1478 = // "Pattern{Constant('released from '), Field(p0,false)}" -match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); +var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); var select346 = linear_select([ - dup314, - part1478, + dup312, + part1473, ]); -var part1479 = // "Pattern{Constant(''), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); +var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); -var all326 = all_match({ +var all321 = all_match({ processors: [ - part1477, + part1472, select345, dup23, select346, - part1479, + part1474, ], on_success: processor_chain([ dup44, @@ -19521,10 +17718,9 @@ var all326 = all_match({ ]), }); -var msg919 = msg("00527:06", all326); +var msg919 = msg("00527:06", all321); -var part1480 = // "Pattern{Constant('One or more IP addresses have expired. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([ +var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -19533,10 +17729,9 @@ match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have dup5, ])); -var msg920 = msg("00527:07", part1480); +var msg920 = msg("00527:07", part1475); -var part1481 = // "Pattern{Constant('DHCP server on interface '), Field(interface,true), Constant(' received '), Field(protocol_detail,true), Constant(' from '), Field(smacaddr,true), Constant(' requesting out-of-scope IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ +var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -19545,30 +17740,27 @@ match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{in dup5, ])); -var msg921 = msg("00527:08", part1481); +var msg921 = msg("00527:08", part1476); -var part1482 = // "Pattern{Constant('MAC address '), Field(macaddr,true), Constant(' has '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); +var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); -var part1483 = // "Pattern{Constant('address '), Field(hostip,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); +var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); -var part1484 = // "Pattern{Field(hostip,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); +var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); var select347 = linear_select([ - part1483, - part1484, + part1478, + part1479, ]); -var all327 = all_match({ +var all322 = all_match({ processors: [ - part1482, + part1477, select347, dup41, ], on_success: processor_chain([ - dup274, + dup272, dup2, dup3, dup9, @@ -19577,10 +17769,9 @@ var all327 = all_match({ ]), }); -var msg922 = msg("00527:09", all327); +var msg922 = msg("00527:09", all322); -var part1485 = // "Pattern{Constant('One or more IP addresses are expired. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([ +var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -19589,7 +17780,7 @@ match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are dup5, ])); -var msg923 = msg("00527:10", part1485); +var msg923 = msg("00527:10", part1480); var select348 = linear_select([ msg913, @@ -19605,8 +17796,7 @@ var select348 = linear_select([ msg923, ]); -var part1486 = // "Pattern{Constant('SCS: User ''), Field(username,false), Constant('' authenticated using password :')}" -match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ +var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ setc("eventcategory","1302010000"), dup29, dup31, @@ -19617,66 +17807,60 @@ match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenti dup5, ])); -var msg924 = msg("00528", part1486); +var msg924 = msg("00528", part1481); -var part1487 = // "Pattern{Constant('SCS: Connection terminated for user '), Field(username,true), Constant(' from')}" -match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ - dup205, +var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg925 = msg("00528:01", part1487); +var msg925 = msg("00528:01", part1482); -var part1488 = // "Pattern{Constant('SCS: Disabled for all root/vsys on device. Client host attempting connection to interface ''), Field(interface,false), Constant('' with address '), Field(hostip,true), Constant(' from '), Field(saddr,false)}" -match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ - dup205, +var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg926 = msg("00528:02", part1488); +var msg926 = msg("00528:02", part1483); -var part1489 = // "Pattern{Constant('SSH: NetScreen device '), Field(disposition,true), Constant(' to identify itself to the SSH client at '), Field(hostip,false)}" -match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ - dup205, +var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg927 = msg("00528:03", part1489); +var msg927 = msg("00528:03", part1484); -var part1490 = // "Pattern{Constant('SSH: Incompatible SSH version string has been received from SSH client at '), Field(hostip,false)}" -match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ - dup205, +var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ + dup203, dup2, dup4, dup5, dup3, ])); -var msg928 = msg("00528:04", part1490); +var msg928 = msg("00528:04", part1485); -var part1491 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to send identification string to client host at '), Field(hostip,false)}" -match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ - dup205, +var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ + dup203, dup2, dup3, dup4, dup5, ])); -var msg929 = msg("00528:05", part1491); +var msg929 = msg("00528:05", part1486); -var part1492 = // "Pattern{Constant('SSH: Client at '), Field(saddr,true), Constant(' attempted to connect with invalid version string.')}" -match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ - dup315, +var part1487 = match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ + dup313, dup2, dup3, dup4, @@ -19684,38 +17868,33 @@ match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} att setc("result","invalid version string"), ])); -var msg930 = msg("00528:06", part1492); +var msg930 = msg("00528:06", part1487); -var part1493 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to negotiate '), Field(p0,false)}" -match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); +var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); -var part1494 = // "Pattern{Constant('MAC '), Field(p0,false)}" -match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); +var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); -var part1495 = // "Pattern{Constant('key exchange '), Field(p0,false)}" -match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); +var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); -var part1496 = // "Pattern{Constant('host key '), Field(p0,false)}" -match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); +var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); var select349 = linear_select([ dup88, - part1494, - part1495, - part1496, + part1489, + part1490, + part1491, ]); -var part1497 = // "Pattern{Constant('algorithm with host '), Field(hostip,false)}" -match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); +var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); -var all328 = all_match({ +var all323 = all_match({ processors: [ - part1493, + part1488, select349, - part1497, + part1492, ], on_success: processor_chain([ - dup316, + dup314, dup2, dup4, dup5, @@ -19723,55 +17902,50 @@ var all328 = all_match({ ]), }); -var msg931 = msg("00528:07", all328); +var msg931 = msg("00528:07", all323); -var part1498 = // "Pattern{Constant('SSH: Unsupported cipher type '), Field(fld2,true), Constant(' requested from '), Field(saddr,false)}" -match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ - dup316, +var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ + dup314, dup2, dup4, dup5, dup3, ])); -var msg932 = msg("00528:08", part1498); +var msg932 = msg("00528:08", part1493); -var part1499 = // "Pattern{Constant('SSH: Host client has requested NO cipher from '), Field(saddr,false)}" -match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ - dup316, +var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg933 = msg("00528:09", part1499); +var msg933 = msg("00528:09", part1494); -var part1500 = // "Pattern{Constant('SSH: Disabled for ''), Field(vsys,false), Constant(''. Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup283, +var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg934 = msg("00528:10", part1500); +var msg934 = msg("00528:10", part1495); -var part1501 = // "Pattern{Constant('SSH: Disabled for '), Field(fld2,true), Constant(' Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ - dup283, +var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg935 = msg("00528:11", part1501); +var msg935 = msg("00528:11", part1496); -var part1502 = // "Pattern{Constant('SSH: SSH user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' tried unsuccessfully to log in to '), Field(vsys,true), Constant(' using the shared untrusted interface. SSH disabled on that interface.')}" -match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ - dup283, +var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ + dup281, dup2, dup4, dup5, @@ -19779,51 +17953,44 @@ match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} a setc("disposition","disabled"), ])); -var msg936 = msg("00528:12", part1502); +var msg936 = msg("00528:12", part1497); -var part1503 = // "Pattern{Constant('SSH: SSH client at '), Field(saddr,true), Constant(' tried unsuccessfully to '), Field(p0,false)}" -match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); +var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); -var part1504 = // "Pattern{Constant('make '), Field(p0,false)}" -match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); +var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); -var part1505 = // "Pattern{Constant('establish '), Field(p0,false)}" -match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); +var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); var select350 = linear_select([ - part1504, - part1505, + part1499, + part1500, ]); -var part1506 = // "Pattern{Constant('an SSH connection to '), Field(p0,false)}" -match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); +var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); -var part1507 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' SSH '), Field(p0,false)}" -match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); +var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); -var part1508 = // "Pattern{Constant('not enabled '), Field(p0,false)}" -match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); +var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); var select351 = linear_select([ - part1508, + part1503, dup157, ]); -var part1509 = // "Pattern{Constant('on that interface.'), Field(,false)}" -match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); +var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); -var all329 = all_match({ +var all324 = all_match({ processors: [ - part1503, + part1498, select350, - part1506, - dup339, - part1507, + part1501, + dup337, + part1502, select351, - part1509, + part1504, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19831,54 +17998,48 @@ var all329 = all_match({ ]), }); -var msg937 = msg("00528:13", all329); +var msg937 = msg("00528:13", all324); -var part1510 = // "Pattern{Constant('SSH: SSH client '), Field(saddr,true), Constant(' unsuccessfully attempted to make an SSH connection to '), Field(vsys,true), Constant(' SSH was not completely initialized for that system.')}" -match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ - dup283, +var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg938 = msg("00528:14", part1510); +var msg938 = msg("00528:14", part1505); -var part1511 = // "Pattern{Constant('SSH: Admin user '), Field(p0,false)}" -match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); +var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); -var part1512 = // "Pattern{Field(administrator,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); +var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); var select352 = linear_select([ - dup317, - part1512, + dup315, + part1507, ]); -var part1513 = // "Pattern{Constant('at host '), Field(saddr,true), Constant(' requested unsupported '), Field(p0,false)}" -match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); +var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); -var part1514 = // "Pattern{Constant('PKA algorithm '), Field(p0,false)}" -match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); +var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); -var part1515 = // "Pattern{Constant('authentication method '), Field(p0,false)}" -match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); +var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); var select353 = linear_select([ - part1514, - part1515, + part1509, + part1510, ]); -var all330 = all_match({ +var all325 = all_match({ processors: [ - part1511, + part1506, select352, - part1513, + part1508, select353, dup108, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19886,43 +18047,40 @@ var all330 = all_match({ ]), }); -var msg939 = msg("00528:15", all330); +var msg939 = msg("00528:15", all325); -var part1516 = // "Pattern{Constant('SCP: Admin ''), Field(administrator,false), Constant('' at host '), Field(saddr,true), Constant(' executed invalid scp command: ''), Field(fld2,false), Constant(''')}" -match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ - dup283, +var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg940 = msg("00528:16", part1516); +var msg940 = msg("00528:16", part1511); -var part1517 = // "Pattern{Constant('SCP: Disabled for ''), Field(username,false), Constant(''. Attempted file transfer failed from host '), Field(saddr,false)}" -match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([ - dup283, +var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg941 = msg("00528:17", part1517); +var msg941 = msg("00528:17", part1512); -var part1518 = // "Pattern{Constant('authentication successful for admin user '), Field(p0,false)}" -match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); +var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); -var all331 = all_match({ +var all326 = all_match({ processors: [ - dup318, - dup405, - part1518, - dup406, - dup322, + dup316, + dup402, + part1513, + dup403, + dup320, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19932,46 +18090,44 @@ var all331 = all_match({ ]), }); -var msg942 = msg("00528:18", all331); +var msg942 = msg("00528:18", all326); -var part1519 = // "Pattern{Constant('authentication failed for admin user '), Field(p0,false)}" -match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); +var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); -var all332 = all_match({ +var all327 = all_match({ processors: [ - dup318, - dup405, - part1519, - dup406, - dup322, + dup316, + dup402, + part1514, + dup403, + dup320, ], on_success: processor_chain([ - dup208, + dup206, dup29, dup31, dup54, dup2, dup4, dup5, - dup304, + dup302, dup3, setc("event_description","authentication failed for admin user"), ]), }); -var msg943 = msg("00528:26", all332); +var msg943 = msg("00528:26", all327); -var part1520 = // "Pattern{Constant(': SSH user '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' using password from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); +var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); -var all333 = all_match({ +var all328 = all_match({ processors: [ - dup323, - dup407, - part1520, + dup321, + dup404, + part1515, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19979,19 +18135,18 @@ var all333 = all_match({ ]), }); -var msg944 = msg("00528:19", all333); +var msg944 = msg("00528:19", all328); -var part1521 = // "Pattern{Constant(': Connection has been '), Field(disposition,true), Constant(' for admin user '), Field(administrator,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); +var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); -var all334 = all_match({ +var all329 = all_match({ processors: [ - dup323, - dup407, - part1521, + dup321, + dup404, + part1516, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -19999,33 +18154,30 @@ var all334 = all_match({ ]), }); -var msg945 = msg("00528:20", all334); +var msg945 = msg("00528:20", all329); -var part1522 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has requested PKA RSA authentication, which is not supported for that client.')}" -match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([ - dup283, +var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([ + dup281, dup2, dup4, dup5, dup3, ])); -var msg946 = msg("00528:21", part1522); +var msg946 = msg("00528:21", part1517); -var part1523 = // "Pattern{Constant('SCS: SSH client at '), Field(saddr,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" -match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); +var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); -var part1524 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' but '), Field(disposition,true), Constant(' because SCS is not enabled for that interface.')}" -match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); +var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); -var all335 = all_match({ +var all330 = all_match({ processors: [ - part1523, - dup339, - part1524, + part1518, + dup337, + part1519, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -20034,11 +18186,10 @@ var all335 = all_match({ ]), }); -var msg947 = msg("00528:22", all335); +var msg947 = msg("00528:22", all330); -var part1525 = // "Pattern{Constant('SCS: SSH client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection to vsys '), Field(vsys,true), Constant(' because SCS cannot generate the host and server keys before timing out.')}" -match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ - dup283, +var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ + dup281, dup2, dup4, dup5, @@ -20046,33 +18197,30 @@ match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:% setc("result","SCS cannot generate the host and server keys before timing out"), ])); -var msg948 = msg("00528:23", part1525); +var msg948 = msg("00528:23", part1520); -var part1526 = // "Pattern{Constant('SSH: '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ - dup283, +var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup281, dup2, dup3, dup4, dup5, ])); -var msg949 = msg("00528:24", part1526); +var msg949 = msg("00528:24", part1521); -var part1527 = // "Pattern{Constant('SSH: Admin '), Field(p0,false)}" -match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); +var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); -var part1528 = // "Pattern{Constant('at host '), Field(saddr,true), Constant(' attempted to be authenticated with no authentication methods enabled.')}" -match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); +var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); -var all336 = all_match({ +var all331 = all_match({ processors: [ - part1527, - dup406, - part1528, + part1522, + dup403, + part1523, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -20080,7 +18228,7 @@ var all336 = all_match({ ]), }); -var msg950 = msg("00528:25", all336); +var msg950 = msg("00528:25", all331); var select354 = linear_select([ msg924, @@ -20112,25 +18260,22 @@ var select354 = linear_select([ msg950, ]); -var part1529 = // "Pattern{Constant('manually '), Field(p0,false)}" -match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); +var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); -var part1530 = // "Pattern{Constant('automatically '), Field(p0,false)}" -match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); +var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); var select355 = linear_select([ - part1529, - part1530, + part1524, + part1525, ]); -var part1531 = // "Pattern{Constant('refreshed'), Field(,false)}" -match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); +var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); -var all337 = all_match({ +var all332 = all_match({ processors: [ dup63, select355, - part1531, + part1526, ], on_success: processor_chain([ dup44, @@ -20141,25 +18286,22 @@ var all337 = all_match({ ]), }); -var msg951 = msg("00529", all337); +var msg951 = msg("00529", all332); -var part1532 = // "Pattern{Constant('DNS entries have been refreshed by '), Field(p0,false)}" -match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); +var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); -var part1533 = // "Pattern{Constant('state change'), Field(,false)}" -match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); +var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); -var part1534 = // "Pattern{Constant('HA'), Field(,false)}" -match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); +var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); var select356 = linear_select([ - part1533, - part1534, + part1528, + part1529, ]); -var all338 = all_match({ +var all333 = all_match({ processors: [ - part1532, + part1527, select356, ], on_success: processor_chain([ @@ -20171,35 +18313,32 @@ var all338 = all_match({ ]), }); -var msg952 = msg("00529:01", all338); +var msg952 = msg("00529:01", all333); var select357 = linear_select([ msg951, msg952, ]); -var part1535 = // "Pattern{Constant('An IP conflict has been detected and the DHCP client has declined address '), Field(hostip,false)}" -match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ - dup274, +var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ + dup272, dup2, dup3, dup4, dup5, ])); -var msg953 = msg("00530", part1535); +var msg953 = msg("00530", part1530); -var part1536 = // "Pattern{Constant('DHCP client IP '), Field(hostip,true), Constant(' for the '), Field(p0,false)}" -match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); +var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); -var part1537 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' has been manually released')}" -match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); +var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); -var all339 = all_match({ +var all334 = all_match({ processors: [ - part1536, - dup339, - part1537, + part1531, + dup337, + part1532, ], on_success: processor_chain([ dup44, @@ -20210,10 +18349,9 @@ var all339 = all_match({ ]), }); -var msg954 = msg("00530:01", all339); +var msg954 = msg("00530:01", all334); -var part1538 = // "Pattern{Constant('DHCP client is unable to get an IP address for the '), Field(interface,true), Constant(' interface')}" -match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ +var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ dup18, dup2, dup3, @@ -20221,10 +18359,9 @@ match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get dup5, ])); -var msg955 = msg("00530:02", part1538); +var msg955 = msg("00530:02", part1533); -var part1539 = // "Pattern{Constant('DHCP client lease for '), Field(hostip,true), Constant(' has expired')}" -match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ +var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ dup44, dup2, dup3, @@ -20232,10 +18369,9 @@ match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hosti dup5, ])); -var msg956 = msg("00530:03", part1539); +var msg956 = msg("00530:03", part1534); -var part1540 = // "Pattern{Constant('DHCP server '), Field(hostip,true), Constant(' has assigned the untrust Interface '), Field(interface,true), Constant(' with lease '), Field(fld2,false), Constant('.')}" -match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ +var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ dup44, dup2, dup3, @@ -20243,10 +18379,9 @@ match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has a dup5, ])); -var msg957 = msg("00530:04", part1540); +var msg957 = msg("00530:04", part1535); -var part1541 = // "Pattern{Constant('DHCP server '), Field(hostip,true), Constant(' has assigned the '), Field(interface,true), Constant(' interface '), Field(fld2,true), Constant(' with lease '), Field(fld3,false)}" -match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ +var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -20254,10 +18389,9 @@ match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has a dup5, ])); -var msg958 = msg("00530:05", part1541); +var msg958 = msg("00530:05", part1536); -var part1542 = // "Pattern{Constant('DHCP client is unable to get IP address for the untrust interface.'), Field(,false)}" -match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ +var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ dup18, dup2, dup3, @@ -20265,7 +18399,7 @@ match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get dup5, ])); -var msg959 = msg("00530:06", part1542); +var msg959 = msg("00530:06", part1537); var select358 = linear_select([ msg953, @@ -20277,13 +18411,12 @@ var select358 = linear_select([ msg959, ]); -var part1543 = // "Pattern{Constant('System clock configurations have been changed by admin '), Field(p0,false)}" -match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); +var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); -var all340 = all_match({ +var all335 = all_match({ processors: [ - part1543, - dup400, + part1538, + dup397, ], on_success: processor_chain([ dup1, @@ -20295,10 +18428,9 @@ var all340 = all_match({ ]), }); -var msg960 = msg("00531", all340); +var msg960 = msg("00531", all335); -var part1544 = // "Pattern{Constant('failed to get clock through NTP'), Field(,false)}" -match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ +var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ dup86, dup2, dup3, @@ -20306,10 +18438,9 @@ match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through N dup5, ])); -var msg961 = msg("00531:01", part1544); +var msg961 = msg("00531:01", part1539); -var part1545 = // "Pattern{Constant('The system clock has been updated through NTP.'), Field(,false)}" -match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ +var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ dup1, dup2, dup3, @@ -20317,38 +18448,33 @@ match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been upd dup5, ])); -var msg962 = msg("00531:02", part1545); +var msg962 = msg("00531:02", part1540); -var part1546 = // "Pattern{Constant('The system clock was updated from '), Field(type,true), Constant(' NTP server type '), Field(hostname,true), Constant(' with a'), Field(p0,false)}" -match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); +var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); -var part1547 = // "Pattern{Constant(' ms '), Field(p0,false)}" -match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); +var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); var select359 = linear_select([ - part1547, + part1542, dup115, ]); -var part1548 = // "Pattern{Constant('adjustment of '), Field(fld3,false), Constant('. Authentication was '), Field(fld4,false), Constant('. Update mode was '), Field(p0,false)}" -match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); +var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); -var part1549 = // "Pattern{Field(fld5,false), Constant('('), Field(fld2,false), Constant(')')}" -match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); +var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); -var part1550 = // "Pattern{Field(fld5,false)}" -match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); +var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); var select360 = linear_select([ - part1549, - part1550, + part1544, + part1545, ]); -var all341 = all_match({ +var all336 = all_match({ processors: [ - part1546, + part1541, select359, - part1548, + part1543, select360, ], on_success: processor_chain([ @@ -20361,31 +18487,27 @@ var all341 = all_match({ ]), }); -var msg963 = msg("00531:03", all341); +var msg963 = msg("00531:03", all336); -var part1551 = // "Pattern{Constant('The NetScreen device is attempting to contact the '), Field(p0,false)}" -match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); +var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); -var part1552 = // "Pattern{Constant('primary backup '), Field(p0,false)}" -match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); +var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); -var part1553 = // "Pattern{Constant('secondary backup '), Field(p0,false)}" -match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); +var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); var select361 = linear_select([ - part1552, - part1553, - dup191, + part1547, + part1548, + dup189, ]); -var part1554 = // "Pattern{Constant('NTP server '), Field(hostname,false)}" -match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); +var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); -var all342 = all_match({ +var all337 = all_match({ processors: [ - part1551, + part1546, select361, - part1554, + part1549, ], on_success: processor_chain([ dup1, @@ -20396,10 +18518,9 @@ var all342 = all_match({ ]), }); -var msg964 = msg("00531:04", all342); +var msg964 = msg("00531:04", all337); -var part1555 = // "Pattern{Constant('No NTP server could be contacted. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([ +var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20408,10 +18529,9 @@ match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contac dup5, ])); -var msg965 = msg("00531:05", part1555); +var msg965 = msg("00531:05", part1550); -var part1556 = // "Pattern{Constant('Network Time Protocol adjustment of '), Field(fld2,true), Constant(' from NTP server '), Field(hostname,true), Constant(' exceeds the allowed adjustment of '), Field(fld3,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ +var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20420,10 +18540,9 @@ match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustm dup5, ])); -var msg966 = msg("00531:06", part1556); +var msg966 = msg("00531:06", part1551); -var part1557 = // "Pattern{Constant('No acceptable time could be obtained from any NTP server. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ +var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20432,10 +18551,9 @@ match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be o dup5, ])); -var msg967 = msg("00531:07", part1557); +var msg967 = msg("00531:07", part1552); -var part1558 = // "Pattern{Constant('Administrator '), Field(administrator,true), Constant(' changed the '), Field(change_attribute,true), Constant(' from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' (by '), Field(fld3,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ +var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -20444,10 +18562,9 @@ match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator dup5, ])); -var msg968 = msg("00531:08", part1558); +var msg968 = msg("00531:08", part1553); -var part1559 = // "Pattern{Constant('Network Time Protocol settings changed. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([ +var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -20456,10 +18573,9 @@ match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol setting dup5, ])); -var msg969 = msg("00531:09", part1559); +var msg969 = msg("00531:09", part1554); -var part1560 = // "Pattern{Constant('NTP server is '), Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ +var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ dup86, dup2, dup3, @@ -20468,10 +18584,9 @@ match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition-> dup5, ])); -var msg970 = msg("00531:10", part1560); +var msg970 = msg("00531:10", part1555); -var part1561 = // "Pattern{Constant('The system clock will be changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' received from primary NTP server '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ +var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -20481,10 +18596,9 @@ match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be chan setc("event_description","system clock changed based on receive from primary NTP server"), ])); -var msg971 = msg("00531:11", part1561); +var msg971 = msg("00531:11", part1556); -var part1562 = // "Pattern{Field(fld35,true), Constant(' NTP server '), Field(saddr,true), Constant(' could not be contacted. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ +var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -20492,7 +18606,7 @@ match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{sadd dup9, ])); -var msg972 = msg("00531:12", part1562); +var msg972 = msg("00531:12", part1557); var select362 = linear_select([ msg960, @@ -20510,8 +18624,7 @@ var select362 = linear_select([ msg972, ]); -var part1563 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' is now responding')}" -match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ +var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ dup44, dup2, dup3, @@ -20519,10 +18632,9 @@ match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now re dup5, ])); -var msg973 = msg("00533", part1563); +var msg973 = msg("00533", part1558); -var part1564 = // "Pattern{Field(fld2,true), Constant(' has been cleared')}" -match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ +var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ dup44, dup2, dup3, @@ -20530,55 +18642,50 @@ match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", pro dup5, ])); -var msg974 = msg("00534", part1564); +var msg974 = msg("00534", part1559); -var part1565 = // "Pattern{Constant('Cannot find the CA certificate with distinguished name '), Field(fld2,false)}" -match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ - dup316, +var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg975 = msg("00535", part1565); +var msg975 = msg("00535", part1560); -var part1566 = // "Pattern{Constant('Distinguished name '), Field(dn,true), Constant(' in the X509 certificate request is '), Field(disposition,false)}" -match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([ - dup316, +var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg976 = msg("00535:01", part1566); +var msg976 = msg("00535:01", part1561); -var part1567 = // "Pattern{Constant('Local certificate with distinguished name '), Field(dn,true), Constant(' is '), Field(disposition,false)}" -match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ - dup316, +var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg977 = msg("00535:02", part1567); +var msg977 = msg("00535:02", part1562); -var part1568 = // "Pattern{Constant('PKCS #7 data cannot be decapsulated'), Field(,false)}" -match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ - dup316, +var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg978 = msg("00535:03", part1568); +var msg978 = msg("00535:03", part1563); -var part1569 = // "Pattern{Constant('SCEP_FAILURE message has been received from the CA'), Field(,false)}" -match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ - dup316, +var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ + dup314, dup2, dup3, dup4, @@ -20586,22 +18693,20 @@ match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been setc("result","SCEP_FAILURE message"), ])); -var msg979 = msg("00535:04", part1569); +var msg979 = msg("00535:04", part1564); -var part1570 = // "Pattern{Constant('PKI error message has been received: '), Field(result,false)}" -match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ - dup316, +var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ + dup314, dup2, dup3, dup4, dup5, ])); -var msg980 = msg("00535:05", part1570); +var msg980 = msg("00535:05", part1565); -var part1571 = // "Pattern{Constant('PKI: Saved CA configuration (CA cert subject name '), Field(dn,false), Constant('). ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ - dup316, +var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ + dup314, dup2, dup3, dup4, @@ -20609,7 +18714,7 @@ match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration ( setc("event_description","Saved CA configuration - cert subject name"), ])); -var msg981 = msg("00535:06", part1571); +var msg981 = msg("00535:06", part1566); var select363 = linear_select([ msg975, @@ -20621,31 +18726,26 @@ var select363 = linear_select([ msg981, ]); -var part1572 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); +var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); -var part1573 = // "Pattern{Constant('Phase 2 msg ID '), Field(sessionid,false), Constant(': '), Field(disposition,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); +var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); -var part1574 = // "Pattern{Constant('Phase 1: '), Field(disposition,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); +var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); -var part1575 = // "Pattern{Constant('phase 2:'), Field(disposition,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}"); +var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}"); -var part1576 = // "Pattern{Constant('phase 1:'), Field(disposition,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); +var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); var select364 = linear_select([ - part1573, - part1574, - part1575, - part1576, + part1568, + part1569, + part1570, + part1571, ]); -var all343 = all_match({ +var all338 = all_match({ processors: [ - part1572, + part1567, select364, dup10, ], @@ -20659,10 +18759,9 @@ var all343 = all_match({ ]), }); -var msg982 = msg("00536:49", all343); +var msg982 = msg("00536:49", all338); -var part1577 = // "Pattern{Constant('UDP packets have been received from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' at interface '), Field(interface,true), Constant(' at '), Field(daddr,false), Constant('/'), Field(dport,false)}" -match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ +var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ dup44, dup2, dup4, @@ -20671,10 +18770,9 @@ match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received f dup61, ])); -var msg983 = msg("00536", part1577); +var msg983 = msg("00536", part1572); -var part1578 = // "Pattern{Constant('Attempt to set tunnel ('), Field(fld2,false), Constant(') without IP address at both end points! Check outgoing interface.')}" -match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ +var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ dup18, dup2, dup3, @@ -20682,10 +18780,9 @@ match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2 dup5, ])); -var msg984 = msg("00536:01", part1578); +var msg984 = msg("00536:01", part1573); -var part1579 = // "Pattern{Constant('Gateway '), Field(fld2,true), Constant(' at '), Field(hostip,true), Constant(' in '), Field(fld4,true), Constant(' mode with ID: '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ +var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -20693,10 +18790,9 @@ match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip dup5, ])); -var msg985 = msg("00536:02", part1579); +var msg985 = msg("00536:02", part1574); -var part1580 = // "Pattern{Constant('IKE gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false), Constant('. '), Field(info,false)}" -match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([ +var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([ dup1, dup2, dup3, @@ -20704,10 +18800,9 @@ match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has bee dup5, ])); -var msg986 = msg("00536:03", part1580); +var msg986 = msg("00536:03", part1575); -var part1581 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has deactivated the SA with ID '), Field(fld2,false), Constant('.')}" -match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ +var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ setc("eventcategory","1801010100"), dup2, dup3, @@ -20715,10 +18810,9 @@ match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{grou dup5, ])); -var msg987 = msg("00536:04", part1581); +var msg987 = msg("00536:04", part1576); -var part1582 = // "Pattern{Constant('VPN ID number cannot be assigned'), Field(,false)}" -match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ +var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ dup44, dup2, dup3, @@ -20726,10 +18820,9 @@ match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assig dup5, ])); -var msg988 = msg("00536:05", part1582); +var msg988 = msg("00536:05", part1577); -var part1583 = // "Pattern{Constant('Local gateway IP address has changed to '), Field(fld2,false), Constant('. VPNs cannot terminate at an interface with IP '), Field(hostip,false)}" -match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ +var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ dup1, dup2, dup3, @@ -20737,10 +18830,9 @@ match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has dup5, ])); -var msg989 = msg("00536:06", part1583); +var msg989 = msg("00536:06", part1578); -var part1584 = // "Pattern{Constant('Local gateway IP address has changed from '), Field(change_old,true), Constant(' to another setting')}" -match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ +var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ dup1, dup2, dup3, @@ -20748,10 +18840,9 @@ match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has dup5, ])); -var msg990 = msg("00536:07", part1584); +var msg990 = msg("00536:07", part1579); -var part1585 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Sent initial contact notification message')}" -match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ +var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ dup44, dup2, dup3, @@ -20759,10 +18850,9 @@ match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial c dup5, ])); -var msg991 = msg("00536:08", part1585); +var msg991 = msg("00536:08", part1580); -var part1586 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Sent initial contact notification')}" -match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ +var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ dup44, dup2, dup3, @@ -20770,10 +18860,9 @@ match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial c dup5, ])); -var msg992 = msg("00536:09", part1586); +var msg992 = msg("00536:09", part1581); -var part1587 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Responded to a packet with a bad SPI after rebooting')}" -match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ +var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ dup44, dup2, dup3, @@ -20781,10 +18870,9 @@ match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a dup5, ])); -var msg993 = msg("00536:10", part1587); +var msg993 = msg("00536:10", part1582); -var part1588 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Removed Phase 2 SAs after receiving a notification message')}" -match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([ +var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([ dup44, dup2, dup3, @@ -20792,10 +18880,9 @@ match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase dup5, ])); -var msg994 = msg("00536:11", part1588); +var msg994 = msg("00536:11", part1583); -var part1589 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Rejected first Phase 1 packet from an unrecognized source')}" -match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ +var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ dup44, dup2, dup3, @@ -20803,10 +18890,9 @@ match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first dup5, ])); -var msg995 = msg("00536:12", part1589); +var msg995 = msg("00536:12", part1584); -var part1590 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Rejected an initial Phase 1 packet from an unrecognized peer gateway')}" -match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ +var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ dup44, dup2, dup3, @@ -20814,19 +18900,17 @@ match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an in dup5, ])); -var msg996 = msg("00536:13", part1590); +var msg996 = msg("00536:13", part1585); -var part1591 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received initial contact notification and removed Phase '), Field(p0,false)}" -match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); +var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); -var part1592 = // "Pattern{Constant('SAs'), Field(,false)}" -match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); +var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); -var all344 = all_match({ +var all339 = all_match({ processors: [ - part1591, - dup386, - part1592, + part1586, + dup383, + part1587, ], on_success: processor_chain([ dup44, @@ -20837,10 +18921,9 @@ var all344 = all_match({ ]), }); -var msg997 = msg("00536:14", all344); +var msg997 = msg("00536:14", all339); -var part1593 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received a notification message for '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([ +var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([ dup44, dup2, dup9, @@ -20849,10 +18932,9 @@ match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a not dup5, ])); -var msg998 = msg("00536:50", part1593); +var msg998 = msg("00536:50", part1588); -var part1594 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received incorrect ID payload: IP address '), Field(fld2,true), Constant(' instead of IP address '), Field(fld3,false)}" -match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ +var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -20860,10 +18942,9 @@ match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incor dup5, ])); -var msg999 = msg("00536:15", part1594); +var msg999 = msg("00536:15", part1589); -var part1595 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Phase 2 negotiation request is already in the task list')}" -match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ +var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ dup44, dup2, dup3, @@ -20871,10 +18952,9 @@ match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negoti dup5, ])); -var msg1000 = msg("00536:16", part1595); +var msg1000 = msg("00536:16", part1590); -var part1596 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Heartbeats have been lost '), Field(fld2,true), Constant(' times')}" -match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ +var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ dup44, dup2, dup3, @@ -20882,10 +18962,9 @@ match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats hav dup5, ])); -var msg1001 = msg("00536:17", part1596); +var msg1001 = msg("00536:17", part1591); -var part1597 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Dropped peer packet because no policy uses the peer configuration')}" -match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ +var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ dup44, dup2, dup3, @@ -20893,10 +18972,9 @@ match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer p dup5, ])); -var msg1002 = msg("00536:18", part1597); +var msg1002 = msg("00536:18", part1592); -var part1598 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Dropped packet because remote gateway OK is not used in any VPN tunnel configurations')}" -match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ +var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ dup44, dup2, dup3, @@ -20904,10 +18982,9 @@ match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet dup5, ])); -var msg1003 = msg("00536:19", part1598); +var msg1003 = msg("00536:19", part1593); -var part1599 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Added the initial contact task to the task list')}" -match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ +var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ dup44, dup2, dup3, @@ -20915,10 +18992,9 @@ match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the init dup5, ])); -var msg1004 = msg("00536:20", part1599); +var msg1004 = msg("00536:20", part1594); -var part1600 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Added Phase 2 session tasks to the task list')}" -match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ +var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ dup44, dup2, dup3, @@ -20926,10 +19002,9 @@ match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 dup5, ])); -var msg1005 = msg("00536:21", part1600); +var msg1005 = msg("00536:21", part1595); -var part1601 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1 : '), Field(disposition,true), Constant(' proposals from peer. Negotiations failed')}" -match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ +var part1596 = match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ dup44, dup2, dup3, @@ -20938,10 +19013,9 @@ match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{d setc("result","Negotiations failed"), ])); -var msg1006 = msg("00536:22", part1601); +var msg1006 = msg("00536:22", part1596); -var part1602 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1 : Aborted negotiations because the time limit has elapsed')}" -match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ +var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ dup44, dup2, dup3, @@ -20951,10 +19025,9 @@ match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Abo setc("disposition","Aborted"), ])); -var msg1007 = msg("00536:23", part1602); +var msg1007 = msg("00536:23", part1597); -var part1603 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled')}" -match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ +var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ dup44, dup2, dup3, @@ -20962,10 +19035,9 @@ match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Rece dup5, ])); -var msg1008 = msg("00536:24", part1603); +var msg1008 = msg("00536:24", part1598); -var part1604 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Received DH group '), Field(fld2,true), Constant(' instead of expected group '), Field(fld3,true), Constant(' for PFS')}" -match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ +var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ dup44, dup2, dup3, @@ -20973,10 +19045,9 @@ match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Rece dup5, ])); -var msg1009 = msg("00536:25", part1604); +var msg1009 = msg("00536:25", part1599); -var part1605 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: No policy exists for the proxy ID received: local ID '), Field(fld2,true), Constant(' remote ID '), Field(fld3,false)}" -match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ +var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ dup44, dup2, dup3, @@ -20984,10 +19055,9 @@ match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No p dup5, ])); -var msg1010 = msg("00536:26", part1605); +var msg1010 = msg("00536:26", part1600); -var part1606 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: RSA private key is needed to sign packets')}" -match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ +var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ dup44, dup2, dup3, @@ -20995,10 +19065,9 @@ match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA dup5, ])); -var msg1011 = msg("00536:27", part1606); +var msg1011 = msg("00536:27", part1601); -var part1607 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Aggressive mode negotiations have '), Field(disposition,false)}" -match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ +var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ dup44, dup2, dup3, @@ -21006,10 +19075,9 @@ match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggr dup5, ])); -var msg1012 = msg("00536:28", part1607); +var msg1012 = msg("00536:28", part1602); -var part1608 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Vendor ID payload indicates that the peer does not support NAT-T')}" -match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ +var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ dup44, dup2, dup3, @@ -21017,10 +19085,9 @@ match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Ven dup5, ])); -var msg1013 = msg("00536:29", part1608); +var msg1013 = msg("00536:29", part1603); -var part1609 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Retransmission limit has been reached')}" -match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ +var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ dup44, dup2, dup3, @@ -21028,10 +19095,9 @@ match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Ret dup5, ])); -var msg1014 = msg("00536:30", part1609); +var msg1014 = msg("00536:30", part1604); -var part1610 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Received an invalid RSA signature')}" -match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ +var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ dup44, dup2, dup3, @@ -21039,10 +19105,9 @@ match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Rec dup5, ])); -var msg1015 = msg("00536:31", part1610); +var msg1015 = msg("00536:31", part1605); -var part1611 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Received an incorrect public key authentication method')}" -match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ +var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ dup44, dup2, dup3, @@ -21050,10 +19115,9 @@ match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Rec dup5, ])); -var msg1016 = msg("00536:32", part1611); +var msg1016 = msg("00536:32", part1606); -var part1612 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: No private key exists to sign packets')}" -match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ +var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ dup44, dup2, dup3, @@ -21061,10 +19125,9 @@ match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No dup5, ])); -var msg1017 = msg("00536:33", part1612); +var msg1017 = msg("00536:33", part1607); -var part1613 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID')}" -match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ +var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ dup44, dup2, dup3, @@ -21072,10 +19135,9 @@ match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Mai dup5, ])); -var msg1018 = msg("00536:34", part1613); +var msg1018 = msg("00536:34", part1608); -var part1614 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: IKE initiator has detected NAT in front of the local device')}" -match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ +var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ dup44, dup2, dup3, @@ -21083,19 +19145,17 @@ match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE dup5, ])); -var msg1019 = msg("00536:35", part1614); +var msg1019 = msg("00536:35", part1609); -var part1615 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Discarded a second initial packet'), Field(p0,false)}" -match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); +var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); -var part1616 = // "Pattern{Field(,false), Constant('which arrived within '), Field(fld2,true), Constant(' after the first')}" -match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); +var part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); -var all345 = all_match({ +var all340 = all_match({ processors: [ - part1615, - dup404, - part1616, + part1610, + dup401, + part1611, ], on_success: processor_chain([ dup44, @@ -21106,10 +19166,19 @@ var all345 = all_match({ ]), }); -var msg1020 = msg("00536:36", all345); +var msg1020 = msg("00536:36", all340); + +var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1021 = msg("00536:37", part1612); -var part1617 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Completed Aggressive mode negotiations with a '), Field(fld2,true), Constant(' lifetime')}" -match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ +var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ dup44, dup2, dup3, @@ -21117,10 +19186,9 @@ match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Com dup5, ])); -var msg1021 = msg("00536:37", part1617); +var msg1022 = msg("00536:38", part1613); -var part1618 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Certificate received has a subject name that does not match the ID payload')}" -match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ +var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ dup44, dup2, dup3, @@ -21128,10 +19196,9 @@ match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Cer dup5, ])); -var msg1022 = msg("00536:38", part1618); +var msg1023 = msg("00536:39", part1614); -var part1619 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Certificate received has a different IP address '), Field(fld2,true), Constant(' than expected')}" -match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ +var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ dup44, dup2, dup3, @@ -21139,33 +19206,9 @@ match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Cer dup5, ])); -var msg1023 = msg("00536:39", part1619); - -var part1620 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Cannot use a preshared key because the peer'), Field(p0,false)}" -match("MESSAGE#1011:00536:40/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{p0}"); - -var part1621 = // "Pattern{Constant('s gateway has a dynamic IP address and negotiations are in Main mode'), Field(,false)}" -match("MESSAGE#1011:00536:40/2", "nwparser.p0", "s gateway has a dynamic IP address and negotiations are in Main mode%{}"); - -var all346 = all_match({ - processors: [ - part1620, - dup363, - part1621, - ], - on_success: processor_chain([ - dup44, - dup2, - dup3, - dup4, - dup5, - ]), -}); - -var msg1024 = msg("00536:40", all346); +var msg1024 = msg("00536:40", part1615); -var part1622 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Initiated negotiations in Aggressive mode')}" -match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ +var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ dup44, dup2, dup3, @@ -21173,10 +19216,9 @@ match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Ini dup5, ])); -var msg1025 = msg("00536:47", part1622); +var msg1025 = msg("00536:47", part1616); -var part1623 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Cannot verify RSA signature')}" -match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ +var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ dup44, dup2, dup3, @@ -21184,10 +19226,9 @@ match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Can dup5, ])); -var msg1026 = msg("00536:41", part1623); +var msg1026 = msg("00536:41", part1617); -var part1624 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Initiated Main mode negotiations')}" -match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ +var part1618 = match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ dup44, dup2, dup3, @@ -21195,10 +19236,9 @@ match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Ini dup5, ])); -var msg1027 = msg("00536:42", part1624); +var msg1027 = msg("00536:42", part1618); -var part1625 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Initiated negotiations')}" -match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ +var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ dup44, dup2, dup3, @@ -21206,10 +19246,9 @@ match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Ini dup5, ])); -var msg1028 = msg("00536:43", part1625); +var msg1028 = msg("00536:43", part1619); -var part1626 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Changed heartbeat interval to '), Field(fld2,false)}" -match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ +var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ dup44, dup2, dup3, @@ -21217,10 +19256,9 @@ match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heart dup5, ])); -var msg1029 = msg("00536:44", part1626); +var msg1029 = msg("00536:44", part1620); -var part1627 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Heartbeats have been '), Field(disposition,true), Constant(' because '), Field(result,false)}" -match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ +var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ dup44, dup2, dup3, @@ -21228,10 +19266,9 @@ match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats ha dup5, ])); -var msg1030 = msg("00536:45", part1627); +var msg1030 = msg("00536:45", part1621); -var part1628 = // "Pattern{Constant('Received an IKE packet on '), Field(interface,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('/'), Field(fld1,false), Constant('. Cookies: '), Field(ike_cookie1,false), Constant(', '), Field(ike_cookie2,false), Constant('. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([ +var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([ dup44, dup2, dup3, @@ -21240,10 +19277,9 @@ match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{ setc("event_description","Received an IKE packet on interface"), ])); -var msg1031 = msg("00536:48", part1628); +var msg1031 = msg("00536:48", part1622); -var part1629 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received a bad SPI')}" -match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ +var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ dup44, dup2, dup3, @@ -21251,7 +19287,7 @@ match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a ba dup5, ])); -var msg1032 = msg("00536:46", part1629); +var msg1032 = msg("00536:46", part1623); var select365 = linear_select([ msg982, @@ -21307,8 +19343,7 @@ var select365 = linear_select([ msg1032, ]); -var part1630 = // "Pattern{Constant('PPPoE '), Field(disposition,true), Constant(' to establish a session: '), Field(info,false)}" -match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ +var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ dup18, dup2, dup4, @@ -21316,10 +19351,9 @@ match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to estab dup3, ])); -var msg1033 = msg("00537", part1630); +var msg1033 = msg("00537", part1624); -var part1631 = // "Pattern{Constant('PPPoE session shuts down: '), Field(result,false)}" -match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ +var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ dup18, dup2, dup3, @@ -21327,10 +19361,9 @@ match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{ dup5, ])); -var msg1034 = msg("00537:01", part1631); +var msg1034 = msg("00537:01", part1625); -var part1632 = // "Pattern{Constant('The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: '), Field(result,false)}" -match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ +var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ dup18, dup2, dup3, @@ -21338,10 +19371,9 @@ match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethe dup5, ])); -var msg1035 = msg("00537:02", part1632); +var msg1035 = msg("00537:02", part1626); -var part1633 = // "Pattern{Constant('PPPoE session has successfully established'), Field(,false)}" -match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ +var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ dup44, dup2, dup3, @@ -21349,7 +19381,7 @@ match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successful dup5, ])); -var msg1036 = msg("00537:03", part1633); +var msg1036 = msg("00537:03", part1627); var select366 = linear_select([ msg1033, @@ -21358,22 +19390,20 @@ var select366 = linear_select([ msg1036, ]); -var part1634 = // "Pattern{Constant('NACN failed to register to Policy Manager '), Field(fld2,true), Constant(' because '), Field(p0,false)}" -match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); +var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); var select367 = linear_select([ dup111, dup119, ]); -var part1635 = // "Pattern{Constant(''), Field(result,false)}" -match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); +var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); -var all347 = all_match({ +var all341 = all_match({ processors: [ - part1634, + part1628, select367, - part1635, + part1629, ], on_success: processor_chain([ dup44, @@ -21384,10 +19414,9 @@ var all347 = all_match({ ]), }); -var msg1037 = msg("00538", all347); +var msg1037 = msg("00538", all341); -var part1636 = // "Pattern{Constant('NACN successfully registered to Policy Manager '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ +var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ dup44, dup2, dup3, @@ -21395,10 +19424,9 @@ match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered dup5, ])); -var msg1038 = msg("00538:01", part1636); +var msg1038 = msg("00538:01", part1630); -var part1637 = // "Pattern{Constant('The NACN protocol has started for Policy Manager '), Field(fld2,true), Constant(' on hostname '), Field(hostname,true), Constant(' IP address '), Field(hostip,true), Constant(' port '), Field(network_port,false), Constant('.')}" -match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ +var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ dup44, dup2, dup3, @@ -21406,10 +19434,9 @@ match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has starte dup5, ])); -var msg1039 = msg("00538:02", part1637); +var msg1039 = msg("00538:02", part1631); -var part1638 = // "Pattern{Constant('Cannot connect to NSM Server at '), Field(hostip,true), Constant(' ('), Field(fld2,true), Constant(' connect attempt(s)) '), Field(fld3,false)}" -match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ +var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ dup19, dup2, dup4, @@ -21417,10 +19444,9 @@ match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server dup3, ])); -var msg1040 = msg("00538:03", part1638); +var msg1040 = msg("00538:03", part1632); -var part1639 = // "Pattern{Constant('Device is not known to Global PRO data collector at '), Field(hostip,false)}" -match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ +var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ dup27, dup2, dup3, @@ -21428,30 +19454,26 @@ match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Globa dup5, ])); -var msg1041 = msg("00538:04", part1639); +var msg1041 = msg("00538:04", part1633); -var part1640 = // "Pattern{Constant('Lost '), Field(p0,false)}" -match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); +var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); -var part1641 = // "Pattern{Constant('socket connection'), Field(p0,false)}" -match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); +var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); -var part1642 = // "Pattern{Constant('connection'), Field(p0,false)}" -match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); +var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); var select368 = linear_select([ - part1641, - part1642, + part1635, + part1636, ]); -var part1643 = // "Pattern{Field(,false), Constant('to Global PRO data collector at '), Field(hostip,false)}" -match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); +var part1637 = match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); -var all348 = all_match({ +var all342 = all_match({ processors: [ - part1640, + part1634, select368, - part1643, + part1637, ], on_success: processor_chain([ dup27, @@ -21462,30 +19484,26 @@ var all348 = all_match({ ]), }); -var msg1042 = msg("00538:05", all348); +var msg1042 = msg("00538:05", all342); -var part1644 = // "Pattern{Constant('Device has connected to the Global PRO'), Field(p0,false)}" -match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); +var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); -var part1645 = // "Pattern{Constant(' '), Field(fld2,true), Constant(' primary data collector at '), Field(p0,false)}" -match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); +var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); -var part1646 = // "Pattern{Constant(' primary data collector at '), Field(p0,false)}" -match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); +var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); var select369 = linear_select([ - part1645, - part1646, + part1639, + part1640, ]); -var part1647 = // "Pattern{Field(hostip,false)}" -match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); +var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); -var all349 = all_match({ +var all343 = all_match({ processors: [ - part1644, + part1638, select369, - part1647, + part1641, ], on_success: processor_chain([ dup27, @@ -21496,22 +19514,20 @@ var all349 = all_match({ ]), }); -var msg1043 = msg("00538:06", all349); +var msg1043 = msg("00538:06", all343); -var part1648 = // "Pattern{Constant('Connection to Global PRO data collector at '), Field(hostip,true), Constant(' has'), Field(p0,false)}" -match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); +var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); -var part1649 = // "Pattern{Constant(' been'), Field(p0,false)}" -match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); +var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); var select370 = linear_select([ - part1649, + part1643, dup16, ]); -var all350 = all_match({ +var all344 = all_match({ processors: [ - part1648, + part1642, select370, dup136, ], @@ -21524,10 +19540,9 @@ var all350 = all_match({ ]), }); -var msg1044 = msg("00538:07", all350); +var msg1044 = msg("00538:07", all344); -var part1650 = // "Pattern{Constant('Cannot connect to Global PRO data collector at '), Field(hostip,false)}" -match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ +var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ dup27, dup2, dup3, @@ -21535,11 +19550,10 @@ match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO dup5, ])); -var msg1045 = msg("00538:08", part1650); +var msg1045 = msg("00538:08", part1644); -var part1651 = // "Pattern{Constant('NSM: Connected to NSM server at '), Field(hostip,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ - dup303, +var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ + dup301, dup2, dup3, dup9, @@ -21548,26 +19562,24 @@ match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server setc("event_description","Connected to NSM server"), ])); -var msg1046 = msg("00538:09", part1651); +var msg1046 = msg("00538:09", part1645); -var part1652 = // "Pattern{Constant('NSM: Connection to NSM server at '), Field(hostip,true), Constant(' is down. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(p0,false)}" -match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); +var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); -var part1653 = // "Pattern{Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); +var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); var select371 = linear_select([ - part1653, + part1647, dup41, ]); -var all351 = all_match({ +var all345 = all_match({ processors: [ - part1652, + part1646, select371, ], on_success: processor_chain([ - dup200, + dup198, dup2, dup3, dup9, @@ -21577,36 +19589,33 @@ var all351 = all_match({ ]), }); -var msg1047 = msg("00538:10", all351); +var msg1047 = msg("00538:10", all345); -var part1654 = // "Pattern{Constant('NSM: Cannot connect to NSM server at '), Field(hostip,false), Constant('. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld2,true), Constant(' connect attempt(s)) ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ - dup200, +var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ + dup198, dup2, dup3, dup9, dup4, dup5, - dup325, + dup323, ])); -var msg1048 = msg("00538:11", part1654); +var msg1048 = msg("00538:11", part1648); -var part1655 = // "Pattern{Constant('NSM: Cannot connect to NSM server at '), Field(hostip,false), Constant('. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ - dup200, +var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ + dup198, dup2, dup3, dup9, dup4, dup5, - dup325, + dup323, ])); -var msg1049 = msg("00538:12", part1655); +var msg1049 = msg("00538:12", part1649); -var part1656 = // "Pattern{Constant('NSM: Sent 2B message ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ +var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -21616,7 +19625,7 @@ match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1 setc("event_description","Sent 2B message"), ])); -var msg1050 = msg("00538:13", part1656); +var msg1050 = msg("00538:13", part1650); var select372 = linear_select([ msg1037, @@ -21635,8 +19644,7 @@ var select372 = linear_select([ msg1050, ]); -var part1657 = // "Pattern{Constant('No IP address in L2TP IP pool for user '), Field(username,false)}" -match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ +var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ dup117, dup2, dup3, @@ -21644,10 +19652,9 @@ match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool f dup5, ])); -var msg1051 = msg("00539", part1657); +var msg1051 = msg("00539", part1651); -var part1658 = // "Pattern{Constant('No L2TP IP pool for user '), Field(username,false)}" -match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ +var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ dup117, dup2, dup3, @@ -21655,10 +19662,9 @@ match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{u dup5, ])); -var msg1052 = msg("00539:01", part1658); +var msg1052 = msg("00539:01", part1652); -var part1659 = // "Pattern{Constant('Cannot allocate IP addr from Pool '), Field(group_object,true), Constant(' for user '), Field(username,false)}" -match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ +var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ dup117, dup2, dup3, @@ -21666,10 +19672,9 @@ match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from dup5, ])); -var msg1053 = msg("00539:02", part1659); +var msg1053 = msg("00539:02", part1653); -var part1660 = // "Pattern{Constant('Dialup HDLC PPP failed to establish a session: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ +var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ dup19, dup2, dup3, @@ -21677,10 +19682,9 @@ match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to es dup5, ])); -var msg1054 = msg("00539:03", part1660); +var msg1054 = msg("00539:03", part1654); -var part1661 = // "Pattern{Constant('Dialup HDLC PPP session has successfully established.'), Field(,false)}" -match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ +var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ dup44, dup2, dup3, @@ -21688,10 +19692,9 @@ match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has dup5, ])); -var msg1055 = msg("00539:04", part1661); +var msg1055 = msg("00539:04", part1655); -var part1662 = // "Pattern{Constant('No IP Pool has been assigned. You cannot allocate an IP address'), Field(,false)}" -match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([ +var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([ dup18, dup2, dup3, @@ -21699,10 +19702,9 @@ match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned dup5, ])); -var msg1056 = msg("00539:05", part1662); +var msg1056 = msg("00539:05", part1656); -var part1663 = // "Pattern{Constant('PPP settings changed.'), Field(,false)}" -match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ +var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ dup1, dup2, dup3, @@ -21710,7 +19712,7 @@ match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", p dup5, ])); -var msg1057 = msg("00539:06", part1663); +var msg1057 = msg("00539:06", part1657); var select373 = linear_select([ msg1051, @@ -21722,20 +19724,18 @@ var select373 = linear_select([ msg1057, ]); -var part1664 = // "Pattern{Constant('ScreenOS '), Field(fld2,true), Constant(' serial # '), Field(serial_number,false), Constant(': Asset recovery has been '), Field(disposition,false)}" -match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ - dup326, +var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ + dup324, dup2, dup3, dup4, dup5, ])); -var msg1058 = msg("00541", part1664); +var msg1058 = msg("00541", part1658); -var part1665 = // "Pattern{Constant('Neighbor router ID - '), Field(fld2,true), Constant(' IP address - '), Field(hostip,true), Constant(' changed its state to '), Field(change_new,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ - dup275, +var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ + dup273, dup9, dup2, dup3, @@ -21743,11 +19743,10 @@ match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2- dup5, ])); -var msg1059 = msg("00541:01", part1665); +var msg1059 = msg("00541:01", part1659); -var part1666 = // "Pattern{Constant('The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' state, (neighbor router-id 1'), Field(fld2,false), Constant(', ip-address '), Field(hostip,false), Constant('). ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ - dup275, +var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ + dup273, dup9, dup2, dup3, @@ -21755,22 +19754,20 @@ match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neigh dup5, ])); -var msg1060 = msg("00541:02", part1666); +var msg1060 = msg("00541:02", part1660); -var part1667 = // "Pattern{Constant('LSA in following area aged out: LSA area ID '), Field(fld3,false), Constant(', LSA ID '), Field(fld4,false), Constant(', router ID '), Field(fld2,false), Constant(', type '), Field(fld7,true), Constant(' in OSPF. ('), Field(fld1,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}"); +var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}"); -var part1668 = // "Pattern{Constant('<<'), Field(fld16,false), Constant('>')}" -match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); +var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); var select374 = linear_select([ - part1668, + part1662, dup21, ]); -var all352 = all_match({ +var all346 = all_match({ processors: [ - part1667, + part1661, select374, ], on_success: processor_chain([ @@ -21783,7 +19780,7 @@ var all352 = all_match({ ]), }); -var msg1061 = msg("00541:03", all352); +var msg1061 = msg("00541:03", all346); var select375 = linear_select([ msg1058, @@ -21792,8 +19789,7 @@ var select375 = linear_select([ msg1061, ]); -var part1669 = // "Pattern{Constant('BGP of vr: '), Field(node,false), Constant(', prefix adding: '), Field(fld2,false), Constant(', ribin overflow '), Field(fld3,true), Constant(' times (max rib-in '), Field(fld4,false), Constant(')')}" -match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ +var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ dup1, dup2, dup3, @@ -21801,46 +19797,40 @@ match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix addi dup5, ])); -var msg1062 = msg("00542", part1669); +var msg1062 = msg("00542", part1663); -var part1670 = // "Pattern{Constant('Access for '), Field(p0,false)}" -match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); +var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); -var part1671 = // "Pattern{Constant('WebAuth firewall '), Field(p0,false)}" -match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); +var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); -var part1672 = // "Pattern{Constant('firewall '), Field(p0,false)}" -match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); +var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); var select376 = linear_select([ - part1671, - part1672, + part1665, + part1666, ]); -var part1673 = // "Pattern{Constant('user '), Field(username,true), Constant(' '), Field(space,false), Constant('at '), Field(hostip,true), Constant(' (accepted at '), Field(fld2,true), Constant(' for duration '), Field(duration,true), Constant(' via the '), Field(logon_type,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); +var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); -var part1674 = // "Pattern{Constant('by policy id '), Field(policy_id,true), Constant(' is '), Field(p0,false)}" -match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); +var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); var select377 = linear_select([ - part1674, + part1668, dup106, ]); -var part1675 = // "Pattern{Constant('now over ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); +var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); -var all353 = all_match({ +var all347 = all_match({ processors: [ - part1670, + part1664, select376, - part1673, + part1667, select377, - part1675, + part1669, ], on_success: processor_chain([ - dup283, + dup281, dup2, dup4, dup5, @@ -21849,11 +19839,10 @@ var all353 = all_match({ ]), }); -var msg1063 = msg("00543", all353); +var msg1063 = msg("00543", all347); -var part1676 = // "Pattern{Constant('User '), Field(username,true), Constant(' [ of group '), Field(group,true), Constant(' ] at '), Field(hostip,true), Constant(' has been challenged by the RADIUS server at '), Field(daddr,false)}" -match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ - dup283, +var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ + dup281, dup2, dup4, dup5, @@ -21862,21 +19851,19 @@ match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group % setc("action","RADIUS server challenge"), ])); -var msg1064 = msg("00544", part1676); +var msg1064 = msg("00544", part1670); -var part1677 = // "Pattern{Constant('delete-route-> trust-vr: '), Field(fld2,false)}" -match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ - dup283, +var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ + dup281, dup2, dup3, dup4, dup5, ])); -var msg1065 = msg("00546", part1677); +var msg1065 = msg("00546", part1671); -var part1678 = // "Pattern{Constant('AV: Content from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' was not scanned because max content size was exceeded.')}" -match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ +var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ dup44, dup2, dup4, @@ -21885,10 +19872,9 @@ match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{spo dup61, ])); -var msg1066 = msg("00547", part1678); +var msg1066 = msg("00547", part1672); -var part1679 = // "Pattern{Constant('AV: Content from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' was not scanned due to a scan engine error or constraint.')}" -match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ +var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ dup44, dup2, dup4, @@ -21897,10 +19883,9 @@ match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{ dup61, ])); -var msg1067 = msg("00547:01", part1679); +var msg1067 = msg("00547:01", part1673); -var part1680 = // "Pattern{Constant('AV object scan-mgr data has been '), Field(disposition,false), Constant('.')}" -match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ +var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ dup1, dup2, dup3, @@ -21908,30 +19893,26 @@ match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has dup5, ])); -var msg1068 = msg("00547:02", part1680); +var msg1068 = msg("00547:02", part1674); -var part1681 = // "Pattern{Constant('AV: Content from '), Field(location_desc,false), Constant(', http url: '), Field(url,false), Constant(', is passed '), Field(p0,false)}" -match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); +var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); -var part1682 = // "Pattern{Constant('due to '), Field(p0,false)}" -match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); +var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); -var part1683 = // "Pattern{Constant('because '), Field(p0,false)}" -match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); +var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); var select378 = linear_select([ - part1682, - part1683, + part1676, + part1677, ]); -var part1684 = // "Pattern{Constant(''), Field(result,false), Constant('. ('), Field(event_time_string,false), Constant(')')}" -match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})"); +var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})"); -var all354 = all_match({ +var all348 = all_match({ processors: [ - part1681, + part1675, select378, - part1684, + part1678, ], on_success: processor_chain([ dup1, @@ -21943,7 +19924,7 @@ var all354 = all_match({ ]), }); -var msg1069 = msg("00547:03", all354); +var msg1069 = msg("00547:03", all348); var select379 = linear_select([ msg1066, @@ -21952,19 +19933,17 @@ var select379 = linear_select([ msg1069, ]); -var part1685 = // "Pattern{Constant('add-route-> untrust-vr: '), Field(fld2,false)}" -match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ - dup283, +var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ + dup281, dup2, dup3, dup4, dup5, ])); -var msg1070 = msg("00549", part1685); +var msg1070 = msg("00549", part1679); -var part1686 = // "Pattern{Constant('Error '), Field(resultcode,true), Constant(' occurred during configlet file processing.')}" -match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ +var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ dup18, dup2, dup3, @@ -21972,10 +19951,9 @@ match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred dup5, ])); -var msg1071 = msg("00551", part1686); +var msg1071 = msg("00551", part1680); -var part1687 = // "Pattern{Constant('Error '), Field(resultcode,true), Constant(' occurred, causing failure to establish secure management with Management System.')}" -match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ +var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ dup86, dup2, dup3, @@ -21983,22 +19961,20 @@ match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurr dup5, ])); -var msg1072 = msg("00551:01", part1687); +var msg1072 = msg("00551:01", part1681); -var part1688 = // "Pattern{Constant('Configlet file '), Field(p0,false)}" -match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); +var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); -var part1689 = // "Pattern{Constant('decryption '), Field(p0,false)}" -match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); +var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); var select380 = linear_select([ - part1689, + part1683, dup89, ]); -var all355 = all_match({ +var all349 = all_match({ processors: [ - part1688, + part1682, select380, dup128, ], @@ -22011,10 +19987,9 @@ var all355 = all_match({ ]), }); -var msg1073 = msg("00551:02", all355); +var msg1073 = msg("00551:02", all349); -var part1690 = // "Pattern{Constant('Rapid Deployment cannot start because gateway has undergone configuration changes. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([ +var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([ dup18, dup2, dup3, @@ -22023,10 +19998,9 @@ match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot star dup5, ])); -var msg1074 = msg("00551:03", part1690); +var msg1074 = msg("00551:03", part1684); -var part1691 = // "Pattern{Constant('Secure management established successfully with remote server. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ +var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -22035,7 +20009,7 @@ match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management establishe dup5, ])); -var msg1075 = msg("00551:04", part1691); +var msg1075 = msg("00551:04", part1685); var select381 = linear_select([ msg1071, @@ -22045,29 +20019,25 @@ var select381 = linear_select([ msg1075, ]); -var part1692 = // "Pattern{Constant('SCAN-MGR: Failed to get '), Field(p0,false)}" -match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); +var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); -var part1693 = // "Pattern{Constant('AltServer '), Field(p0,false)}" -match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); +var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); -var part1694 = // "Pattern{Constant('Version '), Field(p0,false)}" -match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); +var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); -var part1695 = // "Pattern{Constant('Path_GateLockCE '), Field(p0,false)}" -match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); +var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); var select382 = linear_select([ - part1693, - part1694, - part1695, + part1687, + part1688, + part1689, ]); -var all356 = all_match({ +var all350 = all_match({ processors: [ - part1692, + part1686, select382, - dup327, + dup325, ], on_success: processor_chain([ dup18, @@ -22078,10 +20048,9 @@ var all356 = all_match({ ]), }); -var msg1076 = msg("00553", all356); +var msg1076 = msg("00553", all350); -var part1696 = // "Pattern{Constant('SCAN-MGR: Zero pattern size from server.ini.'), Field(,false)}" -match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ +var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ dup18, dup2, dup3, @@ -22089,10 +20058,9 @@ match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size dup5, ])); -var msg1077 = msg("00553:01", part1696); +var msg1077 = msg("00553:01", part1690); -var part1697 = // "Pattern{Constant('SCAN-MGR: Pattern size from server.ini is too large: '), Field(bytes,true), Constant(' (bytes).')}" -match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ +var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ dup18, dup2, dup3, @@ -22100,10 +20068,9 @@ match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from dup5, ])); -var msg1078 = msg("00553:02", part1697); +var msg1078 = msg("00553:02", part1691); -var part1698 = // "Pattern{Constant('SCAN-MGR: Pattern URL from server.ini is too long: '), Field(fld2,false), Constant('; max is '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ +var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ dup18, dup2, dup3, @@ -22111,24 +20078,22 @@ match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from s dup5, ])); -var msg1079 = msg("00553:03", part1698); +var msg1079 = msg("00553:03", part1692); -var part1699 = // "Pattern{Constant('SCAN-MGR: Failed to retrieve '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}"); +var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}"); var select383 = linear_select([ - dup328, - dup329, + dup326, + dup327, ]); -var part1700 = // "Pattern{Constant('file: '), Field(fld2,false), Constant('; http status code: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); +var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); -var all357 = all_match({ +var all351 = all_match({ processors: [ - part1699, + part1693, select383, - part1700, + part1694, ], on_success: processor_chain([ dup18, @@ -22139,10 +20104,9 @@ var all357 = all_match({ ]), }); -var msg1080 = msg("00553:04", all357); +var msg1080 = msg("00553:04", all351); -var part1701 = // "Pattern{Constant('SCAN-MGR: Failed to write pattern into a RAM file.'), Field(,false)}" -match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ +var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ dup18, dup2, dup3, @@ -22150,10 +20114,9 @@ match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pa dup5, ])); -var msg1081 = msg("00553:05", part1701); +var msg1081 = msg("00553:05", part1695); -var part1702 = // "Pattern{Constant('SCAN-MGR: Check Pattern File failed: code from VSAPI: '), Field(resultcode,false)}" -match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ +var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ dup18, dup2, dup3, @@ -22161,10 +20124,9 @@ match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File dup5, ])); -var msg1082 = msg("00553:06", part1702); +var msg1082 = msg("00553:06", part1696); -var part1703 = // "Pattern{Constant('SCAN-MGR: Failed to write pattern into flash.'), Field(,false)}" -match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ +var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ dup18, dup2, dup3, @@ -22172,21 +20134,20 @@ match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pa dup5, ])); -var msg1083 = msg("00553:07", part1703); +var msg1083 = msg("00553:07", part1697); -var part1704 = // "Pattern{Constant('SCAN-MGR: Internal error while setting up for retrieving '), Field(p0,false)}" -match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); +var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); var select384 = linear_select([ - dup329, - dup328, + dup327, + dup326, ]); -var all358 = all_match({ +var all352 = all_match({ processors: [ - part1704, + part1698, select384, - dup330, + dup328, ], on_success: processor_chain([ dup19, @@ -22197,10 +20158,9 @@ var all358 = all_match({ ]), }); -var msg1084 = msg("00553:08", all358); +var msg1084 = msg("00553:08", all352); -var part1705 = // "Pattern{Constant('SCAN-MGR: '), Field(fld2,true), Constant(' '), Field(disposition,false), Constant(': Err: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ +var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22208,10 +20168,9 @@ match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{dispos dup5, ])); -var msg1085 = msg("00553:09", part1705); +var msg1085 = msg("00553:09", part1699); -var part1706 = // "Pattern{Constant('SCAN-MGR: TMIntCPVSInit '), Field(disposition,true), Constant(' due to '), Field(result,false)}" -match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ +var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ dup19, dup2, dup3, @@ -22219,10 +20178,9 @@ match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{di dup5, ])); -var msg1086 = msg("00553:10", part1706); +var msg1086 = msg("00553:10", part1700); -var part1707 = // "Pattern{Constant('SCAN-MGR: Attempted Pattern Creation Date('), Field(fld2,false), Constant(') is after AV Key Expiration date('), Field(fld3,false), Constant(').')}" -match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ +var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ dup18, dup2, dup3, @@ -22230,10 +20188,9 @@ match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern dup5, ])); -var msg1087 = msg("00553:11", part1707); +var msg1087 = msg("00553:11", part1701); -var part1708 = // "Pattern{Constant('SCAN-MGR: TMIntSetDecompressLayer '), Field(disposition,false), Constant(': Layer: '), Field(fld2,false), Constant(', Err: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ +var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22241,10 +20198,9 @@ match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompress dup5, ])); -var msg1088 = msg("00553:12", part1708); +var msg1088 = msg("00553:12", part1702); -var part1709 = // "Pattern{Constant('SCAN-MGR: TMIntSetExtractFileSizeLimit '), Field(disposition,false), Constant(': Limit: '), Field(fld2,false), Constant(', Err: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ +var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22252,10 +20208,9 @@ match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFil dup5, ])); -var msg1089 = msg("00553:13", part1709); +var msg1089 = msg("00553:13", part1703); -var part1710 = // "Pattern{Constant('SCAN-MGR: TMIntScanFile '), Field(disposition,false), Constant(': ret: '), Field(fld2,false), Constant('; cpapiErrCode: '), Field(resultcode,false), Constant('.')}" -match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ +var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ dup19, dup2, dup3, @@ -22263,10 +20218,9 @@ match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{di dup5, ])); -var msg1090 = msg("00553:14", part1710); +var msg1090 = msg("00553:14", part1704); -var part1711 = // "Pattern{Constant('SCAN-MGR: VSAPI resource usage error. Left usage: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([ +var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([ dup19, dup2, dup3, @@ -22274,10 +20228,9 @@ match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usa dup5, ])); -var msg1091 = msg("00553:15", part1711); +var msg1091 = msg("00553:15", part1705); -var part1712 = // "Pattern{Constant('SCAN-MGR: Set decompress layer to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ +var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22285,10 +20238,9 @@ match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress lay dup5, ])); -var msg1092 = msg("00553:16", part1712); +var msg1092 = msg("00553:16", part1706); -var part1713 = // "Pattern{Constant('SCAN-MGR: Set maximum content size to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ +var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22296,10 +20248,9 @@ match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum conten dup5, ])); -var msg1093 = msg("00553:17", part1713); +var msg1093 = msg("00553:17", part1707); -var part1714 = // "Pattern{Constant('SCAN-MGR: Set maximum number of concurrent messages to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ +var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22307,10 +20258,9 @@ match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number dup5, ])); -var msg1094 = msg("00553:18", part1714); +var msg1094 = msg("00553:18", part1708); -var part1715 = // "Pattern{Constant('SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ +var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22318,10 +20268,9 @@ match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximu dup5, ])); -var msg1095 = msg("00553:19", part1715); +var msg1095 = msg("00553:19", part1709); -var part1716 = // "Pattern{Constant('SCAN-MGR: Set Pattern URL to '), Field(fld2,false), Constant('; update interval is '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ +var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ dup1, dup2, dup3, @@ -22329,10 +20278,9 @@ match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to dup5, ])); -var msg1096 = msg("00553:20", part1716); +var msg1096 = msg("00553:20", part1710); -var part1717 = // "Pattern{Constant('SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.'), Field(,false)}" -match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ +var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ dup1, dup2, dup3, @@ -22340,10 +20288,9 @@ match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; dup5, ])); -var msg1097 = msg("00553:21", part1717); +var msg1097 = msg("00553:21", part1711); -var part1718 = // "Pattern{Constant('SCAN-MGR: New pattern updated: version: '), Field(version,false), Constant(', size: '), Field(bytes,true), Constant(' (bytes).')}" -match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ +var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ dup1, dup2, dup3, @@ -22351,7 +20298,7 @@ match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern update dup5, ])); -var msg1098 = msg("00553:22", part1718); +var msg1098 = msg("00553:22", part1712); var select385 = linear_select([ msg1076, @@ -22379,29 +20326,25 @@ var select385 = linear_select([ msg1098, ]); -var part1719 = // "Pattern{Constant('SCAN-MGR: Cannot get '), Field(p0,false)}" -match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); +var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); -var part1720 = // "Pattern{Constant('AltServer info '), Field(p0,false)}" -match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); +var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); -var part1721 = // "Pattern{Constant('Version number '), Field(p0,false)}" -match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); +var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); -var part1722 = // "Pattern{Constant('Path_GateLockCE info '), Field(p0,false)}" -match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); +var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); var select386 = linear_select([ - part1720, - part1721, - part1722, + part1714, + part1715, + part1716, ]); -var all359 = all_match({ +var all353 = all_match({ processors: [ - part1719, + part1713, select386, - dup327, + dup325, ], on_success: processor_chain([ dup144, @@ -22412,10 +20355,9 @@ var all359 = all_match({ ]), }); -var msg1099 = msg("00554", all359); +var msg1099 = msg("00554", all353); -var part1723 = // "Pattern{Constant('SCAN-MGR: Per server.ini file, the AV pattern file size is zero.'), Field(,false)}" -match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ +var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ dup19, dup2, dup3, @@ -22423,10 +20365,9 @@ match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini fil dup5, ])); -var msg1100 = msg("00554:01", part1723); +var msg1100 = msg("00554:01", part1717); -var part1724 = // "Pattern{Constant('SCAN-MGR: AV pattern file size is too large ('), Field(bytes,true), Constant(' bytes).')}" -match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ +var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ dup19, dup2, dup3, @@ -22434,10 +20375,9 @@ match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file si dup5, ])); -var msg1101 = msg("00554:02", part1724); +var msg1101 = msg("00554:02", part1718); -var part1725 = // "Pattern{Constant('SCAN-MGR: Alternate AV pattern file server URL is too long: '), Field(bytes,true), Constant(' bytes. Max: '), Field(fld2,true), Constant(' bytes.')}" -match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ +var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ dup19, dup2, dup3, @@ -22445,19 +20385,17 @@ match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV patte dup5, ])); -var msg1102 = msg("00554:03", part1725); +var msg1102 = msg("00554:03", part1719); -var part1726 = // "Pattern{Constant('SCAN-MGR: Cannot retrieve '), Field(p0,false)}" -match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); +var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); -var part1727 = // "Pattern{Constant('file from '), Field(hostip,false), Constant(':'), Field(network_port,false), Constant('. HTTP status code: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}."); +var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}."); -var all360 = all_match({ +var all354 = all_match({ processors: [ - part1726, - dup408, - part1727, + part1720, + dup405, + part1721, ], on_success: processor_chain([ dup144, @@ -22468,25 +20406,22 @@ var all360 = all_match({ ]), }); -var msg1103 = msg("00554:04", all360); +var msg1103 = msg("00554:04", all354); -var part1728 = // "Pattern{Constant('SCAN-MGR: Cannot write AV pattern file to '), Field(p0,false)}" -match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); +var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); -var part1729 = // "Pattern{Constant('RAM '), Field(p0,false)}" -match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); +var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); -var part1730 = // "Pattern{Constant('flash '), Field(p0,false)}" -match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); +var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); var select387 = linear_select([ - part1729, - part1730, + part1723, + part1724, ]); -var all361 = all_match({ +var all355 = all_match({ processors: [ - part1728, + part1722, select387, dup116, ], @@ -22499,10 +20434,9 @@ var all361 = all_match({ ]), }); -var msg1104 = msg("00554:05", all361); +var msg1104 = msg("00554:05", all355); -var part1731 = // "Pattern{Constant('SCAN-MGR: Cannot check AV pattern file. VSAPI code: '), Field(fld2,false)}" -match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ +var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ dup144, dup2, dup3, @@ -22510,16 +20444,15 @@ match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pa dup5, ])); -var msg1105 = msg("00554:06", part1731); +var msg1105 = msg("00554:06", part1725); -var part1732 = // "Pattern{Constant('SCAN-MGR: Internal error occurred while retrieving '), Field(p0,false)}" -match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); +var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); -var all362 = all_match({ +var all356 = all_match({ processors: [ - part1732, - dup408, - dup330, + part1726, + dup405, + dup328, ], on_success: processor_chain([ dup19, @@ -22530,29 +20463,25 @@ var all362 = all_match({ ]), }); -var msg1106 = msg("00554:07", all362); +var msg1106 = msg("00554:07", all356); -var part1733 = // "Pattern{Constant('SCAN-MGR: Internal error occurred when calling this function: '), Field(fld2,false), Constant('. '), Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}"); +var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}"); -var part1734 = // "Pattern{Constant('Error: '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); +var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); -var part1735 = // "Pattern{Constant('Returned a NULL VSC handler '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); +var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); -var part1736 = // "Pattern{Constant('cpapiErrCode: '), Field(resultcode,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); +var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); var select388 = linear_select([ - part1734, - part1735, - part1736, + part1728, + part1729, + part1730, ]); -var all363 = all_match({ +var all357 = all_match({ processors: [ - part1733, + part1727, select388, dup116, ], @@ -22565,10 +20494,9 @@ var all363 = all_match({ ]), }); -var msg1107 = msg("00554:08", all363); +var msg1107 = msg("00554:08", all357); -var part1737 = // "Pattern{Constant('SCAN-MGR: Number of decompression layers has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ +var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22576,10 +20504,9 @@ match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompre dup5, ])); -var msg1108 = msg("00554:09", part1737); +var msg1108 = msg("00554:09", part1731); -var part1738 = // "Pattern{Constant('SCAN-MGR: Maximum content size has been set to '), Field(fld2,true), Constant(' KB.')}" -match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ +var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ dup1, dup2, dup3, @@ -22587,10 +20514,9 @@ match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content si dup5, ])); -var msg1109 = msg("00554:10", part1738); +var msg1109 = msg("00554:10", part1732); -var part1739 = // "Pattern{Constant('SCAN-MGR: Maximum number of concurrent messages has been set to '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ +var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ dup1, dup2, dup3, @@ -22598,46 +20524,39 @@ match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of dup5, ])); -var msg1110 = msg("00554:11", part1739); +var msg1110 = msg("00554:11", part1733); -var part1740 = // "Pattern{Constant('SCAN-MGR: Fail mode has been set to '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); +var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); -var part1741 = // "Pattern{Constant('drop '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); +var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); -var part1742 = // "Pattern{Constant('pass '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); +var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); var select389 = linear_select([ - part1741, - part1742, + part1735, + part1736, ]); -var part1743 = // "Pattern{Constant('unexamined traffic if '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); +var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); -var part1744 = // "Pattern{Constant('content size '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); +var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); -var part1745 = // "Pattern{Constant('number of concurrent messages '), Field(p0,false)}" -match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}"); +var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}"); var select390 = linear_select([ - part1744, - part1745, + part1738, + part1739, ]); -var part1746 = // "Pattern{Constant('exceeds max.'), Field(,false)}" -match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); +var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); -var all364 = all_match({ +var all358 = all_match({ processors: [ - part1740, + part1734, select389, - part1743, + part1737, select390, - part1746, + part1740, ], on_success: processor_chain([ dup1, @@ -22648,10 +20567,9 @@ var all364 = all_match({ ]), }); -var msg1111 = msg("00554:12", all364); +var msg1111 = msg("00554:12", all358); -var part1747 = // "Pattern{Constant('SCAN-MGR: URL for AV pattern update server has been set to '), Field(fld2,false), Constant(', and the update interval to '), Field(fld3,true), Constant(' minutes.')}" -match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ +var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ dup1, dup2, dup3, @@ -22659,10 +20577,9 @@ match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern dup5, ])); -var msg1112 = msg("00554:13", part1747); +var msg1112 = msg("00554:13", part1741); -var part1748 = // "Pattern{Constant('SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.'), Field(,false)}" -match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ +var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ dup1, dup2, dup3, @@ -22670,10 +20587,9 @@ match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern dup5, ])); -var msg1113 = msg("00554:14", part1748); +var msg1113 = msg("00554:14", part1742); -var part1749 = // "Pattern{Constant('SCAN-MGR: New AV pattern file has been updated. Version: '), Field(version,false), Constant('; size: '), Field(bytes,true), Constant(' bytes.')}" -match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ +var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ dup1, dup2, dup3, @@ -22681,10 +20597,9 @@ match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern fil dup5, ])); -var msg1114 = msg("00554:15", part1749); +var msg1114 = msg("00554:15", part1743); -var part1750 = // "Pattern{Constant('SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ +var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ dup19, dup2, dup3, @@ -22692,10 +20607,9 @@ match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exce dup5, ])); -var msg1115 = msg("00554:16", part1750); +var msg1115 = msg("00554:16", part1744); -var part1751 = // "Pattern{Constant('SCAN-MGR: Attempted to load AV pattern file created '), Field(fld2,true), Constant(' after the AV subscription expired. (Exp: '), Field(fld3,false), Constant(')')}" -match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([ +var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([ dup1, dup2, dup3, @@ -22703,7 +20617,7 @@ match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load dup5, ])); -var msg1116 = msg("00554:17", part1751); +var msg1116 = msg("00554:17", part1745); var select391 = linear_select([ msg1099, @@ -22726,8 +20640,7 @@ var select391 = linear_select([ msg1116, ]); -var part1752 = // "Pattern{Constant('Vrouter '), Field(node,true), Constant(' PIMSM cannot process non-multicast address '), Field(hostip,false)}" -match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ +var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ dup19, dup2, dup3, @@ -22735,10 +20648,9 @@ match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot dup5, ])); -var msg1117 = msg("00555", part1752); +var msg1117 = msg("00555", part1746); -var part1753 = // "Pattern{Constant('UF-MGR: Failed to process a request. Reason: '), Field(result,false)}" -match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ +var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ dup19, dup2, dup3, @@ -22746,10 +20658,9 @@ match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a req dup5, ])); -var msg1118 = msg("00556", part1753); +var msg1118 = msg("00556", part1747); -var part1754 = // "Pattern{Constant('UF-MGR: Failed to abort a transaction. Reason: '), Field(result,false)}" -match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ +var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ dup19, dup2, dup3, @@ -22757,49 +20668,42 @@ match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a tr dup5, ])); -var msg1119 = msg("00556:01", part1754); +var msg1119 = msg("00556:01", part1748); -var part1755 = // "Pattern{Constant('UF-MGR: UF '), Field(p0,false)}" -match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); +var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); -var part1756 = // "Pattern{Constant('K'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); +var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); -var part1757 = // "Pattern{Constant('k'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); +var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); var select392 = linear_select([ - part1756, - part1757, + part1750, + part1751, ]); -var part1758 = // "Pattern{Constant('ey '), Field(p0,false)}" -match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); +var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); -var part1759 = // "Pattern{Constant('Expired'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); +var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); -var part1760 = // "Pattern{Constant('expired'), Field(p0,false)}" -match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); +var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); var select393 = linear_select([ - part1759, - part1760, + part1753, + part1754, ]); -var part1761 = // "Pattern{Field(,false), Constant('(expiration date: '), Field(fld2,false), Constant('; current date: '), Field(fld3,false), Constant(').')}" -match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); +var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); -var all365 = all_match({ +var all359 = all_match({ processors: [ - part1755, + part1749, select392, - part1758, + part1752, select393, - part1761, + part1755, ], on_success: processor_chain([ - dup256, + dup254, dup2, dup3, dup4, @@ -22807,30 +20711,26 @@ var all365 = all_match({ ]), }); -var msg1120 = msg("00556:02", all365); +var msg1120 = msg("00556:02", all359); -var part1762 = // "Pattern{Constant('UF-MGR: Failed to '), Field(p0,false)}" -match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); +var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); -var part1763 = // "Pattern{Constant('enable '), Field(p0,false)}" -match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); +var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); -var part1764 = // "Pattern{Constant('disable '), Field(p0,false)}" -match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); +var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); var select394 = linear_select([ - part1763, - part1764, + part1757, + part1758, ]); -var part1765 = // "Pattern{Constant('cache.'), Field(,false)}" -match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); +var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); -var all366 = all_match({ +var all360 = all_match({ processors: [ - part1762, + part1756, select394, - part1765, + part1759, ], on_success: processor_chain([ dup19, @@ -22841,10 +20741,9 @@ var all366 = all_match({ ]), }); -var msg1121 = msg("00556:03", all366); +var msg1121 = msg("00556:03", all360); -var part1766 = // "Pattern{Constant('UF-MGR: Internal Error: '), Field(resultcode,false)}" -match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ +var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ dup19, dup2, dup3, @@ -22852,10 +20751,9 @@ match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{re dup5, ])); -var msg1122 = msg("00556:04", part1766); +var msg1122 = msg("00556:04", part1760); -var part1767 = // "Pattern{Constant('UF-MGR: Cache size changed to '), Field(fld2,false), Constant('(K).')}" -match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ +var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ dup19, dup2, dup3, @@ -22863,10 +20761,9 @@ match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed t dup5, ])); -var msg1123 = msg("00556:05", part1767); +var msg1123 = msg("00556:05", part1761); -var part1768 = // "Pattern{Constant('UF-MGR: Cache timeout changes to '), Field(fld2,true), Constant(' (hours).')}" -match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ +var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ dup19, dup2, dup3, @@ -22874,10 +20771,9 @@ match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout change dup5, ])); -var msg1124 = msg("00556:06", part1768); +var msg1124 = msg("00556:06", part1762); -var part1769 = // "Pattern{Constant('UF-MGR: Category update interval changed to '), Field(fld2,true), Constant(' (weeks).')}" -match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ +var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ dup19, dup2, dup3, @@ -22885,15 +20781,14 @@ match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update inte dup5, ])); -var msg1125 = msg("00556:07", part1769); +var msg1125 = msg("00556:07", part1763); -var part1770 = // "Pattern{Constant('UF-MGR: Cache '), Field(p0,false)}" -match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); +var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); -var all367 = all_match({ +var all361 = all_match({ processors: [ - part1770, - dup360, + part1764, + dup358, dup116, ], on_success: processor_chain([ @@ -22905,33 +20800,30 @@ var all367 = all_match({ ]), }); -var msg1126 = msg("00556:08", all367); +var msg1126 = msg("00556:08", all361); -var part1771 = // "Pattern{Constant('UF-MGR: URL BLOCKED: ip_addr ('), Field(fld2,false), Constant(') -> ip_addr ('), Field(fld3,false), Constant('), '), Field(fld4,true), Constant(' action: '), Field(disposition,false), Constant(', category: '), Field(fld5,false), Constant(', reason '), Field(result,false)}" -match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ - dup234, +var part1765 = match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ + dup232, dup2, dup3, dup4, dup5, - dup284, + dup282, ])); -var msg1127 = msg("00556:09", part1771); +var msg1127 = msg("00556:09", part1765); -var part1772 = // "Pattern{Constant('UF-MGR: URL FILTER ERR: ip_addr ('), Field(fld2,false), Constant(') -> ip_addr ('), Field(fld3,false), Constant('), host: '), Field(fld5,true), Constant(' page: '), Field(fld4,true), Constant(' code: '), Field(resultcode,true), Constant(' reason: '), Field(result,false), Constant('.')}" -match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ - dup234, +var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ + dup232, dup2, dup3, dup4, dup5, ])); -var msg1128 = msg("00556:10", part1772); +var msg1128 = msg("00556:10", part1766); -var part1773 = // "Pattern{Constant('UF-MGR: Primary CPA server changed to '), Field(fld2,false)}" -match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ +var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ dup19, dup2, dup3, @@ -22939,24 +20831,22 @@ match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server c dup5, ])); -var msg1129 = msg("00556:11", part1773); +var msg1129 = msg("00556:11", part1767); -var part1774 = // "Pattern{Constant('UF-MGR: '), Field(fld2,true), Constant(' CPA server '), Field(p0,false)}" -match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); +var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); var select395 = linear_select([ dup140, - dup171, + dup169, ]); -var part1775 = // "Pattern{Constant('changed to '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); +var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); -var all368 = all_match({ +var all362 = all_match({ processors: [ - part1774, + part1768, select395, - part1775, + part1769, ], on_success: processor_chain([ dup19, @@ -22967,10 +20857,9 @@ var all368 = all_match({ ]), }); -var msg1130 = msg("00556:12", all368); +var msg1130 = msg("00556:12", all362); -var part1776 = // "Pattern{Constant('UF-MGR: SurfControl URL filtering '), Field(disposition,false), Constant('.')}" -match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ +var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ dup19, dup2, dup3, @@ -22978,19 +20867,17 @@ match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filt dup5, ])); -var msg1131 = msg("00556:13", part1776); +var msg1131 = msg("00556:13", part1770); -var part1777 = // "Pattern{Constant('UF-MGR: The url '), Field(url,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); +var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); -var part1778 = // "Pattern{Constant('category '), Field(fld2,false), Constant('.')}" -match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); +var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); -var all369 = all_match({ +var all363 = all_match({ processors: [ - part1777, - dup409, - part1778, + part1771, + dup406, + part1772, ], on_success: processor_chain([ dup19, @@ -23001,19 +20888,17 @@ var all369 = all_match({ ]), }); -var msg1132 = msg("00556:14", all369); +var msg1132 = msg("00556:14", all363); -var part1779 = // "Pattern{Constant('UF-MGR: The category '), Field(fld2,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); +var part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); -var part1780 = // "Pattern{Constant('profile '), Field(fld3,true), Constant(' with action '), Field(disposition,false), Constant('.')}" -match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); +var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); -var all370 = all_match({ +var all364 = all_match({ processors: [ - part1779, - dup409, - part1780, + part1773, + dup406, + part1774, ], on_success: processor_chain([ dup19, @@ -23021,39 +20906,35 @@ var all370 = all_match({ dup3, dup4, dup5, - dup284, + dup282, ]), }); -var msg1133 = msg("00556:15", all370); +var msg1133 = msg("00556:15", all364); -var part1781 = // "Pattern{Constant('UF-MGR: The '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); +var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); -var part1782 = // "Pattern{Constant('profile '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); +var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); -var part1783 = // "Pattern{Constant('category '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); +var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); var select396 = linear_select([ - part1782, - part1783, + part1776, + part1777, ]); -var part1784 = // "Pattern{Constant(''), Field(fld2,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); +var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); var select397 = linear_select([ dup104, dup120, ]); -var all371 = all_match({ +var all365 = all_match({ processors: [ - part1781, + part1775, select396, - part1784, + part1778, select397, dup116, ], @@ -23066,30 +20947,26 @@ var all371 = all_match({ ]), }); -var msg1134 = msg("00556:16", all371); +var msg1134 = msg("00556:16", all365); -var part1785 = // "Pattern{Constant('UF-MGR: The category '), Field(fld2,true), Constant(' was set in profile '), Field(profile,true), Constant(' as the '), Field(p0,false)}" -match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); +var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); -var part1786 = // "Pattern{Constant('black '), Field(p0,false)}" -match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); +var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); -var part1787 = // "Pattern{Constant('white '), Field(p0,false)}" -match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); +var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); var select398 = linear_select([ - part1786, - part1787, + part1780, + part1781, ]); -var part1788 = // "Pattern{Constant('list.'), Field(,false)}" -match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); +var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); -var all372 = all_match({ +var all366 = all_match({ processors: [ - part1785, + part1779, select398, - part1788, + part1782, ], on_success: processor_chain([ dup19, @@ -23100,27 +20977,24 @@ var all372 = all_match({ ]), }); -var msg1135 = msg("00556:17", all372); +var msg1135 = msg("00556:17", all366); -var part1789 = // "Pattern{Constant('UF-MGR: The action for '), Field(fld2,true), Constant(' in profile '), Field(profile,true), Constant(' was '), Field(p0,false)}" -match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); +var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); -var part1790 = // "Pattern{Constant('changed '), Field(p0,false)}" -match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); +var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); var select399 = linear_select([ dup101, - part1790, + part1784, ]); -var part1791 = // "Pattern{Constant('to '), Field(fld3,false), Constant('.')}" -match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); +var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); -var all373 = all_match({ +var all367 = all_match({ processors: [ - part1789, + part1783, select399, - part1791, + part1785, ], on_success: processor_chain([ dup19, @@ -23131,29 +21005,26 @@ var all373 = all_match({ ]), }); -var msg1136 = msg("00556:18", all373); +var msg1136 = msg("00556:18", all367); -var part1792 = // "Pattern{Constant('UF-MGR: The category list from the CPA server '), Field(p0,false)}" -match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); +var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); -var part1793 = // "Pattern{Constant('updated on'), Field(p0,false)}" -match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); +var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); var select400 = linear_select([ dup103, dup96, ]); -var part1794 = // "Pattern{Constant('the device.'), Field(,false)}" -match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); +var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); -var all374 = all_match({ +var all368 = all_match({ processors: [ - part1792, - dup357, - part1793, + part1786, + dup355, + part1787, select400, - part1794, + part1788, ], on_success: processor_chain([ dup19, @@ -23164,24 +21035,22 @@ var all374 = all_match({ ]), }); -var msg1137 = msg("00556:20", all374); +var msg1137 = msg("00556:20", all368); -var part1795 = // "Pattern{Constant('UF-MGR: URL BLOCKED: '), Field(saddr,false), Constant('('), Field(sport,false), Constant(')->'), Field(daddr,false), Constant('('), Field(dport,false), Constant('), '), Field(fld2,true), Constant(' action: '), Field(disposition,false), Constant(', category: '), Field(category,false), Constant(', reason: '), Field(result,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ - dup234, +var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ + dup232, dup2, dup3, dup9, dup4, dup5, - dup284, + dup282, ])); -var msg1138 = msg("00556:21", part1795); +var msg1138 = msg("00556:21", part1789); -var part1796 = // "Pattern{Constant('UF-MGR: URL BLOCKED: '), Field(saddr,false), Constant('('), Field(sport,false), Constant(')->'), Field(daddr,false), Constant('('), Field(dport,false), Constant('), '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ - dup234, +var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ + dup232, dup2, dup3, dup9, @@ -23189,7 +21058,7 @@ match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr dup5, ])); -var msg1139 = msg("00556:22", part1796); +var msg1139 = msg("00556:22", part1790); var select401 = linear_select([ msg1118, @@ -23216,8 +21085,7 @@ var select401 = linear_select([ msg1139, ]); -var part1797 = // "Pattern{Constant('PPP LCP on interface '), Field(interface,true), Constant(' is '), Field(fld2,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ +var part1791 = match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23226,10 +21094,9 @@ match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interfac dup5, ])); -var msg1140 = msg("00572", part1797); +var msg1140 = msg("00572", part1791); -var part1798 = // "Pattern{Constant('PPP authentication state on interface '), Field(interface,false), Constant(': '), Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ +var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23238,10 +21105,9 @@ match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on dup5, ])); -var msg1141 = msg("00572:01", part1798); +var msg1141 = msg("00572:01", part1792); -var part1799 = // "Pattern{Constant('PPP on interface '), Field(interface,true), Constant(' is '), Field(disposition,true), Constant(' by receiving Terminate-Request. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ +var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23250,7 +21116,7 @@ match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface dup5, ])); -var msg1142 = msg("00572:03", part1799); +var msg1142 = msg("00572:03", part1793); var select402 = linear_select([ msg1140, @@ -23258,8 +21124,7 @@ var select402 = linear_select([ msg1142, ]); -var part1800 = // "Pattern{Constant('PBR policy "'), Field(policyname,false), Constant('" rebuilding lookup tree for virtual router "'), Field(node,false), Constant('". ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ +var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -23267,10 +21132,9 @@ match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" re dup9, ])); -var msg1143 = msg("00615", part1800); +var msg1143 = msg("00615", part1794); -var part1801 = // "Pattern{Constant('PBR policy "'), Field(policyname,false), Constant('" lookup tree rebuilt successfully in virtual router "'), Field(node,false), Constant('". ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ +var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ dup44, dup2, dup4, @@ -23278,15 +21142,14 @@ match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" dup9, ])); -var msg1144 = msg("00615:01", part1801); +var msg1144 = msg("00615:01", part1795); var select403 = linear_select([ msg1143, msg1144, ]); -var part1802 = // "Pattern{Field(signame,true), Constant(' attack! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,false), Constant(', through policy '), Field(policyname,false), Constant('. Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -23297,10 +21160,9 @@ match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{sad dup61, ])); -var msg1145 = msg("00601", part1802); +var msg1145 = msg("00601", part1796); -var part1803 = // "Pattern{Field(signame,true), Constant(' has been detected from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' through policy '), Field(policyname,true), Constant(' '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup2, dup59, @@ -23311,10 +21173,9 @@ match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detect dup61, ])); -var msg1146 = msg("00601:01", part1803); +var msg1146 = msg("00601:01", part1797); -var part1804 = // "Pattern{Constant('Error in initializing multicast.'), Field(,false)}" -match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ +var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ dup19, dup2, dup3, @@ -23322,7 +21183,7 @@ match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multic dup5, ])); -var msg1147 = msg("00601:18", part1804); +var msg1147 = msg("00601:18", part1798); var select404 = linear_select([ msg1145, @@ -23330,8 +21191,7 @@ var select404 = linear_select([ msg1147, ]); -var part1805 = // "Pattern{Constant('PIMSM Error in initializing interface state change'), Field(,false)}" -match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ +var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ dup19, dup2, dup3, @@ -23339,48 +21199,41 @@ match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing int dup5, ])); -var msg1148 = msg("00602", part1805); +var msg1148 = msg("00602", part1799); -var part1806 = // "Pattern{Constant('Switch event: the status of ethernet port '), Field(fld2,true), Constant(' changed to link '), Field(p0,false)}" -match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); +var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); -var part1807 = // "Pattern{Constant(', duplex '), Field(p0,false)}" -match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); +var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); -var part1808 = // "Pattern{Constant('full '), Field(p0,false)}" -match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); +var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); -var part1809 = // "Pattern{Constant('half '), Field(p0,false)}" -match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); +var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); var select405 = linear_select([ - part1808, - part1809, + part1802, + part1803, ]); -var part1810 = // "Pattern{Constant(', speed 10'), Field(p0,false)}" -match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); +var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); -var part1811 = // "Pattern{Constant('0 '), Field(p0,false)}" -match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); +var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); var select406 = linear_select([ - part1811, + part1805, dup96, ]); -var part1812 = // "Pattern{Constant('M. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})"); +var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})"); -var all375 = all_match({ +var all369 = all_match({ processors: [ - part1806, - dup355, - part1807, + part1800, + dup353, + part1801, select405, - part1810, + part1804, select406, - part1812, + part1806, ], on_success: processor_chain([ dup1, @@ -23392,11 +21245,10 @@ var all375 = all_match({ ]), }); -var msg1149 = msg("00612", all375); +var msg1149 = msg("00612", all369); -var part1813 = // "Pattern{Constant('RTSYNC: Event posted to send all the DRP routes to backup device. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ - dup274, +var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23404,33 +21256,29 @@ match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send al dup5, ])); -var msg1150 = msg("00620", part1813); +var msg1150 = msg("00620", part1807); -var part1814 = // "Pattern{Constant('RTSYNC: '), Field(p0,false)}" -match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); +var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); -var part1815 = // "Pattern{Constant('Serviced'), Field(p0,false)}" -match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); +var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); -var part1816 = // "Pattern{Constant('Recieved'), Field(p0,false)}" -match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); +var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); var select407 = linear_select([ - part1815, - part1816, + part1809, + part1810, ]); -var part1817 = // "Pattern{Field(,false), Constant('coldstart request for route synchronization from NSRP peer. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); +var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); -var all376 = all_match({ +var all370 = all_match({ processors: [ - part1814, + part1808, select407, - part1817, + part1811, ], on_success: processor_chain([ - dup274, + dup272, dup2, dup3, dup9, @@ -23439,11 +21287,10 @@ var all376 = all_match({ ]), }); -var msg1151 = msg("00620:01", all376); +var msg1151 = msg("00620:01", all370); -var part1818 = // "Pattern{Constant('RTSYNC: Started timer to purge all the DRP backup routes - '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ - dup274, +var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23451,11 +21298,10 @@ match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to pur dup5, ])); -var msg1152 = msg("00620:02", part1818); +var msg1152 = msg("00620:02", part1812); -var part1819 = // "Pattern{Constant('RTSYNC: Event posted to purge backup routes in all vrouters. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ - dup274, +var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23463,11 +21309,10 @@ match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purg dup5, ])); -var msg1153 = msg("00620:03", part1819); +var msg1153 = msg("00620:03", part1813); -var part1820 = // "Pattern{Constant('RTSYNC: Timer to purge the DRP backup routes is stopped. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([ - dup274, +var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -23475,7 +21320,7 @@ match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the D dup5, ])); -var msg1154 = msg("00620:04", part1820); +var msg1154 = msg("00620:04", part1814); var select408 = linear_select([ msg1150, @@ -23485,9 +21330,8 @@ var select408 = linear_select([ msg1154, ]); -var part1821 = // "Pattern{Constant('NHRP : NHRP instance in virtual router '), Field(node,true), Constant(' is created. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ - dup275, +var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ + dup273, dup2, dup3, dup9, @@ -23495,30 +21339,27 @@ match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual dup5, ])); -var msg1155 = msg("00622", part1821); +var msg1155 = msg("00622", part1815); -var part1822 = // "Pattern{Constant('Session (id '), Field(sessionid,true), Constant(' src-ip '), Field(saddr,true), Constant(' dst-ip '), Field(daddr,true), Constant(' dst port '), Field(dport,false), Constant(') route is '), Field(p0,false)}" -match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); +var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); -var part1823 = // "Pattern{Constant('invalid'), Field(p0,false)}" -match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); +var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); -var part1824 = // "Pattern{Constant('valid'), Field(p0,false)}" -match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); +var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); var select409 = linear_select([ - part1823, - part1824, + part1817, + part1818, ]); -var all377 = all_match({ +var all371 = all_match({ processors: [ - part1822, + part1816, select409, dup49, ], on_success: processor_chain([ - dup275, + dup273, dup2, dup4, dup5, @@ -23526,37 +21367,32 @@ var all377 = all_match({ ]), }); -var msg1156 = msg("00625", all377); +var msg1156 = msg("00625", all371); -var part1825 = // "Pattern{Constant('audit log queue '), Field(p0,false)}" -match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); +var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); -var part1826 = // "Pattern{Constant('Traffic Log '), Field(p0,false)}" -match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); +var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); -var part1827 = // "Pattern{Constant('Event Alarm Log '), Field(p0,false)}" -match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); +var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); -var part1828 = // "Pattern{Constant('Event Log '), Field(p0,false)}" -match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); +var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); var select410 = linear_select([ - part1826, - part1827, - part1828, + part1820, + part1821, + part1822, ]); -var part1829 = // "Pattern{Constant('is overwritten ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); +var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); -var all378 = all_match({ +var all372 = all_match({ processors: [ - part1825, + part1819, select410, - part1829, + part1823, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup4, dup5, @@ -23564,22 +21400,20 @@ var all378 = all_match({ ]), }); -var msg1157 = msg("00628", all378); +var msg1157 = msg("00628", all372); -var part1830 = // "Pattern{Constant('Log setting was modified to '), Field(disposition,true), Constant(' '), Field(fld2,true), Constant(' level by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([ +var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup4, dup5, dup9, - dup284, + dup282, ])); -var msg1158 = msg("00767:50", part1830); +var msg1158 = msg("00767:50", part1824); -var part1831 = // "Pattern{Constant('Attack CS:Man in Middle is created by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ dup58, dup2, dup4, @@ -23587,10 +21421,9 @@ match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is c dup9, ])); -var msg1159 = msg("00767:51", part1831); +var msg1159 = msg("00767:51", part1825); -var part1832 = // "Pattern{Constant('Attack group '), Field(group,true), Constant(' is created by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ dup58, dup2, dup4, @@ -23598,10 +21431,9 @@ match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is c dup9, ])); -var msg1160 = msg("00767:52", part1832); +var msg1160 = msg("00767:52", part1826); -var part1833 = // "Pattern{Constant('Attack CS:Man in Middle is added to attack group '), Field(group,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ dup58, dup2, dup4, @@ -23609,10 +21441,9 @@ match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is a dup9, ])); -var msg1161 = msg("00767:53", part1833); +var msg1161 = msg("00767:53", part1827); -var part1834 = // "Pattern{Constant('Cannot contact the SecurID server'), Field(,false)}" -match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ +var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ dup27, setc("ec_theme","Communication"), dup39, @@ -23622,25 +21453,22 @@ match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID serv dup5, ])); -var msg1162 = msg("00767", part1834); +var msg1162 = msg("00767", part1828); -var part1835 = // "Pattern{Constant('System auto-config of file '), Field(fld2,true), Constant(' from TFTP server '), Field(hostip,true), Constant(' has '), Field(p0,false)}" -match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); +var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); -var part1836 = // "Pattern{Constant('been loaded successfully'), Field(,false)}" -match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); +var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); -var part1837 = // "Pattern{Constant('failed'), Field(,false)}" -match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); +var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); var select411 = linear_select([ - part1836, - part1837, + part1830, + part1831, ]); -var all379 = all_match({ +var all373 = all_match({ processors: [ - part1835, + part1829, select411, ], on_success: processor_chain([ @@ -23652,10 +21480,9 @@ var all379 = all_match({ ]), }); -var msg1163 = msg("00767:01", all379); +var msg1163 = msg("00767:01", all373); -var part1838 = // "Pattern{Constant('netscreen: System Config saved from host '), Field(saddr,false)}" -match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ +var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ setc("eventcategory","1702000000"), dup2, dup3, @@ -23663,10 +21490,9 @@ match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config sav dup5, ])); -var msg1164 = msg("00767:02", part1838); +var msg1164 = msg("00767:02", part1832); -var part1839 = // "Pattern{Constant('System Config saved to filename '), Field(filename,false)}" -match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %{filename}", processor_chain([ +var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %{filename}", processor_chain([ dup1, dup2, dup3, @@ -23674,10 +21500,9 @@ match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filen dup5, ])); -var msg1165 = msg("00767:03", part1839); +var msg1165 = msg("00767:03", part1833); -var part1840 = // "Pattern{Constant('System is operational.'), Field(,false)}" -match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ +var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ dup44, dup2, dup3, @@ -23685,10 +21510,9 @@ match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", dup5, ])); -var msg1166 = msg("00767:04", part1840); +var msg1166 = msg("00767:04", part1834); -var part1841 = // "Pattern{Constant('The device cannot contact the SecurID server'), Field(,false)}" -match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ +var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ dup27, dup2, dup3, @@ -23696,10 +21520,9 @@ match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact th dup5, ])); -var msg1167 = msg("00767:05", part1841); +var msg1167 = msg("00767:05", part1835); -var part1842 = // "Pattern{Constant('The device cannot send data to the SecurID server'), Field(,false)}" -match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ +var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ dup27, dup2, dup3, @@ -23707,10 +21530,9 @@ match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data dup5, ])); -var msg1168 = msg("00767:06", part1842); +var msg1168 = msg("00767:06", part1836); -var part1843 = // "Pattern{Constant('The system configuration was saved from peer unit by admin'), Field(,false)}" -match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ +var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ dup1, dup2, dup3, @@ -23718,15 +21540,14 @@ match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was dup5, ])); -var msg1169 = msg("00767:07", part1843); +var msg1169 = msg("00767:07", part1837); -var part1844 = // "Pattern{Constant('The system configuration was saved by admin '), Field(p0,false)}" -match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); +var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); -var all380 = all_match({ +var all374 = all_match({ processors: [ - part1844, - dup400, + part1838, + dup397, ], on_success: processor_chain([ dup1, @@ -23738,25 +21559,22 @@ var all380 = all_match({ ]), }); -var msg1170 = msg("00767:08", all380); +var msg1170 = msg("00767:08", all374); -var part1845 = // "Pattern{Constant('traffic shaping is turned O'), Field(p0,false)}" -match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); +var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); -var part1846 = // "Pattern{Constant('N'), Field(,false)}" -match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); +var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); -var part1847 = // "Pattern{Constant('FF'), Field(,false)}" -match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); +var part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); var select412 = linear_select([ - part1846, - part1847, + part1840, + part1841, ]); -var all381 = all_match({ +var all375 = all_match({ processors: [ - part1845, + part1839, select412, ], on_success: processor_chain([ @@ -23768,15 +21586,14 @@ var all381 = all_match({ ]), }); -var msg1171 = msg("00767:09", all381); +var msg1171 = msg("00767:09", all375); -var part1848 = // "Pattern{Constant('The system configuration was saved from host '), Field(saddr,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); +var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); -var all382 = all_match({ +var all376 = all_match({ processors: [ - part1848, - dup400, + part1842, + dup397, ], on_success: processor_chain([ dup1, @@ -23788,40 +21605,35 @@ var all382 = all_match({ ]), }); -var msg1172 = msg("00767:10", all382); +var msg1172 = msg("00767:10", all376); -var part1849 = // "Pattern{Constant('Fatal error. The NetScreen device was unable to upgrade the '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); +var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); -var part1850 = // "Pattern{Constant('file system '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); +var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); var select413 = linear_select([ - dup333, - part1850, + dup331, + part1844, ]); -var part1851 = // "Pattern{Constant(', and the '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); +var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); -var part1852 = // "Pattern{Constant('old file system '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); +var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); var select414 = linear_select([ - dup333, - part1852, + dup331, + part1846, ]); -var part1853 = // "Pattern{Constant('is damaged.'), Field(,false)}" -match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); +var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); -var all383 = all_match({ +var all377 = all_match({ processors: [ - part1849, + part1843, select413, - part1851, + part1845, select414, - part1853, + part1847, ], on_success: processor_chain([ dup18, @@ -23832,10 +21644,9 @@ var all383 = all_match({ ]), }); -var msg1173 = msg("00767:11", all383); +var msg1173 = msg("00767:11", all377); -var part1854 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ +var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -23844,15 +21655,14 @@ match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved b dup5, ])); -var msg1174 = msg("00767:12", part1854); +var msg1174 = msg("00767:12", part1848); -var part1855 = // "Pattern{Field(fld2,false), Constant('Environment variable '), Field(fld3,true), Constant(' is changed to '), Field(fld4,true), Constant(' by admin '), Field(p0,false)}" -match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}"); +var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}"); -var all384 = all_match({ +var all378 = all_match({ processors: [ - part1855, - dup400, + part1849, + dup397, ], on_success: processor_chain([ dup1, @@ -23864,38 +21674,33 @@ var all384 = all_match({ ]), }); -var msg1175 = msg("00767:13", all384); +var msg1175 = msg("00767:13", all378); -var part1856 = // "Pattern{Constant('System was '), Field(p0,false)}" -match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); +var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); -var part1857 = // "Pattern{Constant('reset '), Field(p0,false)}" -match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); +var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); var select415 = linear_select([ - part1857, - dup264, + part1851, + dup262, ]); -var part1858 = // "Pattern{Constant('at '), Field(fld2,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); +var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); -var part1859 = // "Pattern{Constant('admin '), Field(administrator,false)}" -match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); +var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); -var part1860 = // "Pattern{Field(username,false)}" -match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); +var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); var select416 = linear_select([ - part1859, - part1860, + part1853, + part1854, ]); -var all385 = all_match({ +var all379 = all_match({ processors: [ - part1856, + part1850, select415, - part1858, + part1852, select416, ], on_success: processor_chain([ @@ -23907,39 +21712,34 @@ var all385 = all_match({ ]), }); -var msg1176 = msg("00767:14", all385); +var msg1176 = msg("00767:14", all379); -var part1861 = // "Pattern{Constant('System '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); +var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); -var part1862 = // "Pattern{Constant('Event '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); +var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); -var part1863 = // "Pattern{Constant('Traffic '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); +var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); var select417 = linear_select([ - part1861, - part1862, - part1863, + part1855, + part1856, + part1857, ]); -var part1864 = // "Pattern{Constant('log was reviewed by '), Field(p0,false)}" -match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); +var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); -var part1865 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('.')}" -match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); +var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); -var all386 = all_match({ +var all380 = all_match({ processors: [ - dup185, + dup183, select417, - part1864, - dup338, - part1865, + part1858, + dup336, + part1859, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup3, dup4, @@ -23947,10 +21747,9 @@ var all386 = all_match({ ]), }); -var msg1177 = msg("00767:15", all386); +var msg1177 = msg("00767:15", all380); -var part1866 = // "Pattern{Field(fld2,true), Constant(' Admin '), Field(administrator,true), Constant(' issued command '), Field(info,true), Constant(' to redirect output.')}" -match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ +var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ dup1, dup2, dup3, @@ -23958,15 +21757,14 @@ match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administra dup5, ])); -var msg1178 = msg("00767:16", part1866); +var msg1178 = msg("00767:16", part1860); -var part1867 = // "Pattern{Field(fld2,true), Constant(' Save new software from '), Field(fld3,true), Constant(' to flash by admin '), Field(p0,false)}" -match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); +var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); -var all387 = all_match({ +var all381 = all_match({ processors: [ - part1867, - dup400, + part1861, + dup397, ], on_success: processor_chain([ dup1, @@ -23978,10 +21776,9 @@ var all387 = all_match({ ]), }); -var msg1179 = msg("00767:17", all387); +var msg1179 = msg("00767:17", all381); -var part1868 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' has been '), Field(fld2,true), Constant(' saved to flash.')}" -match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ +var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ dup1, dup2, dup3, @@ -23989,10 +21786,9 @@ match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{ve dup5, ])); -var msg1180 = msg("00767:18", part1868); +var msg1180 = msg("00767:18", part1862); -var part1869 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' was rejected because the authentication check failed.')}" -match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ +var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ dup1, dup2, dup3, @@ -24000,10 +21796,9 @@ match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{ve dup5, ])); -var msg1181 = msg("00767:19", part1869); +var msg1181 = msg("00767:19", part1863); -var part1870 = // "Pattern{Constant('The dictionary file version of the RADIUS server '), Field(hostname,true), Constant(' does not match '), Field(fld2,false)}" -match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ +var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ dup1, dup2, dup3, @@ -24011,10 +21806,9 @@ match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version dup5, ])); -var msg1182 = msg("00767:20", part1870); +var msg1182 = msg("00767:20", part1864); -var part1871 = // "Pattern{Constant('Session ('), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(', '), Field(fld4,false), Constant(') cleared '), Field(fld5,false)}" -match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ +var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ dup1, dup2, dup3, @@ -24022,47 +21816,40 @@ match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, dup5, ])); -var msg1183 = msg("00767:21", part1871); +var msg1183 = msg("00767:21", part1865); -var part1872 = // "Pattern{Constant('The system configuration was not saved '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); +var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); -var part1873 = // "Pattern{Field(fld2,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); +var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); -var part1874 = // "Pattern{Constant(''), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); var select418 = linear_select([ - part1873, - part1874, + part1867, + part1868, ]); -var part1875 = // "Pattern{Constant('by administrator '), Field(fld3,false), Constant('. '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}"); +var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}"); -var part1876 = // "Pattern{Constant('It was locked '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); +var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); -var part1877 = // "Pattern{Constant('Locked '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); +var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); var select419 = linear_select([ - part1876, - part1877, + part1870, + part1871, ]); -var part1878 = // "Pattern{Constant('by administrator '), Field(fld4,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); +var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); -var all388 = all_match({ +var all382 = all_match({ processors: [ - part1872, + part1866, select418, - part1875, + part1869, select419, - part1878, - dup356, + part1872, + dup354, ], on_success: processor_chain([ dup50, @@ -24076,10 +21863,9 @@ var all388 = all_match({ ]), }); -var msg1184 = msg("00767:22", all388); +var msg1184 = msg("00767:22", all382); -var part1879 = // "Pattern{Constant('Save new software from slot filename '), Field(filename,true), Constant(' to flash memory by administrator '), Field(administrator,false)}" -match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ +var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ dup1, dup2, dup3, @@ -24087,30 +21873,27 @@ match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot dup5, ])); -var msg1185 = msg("00767:23", part1879); +var msg1185 = msg("00767:23", part1873); -var part1880 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from '), Field(p0,false)}" -match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); +var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); var select420 = linear_select([ - dup171, + dup169, dup16, ]); -var part1881 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); +var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); -var part1882 = // "Pattern{Field(saddr,true), Constant(' by '), Field(p0,false)}" -match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); +var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); var select421 = linear_select([ - part1881, - part1882, + part1875, + part1876, ]); -var all389 = all_match({ +var all383 = all_match({ processors: [ - part1880, + part1874, select420, dup23, select421, @@ -24125,41 +21908,35 @@ var all389 = all_match({ ]), }); -var msg1186 = msg("00767:25", all389); +var msg1186 = msg("00767:25", all383); -var part1883 = // "Pattern{Constant('Lock configuration '), Field(p0,false)}" -match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); +var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); -var part1884 = // "Pattern{Constant('started'), Field(p0,false)}" -match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); +var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); -var part1885 = // "Pattern{Constant('ended'), Field(p0,false)}" -match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); +var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); var select422 = linear_select([ - part1884, - part1885, + part1878, + part1879, ]); -var part1886 = // "Pattern{Field(,false), Constant('by task '), Field(p0,false)}" -match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); +var part1880 = match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); -var part1887 = // "Pattern{Constant(''), Field(fld3,false), Constant(', with a timeout value of '), Field(fld2,false)}" -match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); +var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); -var part1888 = // "Pattern{Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); +var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); var select423 = linear_select([ - part1887, - part1888, + part1881, + part1882, ]); -var all390 = all_match({ +var all384 = all_match({ processors: [ - part1883, + part1877, select422, - part1886, + part1880, select423, ], on_success: processor_chain([ @@ -24174,29 +21951,26 @@ var all390 = all_match({ ]), }); -var msg1187 = msg("00767:26", all390); +var msg1187 = msg("00767:26", all384); -var part1889 = // "Pattern{Constant('Environment variable '), Field(fld2,true), Constant(' changed to '), Field(p0,false)}" -match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); +var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); -var part1890 = // "Pattern{Field(fld3,true), Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); +var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); -var part1891 = // "Pattern{Field(fld3,false)}" -match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); +var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); var select424 = linear_select([ - part1890, - part1891, + part1884, + part1885, ]); -var all391 = all_match({ +var all385 = all_match({ processors: [ - part1889, + part1883, select424, ], on_success: processor_chain([ - dup225, + dup223, dup2, dup3, dup9, @@ -24205,10 +21979,9 @@ var all391 = all_match({ ]), }); -var msg1188 = msg("00767:27", all391); +var msg1188 = msg("00767:27", all385); -var part1892 = // "Pattern{Constant('The system configuration was loaded from IP address '), Field(hostip,true), Constant(' under filename '), Field(filename,true), Constant(' by administrator by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ +var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24217,10 +21990,9 @@ match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was dup5, ])); -var msg1189 = msg("00767:28", part1892); +var msg1189 = msg("00767:28", part1886); -var part1893 = // "Pattern{Constant('Save configuration to IP address '), Field(hostip,true), Constant(' under filename '), Field(filename,true), Constant(' by administrator by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ +var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24229,10 +22001,9 @@ match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP add dup5, ])); -var msg1190 = msg("00767:29", part1893); +var msg1190 = msg("00767:29", part1887); -var part1894 = // "Pattern{Field(fld2,false), Constant(': The system configuration was saved from host '), Field(saddr,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ +var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24241,28 +22012,25 @@ match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configur dup5, ])); -var msg1191 = msg("00767:30", part1894); +var msg1191 = msg("00767:30", part1888); -var part1895 = // "Pattern{Constant('logged events or alarms '), Field(p0,false)}" -match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); +var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); -var part1896 = // "Pattern{Constant('traffic logs '), Field(p0,false)}" -match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); +var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); var select425 = linear_select([ - part1895, - part1896, + part1889, + part1890, ]); -var part1897 = // "Pattern{Constant('were cleared by admin '), Field(p0,false)}" -match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); +var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); -var all392 = all_match({ +var all386 = all_match({ processors: [ - dup188, + dup186, select425, - part1897, - dup400, + part1891, + dup397, ], on_success: processor_chain([ dup1, @@ -24274,30 +22042,26 @@ var all392 = all_match({ ]), }); -var msg1192 = msg("00767:31", all392); +var msg1192 = msg("00767:31", all386); -var part1898 = // "Pattern{Constant('SIP parser error '), Field(p0,false)}" -match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); +var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); -var part1899 = // "Pattern{Constant('SIP-field'), Field(p0,false)}" -match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); +var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); -var part1900 = // "Pattern{Constant('Message'), Field(p0,false)}" -match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); +var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); var select426 = linear_select([ - part1899, - part1900, + part1893, + part1894, ]); -var part1901 = // "Pattern{Constant(': '), Field(result,false), Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); +var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); -var all393 = all_match({ +var all387 = all_match({ processors: [ - part1898, + part1892, select426, - part1901, + part1895, ], on_success: processor_chain([ dup27, @@ -24309,10 +22073,9 @@ var all393 = all_match({ ]), }); -var msg1193 = msg("00767:32", all393); +var msg1193 = msg("00767:32", all387); -var part1902 = // "Pattern{Constant('Daylight Saving Time has started. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([ +var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -24321,11 +22084,10 @@ match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has sta dup5, ])); -var msg1194 = msg("00767:33", part1902); +var msg1194 = msg("00767:33", part1896); -var part1903 = // "Pattern{Constant('NetScreen devices do not support multiple IP addresses '), Field(hostip,true), Constant(' or ports '), Field(network_port,true), Constant(' in SIP headers RESPONSE ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ - dup315, +var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ + dup313, dup2, dup3, dup9, @@ -24333,10 +22095,9 @@ match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not sup dup5, ])); -var msg1195 = msg("00767:34", part1903); +var msg1195 = msg("00767:34", part1897); -var part1904 = // "Pattern{Constant('Environment variable '), Field(fld2,true), Constant(' set to '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ +var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24345,10 +22106,9 @@ match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2- dup5, ])); -var msg1196 = msg("00767:35", part1904); +var msg1196 = msg("00767:35", part1898); -var part1905 = // "Pattern{Constant('System configuration saved from '), Field(fld2,true), Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ +var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24357,11 +22117,10 @@ match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved f dup5, ])); -var msg1197 = msg("00767:36", part1905); +var msg1197 = msg("00767:36", part1899); -var part1906 = // "Pattern{Constant('Trial keys are available to download to enable advanced features. '), Field(space,true), Constant(' To find out, please visit '), Field(url,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ - dup256, +var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ + dup254, dup2, dup3, dup9, @@ -24369,10 +22128,9 @@ match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to dup5, ])); -var msg1198 = msg("00767:37", part1906); +var msg1198 = msg("00767:37", part1900); -var part1907 = // "Pattern{Constant('Log buffer was full and remaining messages were sent to external destination. '), Field(fld2,true), Constant(' packets were dropped. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([ +var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([ setc("eventcategory","1602000000"), dup2, dup3, @@ -24381,46 +22139,40 @@ match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and rema dup5, ])); -var msg1199 = msg("00767:38", part1907); +var msg1199 = msg("00767:38", part1901); -var part1908 = // "Pattern{Constant('Cannot '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); +var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); -var part1909 = // "Pattern{Constant('download '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); +var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); -var part1910 = // "Pattern{Constant('parse '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); +var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); var select427 = linear_select([ - part1909, - part1910, + part1903, + part1904, ]); -var part1911 = // "Pattern{Constant('attack database '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); +var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); -var part1912 = // "Pattern{Constant('from '), Field(url,true), Constant(' ('), Field(result,false), Constant('). '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); +var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); -var part1913 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); +var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); var select428 = linear_select([ - part1912, - part1913, + part1906, + part1907, ]); -var all394 = all_match({ +var all388 = all_match({ processors: [ - part1908, + part1902, select427, - part1911, + part1905, select428, dup10, ], on_success: processor_chain([ - dup326, + dup324, dup2, dup3, dup9, @@ -24429,10 +22181,9 @@ var all394 = all_match({ ]), }); -var msg1200 = msg("00767:39", all394); +var msg1200 = msg("00767:39", all388); -var part1914 = // "Pattern{Constant('Deep Inspection update key is '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ +var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ dup62, dup2, dup3, @@ -24441,10 +22192,9 @@ match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key i dup5, ])); -var msg1201 = msg("00767:40", part1914); +var msg1201 = msg("00767:40", part1908); -var part1915 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ +var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24453,10 +22203,9 @@ match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved b dup5, ])); -var msg1202 = msg("00767:42", part1915); +var msg1202 = msg("00767:42", part1909); -var part1916 = // "Pattern{Constant('Daylight Saving Time ended. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([ +var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -24465,10 +22214,9 @@ match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. dup5, ])); -var msg1203 = msg("00767:43", part1916); +var msg1203 = msg("00767:43", part1910); -var part1917 = // "Pattern{Constant('New GMT zone ahead or behind by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ +var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ dup44, dup2, dup3, @@ -24477,10 +22225,9 @@ match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind dup5, ])); -var msg1204 = msg("00767:44", part1917); +var msg1204 = msg("00767:44", part1911); -var part1918 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' is saved to flash. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ +var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24489,10 +22236,9 @@ match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{ve dup5, ])); -var msg1205 = msg("00767:45", part1918); +var msg1205 = msg("00767:45", part1912); -var part1919 = // "Pattern{Constant('System configuration saved by netscreen via '), Field(logon_type,true), Constant(' by netscreen. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ +var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24501,10 +22247,9 @@ match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved b dup5, ])); -var msg1206 = msg("00767:46", part1919); +var msg1206 = msg("00767:46", part1913); -var part1920 = // "Pattern{Constant('User '), Field(username,true), Constant(' belongs to a different group in the RADIUS server than that allowed in the device. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ +var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ dup1, dup2, dup3, @@ -24513,19 +22258,17 @@ match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs t dup9, ])); -var msg1207 = msg("00767:47", part1920); +var msg1207 = msg("00767:47", part1914); -var part1921 = // "Pattern{Constant('System configuration saved by '), Field(p0,false)}" -match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); +var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); -var part1922 = // "Pattern{Field(logon_type,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); +var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); -var all395 = all_match({ +var all389 = all_match({ processors: [ - part1921, - dup367, - part1922, + part1915, + dup364, + part1916, ], on_success: processor_chain([ dup1, @@ -24537,11 +22280,10 @@ var all395 = all_match({ ]), }); -var msg1208 = msg("00767:24", all395); +var msg1208 = msg("00767:24", all389); -var part1923 = // "Pattern{Constant('HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([ - dup274, +var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([ + dup272, dup2, dup3, dup9, @@ -24549,30 +22291,26 @@ match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) dup5, ])); -var msg1209 = msg("00767:48", part1923); +var msg1209 = msg("00767:48", part1917); -var part1924 = // "Pattern{Field(fld2,true), Constant(' turn o'), Field(p0,false)}" -match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); +var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); -var part1925 = // "Pattern{Constant('n'), Field(p0,false)}" -match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); +var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); -var part1926 = // "Pattern{Constant('ff'), Field(p0,false)}" -match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); +var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); var select429 = linear_select([ - part1925, - part1926, + part1919, + part1920, ]); -var part1927 = // "Pattern{Field(,false), Constant('debug switch for '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); +var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); -var all396 = all_match({ +var all390 = all_match({ processors: [ - part1924, + part1918, select429, - part1927, + part1921, ], on_success: processor_chain([ dup1, @@ -24583,7 +22321,7 @@ var all396 = all_match({ ]), }); -var msg1210 = msg("00767:49", all396); +var msg1210 = msg("00767:49", all390); var select430 = linear_select([ msg1158, @@ -24641,26 +22379,25 @@ var select430 = linear_select([ msg1210, ]); -var part1928 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, - dup279, - dup3, + dup274, dup277, + dup3, + dup275, dup60, ])); -var msg1211 = msg("01269", part1928); +var msg1211 = msg("01269", part1922); -var msg1212 = msg("01269:01", dup410); +var msg1212 = msg("01269:01", dup407); -var msg1213 = msg("01269:02", dup411); +var msg1213 = msg("01269:02", dup408); -var msg1214 = msg("01269:03", dup412); +var msg1214 = msg("01269:03", dup409); var select431 = linear_select([ msg1211, @@ -24669,67 +22406,63 @@ var select431 = linear_select([ msg1214, ]); -var part1929 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup278, - dup279, + dup276, dup277, - dup334, + dup275, + dup332, ])); -var msg1215 = msg("17852", part1929); +var msg1215 = msg("17852", part1923); -var part1930 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, - dup334, - dup284, + dup275, + dup332, + dup282, ])); -var msg1216 = msg("17852:01", part1930); +var msg1216 = msg("17852:01", part1924); -var part1931 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup61, ])); -var msg1217 = msg("17852:02", part1931); +var msg1217 = msg("17852:02", part1925); -var part1932 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, - dup334, - dup284, + dup275, + dup332, + dup282, ])); -var msg1218 = msg("17852:03", part1932); +var msg1218 = msg("17852:03", part1926); var select432 = linear_select([ msg1215, @@ -24738,53 +22471,50 @@ var select432 = linear_select([ msg1218, ]); -var msg1219 = msg("23184", dup413); +var msg1219 = msg("23184", dup410); -var part1933 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup61, - dup284, + dup282, ])); -var msg1220 = msg("23184:01", part1933); +var msg1220 = msg("23184:01", part1927); -var part1934 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup278, - dup279, + dup276, dup277, + dup275, dup61, ])); -var msg1221 = msg("23184:02", part1934); +var msg1221 = msg("23184:02", part1928); -var part1935 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, - dup334, - dup284, + dup275, + dup332, + dup282, ])); -var msg1222 = msg("23184:03", part1935); +var msg1222 = msg("23184:03", part1929); var select433 = linear_select([ msg1219, @@ -24793,49 +22523,47 @@ var select433 = linear_select([ msg1222, ]); -var msg1223 = msg("27052", dup413); +var msg1223 = msg("27052", dup410); -var part1936 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,false), Constant('direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup283, +var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup61, - dup284, + dup282, ])); -var msg1224 = msg("27052:01", part1936); +var msg1224 = msg("27052:01", part1930); var select434 = linear_select([ msg1223, msg1224, ]); -var part1937 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, - dup279, + dup277, dup5, - dup276, + dup274, dup3, - dup277, - dup278, + dup275, + dup276, dup60, ])); -var msg1225 = msg("39568", part1937); +var msg1225 = msg("39568", part1931); -var msg1226 = msg("39568:01", dup410); +var msg1226 = msg("39568:01", dup407); -var msg1227 = msg("39568:02", dup411); +var msg1227 = msg("39568:02", dup408); -var msg1228 = msg("39568:03", dup412); +var msg1228 = msg("39568:03", dup409); var select435 = linear_select([ msg1225, @@ -25010,751 +22738,500 @@ var chain1 = processor_chain([ }), ]); -var part1938 = // "Pattern{Constant('Address '), Field(group_object,true), Constant(' for '), Field(p0,false)}" -match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); - -var part1939 = // "Pattern{Constant('domain address '), Field(domain,true), Constant(' in zone '), Field(p0,false)}" -match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); +var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); -var part1940 = // "Pattern{Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); +var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); -var part1941 = // "Pattern{Constant('('), Field(fld1,false), Constant(')')}" -match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); +var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); -var part1942 = // "Pattern{Field(fld1,false)}" -match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); +var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); -var part1943 = // "Pattern{Constant('Address '), Field(p0,false)}" -match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); +var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); -var part1944 = // "Pattern{Constant('MIP('), Field(interface,false), Constant(') '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); +var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); -var part1945 = // "Pattern{Field(group_object,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); +var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); -var part1946 = // "Pattern{Constant('admin '), Field(p0,false)}" -match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); +var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); -var part1947 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); +var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); -var part1948 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ')}" -match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); +var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); -var part1949 = // "Pattern{}" -match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); +var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); -var part1950 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); +var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); -var part1951 = // "Pattern{Constant('password '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); +var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); -var part1952 = // "Pattern{Constant('name '), Field(p0,false)}" -match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); +var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); -var part1953 = // "Pattern{Field(administrator,false)}" -match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); +var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); -var part1954 = // "Pattern{Field(disposition,false)}" -match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); +var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); -var part1955 = // "Pattern{Constant('via '), Field(p0,false)}" -match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); +var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); -var part1956 = // "Pattern{Field(fld1,false), Constant(')')}" -match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); +var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); -var part1957 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(p0,false)}" -match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); +var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); -var part1958 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); +var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); -var part1959 = // "Pattern{Field(username,true), Constant(' via '), Field(p0,false)}" -match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); +var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); -var part1960 = // "Pattern{Constant('NSRP Peer . ('), Field(p0,false)}" -match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); +var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); -var part1961 = // "Pattern{Constant('. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); +var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); -var part1962 = // "Pattern{Constant('changed'), Field(p0,false)}" -match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); +var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); -var part1963 = // "Pattern{Constant('The '), Field(p0,false)}" -match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); +var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); -var part1964 = // "Pattern{Constant('interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); +var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); -var part1965 = // "Pattern{Constant('Interface'), Field(p0,false)}" -match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); +var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); -var part1966 = // "Pattern{Constant('DNS entries have been '), Field(p0,false)}" -match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); +var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); -var part1967 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); +var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); -var part1968 = // "Pattern{Field(zone,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); +var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); -var part1969 = // "Pattern{Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); +var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); -var part1970 = // "Pattern{Constant('int '), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); -var part1971 = // "Pattern{Field(dport,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); +var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); -var part1972 = // "Pattern{Field(dport,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); +var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); -var part1973 = // "Pattern{Field(space,false), Constant('using protocol '), Field(p0,false)}" -match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); +var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); -var part1974 = // "Pattern{Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); +var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); -var part1975 = // "Pattern{Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); +var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); -var part1976 = // "Pattern{Constant('. '), Field(p0,false)}" -match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); +var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); -var part1977 = // "Pattern{Field(fld2,false), Constant(': SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); +var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); -var part1978 = // "Pattern{Constant('SYN '), Field(p0,false)}" -match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); +var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); -var part1979 = // "Pattern{Constant('timeout value '), Field(p0,false)}" -match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); +var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); -var part1980 = // "Pattern{Constant('destination '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); +var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); -var part1981 = // "Pattern{Constant('source '), Field(p0,false)}" -match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); +var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); -var part1982 = // "Pattern{Constant('A '), Field(p0,false)}" -match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); +var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); -var part1983 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); -var part1984 = // "Pattern{Constant(', int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); +var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part1985 = // "Pattern{Constant('int '), Field(p0,false)}" -match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); +var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); -var part1986 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); +var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); -var part1987 = // "Pattern{Constant('HA '), Field(p0,false)}" -match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); +var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); -var part1988 = // "Pattern{Constant('encryption '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); +var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); -var part1989 = // "Pattern{Constant('authentication '), Field(p0,false)}" -match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); +var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); -var part1990 = // "Pattern{Constant('key '), Field(p0,false)}" -match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); +var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); -var part1991 = // "Pattern{Constant('disabled'), Field(,false)}" -match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); +var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); -var part1992 = // "Pattern{Constant('set to '), Field(trigger_val,false)}" -match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); +var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); -var part1993 = // "Pattern{Constant('up'), Field(,false)}" -match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); +var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); -var part1994 = // "Pattern{Constant('down'), Field(,false)}" -match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); +var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); -var part1995 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); +var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); -var part1996 = // "Pattern{Constant('set'), Field(,false)}" -match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); +var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); -var part1997 = // "Pattern{Constant('unset'), Field(,false)}" -match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); +var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); -var part1998 = // "Pattern{Constant('undefined '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); +var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); -var part1999 = // "Pattern{Constant('set '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); +var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); -var part2000 = // "Pattern{Constant('active '), Field(p0,false)}" -match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); +var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); -var part2001 = // "Pattern{Constant('to '), Field(p0,false)}" -match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); +var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); -var part2002 = // "Pattern{Constant('created '), Field(p0,false)}" -match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); +var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); -var part2003 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); +var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); -var part2004 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); +var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); -var part2005 = // "Pattern{Constant('was '), Field(p0,false)}" -match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); +var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); -var part2006 = // "Pattern{Constant(''), Field(fld2,false)}" -match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); +var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); -var part2007 = // "Pattern{Constant('threshold '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); +var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); -var part2008 = // "Pattern{Constant('interval '), Field(p0,false)}" -match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); +var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); -var part2009 = // "Pattern{Constant('of '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); +var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); -var part2010 = // "Pattern{Constant('that '), Field(p0,false)}" -match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); +var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); -var part2011 = // "Pattern{Constant('Zone '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); +var part2004 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); -var part2012 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); +var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); -var part2013 = // "Pattern{Constant('n '), Field(p0,false)}" -match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); +var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); -var part2014 = // "Pattern{Constant('.'), Field(,false)}" -match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); +var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); -var part2015 = // "Pattern{Constant('for '), Field(p0,false)}" -match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); +var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); -var part2016 = // "Pattern{Constant('the '), Field(p0,false)}" -match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); +var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); -var part2017 = // "Pattern{Constant('removed '), Field(p0,false)}" -match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); +var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); -var part2018 = // "Pattern{Constant('interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); +var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); -var part2019 = // "Pattern{Constant('the interface '), Field(p0,false)}" -match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); +var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); -var part2020 = // "Pattern{Field(interface,false)}" -match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); +var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); -var part2021 = // "Pattern{Constant('s '), Field(p0,false)}" -match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); +var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); -var part2022 = // "Pattern{Constant('on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); +var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); -var part2023 = // "Pattern{Constant('has been '), Field(p0,false)}" -match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); +var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); -var part2024 = // "Pattern{Constant(''), Field(disposition,false), Constant('.')}" -match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); +var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); -var part2025 = // "Pattern{Constant('removed from '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); +var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); -var part2026 = // "Pattern{Constant('added to '), Field(p0,false)}" -match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); +var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); -var part2027 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); +var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); -var part2028 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); -var part2029 = // "Pattern{Constant('Interface '), Field(p0,false)}" -match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); +var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2030 = // "Pattern{Constant('set to '), Field(fld2,false)}" -match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); +var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); -var part2031 = // "Pattern{Constant('gateway '), Field(p0,false)}" -match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); +var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); -var part2032 = // "Pattern{Field(,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); +var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); -var part2033 = // "Pattern{Constant('port number '), Field(p0,false)}" -match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); +var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); -var part2034 = // "Pattern{Constant('has been '), Field(disposition,false)}" -match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); +var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); -var part2035 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); +var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); -var part2036 = // "Pattern{Constant('port '), Field(p0,false)}" -match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); +var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); -var part2037 = // "Pattern{Constant('up '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); +var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); -var part2038 = // "Pattern{Constant('down '), Field(p0,false)}" -match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); +var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); -var part2039 = // "Pattern{Constant('('), Field(fld1,false), Constant(') ')}" -match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); +var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); -var part2040 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); +var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); -var part2041 = // "Pattern{Constant('IP '), Field(p0,false)}" -match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); +var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); -var part2042 = // "Pattern{Constant('address pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); +var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); -var part2043 = // "Pattern{Constant('pool '), Field(p0,false)}" -match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); +var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); -var part2044 = // "Pattern{Constant('enabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); +var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); -var part2045 = // "Pattern{Constant('disabled '), Field(p0,false)}" -match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); +var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); -var part2046 = // "Pattern{Constant('AH '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); +var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); -var part2047 = // "Pattern{Constant('ESP '), Field(p0,false)}" -match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); +var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); -var part2048 = // "Pattern{Constant('Â’'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_0", "nwparser.p0", "Â’%{p0}"); +var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); -var part2049 = // "Pattern{Constant('&'), Field(p0,false)}" -match("MESSAGE#347:00018:02/1_1", "nwparser.p0", "\u0026%{p0}"); +var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); -var part2050 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); +var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); -var part2051 = // "Pattern{Constant('Source'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); +var part2044 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); -var part2052 = // "Pattern{Constant('Destination'), Field(p0,false)}" -match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); +var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); -var part2053 = // "Pattern{Constant('from '), Field(p0,false)}" -match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); +var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); -var part2054 = // "Pattern{Constant('policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); +var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); -var part2055 = // "Pattern{Constant('Attempt to enable '), Field(p0,false)}" -match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); +var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); -var part2056 = // "Pattern{Constant('traffic logging via syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); +var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); -var part2057 = // "Pattern{Constant('syslog '), Field(p0,false)}" -match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); +var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); -var part2058 = // "Pattern{Constant('Syslog '), Field(p0,false)}" -match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); +var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); -var part2059 = // "Pattern{Constant('host '), Field(p0,false)}" -match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); +var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); -var part2060 = // "Pattern{Constant('domain name '), Field(p0,false)}" -match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); +var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); -var part2061 = // "Pattern{Constant('has been changed to '), Field(fld2,false)}" -match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); +var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); -var part2062 = // "Pattern{Constant('security facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); +var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); -var part2063 = // "Pattern{Constant('facility '), Field(p0,false)}" -match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); +var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); -var part2064 = // "Pattern{Constant('local0'), Field(,false)}" -match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); +var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); -var part2065 = // "Pattern{Constant('local1'), Field(,false)}" -match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); +var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); -var part2066 = // "Pattern{Constant('local2'), Field(,false)}" -match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); +var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); -var part2067 = // "Pattern{Constant('local3'), Field(,false)}" -match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); +var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); -var part2068 = // "Pattern{Constant('local4'), Field(,false)}" -match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); +var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); -var part2069 = // "Pattern{Constant('local5'), Field(,false)}" -match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); +var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); -var part2070 = // "Pattern{Constant('local6'), Field(,false)}" -match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); +var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); -var part2071 = // "Pattern{Constant('local7'), Field(,false)}" -match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); +var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); -var part2072 = // "Pattern{Constant('auth/sec'), Field(,false)}" -match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); +var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); -var part2073 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); +var part2066 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); -var part2074 = // "Pattern{Constant('All '), Field(p0,false)}" -match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); +var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); -var part2075 = // "Pattern{Constant('primary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); +var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); -var part2076 = // "Pattern{Constant('secondary '), Field(p0,false)}" -match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); +var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); -var part2077 = // "Pattern{Constant('t '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); +var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); -var part2078 = // "Pattern{Constant('w '), Field(p0,false)}" -match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); +var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); -var part2079 = // "Pattern{Constant('server '), Field(p0,false)}" -match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); +var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); -var part2080 = // "Pattern{Constant('has '), Field(p0,false)}" -match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); +var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); -var part2081 = // "Pattern{Constant('SCS'), Field(p0,false)}" -match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); +var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); -var part2082 = // "Pattern{Constant('bound to '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); +var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); -var part2083 = // "Pattern{Constant('unbound from '), Field(p0,false)}" -match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); +var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); -var part2084 = // "Pattern{Constant('PKA RSA '), Field(p0,false)}" -match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); +var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); -var part2085 = // "Pattern{Constant('unbind '), Field(p0,false)}" -match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); +var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); -var part2086 = // "Pattern{Constant('PKA key '), Field(p0,false)}" -match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); +var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); -var part2087 = // "Pattern{Constant('Multiple login failures '), Field(p0,false)}" -match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); +var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); -var part2088 = // "Pattern{Constant('occurred for '), Field(p0,false)}" -match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); +var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); -var part2089 = // "Pattern{Constant('aborted'), Field(,false)}" -match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); +var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); -var part2090 = // "Pattern{Constant('performed'), Field(,false)}" -match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); +var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); -var part2091 = // "Pattern{Constant('IP pool of DHCP server on '), Field(p0,false)}" -match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); +var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); -var part2092 = // "Pattern{Constant('certificate '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); +var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); -var part2093 = // "Pattern{Constant('CRL '), Field(p0,false)}" -match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); +var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); -var part2094 = // "Pattern{Constant('auto '), Field(p0,false)}" -match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); +var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); -var part2095 = // "Pattern{Constant('RSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); +var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); -var part2096 = // "Pattern{Constant('DSA '), Field(p0,false)}" -match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); +var part2089 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); -var part2097 = // "Pattern{Constant('key pair.'), Field(,false)}" -match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); +var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); -var part2098 = // "Pattern{Constant('FIPS test for '), Field(p0,false)}" -match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); +var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); -var part2099 = // "Pattern{Constant('ECDSA '), Field(p0,false)}" -match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); +var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); -var part2100 = // "Pattern{Constant('yes '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); +var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); -var part2101 = // "Pattern{Constant('no '), Field(p0,false)}" -match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); +var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); -var part2102 = // "Pattern{Constant('location '), Field(p0,false)}" -match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); +var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); -var part2103 = // "Pattern{Field(,true), Constant(' '), Field(interface,false)}" -match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); +var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); -var part2104 = // "Pattern{Constant('arp re'), Field(p0,false)}" -match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); +var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); -var part2105 = // "Pattern{Constant('q '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); +var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); -var part2106 = // "Pattern{Constant('ply '), Field(p0,false)}" -match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); +var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); -var part2107 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); +var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); -var part2108 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" -match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); +var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); -var part2109 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); +var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); -var part2110 = // "Pattern{Constant('NACN Policy Manager '), Field(p0,false)}" -match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); +var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); -var part2111 = // "Pattern{Constant('1 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); +var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); -var part2112 = // "Pattern{Constant('2 '), Field(p0,false)}" -match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); +var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); -var part2113 = // "Pattern{Constant('unset '), Field(p0,false)}" -match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); +var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2114 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); -var part2115 = // "Pattern{Constant('SSH '), Field(p0,false)}" -match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); +var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); -var part2116 = // "Pattern{Constant('SCS: NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); +var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); -var part2117 = // "Pattern{Constant('NetScreen '), Field(p0,false)}" -match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); +var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); -var part2118 = // "Pattern{Constant('S'), Field(p0,false)}" -match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); +var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); -var part2119 = // "Pattern{Constant('CS: SSH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); +var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); -var part2120 = // "Pattern{Constant('SH'), Field(p0,false)}" -match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); +var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); -var part2121 = // "Pattern{Constant('the root system '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); +var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); -var part2122 = // "Pattern{Constant('vsys '), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); +var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); -var part2123 = // "Pattern{Constant('CS: SSH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); +var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); -var part2124 = // "Pattern{Constant('SH '), Field(p0,false)}" -match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); +var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); -var part2125 = // "Pattern{Constant('a '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); +var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); -var part2126 = // "Pattern{Constant('ert '), Field(p0,false)}" -match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); +var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); -var part2127 = // "Pattern{Constant('SSL '), Field(p0,false)}" -match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); +var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); -var part2128 = // "Pattern{Constant('id: '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); +var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); -var part2129 = // "Pattern{Constant('ID '), Field(p0,false)}" -match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); +var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); -var part2130 = // "Pattern{Constant('permit '), Field(p0,false)}" -match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); +var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); -var part2131 = // "Pattern{Constant('IGMP '), Field(p0,false)}" -match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); +var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); -var part2132 = // "Pattern{Constant('IGMP will '), Field(p0,false)}" -match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); +var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); -var part2133 = // "Pattern{Constant('not do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); +var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); -var part2134 = // "Pattern{Constant('do '), Field(p0,false)}" -match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); +var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); -var part2135 = // "Pattern{Constant('shut down '), Field(p0,false)}" -match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); +var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); -var part2136 = // "Pattern{Constant('NSRP: '), Field(p0,false)}" -match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); +var part2129 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); -var part2137 = // "Pattern{Constant('Unit '), Field(p0,false)}" -match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); +var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); -var part2138 = // "Pattern{Constant('local unit= '), Field(p0,false)}" -match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); +var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var part2139 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); -var part2140 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Sec'), Field(p0,false)}" -match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); +var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); -var part2141 = // "Pattern{Constant('ruity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); +var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); -var part2142 = // "Pattern{Constant('urity'), Field(p0,false)}" -match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); +var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); -var part2143 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state')}" -match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); +var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); -var part2144 = // "Pattern{Constant(''), Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); +var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); -var part2145 = // "Pattern{Constant('start_time='), Field(p0,false)}" -match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); +var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); -var part2146 = // "Pattern{Constant('\"'), Field(fld2,false), Constant('\"'), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); +var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); -var part2147 = // "Pattern{Constant(' "'), Field(fld2,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); +var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); -var part2148 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); +var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); -var part2149 = // "Pattern{Constant('Admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); +var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); -var part2150 = // "Pattern{Constant('Vsys admin '), Field(p0,false)}" -match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); +var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); -var part2151 = // "Pattern{Constant('Telnet '), Field(p0,false)}" -match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); +var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); -var part2152 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); +var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); -var part2153 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); +var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); -var part2154 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.'), Field(p0,false)}" -match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); +var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2155 = // "Pattern{Field(obj_type,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); -var part2156 = // "Pattern{Field(signame,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); +var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); -var part2157 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" -match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); +var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); -var part2158 = // "Pattern{Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); +var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); -var part2159 = // "Pattern{Constant('ut '), Field(p0,false)}" -match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); +var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); -var part2160 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); +var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); -var part2161 = // "Pattern{Constant('user '), Field(p0,false)}" -match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); +var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); -var part2162 = // "Pattern{Constant('the '), Field(logon_type,false)}" -match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); +var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); -var part2163 = // "Pattern{Constant('WebAuth user '), Field(p0,false)}" -match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); +var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); -var part2164 = // "Pattern{Constant('backup1 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); +var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); -var part2165 = // "Pattern{Constant('backup2 '), Field(p0,false)}" -match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); +var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); -var part2166 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); +var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); -var part2167 = // "Pattern{Constant('assigned '), Field(p0,false)}" -match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); +var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); -var part2168 = // "Pattern{Constant('assigned to '), Field(p0,false)}" -match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); +var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); -var part2169 = // "Pattern{Constant('''), Field(administrator,false), Constant('' '), Field(p0,false)}" -match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); +var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); -var part2170 = // "Pattern{Constant('SSH: P'), Field(p0,false)}" -match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); +var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); -var part2171 = // "Pattern{Constant('KA '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); +var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); -var part2172 = // "Pattern{Constant('assword '), Field(p0,false)}" -match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); +var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); -var part2173 = // "Pattern{Constant('\''), Field(administrator,false), Constant('\' '), Field(p0,false)}" -match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); +var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); -var part2174 = // "Pattern{Constant('at host '), Field(saddr,false)}" -match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); +var part2167 = match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); -var part2175 = // "Pattern{Field(,false), Constant('S'), Field(p0,false)}" -match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); +var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); -var part2176 = // "Pattern{Constant('CS '), Field(p0,false)}" -match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); +var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); -var part2177 = // "Pattern{Constant('from server.ini file.'), Field(,false)}" -match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); +var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); -var part2178 = // "Pattern{Constant('pattern '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); +var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); -var part2179 = // "Pattern{Constant('server.ini '), Field(p0,false)}" -match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); +var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); -var part2180 = // "Pattern{Constant('file.'), Field(,false)}" -match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); +var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); -var part2181 = // "Pattern{Constant('AV pattern '), Field(p0,false)}" -match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); +var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); -var part2182 = // "Pattern{Constant('added into '), Field(p0,false)}" -match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); - -var part2183 = // "Pattern{Constant('loader '), Field(p0,false)}" -match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); +var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); var select436 = linear_select([ dup10, dup11, ]); -var part2184 = // "Pattern{Constant('Policy ID='), Field(policy_id,true), Constant(' Rate='), Field(fld2,true), Constant(' exceeds threshold')}" -match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ +var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ dup1, dup2, dup3, @@ -25792,8 +23269,7 @@ var select442 = linear_select([ dup72, ]); -var part2185 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(interface,false), Constant(')')}" -match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ +var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ dup58, dup2, dup3, @@ -25899,41 +23375,38 @@ var select461 = linear_select([ ]); var select462 = linear_select([ - dup160, dup161, + dup162, ]); var select463 = linear_select([ dup163, - dup164, + dup103, ]); var select464 = linear_select([ - dup165, - dup103, + dup162, + dup161, ]); var select465 = linear_select([ - dup164, - dup163, + dup46, + dup47, ]); var select466 = linear_select([ - dup46, - dup47, + dup166, + dup167, ]); var select467 = linear_select([ - dup168, - dup169, + dup172, + dup173, ]); var select468 = linear_select([ dup174, dup175, -]); - -var select469 = linear_select([ dup176, dup177, dup178, @@ -25941,47 +23414,44 @@ var select469 = linear_select([ dup180, dup181, dup182, - dup183, - dup184, ]); -var select470 = linear_select([ +var select469 = linear_select([ dup49, dup21, ]); -var select471 = linear_select([ - dup191, - dup192, +var select470 = linear_select([ + dup189, + dup190, ]); -var select472 = linear_select([ +var select471 = linear_select([ dup96, dup152, ]); -var select473 = linear_select([ - dup198, - dup199, +var select472 = linear_select([ + dup196, + dup197, ]); -var select474 = linear_select([ +var select473 = linear_select([ dup24, - dup202, + dup200, ]); -var select475 = linear_select([ +var select474 = linear_select([ dup103, - dup165, + dup163, ]); -var select476 = linear_select([ - dup207, +var select475 = linear_select([ + dup205, dup118, ]); -var part2186 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" -match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ +var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ dup1, dup2, dup3, @@ -25989,49 +23459,54 @@ match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has bee dup5, ])); +var select476 = linear_select([ + dup212, + dup213, +]); + var select477 = linear_select([ - dup214, dup215, + dup216, ]); var select478 = linear_select([ - dup217, - dup218, + dup222, + dup215, ]); var select479 = linear_select([ dup224, - dup217, + dup225, ]); var select480 = linear_select([ - dup226, - dup227, + dup231, + dup124, ]); var select481 = linear_select([ - dup233, - dup124, + dup229, + dup230, ]); var select482 = linear_select([ - dup231, - dup232, + dup233, + dup234, ]); var select483 = linear_select([ - dup235, dup236, + dup237, ]); var select484 = linear_select([ - dup238, - dup239, + dup242, + dup243, ]); var select485 = linear_select([ - dup244, dup245, + dup246, ]); var select486 = linear_select([ @@ -26050,27 +23525,21 @@ var select488 = linear_select([ ]); var select489 = linear_select([ - dup253, - dup254, + dup260, + dup261, ]); var select490 = linear_select([ - dup262, - dup263, + dup264, + dup265, ]); var select491 = linear_select([ - dup266, - dup267, -]); - -var select492 = linear_select([ - dup270, - dup271, + dup268, + dup269, ]); -var part2187 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" -match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ +var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ dup1, dup2, dup3, @@ -26078,18 +23547,17 @@ match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in th dup5, ])); -var select493 = linear_select([ - dup286, - dup287, +var select492 = linear_select([ + dup284, + dup285, ]); -var select494 = linear_select([ - dup289, - dup290, +var select493 = linear_select([ + dup287, + dup288, ]); -var part2188 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" -match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ +var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ dup58, dup2, dup59, @@ -26099,8 +23567,7 @@ match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var part2189 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to zone '), Field(zone,false), Constant(', proto '), Field(protocol,true), Constant(' (int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" -match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ +var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ dup58, dup4, dup59, @@ -26111,116 +23578,112 @@ match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to dup60, ])); -var select495 = linear_select([ - dup302, +var select494 = linear_select([ + dup300, dup26, ]); -var select496 = linear_select([ +var select495 = linear_select([ dup115, - dup305, + dup303, ]); -var select497 = linear_select([ +var select496 = linear_select([ dup125, dup96, ]); +var select497 = linear_select([ + dup189, + dup308, + dup309, +]); + var select498 = linear_select([ - dup191, dup310, - dup311, + dup16, ]); var select499 = linear_select([ - dup312, - dup16, + dup317, + dup318, ]); var select500 = linear_select([ dup319, - dup320, + dup315, ]); var select501 = linear_select([ - dup321, - dup317, + dup322, + dup250, ]); var select502 = linear_select([ - dup324, - dup252, -]); - -var select503 = linear_select([ + dup327, dup329, - dup331, ]); -var select504 = linear_select([ - dup332, +var select503 = linear_select([ + dup330, dup129, ]); -var part2190 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var part2191 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup187, +var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup60, ])); -var part2192 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" -match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ - dup283, +var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, dup2, dup4, dup5, - dup276, + dup274, dup3, - dup277, + dup275, dup60, - dup284, + dup282, ])); -var part2193 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" -match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ - dup187, +var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, dup2, dup4, dup5, - dup276, + dup274, dup3, + dup275, + dup276, dup277, - dup278, - dup279, dup61, ])); -var all397 = all_match({ +var all391 = all_match({ processors: [ - dup265, - dup393, - dup268, + dup263, + dup390, + dup266, ], on_success: processor_chain([ dup1, @@ -26231,11 +23694,11 @@ var all397 = all_match({ ]), }); -var all398 = all_match({ +var all392 = all_match({ processors: [ - dup269, - dup394, - dup272, + dup267, + dup391, + dup270, ], on_success: processor_chain([ dup1, @@ -26246,11 +23709,11 @@ var all398 = all_match({ ]), }); -var all399 = all_match({ +var all393 = all_match({ processors: [ dup80, - dup345, - dup295, + dup343, + dup293, ], on_success: processor_chain([ dup58, @@ -26263,14 +23726,14 @@ var all399 = all_match({ ]), }); -var all400 = all_match({ +var all394 = all_match({ processors: [ - dup298, - dup345, + dup296, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, @@ -26281,14 +23744,14 @@ var all400 = all_match({ ]), }); -var all401 = all_match({ +var all395 = all_match({ processors: [ - dup300, - dup345, + dup298, + dup343, dup131, ], on_success: processor_chain([ - dup299, + dup297, dup2, dup3, dup9, diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js b/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js index 618356e4723..bc962bd964d 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/pipeline.js @@ -21,20 +21,15 @@ function DeviceProcessor() { } } -var dup1 = // "Pattern{Constant('info'), Field(p0,false)}" -match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); +var dup1 = match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); -var dup2 = // "Pattern{Constant('rprt'), Field(p0,false)}" -match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); +var dup2 = match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); -var dup3 = // "Pattern{Constant('warn'), Field(p0,false)}" -match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); +var dup3 = match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); -var dup4 = // "Pattern{Constant('err'), Field(p0,false)}" -match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); +var dup4 = match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); -var dup5 = // "Pattern{Constant('note'), Field(p0,false)}" -match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); +var dup5 = match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); var dup6 = call({ dest: "nwparser.messageid", @@ -74,24 +69,19 @@ var dup12 = setc("dclass_counter1_string","No of attachments:"); var dup13 = setc("dclass_counter2_string","No of recipients:"); -var dup14 = // "Pattern{Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); +var dup14 = match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); -var dup15 = // "Pattern{Field(hostip,false)}" -match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); +var dup15 = match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); var dup16 = setc("eventcategory","1207030000"); var dup17 = setc("eventcategory","1207000000"); -var dup18 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); +var dup18 = match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); -var dup19 = // "Pattern{Constant('attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); +var dup19 = match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); -var dup20 = // "Pattern{Constant('mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); +var dup20 = match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); var dup21 = call({ dest: "nwparser.filename", @@ -103,11 +93,9 @@ var dup21 = call({ var dup22 = setc("eventcategory","1207040200"); -var dup23 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' version="'), Field(component_version,false), Constant('" duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); +var dup23 = match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); -var dup24 = // "Pattern{Field(duration_string,false)}" -match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); +var dup24 = match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); var dup25 = setc("eventcategory","1003010000"); @@ -115,29 +103,21 @@ var dup26 = setc("eventcategory","1003000000"); var dup27 = setc("eventcategory","1207040000"); -var dup28 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); +var dup28 = match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); -var dup29 = // "Pattern{Constant('['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); +var dup29 = match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); -var dup30 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); +var dup30 = match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); -var dup31 = // "Pattern{Field(dhost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); +var dup31 = match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); -var dup32 = // "Pattern{Field(,false), Constant('dsn='), Field(resultcode,false), Constant(', stat='), Field(info,false)}" -match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); +var dup32 = match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); -var dup33 = // "Pattern{Constant('['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); +var dup33 = match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); -var dup34 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); +var dup34 = match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); -var dup35 = // "Pattern{Field(dhost,false)}" -match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); +var dup35 = match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); var dup36 = date_time({ dest: "event_time", @@ -147,29 +127,21 @@ var dup36 = date_time({ ], }); -var dup37 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); +var dup37 = match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); -var dup38 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var dup38 = match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); -var dup39 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); +var dup39 = match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); -var dup40 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); +var dup40 = match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); -var dup41 = // "Pattern{Field(,false), Constant('field='), Field(fld2,false), Constant(', status='), Field(info,false)}" -match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); +var dup41 = match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); -var dup42 = // "Pattern{Field(,false), Constant('version='), Field(fld55,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); +var dup42 = match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); -var dup43 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(fld71,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); +var dup43 = match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); -var dup44 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var dup44 = match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); var dup45 = linear_select([ dup1, @@ -189,62 +161,52 @@ var dup47 = linear_select([ dup20, ]); -var dup48 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" -match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ +var dup48 = match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ dup26, dup9, ])); -var dup49 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var dup49 = match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var dup50 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var dup50 = match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var dup51 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" -match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ +var dup51 = match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ dup17, dup9, ])); -var dup52 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var dup52 = match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup17, dup9, ])); -var dup53 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" -match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ +var dup53 = match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ dup27, dup9, ])); -var dup54 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' version='), Field(fld55,false)}" -match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ +var dup54 = match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ dup17, dup9, ])); -var dup55 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sig='), Field(fld60,false)}" -match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ +var dup55 = match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ dup17, dup9, ])); -var dup56 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,false)}" -match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ +var dup56 = match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ dup17, dup9, ])); -var dup57 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' addr='), Field(saddr,false)}" -match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ +var dup57 = match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ dup17, dup9, ])); @@ -263,20 +225,17 @@ var dup59 = linear_select([ dup35, ]); -var dup60 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': timeout waiting for input from '), Field(fld11,true), Constant(' during server cmd read')}" -match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ +var dup60 = match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ dup17, dup9, ])); -var dup61 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ +var dup61 = match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ dup17, dup9, ])); -var dup62 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" -match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ +var dup62 = match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ dup17, dup9, ])); @@ -351,8 +310,7 @@ var dup68 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld3,false), Constant(']: '), Field(p0,false)}" -match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{hinstance}[%{hfld3}]: %{p0}", processor_chain([ +var hdr1 = match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{hinstance}[%{hfld3}]: %{p0}", processor_chain([ call({ dest: "nwparser.payload", fn: STRCAT, @@ -366,8 +324,7 @@ match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{h }), ])); -var part1 = // "Pattern{Field(,false), Constant('s='), Field(hfld4,true), Constant(' cmd=send '), Field(p0,false)}" -match("HEADER#0:0024/2", "nwparser.p0", "%{}s=%{hfld4->} cmd=send %{p0}"); +var part1 = match("HEADER#0:0024/2", "nwparser.p0", "%{}s=%{hfld4->} cmd=send %{p0}"); var all1 = all_match({ processors: [ @@ -381,11 +338,9 @@ var all1 = all_match({ ]), }); -var hdr2 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld3,false), Constant(']: '), Field(p0,false)}" -match("HEADER#1:0023/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]: %{p0}"); +var hdr2 = match("HEADER#1:0023/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]: %{p0}"); -var part2 = // "Pattern{Field(,true), Constant(' '), Field(payload,false)}" -match("HEADER#1:0023/2", "nwparser.p0", "%{} %{payload}"); +var part2 = match("HEADER#1:0023/2", "nwparser.p0", "%{} %{payload}"); var all2 = all_match({ processors: [ @@ -398,8 +353,7 @@ var all2 = all_match({ ]), }); -var hdr3 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(p0,false)}" -match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} %{messageid}[%{hfld2}]: %{p0}", processor_chain([ +var hdr3 = match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} %{messageid}[%{hfld2}]: %{p0}", processor_chain([ setc("header_id","0025"), call({ dest: "nwparser.payload", @@ -414,8 +368,7 @@ match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} % }), ])); -var hdr4 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld4,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' attachment='), Field(hfld7,true), Constant(' file='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %{hinstance}[%{hfld4}]: %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr4 = match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %{hinstance}[%{hfld4}]: %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0026"), dup6, call({ @@ -447,8 +400,7 @@ match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname-> }), ])); -var hdr5 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' attachment='), Field(hfld7,true), Constant(' file='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr5 = match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0003"), dup6, call({ @@ -478,8 +430,7 @@ match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance- }), ])); -var hdr6 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld3,true), Constant(' m='), Field(hfld4,true), Constant(' x='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} m=%{hfld4->} x=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr6 = match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} m=%{hfld4->} x=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0015"), dup6, call({ @@ -507,8 +458,7 @@ match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr7 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld3,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr7 = match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0016"), dup6, call({ @@ -532,8 +482,7 @@ match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr8 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(severity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(p0,false)}" -match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ +var hdr8 = match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ setc("header_id","0017"), call({ dest: "nwparser.messageid", @@ -546,8 +495,7 @@ match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % dup7, ])); -var hdr9 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant(': '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' m='), Field(hfld3,true), Constant(' x='), Field(hfld4,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} cmd=%{messageid->} %{p0}", processor_chain([ +var hdr9 = match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} cmd=%{messageid->} %{p0}", processor_chain([ setc("header_id","0018"), call({ dest: "nwparser.payload", @@ -570,8 +518,7 @@ match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr10 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance->} %{hseverity->} s=%{hfld2->} mod=%{messageid->} %{p0}", processor_chain([ +var hdr10 = match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance->} %{hseverity->} s=%{hfld2->} mod=%{messageid->} %{p0}", processor_chain([ setc("header_id","0019"), call({ dest: "nwparser.payload", @@ -590,8 +537,7 @@ match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} % }), ])); -var hdr11 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,false), Constant('='), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} mod=%{msgIdPart1->} %{msgIdPart2}=%{hfld3->} %{p0}", processor_chain([ +var hdr11 = match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} mod=%{msgIdPart1->} %{msgIdPart2}=%{hfld3->} %{p0}", processor_chain([ setc("header_id","0020"), dup6, call({ @@ -615,8 +561,7 @@ match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} }), ])); -var hdr12 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(severity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(p0,false)}" -match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ +var hdr12 = match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ setc("header_id","0021"), call({ dest: "nwparser.messageid", @@ -629,8 +574,7 @@ match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} dup7, ])); -var hdr13 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant(': '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' m='), Field(hfld3,true), Constant(' x='), Field(hfld4,true), Constant(' '), Field(msgIdPart1,false), Constant('='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} %{msgIdPart1}=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr13 = match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} %{msgIdPart1}=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0022"), dup6, call({ @@ -656,8 +600,7 @@ match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} }), ])); -var hdr14 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr14 = match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0001"), dup6, call({ @@ -683,8 +626,7 @@ match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr15 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} cmd=%{messageid->} %{p0}", processor_chain([ +var hdr15 = match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} cmd=%{messageid->} %{p0}", processor_chain([ setc("header_id","0008"), call({ dest: "nwparser.payload", @@ -707,8 +649,7 @@ match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr16 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr16 = match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0002"), dup6, call({ @@ -730,8 +671,7 @@ match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr17 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{messageid->} %{p0}", processor_chain([ +var hdr17 = match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{messageid->} %{p0}", processor_chain([ setc("header_id","0007"), call({ dest: "nwparser.payload", @@ -750,8 +690,7 @@ match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr18 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} cmd=%{messageid->} %{p0}", processor_chain([ +var hdr18 = match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} cmd=%{messageid->} %{p0}", processor_chain([ setc("header_id","0012"), call({ dest: "nwparser.payload", @@ -770,8 +709,7 @@ match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr19 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' type='), Field(hfld5,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} type=%{hfld5->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr19 = match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} type=%{hfld5->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0004"), dup6, call({ @@ -793,8 +731,7 @@ match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr20 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' pid='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} pid=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr20 = match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} pid=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0005"), dup6, call({ @@ -816,8 +753,7 @@ match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr21 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" -match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ +var hdr21 = match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ setc("header_id","0006"), dup6, call({ @@ -837,8 +773,7 @@ match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr22 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{messageid->} %{p0}", processor_chain([ +var hdr22 = match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{messageid->} %{p0}", processor_chain([ setc("header_id","0009"), call({ dest: "nwparser.payload", @@ -855,8 +790,7 @@ match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr23 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} %{hinstance}[%{hfld1}]: %{messageid->} %{p0}", processor_chain([ +var hdr23 = match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} %{hinstance}[%{hfld1}]: %{messageid->} %{p0}", processor_chain([ setc("header_id","0014"), call({ dest: "nwparser.payload", @@ -873,8 +807,7 @@ match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} }), ])); -var hdr24 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(p0,false)}" -match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid}[%{hfld1}]: %{p0}", processor_chain([ +var hdr24 = match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid}[%{hfld1}]: %{p0}", processor_chain([ setc("header_id","0013"), call({ dest: "nwparser.payload", @@ -891,8 +824,7 @@ match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr25 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid->} %{p0}", processor_chain([ +var hdr25 = match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0011"), call({ dest: "nwparser.payload", @@ -907,8 +839,7 @@ match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance }), ])); -var hdr26 = // "Pattern{Field(messageid,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(p0,false)}" -match("HEADER#25:0010", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ +var hdr26 = match("HEADER#25:0010", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ setc("header_id","0010"), call({ dest: "nwparser.payload", @@ -952,16 +883,14 @@ var select1 = linear_select([ hdr26, ]); -var part3 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' r='), Field(event_counter,true), Constant(' value='), Field(to,true), Constant(' verified='), Field(fld3,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#0:mail_env_rcpt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ +var part3 = match("MESSAGE#0:mail_env_rcpt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ dup8, dup9, ])); var msg1 = msg("mail_env_rcpt", part3); -var part4 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' r='), Field(event_counter,true), Constant(' value='), Field(to,true), Constant(' verified='), Field(fld3,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#1:mail_env_rcpt:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ +var part4 = match("MESSAGE#1:mail_env_rcpt:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ dup8, dup9, ])); @@ -973,32 +902,28 @@ var select2 = linear_select([ msg2, ]); -var part5 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,true), Constant(' a='), Field(fld12,false)}" -match("MESSAGE#2:mail_attachment", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ +var part5 = match("MESSAGE#2:mail_attachment", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ dup10, dup9, ])); var msg3 = msg("mail_attachment", part5); -var part6 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,true), Constant(' a='), Field(fld12,false)}" -match("MESSAGE#3:mail_attachment:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ +var part6 = match("MESSAGE#3:mail_attachment:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ dup10, dup9, ])); var msg4 = msg("mail_attachment:01", part6); -var part7 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,false)}" -match("MESSAGE#4:mail_attachment:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ +var part7 = match("MESSAGE#4:mail_attachment:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ dup10, dup9, ])); var msg5 = msg("mail_attachment:02", part7); -var part8 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,false)}" -match("MESSAGE#5:mail_attachment:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ +var part8 = match("MESSAGE#5:mail_attachment:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ dup10, dup9, ])); @@ -1012,8 +937,7 @@ var select3 = linear_select([ msg6, ]); -var part9 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part9 = match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1022,8 +946,7 @@ match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{ses var msg7 = msg("mail_msg", part9); -var part10 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part10 = match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1032,8 +955,7 @@ match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{ var msg8 = msg("mail_msg:01", part10); -var part11 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part11 = match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1042,8 +964,7 @@ match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{ var msg9 = msg("mail_msg:04", part11); -var part12 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part12 = match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1052,8 +973,7 @@ match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{ var msg10 = msg("mail_msg:02", part12); -var part13 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#10:mail_msg:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part13 = match("MESSAGE#10:mail_msg:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup11, dup9, dup12, @@ -1070,8 +990,7 @@ var select4 = linear_select([ msg11, ]); -var part14 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(to,true), Constant(' ofrom='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(p0,false)}" -match("MESSAGE#11:mail_env_from:ofrom/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); +var part14 = match("MESSAGE#11:mail_env_from:ofrom/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); var all3 = all_match({ processors: [ @@ -1086,16 +1005,14 @@ var all3 = all_match({ var msg12 = msg("mail_env_from:ofrom", all3); -var part15 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(to,true), Constant(' ofrom='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#12:mail_env_from:ofrom:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ +var part15 = match("MESSAGE#12:mail_env_from:ofrom:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ dup16, dup9, ])); var msg13 = msg("mail_env_from:ofrom:01", part15); -var part16 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(p0,false)}" -match("MESSAGE#13:mail_env_from/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); +var part16 = match("MESSAGE#13:mail_env_from/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); var all4 = all_match({ processors: [ @@ -1110,8 +1027,7 @@ var all4 = all_match({ var msg14 = msg("mail_env_from", all4); -var part17 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#14:mail_env_from:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ +var part17 = match("MESSAGE#14:mail_env_from:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ dup16, dup9, ])); @@ -1125,16 +1041,14 @@ var select5 = linear_select([ msg15, ]); -var part18 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(ddomain,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#15:mail_helo", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ +var part18 = match("MESSAGE#15:mail_helo", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ dup17, dup9, ])); var msg16 = msg("mail_helo", part18); -var part19 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(ddomain,true), Constant(' routes='), Field(fld4,false)}" -match("MESSAGE#16:mail_helo:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ +var part19 = match("MESSAGE#16:mail_helo:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ dup17, dup9, ])); @@ -1146,33 +1060,27 @@ var select6 = linear_select([ msg17, ]); -var part20 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#17:mail_continue-system-sendmail", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} err=%{fld58}", processor_chain([ +var part20 = match("MESSAGE#17:mail_continue-system-sendmail", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg18 = msg("mail_continue-system-sendmail", part20); -var part21 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#18:mail_release", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=%{result->} err=%{fld58}", processor_chain([ +var part21 = match("MESSAGE#18:mail_release", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg19 = msg("mail_release", part21); -var part22 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#19:session_data/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} %{p0}"); +var part22 = match("MESSAGE#19:session_data/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} %{p0}"); -var part23 = // "Pattern{Constant('rcpt_notroutes='), Field(fld20,true), Constant(' data_routes='), Field(fld21,false)}" -match("MESSAGE#19:session_data/1_0", "nwparser.p0", "rcpt_notroutes=%{fld20->} data_routes=%{fld21}"); +var part23 = match("MESSAGE#19:session_data/1_0", "nwparser.p0", "rcpt_notroutes=%{fld20->} data_routes=%{fld21}"); -var part24 = // "Pattern{Constant('rcpt='), Field(to,true), Constant(' suborg='), Field(fld22,false)}" -match("MESSAGE#19:session_data/1_1", "nwparser.p0", "rcpt=%{to->} suborg=%{fld22}"); +var part24 = match("MESSAGE#19:session_data/1_1", "nwparser.p0", "rcpt=%{to->} suborg=%{fld22}"); -var part25 = // "Pattern{Constant('from='), Field(from,true), Constant(' suborg='), Field(fld22,false)}" -match("MESSAGE#19:session_data/1_2", "nwparser.p0", "from=%{from->} suborg=%{fld22}"); +var part25 = match("MESSAGE#19:session_data/1_2", "nwparser.p0", "from=%{from->} suborg=%{fld22}"); var select7 = linear_select([ part23, @@ -1193,8 +1101,7 @@ var all5 = all_match({ var msg20 = msg("session_data", all5); -var part26 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rcpt_notroutes='), Field(fld20,true), Constant(' data_routes='), Field(fld21,false)}" -match("MESSAGE#20:session_data:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rcpt_notroutes=%{fld20->} data_routes=%{fld21}", processor_chain([ +var part26 = match("MESSAGE#20:session_data:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rcpt_notroutes=%{fld20->} data_routes=%{fld21}", processor_chain([ dup17, dup9, ])); @@ -1206,16 +1113,14 @@ var select8 = linear_select([ msg21, ]); -var part27 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' folder='), Field(fld22,true), Constant(' pri='), Field(fld23,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#21:session_store", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ +var part27 = match("MESSAGE#21:session_store", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg22 = msg("session_store", part27); -var part28 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' folder='), Field(fld22,true), Constant(' pri='), Field(fld23,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#22:session_store:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ +var part28 = match("MESSAGE#22:session_store:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); @@ -1227,16 +1132,14 @@ var select9 = linear_select([ msg23, ]); -var part29 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#23:session_headers", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part29 = match("MESSAGE#23:session_headers", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); var msg24 = msg("session_headers", part29); -var part30 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#24:session_headers:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part30 = match("MESSAGE#24:session_headers:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); @@ -1248,8 +1151,7 @@ var select10 = linear_select([ msg25, ]); -var part31 = // "Pattern{Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,false)}" -match("MESSAGE#25:session_judge/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}"); +var part31 = match("MESSAGE#25:session_judge/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}"); var all6 = all_match({ processors: [ @@ -1266,8 +1168,7 @@ var all6 = all_match({ var msg26 = msg("session_judge", all6); -var part32 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,false)}" -match("MESSAGE#26:session_judge:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}", processor_chain([ +var part32 = match("MESSAGE#26:session_judge:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}", processor_chain([ dup17, dup9, ])); @@ -1279,16 +1180,14 @@ var select11 = linear_select([ msg27, ]); -var part33 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ip='), Field(hostip,true), Constant(' country='), Field(location_country,true), Constant(' lip='), Field(fld24,true), Constant(' prot='), Field(fld25,true), Constant(' hops_active='), Field(fld26,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' perlwait='), Field(fld27,false)}" -match("MESSAGE#27:session_connect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ +var part33 = match("MESSAGE#27:session_connect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ dup17, dup9, ])); var msg28 = msg("session_connect", part33); -var part34 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ip='), Field(hostip,true), Constant(' country='), Field(location_country,true), Constant(' lip='), Field(fld24,true), Constant(' prot='), Field(fld25,true), Constant(' hops_active='), Field(fld26,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' perlwait='), Field(fld27,false)}" -match("MESSAGE#28:session_connect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ +var part34 = match("MESSAGE#28:session_connect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ dup17, dup9, ])); @@ -1300,16 +1199,14 @@ var select12 = linear_select([ msg29, ]); -var part35 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' host='), Field(hostname,true), Constant(' resolve='), Field(fld28,true), Constant(' reverse='), Field(fld13,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#29:session_resolve", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part35 = match("MESSAGE#29:session_resolve", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); var msg30 = msg("session_resolve", part35); -var part36 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' host='), Field(hostname,true), Constant(' resolve='), Field(fld28,true), Constant(' reverse='), Field(fld13,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" -match("MESSAGE#30:session_resolve:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ +var part36 = match("MESSAGE#30:session_resolve:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ dup17, dup9, ])); @@ -1321,16 +1218,14 @@ var select13 = linear_select([ msg31, ]); -var part37 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' ip='), Field(hostip,true), Constant(' rate='), Field(fld29,true), Constant(' crate='), Field(fld30,true), Constant(' limit='), Field(fld31,false)}" -match("MESSAGE#31:session_throttle", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ +var part37 = match("MESSAGE#31:session_throttle", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ dup17, dup9, ])); var msg32 = msg("session_throttle", part37); -var part38 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' ip='), Field(hostip,true), Constant(' rate='), Field(fld29,true), Constant(' crate='), Field(fld30,true), Constant(' limit='), Field(fld31,false)}" -match("MESSAGE#32:session_throttle:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ +var part38 = match("MESSAGE#32:session_throttle:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ dup17, dup9, ])); @@ -1342,24 +1237,21 @@ var select14 = linear_select([ msg33, ]); -var part39 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' rate='), Field(fld58,false)}" -match("MESSAGE#33:session_dispose", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ +var part39 = match("MESSAGE#33:session_dispose", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ dup22, dup9, ])); var msg34 = msg("session_dispose", part39); -var part40 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' rate='), Field(fld58,false)}" -match("MESSAGE#34:session_dispose:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ +var part40 = match("MESSAGE#34:session_dispose:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ dup22, dup9, ])); var msg35 = msg("session_dispose:01", part40); -var part41 = // "Pattern{Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,false)}" -match("MESSAGE#35:session_dispose:02/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}"); +var part41 = match("MESSAGE#35:session_dispose:02/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}"); var all7 = all_match({ processors: [ @@ -1376,8 +1268,7 @@ var all7 = all_match({ var msg36 = msg("session_dispose:02", all7); -var part42 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,false)}" -match("MESSAGE#36:session_dispose:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}", processor_chain([ +var part42 = match("MESSAGE#36:session_dispose:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}", processor_chain([ dup22, dup9, ])); @@ -1391,8 +1282,7 @@ var select15 = linear_select([ msg37, ]); -var part43 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part43 = match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup17, dup9, dup13, @@ -1400,8 +1290,7 @@ match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity var msg38 = msg("session_disconnect", part43); -var part44 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#38:session_disconnect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part44 = match("MESSAGE#38:session_disconnect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup17, dup9, dup13, @@ -1414,14 +1303,11 @@ var select16 = linear_select([ msg39, ]); -var part45 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#39:av_run:02/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{fld1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} %{p0}"); +var part45 = match("MESSAGE#39:av_run:02/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{fld1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} %{p0}"); -var part46 = // "Pattern{Constant('cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_0", "nwparser.p0", "cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); +var part46 = match("MESSAGE#39:av_run:02/1_0", "nwparser.p0", "cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); -var part47 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_2", "nwparser.p0", "vendor=%{fld36->} duration=%{p0}"); +var part47 = match("MESSAGE#39:av_run:02/1_2", "nwparser.p0", "vendor=%{fld36->} duration=%{p0}"); var select17 = linear_select([ part46, @@ -1444,22 +1330,18 @@ var all8 = all_match({ var msg40 = msg("av_run:02", all8); -var part48 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#40:av_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ +var part48 = match("MESSAGE#40:av_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ dup25, dup9, ])); var msg41 = msg("av_run:03", part48); -var part49 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#41:av_run/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} %{p0}"); +var part49 = match("MESSAGE#41:av_run/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} %{p0}"); -var part50 = // "Pattern{Constant('name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#41:av_run/1_1", "nwparser.p0", "name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); +var part50 = match("MESSAGE#41:av_run/1_1", "nwparser.p0", "name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); -var part51 = // "Pattern{Constant('name='), Field(fld34,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#41:av_run/1_2", "nwparser.p0", "name=%{fld34->} vendor=%{fld36->} duration=%{p0}"); +var part51 = match("MESSAGE#41:av_run/1_2", "nwparser.p0", "name=%{fld34->} vendor=%{fld36->} duration=%{p0}"); var select18 = linear_select([ dup23, @@ -1481,8 +1363,7 @@ var all9 = all_match({ var msg42 = msg("av_run", all9); -var part52 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#42:av_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ +var part52 = match("MESSAGE#42:av_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ dup25, dup9, ])); @@ -1500,24 +1381,21 @@ var msg44 = msg("av_refresh", dup48); var msg45 = msg("av_init", dup48); -var part53 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#45:av_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var part53 = match("MESSAGE#45:av_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup26, dup9, ])); var msg46 = msg("av_load", part53); -var part54 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#46:access_run:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part54 = match("MESSAGE#46:access_run:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg47 = msg("access_run:02", part54); -var part55 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#47:access_run:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part55 = match("MESSAGE#47:access_run:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); @@ -1535,8 +1413,7 @@ var select20 = linear_select([ msg50, ]); -var part56 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" -match("MESSAGE#50:access_refresh", "nwparser.payload", "%{fld0->} %{severity->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ +var part56 = match("MESSAGE#50:access_refresh", "nwparser.payload", "%{fld0->} %{severity->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ dup17, dup9, ])); @@ -1556,36 +1433,29 @@ var msg54 = msg("regulation_init", dup51); var msg55 = msg("regulation_refresh", dup51); -var part57 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} %{p0}"); +var part57 = match("MESSAGE#55:spam_run:rule/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} %{p0}"); -var part58 = // "Pattern{Constant('ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/1_0", "nwparser.p0", "ipscore=%{fld40->} suspectscore=%{p0}"); +var part58 = match("MESSAGE#55:spam_run:rule/1_0", "nwparser.p0", "ipscore=%{fld40->} suspectscore=%{p0}"); -var part59 = // "Pattern{Constant('suspectscore='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/1_1", "nwparser.p0", "suspectscore=%{p0}"); +var part59 = match("MESSAGE#55:spam_run:rule/1_1", "nwparser.p0", "suspectscore=%{p0}"); var select22 = linear_select([ part58, part59, ]); -var part60 = // "Pattern{Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/2", "nwparser.p0", "%{fld41->} phishscore=%{fld42->} %{p0}"); +var part60 = match("MESSAGE#55:spam_run:rule/2", "nwparser.p0", "%{fld41->} phishscore=%{fld42->} %{p0}"); -var part61 = // "Pattern{Constant('bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/3_0", "nwparser.p0", "bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{p0}"); +var part61 = match("MESSAGE#55:spam_run:rule/3_0", "nwparser.p0", "bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{p0}"); -var part62 = // "Pattern{Constant('adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' classifier='), Field(p0,false)}" -match("MESSAGE#55:spam_run:rule/3_1", "nwparser.p0", "adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{p0}"); +var part62 = match("MESSAGE#55:spam_run:rule/3_1", "nwparser.p0", "adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{p0}"); var select23 = linear_select([ part61, part62, ]); -var part63 = // "Pattern{Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#55:spam_run:rule/4", "nwparser.p0", "%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}"); +var part63 = match("MESSAGE#55:spam_run:rule/4", "nwparser.p0", "%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}"); var all10 = all_match({ processors: [ @@ -1603,64 +1473,56 @@ var all10 = all_match({ var msg56 = msg("spam_run:rule", all10); -var part64 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#56:spam_run:rule_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ +var part64 = match("MESSAGE#56:spam_run:rule_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg57 = msg("spam_run:rule_02", part64); -var part65 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' ndrscore='), Field(fld57,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' adjustscore='), Field(fld58,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#57:spam_run:rule_03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld57->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld58->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ +var part65 = match("MESSAGE#57:spam_run:rule_03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld57->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld58->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg58 = msg("spam_run:rule_03", part65); -var part66 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' kscore.is_bulkscore='), Field(fld57,true), Constant(' kscore.compositescore='), Field(fld40,true), Constant(' circleOfTrustscore='), Field(fld41,true), Constant(' compositescore='), Field(fld42,true), Constant(' urlsuspect_oldscore='), Field(fld43,true), Constant(' suspectscore='), Field(reputation_num,true), Constant(' recipient_domain_to_sender_totalscore='), Field(fld58,true), Constant(' phishscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld45,true), Constant(' kscore.is_spamscore='), Field(fld46,true), Constant(' recipient_to_sender_totalscore='), Field(fld47,true), Constant(' recipient_domain_to_sender_domain_totalscore='), Field(fld48,true), Constant(' rbsscore='), Field(fld49,true), Constant(' spamscore='), Field(fld50,true), Constant(' recipient_to_sender_domain_totalscore='), Field(fld51,true), Constant(' urlsuspectscore='), Field(fld52,true), Constant(' '), Field(fld53,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#58:spam_run:rule_04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} kscore.is_bulkscore=%{fld57->} kscore.compositescore=%{fld40->} circleOfTrustscore=%{fld41->} compositescore=%{fld42->} urlsuspect_oldscore=%{fld43->} suspectscore=%{reputation_num->} recipient_domain_to_sender_totalscore=%{fld58->} phishscore=%{fld44->} bulkscore=%{fld45->} kscore.is_spamscore=%{fld46->} recipient_to_sender_totalscore=%{fld47->} recipient_domain_to_sender_domain_totalscore=%{fld48->} rbsscore=%{fld49->} spamscore=%{fld50->} recipient_to_sender_domain_totalscore=%{fld51->} urlsuspectscore=%{fld52->} %{fld53->} duration=%{duration_string}", processor_chain([ +var part66 = match("MESSAGE#58:spam_run:rule_04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} kscore.is_bulkscore=%{fld57->} kscore.compositescore=%{fld40->} circleOfTrustscore=%{fld41->} compositescore=%{fld42->} urlsuspect_oldscore=%{fld43->} suspectscore=%{reputation_num->} recipient_domain_to_sender_totalscore=%{fld58->} phishscore=%{fld44->} bulkscore=%{fld45->} kscore.is_spamscore=%{fld46->} recipient_to_sender_totalscore=%{fld47->} recipient_domain_to_sender_domain_totalscore=%{fld48->} rbsscore=%{fld49->} spamscore=%{fld50->} recipient_to_sender_domain_totalscore=%{fld51->} urlsuspectscore=%{fld52->} %{fld53->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg59 = msg("spam_run:rule_04", part66); -var part67 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' ndrscore='), Field(fld53,true), Constant(' suspectscore='), Field(fld40,true), Constant(' malwarescore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' adjustscore='), Field(fld54,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#59:spam_run:rule_05", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld53->} suspectscore=%{fld40->} malwarescore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld54->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ +var part67 = match("MESSAGE#59:spam_run:rule_05", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld53->} suspectscore=%{fld40->} malwarescore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld54->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ dup27, dup9, ])); var msg60 = msg("spam_run:rule_05", part67); -var part68 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' mod='), Field(agent,true), Constant(' total_uri_count='), Field(dclass_counter1,true), Constant(' uris_excluded_from_report_info='), Field(dclass_counter2,false)}" -match("MESSAGE#60:spam_run:rule_06", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} mod=%{agent->} total_uri_count=%{dclass_counter1->} uris_excluded_from_report_info=%{dclass_counter2}", processor_chain([ +var part68 = match("MESSAGE#60:spam_run:rule_06", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} mod=%{agent->} total_uri_count=%{dclass_counter1->} uris_excluded_from_report_info=%{dclass_counter2}", processor_chain([ dup27, dup9, ])); var msg61 = msg("spam_run:rule_06", part68); -var part69 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' tests='), Field(fld52,false)}" -match("MESSAGE#61:spam_run:action_01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ +var part69 = match("MESSAGE#61:spam_run:action_01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ dup27, dup9, ])); var msg62 = msg("spam_run:action_01", part69); -var part70 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' tests='), Field(fld52,false)}" -match("MESSAGE#62:spam_run:action", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ +var part70 = match("MESSAGE#62:spam_run:action", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ dup27, dup9, ])); var msg63 = msg("spam_run:action", part70); -var part71 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' num_domains='), Field(fld53,true), Constant(' num_domains_to_lookup='), Field(fld40,false)}" -match("MESSAGE#63:spam_run:action_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} num_domains=%{fld53->} num_domains_to_lookup=%{fld40}", processor_chain([ +var part71 = match("MESSAGE#63:spam_run:action_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} num_domains=%{fld53->} num_domains_to_lookup=%{fld40}", processor_chain([ dup27, dup9, ])); @@ -1683,24 +1545,21 @@ var msg65 = msg("spam_refresh", dup53); var msg66 = msg("spam_init", dup53); -var part72 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#66:spam_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var part72 = match("MESSAGE#66:spam_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup27, dup9, ])); var msg67 = msg("spam_load", part72); -var part73 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' policy='), Field(fld38,true), Constant(' address='), Field(fld54,false)}" -match("MESSAGE#67:batv_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ +var part73 = match("MESSAGE#67:batv_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ dup17, dup9, ])); var msg68 = msg("batv_run", part73); -var part74 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' policy='), Field(fld38,true), Constant(' address='), Field(fld54,false)}" -match("MESSAGE#68:batv_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ +var part74 = match("MESSAGE#68:batv_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ dup17, dup9, ])); @@ -1724,16 +1583,14 @@ var msg73 = msg("zerohour_init", dup54); var msg74 = msg("zerohour_load", dup52); -var part75 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' count='), Field(fld2,true), Constant(' name='), Field(fld34,true), Constant(' init_time='), Field(fld3,true), Constant(' init_virusthreat='), Field(fld4,true), Constant(' virusthreat='), Field(fld5,true), Constant(' virusthreatid='), Field(fld6,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#74:zerohour_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ +var part75 = match("MESSAGE#74:zerohour_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg75 = msg("zerohour_run", part75); -var part76 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' count='), Field(fld2,true), Constant(' name='), Field(fld34,true), Constant(' init_time='), Field(fld3,true), Constant(' init_virusthreat='), Field(fld4,true), Constant(' virusthreat='), Field(fld5,true), Constant(' virusthreatid='), Field(fld6,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#75:zerohour_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ +var part76 = match("MESSAGE#75:zerohour_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); @@ -1745,40 +1602,35 @@ var select26 = linear_select([ msg76, ]); -var part77 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#76:service_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} duration=%{duration_string}", processor_chain([ +var part77 = match("MESSAGE#76:service_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg77 = msg("service_refresh", part77); -var part78 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#77:perl_clone", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} duration=%{duration_string}", processor_chain([ +var part78 = match("MESSAGE#77:perl_clone", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg78 = msg("perl_clone", part78); -var part79 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#78:cvt_convert", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part79 = match("MESSAGE#78:cvt_convert", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg79 = msg("cvt_convert", part79); -var part80 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#79:cvt_convert:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part80 = match("MESSAGE#79:cvt_convert:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg80 = msg("cvt_convert:01", part80); -var part81 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#80:cvt_convert:02", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part81 = match("MESSAGE#80:cvt_convert:02", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); @@ -1791,8 +1643,7 @@ var select27 = linear_select([ msg81, ]); -var part82 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#81:cvt_detect", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ +var part82 = match("MESSAGE#81:cvt_detect", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ dup17, dup9, ])); @@ -1808,8 +1659,7 @@ var select28 = linear_select([ msg84, ]); -var part83 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(fld5,true), Constant(' mod='), Field(agent,true), Constant(' encrypted='), Field(fld6,false)}" -match("MESSAGE#84:cvtd_encrypted", "nwparser.payload", "%{fld0->} %{severity->} pid=%{fld5->} mod=%{agent->} encrypted=%{fld6}", processor_chain([ +var part83 = match("MESSAGE#84:cvtd_encrypted", "nwparser.payload", "%{fld0->} %{severity->} pid=%{fld5->} mod=%{agent->} encrypted=%{fld6}", processor_chain([ dup17, dup9, ])); @@ -1829,8 +1679,7 @@ var msg88 = msg("soap_listen", dup57); var msg89 = msg("http_listen", dup57); -var part84 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#89:mltr", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{event_description}", processor_chain([ +var part84 = match("MESSAGE#89:mltr", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{event_description}", processor_chain([ dup17, dup9, ])); @@ -1843,22 +1692,18 @@ var msg92 = msg("smtpsrv_load", dup52); var msg93 = msg("smtpsrv_listen", dup57); -var part85 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#93:smtpsrv_run", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part85 = match("MESSAGE#93:smtpsrv_run", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg94 = msg("smtpsrv_run", part85); -var part86 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#94:smtpsrv/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{p0}"); +var part86 = match("MESSAGE#94:smtpsrv/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{p0}"); -var part87 = // "Pattern{Field(result,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#94:smtpsrv/1_0", "nwparser.p0", "%{result->} err=%{fld58}"); +var part87 = match("MESSAGE#94:smtpsrv/1_0", "nwparser.p0", "%{result->} err=%{fld58}"); -var part88 = // "Pattern{Field(result,false)}" -match_copy("MESSAGE#94:smtpsrv/1_1", "nwparser.p0", "result"); +var part88 = match_copy("MESSAGE#94:smtpsrv/1_1", "nwparser.p0", "result"); var select30 = linear_select([ part87, @@ -1878,24 +1723,21 @@ var all11 = all_match({ var msg95 = msg("smtpsrv", all11); -var part89 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' cmd='), Field(obj_type,true), Constant(' profile='), Field(fld52,true), Constant(' qid='), Field(fld15,true), Constant(' rcpts='), Field(to,false)}" -match("MESSAGE#95:send", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ +var part89 = match("MESSAGE#95:send", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ dup17, dup9, ])); var msg96 = msg("send", part89); -var part90 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' cmd='), Field(obj_type,true), Constant(' profile='), Field(fld52,true), Constant(' qid='), Field(fld15,true), Constant(' rcpts='), Field(to,false)}" -match("MESSAGE#96:send:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ +var part90 = match("MESSAGE#96:send:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ dup17, dup9, ])); var msg97 = msg("send:01", part90); -var part91 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' cmd='), Field(obj_type,true), Constant(' rcpt='), Field(to,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#97:send:02", "nwparser.payload", "%{fld0}: %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} rcpt=%{to->} err=%{fld58}", processor_chain([ +var part91 = match("MESSAGE#97:send:02", "nwparser.payload", "%{fld0}: %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} rcpt=%{to->} err=%{fld58}", processor_chain([ dup17, dup9, ])); @@ -1908,22 +1750,18 @@ var select31 = linear_select([ msg98, ]); -var part92 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{p0}"); +var part92 = match("MESSAGE#98:queued-alert/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{p0}"); -var part93 = // "Pattern{Field(fld55,true), Constant(' tls_verify='), Field(fld70,false), Constant(', pri='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/1_0", "nwparser.p0", "%{fld55->} tls_verify=%{fld70}, pri=%{p0}"); +var part93 = match("MESSAGE#98:queued-alert/1_0", "nwparser.p0", "%{fld55->} tls_verify=%{fld70}, pri=%{p0}"); -var part94 = // "Pattern{Field(fld55,false), Constant(', pri='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/1_1", "nwparser.p0", "%{fld55}, pri=%{p0}"); +var part94 = match("MESSAGE#98:queued-alert/1_1", "nwparser.p0", "%{fld55}, pri=%{p0}"); var select32 = linear_select([ part93, part94, ]); -var part95 = // "Pattern{Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#98:queued-alert/2", "nwparser.p0", "%{fld23}, relay=%{p0}"); +var part95 = match("MESSAGE#98:queued-alert/2", "nwparser.p0", "%{fld23}, relay=%{p0}"); var all12 = all_match({ processors: [ @@ -1941,11 +1779,9 @@ var all12 = all_match({ var msg99 = msg("queued-alert", all12); -var part96 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#99:queued-alert:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); +var part96 = match("MESSAGE#99:queued-alert:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); -var part97 = // "Pattern{Constant('['), Field(fld50,false), Constant('] ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}]"); +var part97 = match("MESSAGE#99:queued-alert:01/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}]"); var select33 = linear_select([ part97, @@ -1968,8 +1804,7 @@ var all13 = all_match({ var msg100 = msg("queued-alert:01", all13); -var part98 = // "Pattern{Constant('['), Field(fld50,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#100:queued-alert:02/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}],%{p0}"); +var part98 = match("MESSAGE#100:queued-alert:02/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}],%{p0}"); var select34 = linear_select([ part98, @@ -1978,8 +1813,7 @@ var select34 = linear_select([ dup31, ]); -var part99 = // "Pattern{Field(,false), Constant('version='), Field(version,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(s_cipher,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#100:queued-alert:02/2", "nwparser.p0", "%{}version=%{version}, verify=%{fld57}, cipher=%{s_cipher}, bits=%{fld59}"); +var part99 = match("MESSAGE#100:queued-alert:02/2", "nwparser.p0", "%{}version=%{version}, verify=%{fld57}, cipher=%{s_cipher}, bits=%{fld59}"); var all14 = all_match({ processors: [ @@ -2037,8 +1871,7 @@ var msg111 = msg("queued-reinject:02", dup65); var msg112 = msg("queued-reinject:03", dup66); -var part100 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': maxrcpts='), Field(fld56,false), Constant(', rcpts='), Field(fld57,false), Constant(', count='), Field(fld58,false), Constant(', ids='), Field(fld59,false)}" -match("MESSAGE#111:queued-reinject:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: maxrcpts=%{fld56}, rcpts=%{fld57}, count=%{fld58}, ids=%{fld59}", processor_chain([ +var part100 = match("MESSAGE#111:queued-reinject:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: maxrcpts=%{fld56}, rcpts=%{fld57}, count=%{fld58}, ids=%{fld59}", processor_chain([ dup17, dup9, ])); @@ -2059,8 +1892,7 @@ var select38 = linear_select([ msg115, ]); -var part101 = // "Pattern{Field(,false), Constant('version='), Field(version,false), Constant(', verify='), Field(disposition,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#114:queued-eurort/2", "nwparser.p0", "%{}version=%{version}, verify=%{disposition}, cipher=%{fld58}, bits=%{fld59}"); +var part101 = match("MESSAGE#114:queued-eurort/2", "nwparser.p0", "%{}version=%{version}, verify=%{disposition}, cipher=%{fld58}, bits=%{fld59}"); var all15 = all_match({ processors: [ @@ -2100,16 +1932,14 @@ var select40 = linear_select([ var msg122 = msg("sm-msp-queue", dup66); -var part102 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: starting daemon ('), Field(fld7,false), Constant('): '), Field(fld6,false)}" -match("MESSAGE#122:sm-msp-queue:01", "nwparser.payload", "%{agent}[%{process_id}]: starting daemon (%{fld7}): %{fld6}", processor_chain([ +var part102 = match("MESSAGE#122:sm-msp-queue:01", "nwparser.payload", "%{agent}[%{process_id}]: starting daemon (%{fld7}): %{fld6}", processor_chain([ setc("eventcategory","1605000000"), dup9, ])); var msg123 = msg("sm-msp-queue:01", part102); -var part103 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', ctladdr='), Field(fld13,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#123:sm-msp-queue:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, ctladdr=%{fld13}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var part103 = match("MESSAGE#123:sm-msp-queue:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, ctladdr=%{fld13}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); var all16 = all_match({ processors: [ @@ -2131,14 +1961,11 @@ var select41 = linear_select([ msg124, ]); -var part104 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', tls_verify='), Field(fld24,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#124:sendmail:15/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, tls_verify=%{fld24}, pri=%{fld23}, relay=%{p0}"); +var part104 = match("MESSAGE#124:sendmail:15/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, tls_verify=%{fld24}, pri=%{fld23}, relay=%{p0}"); -var part105 = // "Pattern{Field(dhost,false), Constant('. ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#124:sendmail:15/1_1", "nwparser.p0", "%{dhost}. [%{daddr}],%{p0}"); +var part105 = match("MESSAGE#124:sendmail:15/1_1", "nwparser.p0", "%{dhost}. [%{daddr}],%{p0}"); -var part106 = // "Pattern{Field(dhost,false), Constant('.,'), Field(p0,false)}" -match("MESSAGE#124:sendmail:15/1_2", "nwparser.p0", "%{dhost}.,%{p0}"); +var part106 = match("MESSAGE#124:sendmail:15/1_2", "nwparser.p0", "%{dhost}.,%{p0}"); var select42 = linear_select([ dup28, @@ -2160,14 +1987,11 @@ var all17 = all_match({ var msg125 = msg("sendmail:15", all17); -var part107 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld54,false), Constant(', nrcpts='), Field(fld55,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(p0,false)}" -match("MESSAGE#125:sendmail:14/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld54}, nrcpts=%{fld55}, msgid=%{id}, proto=%{protocol}, daemon=%{p0}"); +var part107 = match("MESSAGE#125:sendmail:14/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld54}, nrcpts=%{fld55}, msgid=%{id}, proto=%{protocol}, daemon=%{p0}"); -var part108 = // "Pattern{Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#125:sendmail:14/1_0", "nwparser.p0", "%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); +var part108 = match("MESSAGE#125:sendmail:14/1_0", "nwparser.p0", "%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); -var part109 = // "Pattern{Field(fld69,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#125:sendmail:14/1_1", "nwparser.p0", "%{fld69}, relay=%{p0}"); +var part109 = match("MESSAGE#125:sendmail:14/1_1", "nwparser.p0", "%{fld69}, relay=%{p0}"); var select43 = linear_select([ part108, @@ -2190,62 +2014,53 @@ var msg126 = msg("sendmail:14", all18); var msg127 = msg("sendmail", dup68); -var part110 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': available mech='), Field(fld2,false), Constant(', allowed mech='), Field(fld3,false)}" -match("MESSAGE#127:sendmail:01", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: available mech=%{fld2}, allowed mech=%{fld3}", processor_chain([ +var part110 = match("MESSAGE#127:sendmail:01", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: available mech=%{fld2}, allowed mech=%{fld3}", processor_chain([ dup17, dup9, ])); var msg128 = msg("sendmail:01", part110); -var part111 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': milter='), Field(fld2,false), Constant(', action='), Field(action,false), Constant(', reject='), Field(fld3,false)}" -match("MESSAGE#128:sendmail:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: milter=%{fld2}, action=%{action}, reject=%{fld3}", processor_chain([ +var part111 = match("MESSAGE#128:sendmail:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: milter=%{fld2}, action=%{action}, reject=%{fld3}", processor_chain([ dup17, dup9, ])); var msg129 = msg("sendmail:02", part111); -var part112 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': '), Field(fld57,false), Constant(': host='), Field(hostname,false), Constant(', addr='), Field(saddr,false), Constant(', reject='), Field(fld3,false)}" -match("MESSAGE#129:sendmail:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}: host=%{hostname}, addr=%{saddr}, reject=%{fld3}", processor_chain([ +var part112 = match("MESSAGE#129:sendmail:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}: host=%{hostname}, addr=%{saddr}, reject=%{fld3}", processor_chain([ dup17, dup9, ])); var msg130 = msg("sendmail:03", part112); -var part113 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': '), Field(fld2,false), Constant(': '), Field(fld3,false), Constant(': vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" -match("MESSAGE#130:sendmail:08", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ +var part113 = match("MESSAGE#130:sendmail:08", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ dup17, dup9, ])); var msg131 = msg("sendmail:08", part113); -var part114 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': '), Field(fld2,false), Constant(': '), Field(fld3,false), Constant(': rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" -match("MESSAGE#131:sendmail:09", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} suspectscore=%{fld41->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ +var part114 = match("MESSAGE#131:sendmail:09", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} suspectscore=%{fld41->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ dup17, dup9, ])); var msg132 = msg("sendmail:09", part114); -var part115 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': rcpt'), Field(p0,false)}" -match("MESSAGE#132:sendmail:10/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: rcpt%{p0}"); +var part115 = match("MESSAGE#132:sendmail:10/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: rcpt%{p0}"); -var part116 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#132:sendmail:10/1_0", "nwparser.p0", ": %{p0}"); +var part116 = match("MESSAGE#132:sendmail:10/1_0", "nwparser.p0", ": %{p0}"); -var part117 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#132:sendmail:10/1_1", "nwparser.p0", "p0"); +var part117 = match_copy("MESSAGE#132:sendmail:10/1_1", "nwparser.p0", "p0"); var select44 = linear_select([ part116, part117, ]); -var part118 = // "Pattern{Field(,true), Constant(' '), Field(fld2,false)}" -match("MESSAGE#132:sendmail:10/2", "nwparser.p0", "%{} %{fld2}"); +var part118 = match("MESSAGE#132:sendmail:10/2", "nwparser.p0", "%{} %{fld2}"); var all19 = all_match({ processors: [ @@ -2261,8 +2076,7 @@ var all19 = all_match({ var msg133 = msg("sendmail:10", all19); -var part119 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#133:sendmail:11/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); +var part119 = match("MESSAGE#133:sendmail:11/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); var all20 = all_match({ processors: [ @@ -2278,27 +2092,23 @@ var all20 = all_match({ var msg134 = msg("sendmail:11", all20); -var part120 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': SYSERR('), Field(fld2,false), Constant('): '), Field(action,false), Constant(': '), Field(event_description,true), Constant(' from '), Field(from,false), Constant(', from='), Field(fld3,false)}" -match("MESSAGE#134:sendmail:12", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} from %{from}, from=%{fld3}", processor_chain([ +var part120 = match("MESSAGE#134:sendmail:12", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} from %{from}, from=%{fld3}", processor_chain([ dup17, dup9, ])); var msg135 = msg("sendmail:12", part120); -var part121 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant(']'), Field(p0,false)}" -match("MESSAGE#135:sendmail:13/0_0", "nwparser.payload", "%{fld10->} %{agent}]%{p0}"); +var part121 = match("MESSAGE#135:sendmail:13/0_0", "nwparser.payload", "%{fld10->} %{agent}]%{p0}"); -var part122 = // "Pattern{Field(agent,false), Constant(']'), Field(p0,false)}" -match("MESSAGE#135:sendmail:13/0_1", "nwparser.payload", "%{agent}]%{p0}"); +var part122 = match("MESSAGE#135:sendmail:13/0_1", "nwparser.payload", "%{agent}]%{p0}"); var select45 = linear_select([ part121, part122, ]); -var part123 = // "Pattern{Field(process_id,false), Constant('[: '), Field(fld1,false), Constant(': SYSERR('), Field(fld2,false), Constant('): '), Field(action,false), Constant(': '), Field(event_description,true), Constant(' file '), Field(filename,false), Constant(': '), Field(fld3,false)}" -match("MESSAGE#135:sendmail:13/1", "nwparser.p0", "%{process_id}[: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} file %{filename}: %{fld3}"); +var part123 = match("MESSAGE#135:sendmail:13/1", "nwparser.p0", "%{process_id}[: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} file %{filename}: %{fld3}"); var all21 = all_match({ processors: [ @@ -2313,27 +2123,23 @@ var all21 = all_match({ var msg136 = msg("sendmail:13", all21); -var part124 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': '), Field(fld57,false), Constant(':'), Field(event_description,false)}" -match("MESSAGE#136:sendmail:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}:%{event_description}", processor_chain([ +var part124 = match("MESSAGE#136:sendmail:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}:%{event_description}", processor_chain([ dup17, dup9, ])); var msg137 = msg("sendmail:04", part124); -var part125 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(':'), Field(event_description,false)}" -match("MESSAGE#137:sendmail:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}:%{event_description}", processor_chain([ +var part125 = match("MESSAGE#137:sendmail:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}:%{event_description}", processor_chain([ dup17, dup9, ])); var msg138 = msg("sendmail:05", part125); -var part126 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: AUTH='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#169:sendmail:06/0", "nwparser.payload", "%{agent}[%{process_id}]: AUTH=%{authmethod}, relay=%{p0}"); +var part126 = match("MESSAGE#169:sendmail:06/0", "nwparser.payload", "%{agent}[%{process_id}]: AUTH=%{authmethod}, relay=%{p0}"); -var part127 = // "Pattern{Field(,false), Constant('authid='), Field(uid,false), Constant(', mech='), Field(scheme,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#169:sendmail:06/2", "nwparser.p0", "%{}authid=%{uid}, mech=%{scheme}, bits=%{fld59}"); +var part127 = match("MESSAGE#169:sendmail:06/2", "nwparser.p0", "%{}authid=%{uid}, mech=%{scheme}, bits=%{fld59}"); var all22 = all_match({ processors: [ @@ -2370,24 +2176,21 @@ var select46 = linear_select([ msg140, ]); -var part128 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' pid='), Field(process_id,true), Constant(' status='), Field(fld29,false)}" -match("MESSAGE#138:info:eid_pid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} pid=%{process_id->} status=%{fld29}", processor_chain([ +var part128 = match("MESSAGE#138:info:eid_pid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} pid=%{process_id->} status=%{fld29}", processor_chain([ dup17, dup9, ])); var msg141 = msg("info:eid_pid_status", part128); -var part129 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status='), Field(fld29,false)}" -match("MESSAGE#139:info:eid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=%{fld29}", processor_chain([ +var part129 = match("MESSAGE#139:info:eid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=%{fld29}", processor_chain([ dup17, dup9, ])); var msg142 = msg("info:eid_status", part129); -var part130 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' '), Field(info,false)}" -match("MESSAGE#140:info:eid", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} %{info}", processor_chain([ +var part130 = match("MESSAGE#140:info:eid", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} %{info}", processor_chain([ dup17, dup9, ])); @@ -2396,17 +2199,13 @@ var msg143 = msg("info:eid", part130); var msg144 = msg("info:pid", dup62); -var part131 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(p0,false)}" -match("MESSAGE#143:info/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{p0}"); +var part131 = match("MESSAGE#143:info/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{p0}"); -var part132 = // "Pattern{Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ofrom='), Field(from,false)}" -match("MESSAGE#143:info/1_0", "nwparser.p0", "%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ofrom=%{from}"); +var part132 = match("MESSAGE#143:info/1_0", "nwparser.p0", "%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ofrom=%{from}"); -var part133 = // "Pattern{Field(sessionid1,true), Constant(' status='), Field(info,true), Constant(' restquery_stage='), Field(fld3,false)}" -match("MESSAGE#143:info/1_1", "nwparser.p0", "%{sessionid1->} status=%{info->} restquery_stage=%{fld3}"); +var part133 = match("MESSAGE#143:info/1_1", "nwparser.p0", "%{sessionid1->} status=%{info->} restquery_stage=%{fld3}"); -var part134 = // "Pattern{Field(sessionid1,false)}" -match_copy("MESSAGE#143:info/1_2", "nwparser.p0", "sessionid1"); +var part134 = match_copy("MESSAGE#143:info/1_2", "nwparser.p0", "sessionid1"); var select47 = linear_select([ part132, @@ -2427,38 +2226,32 @@ var all23 = all_match({ var msg145 = msg("info", all23); -var part135 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sys='), Field(fld1,true), Constant(' evt='), Field(action,true), Constant(' active='), Field(fld2,true), Constant(' expires='), Field(fld3,true), Constant(' msg='), Field(event_description,false)}" -match("MESSAGE#144:info:02", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{action->} active=%{fld2->} expires=%{fld3->} msg=%{event_description}", processor_chain([ +var part135 = match("MESSAGE#144:info:02", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{action->} active=%{fld2->} expires=%{fld3->} msg=%{event_description}", processor_chain([ dup17, dup9, ])); var msg146 = msg("info:02", part135); -var part136 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' server='), Field(saddr,true), Constant(' elapsed='), Field(duration_string,true), Constant(' avgtime='), Field(fld2,true), Constant(' qname='), Field(fld3,true), Constant(' qtype='), Field(fld4,false)}" -match("MESSAGE#145:info:03", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} server=%{saddr->} elapsed=%{duration_string->} avgtime=%{fld2->} qname=%{fld3->} qtype=%{fld4}", processor_chain([ +var part136 = match("MESSAGE#145:info:03", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} server=%{saddr->} elapsed=%{duration_string->} avgtime=%{fld2->} qname=%{fld3->} qtype=%{fld4}", processor_chain([ dup17, dup9, ])); var msg147 = msg("info:03", part136); -var part137 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" -match("MESSAGE#146:info:01", "nwparser.payload", "%{fld0->} %{severity->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ +var part137 = match("MESSAGE#146:info:01", "nwparser.payload", "%{fld0->} %{severity->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ dup17, dup9, ])); var msg148 = msg("info:01", part137); -var part138 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sys='), Field(fld1,true), Constant(' evt='), Field(p0,false)}" -match("MESSAGE#147:info:04/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{p0}"); +var part138 = match("MESSAGE#147:info:04/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{p0}"); -var part139 = // "Pattern{Field(action,true), Constant(' msg='), Field(event_description,false)}" -match("MESSAGE#147:info:04/1_0", "nwparser.p0", "%{action->} msg=%{event_description}"); +var part139 = match("MESSAGE#147:info:04/1_0", "nwparser.p0", "%{action->} msg=%{event_description}"); -var part140 = // "Pattern{Field(action,false)}" -match_copy("MESSAGE#147:info:04/1_1", "nwparser.p0", "action"); +var part140 = match_copy("MESSAGE#147:info:04/1_1", "nwparser.p0", "action"); var select48 = linear_select([ part139, @@ -2478,14 +2271,11 @@ var all24 = all_match({ var msg149 = msg("info:04", all24); -var part141 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#148:info:05/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} %{p0}"); +var part141 = match("MESSAGE#148:info:05/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} %{p0}"); -var part142 = // "Pattern{Constant('type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#148:info:05/1_0", "nwparser.p0", "type=%{fld6->} cmd=%{obj_type->} id=%{fld5}"); +var part142 = match("MESSAGE#148:info:05/1_0", "nwparser.p0", "type=%{fld6->} cmd=%{obj_type->} id=%{fld5}"); -var part143 = // "Pattern{Constant('cmd='), Field(obj_type,false)}" -match("MESSAGE#148:info:05/1_1", "nwparser.p0", "cmd=%{obj_type}"); +var part143 = match("MESSAGE#148:info:05/1_1", "nwparser.p0", "cmd=%{obj_type}"); var select49 = linear_select([ part142, @@ -2520,8 +2310,7 @@ var select50 = linear_select([ var msg151 = msg("note:pid", dup62); -var part144 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' module='), Field(agent,true), Constant(' action='), Field(action,true), Constant(' size='), Field(bytes,false)}" -match("MESSAGE#149:note:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} module=%{agent->} action=%{action->} size=%{bytes}", processor_chain([ +var part144 = match("MESSAGE#149:note:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} module=%{agent->} action=%{action->} size=%{bytes}", processor_chain([ dup17, dup9, ])); @@ -2533,40 +2322,35 @@ var select51 = linear_select([ msg152, ]); -var part145 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' secprofile_name='), Field(fld3,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#150:rprt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} secprofile_name=%{fld3->} rcpts=%{dclass_counter2->} duration=%{duration_string}", processor_chain([ +var part145 = match("MESSAGE#150:rprt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} secprofile_name=%{fld3->} rcpts=%{dclass_counter2->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); var msg153 = msg("rprt", part145); -var part146 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' module='), Field(agent,true), Constant(' age='), Field(fld6,true), Constant(' limit='), Field(fld31,false)}" -match("MESSAGE#151:err", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} module=%{agent->} age=%{fld6->} limit=%{fld31}", processor_chain([ +var part146 = match("MESSAGE#151:err", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} module=%{agent->} age=%{fld6->} limit=%{fld31}", processor_chain([ dup17, dup9, ])); var msg154 = msg("err", part146); -var part147 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' eid='), Field(fld4,true), Constant(' result='), Field(result,false)}" -match("MESSAGE#152:warn", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} eid=%{fld4->} result=%{result}", processor_chain([ +var part147 = match("MESSAGE#152:warn", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} eid=%{fld4->} result=%{result}", processor_chain([ dup17, dup9, ])); var msg155 = msg("warn", part147); -var part148 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status="'), Field(event_state,true), Constant(' file: '), Field(filename,false), Constant('"')}" -match("MESSAGE#153:warn:01", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file: %{filename}\"", processor_chain([ +var part148 = match("MESSAGE#153:warn:01", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file: %{filename}\"", processor_chain([ dup17, dup9, ])); var msg156 = msg("warn:01", part148); -var part149 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status="'), Field(event_state,true), Constant(' file '), Field(filename,true), Constant(' does not contain enough (or correct) info. Fix this or remove the file."')}" -match("MESSAGE#154:warn:02", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file %{filename->} does not contain enough (or correct) info. Fix this or remove the file.\"", processor_chain([ +var part149 = match("MESSAGE#154:warn:02", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file %{filename->} does not contain enough (or correct) info. Fix this or remove the file.\"", processor_chain([ dup17, dup9, setc("event_description","does not contain enough (or correct) info. Fix this or remove the file"), @@ -2584,14 +2368,11 @@ var msg158 = msg("queued-aglife", dup68); var msg159 = msg("pdr_run", dup50); -var part150 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' ttl='), Field(fld1,true), Constant(' reply="'), Field(p0,false)}" -match("MESSAGE#157:pdr_ttl/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} ttl=%{fld1->} reply=\"%{p0}"); +var part150 = match("MESSAGE#157:pdr_ttl/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} ttl=%{fld1->} reply=\"%{p0}"); -var part151 = // "Pattern{Constant('\"'), Field(fld2,true), Constant(' rscore='), Field(fld3,false), Constant('\""')}" -match("MESSAGE#157:pdr_ttl/1_0", "nwparser.p0", "\\\"%{fld2->} rscore=%{fld3}\\\"\""); +var part151 = match("MESSAGE#157:pdr_ttl/1_0", "nwparser.p0", "\\\"%{fld2->} rscore=%{fld3}\\\"\""); -var part152 = // "Pattern{Field(fld2,false), Constant('"')}" -match("MESSAGE#157:pdr_ttl/1_1", "nwparser.p0", "%{fld2}\""); +var part152 = match("MESSAGE#157:pdr_ttl/1_1", "nwparser.p0", "%{fld2}\""); var select53 = linear_select([ part151, @@ -2611,16 +2392,14 @@ var all26 = all_match({ var msg160 = msg("pdr_ttl", all26); -var part153 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' signature='), Field(fld1,true), Constant(' identity='), Field(sigid_string,true), Constant(' host='), Field(hostname,true), Constant(' result='), Field(result,true), Constant(' result_detail='), Field(fld2,false)}" -match("MESSAGE#158:dkimv_run:signature", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} signature=%{fld1->} identity=%{sigid_string->} host=%{hostname->} result=%{result->} result_detail=%{fld2}", processor_chain([ +var part153 = match("MESSAGE#158:dkimv_run:signature", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} signature=%{fld1->} identity=%{sigid_string->} host=%{hostname->} result=%{result->} result_detail=%{fld2}", processor_chain([ dup17, dup9, ])); var msg161 = msg("dkimv_run:signature", part153); -var part154 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' status="'), Field(info,false), Constant(', '), Field(event_state,false), Constant('"')}" -match("MESSAGE#159:dkimv_run:status", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=\"%{info}, %{event_state}\"", processor_chain([ +var part154 = match("MESSAGE#159:dkimv_run:status", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=\"%{info}, %{event_state}\"", processor_chain([ dup17, dup9, ])); @@ -2632,8 +2411,7 @@ var select54 = linear_select([ msg162, ]); -var part155 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' unexpected response type='), Field(fld1,false)}" -match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} unexpected response type=%{fld1}", processor_chain([ +var part155 = match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} unexpected response type=%{fld1}", processor_chain([ dup17, dup9, setc("result","unexpected response"), @@ -2641,8 +2419,7 @@ match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod= var msg163 = msg("dkimv_type", part155); -var part156 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' publickey_cache_entries='), Field(fld6,false)}" -match("MESSAGE#161:dkimv_type:01", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} publickey_cache_entries=%{fld6}", processor_chain([ +var part156 = match("MESSAGE#161:dkimv_type:01", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} publickey_cache_entries=%{fld6}", processor_chain([ dup17, dup9, ])); @@ -2656,8 +2433,7 @@ var select55 = linear_select([ var msg165 = msg("dmarc_run:rule", dup49); -var part157 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' result='), Field(result,true), Constant(' result_detail='), Field(fld2,false)}" -match("MESSAGE#163:dmarc_run:result", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} result=%{result->} result_detail=%{fld2}", processor_chain([ +var part157 = match("MESSAGE#163:dmarc_run:result", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} result=%{result->} result_detail=%{fld2}", processor_chain([ dup17, dup9, ])); @@ -2669,8 +2445,7 @@ var select56 = linear_select([ msg166, ]); -var part158 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' policy_cache_entries='), Field(fld6,false)}" -match("MESSAGE#164:dmarc_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} policy_cache_entries=%{fld6}", processor_chain([ +var part158 = match("MESSAGE#164:dmarc_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} policy_cache_entries=%{fld6}", processor_chain([ dup17, dup9, ])); @@ -2679,8 +2454,7 @@ var msg167 = msg("dmarc_type", part158); var msg168 = msg("spf_run:rule", dup49); -var part159 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cmd='), Field(obj_type,true), Constant(' result='), Field(result,false)}" -match("MESSAGE#166:spf_run:cmd", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cmd=%{obj_type->} result=%{result}", processor_chain([ +var part159 = match("MESSAGE#166:spf_run:cmd", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cmd=%{obj_type->} result=%{result}", processor_chain([ dup17, dup9, ])); @@ -2692,24 +2466,21 @@ var select57 = linear_select([ msg169, ]); -var part160 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' suspectscore='), Field(fld41,true), Constant(' malwarescore='), Field(fld49,true), Constant(' phishscore='), Field(fld42,true), Constant(' adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' tests='), Field(fld52,false)}" -match("MESSAGE#167:action_checksubmsg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} suspectscore=%{fld41->} malwarescore=%{fld49->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} tests=%{fld52}", processor_chain([ +var part160 = match("MESSAGE#167:action_checksubmsg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} suspectscore=%{fld41->} malwarescore=%{fld49->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} tests=%{fld52}", processor_chain([ dup17, dup9, ])); var msg170 = msg("action_checksubmsg", part160); -var part161 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' authscope='), Field(fld5,true), Constant(' err='), Field(fld58,false)}" -match("MESSAGE#168:rest_oauth", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} authscope=%{fld5->} err=%{fld58}", processor_chain([ +var part161 = match("MESSAGE#168:rest_oauth", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} authscope=%{fld5->} err=%{fld58}", processor_chain([ dup17, dup9, ])); var msg171 = msg("rest_oauth", part161); -var part162 = // "Pattern{Constant('mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(id,true), Constant(' load smartid ccard')}" -match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid ccard", processor_chain([ +var part162 = match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid ccard", processor_chain([ dup17, dup9, setc("event_description","load smartid ccard"), @@ -2718,8 +2489,7 @@ match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} typ var msg172 = msg("filter_instance1:01", part162); -var part163 = // "Pattern{Constant('mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(id,true), Constant(' load smartid jcb')}" -match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid jcb", processor_chain([ +var part163 = match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid jcb", processor_chain([ dup17, dup9, setc("event_description","load smartid jcb"), @@ -2728,22 +2498,18 @@ match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} typ var msg173 = msg("filter_instance1:02", part163); -var part164 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject="'), Field(subject,false), Constant('" '), Field(p0,false)}" -match("MESSAGE#173:filter_instance1:03/0", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=\"%{subject}\" %{p0}"); +var part164 = match("MESSAGE#173:filter_instance1:03/0", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=\"%{subject}\" %{p0}"); -var part165 = // "Pattern{Constant('spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(p0,false)}" -match("MESSAGE#173:filter_instance1:03/1_0", "nwparser.p0", "spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{p0}"); +var part165 = match("MESSAGE#173:filter_instance1:03/1_0", "nwparser.p0", "spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{p0}"); -var part166 = // "Pattern{Constant('duration='), Field(p0,false)}" -match("MESSAGE#173:filter_instance1:03/1_1", "nwparser.p0", "duration=%{p0}"); +var part166 = match("MESSAGE#173:filter_instance1:03/1_1", "nwparser.p0", "duration=%{p0}"); var select58 = linear_select([ part165, part166, ]); -var part167 = // "Pattern{Field(fld16,true), Constant(' elapsed='), Field(duration_string,false)}" -match("MESSAGE#173:filter_instance1:03/2", "nwparser.p0", "%{fld16->} elapsed=%{duration_string}"); +var part167 = match("MESSAGE#173:filter_instance1:03/2", "nwparser.p0", "%{fld16->} elapsed=%{duration_string}"); var all27 = all_match({ processors: [ @@ -2762,8 +2528,7 @@ var all27 = all_match({ var msg174 = msg("filter_instance1:03", all27); -var part168 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" -match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ +var part168 = match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ dup17, dup9, dup13, @@ -2772,8 +2537,7 @@ match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} m var msg175 = msg("filter_instance1:04", part168); -var part169 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' header.from="\"'), Field(info,false), Constant('\" '), Field(fld4,true), Constant(' <<'), Field(user_address,false), Constant('>"')}" -match("MESSAGE#175:filter_instance1:05", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} header.from=\"\\\"%{info}\\\" %{fld4->} \u003c\u003c%{user_address}>\"", processor_chain([ +var part169 = match("MESSAGE#175:filter_instance1:05", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} header.from=\"\\\"%{info}\\\" %{fld4->} \u003c\u003c%{user_address}>\"", processor_chain([ dup17, dup9, dup36, @@ -3001,89 +2765,61 @@ var chain1 = processor_chain([ }), ]); -var part171 = // "Pattern{Constant('info'), Field(p0,false)}" -match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); +var part171 = match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); -var part172 = // "Pattern{Constant('rprt'), Field(p0,false)}" -match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); +var part172 = match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); -var part173 = // "Pattern{Constant('warn'), Field(p0,false)}" -match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); +var part173 = match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); -var part174 = // "Pattern{Constant('err'), Field(p0,false)}" -match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); +var part174 = match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); -var part175 = // "Pattern{Constant('note'), Field(p0,false)}" -match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); +var part175 = match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); -var part176 = // "Pattern{Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" -match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); +var part176 = match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); -var part177 = // "Pattern{Field(hostip,false)}" -match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); +var part177 = match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); -var part178 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); +var part178 = match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); -var part179 = // "Pattern{Constant('attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); +var part179 = match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); -var part180 = // "Pattern{Constant('mod='), Field(p0,false)}" -match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); +var part180 = match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); -var part181 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' version="'), Field(component_version,false), Constant('" duration='), Field(p0,false)}" -match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); +var part181 = match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); -var part182 = // "Pattern{Field(duration_string,false)}" -match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); +var part182 = match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); -var part183 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); +var part183 = match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); -var part184 = // "Pattern{Constant('['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); +var part184 = match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); -var part185 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant('],'), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); +var part185 = match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); -var part186 = // "Pattern{Field(dhost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); +var part186 = match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); -var part187 = // "Pattern{Field(,false), Constant('dsn='), Field(resultcode,false), Constant(', stat='), Field(info,false)}" -match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); +var part187 = match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); -var part188 = // "Pattern{Constant('['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); +var part188 = match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); -var part189 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); +var part189 = match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); -var part190 = // "Pattern{Field(dhost,false)}" -match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); +var part190 = match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); -var part191 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); +var part191 = match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); -var part192 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var part192 = match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); -var part193 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); +var part193 = match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); -var part194 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant(']')}" -match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); +var part194 = match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); -var part195 = // "Pattern{Field(,false), Constant('field='), Field(fld2,false), Constant(', status='), Field(info,false)}" -match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); +var part195 = match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); -var part196 = // "Pattern{Field(,false), Constant('version='), Field(fld55,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" -match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); +var part196 = match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); -var part197 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(fld71,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); +var part197 = match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); -var part198 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" -match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); +var part198 = match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); var select60 = linear_select([ dup1, @@ -3103,62 +2839,52 @@ var select62 = linear_select([ dup20, ]); -var part199 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" -match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ +var part199 = match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ dup26, dup9, ])); -var part200 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part200 = match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var part201 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" -match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ +var part201 = match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ dup17, dup9, ])); -var part202 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" -match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ +var part202 = match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ dup17, dup9, ])); -var part203 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" -match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ +var part203 = match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ dup17, dup9, ])); -var part204 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" -match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ +var part204 = match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ dup27, dup9, ])); -var part205 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' version='), Field(fld55,false)}" -match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ +var part205 = match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ dup17, dup9, ])); -var part206 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sig='), Field(fld60,false)}" -match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ +var part206 = match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ dup17, dup9, ])); -var part207 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,false)}" -match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ +var part207 = match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ dup17, dup9, ])); -var part208 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' addr='), Field(saddr,false)}" -match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ +var part208 = match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ dup17, dup9, ])); @@ -3177,20 +2903,17 @@ var select64 = linear_select([ dup35, ]); -var part209 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': timeout waiting for input from '), Field(fld11,true), Constant(' during server cmd read')}" -match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ +var part209 = match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ dup17, dup9, ])); -var part210 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(event_description,false)}" -match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ +var part210 = match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ dup17, dup9, ])); -var part211 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" -match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ +var part211 = match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ dup17, dup9, ])); diff --git a/x-pack/filebeat/module/snort/log/config/pipeline.js b/x-pack/filebeat/module/snort/log/config/pipeline.js index d4d6aec1028..18f0ec783e3 100644 --- a/x-pack/filebeat/module/snort/log/config/pipeline.js +++ b/x-pack/filebeat/module/snort/log/config/pipeline.js @@ -46,44 +46,31 @@ var map_getEventLegacyCategoryName = { var dup1 = setc("messageid","FTD_events"); -var dup2 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var dup2 = match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var dup3 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); +var dup3 = match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); -var dup4 = // "Pattern{Field(hfld10,true), Constant(' [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); +var dup4 = match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); -var dup5 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var dup5 = match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var dup6 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); +var dup6 = match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); -var dup7 = // "Pattern{Field(hfld10,true), Constant(' [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); +var dup7 = match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); -var dup8 = // "Pattern{Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); +var dup8 = match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); -var dup9 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" ['), Field(p0,false)}" -match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); +var dup9 = match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); -var dup10 = // "Pattern{Field(hfld10,true), Constant(' ['), Field(p0,false)}" -match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); +var dup10 = match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); -var dup11 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); +var dup11 = match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); -var dup12 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var dup12 = match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var dup13 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var dup13 = match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var dup14 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var dup14 = match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); var dup15 = call({ dest: "nwparser.payload", @@ -135,11 +122,9 @@ var dup19 = call({ ], }); -var dup20 = // "Pattern{Constant('at'), Field(p0,false)}" -match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); +var dup20 = match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); -var dup21 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); +var dup21 = match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); var dup22 = call({ dest: "nwparser.messageid", @@ -171,19 +156,15 @@ var dup24 = setc("messageid","HMNOTIFY"); var dup25 = setc("messageid","SystemSettings"); -var dup26 = // "Pattern{Constant('['), Field(hpid,false), Constant(']: ['), Field(p0,false)}" -match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); +var dup26 = match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); -var dup27 = // "Pattern{Constant(': ['), Field(p0,false)}" -match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); +var dup27 = match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); -var dup28 = // "Pattern{Constant(']'), Field(hversion,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hevent_source,true), Constant(' '), Field(payload,false)}" -match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); +var dup28 = match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); var dup29 = setc("messageid","Snort_AlertLog"); -var dup30 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); +var dup30 = match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); var dup31 = date_time({ dest: "event_time", @@ -195,38 +176,27 @@ var dup31 = date_time({ var dup32 = setf("msg","$MSG"); -var dup33 = // "Pattern{Field(threat_val,true), Constant(' ]:alert {'), Field(p0,false)}" -match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); +var dup33 = match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); -var dup34 = // "Pattern{Field(threat_val,true), Constant(' ]: '), Field(fld1,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); +var dup34 = match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); -var dup35 = // "Pattern{Field(threat_val,false), Constant(']: {'), Field(p0,false)}" -match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); +var dup35 = match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); -var dup36 = // "Pattern{Field(threat_val,true), Constant(' ] {'), Field(p0,false)}" -match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); +var dup36 = match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); -var dup37 = // "Pattern{Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); +var dup37 = match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); -var dup38 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(') -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); +var dup38 = match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); -var dup39 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); +var dup39 = match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); -var dup40 = // "Pattern{Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); +var dup40 = match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); -var dup41 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(location_dst,false), Constant(')')}" -match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); +var dup41 = match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); -var dup42 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); +var dup42 = match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); -var dup43 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); +var dup43 = match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); var dup44 = setc("eventcategory","1003030000"); @@ -266,17 +236,13 @@ var dup56 = date_time({ ], }); -var dup57 = // "Pattern{Field(context,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); +var dup57 = match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); -var dup58 = // "Pattern{Constant('<<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); +var dup58 = match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); -var dup59 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); +var dup59 = match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); -var dup60 = // "Pattern{Constant('{'), Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); +var dup60 = match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); var dup61 = setc("eventcategory","1103000000"); @@ -288,17 +254,13 @@ var dup64 = setc("eventcategory","1002000000"); var dup65 = setc("eventcategory","1001020200"); -var dup66 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" -match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); +var dup66 = match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); -var dup67 = // "Pattern{Constant(' <<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); +var dup67 = match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); -var dup68 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); +var dup68 = match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); -var dup69 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); +var dup69 = match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); var dup70 = setc("eventcategory","1001020100"); @@ -310,8 +272,7 @@ var dup73 = setc("ec_activity","Detect"); var dup74 = setc("ec_theme","TEV"); -var dup75 = // "Pattern{Field(context,true), Constant(' <<'), Field(interface,false), Constant('> '), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); +var dup75 = match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); var dup76 = setf("signame","context"); @@ -387,17 +348,13 @@ var dup111 = setc("eventcategory","1001020307"); var dup112 = setc("eventcategory","1401060000"); -var dup113 = // "Pattern{Field(threat_val,true), Constant(' ]:alert '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); +var dup113 = match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); -var dup114 = // "Pattern{Field(threat_val,false), Constant(']: '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); +var dup114 = match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); -var dup115 = // "Pattern{Field(threat_val,true), Constant(' ] '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); +var dup115 = match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); -var dup116 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); +var dup116 = match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); var dup117 = setc("eventcategory","1003050000"); @@ -413,14 +370,11 @@ var dup122 = setc("eventcategory","1603090000"); var dup123 = setc("eventcategory","1003040000"); -var dup124 = // "Pattern{Constant(':alert '), Field(p0,false)}" -match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); +var dup124 = match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); -var dup125 = // "Pattern{Constant(''), Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); +var dup125 = match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); -var dup126 = // "Pattern{Constant(''), Field(daddr,false)}" -match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); +var dup126 = match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); var dup127 = setc("eventcategory","1605000000"); @@ -434,25 +388,19 @@ var dup129 = date_time({ ], }); -var dup130 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' MAC: '), Field(smacaddr,true), Constant(' TTL '), Field(p0,false)}" -match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); +var dup130 = match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); -var dup131 = // "Pattern{Field(sinterface,true), Constant(' ('), Field(protocol,true), Constant(' detected)')}" -match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); +var dup131 = match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); -var dup132 = // "Pattern{Field(sinterface,false)}" -match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); +var dup132 = match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); -var dup133 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); +var dup133 = match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); -var dup134 = // "Pattern{Field(protocol,false)}" -match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); +var dup134 = match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); var dup135 = setc("eventcategory","1605020000"); -var dup136 = // "Pattern{Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); +var dup136 = match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); var dup137 = setc("ec_subject","User"); @@ -470,19 +418,15 @@ var dup143 = setf("hostip","hfld2"); var dup144 = setc("ec_activity","Logoff"); -var dup145 = // "Pattern{Constant('>'), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); +var dup145 = match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); var dup146 = setc("category","Session Expiration"); -var dup147 = // "Pattern{Field(fld1,false), Constant(']['), Field(policyname,false), Constant('] Connection Type: '), Field(event_state,false), Constant(', User: '), Field(username,false), Constant(', Client: '), Field(application,false), Constant(', Application Protocol: '), Field(protocol,false), Constant(', Web App: '), Field(application,false), Constant(', Access Control Rule Name: '), Field(rulename,false), Constant(', Access Control Rule Action: '), Field(action,false), Constant(', Access Control Rule Reasons: '), Field(result,false), Constant(', URL Category: '), Field(category,false), Constant(', URL Reputation: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); +var dup147 = match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); -var dup148 = // "Pattern{Constant('Risk unknown, URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); +var dup148 = match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); -var dup149 = // "Pattern{Field(reputation_num,false), Constant(', URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); +var dup149 = match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); var dup150 = setc("eventcategory","1801000000"); @@ -490,20 +434,15 @@ var dup151 = setc("dclass_counter1_string","Number of File Events"); var dup152 = setc("dclass_counter2_string","Number of IPS Events"); -var dup153 = // "Pattern{Constant('-*> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); +var dup153 = match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); -var dup154 = // "Pattern{Constant('> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); +var dup154 = match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); -var dup155 = // "Pattern{Constant('From "'), Field(sensor,false), Constant('" at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); +var dup155 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); -var dup156 = // "Pattern{Constant('at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); +var dup156 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); -var dup157 = // "Pattern{Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); +var dup157 = match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); var dup158 = date_time({ dest: "event_time", @@ -513,11 +452,9 @@ var dup158 = date_time({ ], }); -var dup159 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' '), Field(network_service,false)}" -match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); +var dup159 = match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); -var dup160 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" -match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); +var dup160 = match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); var dup161 = date_time({ dest: "event_time", @@ -564,8 +501,7 @@ var dup169 = linear_select([ dup10, ]); -var dup170 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ +var dup170 = match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ dup19, ])); @@ -637,8 +573,7 @@ var dup182 = linear_select([ dup132, ]); -var dup183 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(version,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ +var dup183 = match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ dup127, dup31, dup32, @@ -646,8 +581,7 @@ match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} Fr dup129, ])); -var dup184 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ +var dup184 = match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ dup135, dup31, dup32, @@ -660,8 +594,7 @@ var dup185 = linear_select([ dup134, ]); -var dup186 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' '), Field(product,false)}" -match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ +var dup186 = match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ dup135, dup31, dup32, @@ -669,8 +602,7 @@ match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} dup129, ])); -var dup187 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" -match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ +var dup187 = match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ dup135, dup31, dup32, @@ -678,8 +610,7 @@ match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \" dup129, ])); -var dup188 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,false)}" -match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ +var dup188 = match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ dup135, dup31, dup32, @@ -4814,34 +4745,28 @@ var dup356 = all_match({ ]), }); -var hdr1 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z %FTD-'), Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#0:0055", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0055", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ setc("header_id","0055"), dup1, ])); -var hdr2 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z '), Field(hostname,true), Constant(' '), Field(fld1,true), Constant(' %NGIPS-'), Field(severity,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#1:0056", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %{fld1->} %NGIPS-%{severity}-%{hfld3}:%{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0056", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %{fld1->} %NGIPS-%{severity}-%{hfld3}:%{payload}", processor_chain([ setc("header_id","0056"), setc("messageid","NGIPS_events"), ])); -var part1 = // "Pattern{Field(result,false), Constant('] From '), Field(p0,false)}" -match("HEADER#2:00010/2", "nwparser.p0", "%{result}] From %{p0}"); +var part1 = match("HEADER#2:00010/2", "nwparser.p0", "%{result}] From %{p0}"); -var part2 = // "Pattern{Constant('"'), Field(group_object,false), Constant('/'), Field(hfld11,false), Constant('" at '), Field(p0,false)}" -match("HEADER#2:00010/3_0", "nwparser.p0", "\"%{group_object}/%{hfld11}\" at %{p0}"); +var part2 = match("HEADER#2:00010/3_0", "nwparser.p0", "\"%{group_object}/%{hfld11}\" at %{p0}"); -var part3 = // "Pattern{Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(p0,false)}" -match("HEADER#2:00010/3_1", "nwparser.p0", "%{group_object}/%{hfld11->} at %{p0}"); +var part3 = match("HEADER#2:00010/3_1", "nwparser.p0", "%{group_object}/%{hfld11->} at %{p0}"); var select1 = linear_select([ part2, part3, ]); -var part4 = // "Pattern{Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#2:00010/4", "nwparser.p0", "%{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part4 = match("HEADER#2:00010/4", "nwparser.p0", "%{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); var all1 = all_match({ processors: [ @@ -4889,8 +4814,7 @@ var all4 = all_match({ ]), }); -var hdr3 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant(':'), Field(hfld3,true), Constant(' at '), Field(hfld4,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant(']'), Field(payload,false)}" -match("HEADER#6:0015", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: %{hfld2}:%{hfld3->} at %{hfld4}: [%{hevent_source}:%{messageid}:%{hversion}]%{payload}", processor_chain([ +var hdr3 = match("HEADER#6:0015", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: %{hfld2}:%{hfld3->} at %{hfld4}: [%{hevent_source}:%{messageid}:%{hversion}]%{payload}", processor_chain([ setc("header_id","0015"), ])); @@ -4982,8 +4906,7 @@ var all12 = all_match({ ]), }); -var hdr4 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#15:0030/0", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr4 = match("HEADER#15:0030/0", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); var all13 = all_match({ processors: [ @@ -4996,64 +4919,53 @@ var all13 = all_match({ ]), }); -var hdr5 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#16:0004", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr5 = match("HEADER#16:0004", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr6 = // "Pattern{Constant('snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#17:0005", "message", "snort: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr6 = match("HEADER#17:0005", "message", "snort: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0005"), ])); -var hdr7 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: '), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#18:0018", "message", "snort[%{hpid}]: %{messageid}: %{payload}", processor_chain([ +var hdr7 = match("HEADER#18:0018", "message", "snort[%{hpid}]: %{messageid}: %{payload}", processor_chain([ setc("header_id","0018"), ])); -var hdr8 = // "Pattern{Constant('snort: '), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#19:0006", "message", "snort: %{messageid}: %{payload}", processor_chain([ +var hdr8 = match("HEADER#19:0006", "message", "snort: %{messageid}: %{payload}", processor_chain([ setc("header_id","0006"), ])); -var hdr9 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort['), Field(hpid,false), Constant(']: '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#20:0007", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: %{messageid->} %{p0}", processor_chain([ +var hdr9 = match("HEADER#20:0007", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: %{messageid->} %{p0}", processor_chain([ setc("header_id","0007"), dup15, ])); -var hdr10 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#21:0008", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr10 = match("HEADER#21:0008", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0008"), ])); -var hdr11 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hfld1,false), Constant(': [Primary Detection Engine ('), Field(hfld10,false), Constant(')]['), Field(policyname,false), Constant(']['), Field(hfld2,false), Constant(':'), Field(id,false), Constant(':'), Field(hfld3,false), Constant(']'), Field(payload,false)}" -match("HEADER#22:0046", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine (%{hfld10})][%{policyname}][%{hfld2}:%{id}:%{hfld3}]%{payload}", processor_chain([ +var hdr11 = match("HEADER#22:0046", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine (%{hfld10})][%{policyname}][%{hfld2}:%{id}:%{hfld3}]%{payload}", processor_chain([ setc("header_id","0046"), dup16, ])); -var hdr12 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hpid,false), Constant(']['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#23:0009", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hpid}][%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr12 = match("HEADER#23:0009", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hpid}][%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0009"), ])); -var hdr13 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld5,false), Constant(': '), Field(hfld6,false), Constant(': '), Field(hfld7,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#24:0022", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{host->} %{hfld5}: %{hfld6}: %{hfld7}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr13 = match("HEADER#24:0022", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{host->} %{hfld5}: %{hfld6}: %{hfld7}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0022"), dup17, dup18, ])); -var hdr14 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#25:0010", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr14 = match("HEADER#25:0010", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0010"), dup17, dup18, ])); -var part5 = // "Pattern{Constant('From '), Field(hsensor,true), Constant(' at'), Field(p0,false)}" -match("HEADER#26:0011/1_0", "nwparser.p0", "From %{hsensor->} at%{p0}"); +var part5 = match("HEADER#26:0011/1_0", "nwparser.p0", "From %{hsensor->} at%{p0}"); var select2 = linear_select([ part5, @@ -5072,8 +4984,7 @@ var all14 = all_match({ ]), }); -var part6 = // "Pattern{Field(fld10,true), Constant(' From '), Field(hsensor,true), Constant(' at'), Field(p0,false)}" -match("HEADER#27:0014/1_0", "nwparser.p0", "%{fld10->} From %{hsensor->} at%{p0}"); +var part6 = match("HEADER#27:0014/1_0", "nwparser.p0", "%{fld10->} From %{hsensor->} at%{p0}"); var select3 = linear_select([ part6, @@ -5092,8 +5003,7 @@ var all15 = all_match({ ]), }); -var hdr15 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(msgIdPart4,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr15 = match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0012"), dup23, call({ @@ -5115,8 +5025,7 @@ match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr16 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(msgIdPart4,true), Constant(' '), Field(hfld12,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} %{hfld12->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr16 = match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} %{hfld12->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0016"), dup23, call({ @@ -5140,72 +5049,60 @@ match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr17 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort: '), Field(messageid,false), Constant(':'), Field(payload,false)}" -match("HEADER#30:0013", "message", "%{month->} %{day->} %{time->} %{host->} snort: %{messageid}:%{payload}", processor_chain([ +var hdr17 = match("HEADER#30:0013", "message", "%{month->} %{day->} %{time->} %{host->} snort: %{messageid}:%{payload}", processor_chain([ setc("header_id","0013"), ])); -var hdr18 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': HMNOTIFY: '), Field(payload,false)}" -match("HEADER#31:0020", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: HMNOTIFY: %{payload}", processor_chain([ +var hdr18 = match("HEADER#31:0020", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: HMNOTIFY: %{payload}", processor_chain([ setc("header_id","0020"), dup24, ])); -var hdr19 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' : HMNOTIFY: '), Field(payload,false)}" -match("HEADER#32:0035", "message", "%{month->} %{day->} %{time->} %{host->} : HMNOTIFY: %{payload}", processor_chain([ +var hdr19 = match("HEADER#32:0035", "message", "%{month->} %{day->} %{time->} %{host->} : HMNOTIFY: %{payload}", processor_chain([ setc("header_id","0035"), dup24, ])); -var hdr20 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hsigid,false), Constant(':'), Field(hversion,false), Constant('] "'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#33:0017", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] \"%{messageid->} %{p0}", processor_chain([ +var hdr20 = match("HEADER#33:0017", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] \"%{messageid->} %{p0}", processor_chain([ setc("header_id","0017"), dup15, ])); -var hdr21 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hsigid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#34:0019", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] %{messageid->} %{p0}", processor_chain([ +var hdr21 = match("HEADER#34:0019", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] %{messageid->} %{p0}", processor_chain([ setc("header_id","0019"), dup15, ])); -var hdr22 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hfld1,false), Constant(': [Primary Detection Engine'), Field(payload,false)}" -match("HEADER#35:0041", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine%{payload}", processor_chain([ +var hdr22 = match("HEADER#35:0041", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine%{payload}", processor_chain([ setc("header_id","0041"), dup16, ])); -var hdr23 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': Protocol: '), Field(hprotocol,false), Constant(', '), Field(payload,false)}" -match("HEADER#36:0045", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Protocol: %{hprotocol}, %{payload}", processor_chain([ +var hdr23 = match("HEADER#36:0045", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Protocol: %{hprotocol}, %{payload}", processor_chain([ setc("header_id","0045"), setc("messageid","connection_events"), ])); -var hdr24 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(hfld4,true), Constant(' '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" -match("HEADER#37:0042", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{hfld4->} %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ +var hdr24 = match("HEADER#37:0042", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{hfld4->} %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ setc("header_id","0042"), dup25, ])); -var hdr25 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hfld5,false), Constant('] '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" -match("HEADER#38:00212", "message", "%{month->} %{day->} %{time->} %{hfld1}: [%{hfld5}] %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ +var hdr25 = match("HEADER#38:00212", "message", "%{month->} %{day->} %{time->} %{hfld1}: [%{hfld5}] %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ setc("header_id","00212"), dup25, ])); -var hdr26 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" -match("HEADER#39:0021", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ +var hdr26 = match("HEADER#39:0021", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ setc("header_id","0021"), dup25, ])); -var hdr27 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" -match("HEADER#40:0029", "message", "%{month->} %{day->} %{time->} %{host}: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ +var hdr27 = match("HEADER#40:0029", "message", "%{month->} %{day->} %{time->} %{host}: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ setc("header_id","0029"), ])); -var hdr28 = // "Pattern{Constant('snort'), Field(p0,false)}" -match("HEADER#41:0024/0", "message", "snort%{p0}"); +var hdr28 = match("HEADER#41:0024/0", "message", "snort%{p0}"); var all16 = all_match({ processors: [ @@ -5219,8 +5116,7 @@ var all16 = all_match({ ]), }); -var hdr29 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort'), Field(p0,false)}" -match("HEADER#42:0025/0", "message", "%{month->} %{day->} %{time->} snort%{p0}"); +var hdr29 = match("HEADER#42:0025/0", "message", "%{month->} %{day->} %{time->} snort%{p0}"); var all17 = all_match({ processors: [ @@ -5234,8 +5130,7 @@ var all17 = all_match({ ]), }); -var part7 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#43:0023/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part7 = match("HEADER#43:0023/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); var all18 = all_match({ processors: [ @@ -5249,8 +5144,7 @@ var all18 = all_match({ ]), }); -var part8 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#44:0026/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part8 = match("HEADER#44:0026/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); var all19 = all_match({ processors: [ @@ -5288,8 +5182,7 @@ var all21 = all_match({ ]), }); -var hdr30 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': Sha256:'), Field(hfld2,true), Constant(' Disposition: Malware'), Field(p0,false)}" -match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Sha256:%{hfld2->} Disposition: Malware%{p0}", processor_chain([ +var hdr30 = match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Sha256:%{hfld2->} Disposition: Malware%{p0}", processor_chain([ setc("header_id","0040"), setc("messageid","MALWARE"), call({ @@ -5303,8 +5196,7 @@ match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr31 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" -match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} From %{hsensor->} at %{p0}", processor_chain([ +var hdr31 = match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} From %{hsensor->} at %{p0}", processor_chain([ setc("header_id","0043"), dup22, call({ @@ -5324,27 +5216,22 @@ match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hf }), ])); -var hdr32 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#49:0044", "message", "%{month->} %{day->} %{time->} %{host->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr32 = match("HEADER#49:0044", "message", "%{month->} %{day->} %{time->} %{host->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0044"), ])); -var hdr33 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(hyear,true), Constant(' '), Field(time,true), Constant(' '), Field(p0,false)}" -match("HEADER#50:0057/0", "message", "%{month->} %{day->} %{hyear->} %{time->} %{p0}"); +var hdr33 = match("HEADER#50:0057/0", "message", "%{month->} %{day->} %{hyear->} %{time->} %{p0}"); -var part9 = // "Pattern{Field(hostname,false), Constant(': %FTD-'), Field(p0,false)}" -match("HEADER#50:0057/1_0", "nwparser.p0", "%{hostname}: %FTD-%{p0}"); +var part9 = match("HEADER#50:0057/1_0", "nwparser.p0", "%{hostname}: %FTD-%{p0}"); -var part10 = // "Pattern{Field(hostname,true), Constant(' %FTD-'), Field(p0,false)}" -match("HEADER#50:0057/1_1", "nwparser.p0", "%{hostname->} %FTD-%{p0}"); +var part10 = match("HEADER#50:0057/1_1", "nwparser.p0", "%{hostname->} %FTD-%{p0}"); var select4 = linear_select([ part9, part10, ]); -var part11 = // "Pattern{Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#50:0057/2", "nwparser.p0", "%{fld2}-%{hfld3}:%{payload}"); +var part11 = match("HEADER#50:0057/2", "nwparser.p0", "%{fld2}-%{hfld3}:%{payload}"); var all22 = all_match({ processors: [ @@ -5358,8 +5245,7 @@ var all22 = all_match({ ]), }); -var hdr34 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z '), Field(hostname,true), Constant(' %FTD-'), Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" -match("HEADER#51:0058", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ +var hdr34 = match("HEADER#51:0058", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ setc("header_id","0058"), dup1, ])); @@ -5419,8 +5305,7 @@ var select5 = linear_select([ hdr34, ]); -var part12 = // "Pattern{Field(event_type,true), Constant(' (Sensor '), Field(sensor,false), Constant('): Severity:'), Field(severity,false), Constant(': '), Field(result,false)}" -match("MESSAGE#0:HMNOTIFY", "nwparser.payload", "%{event_type->} (Sensor %{sensor}): Severity:%{severity}: %{result}", processor_chain([ +var part12 = match("MESSAGE#0:HMNOTIFY", "nwparser.payload", "%{event_type->} (Sensor %{sensor}): Severity:%{severity}: %{result}", processor_chain([ setc("eventcategory","1604000000"), dup31, dup32, @@ -95633,17 +95518,13 @@ var all66 = all_match({ var msg38452 = msg("snort-sid-template", all66); -var part13 = // "Pattern{Constant('PORTSCAN DETECTED from '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/0", "nwparser.payload", "PORTSCAN DETECTED from %{p0}"); +var part13 = match("MESSAGE#38452:spp_portscan/0", "nwparser.payload", "PORTSCAN DETECTED from %{p0}"); -var part14 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(')(THRESHOLD '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/1_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src})(THRESHOLD %{p0}"); +var part14 = match("MESSAGE#38452:spp_portscan/1_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src})(THRESHOLD %{p0}"); -var part15 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,false), Constant('(THRESHOLD '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/1_1", "nwparser.p0", "%{saddr}:%{sport}(THRESHOLD %{p0}"); +var part15 = match("MESSAGE#38452:spp_portscan/1_1", "nwparser.p0", "%{saddr}:%{sport}(THRESHOLD %{p0}"); -var part16 = // "Pattern{Field(saddr,false), Constant('(THRESHOLD '), Field(p0,false)}" -match("MESSAGE#38452:spp_portscan/1_2", "nwparser.p0", "%{saddr}(THRESHOLD %{p0}"); +var part16 = match("MESSAGE#38452:spp_portscan/1_2", "nwparser.p0", "%{saddr}(THRESHOLD %{p0}"); var select2444 = linear_select([ part14, @@ -95651,8 +95532,7 @@ var select2444 = linear_select([ part16, ]); -var part17 = // "Pattern{Field(dclass_counter1,true), Constant(' connections exceeded in '), Field(duration,true), Constant(' seconds)')}" -match("MESSAGE#38452:spp_portscan/2", "nwparser.p0", "%{dclass_counter1->} connections exceeded in %{duration->} seconds)"); +var part17 = match("MESSAGE#38452:spp_portscan/2", "nwparser.p0", "%{dclass_counter1->} connections exceeded in %{duration->} seconds)"); var all67 = all_match({ processors: [ @@ -95676,8 +95556,7 @@ var all67 = all_match({ var msg38453 = msg("spp_portscan", all67); -var part18 = // "Pattern{Constant('portscan status from '), Field(saddr,false), Constant(': '), Field(dclass_counter1,true), Constant(' connections across '), Field(fld1,true), Constant(' hosts: '), Field(fld2,false), Constant(', '), Field(fld3,false)}" -match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from %{saddr}: %{dclass_counter1->} connections across %{fld1->} hosts: %{fld2}, %{fld3}", processor_chain([ +var part18 = match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from %{saddr}: %{dclass_counter1->} connections across %{fld1->} hosts: %{fld2}, %{fld3}", processor_chain([ dup61, dup31, dup32, @@ -95692,8 +95571,7 @@ match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from var msg38454 = msg("spp_portscan:01", part18); -var part19 = // "Pattern{Constant('End of portscan from '), Field(saddr,false), Constant(': TOTAL time('), Field(fld1,false), Constant(') hosts('), Field(fld2,false), Constant(') '), Field(fld3,true), Constant(' '), Field(fld4,false)}" -match("MESSAGE#38454:spp_portscan:02", "nwparser.payload", "End of portscan from %{saddr}: TOTAL time(%{fld1}) hosts(%{fld2}) %{fld3->} %{fld4}", processor_chain([ +var part19 = match("MESSAGE#38454:spp_portscan:02", "nwparser.payload", "End of portscan from %{saddr}: TOTAL time(%{fld1}) hosts(%{fld2}) %{fld3->} %{fld4}", processor_chain([ dup61, dup31, dup32, @@ -95716,8 +95594,7 @@ var select2445 = linear_select([ msg38456, ]); -var part20 = // "Pattern{Constant('Portscan detected from '), Field(saddr,true), Constant(' Talker('), Field(fld1,false), Constant(') Scanner('), Field(fld2,false), Constant(')')}" -match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{saddr->} Talker(%{fld1}) Scanner(%{fld2})", processor_chain([ +var part20 = match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{saddr->} Talker(%{fld1}) Scanner(%{fld2})", processor_chain([ dup61, dup31, dup32, @@ -95725,8 +95602,7 @@ match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{sa var msg38457 = msg("Portscan", part20); -var part21 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Hops: '), Field(result,false)}" -match("MESSAGE#38457:Hops_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Hops: %{result}", processor_chain([ +var part21 = match("MESSAGE#38457:Hops_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Hops: %{result}", processor_chain([ dup127, dup31, dup32, @@ -95740,8 +95616,7 @@ var msg38459 = msg("MAC_Information_Change", dup354); var msg38460 = msg("Additional_MAC_Detected_for", dup354); -var part22 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' NETBIOS Name: '), Field(result,false)}" -match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} NETBIOS Name: %{result}", processor_chain([ +var part22 = match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} NETBIOS Name: %{result}", processor_chain([ dup127, dup31, dup32, @@ -95751,19 +95626,16 @@ match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} Fro var msg38461 = msg("NETBIOS_Name_Change", part22); -var part23 = // "Pattern{Constant('MAC Address: '), Field(smacaddr,true), Constant(' Host Type: '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Host Type: %{p0}"); +var part23 = match("MESSAGE#38461:New_Host/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Host Type: %{p0}"); -var part24 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Host Type: '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/1_1", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{p0}"); +var part24 = match("MESSAGE#38461:New_Host/1_1", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{p0}"); var select2446 = linear_select([ part23, part24, ]); -var part25 = // "Pattern{Field(fld7,false)}" -match_copy("MESSAGE#38461:New_Host/2", "nwparser.p0", "fld7"); +var part25 = match_copy("MESSAGE#38461:New_Host/2", "nwparser.p0", "fld7"); var all68 = all_match({ processors: [ @@ -95782,11 +95654,9 @@ var all68 = all_match({ var msg38462 = msg("New_Host", all68); -var part26 = // "Pattern{Constant('MAC Address: '), Field(smacaddr,true), Constant(' Network Protocol: '), Field(p0,false)}" -match("MESSAGE#38462:New_Network_Protocol/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Network Protocol: %{p0}"); +var part26 = match("MESSAGE#38462:New_Network_Protocol/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Network Protocol: %{p0}"); -var part27 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Network Protocol: '), Field(p0,false)}" -match("MESSAGE#38462:New_Network_Protocol/1_1", "nwparser.p0", "IP Address: %{saddr->} Network Protocol: %{p0}"); +var part27 = match("MESSAGE#38462:New_Network_Protocol/1_1", "nwparser.p0", "IP Address: %{saddr->} Network Protocol: %{p0}"); var select2447 = linear_select([ part26, @@ -95810,8 +95680,7 @@ var all69 = all_match({ var msg38463 = msg("New_Network_Protocol", all69); -var part28 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(protocol,false)}" -match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{protocol}", processor_chain([ +var part28 = match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{protocol}", processor_chain([ dup135, dup31, dup32, @@ -95821,8 +95690,7 @@ match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \" var msg38464 = msg("New_UDP_Service", part28); -var part29 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Transport Protocol: '), Field(protocol,false)}" -match("MESSAGE#38464:New_Transport_Protocol", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Transport Protocol: %{protocol}", processor_chain([ +var part29 = match("MESSAGE#38464:New_Transport_Protocol", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Transport Protocol: %{protocol}", processor_chain([ dup135, dup31, dup32, @@ -95838,8 +95706,7 @@ var msg38467 = msg("OS_Information_Update", dup183); var msg38468 = msg("TCP_Service_Confidence_Update", dup184); -var part30 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" -match("MESSAGE#38468:TCP_Service_Information_Update/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); +var part30 = match("MESSAGE#38468:TCP_Service_Information_Update/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); var all70 = all_match({ processors: [ @@ -95857,8 +95724,7 @@ var all70 = all_match({ var msg38469 = msg("TCP_Service_Information_Update", all70); -var part31 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> MAC Address: '), Field(saddr,true), Constant(' VLAN ID: '), Field(sport,true), Constant(' Type: '), Field(protocol,true), Constant(' Priority: '), Field(threat_val,false)}" -match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> MAC Address: %{saddr->} VLAN ID: %{sport->} Type: %{protocol->} Priority: %{threat_val}", processor_chain([ +var part31 = match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> MAC Address: %{saddr->} VLAN ID: %{sport->} Type: %{protocol->} Priority: %{threat_val}", processor_chain([ dup135, dup31, dup32, @@ -95869,14 +95735,11 @@ match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{contex var msg38470 = msg("VLAN_Tag_Information_Update", part31); -var part32 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(p0,false)}" -match("MESSAGE#38470:New_OS/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{p0}"); +var part32 = match("MESSAGE#38470:New_OS/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{p0}"); -var part33 = // "Pattern{Field(os,true), Constant(' Device Info: '), Field(fld7,false)}" -match("MESSAGE#38470:New_OS/1_0", "nwparser.p0", "%{os->} Device Info: %{fld7}"); +var part33 = match("MESSAGE#38470:New_OS/1_0", "nwparser.p0", "%{os->} Device Info: %{fld7}"); -var part34 = // "Pattern{Field(os,false)}" -match_copy("MESSAGE#38470:New_OS/1_1", "nwparser.p0", "os"); +var part34 = match_copy("MESSAGE#38470:New_OS/1_1", "nwparser.p0", "os"); var select2448 = linear_select([ part33, @@ -95909,8 +95772,7 @@ var msg38475 = msg("TCP_Port_Closed", dup187); var msg38476 = msg("TCP_Port_Timeout", dup188); -var part35 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' web browser '), Field(application,false)}" -match("MESSAGE#38476:Client_Application_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} web browser %{application}", processor_chain([ +var part35 = match("MESSAGE#38476:Client_Application_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} web browser %{application}", processor_chain([ dup135, dup31, dup32, @@ -95922,8 +95784,7 @@ var msg38477 = msg("Client_Application_Timeout", part35); var msg38478 = msg("Host_Timeout", dup188); -var part36 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS'), Field(os,false)}" -match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS%{os}", processor_chain([ +var part36 = match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS%{os}", processor_chain([ dup135, dup31, dup32, @@ -95933,22 +95794,18 @@ match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From % var msg38479 = msg("Identity_Timeout", part36); -var part37 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Serv'), Field(p0,false)}" -match("MESSAGE#38479:Identity_Timeout:01/0", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Serv%{p0}"); +var part37 = match("MESSAGE#38479:Identity_Timeout:01/0", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Serv%{p0}"); -var part38 = // "Pattern{Constant('ice'), Field(p0,false)}" -match("MESSAGE#38479:Identity_Timeout:01/1_0", "nwparser.p0", "ice%{p0}"); +var part38 = match("MESSAGE#38479:Identity_Timeout:01/1_0", "nwparser.p0", "ice%{p0}"); -var part39 = // "Pattern{Constant('er'), Field(p0,false)}" -match("MESSAGE#38479:Identity_Timeout:01/1_1", "nwparser.p0", "er%{p0}"); +var part39 = match("MESSAGE#38479:Identity_Timeout:01/1_1", "nwparser.p0", "er%{p0}"); var select2449 = linear_select([ part38, part39, ]); -var part40 = // "Pattern{Field(,false), Constant('port: '), Field(sport,false), Constant('/'), Field(protocol,true), Constant(' '), Field(network_service,false)}" -match("MESSAGE#38479:Identity_Timeout:01/2", "nwparser.p0", "%{}port: %{sport}/%{protocol->} %{network_service}"); +var part40 = match("MESSAGE#38479:Identity_Timeout:01/2", "nwparser.p0", "%{}port: %{sport}/%{protocol->} %{network_service}"); var all72 = all_match({ processors: [ @@ -95976,8 +95833,7 @@ var msg38481 = msg("UDP_Port_Timeout", dup188); var msg38482 = msg("UDP_Service_Confidence_Update", dup184); -var part41 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,true), Constant(' Subtypes: '), Field(fld1,false)}" -match("MESSAGE#38482:UDP_Service_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result->} Subtypes: %{fld1}", processor_chain([ +var part41 = match("MESSAGE#38482:UDP_Service_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result->} Subtypes: %{fld1}", processor_chain([ dup135, dup31, dup32, @@ -95994,17 +95850,13 @@ var select2451 = linear_select([ msg38484, ]); -var part42 = // "Pattern{Field(context,true), Constant(' ['), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/0", "nwparser.payload", "%{context->} [%{p0}"); +var part42 = match("MESSAGE#38484:EmergingThreats/0", "nwparser.payload", "%{context->} [%{p0}"); -var part43 = // "Pattern{Constant('Impact: '), Field(result,false), Constant('] From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/1_0", "nwparser.p0", "Impact: %{result}] From \"%{sensor}\" at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{p0}"); +var part43 = match("MESSAGE#38484:EmergingThreats/1_0", "nwparser.p0", "Impact: %{result}] From \"%{sensor}\" at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{p0}"); -var part44 = // "Pattern{Constant('Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/1_1", "nwparser.p0", "Classification: %{sigtype}] [Priority: %{p0}"); +var part44 = match("MESSAGE#38484:EmergingThreats/1_1", "nwparser.p0", "Classification: %{sigtype}] [Priority: %{p0}"); -var part45 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/1_2", "nwparser.p0", "%{info}] [Priority: %{p0}"); +var part45 = match("MESSAGE#38484:EmergingThreats/1_2", "nwparser.p0", "%{info}] [Priority: %{p0}"); var select2452 = linear_select([ part43, @@ -96012,8 +95864,7 @@ var select2452 = linear_select([ part45, ]); -var part46 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" -match("MESSAGE#38484:EmergingThreats/2", "nwparser.p0", "%{threat_val->} ]%{p0}"); +var part46 = match("MESSAGE#38484:EmergingThreats/2", "nwparser.p0", "%{threat_val->} ]%{p0}"); var all73 = all_match({ processors: [ @@ -96043,8 +95894,7 @@ var all73 = all_match({ var msg38485 = msg("EmergingThreats", all73); -var part47 = // "Pattern{Constant('Pruned session from cache that was using '), Field(bytes,true), Constant(' bytes ('), Field(result,false), Constant('). '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' --> '), Field(daddr,true), Constant(' '), Field(fld2,true), Constant(' ('), Field(fld3,false), Constant(') : '), Field(info,false)}" -match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that was using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ +var part47 = match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that was using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ dup127, dup31, dup32, @@ -96052,8 +95902,7 @@ match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that wa var msg38486 = msg("S5", part47); -var part48 = // "Pattern{Constant('Session exceeded configured max bytes to queue '), Field(fld4,true), Constant(' using '), Field(bytes,true), Constant(' bytes ('), Field(result,false), Constant('). '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' --> '), Field(daddr,true), Constant(' '), Field(fld2,true), Constant(' ('), Field(fld3,false), Constant(') : '), Field(info,false)}" -match("MESSAGE#38486:S5:01", "nwparser.payload", "Session exceeded configured max bytes to queue %{fld4->} using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ +var part48 = match("MESSAGE#38486:S5:01", "nwparser.payload", "Session exceeded configured max bytes to queue %{fld4->} using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ dup127, dup31, dup32, @@ -96066,8 +95915,7 @@ var select2453 = linear_select([ msg38487, ]); -var part49 = // "Pattern{Constant('Login, Login Success'), Field(,false)}" -match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Success%{}", processor_chain([ +var part49 = match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Success%{}", processor_chain([ dup112, dup31, dup32, @@ -96083,8 +95931,7 @@ match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Succe var msg38488 = msg("SystemSettings:01", part49); -var part50 = // "Pattern{Constant('Logout, Logout Success'), Field(,false)}" -match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Success%{}", processor_chain([ +var part50 = match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Success%{}", processor_chain([ setc("eventcategory","1802000000"), dup31, dup32, @@ -96100,8 +95947,7 @@ match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Suc var msg38489 = msg("SystemSettings:02", part50); -var part51 = // "Pattern{Constant('System > '), Field(info,false)}" -match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", processor_chain([ +var part51 = match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96114,8 +95960,7 @@ match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", var msg38490 = msg("SystemSettings:03", part51); -var part52 = // "Pattern{Constant('Policies > '), Field(info,false)}" -match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info}", processor_chain([ +var part52 = match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96128,8 +95973,7 @@ match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info} var msg38491 = msg("SystemSettings:04", part52); -var part53 = // "Pattern{Constant('Object > '), Field(info,false)}" -match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", processor_chain([ +var part53 = match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96141,8 +95985,7 @@ match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", var msg38492 = msg("SystemSettings:05", part53); -var part54 = // "Pattern{Constant('Overview > '), Field(info,false)}" -match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info}", processor_chain([ +var part54 = match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96154,8 +95997,7 @@ match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info} var msg38493 = msg("SystemSettings:06", part54); -var part55 = // "Pattern{Constant('Task Queue, '), Field(info,false)}" -match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info}", processor_chain([ +var part55 = match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96168,8 +96010,7 @@ match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info var msg38494 = msg("SystemSettings:07", part55); -var part56 = // "Pattern{Constant('Intrusion Policy > '), Field(info,false)}" -match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > %{info}", processor_chain([ +var part56 = match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96182,19 +96023,16 @@ match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > var msg38495 = msg("SystemSettings:08", part56); -var part57 = // "Pattern{Constant('Analysis & Reporting '), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/0", "nwparser.payload", "Analysis \u0026 Reporting %{p0}"); +var part57 = match("MESSAGE#38495:SystemSettings:09/0", "nwparser.payload", "Analysis \u0026 Reporting %{p0}"); -var part58 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/1_1", "nwparser.p0", ",%{p0}"); +var part58 = match("MESSAGE#38495:SystemSettings:09/1_1", "nwparser.p0", ",%{p0}"); var select2454 = linear_select([ dup145, part58, ]); -var part59 = // "Pattern{Field(,true), Constant(' '), Field(info,false)}" -match("MESSAGE#38495:SystemSettings:09/2", "nwparser.p0", "%{} %{info}"); +var part59 = match("MESSAGE#38495:SystemSettings:09/2", "nwparser.p0", "%{} %{info}"); var all74 = all_match({ processors: [ @@ -96216,8 +96054,7 @@ var all74 = all_match({ var msg38496 = msg("SystemSettings:09", all74); -var part60 = // "Pattern{Constant('Heartbeat, '), Field(info,false)}" -match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info}", processor_chain([ +var part60 = match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96230,8 +96067,7 @@ match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info} var msg38497 = msg("SystemSettings:10", part60); -var part61 = // "Pattern{Constant('FailD, '), Field(info,false)}" -match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", processor_chain([ +var part61 = match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96243,8 +96079,7 @@ match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", p var msg38498 = msg("SystemSettings:11", part61); -var part62 = // "Pattern{Constant('Health > '), Field(info,false)}" -match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", processor_chain([ +var part62 = match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96257,8 +96092,7 @@ match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", var msg38499 = msg("SystemSettings:12", part62); -var part63 = // "Pattern{Constant('Session Expiration, '), Field(info,false)}" -match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration, %{info}", processor_chain([ +var part63 = match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration, %{info}", processor_chain([ dup127, dup31, dup32, @@ -96271,8 +96105,7 @@ match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration var msg38500 = msg("SystemSettings:13", part63); -var part64 = // "Pattern{Constant('Analysis '), Field(info,false)}" -match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", processor_chain([ +var part64 = match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", processor_chain([ dup127, dup31, dup32, @@ -96285,8 +96118,7 @@ match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", var msg38501 = msg("SystemSettings:14", part64); -var part65 = // "Pattern{Constant('Devices '), Field(info,false)}" -match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", processor_chain([ +var part65 = match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", processor_chain([ dup127, dup31, dup32, @@ -96299,8 +96131,7 @@ match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", var msg38502 = msg("SystemSettings:15", part65); -var part66 = // "Pattern{Constant('Intrusion Events,'), Field(info,false)}" -match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,%{info}", processor_chain([ +var part66 = match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,%{info}", processor_chain([ dup127, dup31, dup32, @@ -96313,8 +96144,7 @@ match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,% var msg38503 = msg("SystemSettings:16", part66); -var part67 = // "Pattern{Constant('Login, Login Failed'), Field(,false)}" -match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Failed%{}", processor_chain([ +var part67 = match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Failed%{}", processor_chain([ dup91, dup31, dup137, @@ -96331,8 +96161,7 @@ match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Faile var msg38504 = msg("SystemSettings:17", part67); -var part68 = // "Pattern{Constant('Command Line,'), Field(info,false)}" -match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{info}", processor_chain([ +var part68 = match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{info}", processor_chain([ dup127, dup31, dup32, @@ -96344,8 +96173,7 @@ match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{inf var msg38505 = msg("SystemSettings:18", part68); -var part69 = // "Pattern{Constant('Access Control Policy > '), Field(info,false)}" -match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Policy > %{info}", processor_chain([ +var part69 = match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Policy > %{info}", processor_chain([ dup127, dup31, dup32, @@ -96357,8 +96185,7 @@ match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Pol var msg38506 = msg("SystemSettings:19", part69); -var part70 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#38506:SystemSettings:20", "nwparser.payload", "info", processor_chain([ +var part70 = match_copy("MESSAGE#38506:SystemSettings:20", "nwparser.payload", "info", processor_chain([ dup127, dup31, dup32, @@ -96407,8 +96234,7 @@ var msg38513 = msg("2101867", dup192); var msg38514 = msg("2101918", dup192); -var part71 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(sbytes,false), Constant(', Context: '), Field(context,false), Constant(', SSL Rule Name: '), Field(fld9,false), Constant(', SSL Flow Status: '), Field(fld10,false), Constant(', SSL Cipher Suite: '), Field(fld11,false), Constant(', SSL Certificate: '), Field(fld12,false), Constant(', SSL Subject CN: '), Field(fld13,false), Constant(', SSL Subject Country: '), Field(fld14,false), Constant(', SSL Subject OU: '), Field(fld15,false), Constant(', SSL Subject Org: '), Field(fld16,false), Constant(', SSL Issuer CN: '), Field(fld17,false), Constant(', SSL Issuer Country: '), Field(fld18,false), Constant(', SSL Issuer OU: '), Field(fld19,false), Constant(', SSL Issuer Org: '), Field(fld20,false), Constant(', SSL Valid Start Date: '), Field(fld21,false), Constant(', SSL Valid End Date: '), Field(fld22,false), Constant(', SSL Version: '), Field(fld23,false), Constant(', SSL Server Certificate Status: '), Field(fld24,false), Constant(', SSL Actual Action: '), Field(fld25,false), Constant(', SSL Expected Action: '), Field(fld26,false), Constant(', SSL Server Name: '), Field(fld27,false), Constant(', SSL URL Category: '), Field(fld28,false), Constant(', SSL Session ID: '), Field(fld29,false), Constant(', SSL Ticket Id: '), Field(fld30,false), Constant(', {'), Field(protocol,false), Constant('} '), Field(saddr,true), Constant(' -> '), Field(daddr,false), Constant(', type:'), Field(event_type,false), Constant(', code:'), Field(event_description,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{saddr->} -> %{daddr}, type:%{event_type}, code:%{event_description}"); +var part71 = match("MESSAGE#38514:Primary_Detection_Engine/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{saddr->} -> %{daddr}, type:%{event_type}, code:%{event_description}"); var all75 = all_match({ processors: [ @@ -96428,8 +96254,7 @@ var all75 = all_match({ var msg38515 = msg("Primary_Detection_Engine", all75); -var part72 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(sbytes,false), Constant(', Context: '), Field(context,false), Constant(', SSL Rule Name: '), Field(fld9,false), Constant(', SSL Flow Status: '), Field(fld10,false), Constant(', SSL Cipher Suite: '), Field(fld11,false), Constant(', SSL Certificate: '), Field(fld12,false), Constant(', SSL Subject CN: '), Field(fld13,false), Constant(', SSL Subject Country: '), Field(fld14,false), Constant(', SSL Subject OU: '), Field(fld15,false), Constant(', SSL Subject Org: '), Field(fld16,false), Constant(', SSL Issuer CN: '), Field(fld17,false), Constant(', SSL Issuer Country: '), Field(fld18,false), Constant(', SSL Issuer OU: '), Field(fld19,false), Constant(', SSL Issuer Org: '), Field(fld20,false), Constant(', SSL Valid Start Date: '), Field(fld21,false), Constant(', SSL Valid End Date: '), Field(fld22,false), Constant(', SSL Version: '), Field(fld23,false), Constant(', SSL Server Certificate Status: '), Field(fld24,false), Constant(', SSL Actual Action: '), Field(fld25,false), Constant(', SSL Expected Action: '), Field(fld26,false), Constant(', SSL Server Name: '), Field(fld27,false), Constant(', SSL URL Category: '), Field(fld28,false), Constant(', SSL Session ID: '), Field(fld29,false), Constant(', SSL Ticket Id: '), Field(fld30,false), Constant(', {'), Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#38515:Primary_Detection_Engine:01/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{p0}"); +var part72 = match("MESSAGE#38515:Primary_Detection_Engine:01/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{p0}"); var all76 = all_match({ processors: [ @@ -96451,14 +96276,11 @@ var all76 = all_match({ var msg38516 = msg("Primary_Detection_Engine:01", all76); -var part73 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(p0,false)}" -match("MESSAGE#38516:Primary_Detection_Engine:02/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{p0}"); +var part73 = match("MESSAGE#38516:Primary_Detection_Engine:02/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{p0}"); -var part74 = // "Pattern{Field(sbytes,false), Constant(', Context: '), Field(context,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#38516:Primary_Detection_Engine:02/3_0", "nwparser.p0", "%{sbytes}, Context: %{context->} {%{p0}"); +var part74 = match("MESSAGE#38516:Primary_Detection_Engine:02/3_0", "nwparser.p0", "%{sbytes}, Context: %{context->} {%{p0}"); -var part75 = // "Pattern{Field(sbytes,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#38516:Primary_Detection_Engine:02/3_1", "nwparser.p0", "%{sbytes->} {%{p0}"); +var part75 = match("MESSAGE#38516:Primary_Detection_Engine:02/3_1", "nwparser.p0", "%{sbytes->} {%{p0}"); var select2456 = linear_select([ part74, @@ -96487,8 +96309,7 @@ var all77 = all_match({ var msg38517 = msg("Primary_Detection_Engine:02", all77); -var part76 = // "Pattern{Constant('"'), Field(context,false), Constant('" [Classification:'), Field(sigtype,false), Constant('] User:'), Field(username,false), Constant(', Application:'), Field(application,false), Constant(', Client:'), Field(fld12,false), Constant(', App Protocol:'), Field(fld14,false), Constant(', Interface Ingress:'), Field(dinterface,false), Constant(', Interface Egress:'), Field(sinterface,false), Constant(', Security Zone Ingress:'), Field(dst_zone,false), Constant(', Security Zone Egress:'), Field(src_zone,false), Constant(', Context:'), Field(fld13,false), Constant(', SSL Flow Status:'), Field(fld1,false), Constant(', SSL Actual Action:'), Field(fld22,false), Constant(', SSL Certificate:'), Field(fld3,false), Constant(', SSL Subject CN:'), Field(fld4,false), Constant(', SSL Subject Country:'), Field(fld5,false), Constant(', SSL Subject OU:'), Field(fld6,false), Constant(', SSL Subject Org:'), Field(fld7,false), Constant(', SSL Issuer CN:'), Field(fld8,false), Constant(', SSL Issuer Country:'), Field(fld9,false), Constant(', SSL Issuer OU:'), Field(fld10,false), Constant(', SSL Issuer Org:'), Field(fld11,false), Constant(', SSL Valid Start Date:'), Field(fld12,false), Constant(', SSL Valid End Date:'), Field(fld13,false), Constant(', [Priority:'), Field(threat_val,false), Constant('] {'), Field(protocol,false), Constant('}'), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#38517:Primary_Detection_Engine:03", "nwparser.payload", "\"%{context}\" [Classification:%{sigtype}] User:%{username}, Application:%{application}, Client:%{fld12}, App Protocol:%{fld14}, Interface Ingress:%{dinterface}, Interface Egress:%{sinterface}, Security Zone Ingress:%{dst_zone}, Security Zone Egress:%{src_zone}, Context:%{fld13}, SSL Flow Status:%{fld1}, SSL Actual Action:%{fld22}, SSL Certificate:%{fld3}, SSL Subject CN:%{fld4}, SSL Subject Country:%{fld5}, SSL Subject OU:%{fld6}, SSL Subject Org:%{fld7}, SSL Issuer CN:%{fld8}, SSL Issuer Country:%{fld9}, SSL Issuer OU:%{fld10}, SSL Issuer Org:%{fld11}, SSL Valid Start Date:%{fld12}, SSL Valid End Date:%{fld13}, [Priority:%{threat_val}] {%{protocol}}%{saddr}:%{sport}->%{daddr}:%{dport}", processor_chain([ +var part76 = match("MESSAGE#38517:Primary_Detection_Engine:03", "nwparser.payload", "\"%{context}\" [Classification:%{sigtype}] User:%{username}, Application:%{application}, Client:%{fld12}, App Protocol:%{fld14}, Interface Ingress:%{dinterface}, Interface Egress:%{sinterface}, Security Zone Ingress:%{dst_zone}, Security Zone Egress:%{src_zone}, Context:%{fld13}, SSL Flow Status:%{fld1}, SSL Actual Action:%{fld22}, SSL Certificate:%{fld3}, SSL Subject CN:%{fld4}, SSL Subject Country:%{fld5}, SSL Subject OU:%{fld6}, SSL Subject Org:%{fld7}, SSL Issuer CN:%{fld8}, SSL Issuer Country:%{fld9}, SSL Issuer OU:%{fld10}, SSL Issuer Org:%{fld11}, SSL Valid Start Date:%{fld12}, SSL Valid End Date:%{fld13}, [Priority:%{threat_val}] {%{protocol}}%{saddr}:%{sport}->%{daddr}:%{dport}", processor_chain([ dup44, dup31, dup32, @@ -96507,8 +96328,7 @@ var select2457 = linear_select([ msg38518, ]); -var part77 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC > Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('>'), Field(daddr,false)}" -match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC > Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}>%{daddr}", processor_chain([ +var part77 = match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC > Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}>%{daddr}", processor_chain([ dup100, dup31, dup129, @@ -96518,19 +96338,16 @@ match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} F var msg38519 = msg("Network_Based_Malware", part77); -var part78 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -'), Field(p0,false)}" -match("MESSAGE#38519:Network_Based_Malware:01/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -%{p0}"); +var part78 = match("MESSAGE#38519:Network_Based_Malware:01/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -%{p0}"); -var part79 = // "Pattern{Constant('*>'), Field(p0,false)}" -match("MESSAGE#38519:Network_Based_Malware:01/1_0", "nwparser.p0", "*>%{p0}"); +var part79 = match("MESSAGE#38519:Network_Based_Malware:01/1_0", "nwparser.p0", "*>%{p0}"); var select2458 = linear_select([ part79, dup145, ]); -var part80 = // "Pattern{Field(,true), Constant(' '), Field(space,false), Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" -match("MESSAGE#38519:Network_Based_Malware:01/2", "nwparser.p0", "%{} %{space}Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); +var part80 = match("MESSAGE#38519:Network_Based_Malware:01/2", "nwparser.p0", "%{} %{space}Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); var all78 = all_match({ processors: [ @@ -96549,8 +96366,7 @@ var all78 = all_match({ var msg38520 = msg("Network_Based_Malware:01", all78); -var part81 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('->'), Field(daddr,false)}" -match("MESSAGE#38520:Network_Based_Malware:02", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ +var part81 = match("MESSAGE#38520:Network_Based_Malware:02", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ dup100, dup31, dup129, @@ -96566,17 +96382,13 @@ var select2459 = linear_select([ msg38521, ]); -var part82 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC %{p0}"); +var part82 = match("MESSAGE#38521:Network_Based_Retrospective/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC %{p0}"); -var part83 = // "Pattern{Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/2", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{p0}"); +var part83 = match("MESSAGE#38521:Network_Based_Retrospective/2", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{p0}"); -var part84 = // "Pattern{Field(saddr,false), Constant('->'), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/3_0", "nwparser.p0", "%{saddr}->%{p0}"); +var part84 = match("MESSAGE#38521:Network_Based_Retrospective/3_0", "nwparser.p0", "%{saddr}->%{p0}"); -var part85 = // "Pattern{Field(saddr,false), Constant('>'), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/3_1", "nwparser.p0", "%{saddr}>%{p0}"); +var part85 = match("MESSAGE#38521:Network_Based_Retrospective/3_1", "nwparser.p0", "%{saddr}>%{p0}"); var select2460 = linear_select([ part84, @@ -96602,14 +96414,11 @@ var all79 = all_match({ var msg38522 = msg("Network_Based_Retrospective", all79); -var part86 = // "Pattern{Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/4", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{p0}"); +var part86 = match("MESSAGE#38522:Network_Based_Retrospective:01/4", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{p0}"); -var part87 = // "Pattern{Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/5_0", "nwparser.p0", "%{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); +var part87 = match("MESSAGE#38522:Network_Based_Retrospective:01/5_0", "nwparser.p0", "%{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); -var part88 = // "Pattern{Field(threat_name,false)}" -match_copy("MESSAGE#38522:Network_Based_Retrospective:01/5_1", "nwparser.p0", "threat_name"); +var part88 = match_copy("MESSAGE#38522:Network_Based_Retrospective:01/5_1", "nwparser.p0", "threat_name"); var select2461 = linear_select([ part87, @@ -96641,8 +96450,7 @@ var select2462 = linear_select([ msg38523, ]); -var part89 = // "Pattern{Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" -match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}", processor_chain([ +var part89 = match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}", processor_chain([ dup100, dup32, dup47, @@ -96651,8 +96459,7 @@ match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition var msg38524 = msg("MALWARE:02", part89); -var part90 = // "Pattern{Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('->'), Field(daddr,false)}" -match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ +var part90 = match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ dup100, dup32, dup47, @@ -96661,8 +96468,7 @@ match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition var msg38525 = msg("MALWARE:01", part90); -var part91 = // "Pattern{Field(threat_val,false)}" -match_copy("MESSAGE#38537:MALWARE", "nwparser.payload", "threat_val", processor_chain([ +var part91 = match_copy("MESSAGE#38537:MALWARE", "nwparser.payload", "threat_val", processor_chain([ dup71, dup31, dup45, @@ -96704,14 +96510,11 @@ var all81 = all_match({ var msg38527 = msg("Snort_AlertLog", all81); -var part92 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(p0,false)}" -match("MESSAGE#38526:New_TCP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{p0}"); +var part92 = match("MESSAGE#38526:New_TCP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{p0}"); -var part93 = // "Pattern{Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38526:New_TCP_Port/5_0", "nwparser.p0", "%{sport->} Service: %{protocol->} Confidence: %{result}"); +var part93 = match("MESSAGE#38526:New_TCP_Port/5_0", "nwparser.p0", "%{sport->} Service: %{protocol->} Confidence: %{result}"); -var part94 = // "Pattern{Field(sport,false)}" -match_copy("MESSAGE#38526:New_TCP_Port/5_1", "nwparser.p0", "sport"); +var part94 = match_copy("MESSAGE#38526:New_TCP_Port/5_1", "nwparser.p0", "sport"); var select2464 = linear_select([ part93, @@ -96737,8 +96540,7 @@ var all82 = all_match({ var msg38528 = msg("New_TCP_Port", all82); -var part95 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" -match("MESSAGE#38527:New_UDP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport}"); +var part95 = match("MESSAGE#38527:New_UDP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport}"); var all83 = all_match({ processors: [ @@ -96766,8 +96568,7 @@ var msg38532 = msg("UDP_Server_Information_Update", dup356); var msg38533 = msg("TCP_Server_Information_Update", dup356); -var part96 = // "Pattern{Constant('From '), Field(sensor,true), Constant(' at '), Field(p0,false)}" -match("MESSAGE#38532:Client_Timeout/1_1", "nwparser.p0", "From %{sensor->} at %{p0}"); +var part96 = match("MESSAGE#38532:Client_Timeout/1_1", "nwparser.p0", "From %{sensor->} at %{p0}"); var select2465 = linear_select([ dup155, @@ -96793,8 +96594,7 @@ var all84 = all_match({ var msg38534 = msg("Client_Timeout", all84); -var part97 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Category: '), Field(category,true), Constant(' Event Type: '), Field(event_type,false)}" -match("MESSAGE#38533:Host_IOC_Set/4", "nwparser.p0", "IP Address: %{saddr->} Category: %{category->} Event Type: %{event_type}"); +var part97 = match("MESSAGE#38533:Host_IOC_Set/4", "nwparser.p0", "IP Address: %{saddr->} Category: %{category->} Event Type: %{event_type}"); var all85 = all_match({ processors: [ @@ -96814,8 +96614,7 @@ var all85 = all_match({ var msg38535 = msg("Host_IOC_Set", all85); -var part98 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Host Type: '), Field(fld10,false)}" -match("MESSAGE#38534:Host_Type_Changed/4", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{fld10}"); +var part98 = match("MESSAGE#38534:Host_Type_Changed/4", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{fld10}"); var all86 = all_match({ processors: [ @@ -96835,8 +96634,7 @@ var all86 = all_match({ var msg38536 = msg("Host_Type_Changed", all86); -var part99 = // "Pattern{Constant('Login Success'), Field(,false)}" -match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_chain([ +var part99 = match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_chain([ dup112, dup31, dup32, @@ -96849,8 +96647,7 @@ match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_c var msg38537 = msg("Login", part99); -var part100 = // "Pattern{Constant('Logout Success'), Field(,false)}" -match("MESSAGE#38536:Logout", "nwparser.payload", "Logout Success%{}", processor_chain([ +var part100 = match("MESSAGE#38536:Logout", "nwparser.payload", "Logout Success%{}", processor_chain([ setc("eventcategory","1401070000"), dup31, dup32, @@ -96957,8 +96754,7 @@ var part101 = tagval("MESSAGE#38538:connection_events", "nwparser.payload", tvm, var msg38539 = msg("connection_events", part101); -var part102 = // "Pattern{Constant('SrcIP: '), Field(daddr,false), Constant(', DstIP: '), Field(saddr,false), Constant(', SrcPort: '), Field(dport,false), Constant(', DstPort: '), Field(sport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', FileDirection: Download, FileAction: '), Field(action,false), Constant(', FileSHA256: '), Field(checksum,false), Constant(', SHA_Disposition: '), Field(disposition,false), Constant(', SperoDisposition: '), Field(info,false), Constant(', ThreatName: '), Field(threat_name,false), Constant(', ThreatScore: '), Field(fld1,false), Constant(', FileName: '), Field(filename,false), Constant(', FileType: '), Field(filetype,false), Constant(', FileSize: '), Field(filename_size,false), Constant(', ApplicationProtocol: '), Field(protocol,false), Constant(', Client: '), Field(application,false), Constant(', User: '), Field(username,false), Constant(', FirstPacketSecond: '), Field(fld21,false), Constant(', FilePolicy: '), Field(policyname,false), Constant(', FileSandboxStatus: '), Field(result,false), Constant(', URI: '), Field(url,false)}" -match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP: %{saddr}, SrcPort: %{dport}, DstPort: %{sport}, Protocol: %{protocol}, FileDirection: Download, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ +var part102 = match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP: %{saddr}, SrcPort: %{dport}, DstPort: %{sport}, Protocol: %{protocol}, FileDirection: Download, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ dup150, dup161, dup162, @@ -96970,8 +96766,7 @@ match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP var msg38540 = msg("FTD_events_01", part102); -var part103 = // "Pattern{Constant('SrcIP: '), Field(saddr,false), Constant(', DstIP: '), Field(daddr,false), Constant(', SrcPort: '), Field(sport,false), Constant(', DstPort: '), Field(dport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', FileDirection: Upload, FileAction: '), Field(action,false), Constant(', FileSHA256: '), Field(checksum,false), Constant(', SHA_Disposition: '), Field(disposition,false), Constant(', SperoDisposition: '), Field(info,false), Constant(', ThreatName: '), Field(threat_name,false), Constant(', ThreatScore: '), Field(fld1,false), Constant(', FileName: '), Field(filename,false), Constant(', FileType: '), Field(filetype,false), Constant(', FileSize: '), Field(filename_size,false), Constant(', ApplicationProtocol: '), Field(protocol,false), Constant(', Client: '), Field(application,false), Constant(', User: '), Field(username,false), Constant(', FirstPacketSecond: '), Field(fld21,false), Constant(', FilePolicy: '), Field(policyname,false), Constant(', FileSandboxStatus: '), Field(result,false), Constant(', URI: '), Field(url,false)}" -match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP: %{daddr}, SrcPort: %{sport}, DstPort: %{dport}, Protocol: %{protocol}, FileDirection: Upload, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ +var part103 = match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP: %{daddr}, SrcPort: %{sport}, DstPort: %{dport}, Protocol: %{protocol}, FileDirection: Upload, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ dup150, dup161, dup162, @@ -96983,8 +96778,7 @@ match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP var msg38541 = msg("FTD_events_02", part103); -var part104 = // "Pattern{Constant('User ''), Field(username,false), Constant('' executed the ''), Field(fld1,false), Constant('' command.')}" -match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' executed the '%{fld1}' command.", processor_chain([ +var part104 = match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' executed the '%{fld1}' command.", processor_chain([ dup150, dup162, dup32, @@ -96993,8 +96787,7 @@ match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' exe var msg38542 = msg("FTD_events_03", part104); -var part105 = // "Pattern{Constant('User ''), Field(username,false), Constant('', running ''), Field(application,false), Constant('' from IP'), Field(hostip,false), Constant(', executed ''), Field(fld1,false), Constant(''')}" -match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', running '%{application}' from IP%{hostip}, executed '%{fld1}'", processor_chain([ +var part105 = match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', running '%{application}' from IP%{hostip}, executed '%{fld1}'", processor_chain([ dup150, dup162, dup32, @@ -97003,8 +96796,7 @@ match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', ru var msg38543 = msg("FTD_events_04", part105); -var part106 = // "Pattern{Field(dclass_counter1,false), Constant('in use,'), Field(fld2,false), Constant('most used')}" -match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in use,%{fld2}most used", processor_chain([ +var part106 = match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in use,%{fld2}most used", processor_chain([ dup150, dup162, dup32, @@ -97014,8 +96806,7 @@ match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in u var msg38544 = msg("FTD_events_05", part106); -var part107 = // "Pattern{Constant('Offloaded TCP Flow for connection'), Field(connectionid,false), Constant('from'), Field(dinterface,false), Constant(':'), Field(daddr,false), Constant('/'), Field(dport,false), Constant('('), Field(dtransaddr,false), Constant('/'), Field(dtransport,false), Constant(') to'), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,false), Constant('('), Field(stransaddr,false), Constant('/'), Field(stransport,false), Constant(')')}" -match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for connection%{connectionid}from%{dinterface}:%{daddr}/%{dport}(%{dtransaddr}/%{dtransport}) to%{sinterface}:%{saddr}/%{sport}(%{stransaddr}/%{stransport})", processor_chain([ +var part107 = match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for connection%{connectionid}from%{dinterface}:%{daddr}/%{dport}(%{dtransaddr}/%{dtransport}) to%{sinterface}:%{saddr}/%{sport}(%{stransaddr}/%{stransport})", processor_chain([ dup150, dup162, dup32, @@ -97025,8 +96816,7 @@ match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for var msg38545 = msg("FTD_events_06", part107); -var part108 = // "Pattern{Constant('Failed to locate egress interface for '), Field(protocol,true), Constant(' from '), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,false)}" -match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egress interface for %{protocol->} from %{sinterface}:%{saddr}/%{sport->} to %{daddr}/%{dport}", processor_chain([ +var part108 = match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egress interface for %{protocol->} from %{sinterface}:%{saddr}/%{sport->} to %{daddr}/%{dport}", processor_chain([ setc("eventcategory","1801010000"), dup162, dup32, @@ -97036,8 +96826,7 @@ match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egres var msg38546 = msg("FTD_events_07", part108); -var part109 = // "Pattern{Constant('TCP Flow is no longer offloaded for connection '), Field(connectionid,true), Constant(' from '), Field(dinterface,false), Constant(':'), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' ('), Field(dtransaddr,false), Constant('/'), Field(dtransport,false), Constant(') to '), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' ('), Field(stransaddr,false), Constant('/'), Field(stransport,false), Constant(')')}" -match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer offloaded for connection %{connectionid->} from %{dinterface}:%{daddr}/%{dport->} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport->} (%{stransaddr}/%{stransport})", processor_chain([ +var part109 = match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer offloaded for connection %{connectionid->} from %{dinterface}:%{daddr}/%{dport->} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport->} (%{stransaddr}/%{stransport})", processor_chain([ dup150, dup162, dup32, @@ -97047,8 +96836,7 @@ match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer var msg38547 = msg("FTD_events_08", part109); -var part110 = // "Pattern{Constant('CLOCK: System clock set, source: '), Field(event_source,false), Constant(', IP: '), Field(hostip,false), Constant(', before: '), Field(change_old,false), Constant(', after: '), Field(change_new,false)}" -match("MESSAGE#38547:FTD_events_09", "nwparser.payload", "CLOCK: System clock set, source: %{event_source}, IP: %{hostip}, before: %{change_old}, after: %{change_new}", processor_chain([ +var part110 = match("MESSAGE#38547:FTD_events_09", "nwparser.payload", "CLOCK: System clock set, source: %{event_source}, IP: %{hostip}, before: %{change_old}, after: %{change_new}", processor_chain([ dup150, dup162, dup32, @@ -97148,19 +96936,16 @@ var select2466 = linear_select([ msg38549, ]); -var part112 = // "Pattern{Constant('AccessControlRuleAction:'), Field(action,false), Constant(', AccessControlRuleReason:'), Field(result,false), Constant(', SrcIP:'), Field(saddr,false), Constant(', DstIP:'), Field(daddr,false), Constant(', SrcPort:'), Field(sport,false), Constant(', DstPort:'), Field(dport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', IngressInterface: '), Field(dinterface,false), Constant(', IngressZone:'), Field(dst_zone,false), Constant(', ACPolicy:'), Field(fld44,false), Constant(', AccessControlRuleName:'), Field(rulename,false), Constant(', Prefilter Policy:'), Field(fld2,false), Constant(', User:'), Field(fld48,false), Constant(', Client:'), Field(application,false), Constant(', ApplicationProtocol:'), Field(protocol,false), Constant(', InitiatorPackets:'), Field(fld14,false), Constant(', ResponderPackets:'), Field(fld13,false), Constant(', InitiatorBytes:'), Field(sbytes,false), Constant(', ResponderBytes:'), Field(rbytes,false), Constant(', NAPPolicy:'), Field(policyname,false), Constant(', DNSQuery:'), Field(hostname,false), Constant(', DNSRecordType: a host address,'), Field(p0,false)}" -match("MESSAGE#38549:NGIPS_events_01/0", "nwparser.payload", "AccessControlRuleAction:%{action}, AccessControlRuleReason:%{result}, SrcIP:%{saddr}, DstIP:%{daddr}, SrcPort:%{sport}, DstPort:%{dport}, Protocol: %{protocol}, IngressInterface: %{dinterface}, IngressZone:%{dst_zone}, ACPolicy:%{fld44}, AccessControlRuleName:%{rulename}, Prefilter Policy:%{fld2}, User:%{fld48}, Client:%{application}, ApplicationProtocol:%{protocol}, InitiatorPackets:%{fld14}, ResponderPackets:%{fld13}, InitiatorBytes:%{sbytes}, ResponderBytes:%{rbytes}, NAPPolicy:%{policyname}, DNSQuery:%{hostname}, DNSRecordType: a host address,%{p0}"); +var part112 = match("MESSAGE#38549:NGIPS_events_01/0", "nwparser.payload", "AccessControlRuleAction:%{action}, AccessControlRuleReason:%{result}, SrcIP:%{saddr}, DstIP:%{daddr}, SrcPort:%{sport}, DstPort:%{dport}, Protocol: %{protocol}, IngressInterface: %{dinterface}, IngressZone:%{dst_zone}, ACPolicy:%{fld44}, AccessControlRuleName:%{rulename}, Prefilter Policy:%{fld2}, User:%{fld48}, Client:%{application}, ApplicationProtocol:%{protocol}, InitiatorPackets:%{fld14}, ResponderPackets:%{fld13}, InitiatorBytes:%{sbytes}, ResponderBytes:%{rbytes}, NAPPolicy:%{policyname}, DNSQuery:%{hostname}, DNSRecordType: a host address,%{p0}"); -var part113 = // "Pattern{Constant(' DNS_TTL: '), Field(fld7,false), Constant(','), Field(p0,false)}" -match("MESSAGE#38549:NGIPS_events_01/1_0", "nwparser.p0", " DNS_TTL: %{fld7},%{p0}"); +var part113 = match("MESSAGE#38549:NGIPS_events_01/1_0", "nwparser.p0", " DNS_TTL: %{fld7},%{p0}"); var select2467 = linear_select([ part113, dup59, ]); -var part114 = // "Pattern{Field(,false), Constant('DNSSICategory:'), Field(category,false)}" -match("MESSAGE#38549:NGIPS_events_01/2", "nwparser.p0", "%{}DNSSICategory:%{category}"); +var part114 = match("MESSAGE#38549:NGIPS_events_01/2", "nwparser.p0", "%{}DNSSICategory:%{category}"); var all87 = all_match({ processors: [ @@ -133327,194 +133112,131 @@ var chain1 = processor_chain([ }), ]); -var hdr35 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr35 = match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var part116 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); +var part116 = match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); -var part117 = // "Pattern{Field(hfld10,true), Constant(' [Impact: '), Field(p0,false)}" -match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); +var part117 = match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); -var part118 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part118 = match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var part119 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); +var part119 = match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); -var part120 = // "Pattern{Field(hfld10,true), Constant(' [Classification: '), Field(p0,false)}" -match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); +var part120 = match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); -var part121 = // "Pattern{Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); +var part121 = match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); -var part122 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" ['), Field(p0,false)}" -match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); +var part122 = match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); -var part123 = // "Pattern{Field(hfld10,true), Constant(' ['), Field(p0,false)}" -match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); +var part123 = match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); -var part124 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); +var part124 = match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); -var hdr36 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr36 = match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var part125 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" -match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); +var part125 = match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); -var hdr37 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); +var hdr37 = match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); -var part126 = // "Pattern{Constant('at'), Field(p0,false)}" -match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); +var part126 = match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); -var part127 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); +var part127 = match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); -var part128 = // "Pattern{Constant('['), Field(hpid,false), Constant(']: ['), Field(p0,false)}" -match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); +var part128 = match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); -var part129 = // "Pattern{Constant(': ['), Field(p0,false)}" -match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); +var part129 = match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); -var part130 = // "Pattern{Constant(']'), Field(hversion,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hevent_source,true), Constant(' '), Field(payload,false)}" -match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); +var part130 = match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); -var hdr38 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" -match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); +var hdr38 = match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); -var part131 = // "Pattern{Field(threat_val,true), Constant(' ]:alert {'), Field(p0,false)}" -match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); +var part131 = match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); -var part132 = // "Pattern{Field(threat_val,true), Constant(' ]: '), Field(fld1,true), Constant(' {'), Field(p0,false)}" -match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); +var part132 = match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); -var part133 = // "Pattern{Field(threat_val,false), Constant(']: {'), Field(p0,false)}" -match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); +var part133 = match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); -var part134 = // "Pattern{Field(threat_val,true), Constant(' ] {'), Field(p0,false)}" -match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); +var part134 = match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); -var part135 = // "Pattern{Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); +var part135 = match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); -var part136 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(') -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); +var part136 = match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); -var part137 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); +var part137 = match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); -var part138 = // "Pattern{Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); +var part138 = match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); -var part139 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(location_dst,false), Constant(')')}" -match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); +var part139 = match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); -var part140 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false)}" -match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); +var part140 = match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); -var part141 = // "Pattern{Field(daddr,false)}" -match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); +var part141 = match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); -var part142 = // "Pattern{Field(context,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); +var part142 = match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); -var part143 = // "Pattern{Constant('<<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); +var part143 = match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); -var part144 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); +var part144 = match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); -var part145 = // "Pattern{Constant('{'), Field(protocol,false), Constant('} '), Field(p0,false)}" -match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); +var part145 = match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); -var part146 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" -match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); +var part146 = match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); -var part147 = // "Pattern{Constant(' <<'), Field(interface,false), Constant('> '), Field(p0,false)}" -match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); +var part147 = match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); -var part148 = // "Pattern{Constant(': '), Field(p0,false)}" -match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); +var part148 = match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); -var part149 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); +var part149 = match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); -var part150 = // "Pattern{Field(context,true), Constant(' <<'), Field(interface,false), Constant('> '), Field(protocol,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); +var part150 = match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); -var part151 = // "Pattern{Field(threat_val,true), Constant(' ]:alert '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); +var part151 = match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); -var part152 = // "Pattern{Field(threat_val,false), Constant(']: '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); +var part152 = match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); -var part153 = // "Pattern{Field(threat_val,true), Constant(' ] '), Field(p0,false)}" -match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); +var part153 = match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); -var part154 = // "Pattern{Constant(''), Field(p0,false)}" -match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); +var part154 = match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); -var part155 = // "Pattern{Constant(':alert '), Field(p0,false)}" -match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); +var part155 = match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); -var part156 = // "Pattern{Constant(''), Field(saddr,true), Constant(' -> '), Field(p0,false)}" -match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); +var part156 = match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); -var part157 = // "Pattern{Constant(''), Field(daddr,false)}" -match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); +var part157 = match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); -var part158 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' MAC: '), Field(smacaddr,true), Constant(' TTL '), Field(p0,false)}" -match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); +var part158 = match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); -var part159 = // "Pattern{Field(sinterface,true), Constant(' ('), Field(protocol,true), Constant(' detected)')}" -match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); +var part159 = match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); -var part160 = // "Pattern{Field(sinterface,false)}" -match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); +var part160 = match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); -var part161 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> '), Field(p0,false)}" -match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); +var part161 = match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); -var part162 = // "Pattern{Field(protocol,false)}" -match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); +var part162 = match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); -var part163 = // "Pattern{Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); +var part163 = match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); -var part164 = // "Pattern{Constant('>'), Field(p0,false)}" -match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); +var part164 = match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); -var part165 = // "Pattern{Field(fld1,false), Constant(']['), Field(policyname,false), Constant('] Connection Type: '), Field(event_state,false), Constant(', User: '), Field(username,false), Constant(', Client: '), Field(application,false), Constant(', Application Protocol: '), Field(protocol,false), Constant(', Web App: '), Field(application,false), Constant(', Access Control Rule Name: '), Field(rulename,false), Constant(', Access Control Rule Action: '), Field(action,false), Constant(', Access Control Rule Reasons: '), Field(result,false), Constant(', URL Category: '), Field(category,false), Constant(', URL Reputation: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); +var part165 = match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); -var part166 = // "Pattern{Constant('Risk unknown, URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); +var part166 = match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); -var part167 = // "Pattern{Field(reputation_num,false), Constant(', URL: '), Field(p0,false)}" -match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); +var part167 = match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); -var part168 = // "Pattern{Constant('-*> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); +var part168 = match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); -var part169 = // "Pattern{Constant('> '), Field(p0,false)}" -match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); +var part169 = match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); -var part170 = // "Pattern{Constant('From "'), Field(sensor,false), Constant('" at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); +var part170 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); -var part171 = // "Pattern{Constant('at '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); +var part171 = match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); -var part172 = // "Pattern{Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" -match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); +var part172 = match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); -var part173 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' '), Field(network_service,false)}" -match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); +var part173 = match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); -var part174 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" -match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); +var part174 = match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); var select2469 = linear_select([ dup3, @@ -133531,8 +133253,7 @@ var select2471 = linear_select([ dup10, ]); -var hdr39 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ +var hdr39 = match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ dup19, ])); @@ -133604,8 +133325,7 @@ var select2483 = linear_select([ dup132, ]); -var part175 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(version,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ +var part175 = match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ dup127, dup31, dup32, @@ -133613,8 +133333,7 @@ match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} Fr dup129, ])); -var part176 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" -match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ +var part176 = match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ dup135, dup31, dup32, @@ -133627,8 +133346,7 @@ var select2484 = linear_select([ dup134, ]); -var part177 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' '), Field(product,false)}" -match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ +var part177 = match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ dup135, dup31, dup32, @@ -133636,8 +133354,7 @@ match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} dup129, ])); -var part178 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" -match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ +var part178 = match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ dup135, dup31, dup32, @@ -133645,8 +133362,7 @@ match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \" dup129, ])); -var part179 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,false)}" -match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ +var part179 = match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ dup135, dup31, dup32, diff --git a/x-pack/filebeat/module/sophos/utm/config/pipeline.js b/x-pack/filebeat/module/sophos/utm/config/pipeline.js index 8b482480f25..47802f0ee26 100644 --- a/x-pack/filebeat/module/sophos/utm/config/pipeline.js +++ b/x-pack/filebeat/module/sophos/utm/config/pipeline.js @@ -105,8 +105,7 @@ var dup17 = setc("eventcategory","1702000000"); var dup18 = setc("comments","server certificate has a different hostname from actual hostname"); -var dup19 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); +var dup19 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); var dup20 = setc("eventcategory","1603060000"); @@ -170,35 +169,29 @@ var dup46 = lookup({ key: dup15, }); -var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#0:0001", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0001"), ])); -var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0002"), ])); -var hdr3 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' reverseproxy: '), Field(payload,false)}" -match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ setc("header_id","0003"), setc("messageid","reverseproxy"), ])); -var hdr4 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' '), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ setc("header_id","0005"), ])); -var hdr5 = // "Pattern{Field(hfld1,true), Constant(' '), Field(id,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" -match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ setc("header_id","0004"), setc("messageid","astarosg_TVM"), ])); -var hdr6 = // "Pattern{Constant('device="'), Field(product,false), Constant('" date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' timezone="'), Field(timezone,false), Constant('" device_name="'), Field(device,false), Constant('" device_id='), Field(hardware_id,true), Constant(' log_id='), Field(id,true), Constant(' '), Field(payload,false)}" -match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ setc("header_id","0006"), setc("messageid","Sophos_Firewall"), ])); @@ -212,8 +205,7 @@ var select1 = linear_select([ hdr6, ]); -var part1 = // "Pattern{Constant('received control channel command ''), Field(action,false), Constant(''')}" -match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ +var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ dup1, dup2, dup3, @@ -221,8 +213,7 @@ match("MESSAGE#0:named:01", "nwparser.payload", "received control channel comman var msg1 = msg("named:01", part1); -var part2 = // "Pattern{Constant('flushing caches in all views '), Field(disposition,false)}" -match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ +var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ dup1, dup2, dup3, @@ -230,8 +221,7 @@ match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{ var msg2 = msg("named:02", part2); -var part3 = // "Pattern{Constant('error ('), Field(result,false), Constant(') resolving ''), Field(dhost,false), Constant('': '), Field(daddr,false), Constant('#'), Field(dport,false)}" -match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ +var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ dup4, dup2, dup3, @@ -239,8 +229,7 @@ match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{ var msg3 = msg("named:03", part3); -var part4 = // "Pattern{Constant('received '), Field(action,true), Constant(' signal to '), Field(fld3,false)}" -match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to %{fld3}", processor_chain([ +var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to %{fld3}", processor_chain([ dup5, dup2, dup3, @@ -248,8 +237,7 @@ match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to var msg4 = msg("named:04", part4); -var part5 = // "Pattern{Constant('loading configuration from ''), Field(filename,false), Constant(''')}" -match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ +var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ dup6, dup2, dup3, @@ -257,8 +245,7 @@ match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{f var msg5 = msg("named:05", part5); -var part6 = // "Pattern{Constant('no '), Field(protocol,true), Constant(' interfaces found')}" -match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ +var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ setc("eventcategory","1804000000"), dup2, dup3, @@ -266,8 +253,7 @@ match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces fou var msg6 = msg("named:06", part6); -var part7 = // "Pattern{Constant('sizing zone task pool based on '), Field(fld3,true), Constant(' zones')}" -match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ +var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ dup7, dup2, dup3, @@ -275,8 +261,7 @@ match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on var msg7 = msg("named:07", part7); -var part8 = // "Pattern{Constant('automatic empty zone: view '), Field(fld3,false), Constant(': '), Field(dns_ptr_record,false)}" -match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ +var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ dup8, dup2, dup3, @@ -284,8 +269,7 @@ match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fl var msg8 = msg("named:08", part8); -var part9 = // "Pattern{Constant('reloading '), Field(obj_type,true), Constant(' '), Field(disposition,false)}" -match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ +var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ dup7, dup2, dup3, @@ -294,8 +278,7 @@ match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{dispo var msg9 = msg("named:09", part9); -var part10 = // "Pattern{Constant('zone '), Field(dhost,false), Constant('/'), Field(fld3,false), Constant(': loaded serial '), Field(operation_id,false)}" -match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ +var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ dup7, dup9, dup2, @@ -304,8 +287,7 @@ match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded s var msg10 = msg("named:10", part10); -var part11 = // "Pattern{Constant('all zones loaded'), Field(,false)}" -match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ +var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ dup7, dup9, dup2, @@ -315,8 +297,7 @@ match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processo var msg11 = msg("named:11", part11); -var part12 = // "Pattern{Constant('running'), Field(,false)}" -match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ +var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ dup7, setc("disposition","running"), dup2, @@ -326,8 +307,7 @@ match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ var msg12 = msg("named:12", part12); -var part13 = // "Pattern{Constant('using built-in root key for view '), Field(fld3,false)}" -match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ +var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ dup7, setc("context","built-in root key"), dup2, @@ -336,8 +316,7 @@ match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for vi var msg13 = msg("named:13", part13); -var part14 = // "Pattern{Constant('zone '), Field(dns_ptr_record,false), Constant('/'), Field(fld3,false), Constant(': ('), Field(username,false), Constant(') '), Field(action,false)}" -match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ +var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ dup8, dup2, dup3, @@ -345,8 +324,7 @@ match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3} var msg14 = msg("named:14", part14); -var part15 = // "Pattern{Constant('too many timeouts resolving ''), Field(fld3,false), Constant('' ('), Field(fld4,false), Constant('): disabling EDNS')}" -match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ +var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ dup10, setc("event_description","named:too many timeouts resolving DNS."), dup11, @@ -355,8 +333,7 @@ match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '% var msg15 = msg("named:15", part15); -var part16 = // "Pattern{Constant('FORMERR resolving ''), Field(hostname,false), Constant('': '), Field(saddr,false), Constant('#'), Field(fld3,false)}" -match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ +var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ dup10, setc("event_description","named:FORMERR resolving DNS."), dup11, @@ -365,8 +342,7 @@ match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname} var msg16 = msg("named:16", part16); -var part17 = // "Pattern{Constant('unexpected RCODE (SERVFAIL) resolving ''), Field(hostname,false), Constant('': '), Field(saddr,false), Constant('#'), Field(fld3,false)}" -match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ +var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ dup10, setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), dup11, @@ -395,8 +371,7 @@ var select2 = linear_select([ msg17, ]); -var part18 = // "Pattern{Constant('Integrated HTTP-Proxy '), Field(version,false)}" -match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ +var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ dup12, setc("event_description","httpproxy:Integrated HTTP-Proxy."), dup11, @@ -405,8 +380,7 @@ match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{ve var msg18 = msg("httpproxy:09", part18); -var part19 = // "Pattern{Constant('['), Field(fld2,false), Constant('] parse_address ('), Field(fld3,false), Constant(') getaddrinfo: passthrough.fw-notify.net: Name or service not known')}" -match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ +var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ dup10, setc("event_description","httpproxy:Name or service not known."), dup11, @@ -415,8 +389,7 @@ match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (% var msg19 = msg("httpproxy:10", part19); -var part20 = // "Pattern{Constant('['), Field(fld2,false), Constant('] confd_config_filter ('), Field(fld3,false), Constant(') failed to resolve passthrough.fw-notify.net, using '), Field(saddr,false)}" -match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ +var part20 = match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ dup10, setc("event_description","httpproxy:failed to resolve passthrough."), dup11, @@ -425,8 +398,7 @@ match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_fil var msg20 = msg("httpproxy:11", part20); -var part21 = // "Pattern{Constant('['), Field(fld2,false), Constant('] ssl_log_errors ('), Field(fld3,false), Constant(') '), Field(fld4,false), Constant('ssl handshake failure'), Field(fld5,false)}" -match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ +var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ dup10, setc("event_description","httpproxy:ssl handshake failure."), dup11, @@ -435,8 +407,7 @@ match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors ( var msg21 = msg("httpproxy:12", part21); -var part22 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_decrypt ('), Field(fld3,false), Constant(') EVP_DecryptFinal failed')}" -match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ +var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ dup10, setc("event_description","httpproxy:EVP_DecryptFinal failed."), dup11, @@ -445,8 +416,7 @@ match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fl var msg22 = msg("httpproxy:13", part22); -var part23 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_server_cmd ('), Field(fld3,false), Constant(') decrypt failed')}" -match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ +var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ dup10, setc("event_description","httpproxy:decrypt failed."), dup11, @@ -455,8 +425,7 @@ match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (% var msg23 = msg("httpproxy:14", part23); -var part24 = // "Pattern{Constant('['), Field(fld2,false), Constant('] clamav_reload ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ +var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:reloading av pattern"), dup11, @@ -465,8 +434,7 @@ match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (% var msg24 = msg("httpproxy:15", part24); -var part25 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_check_servers ('), Field(fld3,false), Constant(') server ''), Field(hostname,false), Constant('' access time: '), Field(fld4,false)}" -match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ +var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ dup12, setc("event_description","httpproxy:sc_check_servers.Server checked."), dup11, @@ -475,8 +443,7 @@ match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers var msg25 = msg("httpproxy:16", part25); -var part26 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') shutdown finished, exiting')}" -match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ +var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ dup12, setc("event_description","httpproxy:shutdown finished, exiting."), dup11, @@ -485,8 +452,7 @@ match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) s var msg26 = msg("httpproxy:17", part26); -var part27 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') reading configuration')}" -match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ +var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ dup12, setc("event_description","httpproxy:"), dup11, @@ -495,8 +461,7 @@ match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) r var msg27 = msg("httpproxy:18", part27); -var part28 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') reading profiles')}" -match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ +var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ dup12, setc("event_description","httpproxy:reading profiles"), dup11, @@ -505,8 +470,7 @@ match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) r var msg28 = msg("httpproxy:19", part28); -var part29 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') finished startup')}" -match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ +var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ dup12, setc("event_description","httpproxy:finished startup"), dup11, @@ -515,8 +479,7 @@ match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) f var msg29 = msg("httpproxy:20", part29); -var part30 = // "Pattern{Constant('['), Field(fld2,false), Constant('] read_request_headers ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ +var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:read_request_headers related message."), dup11, @@ -525,8 +488,7 @@ match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_hea var msg30 = msg("httpproxy:21", part30); -var part31 = // "Pattern{Constant('['), Field(fld2,false), Constant('] epoll_loop ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ +var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:epoll_loop related message."), dup11, @@ -535,8 +497,7 @@ match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fl var msg31 = msg("httpproxy:22", part31); -var part32 = // "Pattern{Constant('['), Field(fld2,false), Constant('] scan_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ +var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:scan_exit related message."), dup11, @@ -545,8 +506,7 @@ match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld var msg32 = msg("httpproxy:23", part32); -var part33 = // "Pattern{Constant('['), Field(fld2,false), Constant('] epoll_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ +var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:epoll_exit related message."), dup11, @@ -555,8 +515,7 @@ match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fl var msg33 = msg("httpproxy:24", part33); -var part34 = // "Pattern{Constant('['), Field(fld2,false), Constant('] disk_cache_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ +var part34 = match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:disk_cache_exit related message."), dup11, @@ -565,8 +524,7 @@ match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit var msg34 = msg("httpproxy:25", part34); -var part35 = // "Pattern{Constant('['), Field(fld2,false), Constant('] disk_cache_zap ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ +var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:disk_cache_zap related message."), dup11, @@ -575,8 +533,7 @@ match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap ( var msg35 = msg("httpproxy:26", part35); -var part36 = // "Pattern{Constant('['), Field(fld2,false), Constant('] scanner_init ('), Field(fld3,false), Constant(') '), Field(info,false)}" -match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ +var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ dup12, setc("event_description","httpproxy:scanner_init related message."), dup11, @@ -663,8 +620,7 @@ var select3 = linear_select([ msg37, ]); -var part38 = // "Pattern{Constant('T='), Field(fld3,true), Constant(' ------ 1 - [exit] '), Field(action,false), Constant(': '), Field(disposition,false)}" -match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ +var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ dup16, dup2, dup3, @@ -711,8 +667,7 @@ var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { var msg39 = msg("ulogd:01", part39); -var part40 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity for Apache/'), Field(fld5,true), Constant(' ('), Field(fld6,false), Constant(') configured.')}" -match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ +var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ dup6, setc("disposition","configured"), dup2, @@ -721,8 +676,7 @@ match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log} var msg40 = msg("reverseproxy:01", part40); -var part41 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity: '), Field(fld5,true), Constant(' compiled version="'), Field(fld6,false), Constant('"; loaded version="'), Field(fld7,false), Constant('"')}" -match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ +var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ dup17, dup2, dup3, @@ -730,8 +684,7 @@ match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log} var msg41 = msg("reverseproxy:02", part41); -var part42 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity: '), Field(fld5,true), Constant(' compiled version="'), Field(fld6,false), Constant('"')}" -match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ +var part42 = match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ dup17, dup2, dup3, @@ -739,8 +692,7 @@ match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log} var msg42 = msg("reverseproxy:03", part42); -var part43 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] '), Field(fld5,true), Constant(' configured -- '), Field(disposition,true), Constant(' normal operations')}" -match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ +var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ dup17, setc("event_id","AH00292"), dup2, @@ -749,8 +701,7 @@ match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log} var msg43 = msg("reverseproxy:04", part43); -var part44 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ['), Field(fld5,false), Constant('] Hostname in '), Field(network_service,true), Constant(' request ('), Field(fld6,false), Constant(') does not match the server name ('), Field(ddomain,false), Constant(')')}" -match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ +var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ setc("eventcategory","1805010000"), dup18, dup2, @@ -759,15 +710,13 @@ match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log} var msg44 = msg("reverseproxy:06", part44); -var part45 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00297: '), Field(action,true), Constant(' received. Doing'), Field(p0,false)}" -match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. Doing%{p0}"); +var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. Doing%{p0}"); var select4 = linear_select([ dup19, ]); -var part46 = // "Pattern{Field(,false), Constant('graceful '), Field(disposition,false)}" -match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); +var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); var all1 = all_match({ processors: [ @@ -785,8 +734,7 @@ var all1 = all_match({ var msg45 = msg("reverseproxy:07", all1); -var part47 = // "Pattern{Constant('AH00112: Warning: DocumentRoot ['), Field(web_root,false), Constant('] does not exist')}" -match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ +var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ dup4, setc("event_id","AH00112"), dup2, @@ -795,8 +743,7 @@ match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: Docum var msg46 = msg("reverseproxy:08", part47); -var part48 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00094: Command line: ''), Field(web_root,false), Constant(''')}" -match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ +var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ setc("eventcategory","1605010000"), setc("event_id","AH00094"), dup2, @@ -805,8 +752,7 @@ match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log} var msg47 = msg("reverseproxy:09", part48); -var part49 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00291: long lost child came home! (pid '), Field(fld5,false), Constant(')')}" -match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! (pid %{fld5})", processor_chain([ +var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! (pid %{fld5})", processor_chain([ dup12, setc("event_id","AH00291"), dup2, @@ -815,8 +761,7 @@ match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log} var msg48 = msg("reverseproxy:10", part49); -var part50 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH02572: Failed to configure at least one certificate and key for '), Field(fld5,false), Constant(':'), Field(fld6,false)}" -match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ +var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ dup20, setc("event_id","AH02572"), dup2, @@ -825,8 +770,7 @@ match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log} var msg49 = msg("reverseproxy:11", part50); -var part51 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] SSL Library Error: error:'), Field(resultcode,false), Constant(':'), Field(result,false)}" -match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ +var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ dup20, setc("context","SSL Library Error"), dup2, @@ -835,8 +779,7 @@ match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log} var msg50 = msg("reverseproxy:12", part51); -var part52 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH02312: Fatal error initialising mod_ssl, '), Field(disposition,false), Constant('.')}" -match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ +var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ dup20, setc("result","Fatal error"), setc("event_id","AH02312"), @@ -846,8 +789,7 @@ match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log} var msg51 = msg("reverseproxy:13", part52); -var part53 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00020: Configuration Failed, '), Field(disposition,false)}" -match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ +var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ dup20, setc("result","Configuration Failed"), setc("event_id","AH00020"), @@ -857,8 +799,7 @@ match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log} var msg52 = msg("reverseproxy:14", part53); -var part54 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00098: pid file '), Field(filename,true), Constant(' overwritten -- Unclean shutdown of previous Apache run?')}" -match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ +var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ setc("eventcategory","1609000000"), setc("context","Unclean shutdown"), setc("event_id","AH00098"), @@ -868,8 +809,7 @@ match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log} var msg53 = msg("reverseproxy:15", part54); -var part55 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00295: caught '), Field(action,false), Constant(', '), Field(disposition,false)}" -match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ +var part55 = match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ dup16, setc("event_id","AH00295"), dup2, @@ -878,19 +818,16 @@ match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log} var msg54 = msg("reverseproxy:16", part55); -var part56 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(result,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); +var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); -var part57 = // "Pattern{Constant(' [rev "'), Field(fld6,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); +var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); var select5 = linear_select([ part57, dup19, ]); -var part58 = // "Pattern{Field(,false), Constant('[msg "'), Field(comments,false), Constant('"] [data "'), Field(daddr,false), Constant('"] [severity "'), Field(severity,false), Constant('"] [ver "'), Field(policyname,false), Constant('"] [maturity "'), Field(fld7,false), Constant('"] [accuracy "'), Field(fld8,false), Constant('"] '), Field(context,true), Constant(' [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); +var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); var all2 = all_match({ processors: [ @@ -907,8 +844,7 @@ var all2 = all_match({ var msg55 = msg("reverseproxy:17", all2); -var part59 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] No signature found, cookie: '), Field(fld5,false)}" -match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ +var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ dup4, dup22, dup2, @@ -917,8 +853,7 @@ match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log} var msg56 = msg("reverseproxy:18", part59); -var part60 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] '), Field(disposition,true), Constant(' ''), Field(fld5,false), Constant('' from request due to missing/invalid signature')}" -match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ +var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ dup23, dup22, dup2, @@ -927,8 +862,7 @@ match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log} var msg57 = msg("reverseproxy:19", part60); -var part61 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"] [msg "'), Field(comments,false), Constant('"] [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -936,8 +870,7 @@ match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log} var msg58 = msg("reverseproxy:20", part61); -var part62 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH01909: '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(':'), Field(fld5,true), Constant(' server certificate does NOT include an ID which matches the server name')}" -match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ +var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ dup20, dup18, setc("event_id","AH01909"), @@ -947,8 +880,7 @@ match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log} var msg59 = msg("reverseproxy:21", part62); -var part63 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH01915: Init: ('), Field(daddr,false), Constant(':'), Field(dport,false), Constant(') You configured '), Field(network_service,false), Constant('('), Field(fld5,false), Constant(') on the '), Field(fld6,false), Constant('('), Field(fld7,false), Constant(') port!')}" -match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ +var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ dup20, setc("comments","Invalid port configuration"), dup2, @@ -957,8 +889,7 @@ match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log} var msg60 = msg("reverseproxy:22", part63); -var part64 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Rule '), Field(rulename,true), Constant(' [id "'), Field(rule,false), Constant('"][file "'), Field(filename,false), Constant('"][line "'), Field(fld5,false), Constant('"] - Execution error - PCRE limits exceeded ('), Field(fld6,false), Constant('): ('), Field(fld7,false), Constant('). [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%{filename}\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%{filename}\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -966,8 +897,7 @@ match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log} var msg61 = msg("reverseproxy:23", part64); -var part65 = // "Pattern{Constant('rManage\\x22,\\x22manageLiveSystemSettings\\x22,\\x22accessViewJobs\\x22,\\x22exportList\\..."] [ver "'), Field(policyname,false), Constant('"] [maturity "'), Field(fld3,false), Constant('"] [accuracy "'), Field(fld4,false), Constant('"] '), Field(context,true), Constant(' [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -975,8 +905,7 @@ match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22m var msg62 = msg("reverseproxy:24", part65); -var part66 = // "Pattern{Constant('ARGS:userPermissions: [\\x22dashletAccessAlertingRecentAlertsPanel\\x22,\\x22dashletAccessAlerterTopAlertsDashlet\\x22,\\x22accessViewRules\\x22,\\x22deployLiveResources\\x22,\\x22vi..."] [severity [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ +var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ dup21, dup2, dup3, @@ -984,33 +913,27 @@ match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [ var msg63 = msg("reverseproxy:25", part66); -var part67 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: '), Field(disposition,true), Constant(' with code '), Field(resultcode,true), Constant(' ('), Field(fld5,false), Constant('). '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld6,false), Constant('"] [id "'), Field(rule,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). %{rulename->} [file \"%{filename}\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); +var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). %{rulename->} [file \"%{filename}\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); -var part68 = // "Pattern{Constant(' [rev "'), Field(fld7,false), Constant('"]'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); +var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); var select6 = linear_select([ part68, dup19, ]); -var part69 = // "Pattern{Field(,false), Constant('[msg "'), Field(comments,false), Constant('"] [data "Last Matched Data: '), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); +var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); -var part70 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false), Constant('"] [hostname "'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); +var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); -var part71 = // "Pattern{Field(daddr,false), Constant('"] [hostname "'), Field(p0,false)}" -match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); +var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); var select7 = linear_select([ part70, part71, ]); -var part72 = // "Pattern{Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" -match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); +var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); var all3 = all_match({ processors: [ @@ -1029,8 +952,7 @@ var all3 = all_match({ var msg64 = msg("reverseproxy:26", all3); -var part73 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] '), Field(disposition,true), Constant(' while reading reply from cssd, referer: '), Field(web_referer,false)}" -match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ +var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ dup25, dup2, dup3, @@ -1038,8 +960,7 @@ match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log} var msg65 = msg("reverseproxy:27", part73); -var part74 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon error found in request '), Field(web_root,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ +var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ dup26, setc("result","virus daemon error"), dup2, @@ -1048,8 +969,7 @@ match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log} var msg66 = msg("reverseproxy:28", part74); -var part75 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] mod_avscan_input_filter: virus found, referer: '), Field(web_referer,false)}" -match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ +var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ dup27, setc("result","virus found"), dup2, @@ -1058,8 +978,7 @@ match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log} var msg67 = msg("reverseproxy:29", part75); -var part76 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (13)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] AH01095: prefetch request body failed to '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld5,false), Constant(') from '), Field(fld6,true), Constant(' (), referer: '), Field(web_referer,false)}" -match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ +var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ dup24, dup28, dup2, @@ -1068,8 +987,7 @@ match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log} var msg68 = msg("reverseproxy:30", part76); -var part77 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot read reply: Operation now in progress (115), referer: '), Field(web_referer,false)}" -match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ +var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ dup25, setc("result","Cannot read reply"), dup2, @@ -1078,8 +996,7 @@ match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log} var msg69 = msg("reverseproxy:31", part77); -var part78 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot connect: '), Field(result,true), Constant(' (111), referer: '), Field(web_referer,false)}" -match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ +var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ dup25, dup2, dup3, @@ -1087,8 +1004,7 @@ match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log} var msg70 = msg("reverseproxy:32", part78); -var part79 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot connect: '), Field(result,true), Constant(' (111)')}" -match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ +var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ dup25, dup2, dup3, @@ -1096,8 +1012,7 @@ match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log} var msg71 = msg("reverseproxy:33", part79); -var part80 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon connection problem found in request '), Field(url,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ +var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ dup26, dup29, dup2, @@ -1106,8 +1021,7 @@ match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log} var msg72 = msg("reverseproxy:34", part80); -var part81 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon connection problem found in request '), Field(url,false)}" -match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ +var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ dup26, dup29, dup2, @@ -1116,8 +1030,7 @@ match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log} var msg73 = msg("reverseproxy:35", part81); -var part82 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] mod_avscan_input_filter: virus found')}" -match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ +var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ dup27, setc("result","Virus found"), dup2, @@ -1126,8 +1039,7 @@ match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log} var msg74 = msg("reverseproxy:36", part82); -var part83 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (13)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] AH01095: prefetch request body failed to '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld5,false), Constant(') from '), Field(fld6,true), Constant(' ()')}" -match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ +var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ dup24, dup28, dup2, @@ -1136,8 +1048,7 @@ match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log} var msg75 = msg("reverseproxy:37", part83); -var part84 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] Invalid signature, cookie: JSESSIONID')}" -match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ +var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ dup25, dup2, dup3, @@ -1145,8 +1056,7 @@ match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log} var msg76 = msg("reverseproxy:38", part84); -var part85 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] Form validation failed: Received unhardened form data, referer: '), Field(web_referer,false)}" -match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ +var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ dup23, setc("result","Form validation failed"), dup2, @@ -1155,8 +1065,7 @@ match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log} var msg77 = msg("reverseproxy:39", part85); -var part86 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] sending trickle failed: 103')}" -match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ +var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ dup25, setc("result","Sending trickle failed"), dup2, @@ -1165,8 +1074,7 @@ match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log} var msg78 = msg("reverseproxy:40", part86); -var part87 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] client requesting '), Field(web_root,true), Constant(' has '), Field(disposition,false)}" -match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ +var part87 = match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ dup30, dup2, dup3, @@ -1174,8 +1082,7 @@ match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log} var msg79 = msg("reverseproxy:41", part87); -var part88 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] mod_avscan_check_file_single_part() called with parameter filename='), Field(filename,false)}" -match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%{filename}", processor_chain([ +var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%{filename}", processor_chain([ setc("eventcategory","1603050000"), dup2, dup3, @@ -1183,8 +1090,7 @@ match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log} var msg80 = msg("reverseproxy:42", part88); -var part89 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (70007)The '), Field(disposition,true), Constant(' specified has expired: [client '), Field(gateway,false), Constant('] AH01110: error reading response')}" -match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ +var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ dup30, setc("event_id","AH01110"), setc("result","Error reading response"), @@ -1194,8 +1100,7 @@ match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log} var msg81 = msg("reverseproxy:43", part89); -var part90 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (22)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] No form context found when parsing '), Field(fld5,true), Constant(' tag, referer: '), Field(web_referer,false)}" -match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ +var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ setc("eventcategory","1601020000"), setc("result","No form context found"), dup2, @@ -1204,8 +1109,7 @@ match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log} var msg82 = msg("reverseproxy:44", part90); -var part91 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (111)'), Field(result,false), Constant(': AH00957: '), Field(network_service,false), Constant(': attempt to connect to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld5,false), Constant(') failed')}" -match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ +var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ dup25, setc("event_id","AH00957"), dup2, @@ -1214,8 +1118,7 @@ match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log} var msg83 = msg("reverseproxy:45", part91); -var part92 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00959: ap_proxy_connect_backend disabling worker for ('), Field(daddr,false), Constant(') for '), Field(processing_time,false), Constant('s')}" -match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ +var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ dup16, setc("event_id","AH00959"), setc("result","disabling worker"), @@ -1225,8 +1128,7 @@ match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log} var msg84 = msg("reverseproxy:46", part92); -var part93 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] not all the file sent to the client: '), Field(fld6,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ +var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ setc("eventcategory","1801000000"), setc("context","Not all file sent to client"), dup2, @@ -1235,8 +1137,7 @@ match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log} var msg85 = msg("reverseproxy:47", part93); -var part94 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] AH01114: '), Field(network_service,false), Constant(': failed to make connection to backend: '), Field(daddr,false), Constant(', referer: '), Field(web_referer,false)}" -match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ +var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ dup25, dup31, dup32, @@ -1246,8 +1147,7 @@ match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log} var msg86 = msg("reverseproxy:48", part94); -var part95 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] AH01114: '), Field(network_service,false), Constant(': failed to make connection to backend: '), Field(daddr,false)}" -match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ +var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ dup25, dup31, dup32, @@ -1376,8 +1276,7 @@ var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { var msg90 = msg("confd:01", part98); -var part99 = // "Pattern{Constant('Frox started'), Field(,false)}" -match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ +var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ dup12, setc("event_description","frox:FTP Proxy Frox started."), dup11, @@ -1386,8 +1285,7 @@ match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain( var msg91 = msg("frox", part99); -var part100 = // "Pattern{Constant('Listening on '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ +var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ dup12, setc("event_description","frox:FTP Proxy listening on port."), dup11, @@ -1396,8 +1294,7 @@ match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}" var msg92 = msg("frox:01", part100); -var part101 = // "Pattern{Constant('Dropped privileges'), Field(,false)}" -match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ +var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ dup12, setc("event_description","frox:FTP Proxy dropped priveleges."), dup11, @@ -1412,8 +1309,7 @@ var select9 = linear_select([ msg93, ]); -var part102 = // "Pattern{Constant('Classifier configuration reloaded successfully'), Field(,false)}" -match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ +var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ dup12, setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), dup11, @@ -1422,8 +1318,7 @@ match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded var msg94 = msg("afcd", part102); -var part103 = // "Pattern{Constant('Starting strongSwan '), Field(fld2,true), Constant(' IPsec [starter]...')}" -match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ +var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ dup12, setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), dup11, @@ -1432,8 +1327,7 @@ match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld var msg95 = msg("ipsec_starter", part103); -var part104 = // "Pattern{Constant('IP address or index of physical interface changed -> reinit of ipsec interface'), Field(,false)}" -match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ +var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ dup12, setc("event_description","ipsec_starter: IP address or index of physical interface changed."), dup11, @@ -1447,8 +1341,7 @@ var select10 = linear_select([ msg96, ]); -var part105 = // "Pattern{Constant('Starting Pluto ('), Field(info,false), Constant(')')}" -match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ +var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ dup12, setc("event_description","pluto: Starting Pluto."), dup11, @@ -1457,8 +1350,7 @@ match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", proces var msg97 = msg("pluto", part105); -var part106 = // "Pattern{Constant('including NAT-Traversal patch ('), Field(info,false), Constant(')')}" -match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ +var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ dup12, setc("event_description","pluto: including NAT-Traversal patch."), dup11, @@ -1467,8 +1359,7 @@ match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch var msg98 = msg("pluto:01", part106); -var part107 = // "Pattern{Constant('ike_alg: Activating '), Field(info,true), Constant(' encryption: Ok')}" -match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ +var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ dup33, setc("event_description","pluto: Activating encryption algorithm."), dup11, @@ -1477,8 +1368,7 @@ match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} var msg99 = msg("pluto:02", part107); -var part108 = // "Pattern{Constant('ike_alg: Activating '), Field(info,true), Constant(' hash: Ok')}" -match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ +var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ dup33, setc("event_description","pluto: Activating hash algorithm."), dup11, @@ -1487,8 +1377,7 @@ match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} var msg100 = msg("pluto:03", part108); -var part109 = // "Pattern{Constant('Testing registered IKE encryption algorithms:'), Field(,false)}" -match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ +var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ dup12, setc("event_description","pluto: Testing registered IKE encryption algorithms"), dup11, @@ -1497,8 +1386,7 @@ match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryp var msg101 = msg("pluto:04", part109); -var part110 = // "Pattern{Field(info,true), Constant(' self-test not available')}" -match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ +var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ dup12, setc("event_description","pluto: Algorithm self-test not available."), dup11, @@ -1507,8 +1395,7 @@ match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not avail var msg102 = msg("pluto:05", part110); -var part111 = // "Pattern{Field(info,true), Constant(' self-test passed')}" -match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ +var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ dup12, setc("event_description","pluto: Algorithm self-test passed."), dup11, @@ -1517,8 +1404,7 @@ match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", var msg103 = msg("pluto:06", part111); -var part112 = // "Pattern{Constant('Using KLIPS IPsec interface code'), Field(,false)}" -match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ +var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ dup12, setc("event_description","pluto: Using KLIPS IPsec interface code"), dup11, @@ -1527,8 +1413,7 @@ match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface c var msg104 = msg("pluto:07", part112); -var part113 = // "Pattern{Constant('adding interface '), Field(interface,true), Constant(' '), Field(saddr,false), Constant(':'), Field(sport,false)}" -match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ +var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ dup12, setc("event_description","pluto: adding interface"), dup11, @@ -1537,8 +1422,7 @@ match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface- var msg105 = msg("pluto:08", part113); -var part114 = // "Pattern{Constant('loading secrets from "'), Field(filename,false), Constant('"')}" -match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{filename}\"", processor_chain([ +var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{filename}\"", processor_chain([ dup34, setc("event_description","pluto: loading secrets"), dup11, @@ -1547,8 +1431,7 @@ match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{file var msg106 = msg("pluto:09", part114); -var part115 = // "Pattern{Constant('loaded private key file ''), Field(filename,false), Constant('' ('), Field(filename_size,true), Constant(' bytes)')}" -match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{filename}' (%{filename_size->} bytes)", processor_chain([ +var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{filename}' (%{filename_size->} bytes)", processor_chain([ dup34, setc("event_description","pluto: loaded private key file"), dup11, @@ -1557,8 +1440,7 @@ match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{fi var msg107 = msg("pluto:10", part115); -var part116 = // "Pattern{Constant('added connection description "'), Field(fld2,false), Constant('"')}" -match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ +var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ dup12, setc("event_description","pluto: added connection description"), dup11, @@ -1567,8 +1449,7 @@ match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description var msg108 = msg("pluto:11", part116); -var part117 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': initiating Main Mode')}" -match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ +var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ dup12, dup35, dup11, @@ -1577,8 +1458,7 @@ match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiat var msg109 = msg("pluto:12", part117); -var part118 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': max number of retransmissions ('), Field(fld4,false), Constant(') reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message')}" -match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ +var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ dup10, dup36, dup11, @@ -1587,8 +1467,7 @@ match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max num var msg110 = msg("pluto:13", part118); -var part119 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': starting keying attempt '), Field(fld4,true), Constant(' of an unlimited number')}" -match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ +var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ dup12, dup37, dup11, @@ -1597,8 +1476,7 @@ match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: startin var msg111 = msg("pluto:14", part119); -var part120 = // "Pattern{Constant('forgetting secrets'), Field(,false)}" -match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ +var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ dup12, setc("event_description","pluto:forgetting secrets"), dup11, @@ -1607,8 +1485,7 @@ match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", proce var msg112 = msg("pluto:15", part120); -var part121 = // "Pattern{Constant('Changing to directory ''), Field(directory,false), Constant(''')}" -match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ +var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ dup12, setc("event_description","pluto:Changing to directory"), dup11, @@ -1617,8 +1494,7 @@ match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{dire var msg113 = msg("pluto:17", part121); -var part122 = // "Pattern{Constant('| *time to handle event'), Field(,false)}" -match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ +var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ dup12, setc("event_description","pluto:*time to handle event"), dup11, @@ -1627,8 +1503,7 @@ match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", var msg114 = msg("pluto:18", part122); -var part123 = // "Pattern{Constant('| *received kernel message'), Field(,false)}" -match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ +var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ dup12, setc("event_description","pluto:*received kernel message"), dup11, @@ -1637,8 +1512,7 @@ match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{} var msg115 = msg("pluto:19", part123); -var part124 = // "Pattern{Constant('| rejected packet:'), Field(,false)}" -match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ +var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ dup25, setc("event_description","pluto:rejected packet"), dup11, @@ -1647,8 +1521,7 @@ match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", proce var msg116 = msg("pluto:20", part124); -var part125 = // "Pattern{Constant('| next event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds for #'), Field(fld3,false)}" -match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ +var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ dup12, dup11, dup2, @@ -1656,8 +1529,7 @@ match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} var msg117 = msg("pluto:21", part125); -var part126 = // "Pattern{Constant('| next event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds')}" -match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ +var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ dup12, dup11, dup2, @@ -1665,8 +1537,7 @@ match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} var msg118 = msg("pluto:22", part126); -var part127 = // "Pattern{Constant('| inserting event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds for #'), Field(fld3,false)}" -match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ +var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ dup12, dup11, dup2, @@ -1674,8 +1545,7 @@ match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_typ var msg119 = msg("pluto:23", part127); -var part128 = // "Pattern{Constant('| event after this is '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds')}" -match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ +var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ dup12, dup11, dup2, @@ -1683,8 +1553,7 @@ match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event var msg120 = msg("pluto:24", part128); -var part129 = // "Pattern{Constant('| recent '), Field(action,true), Constant(' activity '), Field(fld2,true), Constant(' seconds ago, '), Field(info,false)}" -match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ +var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ dup12, dup11, dup2, @@ -1692,8 +1561,7 @@ match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity var msg121 = msg("pluto:25", part129); -var part130 = // "Pattern{Constant('| *received '), Field(rbytes,true), Constant(' bytes from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' on '), Field(dinterface,false)}" -match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ +var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ dup12, dup11, dup2, @@ -1701,8 +1569,7 @@ match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes var msg122 = msg("pluto:26", part130); -var part131 = // "Pattern{Constant('| received '), Field(action,true), Constant(' notification '), Field(msg,true), Constant(' with seqno = '), Field(fld2,false)}" -match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ +var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ dup12, dup11, dup2, @@ -1710,8 +1577,7 @@ match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notifi var msg123 = msg("pluto:27", part131); -var part132 = // "Pattern{Constant('| sent '), Field(action,true), Constant(' notification '), Field(msg,true), Constant(' with seqno = '), Field(fld2,false)}" -match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ +var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ dup12, dup11, dup2, @@ -1719,8 +1585,7 @@ match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notificati var msg124 = msg("pluto:28", part132); -var part133 = // "Pattern{Constant('| inserting event '), Field(event_type,false), Constant(', timeout in '), Field(fld2,true), Constant(' seconds')}" -match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ +var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ dup12, dup11, dup2, @@ -1728,8 +1593,7 @@ match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_typ var msg125 = msg("pluto:29", part133); -var part134 = // "Pattern{Constant('| handling event '), Field(event_type,true), Constant(' for '), Field(saddr,true), Constant(' "'), Field(fld2,false), Constant('" #'), Field(fld3,false)}" -match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ +var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ dup12, dup11, dup2, @@ -1737,8 +1601,7 @@ match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type var msg126 = msg("pluto:30", part134); -var part135 = // "Pattern{Constant('| '), Field(event_description,false)}" -match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ +var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ dup12, dup11, dup2, @@ -1746,8 +1609,7 @@ match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", proc var msg127 = msg("pluto:31", part135); -var part136 = // "Pattern{Field(fld2,false), Constant(': asynchronous network error report on '), Field(interface,true), Constant(' for message to '), Field(daddr,true), Constant(' port '), Field(dport,false), Constant(', complainant '), Field(saddr,false), Constant(': Connection refused [errno '), Field(fld4,false), Constant(', origin ICMP type '), Field(icmptype,true), Constant(' code '), Field(icmpcode,true), Constant(' (not authenticated)]')}" -match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ +var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ dup12, setc("event_description","not authenticated"), dup11, @@ -1756,8 +1618,7 @@ match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network var msg128 = msg("pluto:32", part136); -var part137 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': initiating Main Mode')}" -match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ +var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ dup12, dup35, dup11, @@ -1766,8 +1627,7 @@ match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr- var msg129 = msg("pluto:33", part137); -var part138 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': max number of retransmissions ('), Field(fld5,false), Constant(') reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message')}" -match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ +var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ dup12, dup36, dup11, @@ -1776,8 +1636,7 @@ match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr- var msg130 = msg("pluto:34", part138); -var part139 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': starting keying attempt '), Field(fld5,true), Constant(' of an unlimited number')}" -match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ +var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ dup12, dup37, dup11, @@ -1824,8 +1683,7 @@ var select11 = linear_select([ msg131, ]); -var part140 = // "Pattern{Constant('This binary does not support kernel L2TP.'), Field(,false)}" -match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ +var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ setc("eventcategory","1607000000"), setc("event_description","xl2tpd:This binary does not support kernel L2TP."), dup11, @@ -1834,8 +1692,7 @@ match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support ke var msg132 = msg("xl2tpd", part140); -var part141 = // "Pattern{Constant('xl2tpd version '), Field(version,true), Constant(' started on PID:'), Field(fld2,false)}" -match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ +var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ dup12, setc("event_description","xl2tpd:xl2tpd started."), dup11, @@ -1844,8 +1701,7 @@ match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} var msg133 = msg("xl2tpd:01", part141); -var part142 = // "Pattern{Constant('Written by '), Field(info,false)}" -match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ +var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ dup12, dup38, dup11, @@ -1854,8 +1710,7 @@ match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", process var msg134 = msg("xl2tpd:02", part142); -var part143 = // "Pattern{Constant('Forked by '), Field(info,false)}" -match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ +var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ dup12, dup38, dup11, @@ -1864,8 +1719,7 @@ match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processo var msg135 = msg("xl2tpd:03", part143); -var part144 = // "Pattern{Constant('Inherited by '), Field(info,false)}" -match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ +var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ dup12, dup38, dup11, @@ -1874,8 +1728,7 @@ match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", proce var msg136 = msg("xl2tpd:04", part144); -var part145 = // "Pattern{Constant('Listening on IP address '), Field(saddr,false), Constant(', port '), Field(sport,false)}" -match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ +var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ dup12, dup38, dup11, @@ -1893,8 +1746,7 @@ var select12 = linear_select([ msg137, ]); -var part146 = // "Pattern{Constant('Exiting'), Field(,false)}" -match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ +var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ dup12, setc("event_description","barnyard: Exiting"), dup11, @@ -1903,8 +1755,7 @@ match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_cha var msg138 = msg("barnyard:01", part146); -var part147 = // "Pattern{Constant('Initializing daemon mode'), Field(,false)}" -match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ +var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ dup12, setc("event_description","barnyard:Initializing daemon mode"), dup11, @@ -1913,8 +1764,7 @@ match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{ var msg139 = msg("barnyard:02", part147); -var part148 = // "Pattern{Constant('Opened spool file ''), Field(filename,false), Constant(''')}" -match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filename}'", processor_chain([ +var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filename}'", processor_chain([ dup12, setc("event_description","barnyard:Opened spool file."), dup11, @@ -1923,8 +1773,7 @@ match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filen var msg140 = msg("barnyard:03", part148); -var part149 = // "Pattern{Constant('Waiting for new data'), Field(,false)}" -match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ +var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ dup12, setc("event_description","barnyard:Waiting for new data"), dup11, @@ -1940,8 +1789,7 @@ var select13 = linear_select([ msg141, ]); -var part150 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP connection from localhost ('), Field(hostname,false), Constant(') ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' closed by QUIT')}" -match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ +var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ dup12, setc("event_description","exim:SMTP connection from localhost closed by QUIT"), dup11, @@ -1950,8 +1798,7 @@ match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg142 = msg("exim:01", part150); -var part151 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' ['), Field(saddr,false), Constant('] F=<<'), Field(from,false), Constant('> R=<<'), Field(to,false), Constant('> Accepted: '), Field(info,false)}" -match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([ +var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([ setc("eventcategory","1207010000"), setc("event_description","exim:e-mail accepted from relay."), dup11, @@ -1960,8 +1807,7 @@ match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg143 = msg("exim:02", part151); -var part152 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' <<= '), Field(from,true), Constant(' H=localhost ('), Field(hostname,false), Constant(') ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' P='), Field(protocol,true), Constant(' S='), Field(fld9,true), Constant(' id='), Field(info,false)}" -match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ +var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ setc("eventcategory","1207000000"), setc("event_description","exim: e-mail sent."), dup11, @@ -1970,8 +1816,7 @@ match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg144 = msg("exim:03", part152); -var part153 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' == '), Field(from,true), Constant(' R=dnslookup defer ('), Field(fld9,false), Constant('): host lookup did not complete')}" -match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ +var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ dup39, setc("event_description","exim: e-mail host lookup did not complete in DNS."), dup11, @@ -1980,8 +1825,7 @@ match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg145 = msg("exim:04", part153); -var part154 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' == '), Field(from,true), Constant(' routing defer ('), Field(fld9,false), Constant('): retry time not reached')}" -match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ +var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ dup39, setc("event_description","exim: e-mail routing defer:retry time not reached."), dup11, @@ -1990,8 +1834,7 @@ match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg146 = msg("exim:05", part154); -var part155 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' exim '), Field(version,true), Constant(' daemon started: pid='), Field(fld8,false), Constant(', no queue runs, listening for SMTP on port '), Field(sport,true), Constant(' ('), Field(info,false), Constant(') port '), Field(fld9,true), Constant(' ('), Field(fld10,false), Constant(') and for SMTPS on port '), Field(fld11,true), Constant(' ('), Field(fld12,false), Constant(')')}" -match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ +var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ dup12, setc("event_description","exim: exim daemon started."), dup11, @@ -2000,8 +1843,7 @@ match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg147 = msg("exim:06", part155); -var part156 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' Start queue run: pid='), Field(fld8,false)}" -match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ +var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ dup12, setc("event_description","exim: Start queue run."), dup11, @@ -2010,8 +1852,7 @@ match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg148 = msg("exim:07", part156); -var part157 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' pid '), Field(fld8,false), Constant(': SIGHUP received: re-exec daemon')}" -match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ +var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ dup12, setc("event_description","exim: SIGHUP received: re-exec daemon."), dup11, @@ -2020,8 +1861,7 @@ match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg149 = msg("exim:08", part157); -var part158 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP connection from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim: SMTP connection from host."), dup11, @@ -2030,8 +1870,7 @@ match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg150 = msg("exim:09", part158); -var part159 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' rejected EHLO from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim:rejected EHLO from host."), dup11, @@ -2040,8 +1879,7 @@ match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg151 = msg("exim:10", part159); -var part160 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP protocol synchronization error ('), Field(result,false), Constant('): '), Field(fld8,true), Constant(' H=['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ +var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), dup11, @@ -2050,8 +1888,7 @@ match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg152 = msg("exim:11", part160); -var part161 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' TLS error on connection from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, setc("event_description","exim:TLS error on connection from host."), dup11, @@ -2060,8 +1897,7 @@ match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg153 = msg("exim:12", part161); -var part162 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld10,true), Constant(' == '), Field(hostname,true), Constant(' R='), Field(fld8,true), Constant(' T='), Field(fld9,false), Constant(': '), Field(info,false)}" -match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ +var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ dup12, dup40, dup11, @@ -2070,8 +1906,7 @@ match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg154 = msg("exim:13", part162); -var part163 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld10,true), Constant(' '), Field(hostname,true), Constant(' ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" -match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ +var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ dup12, dup40, dup11, @@ -2080,8 +1915,7 @@ match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg155 = msg("exim:14", part163); -var part164 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' End queue run: '), Field(info,false)}" -match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ +var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ dup12, dup40, dup11, @@ -2090,8 +1924,7 @@ match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fl var msg156 = msg("exim:15", part164); -var part165 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ +var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ dup12, dup11, dup2, @@ -2118,8 +1951,7 @@ var select14 = linear_select([ msg157, ]); -var part166 = // "Pattern{Constant('QMGR['), Field(fld2,false), Constant(']: '), Field(fld3,true), Constant(' moved to work queue')}" -match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ +var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ dup12, setc("event_description","smtpd: Process moved to work queue."), dup11, @@ -2128,8 +1960,7 @@ match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} move var msg158 = msg("smtpd:01", part166); -var part167 = // "Pattern{Constant('SCANNER['), Field(fld3,false), Constant(']: id="1000" severity="'), Field(severity,false), Constant('" sys="'), Field(fld4,false), Constant('" sub="'), Field(service,false), Constant('" name="'), Field(event_description,false), Constant('" srcip="'), Field(saddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" queueid="'), Field(fld5,false), Constant('" size="'), Field(rbytes,false), Constant('"')}" -match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ +var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ setc("eventcategory","1207010100"), dup11, dup2, @@ -2137,8 +1968,7 @@ match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" var msg159 = msg("smtpd:02", part167); -var part168 = // "Pattern{Constant('SCANNER['), Field(fld3,false), Constant(']: Nothing to do, exiting.')}" -match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ +var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ dup12, setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), dup11, @@ -2147,8 +1977,7 @@ match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to var msg160 = msg("smtpd:03", part168); -var part169 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: QR globally disabled, status two set to 'disabled'')}" -match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ +var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ dup12, setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), dup11, @@ -2157,8 +1986,7 @@ match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally var msg161 = msg("smtpd:04", part169); -var part170 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: QR globally disabled, status one set to 'disabled'')}" -match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ +var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ dup12, setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), dup11, @@ -2167,8 +1995,7 @@ match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally var msg162 = msg("smtpd:07", part170); -var part171 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: (Re-)loading configuration from Confd')}" -match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ +var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ dup12, setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), dup11, @@ -2177,8 +2004,7 @@ match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading var msg163 = msg("smtpd:05", part171); -var part172 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: Sending QR one')}" -match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ +var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ dup12, setc("event_description","smtpd: MASTER:Sending QR one."), dup11, @@ -2197,8 +2023,7 @@ var select15 = linear_select([ msg164, ]); -var part173 = // "Pattern{Constant('Did not receive identification string from '), Field(fld18,false)}" -match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ +var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ dup10, setc("event_description","sshd: Did not receive identification string."), dup11, @@ -2207,8 +2032,7 @@ match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification var msg165 = msg("sshd:01", part173); -var part174 = // "Pattern{Constant('Received SIGHUP; restarting.'), Field(,false)}" -match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ +var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ dup12, setc("event_description","sshd:Received SIGHUP restarting."), dup11, @@ -2217,8 +2041,7 @@ match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{ var msg166 = msg("sshd:02", part174); -var part175 = // "Pattern{Constant('Server listening on '), Field(saddr,true), Constant(' port '), Field(sport,false), Constant('.')}" -match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([ +var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([ dup12, setc("event_description","sshd:Server listening; restarting."), dup11, @@ -2227,8 +2050,7 @@ match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} var msg167 = msg("sshd:03", part175); -var part176 = // "Pattern{Constant('Invalid user admin from '), Field(fld18,false)}" -match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ +var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ dup41, setc("event_description","sshd:Invalid user admin."), dup11, @@ -2237,8 +2059,7 @@ match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld1 var msg168 = msg("sshd:04", part176); -var part177 = // "Pattern{Constant('Failed none for invalid user admin from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ +var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ dup41, setc("event_description","sshd:Failed none for invalid user admin."), dup11, @@ -2247,8 +2068,7 @@ match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user a var msg169 = msg("sshd:05", part177); -var part178 = // "Pattern{Constant('error: Could not get shadow information for NOUSER'), Field(,false)}" -match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ +var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ dup10, setc("event_description","sshd:error:Could not get shadow information for NOUSER"), dup11, @@ -2257,8 +2077,7 @@ match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow in var msg170 = msg("sshd:06", part178); -var part179 = // "Pattern{Constant('Failed password for root from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ +var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ dup41, setc("event_description","sshd:Failed password for root."), dup11, @@ -2267,8 +2086,7 @@ match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from var msg171 = msg("sshd:07", part179); -var part180 = // "Pattern{Constant('Accepted password for loginuser from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" -match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ +var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ setc("eventcategory","1302000000"), setc("event_description","sshd:Accepted password for loginuser."), dup11, @@ -2277,8 +2095,7 @@ match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuse var msg172 = msg("sshd:08", part180); -var part181 = // "Pattern{Constant('subsystem request for sftp failed, subsystem not found'), Field(,false)}" -match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ +var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ dup10, setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), dup11, @@ -2319,8 +2136,7 @@ var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { var msg174 = msg("aua:01", part182); -var part183 = // "Pattern{Constant('created new negotiatorchild'), Field(,false)}" -match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ +var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ dup12, setc("event_description","sockd: created new negotiatorchild."), dup11, @@ -2329,8 +2145,7 @@ match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{ var msg175 = msg("sockd:01", part183); -var part184 = // "Pattern{Constant('dante/server '), Field(version,true), Constant(' running')}" -match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ +var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ dup12, setc("event_description","sockd:dante/server running."), dup11, @@ -2339,8 +2154,7 @@ match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} run var msg176 = msg("sockd:02", part184); -var part185 = // "Pattern{Constant('sockdexit(): terminating on signal '), Field(fld2,false)}" -match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ +var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ dup12, setc("event_description","sockd:sockdexit():terminating on signal."), dup11, @@ -2355,8 +2169,7 @@ var select17 = linear_select([ msg177, ]); -var part186 = // "Pattern{Constant('Master started'), Field(,false)}" -match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ +var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ dup12, setc("event_description","pop3proxy:Master started."), dup11, @@ -2546,8 +2359,7 @@ var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { var msg180 = msg("httpd", part188); -var part189 = // "Pattern{Constant('['), Field(event_log,false), Constant(':'), Field(result,false), Constant('] [pid '), Field(fld3,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"] [rev "'), Field(fld2,false), Constant('"] [msg "'), Field(event_description,false), Constant('"] [severity "'), Field(severity,false), Constant('"] [ver "'), Field(version,false), Constant('"] [maturity "'), Field(fld22,false), Constant('"] [accuracy "'), Field(fld23,false), Constant('"] [tag "'), Field(fld24,false), Constant('"] [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]'), Field(fld25,false)}" -match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ +var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ setc("eventcategory","1502000000"), dup2, dup3, @@ -2663,5 +2475,4 @@ var chain1 = processor_chain([ }), ]); -var part191 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); +var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js b/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js index 8ad35b18ca1..f05bc1b7497 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/pipeline.js @@ -143,11 +143,9 @@ var dup8 = call({ ], }); -var dup9 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var dup9 = match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var dup10 = // "Pattern{Field(domain,false)}" -match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); +var dup10 = match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); var dup11 = setc("eventcategory","1001020100"); @@ -257,8 +255,7 @@ var dup48 = setc("fld14","1"); var dup49 = field("fld14"); -var dup50 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var dup50 = match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var dup51 = setc("fld14","0"); @@ -282,29 +279,23 @@ var dup57 = setc("event_description","Proactive Threat Protection has been disab var dup58 = setc("event_description","Application has changed since the last time you opened it"); -var dup59 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); +var dup59 = match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); -var dup60 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var dup60 = match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var dup61 = // "Pattern{Constant('Intrusion URL: '), Field(url,false)}" -match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); +var dup61 = match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); var dup62 = setc("event_description","Traffic has been blocked from application."); -var dup63 = // "Pattern{Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); +var dup63 = match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); -var dup64 = // "Pattern{Field(url,false)}" -match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); +var dup64 = match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); var dup65 = setc("eventcategory","1401000000"); var dup66 = setc("event_description","Somebody is scanning your computer."); -var dup67 = // "Pattern{Constant('Domain:'), Field(p0,false)}" -match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); +var dup67 = match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); var dup68 = setc("event_description","Informational: File Download Hash."); @@ -312,8 +303,7 @@ var dup69 = setc("eventcategory","1001030000"); var dup70 = setc("event_description","Web Attack : Malvertisement Website Redirect"); -var dup71 = // "Pattern{Constant(':'), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); +var dup71 = match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); var dup72 = setc("event_description","Web Attack: Mass Injection Website."); @@ -323,23 +313,17 @@ var dup74 = setc("eventcategory","1603110000"); var dup75 = setc("event_description","The most recent Host Integrity content has not completed a download or cannot be authenticated."); -var dup76 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); +var dup76 = match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); -var dup77 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); +var dup77 = match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); -var dup78 = // "Pattern{Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); +var dup78 = match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); -var dup79 = // "Pattern{Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); +var dup79 = match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); -var dup80 = // "Pattern{Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); +var dup80 = match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); -var dup81 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var dup81 = match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var dup82 = setc("result","Traffic has not been blocked from application."); @@ -357,11 +341,9 @@ var dup88 = setc("event_description","Host Integrity check passed"); var dup89 = setc("event_description","Host Integrity check failed."); -var dup90 = // "Pattern{Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); +var dup90 = match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); -var dup91 = // "Pattern{}" -match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); +var dup91 = match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); var dup92 = setc("eventcategory","1702010000"); @@ -381,39 +363,29 @@ var dup96 = setc("ec_activity","Create"); var dup97 = setc("ec_theme","Configuration"); -var dup98 = // "Pattern{Constant('"Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); +var dup98 = match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); -var dup99 = // "Pattern{Constant('Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); +var dup99 = match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); -var dup100 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); +var dup100 = match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); -var dup101 = // "Pattern{Field(fld4,false), Constant(',MD-5:'), Field(fld5,false), Constant(',Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); +var dup101 = match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); -var dup102 = // "Pattern{Constant('Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); +var dup102 = match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); var dup103 = setc("event_description","Active Response"); var dup104 = setc("dclass_counter1_string","Occurrences"); -var dup105 = // "Pattern{Constant('Rule: '), Field(rulename,false), Constant(',Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); +var dup105 = match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); -var dup106 = // "Pattern{Constant(' "Rule: '), Field(rulename,false), Constant('",Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); +var dup106 = match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); -var dup107 = // "Pattern{Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); +var dup107 = match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); -var dup108 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); +var dup108 = match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); -var dup109 = // "Pattern{Constant(' Domain: '), Field(domain,false)}" -match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); +var dup109 = match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); var dup110 = setc("eventcategory","1003010000"); @@ -427,27 +399,21 @@ var dup111 = call({ ], }); -var dup112 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); +var dup112 = match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); -var dup113 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); +var dup113 = match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); -var dup114 = // "Pattern{Field(fld25,false)}" -match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); +var dup114 = match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); var dup115 = setc("ec_subject","Virus"); var dup116 = setc("ec_activity","Detect"); -var dup117 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var dup117 = match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var dup118 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var dup118 = match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var dup119 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); +var dup119 = match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); var dup120 = setc("eventcategory","1801000000"); @@ -499,14 +465,11 @@ var dup137 = setf("domain","hdomain"); var dup138 = setc("event_description","The client has downloaded file successfully."); -var dup139 = // "Pattern{Constant('The client will block traffic from IP address '), Field(fld14,true), Constant(' for the next '), Field(duration_string,true), Constant(' (from '), Field(fld13,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); +var dup139 = match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); -var dup140 = // "Pattern{Constant('.,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); +var dup140 = match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); -var dup141 = // "Pattern{Constant(' . ,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); +var dup141 = match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); var dup142 = setf("shost","hclient"); @@ -514,26 +477,19 @@ var dup143 = setc("event_description","The client will block traffic."); var dup144 = setc("event_description","The client has successfully downloaded and applied a license file"); -var dup145 = // "Pattern{Constant('Commercial application detected,Computer name: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); +var dup145 = match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); -var dup146 = // "Pattern{Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); +var dup146 = match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); -var dup147 = // "Pattern{Field(shost,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); +var dup147 = match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); -var dup148 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var dup148 = match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); -var dup149 = // "Pattern{Constant('"'), Field(filename,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); +var dup149 = match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); -var dup150 = // "Pattern{Field(filename,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); +var dup150 = match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); -var dup151 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var dup151 = match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var dup152 = setf("threat_name","virusname"); @@ -557,19 +513,15 @@ var dup155 = setc("event_description","Commercial application detected"); var dup156 = setc("eventcategory","1701030000"); -var dup157 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var dup157 = match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); var dup158 = setf("administrator","husername"); -var dup159 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); +var dup159 = match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); -var dup160 = // "Pattern{Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); +var dup160 = match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); -var dup161 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(','), Field(fld53,false), Constant(',Permitted application reason: '), Field(fld54,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var dup161 = match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var dup162 = setc("event_description","Security risk found"); @@ -617,8 +569,7 @@ var dup174 = setc("eventcategory","1301000000"); var dup175 = setc("event_description","Failed to Login to Remote Site"); -var dup176 = // "Pattern{Constant('"'), Field(,false)}" -match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); +var dup176 = match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); var dup177 = setc("ec_subject","Group"); @@ -630,18 +581,15 @@ var dup180 = setc("event_description","Host Integrity check is disabled."); var dup181 = setc("event_description","Host Integrity failed but reported as pass"); -var dup182 = // "Pattern{Constant(' Domain:'), Field(p0,false)}" -match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); +var dup182 = match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); -var dup183 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); +var dup183 = match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); var dup184 = setc("event_description","LiveUpdate"); var dup185 = setc("event_description","Submitting information to Symantec failed."); -var dup186 = // "Pattern{Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); +var dup186 = match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); var dup187 = setc("ec_outcome","Error"); @@ -651,8 +599,7 @@ var dup189 = setf("hostid","hhost"); var dup190 = setc("event_description","The latest SONAR Definitions update failed to load."); -var dup191 = // "Pattern{Constant('",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); +var dup191 = match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); var dup192 = date_time({ dest: "event_time", @@ -664,59 +611,43 @@ var dup192 = date_time({ var dup193 = setc("event_description","Virus Found"); -var dup194 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); +var dup194 = match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); var dup195 = setc("event_description","Virus Definition File Update"); var dup196 = setf("event_description","hfld1"); -var dup197 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var dup197 = match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var dup198 = // "Pattern{Constant('"'), Field(fld1,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); +var dup198 = match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); -var dup199 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); +var dup199 = match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); var dup200 = setc("event_description","Virus found"); -var dup201 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); +var dup201 = match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); -var dup202 = // "Pattern{Constant('Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); +var dup202 = match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); -var dup203 = // "Pattern{Constant('"Group: '), Field(group,false), Constant('",Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); +var dup203 = match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); -var dup204 = // "Pattern{Constant('Group: '), Field(group,false), Constant(',Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); +var dup204 = match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); -var dup205 = // "Pattern{Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); +var dup205 = match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); -var dup206 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); +var dup206 = match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); -var dup207 = // "Pattern{Field(filename_size,false)}" -match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); +var dup207 = match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); -var dup208 = // "Pattern{Constant('Virus found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var dup208 = match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var dup209 = // "Pattern{Constant('"'), Field(info,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); +var dup209 = match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); -var dup210 = // "Pattern{Field(info,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); +var dup210 = match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); -var dup211 = // "Pattern{Constant(''), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); +var dup211 = match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); -var dup212 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); +var dup212 = match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); var dup213 = setc("eventcategory","1701060000"); @@ -724,8 +655,7 @@ var dup214 = setc("event_description","Network Audit Search Unagented Hosts From var dup215 = setc("event_description","Network Intrusion Prevention is malfunctioning"); -var dup216 = // "Pattern{Constant(' by policy'), Field(,false)}" -match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); +var dup216 = match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); var dup217 = setc("event_description","Generic Exploit Mitigation"); @@ -745,16 +675,13 @@ var dup224 = setc("event_description","Policy has been added"); var dup225 = setc("event_description","Policy has been edited"); -var dup226 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); +var dup226 = match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); var dup227 = setc("event_description","Potential risk found"); -var dup228 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); +var dup228 = match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); -var dup229 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var dup229 = match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var dup230 = date_time({ dest: "recorded_time", @@ -764,8 +691,7 @@ var dup230 = date_time({ ], }); -var dup231 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was denied by user'), Field(fld6,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); +var dup231 = match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); var dup232 = setc("eventcategory","1606000000"); @@ -807,17 +733,13 @@ var dup247 = setc("dclass_counter1_string","Risk Count."); var dup248 = setc("dclass_counter2_string","Scan Count."); -var dup249 = // "Pattern{Constant('''), Field(context,false), Constant('','), Field(p0,false)}" -match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); +var dup249 = match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); -var dup250 = // "Pattern{Constant('Security risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); +var dup250 = match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); -var dup251 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var dup251 = match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var dup252 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false)}" -match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); +var dup252 = match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); var dup253 = setc("event_description","Compressed File"); @@ -833,39 +755,29 @@ var dup258 = setc("event_description","services failed to start"); var dup259 = setc("eventcategory","1608010000"); -var dup260 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); +var dup260 = match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); -var dup261 = // "Pattern{Constant('[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); +var dup261 = match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); -var dup262 = // "Pattern{Constant('"[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); +var dup262 = match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); -var dup263 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); +var dup263 = match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); -var dup264 = // "Pattern{Constant('detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); +var dup264 = match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); -var dup265 = // "Pattern{Constant('advanced heuristic detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); +var dup265 = match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); -var dup266 = // "Pattern{Constant(' Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var dup266 = match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var dup267 = // "Pattern{Constant('Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); +var dup267 = match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); var dup268 = setc("ec_theme","Communication"); -var dup269 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); +var dup269 = match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); var dup270 = setc("event_description","Traffic from IP address is blocked."); -var dup271 = // "Pattern{Constant(''), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); +var dup271 = match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); var dup272 = setc("event_description","Unexpected server error."); @@ -873,26 +785,21 @@ var dup273 = setc("event_description","Unsolicited incoming ARP reply detected." var dup274 = setc("event_description","Windows Version info."); -var dup275 = // "Pattern{Constant('"'), Field(filename,false), Constant('",User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); +var dup275 = match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); -var dup276 = // "Pattern{Field(filename,false), Constant(',User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); +var dup276 = match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); var dup277 = setc("event_description","File Write"); -var dup278 = // "Pattern{Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var dup278 = match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var dup279 = setc("event_description","File Delete"); var dup280 = setc("event_description","File Delete Begin."); -var dup281 = // "Pattern{Constant('""'), Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); +var dup281 = match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); -var dup282 = // "Pattern{Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); +var dup282 = match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); var dup283 = setc("dclass_counter1_string","Virus Count."); @@ -920,17 +827,13 @@ var dup288 = setc("ec_subject","Configuration"); var dup289 = setc("eventcategory","1801030000"); -var dup290 = // "Pattern{Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); +var dup290 = match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); -var dup291 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); +var dup291 = match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); -var dup292 = // "Pattern{Field(event_description,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); +var dup292 = match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); -var dup293 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); +var dup293 = match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); var dup294 = setc("eventcategory","1803000000"); @@ -966,8 +869,7 @@ var dup303 = setc("event_description","Block Local File Sharing to external comp var dup304 = setc("event_description","Block all other traffic"); -var dup305 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); +var dup305 = match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); var dup306 = field("fld11"); @@ -1139,55 +1041,47 @@ var dup341 = linear_select([ dup282, ]); -var dup342 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var dup342 = match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup53, dup15, ])); -var dup343 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var dup343 = match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup43, dup15, ])); -var dup344 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup344 = match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var dup345 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup345 = match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var dup346 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup346 = match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var dup347 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup347 = match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var dup348 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup348 = match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, ])); -var dup349 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup349 = match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, @@ -1235,8 +1129,7 @@ var dup356 = lookup({ key: dup306, }); -var dup357 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var dup357 = match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup294, dup295, dup37, @@ -1250,8 +1143,7 @@ match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var dup358 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var dup358 = match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -1265,8 +1157,7 @@ match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ dup302, ])); -var dup359 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var dup359 = match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup43, dup15, dup353, @@ -1277,8 +1168,7 @@ match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var dup360 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" -match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ +var dup360 = match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ dup43, dup15, dup355, @@ -1289,8 +1179,7 @@ match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id} dup308, ])); -var dup361 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" -match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ +var dup361 = match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ dup43, dup15, dup355, @@ -1301,20 +1190,15 @@ match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ dup308, ])); -var hdr1 = // "Pattern{Constant('%SYMANTECAV '), Field(p0,false)}" -match("HEADER#0:0001/0", "message", "%SYMANTECAV %{p0}"); +var hdr1 = match("HEADER#0:0001/0", "message", "%SYMANTECAV %{p0}"); -var part1 = // "Pattern{Constant('Delete '), Field(p0,false)}" -match("HEADER#0:0001/1_0", "nwparser.p0", "Delete %{p0}"); +var part1 = match("HEADER#0:0001/1_0", "nwparser.p0", "Delete %{p0}"); -var part2 = // "Pattern{Constant('Leave Alone '), Field(p0,false)}" -match("HEADER#0:0001/1_1", "nwparser.p0", "Leave Alone %{p0}"); +var part2 = match("HEADER#0:0001/1_1", "nwparser.p0", "Leave Alone %{p0}"); -var part3 = // "Pattern{Constant('Quarantine '), Field(p0,false)}" -match("HEADER#0:0001/1_2", "nwparser.p0", "Quarantine %{p0}"); +var part3 = match("HEADER#0:0001/1_2", "nwparser.p0", "Quarantine %{p0}"); -var part4 = // "Pattern{Constant('Undefined '), Field(p0,false)}" -match("HEADER#0:0001/1_3", "nwparser.p0", "Undefined %{p0}"); +var part4 = match("HEADER#0:0001/1_3", "nwparser.p0", "Undefined %{p0}"); var select1 = linear_select([ part1, @@ -1323,8 +1207,7 @@ var select1 = linear_select([ part4, ]); -var part5 = // "Pattern{Field(,false), Constant('..Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#0:0001/2", "nwparser.p0", "%{}..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ +var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{}..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ dup1, ])); @@ -1339,20 +1222,17 @@ var all1 = all_match({ ]), }); -var hdr2 = // "Pattern{Constant('%SYMANTECAV Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#1:0002", "message", "%SYMANTECAV Alert: %{messageid->} %{data}..%{p0}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%SYMANTECAV Alert: %{messageid->} %{data}..%{p0}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr3 = // "Pattern{Constant('%SYMANTECAV ..'), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#2:0003", "message", "%SYMANTECAV ..%{messageid->} %{data}..%{p0}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%SYMANTECAV ..%{messageid->} %{data}..%{p0}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' ..'), Field(messageid,true), Constant(' '), Field(hfld2,false), Constant('.. '), Field(p0,false)}" -match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfld2}.. %{p0}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfld2}.. %{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -1367,8 +1247,7 @@ match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfl }), ])); -var hdr5 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(messageid,true), Constant(' Found '), Field(p0,false)}" -match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found %{p0}", processor_chain([ +var hdr5 = match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found %{p0}", processor_chain([ setc("header_id","0005"), call({ dest: "nwparser.payload", @@ -1381,8 +1260,7 @@ match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found % }), ])); -var hdr6 = // "Pattern{Constant('%SYMANTECAV '), Field(messageid,true), Constant(' '), Field(hfld1,false), Constant('..'), Field(p0,false)}" -match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", @@ -1397,242 +1275,202 @@ match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", }), ])); -var hdr7 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#6:00081", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ +var hdr7 = match("HEADER#6:00081", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ setc("header_id","00081"), dup2, ])); -var hdr8 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#7:0008", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ +var hdr8 = match("HEADER#7:0008", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ setc("header_id","0008"), dup2, ])); -var hdr9 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#8:00091", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ +var hdr9 = match("HEADER#8:00091", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ setc("header_id","00091"), dup2, ])); -var hdr10 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#9:0009", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ +var hdr10 = match("HEADER#9:0009", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ setc("header_id","0009"), dup2, ])); -var hdr11 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#10:00421", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ +var hdr11 = match("HEADER#10:00421", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ setc("header_id","00421"), dup2, ])); -var hdr12 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#11:0042", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ +var hdr12 = match("HEADER#11:0042", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ setc("header_id","0042"), dup2, ])); -var hdr13 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#12:99991", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ +var hdr13 = match("HEADER#12:99991", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ setc("header_id","99991"), dup2, ])); -var hdr14 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#13:9999", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ +var hdr14 = match("HEADER#13:9999", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ setc("header_id","9999"), dup2, ])); -var hdr15 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#14:00101", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ +var hdr15 = match("HEADER#14:00101", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","00101"), dup2, ])); -var hdr16 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#15:0010", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ +var hdr16 = match("HEADER#15:0010", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","0010"), dup2, ])); -var hdr17 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#16:00111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ +var hdr17 = match("HEADER#16:00111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ setc("header_id","00111"), dup3, ])); -var hdr18 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#17:0011", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ +var hdr18 = match("HEADER#17:0011", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ setc("header_id","0011"), dup3, ])); -var hdr19 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#18:00121", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ +var hdr19 = match("HEADER#18:00121", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ setc("header_id","00121"), dup2, ])); -var hdr20 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#19:0012", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ +var hdr20 = match("HEADER#19:0012", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ setc("header_id","0012"), dup2, ])); -var hdr21 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(fld20,true), Constant(' '), Field(fld21,true), Constant(' '), Field(fld23,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#20:11111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ +var hdr21 = match("HEADER#20:11111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ setc("header_id","11111"), dup2, ])); -var hdr22 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(fld20,true), Constant(' '), Field(fld21,true), Constant(' '), Field(fld23,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#21:1111", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ +var hdr22 = match("HEADER#21:1111", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ setc("header_id","1111"), dup2, ])); -var hdr23 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#22:13131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ +var hdr23 = match("HEADER#22:13131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","13131"), dup2, ])); -var hdr24 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#23:1313", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ +var hdr24 = match("HEADER#23:1313", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","1313"), dup2, ])); -var hdr25 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#24:00131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ +var hdr25 = match("HEADER#24:00131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ setc("header_id","00131"), dup2, ])); -var hdr26 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#25:0013", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ +var hdr26 = match("HEADER#25:0013", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ setc("header_id","0013"), dup2, ])); -var hdr27 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#26:13142", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ +var hdr27 = match("HEADER#26:13142", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ setc("header_id","13142"), dup2, ])); -var hdr28 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#27:13141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ +var hdr28 = match("HEADER#27:13141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ setc("header_id","13141"), dup2, ])); -var hdr29 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#28:1314", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ +var hdr29 = match("HEADER#28:1314", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ setc("header_id","1314"), dup2, ])); -var hdr30 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',[SID: '), Field(hdata,false), Constant('] '), Field(hfld1,false), Constant('. Traffic has been '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#29:00141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ +var hdr30 = match("HEADER#29:00141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ setc("header_id","00141"), dup4, ])); -var hdr31 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',[SID: '), Field(hdata,false), Constant('] '), Field(hfld1,false), Constant('. Traffic has been '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#30:0014", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ +var hdr31 = match("HEADER#30:0014", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ setc("header_id","0014"), dup4, ])); -var hdr32 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#31:00161", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{messageid->} %{p0}", processor_chain([ +var hdr32 = match("HEADER#31:00161", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{messageid->} %{p0}", processor_chain([ setc("header_id","00161"), dup2, ])); -var hdr33 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#32:0016", "message", "%{htime->} SymantecServer %{hhost}: %{messageid->} %{p0}", processor_chain([ +var hdr33 = match("HEADER#32:0016", "message", "%{htime->} SymantecServer %{hhost}: %{messageid->} %{p0}", processor_chain([ setc("header_id","0016"), dup2, ])); -var hdr34 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#33:29292", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr34 = match("HEADER#33:29292", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","29292"), dup5, ])); -var hdr35 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#34:29291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr35 = match("HEADER#34:29291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","29291"), dup5, ])); -var hdr36 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#35:2929", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr36 = match("HEADER#35:2929", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","2929"), dup5, ])); -var hdr37 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#36:00291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr37 = match("HEADER#36:00291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","00291"), dup5, ])); -var hdr38 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#37:0029", "message", "%{htime->} SymantecServer %{hhost}: %{fld1->} %{messageid->} %{p0}", processor_chain([ +var hdr38 = match("HEADER#37:0029", "message", "%{htime->} SymantecServer %{hhost}: %{fld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0029"), dup5, ])); -var hdr39 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhostip,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#38:00173", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhostip->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ +var hdr39 = match("HEADER#38:00173", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhostip->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ setc("header_id","00173"), dup2, ])); -var hdr40 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#39:00172", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ +var hdr40 = match("HEADER#39:00172", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ setc("header_id","00172"), dup2, ])); -var hdr41 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#40:00171", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid->} %{p0}", processor_chain([ +var hdr41 = match("HEADER#40:00171", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid->} %{p0}", processor_chain([ setc("header_id","00171"), dup2, ])); -var hdr42 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#41:0017", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid->} %{p0}", processor_chain([ +var hdr42 = match("HEADER#41:0017", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid->} %{p0}", processor_chain([ setc("header_id","0017"), dup2, ])); -var hdr43 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hname,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#42:00151", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ +var hdr43 = match("HEADER#42:00151", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ setc("header_id","00151"), dup6, ])); -var hdr44 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(hname,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#43:0015", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ +var hdr44 = match("HEADER#43:0015", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ setc("header_id","0015"), dup6, ])); -var hdr45 = // "Pattern{Constant('%SYMANTECAV Actual Name: '), Field(hfld1,true), Constant(' ..Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" -match("HEADER#44:0018", "message", "%SYMANTECAV Actual Name: %{hfld1->} ..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ +var hdr45 = match("HEADER#44:0018", "message", "%SYMANTECAV Actual Name: %{hfld1->} ..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ setc("header_id","0018"), dup1, ])); -var hdr46 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(messageid,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(p0,false)}" -match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messageid->} %{hfld3->} %{p0}", processor_chain([ +var hdr46 = match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messageid->} %{hfld3->} %{p0}", processor_chain([ setc("header_id","0021"), call({ dest: "nwparser.payload", @@ -1651,8 +1489,7 @@ match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messagei }), ])); -var hdr47 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(messageid,true), Constant(' '), Field(hfld4,true), Constant(' '), Field(p0,false)}" -match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} %{hfld4->} %{p0}", processor_chain([ +var hdr47 = match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} %{hfld4->} %{p0}", processor_chain([ setc("header_id","0022"), call({ dest: "nwparser.payload", @@ -1673,74 +1510,61 @@ match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} }), ])); -var hdr48 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(fld40,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#47:00191", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ +var hdr48 = match("HEADER#47:00191", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ setc("header_id","00191"), dup7, ])); -var hdr49 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(fld40,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#48:0019", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ +var hdr49 = match("HEADER#48:0019", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0019"), dup7, ])); -var hdr50 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#49:00201", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ +var hdr50 = match("HEADER#49:00201", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ setc("header_id","00201"), dup2, ])); -var hdr51 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#50:0020", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ +var hdr51 = match("HEADER#50:0020", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ setc("header_id","0020"), dup2, ])); -var hdr52 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#51:00231", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{messageid->} %{p0}", processor_chain([ +var hdr52 = match("HEADER#51:00231", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","00231"), dup2, ])); -var hdr53 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#52:0023", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{messageid->} %{p0}", processor_chain([ +var hdr53 = match("HEADER#52:0023", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{messageid->} %{p0}", processor_chain([ setc("header_id","0023"), dup2, ])); -var hdr54 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#53:00241", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid},%{payload}", processor_chain([ +var hdr54 = match("HEADER#53:00241", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid},%{payload}", processor_chain([ setc("header_id","00241"), ])); -var hdr55 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#54:0024", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid},%{payload}", processor_chain([ +var hdr55 = match("HEADER#54:0024", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid},%{payload}", processor_chain([ setc("header_id","0024"), ])); -var hdr56 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' """"'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#55:00261", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr56 = match("HEADER#55:00261", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","00261"), ])); -var hdr57 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' """"'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#56:0026", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr57 = match("HEADER#56:0026", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","0026"), ])); -var hdr58 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' ""'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#57:00371", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr58 = match("HEADER#57:00371", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","00371"), ])); -var hdr59 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' ""'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" -match("HEADER#58:0037", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ +var hdr59 = match("HEADER#58:0037", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ setc("header_id","0037"), ])); -var hdr60 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hsite,false), Constant(','), Field(messageid,false), Constant(': '), Field(p0,false)}" -match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ +var hdr60 = match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ setc("header_id","00271"), call({ dest: "nwparser.payload", @@ -1757,8 +1581,7 @@ match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hs }), ])); -var hdr61 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hsite,false), Constant(','), Field(messageid,false), Constant(': '), Field(p0,false)}" -match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ +var hdr61 = match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ setc("header_id","0027"), call({ dest: "nwparser.payload", @@ -1775,23 +1598,19 @@ match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{ }), ])); -var hdr62 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#61:00301", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid}: %{payload}", processor_chain([ +var hdr62 = match("HEADER#61:00301", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid}: %{payload}", processor_chain([ setc("header_id","00301"), ])); -var hdr63 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(': '), Field(payload,false)}" -match("HEADER#62:0030", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid}: %{payload}", processor_chain([ +var hdr63 = match("HEADER#62:0030", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid}: %{payload}", processor_chain([ setc("header_id","0030"), ])); -var hdr64 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#63:00242", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ +var hdr64 = match("HEADER#63:00242", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ setc("header_id","00242"), ])); -var hdr65 = // "Pattern{Field(htime,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{hfld1},%{messageid->} %{p0}", processor_chain([ +var hdr65 = match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{hfld1},%{messageid->} %{p0}", processor_chain([ setc("header_id","00243"), call({ dest: "nwparser.payload", @@ -1806,25 +1625,21 @@ match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hsh }), ])); -var hdr66 = // "Pattern{Field(htime,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" -match("HEADER#65:00244", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ +var hdr66 = match("HEADER#65:00244", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ setc("header_id","00244"), ])); -var hdr67 = // "Pattern{Constant('%SymantecEP: '), Field(messageid,false), Constant('^^'), Field(hhost,false), Constant('^^'), Field(p0,false)}" -match("HEADER#66:0031", "message", "%SymantecEP: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ +var hdr67 = match("HEADER#66:0031", "message", "%SymantecEP: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ setc("header_id","0031"), dup8, ])); -var hdr68 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(messageid,true), Constant(' '), Field(p0,false)}" -match("HEADER#67:0032", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid->} %{p0}", processor_chain([ +var hdr68 = match("HEADER#67:0032", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid->} %{p0}", processor_chain([ setc("header_id","0032"), dup2, ])); -var hdr69 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ +var hdr69 = match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0040"), call({ dest: "nwparser.payload", @@ -1849,14 +1664,12 @@ match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr70 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" -match("HEADER#69:0033", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid}.%{fld2->} %{p0}", processor_chain([ +var hdr70 = match("HEADER#69:0033", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid}.%{fld2->} %{p0}", processor_chain([ setc("header_id","0033"), dup3, ])); -var hdr71 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{messageid}^^%{p0}", processor_chain([ +var hdr71 = match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0034"), call({ dest: "nwparser.payload", @@ -1869,14 +1682,12 @@ match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel} }), ])); -var hdr72 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(messageid,false), Constant('^^'), Field(hhost,false), Constant('^^'), Field(p0,false)}" -match("HEADER#71:0035", "message", "%SymantecEP-%{hfld1}: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ +var hdr72 = match("HEADER#71:0035", "message", "%SymantecEP-%{hfld1}: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ setc("header_id","0035"), dup8, ])); -var hdr73 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{messageid}^^%{p0}", processor_chain([ +var hdr73 = match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0038"), call({ dest: "nwparser.payload", @@ -1899,8 +1710,7 @@ match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr74 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{messageid}^^%{p0}", processor_chain([ +var hdr74 = match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0041"), call({ dest: "nwparser.payload", @@ -1919,8 +1729,7 @@ match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr75 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ +var hdr75 = match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0043"), call({ dest: "nwparser.payload", @@ -1941,8 +1750,7 @@ match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr76 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(hfld8,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ +var hdr76 = match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0039"), call({ dest: "nwparser.payload", @@ -1969,8 +1777,7 @@ match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr77 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(hfld8,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" -match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ +var hdr77 = match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ setc("header_id","0044"), call({ dest: "nwparser.payload", @@ -1993,8 +1800,7 @@ match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{ }), ])); -var hdr78 = // "Pattern{Constant('%NICWIN-4-'), Field(msgIdPart1,false), Constant('_'), Field(msgIdPart2,false), Constant('_Symantec: '), Field(payload,false)}" -match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symantec: %{payload}", processor_chain([ +var hdr78 = match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symantec: %{payload}", processor_chain([ setc("header_id","0045"), call({ dest: "nwparser.messageid", @@ -2007,8 +1813,7 @@ match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symant }), ])); -var hdr79 = // "Pattern{Constant('%NICWIN-4-'), Field(messageid,false), Constant('_'), Field(hfld2,false), Constant('_Symantec AntiVirus: '), Field(payload,false)}" -match("HEADER#78:0046", "message", "%NICWIN-4-%{messageid}_%{hfld2}_Symantec AntiVirus: %{payload}", processor_chain([ +var hdr79 = match("HEADER#78:0046", "message", "%NICWIN-4-%{messageid}_%{hfld2}_Symantec AntiVirus: %{payload}", processor_chain([ setc("header_id","0046"), ])); @@ -2094,8 +1899,7 @@ var select2 = linear_select([ hdr79, ]); -var part6 = // "Pattern{Constant('Active Response that started at '), Field(fld1,true), Constant(' is disengaged. The traffic from IP address '), Field(hostip,true), Constant(' was blocked for '), Field(fld2,true), Constant(' second(s).,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(','), Field(direction,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#0:Active/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{fld2->} second(s).,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part6 = match("MESSAGE#0:Active/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{fld2->} second(s).,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all2 = all_match({ processors: [ @@ -2117,8 +1921,7 @@ var all2 = all_match({ var msg1 = msg("Active", all2); -var part7 = // "Pattern{Constant('Active Response that started at '), Field(fld1,true), Constant(' is disengaged. The traffic from IP address '), Field(hostip,true), Constant(' was blocked for '), Field(duration,true), Constant(' second(s). ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(','), Field(direction,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#1:Active:01/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{duration->} second(s). ,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part7 = match("MESSAGE#1:Active:01/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{duration->} second(s). ,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all3 = all_match({ processors: [ @@ -2145,8 +1948,7 @@ var select3 = linear_select([ msg2, ]); -var part8 = // "Pattern{Constant('Administrator logout'), Field(,false)}" -match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", processor_chain([ +var part8 = match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", processor_chain([ setc("eventcategory","1401070000"), dup12, dup13, @@ -2162,8 +1964,7 @@ match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", var msg3 = msg("Administrator", part8); -var part9 = // "Pattern{Constant('Administrator'), Field(space,false), Constant('log on failed')}" -match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}log on failed", processor_chain([ +var part9 = match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}log on failed", processor_chain([ setc("eventcategory","1401030000"), dup12, dup13, @@ -2179,8 +1980,7 @@ match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}lo var msg4 = msg("Administrator:01", part9); -var part10 = // "Pattern{Constant('Administrator'), Field(space,false), Constant('log on succeeded')}" -match("MESSAGE#4:Administrator:02", "nwparser.payload", "Administrator%{space}log on succeeded", processor_chain([ +var part10 = match("MESSAGE#4:Administrator:02", "nwparser.payload", "Administrator%{space}log on succeeded", processor_chain([ setc("eventcategory","1401060000"), dup12, dup13, @@ -2202,8 +2002,7 @@ var select4 = linear_select([ msg5, ]); -var part11 = // "Pattern{Constant('password of System administrator ''), Field(username,false), Constant('' has been changed.')}" -match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System administrator '%{username}' has been changed.", processor_chain([ +var part11 = match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System administrator '%{username}' has been changed.", processor_chain([ dup26, dup12, dup13, @@ -2219,8 +2018,7 @@ match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System admi var msg6 = msg("Administrator:03", part11); -var part12 = // "Pattern{Constant('password of administrator "'), Field(c_username,false), Constant('" was changed')}" -match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"%{c_username}\" was changed", processor_chain([ +var part12 = match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"%{c_username}\" was changed", processor_chain([ dup26, dup12, dup13, @@ -2236,8 +2034,7 @@ match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"% var msg7 = msg("password", part12); -var part13 = // "Pattern{Constant('password of System administrator "'), Field(c_username,false), Constant('" has been changed')}" -match("MESSAGE#291:password:01", "nwparser.payload", "password of System administrator \"%{c_username}\" has been changed", processor_chain([ +var part13 = match("MESSAGE#291:password:01", "nwparser.payload", "password of System administrator \"%{c_username}\" has been changed", processor_chain([ dup26, dup12, dup13, @@ -2259,8 +2056,7 @@ var select5 = linear_select([ msg8, ]); -var part14 = // "Pattern{Field(fld6,true), Constant(' detected. Traffic has been allowed from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part14 = match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup32, dup12, dup13, @@ -2275,8 +2071,7 @@ match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has var msg9 = msg("allowed", part14); -var part15 = // "Pattern{Field(fld6,true), Constant(' detected. Traffic has been allowed from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#7:allowed:11", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part15 = match("MESSAGE#7:allowed:11", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup32, dup12, dup13, @@ -2296,8 +2091,7 @@ var select6 = linear_select([ msg10, ]); -var part16 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(dport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(sport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',"!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant('",!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld33,false)}" -match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ +var part16 = match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ dup36, dup12, dup13, @@ -2314,8 +2108,7 @@ match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web var msg11 = msg("Malicious", part16); -var part17 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(sport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(dport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',"!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant('",!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld33,false)}" -match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ +var part17 = match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ dup36, dup12, dup13, @@ -2332,22 +2125,18 @@ match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious W var msg12 = msg("Malicious:01", part17); -var part18 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(p0,false)}" -match("MESSAGE#10:Malicious:02/0", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Inbound,%{p0}"); +var part18 = match("MESSAGE#10:Malicious:02/0", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Inbound,%{p0}"); -var part19 = // "Pattern{Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#10:Malicious:02/1_0", "nwparser.p0", "%{protocol},Intrusion ID:%{fld23},Begin: %{p0}"); +var part19 = match("MESSAGE#10:Malicious:02/1_0", "nwparser.p0", "%{protocol},Intrusion ID:%{fld23},Begin: %{p0}"); -var part20 = // "Pattern{Field(protocol,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#10:Malicious:02/1_1", "nwparser.p0", "%{protocol},Begin: %{p0}"); +var part20 = match("MESSAGE#10:Malicious:02/1_1", "nwparser.p0", "%{protocol},Begin: %{p0}"); var select7 = linear_select([ part19, part20, ]); -var part21 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',"CIDS Signature string: '), Field(sigid_string,false), Constant('",CIDS Signature SubID: '), Field(fld29,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#10:Malicious:02/2", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},\"CIDS Signature string: %{sigid_string}\",CIDS Signature SubID: %{fld29},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}"); +var part21 = match("MESSAGE#10:Malicious:02/2", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},\"CIDS Signature string: %{sigid_string}\",CIDS Signature SubID: %{fld29},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}"); var all4 = all_match({ processors: [ @@ -2377,8 +2166,7 @@ var select8 = linear_select([ msg13, ]); -var part22 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' failed to update.')}" -match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{info->} failed to update.", processor_chain([ +var part22 = match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{info->} failed to update.", processor_chain([ dup43, dup12, dup13, @@ -2393,8 +2181,7 @@ match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{in var msg14 = msg("Antivirus", part22); -var part23 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' is up-to-date.')}" -match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions %{info->} is up-to-date.", processor_chain([ +var part23 = match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions %{info->} is up-to-date.", processor_chain([ dup43, dup12, dup13, @@ -2405,8 +2192,7 @@ match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions % var msg15 = msg("Antivirus:01", part23); -var part24 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' was successfully updated.')}" -match("MESSAGE#13:Antivirus:02", "nwparser.payload", "%{product->} definitions %{info->} was successfully updated.", processor_chain([ +var part24 = match("MESSAGE#13:Antivirus:02", "nwparser.payload", "%{product->} definitions %{info->} was successfully updated.", processor_chain([ dup43, dup44, dup45, @@ -2424,8 +2210,7 @@ var select9 = linear_select([ msg16, ]); -var part25 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',1,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#14:Somebody/0", "nwparser.payload", "%{event_description}\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},1,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part25 = match("MESSAGE#14:Somebody/0", "nwparser.payload", "%{event_description}\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},1,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all5 = all_match({ processors: [ @@ -2448,8 +2233,7 @@ var all5 = all_match({ var msg17 = msg("Somebody", all5); -var part26 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',0,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#15:Somebody:01/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},0,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part26 = match("MESSAGE#15:Somebody:01/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},0,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all6 = all_match({ processors: [ @@ -2472,8 +2256,7 @@ var all6 = all_match({ var msg18 = msg("Somebody:01", all6); -var part27 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',2,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" -match("MESSAGE#16:Somebody:02/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},2,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); +var part27 = match("MESSAGE#16:Somebody:02/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},2,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); var all7 = all_match({ processors: [ @@ -2502,11 +2285,9 @@ var select10 = linear_select([ msg19, ]); -var part28 = // "Pattern{Field(fld44,false), Constant(',Application and Device Control is ready,'), Field(fld8,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(p0,false)}" -match("MESSAGE#17:Application/0", "nwparser.payload", "%{fld44},Application and Device Control is ready,%{fld8},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{p0}"); +var part28 = match("MESSAGE#17:Application/0", "nwparser.payload", "%{fld44},Application and Device Control is ready,%{fld8},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{p0}"); -var part29 = // "Pattern{Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#17:Application/1_0", "nwparser.p0", "%{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part29 = match("MESSAGE#17:Application/1_0", "nwparser.p0", "%{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var select11 = linear_select([ part29, @@ -2531,8 +2312,7 @@ var all8 = all_match({ var msg20 = msg("Application", all8); -var part30 = // "Pattern{Field(fld44,false), Constant(',Application and Device Control engine is not verified,'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and Device Control engine is not verified,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ +var part30 = match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and Device Control engine is not verified,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ dup53, dup12, dup13, @@ -2545,8 +2325,7 @@ match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and var msg21 = msg("Application:01", part30); -var part31 = // "Pattern{Field(fld44,false), Constant('Blocked,['), Field(fld5,false), Constant('] '), Field(event_description,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld45,false)}" -match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5}] %{event_description->} - Caller MD5=%{fld6},Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld45}", processor_chain([ +var part31 = match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5}] %{event_description->} - Caller MD5=%{fld6},Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld45}", processor_chain([ dup53, dup12, dup13, @@ -2559,8 +2338,7 @@ match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5} var msg22 = msg("Application:02", part31); -var part32 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(event_description,false), Constant(',, Scan Complete: Risks: '), Field(fld7,true), Constant(' Scanned: '), Field(fld8,true), Constant(' Omitted: '), Field(fld9,true), Constant(' Trusted Files Skipped: '), Field(fld10,false)}" -match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, Scan Complete: Risks: %{fld7->} Scanned: %{fld8->} Omitted: %{fld9->} Trusted Files Skipped: %{fld10}", processor_chain([ +var part32 = match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, Scan Complete: Risks: %{fld7->} Scanned: %{fld8->} Omitted: %{fld9->} Trusted Files Skipped: %{fld10}", processor_chain([ dup43, dup15, dup55, @@ -2568,8 +2346,7 @@ match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1-> var msg23 = msg("Application:03", part32); -var part33 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(event_description,false), Constant(',, '), Field(info,false), Constant('.')}" -match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, %{info}.", processor_chain([ +var part33 = match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, %{info}.", processor_chain([ dup43, dup15, dup55, @@ -2577,8 +2354,7 @@ match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1-> var msg24 = msg("Application:04", part33); -var part34 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(fld22,false), Constant(',,'), Field(space,false), Constant('Proactive Threat Protection has been disabled')}" -match("MESSAGE#685:Application:05", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{fld22},,%{space}Proactive Threat Protection has been disabled", processor_chain([ +var part34 = match("MESSAGE#685:Application:05", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{fld22},,%{space}Proactive Threat Protection has been disabled", processor_chain([ dup43, dup56, dup15, @@ -2597,8 +2373,7 @@ var select12 = linear_select([ msg25, ]); -var part35 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"Application has changed since the last time you opened it, process id:'), Field(process_id,true), Constant(' Filename: '), Field(fld8,true), Constant(' The change was denied by user.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld11,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id:%{process_id->} Filename: %{fld8->} The change was denied by user.\",Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld11},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part35 = match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id:%{process_id->} Filename: %{fld8->} The change was denied by user.\",Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld11},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup34, dup58, @@ -2613,8 +2388,7 @@ match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5 var msg26 = msg("Application:07", part35); -var part36 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' '), Field(fld1,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#27:Application:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} %{fld1}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part36 = match("MESSAGE#27:Application:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} %{fld1}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all9 = all_match({ processors: [ @@ -2637,8 +2411,7 @@ var all9 = all_match({ var msg27 = msg("Application:06", all9); -var part37 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',REMEDIATION WAS NEEDED - '), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#28:REMEDIATION/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},REMEDIATION WAS NEEDED - %{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part37 = match("MESSAGE#28:REMEDIATION/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},REMEDIATION WAS NEEDED - %{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all10 = all_match({ processors: [ @@ -2658,8 +2431,7 @@ var all10 = all_match({ var msg28 = msg("REMEDIATION", all10); -var part38 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#29:blocked:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part38 = match("MESSAGE#29:blocked:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all11 = all_match({ processors: [ @@ -2682,8 +2454,7 @@ var all11 = all_match({ var msg29 = msg("blocked:06", all11); -var part39 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#30:blocked:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part39 = match("MESSAGE#30:blocked:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all12 = all_match({ processors: [ @@ -2706,8 +2477,7 @@ var all12 = all_match({ var msg30 = msg("blocked:16", all12); -var part40 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,"Somebody is scanning your computer. Your computer's TCP ports: '), Field(fld60,false), Constant(', '), Field(fld61,false), Constant(', '), Field(fld62,false), Constant(', '), Field(fld63,true), Constant(' and '), Field(fld64,true), Constant(' have been scanned from '), Field(fld65,false), Constant('.",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#31:scanning:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part40 = match("MESSAGE#31:scanning:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all13 = all_match({ processors: [ @@ -2730,8 +2500,7 @@ var all13 = all_match({ var msg31 = msg("scanning:01", all13); -var part41 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,"Somebody is scanning your computer. Your computer's TCP ports: '), Field(fld60,false), Constant(', '), Field(fld61,false), Constant(', '), Field(fld62,false), Constant(', '), Field(fld63,true), Constant(' and '), Field(fld64,true), Constant(' have been scanned from '), Field(fld65,false), Constant('.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#32:scanning/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part41 = match("MESSAGE#32:scanning/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all14 = all_match({ processors: [ @@ -2754,19 +2523,16 @@ var all14 = all_match({ var msg32 = msg("scanning", all14); -var part42 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Informational: File Download Hash,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#33:Informational/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},%{p0}"); +var part42 = match("MESSAGE#33:Informational/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},%{p0}"); -var part43 = // "Pattern{Constant(' Domain: '), Field(p0,false)}" -match("MESSAGE#33:Informational/1_0", "nwparser.p0", " Domain: %{p0}"); +var part43 = match("MESSAGE#33:Informational/1_0", "nwparser.p0", " Domain: %{p0}"); var select13 = linear_select([ part43, dup67, ]); -var part44 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#33:Informational/2", "nwparser.p0", "%{} %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part44 = match("MESSAGE#33:Informational/2", "nwparser.p0", "%{} %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all15 = all_match({ processors: [ @@ -2791,8 +2557,7 @@ var all15 = all_match({ var msg33 = msg("Informational", all15); -var part45 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Informational: File Download Hash,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#34:Informational:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part45 = match("MESSAGE#34:Informational:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all16 = all_match({ processors: [ @@ -2815,8 +2580,7 @@ var all16 = all_match({ var msg34 = msg("Informational:01", all16); -var part46 = // "Pattern{Field(shost,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',CCD Notification: REMEDIATION NOT REQUIRED,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote:'), Field(fld2,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application:'), Field(fld6,false), Constant(',Location: '), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string:'), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:')}" -match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksum},MD-5:%{checksum},CCD Notification: REMEDIATION NOT REQUIRED,Local: %{saddr},Local: %{fld1},Remote:%{fld2},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application:%{fld6},Location: %{fld7},User: %{username}, Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string:%{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:", processor_chain([ +var part46 = match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksum},MD-5:%{checksum},CCD Notification: REMEDIATION NOT REQUIRED,Local: %{saddr},Local: %{fld1},Remote:%{fld2},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application:%{fld6},Location: %{fld7},User: %{username}, Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string:%{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:", processor_chain([ dup53, dup12, dup13, @@ -2831,8 +2595,7 @@ match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksu var msg35 = msg("SHA-256::01", part46); -var part47 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#36:Web_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part47 = match("MESSAGE#36:Web_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all17 = all_match({ processors: [ @@ -2855,8 +2618,7 @@ var all17 = all_match({ var msg36 = msg("Web_Attack", all17); -var part48 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Fake Flash Player Download '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#37:Web_Attack:13/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Flash Player Download %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part48 = match("MESSAGE#37:Web_Attack:13/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Flash Player Download %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all18 = all_match({ processors: [ @@ -2879,19 +2641,16 @@ var all18 = all_match({ var msg37 = msg("Web_Attack:13", all18); -var part49 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] Web Attack'), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack%{p0}"); +var part49 = match("MESSAGE#38:Web_Attack:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack%{p0}"); -var part50 = // "Pattern{Constant(' : '), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/1_0", "nwparser.p0", " : %{p0}"); +var part50 = match("MESSAGE#38:Web_Attack:16/1_0", "nwparser.p0", " : %{p0}"); var select14 = linear_select([ part50, dup71, ]); -var part51 = // "Pattern{Field(,false), Constant('JSCoinminer Download '), Field(fld21,true), Constant(' attack blocked. Traffic has been blocked for this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#38:Web_Attack:16/2", "nwparser.p0", "%{}JSCoinminer Download %{fld21->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); +var part51 = match("MESSAGE#38:Web_Attack:16/2", "nwparser.p0", "%{}JSCoinminer Download %{fld21->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); var all19 = all_match({ processors: [ @@ -2915,8 +2674,7 @@ var all19 = all_match({ var msg38 = msg("Web_Attack:16", all19); -var part52 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,[SID: '), Field(fld26,false), Constant('] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,[SID: %{fld26}] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ +var part52 = match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,[SID: %{fld26}] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ dup69, dup12, dup13, @@ -2931,8 +2689,7 @@ match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5: var msg39 = msg("Web_Attack:03", part52); -var part53 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] Web Attack : Malvertisement Website Redirect '), Field(fld2,true), Constant(' attack blocked. Traffic has been blocked for this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack : Malvertisement Website Redirect %{fld2->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ +var part53 = match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack : Malvertisement Website Redirect %{fld2->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ dup69, dup12, dup13, @@ -2947,8 +2704,7 @@ match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5: var msg40 = msg("Web_Attack:15", part53); -var part54 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#41:Web_Attack:11/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part54 = match("MESSAGE#41:Web_Attack:11/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all20 = all_match({ processors: [ @@ -2971,8 +2727,7 @@ var all20 = all_match({ var msg41 = msg("Web_Attack:11", all20); -var part55 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#42:Web_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part55 = match("MESSAGE#42:Web_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all21 = all_match({ processors: [ @@ -2995,8 +2750,7 @@ var all21 = all_match({ var msg42 = msg("Web_Attack:01", all21); -var part56 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#43:Web_Attack:12/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part56 = match("MESSAGE#43:Web_Attack:12/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all22 = all_match({ processors: [ @@ -3019,8 +2773,7 @@ var all22 = all_match({ var msg43 = msg("Web_Attack:12", all22); -var part57 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#44:Web_Attack:14/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part57 = match("MESSAGE#44:Web_Attack:14/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all23 = all_match({ processors: [ @@ -3043,8 +2796,7 @@ var all23 = all_match({ var msg44 = msg("Web_Attack:14", all23); -var part58 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#45:Web_Attack:17/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part58 = match("MESSAGE#45:Web_Attack:17/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all24 = all_match({ processors: [ @@ -3067,8 +2819,7 @@ var all24 = all_match({ var msg45 = msg("Web_Attack:17", all24); -var part59 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Fake Tech Support Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#46:Web_Attack:18/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Tech Support Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part59 = match("MESSAGE#46:Web_Attack:18/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Tech Support Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all25 = all_match({ processors: [ @@ -3091,8 +2842,7 @@ var all25 = all_match({ var msg46 = msg("Web_Attack:18", all25); -var part60 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#47:App_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part60 = match("MESSAGE#47:App_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all26 = all_match({ processors: [ @@ -3115,8 +2865,7 @@ var all26 = all_match({ var msg47 = msg("App_Attack", all26); -var part61 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#48:App_Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part61 = match("MESSAGE#48:App_Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all27 = all_match({ processors: [ @@ -3139,8 +2888,7 @@ var all27 = all_match({ var msg48 = msg("App_Attack:02", all27); -var part62 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#49:App_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Fake App Attack: Misleading Application Website%{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part62 = match("MESSAGE#49:App_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Fake App Attack: Misleading Application Website%{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all28 = all_match({ processors: [ @@ -3163,8 +2911,7 @@ var all28 = all_match({ var msg49 = msg("App_Attack:01", all28); -var part63 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#50:Host_Integrity/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part63 = match("MESSAGE#50:Host_Integrity/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all29 = all_match({ processors: [ @@ -3186,11 +2933,9 @@ var all29 = all_match({ var msg50 = msg("Host_Integrity", all29); -var part64 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"'), Field(p0,false)}" -match("MESSAGE#307:process:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"%{p0}"); +var part64 = match("MESSAGE#307:process:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"%{p0}"); -var part65 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile'), Field(fld6,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#307:process:12/2", "nwparser.p0", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile%{fld6}\"%{p0}"); +var part65 = match("MESSAGE#307:process:12/2", "nwparser.p0", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile%{fld6}\"%{p0}"); var all30 = all_match({ processors: [ @@ -3218,8 +2963,7 @@ var all30 = all_match({ var msg51 = msg("process:12", all30); -var part66 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('attack detected but not blocked. Application path:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#461:Audit:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part66 = match("MESSAGE#461:Audit:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all31 = all_match({ processors: [ @@ -3242,8 +2986,7 @@ var all31 = all_match({ var msg52 = msg("Audit:01", all31); -var part67 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('attack detected but not blocked. Application path:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#462:Audit:11/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part67 = match("MESSAGE#462:Audit:11/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all32 = all_match({ processors: [ @@ -3266,8 +3009,7 @@ var all32 = all_match({ var msg53 = msg("Audit:11", all32); -var part68 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('. Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#463:Audit:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part68 = match("MESSAGE#463:Audit:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all33 = all_match({ processors: [ @@ -3290,8 +3032,7 @@ var all33 = all_match({ var msg54 = msg("Audit:02", all33); -var part69 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('. Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(','), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#464:Audit:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part69 = match("MESSAGE#464:Audit:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all34 = all_match({ processors: [ @@ -3314,8 +3055,7 @@ var all34 = all_match({ var msg55 = msg("Audit:12", all34); -var part70 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld111,false), Constant('] '), Field(category,false), Constant(':'), Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#507:Attack:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part70 = match("MESSAGE#507:Attack:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all35 = all_match({ processors: [ @@ -3337,8 +3077,7 @@ var all35 = all_match({ var msg56 = msg("Attack:03", all35); -var part71 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld111,false), Constant('] '), Field(category,false), Constant(':'), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#508:Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part71 = match("MESSAGE#508:Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all36 = all_match({ processors: [ @@ -3360,8 +3099,7 @@ var all36 = all_match({ var msg57 = msg("Attack:02", all36); -var part72 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Auto-Block Event,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#710:Auto-block/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Auto-Block Event,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part72 = match("MESSAGE#710:Auto-block/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Auto-Block Event,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all37 = all_match({ processors: [ @@ -3383,8 +3121,7 @@ var all37 = all_match({ var msg58 = msg("Auto-block", all37); -var part73 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Denial of Service 'Smurf' attack detected. Description: '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#711:Denial/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part73 = match("MESSAGE#711:Denial/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all38 = all_match({ processors: [ @@ -3407,8 +3144,7 @@ var all38 = all_match({ var msg59 = msg("Denial", all38); -var part74 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Denial of Service 'Smurf' attack detected. Description: '), Field(info,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#712:Denial:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part74 = match("MESSAGE#712:Denial:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all39 = all_match({ processors: [ @@ -3431,8 +3167,7 @@ var all39 = all_match({ var msg60 = msg("Denial:01", all39); -var part75 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Denial of Service ''Smurf'' attack detected. Description: '), Field(info,false), Constant('',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#713:Denial:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part75 = match("MESSAGE#713:Denial:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all40 = all_match({ processors: [ @@ -3455,8 +3190,7 @@ var all40 = all_match({ var msg61 = msg("Denial:02", all40); -var part76 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Denial of Service ''Smurf'' attack detected. Description: '), Field(info,false), Constant('',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#714:Denial:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part76 = match("MESSAGE#714:Denial:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all41 = all_match({ processors: [ @@ -3479,8 +3213,7 @@ var all41 = all_match({ var msg62 = msg("Denial:03", all41); -var part77 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Host Integrity check passed'), Field(space,false), Constant('Requirement: '), Field(fld11,true), Constant(' passed ',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check passed%{space}Requirement: %{fld11->} passed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part77 = match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check passed%{space}Requirement: %{fld11->} passed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup86, dup87, dup12, @@ -3494,8 +3227,7 @@ match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{che var msg63 = msg("Host:18", part77); -var part78 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Host Integrity check failed Requirement: '''), Field(fld11,false), Constant(''' passed Requirement: '''), Field(fld12,false), Constant(''' failed ',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check failed Requirement: ''%{fld11}'' passed Requirement: ''%{fld12}'' failed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part78 = match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check failed Requirement: ''%{fld11}'' passed Requirement: ''%{fld12}'' failed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup86, dup12, dup13, @@ -3508,8 +3240,7 @@ match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{che var msg64 = msg("Host:19", part78); -var part79 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',DLP version is latest,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},DLP version is latest,Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part79 = match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},DLP version is latest,Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup13, @@ -3524,8 +3255,7 @@ match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:% var msg65 = msg("DLP_version", part79); -var part80 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Brute force remote login,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld27,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#720:Brute_force/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Brute force remote login,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld27},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part80 = match("MESSAGE#720:Brute_force/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Brute force remote login,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld27},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all42 = all_match({ processors: [ @@ -3592,8 +3322,7 @@ var select15 = linear_select([ msg66, ]); -var part81 = // "Pattern{Constant('Applied new policy with '), Field(info,false), Constant('successfully.'), Field(p0,false)}" -match("MESSAGE#21:Applied/0", "nwparser.payload", "Applied new policy with %{info}successfully.%{p0}"); +var part81 = match("MESSAGE#21:Applied/0", "nwparser.payload", "Applied new policy with %{info}successfully.%{p0}"); var all43 = all_match({ processors: [ @@ -3613,8 +3342,7 @@ var all43 = all_match({ var msg67 = msg("Applied", all43); -var part82 = // "Pattern{Constant('Applied new profile with serial number '), Field(fld23,true), Constant(' successfully.')}" -match("MESSAGE#700:Smc:04", "nwparser.payload", "Applied new profile with serial number %{fld23->} successfully.", processor_chain([ +var part82 = match("MESSAGE#700:Smc:04", "nwparser.payload", "Applied new profile with serial number %{fld23->} successfully.", processor_chain([ dup53, dup94, dup13, @@ -3630,8 +3358,7 @@ var select16 = linear_select([ msg68, ]); -var part83 = // "Pattern{Constant('Add shared policy upon system install,LiveUpdate Settings policy'), Field(,false)}" -match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system install,LiveUpdate Settings policy%{}", processor_chain([ +var part83 = match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system install,LiveUpdate Settings policy%{}", processor_chain([ dup95, dup12, dup13, @@ -3645,11 +3372,9 @@ match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system insta var msg69 = msg("Add", part83); -var part84 = // "Pattern{Constant('System Infected: '), Field(threat_name,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part84 = match("MESSAGE#23:blocked:01/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part85 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#23:blocked:01/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part85 = match("MESSAGE#23:blocked:01/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all44 = all_match({ processors: [ @@ -3673,11 +3398,9 @@ var all44 = all_match({ var msg70 = msg("blocked:01", all44); -var part86 = // "Pattern{Constant('System Infected: '), Field(threat_name,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#24:blocked:12/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part86 = match("MESSAGE#24:blocked:12/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part87 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#24:blocked:12/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part87 = match("MESSAGE#24:blocked:12/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all45 = all_match({ processors: [ @@ -3701,11 +3424,9 @@ var all45 = all_match({ var msg71 = msg("blocked:12", all45); -var part88 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#25:blocked:05/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{daddr},Remote: %{fld15},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part88 = match("MESSAGE#25:blocked:05/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{daddr},Remote: %{fld15},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part89 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#25:blocked:05/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part89 = match("MESSAGE#25:blocked:05/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all46 = all_match({ processors: [ @@ -3729,11 +3450,9 @@ var all46 = all_match({ var msg72 = msg("blocked:05", all46); -var part90 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#26:blocked:15/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{saddr},Remote: %{fld15},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part90 = match("MESSAGE#26:blocked:15/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{saddr},Remote: %{fld15},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part91 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#26:blocked:15/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part91 = match("MESSAGE#26:blocked:15/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all47 = all_match({ processors: [ @@ -3757,8 +3476,7 @@ var all47 = all_match({ var msg73 = msg("blocked:15", all47); -var part92 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#52:blocked/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part92 = match("MESSAGE#52:blocked/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all48 = all_match({ processors: [ @@ -3782,8 +3500,7 @@ var all48 = all_match({ var msg74 = msg("blocked", all48); -var part93 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#53:blocked:11/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part93 = match("MESSAGE#53:blocked:11/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all49 = all_match({ processors: [ @@ -3816,8 +3533,7 @@ var select17 = linear_select([ msg75, ]); -var part94 = // "Pattern{Constant('The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#51:Host_Integrity:01/0", "nwparser.payload", "The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part94 = match("MESSAGE#51:Host_Integrity:01/0", "nwparser.payload", "The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all50 = all_match({ processors: [ @@ -3839,8 +3555,7 @@ var all50 = all_match({ var msg76 = msg("Host_Integrity:01", all50); -var part95 = // "Pattern{Field(,true), Constant(' '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Inbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Rule: '), Field(rulename,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#190:Local::01/1", "nwparser.p0", "%{} %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); +var part95 = match("MESSAGE#190:Local::01/1", "nwparser.p0", "%{} %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); var all51 = all_match({ processors: [ @@ -3863,8 +3578,7 @@ var all51 = all_match({ var msg77 = msg("Local::01", all51); -var part96 = // "Pattern{Field(,true), Constant(' '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Outbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Rule: '), Field(rulename,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#191:Local::13/1", "nwparser.p0", "%{} %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); +var part96 = match("MESSAGE#191:Local::13/1", "nwparser.p0", "%{} %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); var all52 = all_match({ processors: [ @@ -3887,8 +3601,7 @@ var all52 = all_match({ var msg78 = msg("Local::13", all52); -var part97 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Outbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(','), Field(p0,false)}" -match("MESSAGE#192:Local:/0", "nwparser.payload", "Local: %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); +var part97 = match("MESSAGE#192:Local:/0", "nwparser.payload", "Local: %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); var all53 = all_match({ processors: [ @@ -3913,8 +3626,7 @@ var all53 = all_match({ var msg79 = msg("Local:", all53); -var part98 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Inbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(','), Field(p0,false)}" -match("MESSAGE#193:Local:11/0", "nwparser.payload", "Local: %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); +var part98 = match("MESSAGE#193:Local:11/0", "nwparser.payload", "Local: %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); var all54 = all_match({ processors: [ @@ -3939,8 +3651,7 @@ var all54 = all_match({ var msg80 = msg("Local:11", all54); -var part99 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,true), Constant(' CVE-'), Field(cve,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part99 = match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -3955,8 +3666,7 @@ match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg81 = msg("Local::09", part99); -var part100 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,true), Constant(' CVE-'), Field(cve,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part100 = match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -3971,8 +3681,7 @@ match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg82 = msg("Local::20", part100); -var part101 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part101 = match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -3986,8 +3695,7 @@ match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg83 = msg("Local::08", part101); -var part102 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part102 = match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup110, dup12, dup13, @@ -4001,8 +3709,7 @@ match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: var msg84 = msg("Local::18", part102); -var part103 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#198:Local::04/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part103 = match("MESSAGE#198:Local::04/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all55 = all_match({ processors: [ @@ -4028,8 +3735,7 @@ var all55 = all_match({ var msg85 = msg("Local::04", all55); -var part104 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" -match("MESSAGE#199:Local::17/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); +var part104 = match("MESSAGE#199:Local::17/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); var all56 = all_match({ processors: [ @@ -4055,8 +3761,7 @@ var all56 = all_match({ var msg86 = msg("Local::17", all56); -var part105 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(dport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(sport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant(',!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld23,false)}" -match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol}Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ +var part105 = match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol}Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ dup86, dup12, dup13, @@ -4070,8 +3775,7 @@ match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: var msg87 = msg("Local::06", part105); -var part106 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(sport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(dport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant(',!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld23,false)}" -match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ +var part106 = match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ dup86, dup12, dup13, @@ -4085,8 +3789,7 @@ match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: var msg88 = msg("Local::16", part106); -var part107 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',0,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},0,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part107 = match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},0,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup86, dup12, dup13, @@ -4101,8 +3804,7 @@ match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: var msg89 = msg("Local::02", part107); -var part108 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',1,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},%{protocol},1,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part108 = match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},%{protocol},1,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup86, dup12, dup13, @@ -4117,8 +3819,7 @@ match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: var msg90 = msg("Local::22", part108); -var part109 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',2,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},2,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ +var part109 = match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},2,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ dup86, dup12, dup13, @@ -4133,8 +3834,7 @@ match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: var msg91 = msg("Local::23", part109); -var part110 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(': '), Field(fld22,true), Constant(' CVE-'), Field(cve,true), Constant(' '), Field(fld26,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#205:Local::07/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part110 = match("MESSAGE#205:Local::07/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all57 = all_match({ processors: [ @@ -4157,8 +3857,7 @@ var all57 = all_match({ var msg92 = msg("Local::07", all57); -var part111 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(': '), Field(fld22,true), Constant(' CVE-'), Field(cve,true), Constant(' '), Field(fld26,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#206:Local::19/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part111 = match("MESSAGE#206:Local::19/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all58 = all_match({ processors: [ @@ -4181,8 +3880,7 @@ var all58 = all_match({ var msg93 = msg("Local::19", all58); -var part112 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#207:Local::05/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part112 = match("MESSAGE#207:Local::05/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all59 = all_match({ processors: [ @@ -4208,8 +3906,7 @@ var all59 = all_match({ var msg94 = msg("Local::05", all59); -var part113 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#208:Local::15/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); +var part113 = match("MESSAGE#208:Local::15/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); var all60 = all_match({ processors: [ @@ -4283,8 +3980,7 @@ var all62 = all_match({ var msg97 = msg("Local::14", all62); -var part114 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Inbound,Application: '), Field(application,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dport},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Inbound,Application: %{application},Action: %{action}", processor_chain([ +var part114 = match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dport},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Inbound,Application: %{application},Action: %{action}", processor_chain([ dup86, dup12, dup13, @@ -4296,8 +3992,7 @@ match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dpo var msg98 = msg("Local::10", part114); -var part115 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Outbound,Application: '), Field(application,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{sport},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Outbound,Application: %{application},Action: %{action}", processor_chain([ +var part115 = match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{sport},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Outbound,Application: %{application},Action: %{action}", processor_chain([ dup86, dup12, dup13, @@ -4309,8 +4004,7 @@ match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{spo var msg99 = msg("Local::21", part115); -var part116 = // "Pattern{Constant('Event Description: '), Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local Host MAC: '), Field(dmacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(saddr,false), Constant(',Remote Host MAC: '), Field(smacaddr,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: 0,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(dport,false), Constant(',Remote Port: '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" -match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_description},Local: %{daddr},Local Host MAC: %{dmacaddr},Remote Host Name: %{fld3},Remote Host IP: %{saddr},Remote Host MAC: %{smacaddr},Inbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{dport},Remote Port: %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ +var part116 = match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_description},Local: %{daddr},Local Host MAC: %{dmacaddr},Remote Host Name: %{fld3},Remote Host IP: %{saddr},Remote Host MAC: %{smacaddr},Inbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{dport},Remote Port: %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ dup120, dup12, dup13, @@ -4321,8 +4015,7 @@ match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_d var msg100 = msg("Local::24", part116); -var part117 = // "Pattern{Constant('Event Description: '), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local Host MAC: '), Field(smacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(daddr,false), Constant(',Remote Host MAC: '), Field(dmacaddr,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: 0,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(sport,false), Constant(',Remote Port: '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" -match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_description},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},Outbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ +var part117 = match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_description},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},Outbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ dup36, dup12, dup13, @@ -4333,8 +4026,7 @@ match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_d var msg101 = msg("Local::25", part117); -var part118 = // "Pattern{Constant('Event Description: '), Field(event_description,true), Constant(' [Volume]: '), Field(disk_volume,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant(',Local: '), Field(saddr,false), Constant(',Local Host MAC: '), Field(smacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(daddr,false), Constant(',Remote Host MAC: '), Field(dmacaddr,false), Constant(','), Field(direction,false), Constant(','), Field(fld2,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(sport,false), Constant(',Remote Port: '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" -match("MESSAGE#215:Local::26", "nwparser.payload", "Event Description: %{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},%{direction},%{fld2},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ +var part118 = match("MESSAGE#215:Local::26", "nwparser.payload", "Event Description: %{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},%{direction},%{fld2},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ dup53, dup12, dup13, @@ -4374,8 +4066,7 @@ var select18 = linear_select([ msg102, ]); -var part119 = // "Pattern{Constant('Blocked Attack: Memory Heap Spray attack against '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#54:Blocked:13/0", "nwparser.payload", "Blocked Attack: Memory Heap Spray attack against %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part119 = match("MESSAGE#54:Blocked:13/0", "nwparser.payload", "Blocked Attack: Memory Heap Spray attack against %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all63 = all_match({ processors: [ @@ -4398,8 +4089,7 @@ var all63 = all_match({ var msg103 = msg("Blocked:13", all63); -var part120 = // "Pattern{Constant('"'), Field(fld23,false), Constant(',",File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part120 = match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4415,8 +4105,7 @@ match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: var msg104 = msg("File:01", part120); -var part121 = // "Pattern{Constant('"'), Field(info,false), Constant('",Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld1,false), Constant(','), Field(process,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part121 = match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4429,8 +4118,7 @@ match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Beg var msg105 = msg("File:11", part121); -var part122 = // "Pattern{Constant('"'), Field(info,false), Constant('",Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld1,false), Constant(','), Field(process,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain}", processor_chain([ +var part122 = match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4443,8 +4131,7 @@ match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Beg var msg106 = msg("File:02", part122); -var part123 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part123 = match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4459,8 +4146,7 @@ match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fl var msg107 = msg("File:03", part123); -var part124 = // "Pattern{Field(info,false), Constant('.'), Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part124 = match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4476,8 +4162,7 @@ match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,B var msg108 = msg("Blocked:04", part124); -var part125 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" -match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ +var part125 = match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ dup121, dup12, dup13, @@ -4492,8 +4177,7 @@ match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld var msg109 = msg("File:05", part125); -var part126 = // "Pattern{Constant('"'), Field(fld23,false), Constant('",,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part126 = match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4507,8 +4191,7 @@ match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50-> var msg110 = msg("File:04", part126); -var part127 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',"Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part127 = match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4523,8 +4206,7 @@ match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fl var msg111 = msg("File:06", part127); -var part128 = // "Pattern{Constant('''), Field(fld23,false), Constant('',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part128 = match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4538,8 +4220,7 @@ match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} var msg112 = msg("File:07", part128); -var part129 = // "Pattern{Field(fld23,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{process_id},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part129 = match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{process_id},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4550,8 +4231,7 @@ match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{ var msg113 = msg("File:12", part129); -var part130 = // "Pattern{Field(fld1,false), Constant(','), Field(fld7,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',"Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part130 = match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4564,8 +4244,7 @@ match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50 var msg114 = msg("File:08", part130); -var part131 = // "Pattern{Field(fld1,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part131 = match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4580,8 +4259,7 @@ match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{f var msg115 = msg("File:09", part131); -var part132 = // "Pattern{Constant('Unauthorized NT call rejected by protection driver.,'), Field(fld22,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(fld23,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected by protection driver.,%{fld22},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{fld23},User: %{username},Domain: %{domain}", processor_chain([ +var part132 = match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected by protection driver.,%{fld22},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{fld23},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -4596,8 +4274,7 @@ match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected var msg116 = msg("Blocked", part132); -var part133 = // "Pattern{Constant(',Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part133 = match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -4610,8 +4287,7 @@ match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fl var msg117 = msg("Blocked:01", part133); -var part134 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',Registry Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},Registry Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part134 = match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},Registry Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -4624,19 +4300,16 @@ match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fl var msg118 = msg("Blocked:02", part134); -var part135 = // "Pattern{Field(fld21,true), Constant(' - Caller MD5='), Field(fld22,false), Constant(',Create Process'), Field(p0,false)}" -match("MESSAGE#499:Blocked:03/0_0", "nwparser.payload", "%{fld21->} - Caller MD5=%{fld22},Create Process%{p0}"); +var part135 = match("MESSAGE#499:Blocked:03/0_0", "nwparser.payload", "%{fld21->} - Caller MD5=%{fld22},Create Process%{p0}"); -var part136 = // "Pattern{Field(fld23,false), Constant(',Load Dll'), Field(p0,false)}" -match("MESSAGE#499:Blocked:03/0_1", "nwparser.payload", "%{fld23},Load Dll%{p0}"); +var part136 = match("MESSAGE#499:Blocked:03/0_1", "nwparser.payload", "%{fld23},Load Dll%{p0}"); var select19 = linear_select([ part135, part136, ]); -var part137 = // "Pattern{Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld24,false), Constant(','), Field(process,false), Constant(','), Field(fld25,false), Constant(','), Field(fld26,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" -match("MESSAGE#499:Blocked:03/1", "nwparser.p0", ",Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld24},%{process},%{fld25},%{fld26},%{filename},User: %{username},Domain: %{domain},Action Type: %{fld8},File size (bytes):%{filename_size},Device ID:%{device}"); +var part137 = match("MESSAGE#499:Blocked:03/1", "nwparser.p0", ",Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld24},%{process},%{fld25},%{fld26},%{filename},User: %{username},Domain: %{domain},Action Type: %{fld8},File size (bytes):%{filename_size},Device ID:%{device}"); var all64 = all_match({ processors: [ @@ -4658,8 +4331,7 @@ var all64 = all_match({ var msg119 = msg("Blocked:03", all64); -var part138 = // "Pattern{Field(event_description,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(sdomain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID:')}" -match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Caller MD5=%{checksum},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{sdomain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID:", processor_chain([ +var part138 = match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Caller MD5=%{checksum},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{sdomain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID:", processor_chain([ dup121, dup12, dup13, @@ -4671,8 +4343,7 @@ match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Ca var msg120 = msg("Blocked:05", part138); -var part139 = // "Pattern{Constant('['), Field(id,false), Constant('] '), Field(event_description,true), Constant(' - '), Field(fld11,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description->} - %{fld11},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ +var part139 = match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description->} - %{fld11},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4684,8 +4355,7 @@ match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description var msg121 = msg("Blocked:06", part139); -var part140 = // "Pattern{Constant('['), Field(id,false), Constant('] '), Field(event_description,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ +var part140 = match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -4697,23 +4367,17 @@ match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description var msg122 = msg("Blocked:07", part140); -var part141 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('/service''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_0", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}/service'%{fld33->} ,Create Process,Begin: %{p0}"); +var part141 = match("MESSAGE#504:Blocked:09/0_0", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}/service'%{fld33->} ,Create Process,Begin: %{p0}"); -var part142 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('chrome-extension:'), Field(fld99,false), Constant('''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_1", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}chrome-extension:%{fld99}'%{fld33->} ,Create Process,Begin: %{p0}"); +var part142 = match("MESSAGE#504:Blocked:09/0_1", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}chrome-extension:%{fld99}'%{fld33->} ,Create Process,Begin: %{p0}"); -var part143 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('-ServerName:'), Field(hostid,false), Constant('''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_2", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}'%{fld33->} ,Create Process,Begin: %{p0}"); +var part143 = match("MESSAGE#504:Blocked:09/0_2", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}'%{fld33->} ,Create Process,Begin: %{p0}"); -var part144 = // "Pattern{Constant('- Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('-ServerName:'), Field(hostid,false), Constant('' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_3", "nwparser.payload", "- Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}' ,Create Process,Begin: %{p0}"); +var part144 = match("MESSAGE#504:Blocked:09/0_3", "nwparser.payload", "- Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}' ,Create Process,Begin: %{p0}"); -var part145 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_4", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7->} ,Create Process,Begin: %{p0}"); +var part145 = match("MESSAGE#504:Blocked:09/0_4", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7->} ,Create Process,Begin: %{p0}"); -var part146 = // "Pattern{Constant('- Target MD5='), Field(fld6,false), Constant(',Create Process,Begin: '), Field(p0,false)}" -match("MESSAGE#504:Blocked:09/0_5", "nwparser.payload", "- Target MD5=%{fld6},Create Process,Begin: %{p0}"); +var part146 = match("MESSAGE#504:Blocked:09/0_5", "nwparser.payload", "- Target MD5=%{fld6},Create Process,Begin: %{p0}"); var select20 = linear_select([ part141, @@ -4724,8 +4388,7 @@ var select20 = linear_select([ part146, ]); -var part147 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,true), Constant(' ,File size ('), Field(fld10,false), Constant('):'), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#504:Blocked:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44->} ,File size (%{fld10}):%{filename_size},Device ID: %{device}"); +var part147 = match("MESSAGE#504:Blocked:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44->} ,File size (%{fld10}):%{filename_size},Device ID: %{device}"); var all65 = all_match({ processors: [ @@ -4770,8 +4433,7 @@ var select21 = linear_select([ msg123, ]); -var part148 = // "Pattern{Constant('Changed value ''), Field(change_attribute,false), Constant('' from ''), Field(change_old,false), Constant('' to ''), Field(change_new,false), Constant('''), Field(p0,false)}" -match("MESSAGE#55:Changed/0", "nwparser.payload", "Changed value '%{change_attribute}' from '%{change_old}' to '%{change_new}'%{p0}"); +var part148 = match("MESSAGE#55:Changed/0", "nwparser.payload", "Changed value '%{change_attribute}' from '%{change_old}' to '%{change_new}'%{p0}"); var all66 = all_match({ processors: [ @@ -4795,8 +4457,7 @@ var all66 = all_match({ var msg124 = msg("Changed", all66); -var part149 = // "Pattern{Constant('Cleaned up '), Field(dclass_counter1,true), Constant(' LiveUpdate downloaded content')}" -match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} LiveUpdate downloaded content", processor_chain([ +var part149 = match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} LiveUpdate downloaded content", processor_chain([ dup43, dup12, dup13, @@ -4808,8 +4469,7 @@ match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} var msg125 = msg("Cleaned", part149); -var part150 = // "Pattern{Constant('Client has downloaded the issued Command,'), Field(username,false)}" -match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued Command,%{username}", processor_chain([ +var part150 = match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued Command,%{username}", processor_chain([ dup53, dup12, dup13, @@ -4821,14 +4481,11 @@ match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued var msg126 = msg("Client", part150); -var part151 = // "Pattern{Field(event_description,false), Constant(', type SymDelta version'), Field(version,true), Constant(' filesize'), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#58:Client:01/0_0", "nwparser.payload", "%{event_description}, type SymDelta version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part151 = match("MESSAGE#58:Client:01/0_0", "nwparser.payload", "%{event_description}, type SymDelta version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part152 = // "Pattern{Field(event_description,false), Constant(', type full version'), Field(version,true), Constant(' filesize'), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#58:Client:01/0_1", "nwparser.payload", "%{event_description}, type full version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part152 = match("MESSAGE#58:Client:01/0_1", "nwparser.payload", "%{event_description}, type full version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part153 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#58:Client:01/0_2", "nwparser.payload", "event_description"); +var part153 = match_copy("MESSAGE#58:Client:01/0_2", "nwparser.payload", "event_description"); var select22 = linear_select([ part151, @@ -4857,17 +4514,13 @@ var select23 = linear_select([ msg127, ]); -var part154 = // "Pattern{Constant('client has downloaded the '), Field(p0,false)}" -match("MESSAGE#59:client/0", "nwparser.payload", "client has downloaded the %{p0}"); +var part154 = match("MESSAGE#59:client/0", "nwparser.payload", "client has downloaded the %{p0}"); -var part155 = // "Pattern{Constant('content package'), Field(p0,false)}" -match("MESSAGE#59:client/1_0", "nwparser.p0", "content package%{p0}"); +var part155 = match("MESSAGE#59:client/1_0", "nwparser.p0", "content package%{p0}"); -var part156 = // "Pattern{Constant('policy'), Field(p0,false)}" -match("MESSAGE#59:client/1_1", "nwparser.p0", "policy%{p0}"); +var part156 = match("MESSAGE#59:client/1_1", "nwparser.p0", "policy%{p0}"); -var part157 = // "Pattern{Constant('Intrusion Prevention policy'), Field(p0,false)}" -match("MESSAGE#59:client/1_2", "nwparser.p0", "Intrusion Prevention policy%{p0}"); +var part157 = match("MESSAGE#59:client/1_2", "nwparser.p0", "Intrusion Prevention policy%{p0}"); var select24 = linear_select([ part155, @@ -4875,8 +4528,7 @@ var select24 = linear_select([ part157, ]); -var part158 = // "Pattern{Field(,false), Constant('successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#59:client/2", "nwparser.p0", "%{}successfully,%{shost},%{username},%{group}"); +var part158 = match("MESSAGE#59:client/2", "nwparser.p0", "%{}successfully,%{shost},%{username},%{group}"); var all68 = all_match({ processors: [ @@ -4896,8 +4548,7 @@ var all68 = all_match({ var msg128 = msg("client", all68); -var part159 = // "Pattern{Constant('client has reconnected with the management server,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with the management server,%{shost},%{username},%{group}", processor_chain([ +var part159 = match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with the management server,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4908,8 +4559,7 @@ match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with t var msg129 = msg("client:01", part159); -var part160 = // "Pattern{Constant('client has downloaded '), Field(filename,true), Constant(' successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filename->} successfully,%{shost},%{username},%{group}", processor_chain([ +var part160 = match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filename->} successfully,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4920,8 +4570,7 @@ match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filen var msg130 = msg("client:02", part160); -var part161 = // "Pattern{Constant('client registered with the management server successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the management server successfully,%{shost},%{username},%{group}", processor_chain([ +var part161 = match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the management server successfully,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4932,8 +4581,7 @@ match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the ma var msg131 = msg("client:03", part161); -var part162 = // "Pattern{Constant('client has downloaded '), Field(filename,false), Constant(','), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filename},%{shost},%{username},%{group}", processor_chain([ +var part162 = match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filename},%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -4944,8 +4592,7 @@ match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filen var msg132 = msg("client:04", part162); -var part163 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#64:client:05/2", "nwparser.p0", "Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); +var part163 = match("MESSAGE#64:client:05/2", "nwparser.p0", "Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); var all69 = all_match({ processors: [ @@ -4970,8 +4617,7 @@ var all69 = all_match({ var msg133 = msg("client:05", all69); -var part164 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#65:client:15/2", "nwparser.p0", "Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); +var part164 = match("MESSAGE#65:client:15/2", "nwparser.p0", "Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); var all70 = all_match({ processors: [ @@ -4996,8 +4642,7 @@ var all70 = all_match({ var msg134 = msg("client:15", all70); -var part165 = // "Pattern{Constant('client computer has been added to the group,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been added to the group,%{shost},%{username},%{group}", processor_chain([ +var part165 = match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been added to the group,%{shost},%{username},%{group}", processor_chain([ dup43, dup12, dup13, @@ -5008,8 +4653,7 @@ match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been adde var msg135 = msg("client:06", part165); -var part166 = // "Pattern{Constant('client computer has been renamed,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(sdomain,false)}" -match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been renamed,%{shost},%{username},%{sdomain}", processor_chain([ +var part166 = match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been renamed,%{shost},%{username},%{sdomain}", processor_chain([ dup43, dup12, dup13, @@ -5020,8 +4664,7 @@ match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been rena var msg136 = msg("client:07", part166); -var part167 = // "Pattern{Constant('The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: %{event_time_string}", processor_chain([ +var part167 = match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -5032,8 +4675,7 @@ match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a pa var msg137 = msg("client:08", part167); -var part168 = // "Pattern{Constant('The client has successfully downloaded and applied a license from the server.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully downloaded and applied a license from the server.,Event time: %{event_time_string}", processor_chain([ +var part168 = match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully downloaded and applied a license from the server.,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -5050,22 +4692,18 @@ match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully d var msg138 = msg("client:09", part168); -var part169 = // "Pattern{Constant('The client opted to download a full definitions package for AV definitions from the management server or GUP '), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/0", "nwparser.payload", "The client opted to download a full definitions package for AV definitions from the management server or GUP %{p0}"); +var part169 = match("MESSAGE#693:SYLINK:01/0", "nwparser.payload", "The client opted to download a full definitions package for AV definitions from the management server or GUP %{p0}"); -var part170 = // "Pattern{Constant('because LiveUpdate had no AV updates available'), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/1_0", "nwparser.p0", "because LiveUpdate had no AV updates available%{p0}"); +var part170 = match("MESSAGE#693:SYLINK:01/1_0", "nwparser.p0", "because LiveUpdate had no AV updates available%{p0}"); -var part171 = // "Pattern{Constant('rather than download a large package from LiveUpdate'), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/1_1", "nwparser.p0", "rather than download a large package from LiveUpdate%{p0}"); +var part171 = match("MESSAGE#693:SYLINK:01/1_1", "nwparser.p0", "rather than download a large package from LiveUpdate%{p0}"); var select25 = linear_select([ part170, part171, ]); -var part172 = // "Pattern{Constant('.'), Field(p0,false)}" -match("MESSAGE#693:SYLINK:01/2", "nwparser.p0", ".%{p0}"); +var part172 = match("MESSAGE#693:SYLINK:01/2", "nwparser.p0", ".%{p0}"); var all71 = all_match({ processors: [ @@ -5084,8 +4722,7 @@ var all71 = all_match({ var msg139 = msg("SYLINK:01", all71); -var part173 = // "Pattern{Constant('The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.'), Field(,false)}" -match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.%{}", processor_chain([ +var part173 = match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.%{}", processor_chain([ dup43, dup15, setc("event_description","The client opted to download an update for AV definitions from LiveUpdate"), @@ -5093,8 +4730,7 @@ match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download var msg140 = msg("SYLINK:02", part173); -var part174 = // "Pattern{Constant('The client has obtained an invalid license file ('), Field(filename,false), Constant(') from the server.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an invalid license file (%{filename}) from the server.,Event time:%{fld17->} %{fld18}", processor_chain([ +var part174 = match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an invalid license file (%{filename}) from the server.,Event time:%{fld17->} %{fld18}", processor_chain([ dup121, dup12, dup13, @@ -5105,8 +4741,7 @@ match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an i var msg141 = msg("SYLINK:04", part174); -var part175 = // "Pattern{Constant('The client has successfully downloaded a license file ('), Field(filename,false), Constant(') from the server.')}" -match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downloaded a license file (%{filename}) from the server.", processor_chain([ +var part175 = match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downloaded a license file (%{filename}) from the server.", processor_chain([ dup121, dup12, dup13, @@ -5117,8 +4752,7 @@ match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downlo var msg142 = msg("Smc", part175); -var part176 = // "Pattern{Constant('The client has successfully downloaded and applied a license file ('), Field(filename,false), Constant(') from the server.'), Field(p0,false)}" -match("MESSAGE#698:Smc:01/0", "nwparser.payload", "The client has successfully downloaded and applied a license file (%{filename}) from the server.%{p0}"); +var part176 = match("MESSAGE#698:Smc:01/0", "nwparser.payload", "The client has successfully downloaded and applied a license file (%{filename}) from the server.%{p0}"); var all72 = all_match({ processors: [ @@ -5138,8 +4772,7 @@ var all72 = all_match({ var msg143 = msg("Smc:01", all72); -var part177 = // "Pattern{Constant('"The client has successfully downloaded and applied a license file ('), Field(filename,false), Constant(', Serial: '), Field(serial_number,false), Constant(') from the server."'), Field(p0,false)}" -match("MESSAGE#701:Smc:05/0", "nwparser.payload", "\"The client has successfully downloaded and applied a license file (%{filename}, Serial: %{serial_number}) from the server.\"%{p0}"); +var part177 = match("MESSAGE#701:Smc:05/0", "nwparser.payload", "\"The client has successfully downloaded and applied a license file (%{filename}, Serial: %{serial_number}) from the server.\"%{p0}"); var all73 = all_match({ processors: [ @@ -5203,19 +4836,16 @@ var all74 = all_match({ var msg145 = msg("Commercial", all74); -var part178 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Application name: '), Field(p0,false)}" -match("MESSAGE#71:Commercial:02/2_0", "nwparser.p0", "%{severity},First Seen: %{fld50},Application name: %{p0}"); +var part178 = match("MESSAGE#71:Commercial:02/2_0", "nwparser.p0", "%{severity},First Seen: %{fld50},Application name: %{p0}"); -var part179 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(p0,false)}" -match("MESSAGE#71:Commercial:02/2_1", "nwparser.p0", "%{severity},Application name: %{p0}"); +var part179 = match("MESSAGE#71:Commercial:02/2_1", "nwparser.p0", "%{severity},Application name: %{p0}"); var select27 = linear_select([ part178, part179, ]); -var part180 = // "Pattern{Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(',Detection Submissions No,Permitted application reason: '), Field(fld42,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#71:Commercial:02/3", "nwparser.p0", "%{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part180 = match("MESSAGE#71:Commercial:02/3", "nwparser.p0", "%{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); var all75 = all_match({ processors: [ @@ -5242,8 +4872,7 @@ var all75 = all_match({ var msg146 = msg("Commercial:02", all75); -var part181 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',"Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#72:Commercial:01/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part181 = match("MESSAGE#72:Commercial:01/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all76 = all_match({ processors: [ @@ -5275,8 +4904,7 @@ var select28 = linear_select([ msg147, ]); -var part182 = // "Pattern{Constant('Computer has been deleted'), Field(,false)}" -match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been deleted%{}", processor_chain([ +var part182 = match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been deleted%{}", processor_chain([ dup156, dup12, dup13, @@ -5291,8 +4919,7 @@ match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been dele var msg148 = msg("Computer:deleted", part182); -var part183 = // "Pattern{Constant('Computer has been moved'), Field(,false)}" -match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved%{}", processor_chain([ +var part183 = match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved%{}", processor_chain([ dup136, dup12, dup13, @@ -5307,8 +4934,7 @@ match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved% var msg149 = msg("Computer:moved", part183); -var part184 = // "Pattern{Constant('Computer properties have been changed'), Field(,false)}" -match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer properties have been changed%{}", processor_chain([ +var part184 = match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer properties have been changed%{}", processor_chain([ dup136, dup12, dup13, @@ -5323,19 +4949,16 @@ match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer pro var msg150 = msg("Computer:propertieschanged", part184); -var part185 = // "Pattern{Constant('"'), Field(filename,false), Constant('","'), Field(p0,false)}" -match("MESSAGE#76:Computer/1_0", "nwparser.p0", "\"%{filename}\",\"%{p0}"); +var part185 = match("MESSAGE#76:Computer/1_0", "nwparser.p0", "\"%{filename}\",\"%{p0}"); -var part186 = // "Pattern{Field(filename,false), Constant(',"'), Field(p0,false)}" -match("MESSAGE#76:Computer/1_1", "nwparser.p0", "%{filename},\"%{p0}"); +var part186 = match("MESSAGE#76:Computer/1_1", "nwparser.p0", "%{filename},\"%{p0}"); var select29 = linear_select([ part185, part186, ]); -var part187 = // "Pattern{Field(fld1,false), Constant('",Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#76:Computer/2", "nwparser.p0", "%{fld1}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); +var part187 = match("MESSAGE#76:Computer/2", "nwparser.p0", "%{fld1}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); var all77 = all_match({ processors: [ @@ -5355,19 +4978,16 @@ var all77 = all_match({ var msg151 = msg("Computer", all77); -var part188 = // "Pattern{Constant('"'), Field(filename,false), Constant('",''), Field(p0,false)}" -match("MESSAGE#77:Computer:01/1_0", "nwparser.p0", "\"%{filename}\",'%{p0}"); +var part188 = match("MESSAGE#77:Computer:01/1_0", "nwparser.p0", "\"%{filename}\",'%{p0}"); -var part189 = // "Pattern{Field(filename,false), Constant(',''), Field(p0,false)}" -match("MESSAGE#77:Computer:01/1_1", "nwparser.p0", "%{filename},'%{p0}"); +var part189 = match("MESSAGE#77:Computer:01/1_1", "nwparser.p0", "%{filename},'%{p0}"); var select30 = linear_select([ part188, part189, ]); -var part190 = // "Pattern{Field(fld1,false), Constant('',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#77:Computer:01/2", "nwparser.p0", "%{fld1}',Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); +var part190 = match("MESSAGE#77:Computer:01/2", "nwparser.p0", "%{fld1}',Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); var all78 = all_match({ processors: [ @@ -5387,11 +5007,9 @@ var all78 = all_match({ var msg152 = msg("Computer:01", all78); -var part191 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Intensive Protection Level: '), Field(fld55,false), Constant(',Certificate issuer: '), Field(cert_subject,false), Constant(',Certificate signer: '), Field(fld68,false), Constant(',Certificate thumbprint: '), Field(fld57,false), Constant(',Signing timestamp: '), Field(fld69,false), Constant(',Certificate serial number: '), Field(cert.serial,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#78:Computer:03/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Intensive Protection Level: %{fld55},Certificate issuer: %{cert_subject},Certificate signer: %{fld68},Certificate thumbprint: %{fld57},Signing timestamp: %{fld69},Certificate serial number: %{cert.serial},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var part191 = match("MESSAGE#78:Computer:03/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Intensive Protection Level: %{fld55},Certificate issuer: %{cert_subject},Certificate signer: %{fld68},Certificate thumbprint: %{fld57},Signing timestamp: %{fld69},Certificate serial number: %{cert.serial},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); -var part192 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(','), Field(fld67,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false), Constant(',Location:'), Field(fld65,false)}" -match("MESSAGE#78:Computer:03/2", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},%{fld67},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type},Location:%{fld65}"); +var part192 = match("MESSAGE#78:Computer:03/2", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},%{fld67},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type},Location:%{fld65}"); var all79 = all_match({ processors: [ @@ -5411,8 +5029,7 @@ var all79 = all_match({ var msg153 = msg("Computer:03", all79); -var part193 = // "Pattern{Constant('Computer name: '), Field(p0,false)}" -match("MESSAGE#79:Computer:02/0", "nwparser.payload", "Computer name: %{p0}"); +var part193 = match("MESSAGE#79:Computer:02/0", "nwparser.payload", "Computer name: %{p0}"); var all80 = all_match({ processors: [ @@ -5449,8 +5066,7 @@ var select31 = linear_select([ msg154, ]); -var part194 = // "Pattern{Constant('Configuration Change..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Description: '), Field(event_description,true), Constant(' ..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{event_description->} ..Severity: %{severity}..Source: %{product}", processor_chain([ +var part194 = match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{event_description->} ..Severity: %{severity}..Source: %{product}", processor_chain([ dup165, dup166, dup15, @@ -5458,8 +5074,7 @@ match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Com var msg155 = msg("Configuration", part194); -var part195 = // "Pattern{Constant('Configuration Change..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('........'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..')}" -match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6->} %{fld7}..", processor_chain([ +var part195 = match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6->} %{fld7}..", processor_chain([ dup165, dup166, setc("event_description","Configuration Change"), @@ -5468,8 +5083,7 @@ match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change.. var msg156 = msg("Configuration:01", part195); -var part196 = // "Pattern{Constant('Configuration Change..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#82:Configuration:02", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part196 = match("MESSAGE#82:Configuration:02", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ dup165, dup166, dup15, @@ -5483,14 +5097,11 @@ var select32 = linear_select([ msg157, ]); -var part197 = // "Pattern{Constant('Connected to Symantec Endpoint Protection Manager '), Field(p0,false)}" -match("MESSAGE#83:Connected/0", "nwparser.payload", "Connected to Symantec Endpoint Protection Manager %{p0}"); +var part197 = match("MESSAGE#83:Connected/0", "nwparser.payload", "Connected to Symantec Endpoint Protection Manager %{p0}"); -var part198 = // "Pattern{Field(fld11,true), Constant(' ,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#83:Connected/1_0", "nwparser.p0", "%{fld11->} ,Event time: %{fld17->} %{fld18}"); +var part198 = match("MESSAGE#83:Connected/1_0", "nwparser.p0", "%{fld11->} ,Event time: %{fld17->} %{fld18}"); -var part199 = // "Pattern{Constant(''), Field(fld11,false)}" -match("MESSAGE#83:Connected/1_1", "nwparser.p0", "%{fld11}"); +var part199 = match("MESSAGE#83:Connected/1_1", "nwparser.p0", "%{fld11}"); var select33 = linear_select([ part198, @@ -5515,8 +5126,7 @@ var all81 = all_match({ var msg158 = msg("Connected", all81); -var part200 = // "Pattern{Constant('Connected to Management Server '), Field(hostip,false), Constant('.')}" -match("MESSAGE#686:Connected:01", "nwparser.payload", "Connected to Management Server %{hostip}.", processor_chain([ +var part200 = match("MESSAGE#686:Connected:01", "nwparser.payload", "Connected to Management Server %{hostip}.", processor_chain([ dup43, dup12, dup13, @@ -5532,8 +5142,7 @@ var select34 = linear_select([ msg159, ]); -var part201 = // "Pattern{Constant('Connection reset'), Field(,false)}" -match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", processor_chain([ +var part201 = match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", processor_chain([ dup43, dup12, dup13, @@ -5544,8 +5153,7 @@ match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", proces var msg160 = msg("Connection", part201); -var part202 = // "Pattern{Constant('Could '), Field(space,false), Constant('not start Service Engine err='), Field(resultcode,false)}" -match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service Engine err=%{resultcode}", processor_chain([ +var part202 = match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service Engine err=%{resultcode}", processor_chain([ dup86, dup12, dup13, @@ -5556,8 +5164,7 @@ match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service E var msg161 = msg("Could", part202); -var part203 = // "Pattern{Constant('Could not scan '), Field(dclass_counter1,true), Constant(' files inside '), Field(directory,true), Constant(' due to extraction errors encountered by the Decomposer Engines.')}" -match("MESSAGE#86:Could:01", "nwparser.payload", "Could not scan %{dclass_counter1->} files inside %{directory->} due to extraction errors encountered by the Decomposer Engines.", processor_chain([ +var part203 = match("MESSAGE#86:Could:01", "nwparser.payload", "Could not scan %{dclass_counter1->} files inside %{directory->} due to extraction errors encountered by the Decomposer Engines.", processor_chain([ dup86, dup12, dup13, @@ -5574,8 +5181,7 @@ var select35 = linear_select([ msg162, ]); -var part204 = // "Pattern{Constant('Create trident engine failed.'), Field(,false)}" -match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{}", processor_chain([ +var part204 = match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{}", processor_chain([ dup168, dup12, dup13, @@ -5586,8 +5192,7 @@ match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{} var msg163 = msg("Create", part204); -var part205 = // "Pattern{Constant('Database Maintenance Finished Successfully'), Field(,false)}" -match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished Successfully%{}", processor_chain([ +var part205 = match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished Successfully%{}", processor_chain([ dup43, dup12, dup13, @@ -5598,8 +5203,7 @@ match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished var msg164 = msg("Database", part205); -var part206 = // "Pattern{Constant('Database maintenance started.'), Field(,false)}" -match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance started.%{}", processor_chain([ +var part206 = match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance started.%{}", processor_chain([ dup43, dup15, setc("event_description","Database maintenance started."), @@ -5607,8 +5211,7 @@ match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance starte var msg165 = msg("Database:01", part206); -var part207 = // "Pattern{Constant('Database maintenance finished successfully.'), Field(,false)}" -match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finished successfully.%{}", processor_chain([ +var part207 = match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finished successfully.%{}", processor_chain([ dup43, dup15, setc("event_description","Database maintenance finished successfully."), @@ -5616,8 +5219,7 @@ match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finish var msg166 = msg("Database:02", part207); -var part208 = // "Pattern{Constant('Database properties are changed'), Field(,false)}" -match("MESSAGE#91:Database:03", "nwparser.payload", "Database properties are changed%{}", processor_chain([ +var part208 = match("MESSAGE#91:Database:03", "nwparser.payload", "Database properties are changed%{}", processor_chain([ dup43, dup15, setc("event_description","Database properties are changed"), @@ -5632,8 +5234,7 @@ var select36 = linear_select([ msg167, ]); -var part209 = // "Pattern{Constant('Disconnected from Symantec Endpoint Protection Manager. --- server address : '), Field(hostid,false)}" -match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager. --- server address : %{hostid}", processor_chain([ +var part209 = match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager. --- server address : %{hostid}", processor_chain([ dup43, dup12, dup13, @@ -5644,8 +5245,7 @@ match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec var msg168 = msg("Disconnected", part209); -var part210 = // "Pattern{Constant('Disconnected from Symantec Endpoint Protection Manager ('), Field(hostip,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#93:Disconnected:01/0", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager (%{hostip})%{p0}"); +var part210 = match("MESSAGE#93:Disconnected:01/0", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager (%{hostip})%{p0}"); var all82 = all_match({ processors: [ @@ -5667,8 +5267,7 @@ var all82 = all_match({ var msg169 = msg("Disconnected:01", all82); -var part211 = // "Pattern{Constant('Disconnected to Management Server '), Field(hostip,false), Constant('.')}" -match("MESSAGE#687:Disconnected:02", "nwparser.payload", "Disconnected to Management Server %{hostip}.", processor_chain([ +var part211 = match("MESSAGE#687:Disconnected:02", "nwparser.payload", "Disconnected to Management Server %{hostip}.", processor_chain([ dup43, dup12, dup13, @@ -5685,8 +5284,7 @@ var select37 = linear_select([ msg170, ]); -var part212 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", processor_chain([ +var part212 = match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", processor_chain([ dup92, dup12, dup13, @@ -5696,8 +5294,7 @@ match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", pro var msg171 = msg("Decomposer", part212); -var part213 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was added')}" -match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was added", processor_chain([ +var part213 = match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was added", processor_chain([ dup95, dup12, dup13, @@ -5712,8 +5309,7 @@ match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was a var msg172 = msg("Domain:added", part213); -var part214 = // "Pattern{Constant('Domain "'), Field(change_old,false), Constant('" was renamed to "'), Field(change_new,false), Constant('"')}" -match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ +var part214 = match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ dup136, dup12, dup13, @@ -5729,8 +5325,7 @@ match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" var msg173 = msg("Domain:renamed", part214); -var part215 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was deleted!')}" -match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was deleted!", processor_chain([ +var part215 = match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was deleted!", processor_chain([ dup156, dup12, dup13, @@ -5745,8 +5340,7 @@ match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was var msg174 = msg("Domain:deleted", part215); -var part216 = // "Pattern{Constant('Domain administrator "'), Field(username,false), Constant('" was added')}" -match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain administrator \"%{username}\" was added", processor_chain([ +var part216 = match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain administrator \"%{username}\" was added", processor_chain([ dup170, dup12, dup13, @@ -5762,8 +5356,7 @@ match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain admini var msg175 = msg("Domain:administratoradded", part216); -var part217 = // "Pattern{Constant('Domain administrator "'), Field(username,false), Constant('" was deleted')}" -match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain administrator \"%{username}\" was deleted", processor_chain([ +var part217 = match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain administrator \"%{username}\" was deleted", processor_chain([ dup171, dup12, dup13, @@ -5779,8 +5372,7 @@ match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain admi var msg176 = msg("Domain:administratordeleted", part217); -var part218 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was disabled')}" -match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" was disabled", processor_chain([ +var part218 = match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" was disabled", processor_chain([ dup136, dup12, dup13, @@ -5795,8 +5387,7 @@ match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" w var msg177 = msg("Domain:disabled", part218); -var part219 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was enabled')}" -match("MESSAGE#101:Domain:enabled", "nwparser.payload", "Domain \"%{domain}\" was enabled", processor_chain([ +var part219 = match("MESSAGE#101:Domain:enabled", "nwparser.payload", "Domain \"%{domain}\" was enabled", processor_chain([ dup136, dup12, dup13, @@ -5821,8 +5412,7 @@ var select38 = linear_select([ msg178, ]); -var part220 = // "Pattern{Constant('Failed to connect to the server. '), Field(action,false), Constant('. ErrorCode: '), Field(resultcode,false)}" -match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server. %{action}. ErrorCode: %{resultcode}", processor_chain([ +var part220 = match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server. %{action}. ErrorCode: %{resultcode}", processor_chain([ dup168, dup12, dup13, @@ -5833,14 +5423,11 @@ match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server var msg179 = msg("Failed", part220); -var part221 = // "Pattern{Constant('Failed to contact server for more than '), Field(p0,false)}" -match("MESSAGE#103:Failed:01/0", "nwparser.payload", "Failed to contact server for more than %{p0}"); +var part221 = match("MESSAGE#103:Failed:01/0", "nwparser.payload", "Failed to contact server for more than %{p0}"); -var part222 = // "Pattern{Constant(''), Field(fld1,true), Constant(' times.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#103:Failed:01/1_0", "nwparser.p0", "%{fld1->} times.,Event time:%{fld17->} %{fld18}"); +var part222 = match("MESSAGE#103:Failed:01/1_0", "nwparser.p0", "%{fld1->} times.,Event time:%{fld17->} %{fld18}"); -var part223 = // "Pattern{Field(fld1,true), Constant(' times.')}" -match("MESSAGE#103:Failed:01/1_1", "nwparser.p0", "%{fld1->} times."); +var part223 = match("MESSAGE#103:Failed:01/1_1", "nwparser.p0", "%{fld1->} times."); var select39 = linear_select([ part222, @@ -5865,8 +5452,7 @@ var all83 = all_match({ var msg180 = msg("Failed:01", all83); -var part224 = // "Pattern{Constant('Failed to disable Windows firewall'), Field(,false)}" -match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows firewall%{}", processor_chain([ +var part224 = match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows firewall%{}", processor_chain([ dup168, dup12, dup13, @@ -5877,8 +5463,7 @@ match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows fi var msg181 = msg("Failed:02", part224); -var part225 = // "Pattern{Constant('Failed to install teefer driver'), Field(,false)}" -match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer driver%{}", processor_chain([ +var part225 = match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer driver%{}", processor_chain([ dup168, dup12, dup13, @@ -5889,8 +5474,7 @@ match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer dri var msg182 = msg("Failed:03", part225); -var part226 = // "Pattern{Constant('Failed to connect to '), Field(fld22,false), Constant('. Make sure the server can ping or resolve this domain. ErrorCode: '), Field(resultcode,false)}" -match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22}. Make sure the server can ping or resolve this domain. ErrorCode: %{resultcode}", processor_chain([ +var part226 = match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22}. Make sure the server can ping or resolve this domain. ErrorCode: %{resultcode}", processor_chain([ dup168, dup14, dup15, @@ -5899,8 +5483,7 @@ match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22 var msg183 = msg("Failed:04", part226); -var part227 = // "Pattern{Constant('Failed to download new client upgrade package from the management server. New Version: '), Field(version,true), Constant(' Package size: '), Field(filename_size,true), Constant(' bytes. Package url: '), Field(url,false)}" -match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new client upgrade package from the management server. New Version: %{version->} Package size: %{filename_size->} bytes. Package url: %{url}", processor_chain([ +var part227 = match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new client upgrade package from the management server. New Version: %{version->} Package size: %{filename_size->} bytes. Package url: %{url}", processor_chain([ dup168, dup12, dup13, @@ -5914,8 +5497,7 @@ match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new clien var msg184 = msg("Failed:05", part227); -var part228 = // "Pattern{Constant('Failed to import server policy.'), Field(,false)}" -match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server policy.%{}", processor_chain([ +var part228 = match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server policy.%{}", processor_chain([ dup168, dup12, dup13, @@ -5928,8 +5510,7 @@ match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server poli var msg185 = msg("Failed:06", part228); -var part229 = // "Pattern{Constant('Failed to load plugin:'), Field(filename,false)}" -match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{filename}", processor_chain([ +var part229 = match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{filename}", processor_chain([ dup168, dup12, dup13, @@ -5942,8 +5523,7 @@ match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{file var msg186 = msg("Failed:07", part229); -var part230 = // "Pattern{Constant('Failed to clean up LiveUpdate downloaded content'), Field(,false)}" -match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdate downloaded content%{}", processor_chain([ +var part230 = match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdate downloaded content%{}", processor_chain([ dup168, dup12, dup13, @@ -5956,8 +5536,7 @@ match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdat var msg187 = msg("Failed:08", part230); -var part231 = // "Pattern{Constant('Failed to Login to Remote Site ['), Field(node,false), Constant('] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.')}" -match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.", processor_chain([ +var part231 = match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.", processor_chain([ dup174, dup12, dup13, @@ -5970,8 +5549,7 @@ match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Si var msg188 = msg("Failed:09", part231); -var part232 = // "Pattern{Constant('Failed to Login to Remote Site ['), Field(node,false), Constant('] Replication partnership has been deleted from remote site.')}" -match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Replication partnership has been deleted from remote site.", processor_chain([ +var part232 = match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Replication partnership has been deleted from remote site.", processor_chain([ dup174, dup12, dup13, @@ -5984,8 +5562,7 @@ match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Si var msg189 = msg("Failed:10", part232); -var part233 = // "Pattern{Constant('Failed to import new policy.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy.,Event time: %{event_time_string}", processor_chain([ +var part233 = match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy.,Event time: %{event_time_string}", processor_chain([ setc("eventcategory","1601000000"), dup12, dup13, @@ -5995,8 +5572,7 @@ match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy. var msg190 = msg("Failed:11", part233); -var part234 = // "Pattern{Constant('Failed to set a custom action for IPS signature '), Field(sigid,true), Constant(' (errcode=0x'), Field(resultcode,false), Constant('). Most probably, this IPS signature was removed from the IPS content.'), Field(p0,false)}" -match("MESSAGE#250:Network:24/0", "nwparser.payload", "Failed to set a custom action for IPS signature %{sigid->} (errcode=0x%{resultcode}). Most probably, this IPS signature was removed from the IPS content.%{p0}"); +var part234 = match("MESSAGE#250:Network:24/0", "nwparser.payload", "Failed to set a custom action for IPS signature %{sigid->} (errcode=0x%{resultcode}). Most probably, this IPS signature was removed from the IPS content.%{p0}"); var select40 = linear_select([ dup176, @@ -6020,8 +5596,7 @@ var all84 = all_match({ var msg191 = msg("Network:24", all84); -var part235 = // "Pattern{Constant('Failed to connect to all GUPs, now trying to connect SEPM"'), Field(,false)}" -match("MESSAGE#696:SYLINK:03", "nwparser.payload", "Failed to connect to all GUPs, now trying to connect SEPM\"%{}", processor_chain([ +var part235 = match("MESSAGE#696:SYLINK:03", "nwparser.payload", "Failed to connect to all GUPs, now trying to connect SEPM\"%{}", processor_chain([ dup74, dup12, dup13, @@ -6049,8 +5624,7 @@ var select41 = linear_select([ msg192, ]); -var part236 = // "Pattern{Constant('Firewall driver failed to '), Field(info,false)}" -match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{info}", processor_chain([ +var part236 = match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{info}", processor_chain([ dup168, dup12, dup13, @@ -6061,8 +5635,7 @@ match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{i var msg193 = msg("Firewall", part236); -var part237 = // "Pattern{Constant('Firewall is enabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event time: %{event_time_string}", processor_chain([ +var part237 = match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event time: %{event_time_string}", processor_chain([ dup168, dup12, dup13, @@ -6073,8 +5646,7 @@ match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event var msg194 = msg("Firewall:01", part237); -var part238 = // "Pattern{Constant('Firewall is disabled by policy,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by policy,Event time: %{event_time_string}", processor_chain([ +var part238 = match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by policy,Event time: %{event_time_string}", processor_chain([ dup53, dup12, dup13, @@ -6085,8 +5657,7 @@ match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by po var msg195 = msg("Firewall:02", part238); -var part239 = // "Pattern{Constant('Firewall is disabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#117:Firewall:03", "nwparser.payload", "Firewall is disabled,Event time: %{event_time_string}", processor_chain([ +var part239 = match("MESSAGE#117:Firewall:03", "nwparser.payload", "Firewall is disabled,Event time: %{event_time_string}", processor_chain([ dup53, dup12, dup13, @@ -6104,8 +5675,7 @@ var select42 = linear_select([ msg196, ]); -var part240 = // "Pattern{Constant('Group has been created'), Field(,false)}" -match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{}", processor_chain([ +var part240 = match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{}", processor_chain([ dup95, dup12, dup13, @@ -6121,8 +5691,7 @@ match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{ var msg197 = msg("Group:created", part240); -var part241 = // "Pattern{Constant('Group has been deleted'), Field(,false)}" -match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{}", processor_chain([ +var part241 = match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{}", processor_chain([ dup156, dup12, dup13, @@ -6138,8 +5707,7 @@ match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{ var msg198 = msg("Group:deleted", part241); -var part242 = // "Pattern{Constant('Group ''), Field(group,false), Constant('' was deleted')}" -match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was deleted", processor_chain([ +var part242 = match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was deleted", processor_chain([ dup156, dup12, dup13, @@ -6155,8 +5723,7 @@ match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was var msg199 = msg("Group:deleted_01", part242); -var part243 = // "Pattern{Constant('Group has been moved'), Field(,false)}" -match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", processor_chain([ +var part243 = match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", processor_chain([ dup136, dup12, dup13, @@ -6172,8 +5739,7 @@ match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", var msg200 = msg("Group:moved", part243); -var part244 = // "Pattern{Constant('Group has been renamed'), Field(,false)}" -match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{}", processor_chain([ +var part244 = match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{}", processor_chain([ dup136, dup12, dup13, @@ -6189,8 +5755,7 @@ match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{ var msg201 = msg("Group:renamed", part244); -var part245 = // "Pattern{Constant('Group ''), Field(group,false), Constant('' was added')}" -match("MESSAGE#123:Group:added", "nwparser.payload", "Group '%{group}' was added", processor_chain([ +var part245 = match("MESSAGE#123:Group:added", "nwparser.payload", "Group '%{group}' was added", processor_chain([ dup95, dup12, dup13, @@ -6215,8 +5780,7 @@ var select43 = linear_select([ msg202, ]); -var part246 = // "Pattern{Constant('Host Integrity check is disabled. '), Field(info,true), Constant(' by the '), Field(username,false)}" -match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. %{info->} by the %{username}", processor_chain([ +var part246 = match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. %{info->} by the %{username}", processor_chain([ dup179, dup12, dup13, @@ -6230,8 +5794,7 @@ match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. var msg203 = msg("Host", part246); -var part247 = // "Pattern{Field(info,true), Constant(' up-to-date')}" -match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", processor_chain([ +var part247 = match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", processor_chain([ dup92, dup12, dup13, @@ -6242,8 +5805,7 @@ match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", process var msg204 = msg("Host:01", part247); -var part248 = // "Pattern{Constant('Host Integrity check failed Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" failed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" passed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" failed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ +var part248 = match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" failed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ dup179, dup12, dup13, @@ -6255,8 +5817,7 @@ match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Re var msg205 = msg("Host:02", part248); -var part249 = // "Pattern{Constant('Host Integrity failed but reported as pass Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" passed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" failed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" failed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part249 = match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" failed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6268,8 +5829,7 @@ match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but repo var msg206 = msg("Host:05", part249); -var part250 = // "Pattern{Constant('Host Integrity failed but reported as pass Requirement: "'), Field(fld11,false), Constant('" '), Field(fld18,true), Constant(' Requirement: "'), Field(fld12,false), Constant('" '), Field(fld17,true), Constant(' Requirement: "'), Field(fld13,false), Constant('" '), Field(fld16,true), Constant(' Requirement: "'), Field(fld14,false), Constant('" '), Field(fld15,true), Constant(' '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" %{fld18->} Requirement: \"%{fld12}\" %{fld17->} Requirement: \"%{fld13}\" %{fld16->} Requirement: \"%{fld14}\" %{fld15->} %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part250 = match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" %{fld18->} Requirement: \"%{fld12}\" %{fld17->} Requirement: \"%{fld13}\" %{fld16->} Requirement: \"%{fld14}\" %{fld15->} %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6281,8 +5841,7 @@ match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but repo var msg207 = msg("Host:06", part250); -var part251 = // "Pattern{Constant('Host Integrity check failed '), Field(result,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{result},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part251 = match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{result},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6294,8 +5853,7 @@ match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{ var msg208 = msg("Host:04", part251); -var part252 = // "Pattern{Constant('Host Integrity check passed Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" passed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" passed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part252 = match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6307,8 +5865,7 @@ match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Re var msg209 = msg("Host:03", part252); -var part253 = // "Pattern{Constant('Host Integrity check passed'), Field(space,false), Constant('Requirement: ''), Field(fld11,false), Constant('' passed '), Field(fld12,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{space}Requirement: '%{fld11}' passed %{fld12},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part253 = match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{space}Requirement: '%{fld11}' passed %{fld12},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup87, dup12, @@ -6321,19 +5878,16 @@ match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{s var msg210 = msg("Host:07", part253); -var part254 = // "Pattern{Field(shost,false), Constant(', Host Integrity check passed '), Field(p0,false)}" -match("MESSAGE#133:Host:08/0_0", "nwparser.payload", "%{shost}, Host Integrity check passed %{p0}"); +var part254 = match("MESSAGE#133:Host:08/0_0", "nwparser.payload", "%{shost}, Host Integrity check passed %{p0}"); -var part255 = // "Pattern{Constant('Host Integrity check passed'), Field(p0,false)}" -match("MESSAGE#133:Host:08/0_1", "nwparser.payload", "Host Integrity check passed%{p0}"); +var part255 = match("MESSAGE#133:Host:08/0_1", "nwparser.payload", "Host Integrity check passed%{p0}"); var select44 = linear_select([ part254, part255, ]); -var part256 = // "Pattern{Field(,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#133:Host:08/1", "nwparser.p0", "%{},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); +var part256 = match("MESSAGE#133:Host:08/1", "nwparser.p0", "%{},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); var all85 = all_match({ processors: [ @@ -6355,16 +5909,14 @@ var all85 = all_match({ var msg211 = msg("Host:08", all85); -var part257 = // "Pattern{Field(shost,false), Constant(', Host Integrity check pass.'), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#134:Host:09/0", "nwparser.payload", "%{shost}, Host Integrity check pass.%{info},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); +var part257 = match("MESSAGE#134:Host:09/0", "nwparser.payload", "%{shost}, Host Integrity check pass.%{info},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); var select45 = linear_select([ dup67, dup182, ]); -var part258 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#134:Host:09/2", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); +var part258 = match("MESSAGE#134:Host:09/2", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); var all86 = all_match({ processors: [ @@ -6385,8 +5937,7 @@ var all86 = all_match({ var msg212 = msg("Host:09", all86); -var part259 = // "Pattern{Constant('Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#702:Smc:06", "nwparser.payload", "Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part259 = match("MESSAGE#702:Smc:06", "nwparser.payload", "Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: %{fld17->} %{fld18}", processor_chain([ dup53, dup12, dup13, @@ -6412,8 +5963,7 @@ var select46 = linear_select([ msg213, ]); -var part260 = // "Pattern{Field(fld31,true), Constant(' ??????????????? ??: "'), Field(fld11,false), Constant('"?? ??: "'), Field(fld12,false), Constant('"?? ??: "'), Field(fld13,false), Constant('"?? ??: "'), Field(fld14,false), Constant('"??,??????????? ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"%{fld11}\"?? ??: \"%{fld12}\"?? ??: \"%{fld13}\"?? ??: \"%{fld14}\"??,??????????? ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ +var part260 = match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"%{fld11}\"?? ??: \"%{fld12}\"?? ??: \"%{fld13}\"?? ??: \"%{fld14}\"??,??????????? ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ dup179, dup12, dup13, @@ -6423,19 +5973,16 @@ match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"% var msg214 = msg("??:", part260); -var part261 = // "Pattern{Field(info,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/0", "nwparser.payload", "%{info->} %{p0}"); +var part261 = match("MESSAGE#135:Intrusion/0", "nwparser.payload", "%{info->} %{p0}"); -var part262 = // "Pattern{Constant('was '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/1_1", "nwparser.p0", "was %{p0}"); +var part262 = match("MESSAGE#135:Intrusion/1_1", "nwparser.p0", "was %{p0}"); var select47 = linear_select([ dup183, part262, ]); -var part263 = // "Pattern{Constant(''), Field(action,false)}" -match("MESSAGE#135:Intrusion/2", "nwparser.p0", "%{action}"); +var part263 = match("MESSAGE#135:Intrusion/2", "nwparser.p0", "%{action}"); var all87 = all_match({ processors: [ @@ -6455,8 +6002,7 @@ var all87 = all_match({ var msg215 = msg("Intrusion", all87); -var part264 = // "Pattern{Field(info,true), Constant(' failed to update')}" -match("MESSAGE#136:Intrusion:01", "nwparser.payload", "%{info->} failed to update", processor_chain([ +var part264 = match("MESSAGE#136:Intrusion:01", "nwparser.payload", "%{info->} failed to update", processor_chain([ dup92, dup12, dup13, @@ -6472,8 +6018,7 @@ var select48 = linear_select([ msg216, ]); -var part265 = // "Pattern{Constant('Invalid log record:'), Field(info,false)}" -match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", processor_chain([ +var part265 = match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", processor_chain([ dup168, dup12, dup13, @@ -6484,8 +6029,7 @@ match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", p var msg217 = msg("Invalid", part265); -var part266 = // "Pattern{Constant('Limited Administrator administrator "'), Field(change_old,false), Constant('" was renamed to "'), Field(change_new,false), Constant('"')}" -match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administrator \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ +var part266 = match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administrator \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ setc("eventcategory","1402020300"), dup12, dup13, @@ -6500,8 +6044,7 @@ match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administ var msg218 = msg("Limited", part266); -var part267 = // "Pattern{Constant('LiveUpdate will start next on '), Field(info,true), Constant(' on '), Field(product,false)}" -match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start next on %{info->} on %{product}", processor_chain([ +var part267 = match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start next on %{info->} on %{product}", processor_chain([ dup43, dup15, dup184, @@ -6509,8 +6052,7 @@ match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start ne var msg219 = msg("LiveUpdate:08", part267); -var part268 = // "Pattern{Constant('LiveUpdate '), Field(info,true), Constant(' on '), Field(product,false), Constant('"')}" -match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on %{product}\"", processor_chain([ +var part268 = match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on %{product}\"", processor_chain([ dup43, dup12, dup13, @@ -6521,8 +6063,7 @@ match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on var msg220 = msg("LiveUpdate:01", part268); -var part269 = // "Pattern{Constant('LiveUpdate failed.'), Field(,false)}" -match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", processor_chain([ +var part269 = match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", processor_chain([ dup168, dup12, dup13, @@ -6533,8 +6074,7 @@ match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", pro var msg221 = msg("LiveUpdate", part269); -var part270 = // "Pattern{Constant('LiveUpdate encountered one or more errors. Return code = '), Field(resultcode,false)}" -match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered one or more errors. Return code = %{resultcode}", processor_chain([ +var part270 = match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered one or more errors. Return code = %{resultcode}", processor_chain([ dup168, dup15, setc("event_description","LiveUpdate encountered one or more errors"), @@ -6542,8 +6082,7 @@ match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered o var msg222 = msg("LiveUpdate:04", part270); -var part271 = // "Pattern{Constant('LiveUpdate succeeded'), Field(,false)}" -match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}", processor_chain([ +var part271 = match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}", processor_chain([ dup43, dup12, dup13, @@ -6554,8 +6093,7 @@ match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}" var msg223 = msg("LiveUpdate:02", part271); -var part272 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.')}" -match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.", processor_chain([ +var part272 = match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.", processor_chain([ dup43, dup12, dup13, @@ -6566,8 +6104,7 @@ match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveU var msg224 = msg("LiveUpdate:09", part272); -var part273 = // "Pattern{Constant('LiveUpdate encountered an error: Failed to connect to the LiveUpdate server ('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#145:LiveUpdate:10/0", "nwparser.payload", "LiveUpdate encountered an error: Failed to connect to the LiveUpdate server (%{resultcode})%{p0}"); +var part273 = match("MESSAGE#145:LiveUpdate:10/0", "nwparser.payload", "LiveUpdate encountered an error: Failed to connect to the LiveUpdate server (%{resultcode})%{p0}"); var select49 = linear_select([ dup186, @@ -6592,8 +6129,7 @@ var all88 = all_match({ var msg225 = msg("LiveUpdate:10", all88); -var part274 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"An update for '), Field(application,true), Constant(' failed to install. Error: '), Field(resultcode,false), Constant(', DuResult:'), Field(fld23,false), Constant('."'), Field(p0,false)}" -match("MESSAGE#146:LiveUpdate:11/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"An update for %{application->} failed to install. Error: %{resultcode}, DuResult:%{fld23}.\"%{p0}"); +var part274 = match("MESSAGE#146:LiveUpdate:11/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"An update for %{application->} failed to install. Error: %{resultcode}, DuResult:%{fld23}.\"%{p0}"); var all89 = all_match({ processors: [ @@ -6613,8 +6149,7 @@ var all89 = all_match({ var msg226 = msg("LiveUpdate:11", all89); -var part275 = // "Pattern{Constant('LiveUpdate re-run triggered by the download of content catalog.'), Field(,false)}" -match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run triggered by the download of content catalog.%{}", processor_chain([ +var part275 = match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run triggered by the download of content catalog.%{}", processor_chain([ dup43, dup12, dup13, @@ -6625,8 +6160,7 @@ match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run trigge var msg227 = msg("LiveUpdate:12", part275); -var part276 = // "Pattern{Constant('LiveUpdate cannot be run because all licenses have expired.'), Field(,false)}" -match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run because all licenses have expired.%{}", processor_chain([ +var part276 = match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run because all licenses have expired.%{}", processor_chain([ dup43, dup14, dup15, @@ -6635,8 +6169,7 @@ match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run var msg228 = msg("LiveUpdate:13", part276); -var part277 = // "Pattern{Constant('LiveUpdate started.'), Field(,false)}" -match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}", processor_chain([ +var part277 = match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}", processor_chain([ dup43, dup15, setc("action","LiveUpdate started."), @@ -6644,8 +6177,7 @@ match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}" var msg229 = msg("LiveUpdate::05", part277); -var part278 = // "Pattern{Constant('LiveUpdate retry started.'), Field(,false)}" -match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry started.%{}", processor_chain([ +var part278 = match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry started.%{}", processor_chain([ dup43, dup15, setc("action","LiveUpdate retry started."), @@ -6653,8 +6185,7 @@ match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry starte var msg230 = msg("LiveUpdate::06", part278); -var part279 = // "Pattern{Constant('LiveUpdate retry succeeded.'), Field(,false)}" -match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succeeded.%{}", processor_chain([ +var part279 = match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succeeded.%{}", processor_chain([ dup43, dup15, setc("action","LiveUpdate retry succeeded."), @@ -6662,8 +6193,7 @@ match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succee var msg231 = msg("LiveUpdate::07", part279); -var part280 = // "Pattern{Constant('LiveUpdate retry failed. Will try again.'), Field(,false)}" -match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed. Will try again.%{}", processor_chain([ +var part280 = match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed. Will try again.%{}", processor_chain([ dup43, dup12, dup13, @@ -6673,8 +6203,7 @@ match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed var msg232 = msg("LiveUpdate::08", part280); -var part281 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part281 = match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6685,8 +6214,7 @@ match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveU var msg233 = msg("LiveUpdate:14", part281); -var part282 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part282 = match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6700,8 +6228,7 @@ match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveU var msg234 = msg("LiveUpdate:15", part282); -var part283 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part283 = match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6715,8 +6242,7 @@ match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveU var msg235 = msg("LiveUpdate:16", part283); -var part284 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part284 = match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6727,8 +6253,7 @@ match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveU var msg236 = msg("LiveUpdate:17", part284); -var part285 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#157:LiveUpdate:18/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); +var part285 = match("MESSAGE#157:LiveUpdate:18/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); var all90 = all_match({ processors: [ @@ -6748,8 +6273,7 @@ var all90 = all_match({ var msg237 = msg("LiveUpdate:18", all90); -var part286 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#158:LiveUpdate:19/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); +var part286 = match("MESSAGE#158:LiveUpdate:19/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); var all91 = all_match({ processors: [ @@ -6769,8 +6293,7 @@ var all91 = all_match({ var msg238 = msg("LiveUpdate:19", all91); -var part287 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part287 = match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6784,8 +6307,7 @@ match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveU var msg239 = msg("LiveUpdate:20", part287); -var part288 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part288 = match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6799,8 +6321,7 @@ match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveU var msg240 = msg("LiveUpdate:21", part288); -var part289 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part289 = match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup12, dup13, @@ -6814,8 +6335,7 @@ match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveU var msg241 = msg("LiveUpdate:22", part289); -var part290 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ +var part290 = match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ dup43, dup94, dup13, @@ -6829,8 +6349,7 @@ match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveU var msg242 = msg("LiveUpdate:23", part290); -var part291 = // "Pattern{Constant('LiveUpdate encountered an error: '), Field(result,true), Constant(' ('), Field(resultcode,false), Constant(').'), Field(p0,false)}" -match("MESSAGE#163:LiveUpdate:24/0", "nwparser.payload", "LiveUpdate encountered an error: %{result->} (%{resultcode}).%{p0}"); +var part291 = match("MESSAGE#163:LiveUpdate:24/0", "nwparser.payload", "LiveUpdate encountered an error: %{result->} (%{resultcode}).%{p0}"); var all92 = all_match({ processors: [ @@ -6852,8 +6371,7 @@ var all92 = all_match({ var msg243 = msg("LiveUpdate:24", all92); -var part292 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part292 = match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -6864,8 +6382,7 @@ match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveU var msg244 = msg("LiveUpdate:25", part292); -var part293 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part293 = match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -6876,8 +6393,7 @@ match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveU var msg245 = msg("LiveUpdate:26", part293); -var part294 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,A LiveUpdate session encountered errors. '), Field(fld1,true), Constant(' update(s) were available. '), Field(fld2,true), Constant(' update(s) installed successfully. '), Field(fld3,true), Constant(' update(s) failed to install.'), Field(p0,false)}" -match("MESSAGE#166:LiveUpdate:27/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,A LiveUpdate session encountered errors. %{fld1->} update(s) were available. %{fld2->} update(s) installed successfully. %{fld3->} update(s) failed to install.%{p0}"); +var part294 = match("MESSAGE#166:LiveUpdate:27/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,A LiveUpdate session encountered errors. %{fld1->} update(s) were available. %{fld2->} update(s) installed successfully. %{fld3->} update(s) failed to install.%{p0}"); var all93 = all_match({ processors: [ @@ -6897,8 +6413,7 @@ var all93 = all_match({ var msg246 = msg("LiveUpdate:27", all93); -var part295 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.'), Field(p0,false)}" -match("MESSAGE#167:LiveUpdate:28/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.%{p0}"); +var part295 = match("MESSAGE#167:LiveUpdate:28/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.%{p0}"); var all94 = all_match({ processors: [ @@ -6918,8 +6433,7 @@ var all94 = all_match({ var msg247 = msg("LiveUpdate:28", all94); -var part296 = // "Pattern{Field(fld11,false), Constant(': Impossible de se connecter au serveur LiveUpdate '), Field(fld12,false), Constant('.')}" -match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de se connecter au serveur LiveUpdate %{fld12}.", processor_chain([ +var part296 = match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de se connecter au serveur LiveUpdate %{fld12}.", processor_chain([ dup43, dup12, dup13, @@ -6930,14 +6444,11 @@ match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de var msg248 = msg("LiveUpdate:29", part296); -var part297 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' was successfully installed.'), Field(space,false), Constant('The new sequence number is '), Field(fld23,false), Constant('.'), Field(p0,false)}" -match("MESSAGE#169:LiveUpdate:30/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} was successfully installed.%{space}The new sequence number is %{fld23}.%{p0}"); +var part297 = match("MESSAGE#169:LiveUpdate:30/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} was successfully installed.%{space}The new sequence number is %{fld23}.%{p0}"); -var part298 = // "Pattern{Field(space,false), Constant('Content was downloaded from '), Field(url,true), Constant(' ('), Field(sport,false), Constant(').,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#169:LiveUpdate:30/1_0", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport}).,Event time:%{fld17->} %{fld18}"); +var part298 = match("MESSAGE#169:LiveUpdate:30/1_0", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport}).,Event time:%{fld17->} %{fld18}"); -var part299 = // "Pattern{Field(space,false), Constant('Content was downloaded from '), Field(url,true), Constant(' ('), Field(sport,false), Constant(').')}" -match("MESSAGE#169:LiveUpdate:30/1_1", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport})."); +var part299 = match("MESSAGE#169:LiveUpdate:30/1_1", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport})."); var select50 = linear_select([ part298, @@ -6964,8 +6475,7 @@ var all95 = all_match({ var msg249 = msg("LiveUpdate:30", all95); -var part300 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest '), Field(application,true), Constant(' update failed to load. The component will continue to use its previous content.'), Field(p0,false)}" -match("MESSAGE#170:LiveUpdate:31/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest %{application->} update failed to load. The component will continue to use its previous content.%{p0}"); +var part300 = match("MESSAGE#170:LiveUpdate:31/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest %{application->} update failed to load. The component will continue to use its previous content.%{p0}"); var all96 = all_match({ processors: [ @@ -6985,8 +6495,7 @@ var all96 = all_match({ var msg250 = msg("LiveUpdate:31", all96); -var part301 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,Scheduled LiveUpdate switched to '), Field(change_new,false), Constant('.')}" -match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate switched to %{change_new}.", processor_chain([ +var part301 = match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate switched to %{change_new}.", processor_chain([ dup136, dup12, dup13, @@ -7000,8 +6509,7 @@ match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveU var msg251 = msg("LiveUpdate:32", part301); -var part302 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' from LiveUpdate failed to install. Error: '), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#172:LiveUpdate:33/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from LiveUpdate failed to install. Error: %{result}(%{resultcode})%{p0}"); +var part302 = match("MESSAGE#172:LiveUpdate:33/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from LiveUpdate failed to install. Error: %{result}(%{resultcode})%{p0}"); var all97 = all_match({ processors: [ @@ -7021,8 +6529,7 @@ var all97 = all_match({ var msg252 = msg("LiveUpdate:33", all97); -var part303 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' from Intelligent Updater was already installed.')}" -match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from Intelligent Updater was already installed.", processor_chain([ +var part303 = match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from Intelligent Updater was already installed.", processor_chain([ dup43, dup12, dup13, @@ -7033,33 +6540,27 @@ match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveU var msg253 = msg("LiveUpdate:34", part303); -var part304 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,'), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,%{p0}"); +var part304 = match("MESSAGE#174:LiveUpdate:35/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,%{p0}"); -var part305 = // "Pattern{Constant('A '), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/1_0", "nwparser.p0", "A %{p0}"); +var part305 = match("MESSAGE#174:LiveUpdate:35/1_0", "nwparser.p0", "A %{p0}"); -var part306 = // "Pattern{Constant(' The'), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/1_1", "nwparser.p0", " The%{p0}"); +var part306 = match("MESSAGE#174:LiveUpdate:35/1_1", "nwparser.p0", " The%{p0}"); var select51 = linear_select([ part305, part306, ]); -var part307 = // "Pattern{Field(,false), Constant('LiveUpdate session '), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/2", "nwparser.p0", "%{}LiveUpdate session %{p0}"); +var part307 = match("MESSAGE#174:LiveUpdate:35/2", "nwparser.p0", "%{}LiveUpdate session %{p0}"); -var part308 = // "Pattern{Constant('was'), Field(p0,false)}" -match("MESSAGE#174:LiveUpdate:35/3_1", "nwparser.p0", "was%{p0}"); +var part308 = match("MESSAGE#174:LiveUpdate:35/3_1", "nwparser.p0", "was%{p0}"); var select52 = linear_select([ dup183, part308, ]); -var part309 = // "Pattern{Field(,false), Constant('cancelled.')}" -match("MESSAGE#174:LiveUpdate:35/4", "nwparser.p0", "%{}cancelled."); +var part309 = match("MESSAGE#174:LiveUpdate:35/4", "nwparser.p0", "%{}cancelled."); var all98 = all_match({ processors: [ @@ -7081,8 +6582,7 @@ var all98 = all_match({ var msg254 = msg("LiveUpdate:35", all98); -var part310 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped."'), Field(p0,false)}" -match("MESSAGE#175:LiveUpdate:36/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped.\"%{p0}"); +var part310 = match("MESSAGE#175:LiveUpdate:36/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped.\"%{p0}"); var all99 = all_match({ processors: [ @@ -7102,8 +6602,7 @@ var all99 = all_match({ var msg255 = msg("LiveUpdate:36", all99); -var part311 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for '), Field(fld23,true), Constant(' times.')}" -match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for %{fld23->} times.", processor_chain([ +var part311 = match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for %{fld23->} times.", processor_chain([ dup43, dup94, dup13, @@ -7114,14 +6613,11 @@ match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveU var msg256 = msg("LiveUpdate:37", part311); -var part312 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,A LiveUpdate session ran successfully. '), Field(p0,false)}" -match("MESSAGE#177:LiveUpdate:38/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,A LiveUpdate session ran successfully. %{p0}"); +var part312 = match("MESSAGE#177:LiveUpdate:38/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,A LiveUpdate session ran successfully. %{p0}"); -var part313 = // "Pattern{Constant(''), Field(fld23,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#177:LiveUpdate:38/1_0", "nwparser.p0", "%{fld23},Event time:%{fld17->} %{fld18}"); +var part313 = match("MESSAGE#177:LiveUpdate:38/1_0", "nwparser.p0", "%{fld23},Event time:%{fld17->} %{fld18}"); -var part314 = // "Pattern{Field(fld23,false)}" -match_copy("MESSAGE#177:LiveUpdate:38/1_1", "nwparser.p0", "fld23"); +var part314 = match_copy("MESSAGE#177:LiveUpdate:38/1_1", "nwparser.p0", "fld23"); var select53 = linear_select([ part313, @@ -7146,8 +6642,7 @@ var all100 = all_match({ var msg257 = msg("LiveUpdate:38", all100); -var part315 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.'), Field(p0,false)}" -match("MESSAGE#178:LiveUpdate:39/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.%{p0}"); +var part315 = match("MESSAGE#178:LiveUpdate:39/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.%{p0}"); var all101 = all_match({ processors: [ @@ -7167,8 +6662,7 @@ var all101 = all_match({ var msg258 = msg("LiveUpdate:39", all101); -var part316 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part316 = match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -7179,8 +6673,7 @@ match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveU var msg259 = msg("LiveUpdate:41", part316); -var part317 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.')}" -match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ +var part317 = match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ dup43, dup12, dup13, @@ -7191,8 +6684,7 @@ match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveU var msg260 = msg("LiveUpdate:42", part317); -var part318 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part318 = match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -7203,8 +6695,7 @@ match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveU var msg261 = msg("LiveUpdate:43", part318); -var part319 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : ''), Field(result,false), Constant('''), Field(fld23,false), Constant('",Event time: '), Field(event_time_string,false)}" -match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : '%{result}'%{fld23}\",Event time: %{event_time_string}", processor_chain([ +var part319 = match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : '%{result}'%{fld23}\",Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7214,8 +6705,7 @@ match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveU var msg262 = msg("LiveUpdate:44", part319); -var part320 = // "Pattern{Constant('LiveUpdate encountered an error.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered an error.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part320 = match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered an error.,Event time: %{fld17->} %{fld18}", processor_chain([ dup86, dup12, dup13, @@ -7226,8 +6716,7 @@ match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered a var msg263 = msg("LiveUpdate:45", part320); -var part321 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part321 = match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7237,8 +6726,7 @@ match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveU var msg264 = msg("LiveUpdate:46", part321); -var part322 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part322 = match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7248,8 +6736,7 @@ match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveU var msg265 = msg("LiveUpdate:47", part322); -var part323 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part323 = match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7259,8 +6746,7 @@ match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveU var msg266 = msg("LiveUpdate:48", part323); -var part324 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part324 = match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7270,8 +6756,7 @@ match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveU var msg267 = msg("LiveUpdate:49", part324); -var part325 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#189:LiveUpdate:50", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ +var part325 = match("MESSAGE#189:LiveUpdate:50", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -7334,8 +6819,7 @@ var select54 = linear_select([ msg268, ]); -var part326 = // "Pattern{Constant('Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.'), Field(p0,false)}" -match("MESSAGE#179:LiveUpdate:40/0", "nwparser.payload", "Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.%{p0}"); +var part326 = match("MESSAGE#179:LiveUpdate:40/0", "nwparser.payload", "Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.%{p0}"); var select55 = linear_select([ dup191, @@ -7360,8 +6844,7 @@ var all102 = all_match({ var msg269 = msg("LiveUpdate:40", all102); -var part327 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Virus Name: '), Field(virusname,false), Constant('..Path: '), Field(filename,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Virus Name: %{virusname}..Path: %{filename}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part327 = match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Virus Name: %{virusname}..Path: %{filename}..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup115, dup116, @@ -7374,8 +6857,7 @@ match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}. var msg270 = msg("Virus", part327); -var part328 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part328 = match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup192, dup15, @@ -7384,19 +6866,16 @@ match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shos var msg271 = msg("Virus:01", part328); -var part329 = // "Pattern{Constant('Virus Definition File Update..'), Field(fld4,false), Constant('..'), Field(fld5,false), Constant('..Update to computer '), Field(shost,true), Constant(' of virus definition file '), Field(fld6,true), Constant(' failed. Status '), Field(fld7,true), Constant(' ..'), Field(p0,false)}" -match("MESSAGE#432:Virus:02/0", "nwparser.payload", "Virus Definition File Update..%{fld4}..%{fld5}..Update to computer %{shost->} of virus definition file %{fld6->} failed. Status %{fld7->} ..%{p0}"); +var part329 = match("MESSAGE#432:Virus:02/0", "nwparser.payload", "Virus Definition File Update..%{fld4}..%{fld5}..Update to computer %{shost->} of virus definition file %{fld6->} failed. Status %{fld7->} ..%{p0}"); -var part330 = // "Pattern{Constant('. '), Field(p0,false)}" -match("MESSAGE#432:Virus:02/1_0", "nwparser.p0", ". %{p0}"); +var part330 = match("MESSAGE#432:Virus:02/1_0", "nwparser.p0", ". %{p0}"); var select56 = linear_select([ part330, dup194, ]); -var part331 = // "Pattern{Constant(''), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld8,false)}" -match("MESSAGE#432:Virus:02/2", "nwparser.p0", "%{severity}..%{product}..%{fld8}"); +var part331 = match("MESSAGE#432:Virus:02/2", "nwparser.p0", "%{severity}..%{product}..%{fld8}"); var all103 = all_match({ processors: [ @@ -7424,8 +6903,7 @@ var all103 = all_match({ var msg272 = msg("Virus:02", all103); -var part332 = // "Pattern{Constant('Virus Definition File Update..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" -match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ +var part332 = match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ dup43, dup44, dup45, @@ -7438,8 +6916,7 @@ match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update. var msg273 = msg("Virus:03", part332); -var part333 = // "Pattern{Constant('Virus Found..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('.....'), Field(info,false), Constant('..'), Field(action,false), Constant('....'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5}..%{filename}.....%{info}..%{action}....%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ +var part333 = match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5}..%{filename}.....%{info}..%{action}....%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ dup110, dup115, dup116, @@ -7452,8 +6929,7 @@ match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5 var msg274 = msg("Virus:09", part333); -var part334 = // "Pattern{Constant('Virus Found..'), Field(fld12,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ +var part334 = match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ dup110, dup115, dup116, @@ -7466,8 +6942,7 @@ match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5 var msg275 = msg("Virus:04", part334); -var part335 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(',0,Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#436:Virus:12/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); +var part335 = match("MESSAGE#436:Virus:12/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); var all104 = all_match({ processors: [ @@ -7493,14 +6968,11 @@ var all104 = all_match({ var msg276 = msg("Virus:12", all104); -var part336 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#437:Virus:15/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var part336 = match("MESSAGE#437:Virus:15/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var part337 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#437:Virus:15/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var part337 = match("MESSAGE#437:Virus:15/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var part338 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(url,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(filename,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#437:Virus:15/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{url},Web domain: %{fld45},Downloaded by: %{filename},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); +var part338 = match("MESSAGE#437:Virus:15/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{url},Web domain: %{fld45},Downloaded by: %{filename},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); var all105 = all_match({ processors: [ @@ -7528,8 +7000,7 @@ var all105 = all_match({ var msg277 = msg("Virus:15", all105); -var part339 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" -match("MESSAGE#438:Virus:13/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},%{p0}"); +var part339 = match("MESSAGE#438:Virus:13/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},%{p0}"); var all106 = all_match({ processors: [ @@ -7558,8 +7029,7 @@ var all106 = all_match({ var msg278 = msg("Virus:13", all106); -var part340 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#439:Virus:10/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}"); +var part340 = match("MESSAGE#439:Virus:10/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}"); var all107 = all_match({ processors: [ @@ -7585,19 +7055,16 @@ var all107 = all_match({ var msg279 = msg("Virus:10", all107); -var part341 = // "Pattern{Constant('"'), Field(fld22,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#440:Virus:14/1_0", "nwparser.p0", "\"%{fld22}\",Actual action: %{p0}"); +var part341 = match("MESSAGE#440:Virus:14/1_0", "nwparser.p0", "\"%{fld22}\",Actual action: %{p0}"); -var part342 = // "Pattern{Field(fld22,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#440:Virus:14/1_1", "nwparser.p0", "%{fld22},Actual action: %{p0}"); +var part342 = match("MESSAGE#440:Virus:14/1_1", "nwparser.p0", "%{fld22},Actual action: %{p0}"); var select57 = linear_select([ part341, part342, ]); -var part343 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#440:Virus:14/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); +var part343 = match("MESSAGE#440:Virus:14/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); var all108 = all_match({ processors: [ @@ -7649,8 +7116,7 @@ var all109 = all_match({ var msg281 = msg("Virus:05", all109); -var part344 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',"Group: '), Field(group,false), Constant('",Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#442:Virus:11/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group}\",Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part344 = match("MESSAGE#442:Virus:11/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group}\",Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all110 = all_match({ processors: [ @@ -7677,22 +7143,18 @@ var all110 = all_match({ var msg282 = msg("Virus:11", all110); -var part345 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..'), Field(p0,false)}" -match("MESSAGE#443:Virus:06/0", "nwparser.payload", "Virus Found..Computer: %{shost}..%{p0}"); +var part345 = match("MESSAGE#443:Virus:06/0", "nwparser.payload", "Virus Found..Computer: %{shost}..%{p0}"); -var part346 = // "Pattern{Constant('Date: '), Field(fld5,false), Constant('..File Path:'), Field(p0,false)}" -match("MESSAGE#443:Virus:06/1_0", "nwparser.p0", "Date: %{fld5}..File Path:%{p0}"); +var part346 = match("MESSAGE#443:Virus:06/1_0", "nwparser.p0", "Date: %{fld5}..File Path:%{p0}"); -var part347 = // "Pattern{Field(fld5,false), Constant('..File Path:'), Field(p0,false)}" -match("MESSAGE#443:Virus:06/1_1", "nwparser.p0", "%{fld5}..File Path:%{p0}"); +var part347 = match("MESSAGE#443:Virus:06/1_1", "nwparser.p0", "%{fld5}..File Path:%{p0}"); var select58 = linear_select([ part346, part347, ]); -var part348 = // "Pattern{Field(filename,false), Constant('..'), Field(info,false), Constant('..Requested Action:'), Field(action,false), Constant('..Severity:'), Field(severity,false), Constant('..Source:'), Field(product,false), Constant('..Time:'), Field(fld6,false), Constant('..User:'), Field(username,false)}" -match("MESSAGE#443:Virus:06/2", "nwparser.p0", "%{filename}..%{info}..Requested Action:%{action}..Severity:%{severity}..Source:%{product}..Time:%{fld6}..User:%{username}"); +var part348 = match("MESSAGE#443:Virus:06/2", "nwparser.p0", "%{filename}..%{info}..Requested Action:%{action}..Severity:%{severity}..Source:%{product}..Time:%{fld6}..User:%{username}"); var all111 = all_match({ processors: [ @@ -7713,8 +7175,7 @@ var all111 = all_match({ var msg283 = msg("Virus:06", all111); -var part349 = // "Pattern{Field(fld1,true), Constant(' Virus Found '), Field(shost,true), Constant(' '), Field(fld5,true), Constant(' '), Field(filename,true), Constant(' Forward from '), Field(info,true), Constant(' '), Field(action,true), Constant(' '), Field(severity,true), Constant(' '), Field(product,true), Constant(' Edition '), Field(version,true), Constant(' '), Field(virusname,false)}" -match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost->} %{fld5->} %{filename->} Forward from %{info->} %{action->} %{severity->} %{product->} Edition %{version->} %{virusname}", processor_chain([ +var part349 = match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost->} %{fld5->} %{filename->} Forward from %{info->} %{action->} %{severity->} %{product->} Edition %{version->} %{virusname}", processor_chain([ dup110, dup115, dup116, @@ -7727,8 +7188,7 @@ match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost var msg284 = msg("Virus:07", part349); -var part350 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,false)}" -match("MESSAGE#445:Virus:08", "nwparser.payload", "%{product->} definitions %{info}", processor_chain([ +var part350 = match("MESSAGE#445:Virus:08", "nwparser.payload", "%{product->} definitions %{info}", processor_chain([ dup43, dup12, dup13, @@ -7759,8 +7219,7 @@ var select59 = linear_select([ msg285, ]); -var part351 = // "Pattern{Field(shost,false), Constant(', Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part351 = match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup15, @@ -7769,8 +7228,7 @@ match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport} var msg286 = msg("Local:01", part351); -var part352 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#217:Local:02", "nwparser.payload", "Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part352 = match("MESSAGE#217:Local:02", "nwparser.payload", "Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup13, @@ -7785,22 +7243,18 @@ var select60 = linear_select([ msg287, ]); -var part353 = // "Pattern{Constant('Location has been '), Field(p0,false)}" -match("MESSAGE#218:Location/0", "nwparser.payload", "Location has been %{p0}"); +var part353 = match("MESSAGE#218:Location/0", "nwparser.payload", "Location has been %{p0}"); -var part354 = // "Pattern{Constant('changed '), Field(p0,false)}" -match("MESSAGE#218:Location/1_0", "nwparser.p0", "changed %{p0}"); +var part354 = match("MESSAGE#218:Location/1_0", "nwparser.p0", "changed %{p0}"); -var part355 = // "Pattern{Constant('switched'), Field(p0,false)}" -match("MESSAGE#218:Location/1_1", "nwparser.p0", "switched%{p0}"); +var part355 = match("MESSAGE#218:Location/1_1", "nwparser.p0", "switched%{p0}"); var select61 = linear_select([ part354, part355, ]); -var part356 = // "Pattern{Field(,false), Constant('to '), Field(p0,false)}" -match("MESSAGE#218:Location/2", "nwparser.p0", "%{}to %{p0}"); +var part356 = match("MESSAGE#218:Location/2", "nwparser.p0", "%{}to %{p0}"); var all112 = all_match({ processors: [ @@ -7825,8 +7279,7 @@ var all112 = all_match({ var msg288 = msg("Location", all112); -var part357 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", processor_chain([ +var part357 = match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", processor_chain([ dup43, dup12, dup13, @@ -7835,8 +7288,7 @@ match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", process var msg289 = msg("LUALL", part357); -var part358 = // "Pattern{Constant('Management server started up successfully'), Field(,false)}" -match("MESSAGE#220:Management", "nwparser.payload", "Management server started up successfully%{}", processor_chain([ +var part358 = match("MESSAGE#220:Management", "nwparser.payload", "Management server started up successfully%{}", processor_chain([ dup43, dup12, dup13, @@ -7847,8 +7299,7 @@ match("MESSAGE#220:Management", "nwparser.payload", "Management server started u var msg290 = msg("Management", part358); -var part359 = // "Pattern{Constant('Management server shut down gracefully'), Field(,false)}" -match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut down gracefully%{}", processor_chain([ +var part359 = match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut down gracefully%{}", processor_chain([ dup43, dup12, dup13, @@ -7859,8 +7310,7 @@ match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut d var msg291 = msg("Management:01", part359); -var part360 = // "Pattern{Constant('Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:'), Field(fld12,false)}" -match("MESSAGE#222:Management:02", "nwparser.payload", "Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:%{fld12}", processor_chain([ +var part360 = match("MESSAGE#222:Management:02", "nwparser.payload", "Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:%{fld12}", processor_chain([ dup43, dup12, dup13, @@ -7877,8 +7327,7 @@ var select62 = linear_select([ msg292, ]); -var part361 = // "Pattern{Constant('management server received the client log successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#223:management", "nwparser.payload", "management server received the client log successfully,%{shost},%{username},%{group}", processor_chain([ +var part361 = match("MESSAGE#223:management", "nwparser.payload", "management server received the client log successfully,%{shost},%{username},%{group}", processor_chain([ dup53, dup12, dup13, @@ -7889,8 +7338,7 @@ match("MESSAGE#223:management", "nwparser.payload", "management server received var msg293 = msg("management", part361); -var part362 = // "Pattern{Constant('management server received a report that the client computer changed its hardware identity,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" -match("MESSAGE#224:management:01", "nwparser.payload", "management server received a report that the client computer changed its hardware identity,%{shost},%{username},%{group}", processor_chain([ +var part362 = match("MESSAGE#224:management:01", "nwparser.payload", "management server received a report that the client computer changed its hardware identity,%{shost},%{username},%{group}", processor_chain([ dup53, dup12, dup13, @@ -7906,22 +7354,18 @@ var select63 = linear_select([ msg294, ]); -var part363 = // "Pattern{Constant('Network Threat Protection --'), Field(p0,false)}" -match("MESSAGE#225:Network/0", "nwparser.payload", "Network Threat Protection --%{p0}"); +var part363 = match("MESSAGE#225:Network/0", "nwparser.payload", "Network Threat Protection --%{p0}"); -var part364 = // "Pattern{Constant('-- Engine version'), Field(p0,false)}" -match("MESSAGE#225:Network/1_0", "nwparser.p0", "-- Engine version%{p0}"); +var part364 = match("MESSAGE#225:Network/1_0", "nwparser.p0", "-- Engine version%{p0}"); -var part365 = // "Pattern{Constant(' Engine version'), Field(p0,false)}" -match("MESSAGE#225:Network/1_1", "nwparser.p0", " Engine version%{p0}"); +var part365 = match("MESSAGE#225:Network/1_1", "nwparser.p0", " Engine version%{p0}"); var select64 = linear_select([ part364, part365, ]); -var part366 = // "Pattern{Field(,false), Constant(': '), Field(version,true), Constant(' Windows Version info: Operating System: '), Field(os,true), Constant(' Network info:'), Field(info,false)}" -match("MESSAGE#225:Network/2", "nwparser.p0", "%{}: %{version->} Windows Version info: Operating System: %{os->} Network info:%{info}"); +var part366 = match("MESSAGE#225:Network/2", "nwparser.p0", "%{}: %{version->} Windows Version info: Operating System: %{os->} Network info:%{info}"); var all113 = all_match({ processors: [ @@ -7941,8 +7385,7 @@ var all113 = all_match({ var msg295 = msg("Network", all113); -var part367 = // "Pattern{Constant('Network Threat Protection has been activated'), Field(,false)}" -match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection has been activated%{}", processor_chain([ +var part367 = match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection has been activated%{}", processor_chain([ dup213, dup12, dup13, @@ -7956,22 +7399,18 @@ match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection h var msg296 = msg("Network:01", part367); -var part368 = // "Pattern{Constant('Network Threat Protection applied a new IPS '), Field(p0,false)}" -match("MESSAGE#227:Network:02/0", "nwparser.payload", "Network Threat Protection applied a new IPS %{p0}"); +var part368 = match("MESSAGE#227:Network:02/0", "nwparser.payload", "Network Threat Protection applied a new IPS %{p0}"); -var part369 = // "Pattern{Constant('Library'), Field(p0,false)}" -match("MESSAGE#227:Network:02/1_0", "nwparser.p0", "Library%{p0}"); +var part369 = match("MESSAGE#227:Network:02/1_0", "nwparser.p0", "Library%{p0}"); -var part370 = // "Pattern{Constant('library'), Field(p0,false)}" -match("MESSAGE#227:Network:02/1_1", "nwparser.p0", "library%{p0}"); +var part370 = match("MESSAGE#227:Network:02/1_1", "nwparser.p0", "library%{p0}"); var select65 = linear_select([ part369, part370, ]); -var part371 = // "Pattern{Field(,false), Constant('.')}" -match("MESSAGE#227:Network:02/2", "nwparser.p0", "%{}."); +var part371 = match("MESSAGE#227:Network:02/2", "nwparser.p0", "%{}."); var all114 = all_match({ processors: [ @@ -7991,8 +7430,7 @@ var all114 = all_match({ var msg297 = msg("Network:02", all114); -var part372 = // "Pattern{Constant('The Network Threat Protection already has the newest policy.'), Field(,false)}" -match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protection already has the newest policy.%{}", processor_chain([ +var part372 = match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protection already has the newest policy.%{}", processor_chain([ dup92, dup12, dup13, @@ -8003,8 +7441,7 @@ match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protecti var msg298 = msg("Network:03", part372); -var part373 = // "Pattern{Constant('The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part373 = match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup43, dup12, dup13, @@ -8015,8 +7452,7 @@ match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protecti var msg299 = msg("Network:04", part373); -var part374 = // "Pattern{Constant('Network Threat Protection's firewall and Intrusion Prevention features are disabled'), Field(,false)}" -match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's firewall and Intrusion Prevention features are disabled%{}", processor_chain([ +var part374 = match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's firewall and Intrusion Prevention features are disabled%{}", processor_chain([ dup92, dup12, dup13, @@ -8027,8 +7463,7 @@ match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's var msg300 = msg("Network:05", part374); -var part375 = // "Pattern{Constant('The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part375 = match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup92, dup12, dup13, @@ -8039,8 +7474,7 @@ match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protecti var msg301 = msg("Network:06", part375); -var part376 = // "Pattern{Constant('Network Audit Search Unagented Hosts Started'), Field(,false)}" -match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagented Hosts Started%{}", processor_chain([ +var part376 = match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagented Hosts Started%{}", processor_chain([ dup92, dup12, dup13, @@ -8051,8 +7485,7 @@ match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagen var msg302 = msg("Network:07", part376); -var part377 = // "Pattern{Constant('Network Audit Search Unagented Hosts From NST Finished Abnormally'), Field(,false)}" -match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Abnormally%{}", processor_chain([ +var part377 = match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Abnormally%{}", processor_chain([ dup92, dup12, dup13, @@ -8063,8 +7496,7 @@ match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagen var msg303 = msg("Network:08", part377); -var part378 = // "Pattern{Constant('Network Audit Search Unagented Hosts From NST Finished Normally'), Field(,false)}" -match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Normally%{}", processor_chain([ +var part378 = match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Normally%{}", processor_chain([ dup92, dup12, dup13, @@ -8075,8 +7507,7 @@ match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagen var msg304 = msg("Network:09", part378); -var part379 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Started'), Field(,false)}" -match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote Pushing Install Started%{}", processor_chain([ +var part379 = match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote Pushing Install Started%{}", processor_chain([ dup92, dup12, dup13, @@ -8087,8 +7518,7 @@ match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote var msg305 = msg("Network:10", part379); -var part380 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Finished Normally'), Field(,false)}" -match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Normally%{}", processor_chain([ +var part380 = match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Normally%{}", processor_chain([ dup92, dup12, dup13, @@ -8099,8 +7529,7 @@ match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote var msg306 = msg("Network:11", part380); -var part381 = // "Pattern{Constant('Network Intrusion Prevention is malfunctioning, '), Field(result,false), Constant('"')}" -match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Prevention is malfunctioning, %{result}\"", processor_chain([ +var part381 = match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Prevention is malfunctioning, %{result}\"", processor_chain([ dup92, dup12, dup13, @@ -8112,8 +7541,7 @@ match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Preventio var msg307 = msg("Network:12", part381); -var part382 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: '), Field(obj_name,false), Constant('.Try to update the signatures Browser path: '), Field(filename,false)}" -match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: %{obj_name}.Try to update the signatures Browser path: %{filename}", processor_chain([ +var part382 = match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: %{obj_name}.Try to update the signatures Browser path: %{filename}", processor_chain([ dup92, dup12, dup13, @@ -8125,8 +7553,7 @@ match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network var msg308 = msg("Network:13", part382); -var part383 = // "Pattern{Constant('Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically'), Field(,false)}" -match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically%{}", processor_chain([ +var part383 = match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically%{}", processor_chain([ dup92, dup12, dup13, @@ -8138,8 +7565,7 @@ match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Preventio var msg309 = msg("Network:16", part383); -var part384 = // "Pattern{Constant('Network Intrusion Prevention is malfunctioning'), Field(,false)}" -match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Prevention is malfunctioning%{}", processor_chain([ +var part384 = match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Prevention is malfunctioning%{}", processor_chain([ dup92, dup12, dup13, @@ -8151,8 +7577,7 @@ match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Preventio var msg310 = msg("Network:17", part384); -var part385 = // "Pattern{Constant('Network Intrusion Prevention is not protecting machine because its driver was unloaded'), Field(,false)}" -match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Prevention is not protecting machine because its driver was unloaded%{}", processor_chain([ +var part385 = match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Prevention is not protecting machine because its driver was unloaded%{}", processor_chain([ dup92, dup12, dup13, @@ -8163,8 +7588,7 @@ match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Preventio var msg311 = msg("Network:18", part385); -var part386 = // "Pattern{Constant('Network Threat Protection's firewall is disabled by policy'), Field(,false)}" -match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's firewall is disabled by policy%{}", processor_chain([ +var part386 = match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's firewall is disabled by policy%{}", processor_chain([ dup92, dup12, dup13, @@ -8175,8 +7599,7 @@ match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's var msg312 = msg("Network:19", part386); -var part387 = // "Pattern{Field(service,true), Constant(' has been restored and '), Field(result,false)}" -match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been restored and %{result}", processor_chain([ +var part387 = match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been restored and %{result}", processor_chain([ dup92, dup12, dup13, @@ -8187,8 +7610,7 @@ match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been resto var msg313 = msg("Network:21", part387); -var part388 = // "Pattern{Field(service,true), Constant(' is not protecting machine because its driver was disabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protecting machine because its driver was disabled,Event time: %{event_time_string}", processor_chain([ +var part388 = match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protecting machine because its driver was disabled,Event time: %{event_time_string}", processor_chain([ dup86, dup12, dup13, @@ -8198,8 +7620,7 @@ match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protect var msg314 = msg("Network:33", part388); -var part389 = // "Pattern{Constant('Network Threat Protection's firewall is enabled'), Field(p0,false)}" -match("MESSAGE#251:Network:25/0", "nwparser.payload", "Network Threat Protection's firewall is enabled%{p0}"); +var part389 = match("MESSAGE#251:Network:25/0", "nwparser.payload", "Network Threat Protection's firewall is enabled%{p0}"); var all115 = all_match({ processors: [ @@ -8219,8 +7640,7 @@ var all115 = all_match({ var msg315 = msg("Network:25", all115); -var part390 = // "Pattern{Constant('Network Intrusion Prevention disabled'), Field(p0,false)}" -match("MESSAGE#253:Network:27/0", "nwparser.payload", "Network Intrusion Prevention disabled%{p0}"); +var part390 = match("MESSAGE#253:Network:27/0", "nwparser.payload", "Network Intrusion Prevention disabled%{p0}"); var all116 = all_match({ processors: [ @@ -8239,8 +7659,7 @@ var all116 = all_match({ var msg316 = msg("Network:27", all116); -var part391 = // "Pattern{Constant('Network Intrusion Prevention enabled'), Field(p0,false)}" -match("MESSAGE#254:Network:28/0", "nwparser.payload", "Network Intrusion Prevention enabled%{p0}"); +var part391 = match("MESSAGE#254:Network:28/0", "nwparser.payload", "Network Intrusion Prevention enabled%{p0}"); var all117 = all_match({ processors: [ @@ -8260,8 +7679,7 @@ var all117 = all_match({ var msg317 = msg("Network:28", all117); -var part392 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage'), Field(,false)}" -match("MESSAGE#257:Network:30", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage%{}", processor_chain([ +var part392 = match("MESSAGE#257:Network:30", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage%{}", processor_chain([ dup92, dup12, dup13, @@ -8299,8 +7717,7 @@ var select66 = linear_select([ msg318, ]); -var part393 = // "Pattern{Constant('Firefox Browser Intrusion Prevention is malfunctioning'), Field(,false)}" -match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ +var part393 = match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ dup92, dup12, dup13, @@ -8312,8 +7729,7 @@ match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion P var msg319 = msg("Network:14", part393); -var part394 = // "Pattern{Constant('Firefox Browser Intrusion Prevention disabled'), Field(p0,false)}" -match("MESSAGE#245:Network:20/0", "nwparser.payload", "Firefox Browser Intrusion Prevention disabled%{p0}"); +var part394 = match("MESSAGE#245:Network:20/0", "nwparser.payload", "Firefox Browser Intrusion Prevention disabled%{p0}"); var all118 = all_match({ processors: [ @@ -8332,8 +7748,7 @@ var all118 = all_match({ var msg320 = msg("Network:20", all118); -var part395 = // "Pattern{Constant('Firefox Browser Intrusion Prevention enabled'), Field(p0,false)}" -match("MESSAGE#252:Network:26/0", "nwparser.payload", "Firefox Browser Intrusion Prevention enabled%{p0}"); +var part395 = match("MESSAGE#252:Network:26/0", "nwparser.payload", "Firefox Browser Intrusion Prevention enabled%{p0}"); var all119 = all_match({ processors: [ @@ -8359,8 +7774,7 @@ var select67 = linear_select([ msg321, ]); -var part396 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention is malfunctioning'), Field(,false)}" -match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ +var part396 = match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ dup92, dup12, dup13, @@ -8372,8 +7786,7 @@ match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser I var msg322 = msg("Network:15", part396); -var part397 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention enabled'), Field(p0,false)}" -match("MESSAGE#248:Network:22/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention enabled%{p0}"); +var part397 = match("MESSAGE#248:Network:22/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention enabled%{p0}"); var all120 = all_match({ processors: [ @@ -8393,8 +7806,7 @@ var all120 = all_match({ var msg323 = msg("Network:22", all120); -var part398 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention disabled'), Field(p0,false)}" -match("MESSAGE#249:Network:23/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention disabled%{p0}"); +var part398 = match("MESSAGE#249:Network:23/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention disabled%{p0}"); var all121 = all_match({ processors: [ @@ -8419,17 +7831,13 @@ var select68 = linear_select([ msg324, ]); -var part399 = // "Pattern{Constant('Generic Exploit Mitigation '), Field(p0,false)}" -match("MESSAGE#255:Network:29/0", "nwparser.payload", "Generic Exploit Mitigation %{p0}"); +var part399 = match("MESSAGE#255:Network:29/0", "nwparser.payload", "Generic Exploit Mitigation %{p0}"); -var part400 = // "Pattern{Constant('enabled'), Field(p0,false)}" -match("MESSAGE#255:Network:29/1_0", "nwparser.p0", "enabled%{p0}"); +var part400 = match("MESSAGE#255:Network:29/1_0", "nwparser.p0", "enabled%{p0}"); -var part401 = // "Pattern{Constant('disabled'), Field(p0,false)}" -match("MESSAGE#255:Network:29/1_1", "nwparser.p0", "disabled%{p0}"); +var part401 = match("MESSAGE#255:Network:29/1_1", "nwparser.p0", "disabled%{p0}"); -var part402 = // "Pattern{Constant('is malfunctioning'), Field(p0,false)}" -match("MESSAGE#255:Network:29/1_2", "nwparser.p0", "is malfunctioning%{p0}"); +var part402 = match("MESSAGE#255:Network:29/1_2", "nwparser.p0", "is malfunctioning%{p0}"); var select69 = linear_select([ part400, @@ -8437,8 +7845,7 @@ var select69 = linear_select([ part402, ]); -var part403 = // "Pattern{Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#255:Network:29/2", "nwparser.p0", ",Event time: %{event_time_string}"); +var part403 = match("MESSAGE#255:Network:29/2", "nwparser.p0", ",Event time: %{event_time_string}"); var all122 = all_match({ processors: [ @@ -8458,8 +7865,7 @@ var all122 = all_match({ var msg325 = msg("Network:29", all122); -var part404 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Generic Exploit Mitigation Syste,Already running process (PID:'), Field(process_id,false), Constant(') ''), Field(process,false), Constant('' is affected by a change to the application rules.,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#256:Network:31", "nwparser.payload", "Category: %{fld22},Generic Exploit Mitigation Syste,Already running process (PID:%{process_id}) '%{process}' is affected by a change to the application rules.,Event time: %{event_time_string}", processor_chain([ +var part404 = match("MESSAGE#256:Network:31", "nwparser.payload", "Category: %{fld22},Generic Exploit Mitigation Syste,Already running process (PID:%{process_id}) '%{process}' is affected by a change to the application rules.,Event time: %{event_time_string}", processor_chain([ dup92, dup12, dup13, @@ -8475,8 +7881,7 @@ var select70 = linear_select([ msg326, ]); -var part405 = // "Pattern{Field(event_description,false), Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event time: %{event_time_string}", processor_chain([ +var part405 = match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -8486,14 +7891,11 @@ match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event var msg327 = msg("Network:32", part405); -var part406 = // "Pattern{Constant('New virus definition file loaded. Version: '), Field(p0,false)}" -match("MESSAGE#259:New/0", "nwparser.payload", "New virus definition file loaded. Version: %{p0}"); +var part406 = match("MESSAGE#259:New/0", "nwparser.payload", "New virus definition file loaded. Version: %{p0}"); -var part407 = // "Pattern{Field(version,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#259:New/1_0", "nwparser.p0", "%{version},Event time:%{fld17->} %{fld18}"); +var part407 = match("MESSAGE#259:New/1_0", "nwparser.p0", "%{version},Event time:%{fld17->} %{fld18}"); -var part408 = // "Pattern{Field(version,false)}" -match_copy("MESSAGE#259:New/1_1", "nwparser.p0", "version"); +var part408 = match_copy("MESSAGE#259:New/1_1", "nwparser.p0", "version"); var select71 = linear_select([ part407, @@ -8522,8 +7924,7 @@ var all123 = all_match({ var msg328 = msg("New", all123); -var part409 = // "Pattern{Constant('New Value ''), Field(change_attribute,false), Constant('' = ''), Field(change_new,false), Constant('''), Field(p0,false)}" -match("MESSAGE#260:New:01/0", "nwparser.payload", "New Value '%{change_attribute}' = '%{change_new}'%{p0}"); +var part409 = match("MESSAGE#260:New:01/0", "nwparser.payload", "New Value '%{change_attribute}' = '%{change_new}'%{p0}"); var all124 = all_match({ processors: [ @@ -8547,8 +7948,7 @@ var all124 = all_match({ var msg329 = msg("New:01", all124); -var part410 = // "Pattern{Constant('New AgentGUID = '), Field(fld22,false)}" -match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", processor_chain([ +var part410 = match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", processor_chain([ dup43, dup12, dup13, @@ -8560,8 +7960,7 @@ match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", proc var msg330 = msg("New:02", part410); -var part411 = // "Pattern{Constant('New policy has been imported.'), Field(,false)}" -match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{}", processor_chain([ +var part411 = match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{}", processor_chain([ dup43, dup12, dup13, @@ -8573,11 +7972,9 @@ match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{ var msg331 = msg("New:03", part411); -var part412 = // "Pattern{Constant('New content update failed to download from the management server. Remote file path: '), Field(p0,false)}" -match("MESSAGE#263:New:04/0", "nwparser.payload", "New content update failed to download from the management server. Remote file path: %{p0}"); +var part412 = match("MESSAGE#263:New:04/0", "nwparser.payload", "New content update failed to download from the management server. Remote file path: %{p0}"); -var part413 = // "Pattern{Field(url,false), Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#263:New:04/1_0", "nwparser.p0", "%{url},Event time: %{event_time_string}"); +var part413 = match("MESSAGE#263:New:04/1_0", "nwparser.p0", "%{url},Event time: %{event_time_string}"); var select72 = linear_select([ part413, @@ -8602,8 +7999,7 @@ var all125 = all_match({ var msg332 = msg("New:04", all125); -var part414 = // "Pattern{Constant('New content update failed to download from Group Update Provider. Remote file path: '), Field(url,false)}" -match("MESSAGE#264:New:05", "nwparser.payload", "New content update failed to download from Group Update Provider. Remote file path: %{url}", processor_chain([ +var part414 = match("MESSAGE#264:New:05", "nwparser.payload", "New content update failed to download from Group Update Provider. Remote file path: %{url}", processor_chain([ dup43, dup12, dup13, @@ -8624,8 +8020,7 @@ var select73 = linear_select([ msg333, ]); -var part415 = // "Pattern{Constant('No '), Field(virusname,true), Constant(' virus found events got swept.')}" -match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found events got swept.", processor_chain([ +var part415 = match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found events got swept.", processor_chain([ dup43, dup12, dup13, @@ -8637,8 +8032,7 @@ match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found event var msg334 = msg("No", part415); -var part416 = // "Pattern{Constant('No clients got swept.'), Field(,false)}" -match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", processor_chain([ +var part416 = match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No clients got swept."), @@ -8646,8 +8040,7 @@ match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", proce var msg335 = msg("No:01", part416); -var part417 = // "Pattern{Constant('No objects got swept.'), Field(,false)}" -match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", processor_chain([ +var part417 = match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", processor_chain([ dup43, dup15, dup218, @@ -8655,8 +8048,7 @@ match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", proce var msg336 = msg("No:02", part417); -var part418 = // "Pattern{Constant('No clients got swept [Domain: '), Field(sdomain,false), Constant('].')}" -match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{sdomain}].", processor_chain([ +var part418 = match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{sdomain}].", processor_chain([ dup43, dup12, dup13, @@ -8666,8 +8058,7 @@ match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{ var msg337 = msg("No:06", part418); -var part419 = // "Pattern{Constant('No old risk events got swept.'), Field(,false)}" -match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{}", processor_chain([ +var part419 = match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No old risk events got swept."), @@ -8675,8 +8066,7 @@ match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{} var msg338 = msg("No:03", part419); -var part420 = // "Pattern{Constant('No physical files got swept.'), Field(,false)}" -match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}", processor_chain([ +var part420 = match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No physical files got swept."), @@ -8684,8 +8074,7 @@ match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}" var msg339 = msg("No:04", part420); -var part421 = // "Pattern{Constant('No risk events from deleted clients got swept.'), Field(,false)}" -match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clients got swept.%{}", processor_chain([ +var part421 = match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clients got swept.%{}", processor_chain([ dup43, dup15, setc("event_description","No risk events from deleted clients got swept."), @@ -8693,8 +8082,7 @@ match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clie var msg340 = msg("No:05", part421); -var part422 = // "Pattern{Constant('No updates found for '), Field(application,false), Constant('.')}" -match("MESSAGE#272:No:07", "nwparser.payload", "No updates found for %{application}.", processor_chain([ +var part422 = match("MESSAGE#272:No:07", "nwparser.payload", "No updates found for %{application}.", processor_chain([ dup43, dup12, dup13, @@ -8715,8 +8103,7 @@ var select74 = linear_select([ msg341, ]); -var part423 = // "Pattern{Constant('Organization Unit or Container importing finished successfully'), Field(,false)}" -match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or Container importing finished successfully%{}", processor_chain([ +var part423 = match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or Container importing finished successfully%{}", processor_chain([ dup53, dup12, dup13, @@ -8727,8 +8114,7 @@ match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or C var msg342 = msg("Organization:03", part423); -var part424 = // "Pattern{Constant('Organization Unit or Container importing started'), Field(,false)}" -match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or Container importing started%{}", processor_chain([ +var part424 = match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or Container importing started%{}", processor_chain([ dup53, dup12, dup13, @@ -8739,8 +8125,7 @@ match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or C var msg343 = msg("Organization:02", part424); -var part425 = // "Pattern{Constant('Organization importing finished successfully'), Field(,false)}" -match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing finished successfully%{}", processor_chain([ +var part425 = match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing finished successfully%{}", processor_chain([ dup53, dup12, dup13, @@ -8751,8 +8136,7 @@ match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing var msg344 = msg("Organization:01", part425); -var part426 = // "Pattern{Constant('Organization importing started'), Field(,false)}" -match("MESSAGE#276:Organization", "nwparser.payload", "Organization importing started%{}", processor_chain([ +var part426 = match("MESSAGE#276:Organization", "nwparser.payload", "Organization importing started%{}", processor_chain([ dup53, dup12, dup13, @@ -8770,8 +8154,7 @@ var select75 = linear_select([ msg345, ]); -var part427 = // "Pattern{Constant('Number of '), Field(virusname,true), Constant(' virus found events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} virus found events swept: %{dclass_counter1}", processor_chain([ +var part427 = match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} virus found events swept: %{dclass_counter1}", processor_chain([ dup43, dup152, dup15, @@ -8781,8 +8164,7 @@ match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} vir var msg346 = msg("Number:01", part427); -var part428 = // "Pattern{Constant('Number of virus definition records swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition records swept: %{dclass_counter1}", processor_chain([ +var part428 = match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition records swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8794,8 +8176,7 @@ match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition reco var msg347 = msg("Number", part428); -var part429 = // "Pattern{Constant('Number of scan events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: %{dclass_counter1}", processor_chain([ +var part429 = match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: %{dclass_counter1}", processor_chain([ dup43, dup15, setc("event_description","Number of scan events swept."), @@ -8804,8 +8185,7 @@ match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: var msg348 = msg("Number:02", part429); -var part430 = // "Pattern{Constant('Number of clients swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{dclass_counter1}", processor_chain([ +var part430 = match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8816,8 +8196,7 @@ match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{d var msg349 = msg("Number:04", part430); -var part431 = // "Pattern{Constant('Number of old risk events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events swept: %{dclass_counter1}", processor_chain([ +var part431 = match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8828,8 +8207,7 @@ match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events sw var msg350 = msg("Number:05", part431); -var part432 = // "Pattern{Constant('Number of unacknowledged notifications swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged notifications swept: %{dclass_counter1}", processor_chain([ +var part432 = match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged notifications swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8840,8 +8218,7 @@ match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged not var msg351 = msg("Number:06", part432); -var part433 = // "Pattern{Constant('Number of objects swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{dclass_counter1}", processor_chain([ +var part433 = match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8852,8 +8229,7 @@ match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{d var msg352 = msg("Number:07", part433); -var part434 = // "Pattern{Constant('Number of risk events from deleted clients swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from deleted clients swept: %{dclass_counter1}", processor_chain([ +var part434 = match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from deleted clients swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8864,8 +8240,7 @@ match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from d var msg353 = msg("Number:08", part434); -var part435 = // "Pattern{Constant('Number of old risk events compressed: '), Field(dclass_counter1,false)}" -match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events compressed: %{dclass_counter1}", processor_chain([ +var part435 = match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events compressed: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8876,8 +8251,7 @@ match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events co var msg354 = msg("Number:09", part435); -var part436 = // "Pattern{Constant('Number of compressed risk events swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk events swept: %{dclass_counter1}", processor_chain([ +var part436 = match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk events swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8888,14 +8262,11 @@ match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk ev var msg355 = msg("Number:10", part436); -var part437 = // "Pattern{Constant('Number of '), Field(info,true), Constant(' in the policy: '), Field(p0,false)}" -match("MESSAGE#287:Number:11/0", "nwparser.payload", "Number of %{info->} in the policy: %{p0}"); +var part437 = match("MESSAGE#287:Number:11/0", "nwparser.payload", "Number of %{info->} in the policy: %{p0}"); -var part438 = // "Pattern{Field(dclass_counter1,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#287:Number:11/1_0", "nwparser.p0", "%{dclass_counter1},Event time:%{fld17->} %{fld18}"); +var part438 = match("MESSAGE#287:Number:11/1_0", "nwparser.p0", "%{dclass_counter1},Event time:%{fld17->} %{fld18}"); -var part439 = // "Pattern{Field(dclass_counter1,false)}" -match_copy("MESSAGE#287:Number:11/1_1", "nwparser.p0", "dclass_counter1"); +var part439 = match_copy("MESSAGE#287:Number:11/1_1", "nwparser.p0", "dclass_counter1"); var select76 = linear_select([ part438, @@ -8920,8 +8291,7 @@ var all126 = all_match({ var msg356 = msg("Number:11", all126); -var part440 = // "Pattern{Constant('Number of physical files swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swept: %{dclass_counter1}", processor_chain([ +var part440 = match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swept: %{dclass_counter1}", processor_chain([ dup43, dup12, dup13, @@ -8932,8 +8302,7 @@ match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swe var msg357 = msg("Number:12", part440); -var part441 = // "Pattern{Constant('Number of '), Field(fld1,true), Constant(' swept: '), Field(dclass_counter1,false)}" -match("MESSAGE#289:Number:13", "nwparser.payload", "Number of %{fld1->} swept: %{dclass_counter1}", processor_chain([ +var part441 = match("MESSAGE#289:Number:13", "nwparser.payload", "Number of %{fld1->} swept: %{dclass_counter1}", processor_chain([ dup43, dup15, dup12, @@ -8978,8 +8347,7 @@ var select77 = linear_select([ msg358, ]); -var part442 = // "Pattern{Constant('Policy has been added,'), Field(info,false)}" -match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{info}", processor_chain([ +var part442 = match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{info}", processor_chain([ dup95, dup12, dup13, @@ -8994,8 +8362,7 @@ match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{i var msg359 = msg("Policy:added", part442); -var part443 = // "Pattern{Constant('Policy has been added:'), Field(info,false)}" -match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added:%{info}", processor_chain([ +var part443 = match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added:%{info}", processor_chain([ dup95, dup12, dup13, @@ -9010,8 +8377,7 @@ match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added: var msg360 = msg("Policy:added_01", part443); -var part444 = // "Pattern{Constant('Policy has been edited,'), Field(info,false)}" -match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,%{info}", processor_chain([ +var part444 = match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,%{info}", processor_chain([ dup136, dup12, dup13, @@ -9026,8 +8392,7 @@ match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,% var msg361 = msg("Policy:edited", part444); -var part445 = // "Pattern{Constant('Policy has been edited:'), Field(info,false), Constant(','), Field(fld1,false)}" -match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edited:%{info},%{fld1}", processor_chain([ +var part445 = match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edited:%{info},%{fld1}", processor_chain([ dup136, dup12, dup13, @@ -9042,8 +8407,7 @@ match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edite var msg362 = msg("Policy:edited_01", part445); -var part446 = // "Pattern{Constant('Policy has been deleted'), Field(p0,false)}" -match("MESSAGE#296:Policy:deleted/0", "nwparser.payload", "Policy has been deleted%{p0}"); +var part446 = match("MESSAGE#296:Policy:deleted/0", "nwparser.payload", "Policy has been deleted%{p0}"); var select78 = linear_select([ dup226, @@ -9080,8 +8444,7 @@ var select79 = linear_select([ msg363, ]); -var part447 = // "Pattern{Constant('Potential risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld53,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld100,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false), Constant(',Location:'), Field(fld55,false)}" -match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP Address: %{saddr},Computer name: %{shost},Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld53},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld100},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{vendor_event_cat},Location:%{fld55}", processor_chain([ +var part447 = match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP Address: %{saddr},Computer name: %{shost},Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld53},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld100},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{vendor_event_cat},Location:%{fld55}", processor_chain([ dup110, dup12, dup152, @@ -9096,11 +8459,9 @@ match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP A var msg364 = msg("Potential:03", part447); -var part448 = // "Pattern{Field(severity,false), Constant(',First Seen:'), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(',Detection Submissions No,Permitted application reason: '), Field(fld42,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#298:Potential:02/2", "nwparser.p0", "%{severity},First Seen:%{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var part448 = match("MESSAGE#298:Potential:02/2", "nwparser.p0", "%{severity},First Seen:%{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); -var part449 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#298:Potential:02/4", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part449 = match("MESSAGE#298:Potential:02/4", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all128 = all_match({ processors: [ @@ -9126,8 +8487,7 @@ var all128 = all_match({ var msg365 = msg("Potential:02", all128); -var part450 = // "Pattern{Field(fld23,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#299:Potential/2", "nwparser.p0", "%{fld23},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part450 = match("MESSAGE#299:Potential/2", "nwparser.p0", "%{fld23},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); var all129 = all_match({ processors: [ @@ -9156,8 +8516,7 @@ var all129 = all_match({ var msg366 = msg("Potential", all129); -var part451 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#300:Potential:01/0", "nwparser.payload", "Potential risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part451 = match("MESSAGE#300:Potential:01/0", "nwparser.payload", "Potential risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); var all130 = all_match({ processors: [ @@ -9191,8 +8550,7 @@ var select80 = linear_select([ msg367, ]); -var part452 = // "Pattern{Constant('Previous virus definition file loaded. Version: '), Field(version,false)}" -match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition file loaded. Version: %{version}", processor_chain([ +var part452 = match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition file loaded. Version: %{version}", processor_chain([ dup92, dup12, dup13, @@ -9203,8 +8561,7 @@ match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition fil var msg368 = msg("Previous", part452); -var part453 = // "Pattern{Constant('Proactive Threat Scan '), Field(info,true), Constant(' failed to update.')}" -match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info->} failed to update.", processor_chain([ +var part453 = match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info->} failed to update.", processor_chain([ setc("eventcategory","1703020000"), dup12, dup13, @@ -9215,8 +8572,7 @@ match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info var msg369 = msg("Proactive", part453); -var part454 = // "Pattern{Constant('Proactive Threat Scan whitelist '), Field(info,true), Constant(' is up-to-date.')}" -match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whitelist %{info->} is up-to-date.", processor_chain([ +var part454 = match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whitelist %{info->} is up-to-date.", processor_chain([ dup92, dup12, dup13, @@ -9227,8 +8583,7 @@ match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whi var msg370 = msg("Proactive:01", part454); -var part455 = // "Pattern{Constant('Proactive Threat Protection has been enabled'), Field(p0,false)}" -match("MESSAGE#399:Symantec:38/0", "nwparser.payload", "Proactive Threat Protection has been enabled%{p0}"); +var part455 = match("MESSAGE#399:Symantec:38/0", "nwparser.payload", "Proactive Threat Protection has been enabled%{p0}"); var all131 = all_match({ processors: [ @@ -9247,8 +8602,7 @@ var all131 = all_match({ var msg371 = msg("Symantec:38", all131); -var part456 = // "Pattern{Constant('Proactive Threat Protection has been disabled'), Field(,false)}" -match("MESSAGE#400:Symantec:42", "nwparser.payload", "Proactive Threat Protection has been disabled%{}", processor_chain([ +var part456 = match("MESSAGE#400:Symantec:42", "nwparser.payload", "Proactive Threat Protection has been disabled%{}", processor_chain([ dup43, dup56, dup12, @@ -9266,8 +8620,7 @@ var select81 = linear_select([ msg372, ]); -var part457 = // "Pattern{Constant('process '), Field(process,true), Constant(' can not lock the process status table. The process status has been locked by the server '), Field(info,true), Constant(' since '), Field(fld50,false), Constant('.')}" -match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not lock the process status table. The process status has been locked by the server %{info->} since %{fld50}.", processor_chain([ +var part457 = match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not lock the process status table. The process status has been locked by the server %{info->} since %{fld50}.", processor_chain([ dup168, dup12, dup13, @@ -9278,8 +8631,7 @@ match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not l var msg373 = msg("process", part457); -var part458 = // "Pattern{Constant('"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile.",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ +var part458 = match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ dup168, dup12, dup13, @@ -9294,8 +8646,7 @@ match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed s var msg374 = msg("process:01", part458); -var part459 = // "Pattern{Constant('"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ +var part459 = match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ dup168, dup12, dup13, @@ -9310,11 +8661,9 @@ match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed s var msg375 = msg("process:11", part459); -var part460 = // "Pattern{Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#308:process:03/2", "nwparser.p0", ",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{p0}"); +var part460 = match("MESSAGE#308:process:03/2", "nwparser.p0", ",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{p0}"); -var part461 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#308:process:03/4", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part461 = match("MESSAGE#308:process:03/4", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); var all132 = all_match({ processors: [ @@ -9372,22 +8721,18 @@ var select82 = linear_select([ msg377, ]); -var part462 = // "Pattern{Constant('properties of domain '), Field(p0,false)}" -match("MESSAGE#310:properties/0", "nwparser.payload", "properties of domain %{p0}"); +var part462 = match("MESSAGE#310:properties/0", "nwparser.payload", "properties of domain %{p0}"); -var part463 = // "Pattern{Constant('"'), Field(domain,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#310:properties/1_0", "nwparser.p0", "\"%{domain}\"%{p0}"); +var part463 = match("MESSAGE#310:properties/1_0", "nwparser.p0", "\"%{domain}\"%{p0}"); -var part464 = // "Pattern{Constant('''), Field(domain,false), Constant('''), Field(p0,false)}" -match("MESSAGE#310:properties/1_1", "nwparser.p0", "'%{domain}'%{p0}"); +var part464 = match("MESSAGE#310:properties/1_1", "nwparser.p0", "'%{domain}'%{p0}"); var select83 = linear_select([ part463, part464, ]); -var part465 = // "Pattern{Field(,false), Constant('were changed')}" -match("MESSAGE#310:properties/2", "nwparser.p0", "%{}were changed"); +var part465 = match("MESSAGE#310:properties/2", "nwparser.p0", "%{}were changed"); var all134 = all_match({ processors: [ @@ -9410,22 +8755,18 @@ var all134 = all_match({ var msg378 = msg("properties", all134); -var part466 = // "Pattern{Constant('properties for system administrator '), Field(p0,false)}" -match("MESSAGE#311:properties:01/0", "nwparser.payload", "properties for system administrator %{p0}"); +var part466 = match("MESSAGE#311:properties:01/0", "nwparser.payload", "properties for system administrator %{p0}"); -var part467 = // "Pattern{Constant('"'), Field(c_username,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#311:properties:01/1_0", "nwparser.p0", "\"%{c_username}\"%{p0}"); +var part467 = match("MESSAGE#311:properties:01/1_0", "nwparser.p0", "\"%{c_username}\"%{p0}"); -var part468 = // "Pattern{Constant('''), Field(c_username,false), Constant('''), Field(p0,false)}" -match("MESSAGE#311:properties:01/1_1", "nwparser.p0", "'%{c_username}'%{p0}"); +var part468 = match("MESSAGE#311:properties:01/1_1", "nwparser.p0", "'%{c_username}'%{p0}"); var select84 = linear_select([ part467, part468, ]); -var part469 = // "Pattern{Field(,false), Constant('have been changed')}" -match("MESSAGE#311:properties:01/2", "nwparser.p0", "%{}have been changed"); +var part469 = match("MESSAGE#311:properties:01/2", "nwparser.p0", "%{}have been changed"); var all135 = all_match({ processors: [ @@ -9453,8 +8794,7 @@ var select85 = linear_select([ msg379, ]); -var part470 = // "Pattern{Constant('PTS has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(info,false)}" -match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code %{resultcode}: description: %{info}", processor_chain([ +var part470 = match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code %{resultcode}: description: %{info}", processor_chain([ dup168, dup12, dup13, @@ -9465,11 +8805,9 @@ match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code % var msg380 = msg("PTS", part470); -var part471 = // "Pattern{Constant('Received a new policy with '), Field(p0,false)}" -match("MESSAGE#313:Received/0", "nwparser.payload", "Received a new policy with %{p0}"); +var part471 = match("MESSAGE#313:Received/0", "nwparser.payload", "Received a new policy with %{p0}"); -var part472 = // "Pattern{Field(info,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#313:Received/1_0", "nwparser.p0", "%{info},Event time: %{fld17->} %{fld18}"); +var part472 = match("MESSAGE#313:Received/1_0", "nwparser.p0", "%{info},Event time: %{fld17->} %{fld18}"); var select86 = linear_select([ part472, @@ -9494,8 +8832,7 @@ var all136 = all_match({ var msg381 = msg("Received", all136); -var part473 = // "Pattern{Constant('Received a new profile with serial number '), Field(fld23,true), Constant(' from Symantec Endpoint Protection Manager.')}" -match("MESSAGE#699:Smc:03", "nwparser.payload", "Received a new profile with serial number %{fld23->} from Symantec Endpoint Protection Manager.", processor_chain([ +var part473 = match("MESSAGE#699:Smc:03", "nwparser.payload", "Received a new profile with serial number %{fld23->} from Symantec Endpoint Protection Manager.", processor_chain([ dup53, dup94, dup13, @@ -9511,8 +8848,7 @@ var select87 = linear_select([ msg382, ]); -var part474 = // "Pattern{Constant('Reconfiguring Symantec Management Client....'), Field(,false)}" -match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec Management Client....%{}", processor_chain([ +var part474 = match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec Management Client....%{}", processor_chain([ dup136, dup12, dup13, @@ -9526,8 +8862,7 @@ match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec M var msg383 = msg("Reconfiguring", part474); -var part475 = // "Pattern{Constant('Reconnected to server after server was unreacheable.'), Field(p0,false)}" -match("MESSAGE#315:Reconnected/0", "nwparser.payload", "Reconnected to server after server was unreacheable.%{p0}"); +var part475 = match("MESSAGE#315:Reconnected/0", "nwparser.payload", "Reconnected to server after server was unreacheable.%{p0}"); var all137 = all_match({ processors: [ @@ -9547,8 +8882,7 @@ var all137 = all_match({ var msg384 = msg("Reconnected", all137); -var part476 = // "Pattern{Constant('Please restart your computer to enable '), Field(info,true), Constant(' changes.'), Field(p0,false)}" -match("MESSAGE#316:restart/0", "nwparser.payload", "Please restart your computer to enable %{info->} changes.%{p0}"); +var part476 = match("MESSAGE#316:restart/0", "nwparser.payload", "Please restart your computer to enable %{info->} changes.%{p0}"); var all138 = all_match({ processors: [ @@ -9568,8 +8902,7 @@ var all138 = all_match({ var msg385 = msg("restart", all138); -var part477 = // "Pattern{Constant('Retry '), Field(info,false), Constant('"')}" -match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chain([ +var part477 = match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chain([ dup43, dup12, dup13, @@ -9580,8 +8913,7 @@ match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chai var msg386 = msg("Retry", part477); -var part478 = // "Pattern{Constant('Retry timestamp is equal or over the next schedule time, switching to regular schedule run.'), Field(,false)}" -match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or over the next schedule time, switching to regular schedule run.%{}", processor_chain([ +var part478 = match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or over the next schedule time, switching to regular schedule run.%{}", processor_chain([ dup43, dup15, setc("action","Retry timestamp is equal or over the next schedule time, switching to regular schedule run."), @@ -9589,8 +8921,7 @@ match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or o var msg387 = msg("Retry:01", part478); -var part479 = // "Pattern{Constant('Retry timestamp is over the maximum retry window, switching to regular schedule run.'), Field(,false)}" -match("MESSAGE#319:Retry:02", "nwparser.payload", "Retry timestamp is over the maximum retry window, switching to regular schedule run.%{}", processor_chain([ +var part479 = match("MESSAGE#319:Retry:02", "nwparser.payload", "Retry timestamp is over the maximum retry window, switching to regular schedule run.%{}", processor_chain([ dup43, dup233, dup15, @@ -9604,8 +8935,7 @@ var select88 = linear_select([ msg388, ]); -var part480 = // "Pattern{Constant('Successfully downloaded the '), Field(application,true), Constant(' security definitions from LiveUpdate. The security definitions are now available for deployment.')}" -match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded the %{application->} security definitions from LiveUpdate. The security definitions are now available for deployment.", processor_chain([ +var part480 = match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded the %{application->} security definitions from LiveUpdate. The security definitions are now available for deployment.", processor_chain([ dup43, setc("event_description","Successfully Downloaded."), dup15, @@ -9613,8 +8943,7 @@ match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded t var msg389 = msg("Successfully", part480); -var part481 = // "Pattern{Constant('Successfully deleted the client install package ''), Field(info,false), Constant(''.')}" -match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted the client install package '%{info}'.", processor_chain([ +var part481 = match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted the client install package '%{info}'.", processor_chain([ dup43, dup234, dup15, @@ -9622,8 +8951,7 @@ match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted t var msg390 = msg("Successfully:01", part481); -var part482 = // "Pattern{Constant('Successfully imported the Symantec Endpoint Protection version '), Field(version,true), Constant(' for '), Field(fld3,true), Constant(' package during the server upgrade. This package is now available for deployment.')}" -match("MESSAGE#322:Successfully:02", "nwparser.payload", "Successfully imported the Symantec Endpoint Protection version %{version->} for %{fld3->} package during the server upgrade. This package is now available for deployment.", processor_chain([ +var part482 = match("MESSAGE#322:Successfully:02", "nwparser.payload", "Successfully imported the Symantec Endpoint Protection version %{version->} for %{fld3->} package during the server upgrade. This package is now available for deployment.", processor_chain([ dup43, dup234, dup15, @@ -9637,8 +8965,7 @@ var select89 = linear_select([ msg391, ]); -var part483 = // "Pattern{Constant('Risk Repair Failed..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,true), Constant(' ..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7->} ..Severity: %{severity}..Source: %{product}", processor_chain([ +var part483 = match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7->} ..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup166, dup15, @@ -9647,8 +8974,7 @@ match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: var msg392 = msg("Risk:01", part483); -var part484 = // "Pattern{Constant('Risk Repair Failed..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ +var part484 = match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ dup110, dup152, dup166, @@ -9658,8 +8984,7 @@ match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}.. var msg393 = msg("Risk:02", part484); -var part485 = // "Pattern{Constant('Risk Repaired..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part485 = match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ dup110, dup166, dup15, @@ -9668,8 +8993,7 @@ match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{sho var msg394 = msg("Risk:03", part485); -var part486 = // "Pattern{Constant('Risk Repaired..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ +var part486 = match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ dup110, dup152, dup166, @@ -9679,14 +9003,11 @@ match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld var msg395 = msg("Risk:04", part486); -var part487 = // "Pattern{Constant('Risk sample submitted to Symantec,Computer name: '), Field(p0,false)}" -match("MESSAGE#327:Risk:05/0", "nwparser.payload", "Risk sample submitted to Symantec,Computer name: %{p0}"); +var part487 = match("MESSAGE#327:Risk:05/0", "nwparser.payload", "Risk sample submitted to Symantec,Computer name: %{p0}"); -var part488 = // "Pattern{Field(event_type,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#327:Risk:05/2", "nwparser.p0", "%{event_type},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part488 = match("MESSAGE#327:Risk:05/2", "nwparser.p0", "%{event_type},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); -var part489 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld16,true), Constant(' '), Field(fld17,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#327:Risk:05/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld16->} %{fld17},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part489 = match("MESSAGE#327:Risk:05/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld16->} %{fld17},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all139 = all_match({ processors: [ @@ -9726,8 +9047,7 @@ var select90 = linear_select([ msg396, ]); -var part490 = // "Pattern{Constant('Scan Start/Stop..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(fld22,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" -match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{filename}..%{info}..%{fld22}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ +var part490 = match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{filename}..%{info}..%{fld22}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ dup43, dup152, dup166, @@ -9737,8 +9057,7 @@ match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5 var msg397 = msg("Scan", part490); -var part491 = // "Pattern{Constant('Scan Start/Stop..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(info,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false)}" -match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{info}..%{severity}..%{product}..%{fld6}..%{username}", processor_chain([ +var part491 = match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{info}..%{severity}..%{product}..%{fld6}..%{username}", processor_chain([ dup43, dup166, dup15, @@ -9747,8 +9066,7 @@ match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{f var msg398 = msg("Scan:01", part491); -var part492 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(',"'), Field(info,false), Constant('","'), Field(context,false), Constant('",Command: Not a command scan (),Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant('Domain: '), Field(domain,false), Constant('Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},\"%{info}\",\"%{context}\",Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr}Domain: %{domain}Group: %{group},Server: %{hostid}", processor_chain([ +var part492 = match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},\"%{info}\",\"%{context}\",Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr}Domain: %{domain}Group: %{group},Server: %{hostid}", processor_chain([ dup43, dup12, dup14, @@ -9762,8 +9080,7 @@ match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld var msg399 = msg("Scan:02", part492); -var part493 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld1,false), Constant(',End: '), Field(fld2,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(','), Field(fld22,false), Constant(',,Command: '), Field(fld4,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(fld5,false), Constant(',Omitted: '), Field(fld21,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',"Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{fld22},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},\"Group: %{group},Server: %{hostid}", processor_chain([ +var part493 = match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{fld22},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},\"Group: %{group},Server: %{hostid}", processor_chain([ dup43, dup12, dup14, @@ -9777,11 +9094,9 @@ match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld var msg400 = msg("Scan:09", part493); -var part494 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld22,false), Constant(','), Field(info,false), Constant(',Command: Not a command scan (),Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld21,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" -match("MESSAGE#332:Scan:03/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld22},%{info},Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld21}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},%{p0}"); +var part494 = match("MESSAGE#332:Scan:03/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld22},%{info},Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld21}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},%{p0}"); -var part495 = // "Pattern{Field(hostid,false)}" -match_copy("MESSAGE#332:Scan:03/2", "nwparser.p0", "hostid"); +var part495 = match_copy("MESSAGE#332:Scan:03/2", "nwparser.p0", "hostid"); var all140 = all_match({ processors: [ @@ -9804,8 +9119,7 @@ var all140 = all_match({ var msg401 = msg("Scan:03", all140); -var part496 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld1,false), Constant(',End: '), Field(fld2,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(',Files scanned: '), Field(dclass_counter2,false), Constant(',,Command: '), Field(fld4,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(fld5,false), Constant(',Omitted: '), Field(fld21,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},Files scanned: %{dclass_counter2},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}", processor_chain([ +var part496 = match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},Files scanned: %{dclass_counter2},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}", processor_chain([ dup43, dup12, dup14, @@ -9819,14 +9133,11 @@ match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld var msg402 = msg("Scan:08", part496); -var part497 = // "Pattern{Constant('Scan Delayed: Risks: '), Field(dclass_counter1,true), Constant(' Scanned: '), Field(dclass_counter2,true), Constant(' Files/Folders/Drives Omitted: '), Field(p0,false)}" -match("MESSAGE#334:Scan:04/0", "nwparser.payload", "Scan Delayed: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{p0}"); +var part497 = match("MESSAGE#334:Scan:04/0", "nwparser.payload", "Scan Delayed: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{p0}"); -var part498 = // "Pattern{Field(dclass_counter3,true), Constant(' Trusted Files Skipped: '), Field(fld1,false)}" -match("MESSAGE#334:Scan:04/1_0", "nwparser.p0", "%{dclass_counter3->} Trusted Files Skipped: %{fld1}"); +var part498 = match("MESSAGE#334:Scan:04/1_0", "nwparser.p0", "%{dclass_counter3->} Trusted Files Skipped: %{fld1}"); -var part499 = // "Pattern{Field(dclass_counter3,false)}" -match_copy("MESSAGE#334:Scan:04/1_1", "nwparser.p0", "dclass_counter3"); +var part499 = match_copy("MESSAGE#334:Scan:04/1_1", "nwparser.p0", "dclass_counter3"); var select91 = linear_select([ part498, @@ -9855,8 +9166,7 @@ var all141 = all_match({ var msg403 = msg("Scan:04", all141); -var part500 = // "Pattern{Field(action,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant(': Risks: '), Field(dclass_counter1,true), Constant(' Scanned: '), Field(dclass_counter2,true), Constant(' Files/Folders/Drives Omitted: '), Field(dclass_counter3,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld4,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{dclass_counter3}..Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part500 = match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{dclass_counter3}..Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, dup166, dup15, @@ -9867,8 +9177,7 @@ match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}. var msg404 = msg("Scan:05", part500); -var part501 = // "Pattern{Field(action,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant('...Time: '), Field(fld6,true), Constant(' '), Field(fld4,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}...Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part501 = match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}...Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, dup166, dup15, @@ -9876,8 +9185,7 @@ match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}. var msg405 = msg("Scan:06", part501); -var part502 = // "Pattern{Constant('Scan started on all drives and all extensions.'), Field(,false)}" -match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and all extensions.%{}", processor_chain([ +var part502 = match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and all extensions.%{}", processor_chain([ dup43, dup12, dup13, @@ -9888,8 +9196,7 @@ match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and var msg406 = msg("Scan:07", part502); -var part503 = // "Pattern{Constant('Scan Suspended: '), Field(info,false)}" -match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", processor_chain([ +var part503 = match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", processor_chain([ dup43, dup12, dup13, @@ -9900,8 +9207,7 @@ match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", proc var msg407 = msg("Scan:11", part503); -var part504 = // "Pattern{Constant('Scan resumed on all drives and all extensions.'), Field(,false)}" -match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and all extensions.%{}", processor_chain([ +var part504 = match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and all extensions.%{}", processor_chain([ dup43, dup12, dup13, @@ -9912,11 +9218,9 @@ match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and var msg408 = msg("Scan:10", part504); -var part505 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(uid,false), Constant(',User2: '), Field(fld3,false), Constant(',''), Field(info,false), Constant('','), Field(p0,false)}" -match("MESSAGE#340:Scan:12/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2: %{fld3},'%{info}',%{p0}"); +var part505 = match("MESSAGE#340:Scan:12/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2: %{fld3},'%{info}',%{p0}"); -var part506 = // "Pattern{Constant('Command: Update Content and Scan Active,Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#340:Scan:12/2", "nwparser.p0", "Command: Update Content and Scan Active,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); +var part506 = match("MESSAGE#340:Scan:12/2", "nwparser.p0", "Command: Update Content and Scan Active,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); var all142 = all_match({ processors: [ @@ -9939,11 +9243,9 @@ var all142 = all_match({ var msg409 = msg("Scan:12", all142); -var part507 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End:'), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(uid,false), Constant(',User2:'), Field(fld3,false), Constant(',''), Field(info,false), Constant('','), Field(p0,false)}" -match("MESSAGE#341:Scan:13/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End:%{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2:%{fld3},'%{info}',%{p0}"); +var part507 = match("MESSAGE#341:Scan:13/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End:%{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2:%{fld3},'%{info}',%{p0}"); -var part508 = // "Pattern{Constant('Command: Full Scan,Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#341:Scan:13/2", "nwparser.p0", "Command: Full Scan,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); +var part508 = match("MESSAGE#341:Scan:13/2", "nwparser.p0", "Command: Full Scan,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); var all143 = all_match({ processors: [ @@ -9966,33 +9268,27 @@ var all143 = all_match({ var msg410 = msg("Scan:13", all143); -var part509 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(','), Field(p0,false)}" -match("MESSAGE#342:Scan:14/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{p0}"); +var part509 = match("MESSAGE#342:Scan:14/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{p0}"); -var part510 = // "Pattern{Field(info,false), Constant('","'), Field(p0,false)}" -match("MESSAGE#342:Scan:14/2_0", "nwparser.p0", "%{info}\",\"%{p0}"); +var part510 = match("MESSAGE#342:Scan:14/2_0", "nwparser.p0", "%{info}\",\"%{p0}"); -var part511 = // "Pattern{Field(info,false), Constant(','), Field(p0,false)}" -match("MESSAGE#342:Scan:14/2_1", "nwparser.p0", "%{info},%{p0}"); +var part511 = match("MESSAGE#342:Scan:14/2_1", "nwparser.p0", "%{info},%{p0}"); var select92 = linear_select([ part510, part511, ]); -var part512 = // "Pattern{Field(context,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#342:Scan:14/3_0", "nwparser.p0", "%{context}\",%{p0}"); +var part512 = match("MESSAGE#342:Scan:14/3_0", "nwparser.p0", "%{context}\",%{p0}"); -var part513 = // "Pattern{Field(context,false), Constant(','), Field(p0,false)}" -match("MESSAGE#342:Scan:14/3_1", "nwparser.p0", "%{context},%{p0}"); +var part513 = match("MESSAGE#342:Scan:14/3_1", "nwparser.p0", "%{context},%{p0}"); var select93 = linear_select([ part512, part513, ]); -var part514 = // "Pattern{Constant('Command: '), Field(fld10,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" -match("MESSAGE#342:Scan:14/4", "nwparser.p0", "Command: %{fld10},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); +var part514 = match("MESSAGE#342:Scan:14/4", "nwparser.p0", "Command: %{fld10},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); var all144 = all_match({ processors: [ @@ -10035,8 +9331,7 @@ var select94 = linear_select([ msg411, ]); -var part515 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#343:Security:03/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part515 = match("MESSAGE#343:Security:03/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all145 = all_match({ processors: [ @@ -10088,33 +9383,27 @@ var all146 = all_match({ var msg413 = msg("Security:06", all146); -var part516 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Cookie:'), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Last update time: '), Field(fld57,false), Constant(',Domain: '), Field(domain,true), Constant(' ,'), Field(p0,false)}" -match("MESSAGE#345:Security:05/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie:%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain->} ,%{p0}"); +var part516 = match("MESSAGE#345:Security:05/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie:%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain->} ,%{p0}"); -var part517 = // "Pattern{Constant('" '), Field(p0,false)}" -match("MESSAGE#345:Security:05/3_0", "nwparser.p0", "\" %{p0}"); +var part517 = match("MESSAGE#345:Security:05/3_0", "nwparser.p0", "\" %{p0}"); var select95 = linear_select([ part517, dup194, ]); -var part518 = // "Pattern{Constant('Group: '), Field(group,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#345:Security:05/4", "nwparser.p0", "Group: %{group->} %{p0}"); +var part518 = match("MESSAGE#345:Security:05/4", "nwparser.p0", "Group: %{group->} %{p0}"); -var part519 = // "Pattern{Constant('", '), Field(p0,false)}" -match("MESSAGE#345:Security:05/5_0", "nwparser.p0", "\", %{p0}"); +var part519 = match("MESSAGE#345:Security:05/5_0", "nwparser.p0", "\", %{p0}"); -var part520 = // "Pattern{Constant(', '), Field(p0,false)}" -match("MESSAGE#345:Security:05/5_1", "nwparser.p0", ", %{p0}"); +var part520 = match("MESSAGE#345:Security:05/5_1", "nwparser.p0", ", %{p0}"); var select96 = linear_select([ part519, part520, ]); -var part521 = // "Pattern{Constant('Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(', File size (bytes): '), Field(p0,false)}" -match("MESSAGE#345:Security:05/6", "nwparser.p0", "Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); +var part521 = match("MESSAGE#345:Security:05/6", "nwparser.p0", "Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); var all147 = all_match({ processors: [ @@ -10146,8 +9435,7 @@ var all147 = all_match({ var msg414 = msg("Security:05", all147); -var part522 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(',0,Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" -match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}", processor_chain([ +var part522 = match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}", processor_chain([ dup110, dup12, dup115, @@ -10165,8 +9453,7 @@ match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Add var msg415 = msg("Security:04", part522); -var part523 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Last update time: '), Field(fld57,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(', File size (bytes): '), Field(p0,false)}" -match("MESSAGE#347:Security:07/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); +var part523 = match("MESSAGE#347:Security:07/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); var all148 = all_match({ processors: [ @@ -10194,19 +9481,16 @@ var all148 = all_match({ var msg416 = msg("Security:07", all148); -var part524 = // "Pattern{Constant('Security risk found,Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#348:Security:13/0", "nwparser.payload", "Security risk found,Computer name: %{shost},%{p0}"); +var part524 = match("MESSAGE#348:Security:13/0", "nwparser.payload", "Security risk found,Computer name: %{shost},%{p0}"); -var part525 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(','), Field(p0,false)}" -match("MESSAGE#348:Security:13/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},%{p0}"); +var part525 = match("MESSAGE#348:Security:13/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},%{p0}"); var select97 = linear_select([ part525, dup77, ]); -var part526 = // "Pattern{Constant('IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(severity,false), Constant(',First Seen: '), Field(fld1,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,true), Constant(' ,Hash type: '), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld3,true), Constant(' ,File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld4,false), Constant(',Detection score: '), Field(fld5,false), Constant(',COH Engine Version: '), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',Permitted application reason: '), Field(fld8,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld10,false), Constant(',Web domain:'), Field(fld11,true), Constant(' ,Downloaded by: '), Field(fld12,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld15,false), Constant(',Risk Level: '), Field(fld16,false), Constant(',Risk type: '), Field(fld17,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name:'), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld18,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld19,true), Constant(' '), Field(fld20,false), Constant(',Inserted: '), Field(fld21,false), Constant(',End: '), Field(fld22,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld23,false), Constant(',Source IP: '), Field(fld24,false)}" -match("MESSAGE#348:Security:13/2", "nwparser.p0", "IP Address: %{saddr},Detection type: %{severity},First Seen: %{fld1},Application name: %{application},Application type: %{obj_type},Application version:%{version->} ,Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld3->} ,File size (bytes): %{filename_size},Sensitivity: %{fld4},Detection score: %{fld5},COH Engine Version: %{fld6},%{fld7},Permitted application reason: %{fld8},Disposition: %{result},Download site: %{fld10},Web domain:%{fld11->} ,Downloaded by: %{fld12},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld15},Risk Level: %{fld16},Risk type: %{fld17},Source: %{event_source},Risk name:%{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld18},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld19->} %{fld20},Inserted: %{fld21},End: %{fld22},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld23},Source IP: %{fld24}"); +var part526 = match("MESSAGE#348:Security:13/2", "nwparser.p0", "IP Address: %{saddr},Detection type: %{severity},First Seen: %{fld1},Application name: %{application},Application type: %{obj_type},Application version:%{version->} ,Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld3->} ,File size (bytes): %{filename_size},Sensitivity: %{fld4},Detection score: %{fld5},COH Engine Version: %{fld6},%{fld7},Permitted application reason: %{fld8},Disposition: %{result},Download site: %{fld10},Web domain:%{fld11->} ,Downloaded by: %{fld12},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld15},Risk Level: %{fld16},Risk type: %{fld17},Source: %{event_source},Risk name:%{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld18},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld19->} %{fld20},Inserted: %{fld21},End: %{fld22},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld23},Source IP: %{fld24}"); var all149 = all_match({ processors: [ @@ -10249,8 +9533,7 @@ var all149 = all_match({ var msg417 = msg("Security:13", all149); -var part527 = // "Pattern{Constant('Security risk found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ +var part527 = match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ dup110, dup12, dup115, @@ -10268,8 +9551,7 @@ match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer var msg418 = msg("Security", part527); -var part528 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Cookie: '), Field(fld1,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie: %{fld1},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ +var part528 = match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie: %{fld1},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ dup110, dup12, dup115, @@ -10286,8 +9568,7 @@ match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Add var msg419 = msg("Security:01", part528); -var part529 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#351:Security:02", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ +var part529 = match("MESSAGE#351:Security:02", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ dup110, dup12, dup115, @@ -10317,8 +9598,7 @@ var select98 = linear_select([ msg420, ]); -var part530 = // "Pattern{Constant('Compressed File,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ +var part530 = match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ dup110, dup12, dup152, @@ -10333,11 +9613,9 @@ match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer na var msg421 = msg("Compressed", part530); -var part531 = // "Pattern{Constant('Compressed File,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#353:Compressed:02/0", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var part531 = match("MESSAGE#353:Compressed:02/0", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var part532 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" -match("MESSAGE#353:Compressed:02/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},%{p0}"); +var part532 = match("MESSAGE#353:Compressed:02/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},%{p0}"); var all150 = all_match({ processors: [ @@ -10364,8 +9642,7 @@ var all150 = all_match({ var msg422 = msg("Compressed:02", all150); -var part533 = // "Pattern{Constant('Compressed File,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" -match("MESSAGE#354:Compressed:01", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ +var part533 = match("MESSAGE#354:Compressed:01", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ dup110, dup12, dup152, @@ -10386,8 +9663,7 @@ var select99 = linear_select([ msg423, ]); -var part534 = // "Pattern{Constant('Stop serving as the Group Update Provider (proxy server)'), Field(,false)}" -match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update Provider (proxy server)%{}", processor_chain([ +var part534 = match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update Provider (proxy server)%{}", processor_chain([ dup43, dup12, dup13, @@ -10398,8 +9674,7 @@ match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update var msg424 = msg("Stop", part534); -var part535 = // "Pattern{Constant('Stop Symantec Network Access Control client.'), Field(,false)}" -match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access Control client.%{}", processor_chain([ +var part535 = match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access Control client.%{}", processor_chain([ dup43, dup12, dup13, @@ -10410,8 +9685,7 @@ match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access C var msg425 = msg("Stop:01", part535); -var part536 = // "Pattern{Constant('Stop using Group Update Provider (proxy server) @ '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" -match("MESSAGE#357:Stop:02", "nwparser.payload", "Stop using Group Update Provider (proxy server) @ %{saddr}:%{sport}.", processor_chain([ +var part536 = match("MESSAGE#357:Stop:02", "nwparser.payload", "Stop using Group Update Provider (proxy server) @ %{saddr}:%{sport}.", processor_chain([ dup43, dup12, dup13, @@ -10428,8 +9702,7 @@ var select100 = linear_select([ msg426, ]); -var part537 = // "Pattern{Constant('Stopping Symantec Management Client....'), Field(p0,false)}" -match("MESSAGE#358:Stopping/0", "nwparser.payload", "Stopping Symantec Management Client....%{p0}"); +var part537 = match("MESSAGE#358:Stopping/0", "nwparser.payload", "Stopping Symantec Management Client....%{p0}"); var all151 = all_match({ processors: [ @@ -10452,8 +9725,7 @@ var all151 = all_match({ var msg427 = msg("Stopping", all151); -var part538 = // "Pattern{Constant('Submission Control signatures '), Field(version,true), Constant(' is up-to-date.')}" -match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatures %{version->} is up-to-date.", processor_chain([ +var part538 = match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatures %{version->} is up-to-date.", processor_chain([ dup92, dup12, dup13, @@ -10464,8 +9736,7 @@ match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatur var msg428 = msg("Submission", part538); -var part539 = // "Pattern{Constant('Switched to server control.'), Field(,false)}" -match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{}", processor_chain([ +var part539 = match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{}", processor_chain([ dup136, dup12, dup13, @@ -10479,8 +9750,7 @@ match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{ var msg429 = msg("Switched", part539); -var part540 = // "Pattern{Constant('Symantec Endpoint Protection Manager Content Catalog '), Field(version,true), Constant(' is up-to-date.')}" -match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} is up-to-date.", processor_chain([ +var part540 = match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} is up-to-date.", processor_chain([ dup86, dup15, setc("event_description","Symantec Endpoint Protection Manager Content Catalog is up to date."), @@ -10488,8 +9758,7 @@ match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protecti var msg430 = msg("Symantec:18", part540); -var part541 = // "Pattern{Constant('Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list '), Field(application,false), Constant('.')}" -match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list %{application}.", processor_chain([ +var part541 = match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list %{application}.", processor_chain([ dup43, dup15, setc("event_description","Symantec Endpoint Protection Manager could not update TruScan proactive threat scan."), @@ -10497,8 +9766,7 @@ match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protecti var msg431 = msg("Symantec:33", part541); -var part542 = // "Pattern{Constant('Symantec Endpoint Protection '), Field(application,true), Constant(' '), Field(version,true), Constant(' ('), Field(info,false), Constant(') is up-to-date.')}" -match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) is up-to-date.", processor_chain([ +var part542 = match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) is up-to-date.", processor_chain([ dup86, dup15, setc("event_description","Symantec Endpoint Protection is up to date."), @@ -10506,8 +9774,7 @@ match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protecti var msg432 = msg("Symantec:17", part542); -var part543 = // "Pattern{Constant('Symantec Endpoint Protection '), Field(application,true), Constant(' '), Field(version,true), Constant(' ('), Field(info,false), Constant(') failed to update.')}" -match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) failed to update.", processor_chain([ +var part543 = match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) failed to update.", processor_chain([ dup86, dup12, dup13, @@ -10517,8 +9784,7 @@ match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protecti var msg433 = msg("Symantec:20", part543); -var part544 = // "Pattern{Constant('Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled'), Field(p0,false)}" -match("MESSAGE#365:Symantec:16/0", "nwparser.payload", "Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled%{p0}"); +var part544 = match("MESSAGE#365:Symantec:16/0", "nwparser.payload", "Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled%{p0}"); var all152 = all_match({ processors: [ @@ -10537,8 +9803,7 @@ var all152 = all_match({ var msg434 = msg("Symantec:16", all152); -var part545 = // "Pattern{Constant('Symantec Network Access Control client started.'), Field(,false)}" -match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Control client started.%{}", processor_chain([ +var part545 = match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Control client started.%{}", processor_chain([ dup43, dup12, dup13, @@ -10548,8 +9813,7 @@ match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Co var msg435 = msg("Symantec:15", part545); -var part546 = // "Pattern{Constant('Symantec Endpoint Protection Tamper Protection Disabled'), Field(,false)}" -match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protection Tamper Protection Disabled%{}", processor_chain([ +var part546 = match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protection Tamper Protection Disabled%{}", processor_chain([ dup168, dup12, dup13, @@ -10560,8 +9824,7 @@ match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protecti var msg436 = msg("Symantec:11", part546); -var part547 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Description: '), Field(info,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{info}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part547 = match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{info}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, dup166, dup15, @@ -10570,8 +9833,7 @@ match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Sh var msg437 = msg("Symantec", part547); -var part548 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('........'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" -match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6}", processor_chain([ +var part548 = match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6}", processor_chain([ dup43, dup166, dup15, @@ -10580,8 +9842,7 @@ match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup var msg438 = msg("Symantec:01", part548); -var part549 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" -match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ +var part549 = match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ dup43, dup166, dup15, @@ -10590,22 +9851,18 @@ match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup var msg439 = msg("Symantec:02", part549); -var part550 = // "Pattern{Constant('Symantec Endpoint Protection Manager Content Catalog '), Field(version,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#371:Symantec:03/0", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} %{p0}"); +var part550 = match("MESSAGE#371:Symantec:03/0", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} %{p0}"); -var part551 = // "Pattern{Constant('is up-to-date '), Field(p0,false)}" -match("MESSAGE#371:Symantec:03/1_0", "nwparser.p0", "is up-to-date %{p0}"); +var part551 = match("MESSAGE#371:Symantec:03/1_0", "nwparser.p0", "is up-to-date %{p0}"); -var part552 = // "Pattern{Constant('was successfully updated '), Field(p0,false)}" -match("MESSAGE#371:Symantec:03/1_1", "nwparser.p0", "was successfully updated %{p0}"); +var part552 = match("MESSAGE#371:Symantec:03/1_1", "nwparser.p0", "was successfully updated %{p0}"); var select101 = linear_select([ part551, part552, ]); -var part553 = // "Pattern{Constant('.'), Field(,false)}" -match("MESSAGE#371:Symantec:03/2", "nwparser.p0", ".%{}"); +var part553 = match("MESSAGE#371:Symantec:03/2", "nwparser.p0", ".%{}"); var all153 = all_match({ processors: [ @@ -10625,8 +9882,7 @@ var all153 = all_match({ var msg440 = msg("Symantec:03", all153); -var part554 = // "Pattern{Constant('Symantec Endpoint Protection services shutdown was successful.'), Field(p0,false)}" -match("MESSAGE#372:Symantec:04/0", "nwparser.payload", "Symantec Endpoint Protection services shutdown was successful.%{p0}"); +var part554 = match("MESSAGE#372:Symantec:04/0", "nwparser.payload", "Symantec Endpoint Protection services shutdown was successful.%{p0}"); var all154 = all_match({ processors: [ @@ -10646,8 +9902,7 @@ var all154 = all_match({ var msg441 = msg("Symantec:04", all154); -var part555 = // "Pattern{Constant('Symantec Endpoint Protection services startup was successful.'), Field(p0,false)}" -match("MESSAGE#373:Symantec:05/0", "nwparser.payload", "Symantec Endpoint Protection services startup was successful.%{p0}"); +var part555 = match("MESSAGE#373:Symantec:05/0", "nwparser.payload", "Symantec Endpoint Protection services startup was successful.%{p0}"); var all155 = all_match({ processors: [ @@ -10667,8 +9922,7 @@ var all155 = all_match({ var msg442 = msg("Symantec:05", all155); -var part556 = // "Pattern{Constant('Symantec Management Client is stopped.'), Field(p0,false)}" -match("MESSAGE#374:Symantec:06/0", "nwparser.payload", "Symantec Management Client is stopped.%{p0}"); +var part556 = match("MESSAGE#374:Symantec:06/0", "nwparser.payload", "Symantec Management Client is stopped.%{p0}"); var all156 = all_match({ processors: [ @@ -10688,22 +9942,18 @@ var all156 = all_match({ var msg443 = msg("Symantec:06", all156); -var part557 = // "Pattern{Constant('Symantec Management Client has been '), Field(p0,false)}" -match("MESSAGE#375:Symantec:07/0", "nwparser.payload", "Symantec Management Client has been %{p0}"); +var part557 = match("MESSAGE#375:Symantec:07/0", "nwparser.payload", "Symantec Management Client has been %{p0}"); -var part558 = // "Pattern{Constant('started'), Field(p0,false)}" -match("MESSAGE#375:Symantec:07/1_0", "nwparser.p0", "started%{p0}"); +var part558 = match("MESSAGE#375:Symantec:07/1_0", "nwparser.p0", "started%{p0}"); -var part559 = // "Pattern{Constant('activated'), Field(p0,false)}" -match("MESSAGE#375:Symantec:07/1_1", "nwparser.p0", "activated%{p0}"); +var part559 = match("MESSAGE#375:Symantec:07/1_1", "nwparser.p0", "activated%{p0}"); var select102 = linear_select([ part558, part559, ]); -var part560 = // "Pattern{Constant(' .'), Field(,false)}" -match("MESSAGE#375:Symantec:07/2_1", "nwparser.p0", " .%{}"); +var part560 = match("MESSAGE#375:Symantec:07/2_1", "nwparser.p0", " .%{}"); var select103 = linear_select([ dup186, @@ -10729,8 +9979,7 @@ var all157 = all_match({ var msg444 = msg("Symantec:07", all157); -var part561 = // "Pattern{Constant('Symantec Management Client has been '), Field(info,false)}" -match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client has been %{info}", processor_chain([ +var part561 = match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client has been %{info}", processor_chain([ dup257, dup12, dup13, @@ -10741,8 +9990,7 @@ match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client var msg445 = msg("Symantec:08", part561); -var part562 = // "Pattern{Constant('Symantec Endpoint Protection Auto-Protect failed to load.'), Field(,false)}" -match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protection Auto-Protect failed to load.%{}", processor_chain([ +var part562 = match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protection Auto-Protect failed to load.%{}", processor_chain([ dup43, dup12, dup13, @@ -10753,8 +10001,7 @@ match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protecti var msg446 = msg("Symantec:09", part562); -var part563 = // "Pattern{Constant('Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. '), Field(p0,false)}" -match("MESSAGE#378:Symantec:10/0", "nwparser.payload", "Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. %{p0}"); +var part563 = match("MESSAGE#378:Symantec:10/0", "nwparser.payload", "Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. %{p0}"); var all158 = all_match({ processors: [ @@ -10774,8 +10021,7 @@ var all158 = all_match({ var msg447 = msg("Symantec:10", all158); -var part564 = // "Pattern{Constant('Symantec AntiVirus services startup was successful'), Field(,false)}" -match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus services startup was successful%{}", processor_chain([ +var part564 = match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus services startup was successful%{}", processor_chain([ dup53, dup12, dup13, @@ -10786,8 +10032,7 @@ match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus service var msg448 = msg("Symantec:12", part564); -var part565 = // "Pattern{Constant('Symantec AntiVirus services shutdown was successful'), Field(,false)}" -match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus services shutdown was successful%{}", processor_chain([ +var part565 = match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus services shutdown was successful%{}", processor_chain([ dup53, dup12, dup13, @@ -10798,8 +10043,7 @@ match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus service var msg449 = msg("Symantec:13", part565); -var part566 = // "Pattern{Constant('Symantec AntiVirus services failed to start. '), Field(space,true), Constant(' ('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus services failed to start. %{space->} (%{resultcode})", processor_chain([ +var part566 = match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus services failed to start. %{space->} (%{resultcode})", processor_chain([ dup86, dup12, dup13, @@ -10810,8 +10054,7 @@ match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus service var msg450 = msg("Symantec:14", part566); -var part567 = // "Pattern{Constant('Symantec Endpoint Protection services failed to start. '), Field(space,true), Constant(' ('), Field(resultcode,false), Constant(')')}" -match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protection services failed to start. %{space->} (%{resultcode})", processor_chain([ +var part567 = match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protection services failed to start. %{space->} (%{resultcode})", processor_chain([ dup86, dup12, dup13, @@ -10822,8 +10065,7 @@ match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protecti var msg451 = msg("Symantec:19", part567); -var part568 = // "Pattern{Constant('Symantec Endpoint Protection Manager server started with trial license.'), Field(,false)}" -match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protection Manager server started with trial license.%{}", processor_chain([ +var part568 = match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protection Manager server started with trial license.%{}", processor_chain([ dup43, dup15, setc("event_description","Symantec Endpoint Protection Manager server started with trial license."), @@ -10831,8 +10073,7 @@ match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protecti var msg452 = msg("Symantec:21", part568); -var part569 = // "Pattern{Constant('Symantec trial license has expired.'), Field(,false)}" -match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has expired.%{}", processor_chain([ +var part569 = match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has expired.%{}", processor_chain([ dup259, dup15, setc("event_description","Symantec trial license has expired."), @@ -10840,8 +10081,7 @@ match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has var msg453 = msg("Symantec:22", part569); -var part570 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,"Reputation check timed out during unproven file evaluation, likely due to network delays."')}" -match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,\"Reputation check timed out during unproven file evaluation, likely due to network delays.\"", processor_chain([ +var part570 = match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,\"Reputation check timed out during unproven file evaluation, likely due to network delays.\"", processor_chain([ dup259, dup12, dup13, @@ -10851,8 +10091,7 @@ match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symante var msg454 = msg("Symantec:23", part570); -var part571 = // "Pattern{Constant('Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled'), Field(,false)}" -match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled%{}", processor_chain([ +var part571 = match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled%{}", processor_chain([ dup43, dup12, dup13, @@ -10862,8 +10101,7 @@ match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protecti var msg455 = msg("Symantec:24", part571); -var part572 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : ''), Field(filename,false), Constant(''.')}" -match("MESSAGE#387:Symantec:25", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : '%{filename}'.", processor_chain([ +var part572 = match("MESSAGE#387:Symantec:25", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : '%{filename}'.", processor_chain([ dup43, dup12, dup13, @@ -10878,11 +10116,9 @@ var select104 = linear_select([ dup262, ]); -var part573 = // "Pattern{Field(,false), Constant('advanced heuristic detection submission] Submitting information to Symantec about file failed. File : ''), Field(filename,false), Constant(''.'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/2", "nwparser.p0", "%{}advanced heuristic detection submission] Submitting information to Symantec about file failed. File : '%{filename}'.%{p0}"); +var part573 = match("MESSAGE#388:Symantec:26/2", "nwparser.p0", "%{}advanced heuristic detection submission] Submitting information to Symantec about file failed. File : '%{filename}'.%{p0}"); -var part574 = // "Pattern{Constant(' Network error : ''), Field(fld56,false), Constant(''.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#388:Symantec:26/3_0", "nwparser.p0", " Network error : '%{fld56}'.,Event time: %{fld17->} %{fld18}"); +var part574 = match("MESSAGE#388:Symantec:26/3_0", "nwparser.p0", " Network error : '%{fld56}'.,Event time: %{fld17->} %{fld18}"); var select105 = linear_select([ part574, @@ -10909,8 +10145,7 @@ var all159 = all_match({ var msg457 = msg("Symantec:26", all159); -var part575 = // "Pattern{Field(,false), Constant('submission] Information submitted to Symantec about file. File : ''), Field(filename,false), Constant('','), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/4", "nwparser.p0", "%{}submission] Information submitted to Symantec about file. File : '%{filename}',%{p0}"); +var part575 = match("MESSAGE#389:Symantec:39/4", "nwparser.p0", "%{}submission] Information submitted to Symantec about file. File : '%{filename}',%{p0}"); var all160 = all_match({ processors: [ @@ -10933,8 +10168,7 @@ var all160 = all_match({ var msg458 = msg("Symantec:39", all160); -var part576 = // "Pattern{Field(,false), Constant('submission] File submitted to Symantec for analysis. File : ''), Field(filename,false), Constant('','), Field(p0,false)}" -match("MESSAGE#390:Symantec:40/4", "nwparser.p0", "%{}submission] File submitted to Symantec for analysis. File : '%{filename}',%{p0}"); +var part576 = match("MESSAGE#390:Symantec:40/4", "nwparser.p0", "%{}submission] File submitted to Symantec for analysis. File : '%{filename}',%{p0}"); var all161 = all_match({ processors: [ @@ -10957,8 +10191,7 @@ var all161 = all_match({ var msg459 = msg("Symantec:40", all161); -var part577 = // "Pattern{Constant('Symantec Endpoint Protection Manager server started with paid license.'), Field(,false)}" -match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protection Manager server started with paid license.%{}", processor_chain([ +var part577 = match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protection Manager server started with paid license.%{}", processor_chain([ dup43, dup12, dup13, @@ -10968,8 +10201,7 @@ match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protecti var msg460 = msg("Symantec:27", part577); -var part578 = // "Pattern{Constant('Uninstalling Symantec Management Client....'), Field(,false)}" -match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Management Client....%{}", processor_chain([ +var part578 = match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Management Client....%{}", processor_chain([ dup43, dup12, dup13, @@ -10979,8 +10211,7 @@ match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Mana var msg461 = msg("Symantec:28", part578); -var part579 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(result,false)}" -match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code %{resultcode}: description: %{result}", processor_chain([ +var part579 = match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code %{resultcode}: description: %{result}", processor_chain([ dup43, dup12, dup13, @@ -10991,8 +10222,7 @@ match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpo var msg462 = msg("Symantec:29", part579); -var part580 = // "Pattern{Constant('Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. '), Field(result,false), Constant('.')}" -match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. %{result}.", processor_chain([ +var part580 = match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. %{result}.", processor_chain([ dup43, dup12, dup13, @@ -11004,8 +10234,7 @@ match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protecti var msg463 = msg("Symantec:30", part580); -var part581 = // "Pattern{Constant('The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part581 = match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup43, dup12, dup13, @@ -11017,8 +10246,7 @@ match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Prot var msg464 = msg("Symantec:31", part581); -var part582 = // "Pattern{Constant('The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.'), Field(,false)}" -match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ +var part582 = match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ dup43, dup12, dup13, @@ -11028,8 +10256,7 @@ match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Prot var msg465 = msg("Symantec:32", part582); -var part583 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled'), Field(p0,false)}" -match("MESSAGE#397:Symantec:36/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled%{p0}"); +var part583 = match("MESSAGE#397:Symantec:36/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled%{p0}"); var all162 = all_match({ processors: [ @@ -11048,8 +10275,7 @@ var all162 = all_match({ var msg466 = msg("Symantec:36", all162); -var part584 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SONAR has been enabled'), Field(p0,false)}" -match("MESSAGE#398:Symantec:37/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has been enabled%{p0}"); +var part584 = match("MESSAGE#398:Symantec:37/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has been enabled%{p0}"); var all163 = all_match({ processors: [ @@ -11068,8 +10294,7 @@ var all163 = all_match({ var msg467 = msg("Symantec:37", all163); -var part585 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,SONAR has been disabled')}" -match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,SONAR has been disabled", processor_chain([ +var part585 = match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,SONAR has been disabled", processor_chain([ dup43, dup56, dup12, @@ -11080,8 +10305,7 @@ match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symante var msg468 = msg("Symantec:41", part585); -var part586 = // "Pattern{Constant('Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: '), Field(event_time_string,false)}" -match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: %{event_time_string}", processor_chain([ +var part586 = match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -11091,8 +10315,7 @@ match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protecti var msg469 = msg("Symantec:44", part586); -var part587 = // "Pattern{Constant('Symantec Network Access Control is overdeployed'), Field(,false)}" -match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Control is overdeployed%{}", processor_chain([ +var part587 = match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Control is overdeployed%{}", processor_chain([ dup86, dup12, dup222, @@ -11102,8 +10325,7 @@ match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Cont var msg470 = msg("Server:02", part587); -var part588 = // "Pattern{Constant('Symantec Endpoint Protection is overdeployed'), Field(,false)}" -match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection is overdeployed%{}", processor_chain([ +var part588 = match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection is overdeployed%{}", processor_chain([ dup86, dup12, dup222, @@ -11114,8 +10336,7 @@ match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection var msg471 = msg("Server:04", part588); -var part589 = // "Pattern{Constant('Symantec Endpoint Protection Manager could not update '), Field(application,false), Constant('.')}" -match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protection Manager could not update %{application}.", processor_chain([ +var part589 = match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protection Manager could not update %{application}.", processor_chain([ dup43, dup14, dup15, @@ -11124,20 +10345,15 @@ match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protecti var msg472 = msg("Symantec:34", part589); -var part590 = // "Pattern{Field(event_description,false), Constant('. File : '), Field(filename,false), Constant(', Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_0", "nwparser.payload", "%{event_description}. File : %{filename}, Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part590 = match("MESSAGE#689:Symantec:35/0_0", "nwparser.payload", "%{event_description}. File : %{filename}, Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part591 = // "Pattern{Field(event_description,false), Constant('. File : '), Field(filename,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_1", "nwparser.payload", "%{event_description}. File : %{filename},Event time:%{fld17->} %{fld18}"); +var part591 = match("MESSAGE#689:Symantec:35/0_1", "nwparser.payload", "%{event_description}. File : %{filename},Event time:%{fld17->} %{fld18}"); -var part592 = // "Pattern{Field(event_description,false), Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_2", "nwparser.payload", "%{event_description}.,Event time:%{fld17->} %{fld18}"); +var part592 = match("MESSAGE#689:Symantec:35/0_2", "nwparser.payload", "%{event_description}.,Event time:%{fld17->} %{fld18}"); -var part593 = // "Pattern{Field(event_description,false), Constant('Operating System: '), Field(os,false), Constant('Network info:'), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#689:Symantec:35/0_3", "nwparser.payload", "%{event_description}Operating System: %{os}Network info:%{info},Event time:%{fld17->} %{fld18}"); +var part593 = match("MESSAGE#689:Symantec:35/0_3", "nwparser.payload", "%{event_description}Operating System: %{os}Network info:%{info},Event time:%{fld17->} %{fld18}"); -var part594 = // "Pattern{Field(event_description,false), Constant('.')}" -match("MESSAGE#689:Symantec:35/0_4", "nwparser.payload", "%{event_description}."); +var part594 = match("MESSAGE#689:Symantec:35/0_4", "nwparser.payload", "%{event_description}."); var select106 = linear_select([ part590, @@ -11163,8 +10379,7 @@ var all164 = all_match({ var msg473 = msg("Symantec:35", all164); -var part595 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,'), Field(event_description,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,%{event_description},Event time:%{fld17->} %{fld18}", processor_chain([ +var part595 = match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,%{event_description},Event time:%{fld17->} %{fld18}", processor_chain([ dup43, dup12, dup13, @@ -11174,8 +10389,7 @@ match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symante var msg474 = msg("Symantec:45", part595); -var part596 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#691:Server:05", "nwparser.payload", "event_description", processor_chain([ +var part596 = match_copy("MESSAGE#691:Server:05", "nwparser.payload", "event_description", processor_chain([ dup53, dup12, dup222, @@ -11234,8 +10448,7 @@ var select107 = linear_select([ msg475, ]); -var part597 = // "Pattern{Constant('Suspicious Behavior Detection has been '), Field(fld2,false), Constant(',Event time: '), Field(event_time_string,false)}" -match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detection has been %{fld2},Event time: %{event_time_string}", processor_chain([ +var part597 = match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detection has been %{fld2},Event time: %{event_time_string}", processor_chain([ dup43, dup12, dup13, @@ -11253,8 +10466,7 @@ match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detect var msg476 = msg("Symantec:43", part597); -var part598 = // "Pattern{Constant('System has been restarted '), Field(info,false), Constant('.')}" -match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{info}.", processor_chain([ +var part598 = match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{info}.", processor_chain([ dup53, dup12, dup13, @@ -11265,8 +10477,7 @@ match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{inf var msg477 = msg("System", part598); -var part599 = // "Pattern{Constant('System client-server activity logs have been swept.'), Field(,false)}" -match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activity logs have been swept.%{}", processor_chain([ +var part599 = match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activity logs have been swept.%{}", processor_chain([ dup53, dup12, dup13, @@ -11277,8 +10488,7 @@ match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activit var msg478 = msg("System:01", part599); -var part600 = // "Pattern{Constant('System server activity logs have been swept.'), Field(,false)}" -match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs have been swept.%{}", processor_chain([ +var part600 = match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs have been swept.%{}", processor_chain([ dup53, dup12, dup13, @@ -11289,8 +10499,7 @@ match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs var msg479 = msg("System:02", part600); -var part601 = // "Pattern{Constant('System administrative logs have been swept.'), Field(,false)}" -match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs have been swept.%{}", processor_chain([ +var part601 = match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs have been swept.%{}", processor_chain([ dup53, dup12, dup13, @@ -11301,8 +10510,7 @@ match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs h var msg480 = msg("System:03", part601); -var part602 = // "Pattern{Constant('System enforcer activity logs have been swept.'), Field(,false)}" -match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity logs have been swept.%{}", processor_chain([ +var part602 = match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity logs have been swept.%{}", processor_chain([ dup53, dup14, dup15, @@ -11311,8 +10519,7 @@ match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity log var msg481 = msg("System:04", part602); -var part603 = // "Pattern{Constant('System administrator "'), Field(username,false), Constant('" was added')}" -match("MESSAGE#409:System:05", "nwparser.payload", "System administrator \"%{username}\" was added", processor_chain([ +var part603 = match("MESSAGE#409:System:05", "nwparser.payload", "System administrator \"%{username}\" was added", processor_chain([ dup53, dup12, dup13, @@ -11331,16 +10538,14 @@ var select108 = linear_select([ msg482, ]); -var part604 = // "Pattern{Constant('- Caller MD5='), Field(fld6,false), Constant(','), Field(p0,false)}" -match("MESSAGE#410:Terminated/0_0", "nwparser.payload", "- Caller MD5=%{fld6},%{p0}"); +var part604 = match("MESSAGE#410:Terminated/0_0", "nwparser.payload", "- Caller MD5=%{fld6},%{p0}"); var select109 = linear_select([ part604, dup269, ]); -var part605 = // "Pattern{Field(action,false), Constant(',Begin:'), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End:'), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule:'), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User:'), Field(username,false), Constant(',Domain:'), Field(domain,false), Constant(',Action Type:'), Field(fld45,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" -match("MESSAGE#410:Terminated/1", "nwparser.p0", "%{action},Begin:%{fld50->} %{fld52},End:%{fld51->} %{fld53},Rule:%{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User:%{username},Domain:%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); +var part605 = match("MESSAGE#410:Terminated/1", "nwparser.p0", "%{action},Begin:%{fld50->} %{fld52},End:%{fld51->} %{fld53},Rule:%{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User:%{username},Domain:%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); var all165 = all_match({ processors: [ @@ -11363,20 +10568,15 @@ var all165 = all_match({ var msg483 = msg("Terminated", all165); -var part606 = // "Pattern{Constant('Compliance '), Field(p0,false)}" -match("MESSAGE#411:Compliance/0", "nwparser.payload", "Compliance %{p0}"); +var part606 = match("MESSAGE#411:Compliance/0", "nwparser.payload", "Compliance %{p0}"); -var part607 = // "Pattern{Constant('server '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_0", "nwparser.p0", "server %{p0}"); +var part607 = match("MESSAGE#411:Compliance/1_0", "nwparser.p0", "server %{p0}"); -var part608 = // "Pattern{Constant('client '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_1", "nwparser.p0", "client %{p0}"); +var part608 = match("MESSAGE#411:Compliance/1_1", "nwparser.p0", "client %{p0}"); -var part609 = // "Pattern{Constant('traffic '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_2", "nwparser.p0", "traffic %{p0}"); +var part609 = match("MESSAGE#411:Compliance/1_2", "nwparser.p0", "traffic %{p0}"); -var part610 = // "Pattern{Constant('criteria '), Field(p0,false)}" -match("MESSAGE#411:Compliance/1_3", "nwparser.p0", "criteria %{p0}"); +var part610 = match("MESSAGE#411:Compliance/1_3", "nwparser.p0", "criteria %{p0}"); var select110 = linear_select([ part607, @@ -11385,8 +10585,7 @@ var select110 = linear_select([ part610, ]); -var part611 = // "Pattern{Constant('logs have been swept.'), Field(,false)}" -match("MESSAGE#411:Compliance/2", "nwparser.p0", "logs have been swept.%{}"); +var part611 = match("MESSAGE#411:Compliance/2", "nwparser.p0", "logs have been swept.%{}"); var all166 = all_match({ processors: [ @@ -11404,8 +10603,7 @@ var all166 = all_match({ var msg484 = msg("Compliance", all166); -var part612 = // "Pattern{Constant('Download started.'), Field(,false)}" -match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", processor_chain([ +var part612 = match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", processor_chain([ dup43, dup14, dup15, @@ -11414,8 +10612,7 @@ match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", proces var msg485 = msg("Download", part612); -var part613 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld14,true), Constant(' to '), Field(fld15,false), Constant('.,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Inbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld10,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ +var part613 = match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11430,8 +10627,7 @@ match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{host var msg486 = msg("Traffic", part613); -var part614 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld14,true), Constant(' to '), Field(fld15,false), Constant('.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Outbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld10,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ +var part614 = match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11446,8 +10642,7 @@ match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{h var msg487 = msg("Traffic:11", part614); -var part615 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',1,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},1,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ +var part615 = match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},1,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11461,8 +10656,7 @@ match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{h var msg488 = msg("Traffic:01", part615); -var part616 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#416:Traffic:02/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{daddr},Local: %{fld3},Remote: %{fld4},Remote: %{saddr},Remote: %{fld5},Inbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part616 = match("MESSAGE#416:Traffic:02/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{daddr},Local: %{fld3},Remote: %{fld4},Remote: %{saddr},Remote: %{fld5},Inbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all167 = all_match({ processors: [ @@ -11486,8 +10680,7 @@ var all167 = all_match({ var msg489 = msg("Traffic:02", all167); -var part617 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Outbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#417:Traffic:12/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Outbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part617 = match("MESSAGE#417:Traffic:12/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Outbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); var all168 = all_match({ processors: [ @@ -11511,8 +10704,7 @@ var all168 = all_match({ var msg490 = msg("Traffic:12", all168); -var part618 = // "Pattern{Field(fld1,true), Constant(' Traffic Redirection disabled.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirection disabled.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part618 = match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirection disabled.,Event time: %{fld17->} %{fld18}", processor_chain([ dup86, dup12, dup13, @@ -11523,8 +10715,7 @@ match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirecti var msg491 = msg("Traffic:13", part618); -var part619 = // "Pattern{Field(fld1,true), Constant(' Traffic Redirection is malfunctioning.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#718:Traffic:14", "nwparser.payload", "%{fld1->} Traffic Redirection is malfunctioning.,Event time: %{fld17->} %{fld18}", processor_chain([ +var part619 = match("MESSAGE#718:Traffic:14", "nwparser.payload", "%{fld1->} Traffic Redirection is malfunctioning.,Event time: %{fld17->} %{fld18}", processor_chain([ dup86, dup12, dup13, @@ -11545,8 +10736,7 @@ var select111 = linear_select([ msg492, ]); -var part620 = // "Pattern{Constant('TruScan has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(info,false)}" -match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error: code %{resultcode}: description: %{info}", processor_chain([ +var part620 = match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error: code %{resultcode}: description: %{info}", processor_chain([ dup168, dup12, dup13, @@ -11557,11 +10747,9 @@ match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error var msg493 = msg("TruScan", part620); -var part621 = // "Pattern{Constant('Forced TruScan proactive threat detected,Computer name: '), Field(p0,false)}" -match("MESSAGE#419:TruScan:01/0", "nwparser.payload", "Forced TruScan proactive threat detected,Computer name: %{p0}"); +var part621 = match("MESSAGE#419:TruScan:01/0", "nwparser.payload", "Forced TruScan proactive threat detected,Computer name: %{p0}"); -var part622 = // "Pattern{Field(fld1,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version: '), Field(version,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld13,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score: '), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(',"'), Field(fld12,false), Constant('",Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld15,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#419:TruScan:01/2", "nwparser.p0", "%{fld1},Application name: %{application},Application type: %{obj_type},Application version: %{version},Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld13},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score: %{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},\"%{fld12}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld15},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part622 = match("MESSAGE#419:TruScan:01/2", "nwparser.p0", "%{fld1},Application name: %{application},Application type: %{obj_type},Application version: %{version},Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld13},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score: %{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},\"%{fld12}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld15},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); var all169 = all_match({ processors: [ @@ -11591,14 +10779,11 @@ var all169 = all_match({ var msg494 = msg("TruScan:01", all169); -var part623 = // "Pattern{Constant('TruScan '), Field(info,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#420:TruScan:update/0", "nwparser.payload", "TruScan %{info->} %{p0}"); +var part623 = match("MESSAGE#420:TruScan:update/0", "nwparser.payload", "TruScan %{info->} %{p0}"); -var part624 = // "Pattern{Constant('was successfully updated'), Field(,false)}" -match("MESSAGE#420:TruScan:update/1_0", "nwparser.p0", "was successfully updated%{}"); +var part624 = match("MESSAGE#420:TruScan:update/1_0", "nwparser.p0", "was successfully updated%{}"); -var part625 = // "Pattern{Constant('is up-to-date'), Field(,false)}" -match("MESSAGE#420:TruScan:update/1_1", "nwparser.p0", "is up-to-date%{}"); +var part625 = match("MESSAGE#420:TruScan:update/1_1", "nwparser.p0", "is up-to-date%{}"); var select112 = linear_select([ part624, @@ -11622,8 +10807,7 @@ var all170 = all_match({ var msg495 = msg("TruScan:update", all170); -var part626 = // "Pattern{Constant('TruScan '), Field(info,true), Constant(' failed to update.')}" -match("MESSAGE#421:TruScan:updatefailed", "nwparser.payload", "TruScan %{info->} failed to update.", processor_chain([ +var part626 = match("MESSAGE#421:TruScan:updatefailed", "nwparser.payload", "TruScan %{info->} failed to update.", processor_chain([ dup168, dup12, dup13, @@ -11641,8 +10825,7 @@ var select113 = linear_select([ msg496, ]); -var part627 = // "Pattern{Constant('Unexpected server error. ErrorCode: '), Field(resultcode,false)}" -match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. ErrorCode: %{resultcode}", processor_chain([ +var part627 = match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. ErrorCode: %{resultcode}", processor_chain([ dup43, dup12, dup13, @@ -11653,8 +10836,7 @@ match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. Er var msg497 = msg("Unexpected", part627); -var part628 = // "Pattern{Constant('Unexpected server error.'), Field(,false)}" -match("MESSAGE#423:Unexpected:01", "nwparser.payload", "Unexpected server error.%{}", processor_chain([ +var part628 = match("MESSAGE#423:Unexpected:01", "nwparser.payload", "Unexpected server error.%{}", processor_chain([ dup43, dup12, dup13, @@ -11670,8 +10852,7 @@ var select114 = linear_select([ msg498, ]); -var part629 = // "Pattern{Constant('Unsolicited incoming ARP reply detected,'), Field(info,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Inbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld20,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ +var part629 = match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11686,8 +10867,7 @@ match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP r var msg499 = msg("Unsolicited", part629); -var part630 = // "Pattern{Constant('Unsolicited incoming ARP reply detected,'), Field(info,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Outbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld20,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#425:Unsolicited:01", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ +var part630 = match("MESSAGE#425:Unsolicited:01", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ dup11, dup12, dup13, @@ -11707,11 +10887,9 @@ var select115 = linear_select([ msg500, ]); -var part631 = // "Pattern{Constant('User is attempting to terminate Symantec Management Client'), Field(p0,false)}" -match("MESSAGE#426:User/0", "nwparser.payload", "User is attempting to terminate Symantec Management Client%{p0}"); +var part631 = match("MESSAGE#426:User/0", "nwparser.payload", "User is attempting to terminate Symantec Management Client%{p0}"); -var part632 = // "Pattern{Constant('....,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#426:User/1_0", "nwparser.p0", "....,Event time:%{fld17->} %{fld18}"); +var part632 = match("MESSAGE#426:User/1_0", "nwparser.p0", "....,Event time:%{fld17->} %{fld18}"); var select116 = linear_select([ part632, @@ -11736,8 +10914,7 @@ var all171 = all_match({ var msg501 = msg("User", all171); -var part633 = // "Pattern{Field(fld44,false), Constant(',User - Kernel Hook Error,'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Error,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ +var part633 = match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Error,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ dup171, dup12, dup13, @@ -11753,8 +10930,7 @@ match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Er var msg502 = msg("User:01", part633); -var part634 = // "Pattern{Constant('User has been created'), Field(,false)}" -match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}", processor_chain([ +var part634 = match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}", processor_chain([ dup170, dup12, dup13, @@ -11770,8 +10946,7 @@ match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}" var msg503 = msg("User:created", part634); -var part635 = // "Pattern{Constant('User has been deleted'), Field(,false)}" -match("MESSAGE#429:User:deleted", "nwparser.payload", "User has been deleted%{}", processor_chain([ +var part635 = match("MESSAGE#429:User:deleted", "nwparser.payload", "User has been deleted%{}", processor_chain([ dup171, dup12, dup13, @@ -11794,11 +10969,9 @@ var select117 = linear_select([ msg504, ]); -var part636 = // "Pattern{Constant('Windows Version info: Operating System: '), Field(os,true), Constant(' Network info:'), Field(p0,false)}" -match("MESSAGE#446:Windows/0", "nwparser.payload", "Windows Version info: Operating System: %{os->} Network info:%{p0}"); +var part636 = match("MESSAGE#446:Windows/0", "nwparser.payload", "Windows Version info: Operating System: %{os->} Network info:%{p0}"); -var part637 = // "Pattern{Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#446:Windows/1_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); +var part637 = match("MESSAGE#446:Windows/1_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); var select118 = linear_select([ part637, @@ -11823,8 +10996,7 @@ var all172 = all_match({ var msg505 = msg("Windows", all172); -var part638 = // "Pattern{Constant('Windows Host Integrity Content '), Field(version,true), Constant(' was successfully updated.')}" -match("MESSAGE#447:Windows:01", "nwparser.payload", "Windows Host Integrity Content %{version->} was successfully updated.", processor_chain([ +var part638 = match("MESSAGE#447:Windows:01", "nwparser.payload", "Windows Host Integrity Content %{version->} was successfully updated.", processor_chain([ dup92, dup12, dup13, @@ -11840,8 +11012,7 @@ var select119 = linear_select([ msg506, ]); -var part639 = // "Pattern{Constant('"=======EXCEPTION:'), Field(event_description,false), Constant('"')}" -match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION:%{event_description}\"", processor_chain([ +var part639 = match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION:%{event_description}\"", processor_chain([ dup168, dup12, dup13, @@ -11851,8 +11022,7 @@ match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION var msg507 = msg("\"=======EXCEPTION:", part639); -var part640 = // "Pattern{Constant('Sysfer exception: '), Field(info,false), Constant(',Sysfer exception,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(event_description,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part640 = match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -11865,8 +11035,7 @@ match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},S var msg508 = msg("Allowed:08", part640); -var part641 = // "Pattern{Constant('Sysfer exception: '), Field(info,false), Constant(',Sysfer exception,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(event_description,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain}", processor_chain([ +var part641 = match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -11879,8 +11048,7 @@ match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysf var msg509 = msg("Allowed", part641); -var part642 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part642 = match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -11893,8 +11061,7 @@ match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Beg var msg510 = msg("Allowed:05", part642); -var part643 = // "Pattern{Constant('"'), Field(filename,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part643 = match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -11907,8 +11074,7 @@ match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin var msg511 = msg("Allowed:06", part643); -var part644 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain}", processor_chain([ +var part644 = match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -11921,11 +11087,9 @@ match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Beg var msg512 = msg("Allowed:01", part644); -var part645 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(p0,false)}" -match("MESSAGE#454:Allowed:02/0", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{p0}"); +var part645 = match("MESSAGE#454:Allowed:02/0", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{p0}"); -var part646 = // "Pattern{Field(domain,false), Constant(',Action Type:'), Field(fld45,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" -match("MESSAGE#454:Allowed:02/1_0", "nwparser.p0", "%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); +var part646 = match("MESSAGE#454:Allowed:02/1_0", "nwparser.p0", "%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); var select120 = linear_select([ part646, @@ -11954,22 +11118,18 @@ var all173 = all_match({ var msg513 = msg("Allowed:02", all173); -var part647 = // "Pattern{Constant('- Caller MD5='), Field(checksum,false), Constant(',File Write,Begin: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/0_0", "nwparser.payload", "- Caller MD5=%{checksum},File Write,Begin: %{p0}"); +var part647 = match("MESSAGE#455:Allowed:09/0_0", "nwparser.payload", "- Caller MD5=%{checksum},File Write,Begin: %{p0}"); -var part648 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/0_1", "nwparser.payload", "%{fld1},File Write,Begin: %{p0}"); +var part648 = match("MESSAGE#455:Allowed:09/0_1", "nwparser.payload", "%{fld1},File Write,Begin: %{p0}"); var select121 = linear_select([ part647, part648, ]); -var part649 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part649 = match("MESSAGE#455:Allowed:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part650 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#455:Allowed:09/3", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part650 = match("MESSAGE#455:Allowed:09/3", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var all174 = all_match({ processors: [ @@ -11994,8 +11154,7 @@ var all174 = all_match({ var msg514 = msg("Allowed:09", all174); -var part651 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" -match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ +var part651 = match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ dup121, dup12, dup13, @@ -12011,14 +11170,11 @@ match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: % var msg515 = msg("Allowed:03", part651); -var part652 = // "Pattern{Constant('- Caller MD5='), Field(checksum,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#457:Allowed:10/0", "nwparser.payload", "- Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part652 = match("MESSAGE#457:Allowed:10/0", "nwparser.payload", "- Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part653 = // "Pattern{Constant('User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(p0,false)}" -match("MESSAGE#457:Allowed:10/2", "nwparser.p0", "User: %{username},Domain: %{domain},Action Type:%{p0}"); +var part653 = match("MESSAGE#457:Allowed:10/2", "nwparser.p0", "User: %{username},Domain: %{domain},Action Type:%{p0}"); -var part654 = // "Pattern{Field(fld46,false)}" -match_copy("MESSAGE#457:Allowed:10/3_1", "nwparser.p0", "fld46"); +var part654 = match_copy("MESSAGE#457:Allowed:10/3_1", "nwparser.p0", "fld46"); var select122 = linear_select([ dup278, @@ -12049,8 +11205,7 @@ var all175 = all_match({ var msg516 = msg("Allowed:10", all175); -var part655 = // "Pattern{Field(fld1,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" -match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ +var part655 = match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ dup121, dup12, dup13, @@ -12067,8 +11222,7 @@ match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: var msg517 = msg("Allowed:04", part655); -var part656 = // "Pattern{Field(filename,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" -match("MESSAGE#459:Allowed:07", "nwparser.payload", "%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ +var part656 = match("MESSAGE#459:Allowed:07", "nwparser.payload", "%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ dup121, dup12, dup13, @@ -12095,8 +11249,7 @@ var select123 = linear_select([ msg518, ]); -var part657 = // "Pattern{Constant('Audit logs have been swept.'), Field(,false)}" -match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", processor_chain([ +var part657 = match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", processor_chain([ dup43, dup12, dup13, @@ -12107,8 +11260,7 @@ match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", var msg519 = msg("Audit", part657); -var part658 = // "Pattern{Field(fld24,false), Constant(','), Field(fld1,false), Constant(',FATAL: '), Field(event_description,false)}" -match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{event_description}", processor_chain([ +var part658 = match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{event_description}", processor_chain([ dup53, dup12, dup13, @@ -12118,11 +11270,9 @@ match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{eve var msg520 = msg("Category", part658); -var part659 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(','), Field(event_description,true), Constant(' Remote file path:'), Field(p0,false)}" -match("MESSAGE#466:Category:03/0", "nwparser.payload", "%{fld1},%{fld2},%{event_description->} Remote file path:%{p0}"); +var part659 = match("MESSAGE#466:Category:03/0", "nwparser.payload", "%{fld1},%{fld2},%{event_description->} Remote file path:%{p0}"); -var part660 = // "Pattern{Field(url,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#466:Category:03/1_0", "nwparser.p0", "%{url},Event time:%{fld17->} %{fld18}"); +var part660 = match("MESSAGE#466:Category:03/1_0", "nwparser.p0", "%{url},Event time:%{fld17->} %{fld18}"); var select124 = linear_select([ part660, @@ -12148,14 +11298,11 @@ var all176 = all_match({ var msg521 = msg("Category:03", all176); -var part661 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(',Downloaded content from GUP '), Field(daddr,false), Constant(': '), Field(p0,false)}" -match("MESSAGE#467:Category:02/0", "nwparser.payload", "%{fld1},%{fld2},Downloaded content from GUP %{daddr}: %{p0}"); +var part661 = match("MESSAGE#467:Category:02/0", "nwparser.payload", "%{fld1},%{fld2},Downloaded content from GUP %{daddr}: %{p0}"); -var part662 = // "Pattern{Field(dport,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#467:Category:02/1_0", "nwparser.p0", "%{dport},Event time:%{fld17->} %{fld18}"); +var part662 = match("MESSAGE#467:Category:02/1_0", "nwparser.p0", "%{dport},Event time:%{fld17->} %{fld18}"); -var part663 = // "Pattern{Field(dport,false)}" -match_copy("MESSAGE#467:Category:02/1_1", "nwparser.p0", "dport"); +var part663 = match_copy("MESSAGE#467:Category:02/1_1", "nwparser.p0", "dport"); var select125 = linear_select([ part662, @@ -12180,29 +11327,21 @@ var all177 = all_match({ var msg522 = msg("Category:02", all177); -var part664 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(','), Field(p0,false)}" -match("MESSAGE#468:Category:01/0", "nwparser.payload", "%{fld1},%{fld2},%{p0}"); +var part664 = match("MESSAGE#468:Category:01/0", "nwparser.payload", "%{fld1},%{fld2},%{p0}"); -var part665 = // "Pattern{Field(event_description,false), Constant('. File : ''), Field(filename,false), Constant('',",Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#468:Category:01/1_0", "nwparser.p0", "%{event_description}. File : '%{filename}',\",Event time: %{fld17->} %{fld18}"); +var part665 = match("MESSAGE#468:Category:01/1_0", "nwparser.p0", "%{event_description}. File : '%{filename}',\",Event time: %{fld17->} %{fld18}"); -var part666 = // "Pattern{Field(event_description,false), Constant('Size (bytes): '), Field(filename_size,false), Constant('.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#468:Category:01/1_1", "nwparser.p0", "%{event_description}Size (bytes): %{filename_size}.,Event time: %{fld17->} %{fld18}"); +var part666 = match("MESSAGE#468:Category:01/1_1", "nwparser.p0", "%{event_description}Size (bytes): %{filename_size}.,Event time: %{fld17->} %{fld18}"); -var part667 = // "Pattern{Field(event_description,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#468:Category:01/1_2", "nwparser.p0", "%{event_description},Event time: %{fld17->} %{fld18}"); +var part667 = match("MESSAGE#468:Category:01/1_2", "nwparser.p0", "%{event_description},Event time: %{fld17->} %{fld18}"); -var part668 = // "Pattern{Field(event_description,false), Constant('. Size (bytes):'), Field(filename_size,false), Constant('.')}" -match("MESSAGE#468:Category:01/1_3", "nwparser.p0", "%{event_description}. Size (bytes):%{filename_size}."); +var part668 = match("MESSAGE#468:Category:01/1_3", "nwparser.p0", "%{event_description}. Size (bytes):%{filename_size}."); -var part669 = // "Pattern{Field(event_description,false), Constant('. '), Field(space,true), Constant(' File : ''), Field(filename,false), Constant('',"')}" -match("MESSAGE#468:Category:01/1_4", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}',\""); +var part669 = match("MESSAGE#468:Category:01/1_4", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}',\""); -var part670 = // "Pattern{Field(event_description,false), Constant('. '), Field(space,true), Constant(' File : ''), Field(filename,false), Constant(''')}" -match("MESSAGE#468:Category:01/1_5", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}'"); +var part670 = match("MESSAGE#468:Category:01/1_5", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}'"); -var part671 = // "Pattern{Field(event_description,false)}" -match_copy("MESSAGE#468:Category:01/1_6", "nwparser.p0", "event_description"); +var part671 = match_copy("MESSAGE#468:Category:01/1_6", "nwparser.p0", "event_description"); var select126 = linear_select([ part665, @@ -12238,8 +11377,7 @@ var select127 = linear_select([ msg523, ]); -var part672 = // "Pattern{Constant('Default '), Field(info,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld2,false), Constant('..Failed Alert Name: '), Field(action,false), Constant('..Time: '), Field(fld3,true), Constant(' '), Field(fld1,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" -match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{shost}..Date: %{fld2}..Failed Alert Name: %{action}..Time: %{fld3->} %{fld1}..Severity: %{severity}..Source: %{product}", processor_chain([ +var part672 = match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{shost}..Date: %{fld2}..Failed Alert Name: %{action}..Time: %{fld3->} %{fld1}..Severity: %{severity}..Source: %{product}", processor_chain([ dup43, date_time({ dest: "event_time", @@ -12254,8 +11392,7 @@ match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{s var msg524 = msg("Default", part672); -var part673 = // "Pattern{Constant('Default Group blocks new clients. The client cannot register with the Default Group.'), Field(,false)}" -match("MESSAGE#470:Default:01", "nwparser.payload", "Default Group blocks new clients. The client cannot register with the Default Group.%{}", processor_chain([ +var part673 = match("MESSAGE#470:Default:01", "nwparser.payload", "Default Group blocks new clients. The client cannot register with the Default Group.%{}", processor_chain([ dup43, dup12, dup13, @@ -12270,8 +11407,7 @@ var select128 = linear_select([ msg525, ]); -var part674 = // "Pattern{Field(action,false), Constant('. '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(','), Field(direction,false), Constant(','), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" -match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ +var part674 = match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ dup43, dup12, dup13, @@ -12285,14 +11421,11 @@ match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{ var msg526 = msg("Device:01", part674); -var part675 = // "Pattern{Field(action,false), Constant('. '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(','), Field(direction,false), Constant(','), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(','), Field(p0,false)}" -match("MESSAGE#472:Device/0", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},%{p0}"); +var part675 = match("MESSAGE#472:Device/0", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},%{p0}"); -var part676 = // "Pattern{Constant('"User:'), Field(username,false), Constant('",Domain:'), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld26,false)}" -match("MESSAGE#472:Device/1_0", "nwparser.p0", "\"User:%{username}\",Domain:%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld26}"); +var part676 = match("MESSAGE#472:Device/1_0", "nwparser.p0", "\"User:%{username}\",Domain:%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld26}"); -var part677 = // "Pattern{Constant(' User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#472:Device/1_1", "nwparser.p0", " User: %{username},Domain: %{domain}"); +var part677 = match("MESSAGE#472:Device/1_1", "nwparser.p0", " User: %{username},Domain: %{domain}"); var select129 = linear_select([ part676, @@ -12324,8 +11457,7 @@ var select130 = linear_select([ msg527, ]); -var part678 = // "Pattern{Constant('Email sending failed'), Field(,false)}" -match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", processor_chain([ +var part678 = match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", processor_chain([ dup53, dup12, dup13, @@ -12336,14 +11468,11 @@ match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", proces var msg528 = msg("Email", part678); -var part679 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#474:FileWrite:02/0", "nwparser.payload", "%{fld5->} - Caller MD5=%{checksum},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part679 = match("MESSAGE#474:FileWrite:02/0", "nwparser.payload", "%{fld5->} - Caller MD5=%{checksum},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part680 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(p0,false)}" -match("MESSAGE#474:FileWrite:02/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{p0}"); +var part680 = match("MESSAGE#474:FileWrite:02/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{p0}"); -var part681 = // "Pattern{Field(fld44,false)}" -match_copy("MESSAGE#474:FileWrite:02/3_1", "nwparser.p0", "fld44"); +var part681 = match_copy("MESSAGE#474:FileWrite:02/3_1", "nwparser.p0", "fld44"); var select131 = linear_select([ dup278, @@ -12373,8 +11502,7 @@ var all180 = all_match({ var msg529 = msg("FileWrite:02", all180); -var part682 = // "Pattern{Constant('[AC5-1.1] Log files written to Removable Media,File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part682 = match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12389,8 +11517,7 @@ match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files writt var msg530 = msg("FileWrite:01", part682); -var part683 = // "Pattern{Field(fld5,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part683 = match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12405,8 +11532,7 @@ match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: var msg531 = msg("FileWrite:03", part683); -var part684 = // "Pattern{Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ +var part684 = match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ dup121, dup12, dup13, @@ -12421,8 +11547,7 @@ match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50-> var msg532 = msg("FileWrite", part684); -var part685 = // "Pattern{Constant('[AC5-1.1] Log files written to Removable Media,File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part685 = match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12437,11 +11562,9 @@ match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written var msg533 = msg("FileDelete", part685); -var part686 = // "Pattern{Field(info,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" -match("MESSAGE#479:Continue/0", "nwparser.payload", "%{info->} - Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); +var part686 = match("MESSAGE#479:Continue/0", "nwparser.payload", "%{info->} - Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); -var part687 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#479:Continue/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld44},File size (bytes): %{filename_size},Device ID: %{device}"); +var part687 = match("MESSAGE#479:Continue/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld44},File size (bytes): %{filename_size},Device ID: %{device}"); var all181 = all_match({ processors: [ @@ -12466,8 +11589,7 @@ var all181 = all_match({ var msg534 = msg("Continue", all181); -var part688 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part688 = match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12482,8 +11604,7 @@ match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=% var msg535 = msg("FileDelete:01", part688); -var part689 = // "Pattern{Field(fld5,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part689 = match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12498,8 +11619,7 @@ match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begi var msg536 = msg("FileDelete:02", part689); -var part690 = // "Pattern{Field(fld5,false), Constant(',System,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld6,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" -match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld6},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ +var part690 = match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld6},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ dup121, dup12, dup13, @@ -12511,8 +11631,7 @@ match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld5 var msg537 = msg("System:06", part690); -var part691 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ +var part691 = match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ dup121, dup12, dup13, @@ -12527,16 +11646,14 @@ match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld var msg538 = msg("File:10", part691); -var part692 = // "Pattern{Field(fld11,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(','), Field(p0,false)}" -match("MESSAGE#503:Blocked:08/0_0", "nwparser.payload", "%{fld11->} - Caller MD5=%{fld6},%{p0}"); +var part692 = match("MESSAGE#503:Blocked:08/0_0", "nwparser.payload", "%{fld11->} - Caller MD5=%{fld6},%{p0}"); var select132 = linear_select([ part692, dup269, ]); -var part693 = // "Pattern{Field(action,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#503:Blocked:08/1", "nwparser.p0", "%{action},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part693 = match("MESSAGE#503:Blocked:08/1", "nwparser.p0", "%{action},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}"); var all182 = all_match({ processors: [ @@ -12570,8 +11687,7 @@ var select133 = linear_select([ msg539, ]); -var part694 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(fld7,false)}" -match("MESSAGE#505:Ping/1", "nwparser.p0", "%{event_description}\",Local: %{daddr},Local: %{fld1},Remote: %{fld9},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); +var part694 = match("MESSAGE#505:Ping/1", "nwparser.p0", "%{event_description}\",Local: %{daddr},Local: %{fld1},Remote: %{fld9},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); var all183 = all_match({ processors: [ @@ -12594,8 +11710,7 @@ var all183 = all_match({ var msg540 = msg("Ping", all183); -var part695 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(fld7,false)}" -match("MESSAGE#506:Ping:01/1", "nwparser.p0", "%{event_description}\",Local: %{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); +var part695 = match("MESSAGE#506:Ping:01/1", "nwparser.p0", "%{event_description}\",Local: %{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); var all184 = all_match({ processors: [ @@ -12623,8 +11738,7 @@ var select134 = linear_select([ msg541, ]); -var part696 = // "Pattern{Field(fld1,false), Constant(': Site: '), Field(fld2,false), Constant(',Server: '), Field(hostid,false), Constant(','), Field(directory,true), Constant(' '), Field(event_description,false)}" -match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: %{hostid},%{directory->} %{event_description}", processor_chain([ +var part696 = match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: %{hostid},%{directory->} %{event_description}", processor_chain([ dup53, dup12, dup13, @@ -12634,8 +11748,7 @@ match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: var msg542 = msg("Server", part696); -var part697 = // "Pattern{Constant('Server returned HTTP response code: '), Field(resultcode,true), Constant(' for URL: '), Field(url,false)}" -match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP response code: %{resultcode->} for URL: %{url}", processor_chain([ +var part697 = match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP response code: %{resultcode->} for URL: %{url}", processor_chain([ dup53, dup12, dup13, @@ -12645,8 +11758,7 @@ match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP respons var msg543 = msg("Server:01", part697); -var part698 = // "Pattern{Constant('Server security validation failed.'), Field(,false)}" -match("MESSAGE#512:Server:03", "nwparser.payload", "Server security validation failed.%{}", processor_chain([ +var part698 = match("MESSAGE#512:Server:03", "nwparser.payload", "Server security validation failed.%{}", processor_chain([ dup174, dup94, setf("saddr","hhostid"), @@ -12662,8 +11774,7 @@ var select135 = linear_select([ msg544, ]); -var part699 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part699 = match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12676,8 +11787,7 @@ match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg545 = msg("1", part699); -var part700 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part700 = match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12690,8 +11800,7 @@ match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg546 = msg("2", part700); -var part701 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part701 = match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12704,8 +11813,7 @@ match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg547 = msg("3", part701); -var part702 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part702 = match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12718,8 +11826,7 @@ match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg548 = msg("4", part702); -var part703 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part703 = match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12732,8 +11839,7 @@ match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg549 = msg("5", part703); -var part704 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part704 = match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12746,8 +11852,7 @@ match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg550 = msg("6", part704); -var part705 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part705 = match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12760,8 +11865,7 @@ match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg551 = msg("7", part705); -var part706 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part706 = match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12774,8 +11878,7 @@ match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg552 = msg("8", part706); -var part707 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part707 = match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12788,8 +11891,7 @@ match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^% var msg553 = msg("9", part707); -var part708 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" -match("MESSAGE#523:10", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ +var part708 = match("MESSAGE#523:10", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ dup110, dup115, dup116, @@ -12808,8 +11910,7 @@ var msg556 = msg("257", dup342); var msg557 = msg("259", dup342); -var part709 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Organization importing started')}" -match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing started", processor_chain([ +var part709 = match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing started", processor_chain([ dup53, dup284, dup15, @@ -12818,8 +11919,7 @@ match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3- var msg558 = msg("264", part709); -var part710 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Organization importing finished successfully')}" -match("MESSAGE#528:265", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing finished successfully", processor_chain([ +var part710 = match("MESSAGE#528:265", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing finished successfully", processor_chain([ dup53, dup284, dup15, @@ -12830,8 +11930,7 @@ var msg559 = msg("265", part710); var msg560 = msg("273", dup342); -var part711 = // "Pattern{Field(id,false), Constant('^^The process '), Field(process,true), Constant(' can not lock the process status table. The process status has been locked by the server '), Field(shost,true), Constant(' ('), Field(fld22,false), Constant(') since '), Field(recorded_time,false), Constant('.')}" -match("MESSAGE#530:275", "nwparser.payload", "%{id}^^The process %{process->} can not lock the process status table. The process status has been locked by the server %{shost->} (%{fld22}) since %{recorded_time}.", processor_chain([ +var part711 = match("MESSAGE#530:275", "nwparser.payload", "%{id}^^The process %{process->} can not lock the process status table. The process status has been locked by the server %{shost->} (%{fld22}) since %{recorded_time}.", processor_chain([ dup53, dup15, setc("event_description","The process can not lock the process status table"), @@ -12851,8 +11950,7 @@ var msg566 = msg("779", dup342); var msg567 = msg("782", dup342); -var part712 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Backup succeeded and finished at '), Field(fld4,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant('. The backup file resides at the following location on the server '), Field(shost,false), Constant(': '), Field(directory,false)}" -match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup succeeded and finished at %{fld4->} %{fld5->} %{fld6}. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ +var part712 = match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup succeeded and finished at %{fld4->} %{fld5->} %{fld6}. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ dup53, dup284, date_time({ @@ -12868,8 +11966,7 @@ match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3 var msg568 = msg("1029", part712); -var part713 = // "Pattern{Field(id,false), Constant('^^Backup succeeded and finished. The backup file resides at the following location on the server '), Field(shost,false), Constant(': '), Field(directory,false)}" -match("MESSAGE#538:1029:01", "nwparser.payload", "%{id}^^Backup succeeded and finished. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ +var part713 = match("MESSAGE#538:1029:01", "nwparser.payload", "%{id}^^Backup succeeded and finished. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ dup53, dup15, dup285, @@ -12882,8 +11979,7 @@ var select136 = linear_select([ msg569, ]); -var part714 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Backup started')}" -match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup started", processor_chain([ +var part714 = match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup started", processor_chain([ dup53, dup284, dup15, @@ -12892,8 +11988,7 @@ match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3 var msg570 = msg("1030", part714); -var part715 = // "Pattern{Field(id,false), Constant('^^Backup started')}" -match("MESSAGE#540:1030:01", "nwparser.payload", "%{id}^^Backup started", processor_chain([ +var part715 = match("MESSAGE#540:1030:01", "nwparser.payload", "%{id}^^Backup started", processor_chain([ dup53, dup15, dup286, @@ -12914,8 +12009,7 @@ var msg574 = msg("5121", dup342); var msg575 = msg("5122", dup342); -var part716 = // "Pattern{Field(id,false), Constant('^^Sending Email Failed for following email address ['), Field(user_address,false), Constant('].')}" -match("MESSAGE#545:4609", "nwparser.payload", "%{id}^^Sending Email Failed for following email address [%{user_address}].", processor_chain([ +var part716 = match("MESSAGE#545:4609", "nwparser.payload", "%{id}^^Sending Email Failed for following email address [%{user_address}].", processor_chain([ setc("eventcategory","1207010200"), setc("event_description","Sending Email Failed"), dup15, @@ -12974,8 +12068,7 @@ var select142 = linear_select([ msg589, ]); -var part717 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part717 = match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup165, dup15, dup287, @@ -12983,8 +12076,7 @@ match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg590 = msg("302449166", part717); -var part718 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#560:302449166:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part718 = match("MESSAGE#560:302449166:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup165, dup15, dup287, @@ -12997,8 +12089,7 @@ var select143 = linear_select([ msg591, ]); -var part719 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part719 = match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup136, dup288, dup56, @@ -13009,8 +12100,7 @@ match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg592 = msg("302449168", part719); -var part720 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#562:302449168:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part720 = match("MESSAGE#562:302449168:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup136, dup288, dup56, @@ -13035,8 +12125,7 @@ var select145 = linear_select([ msg595, ]); -var part721 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part721 = match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup213, dup288, dup172, @@ -13047,8 +12136,7 @@ match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg596 = msg("302449176", part721); -var part722 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#566:302449176:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part722 = match("MESSAGE#566:302449176:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup213, dup288, dup172, @@ -13064,8 +12152,7 @@ var select146 = linear_select([ msg597, ]); -var part723 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part723 = match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup256, dup15, dup287, @@ -13073,8 +12160,7 @@ match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg598 = msg("302449178", part723); -var part724 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#568:302449178:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part724 = match("MESSAGE#568:302449178:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup256, dup15, dup287, @@ -13105,8 +12191,7 @@ var select149 = linear_select([ msg603, ]); -var part725 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part725 = match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup289, dup15, dup287, @@ -13114,8 +12199,7 @@ match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg604 = msg("302449412", part725); -var part726 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#574:302449412:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part726 = match("MESSAGE#574:302449412:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup289, dup15, dup287, @@ -13128,8 +12212,7 @@ var select150 = linear_select([ msg605, ]); -var part727 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part727 = match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup232, dup15, dup287, @@ -13137,8 +12220,7 @@ match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg606 = msg("302449413", part727); -var part728 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#576:302449413:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part728 = match("MESSAGE#576:302449413:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup232, dup15, dup287, @@ -13430,8 +12512,7 @@ var select182 = linear_select([ msg669, ]); -var part729 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); +var part729 = match("MESSAGE#639:303235080/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); var all185 = all_match({ processors: [ @@ -13448,8 +12529,7 @@ var all185 = all_match({ var msg670 = msg("303235080", all185); -var part730 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#640:303235080:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); +var part730 = match("MESSAGE#640:303235080:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); var all186 = all_match({ processors: [ @@ -13511,8 +12591,7 @@ var select187 = linear_select([ var msg681 = msg("302448900", dup345); -var part731 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part731 = match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup351, @@ -13530,8 +12609,7 @@ match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg682 = msg("301", part731); -var part732 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part732 = match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup351, @@ -13549,8 +12627,7 @@ match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ var msg683 = msg("301:01", part732); -var part733 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#653:301:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part733 = match("MESSAGE#653:301:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup120, dup295, dup268, @@ -13572,8 +12649,7 @@ var select188 = linear_select([ msg684, ]); -var part734 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part734 = match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13590,8 +12666,7 @@ match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg685 = msg("302", part734); -var part735 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#655:302:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part735 = match("MESSAGE#655:302:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13613,8 +12688,7 @@ var select189 = linear_select([ msg686, ]); -var part736 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part736 = match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13631,8 +12705,7 @@ match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg687 = msg("306", part736); -var part737 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#657:306:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part737 = match("MESSAGE#657:306:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13654,8 +12727,7 @@ var select190 = linear_select([ msg688, ]); -var part738 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part738 = match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13672,8 +12744,7 @@ match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg689 = msg("307", part738); -var part739 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#659:307:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part739 = match("MESSAGE#659:307:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13695,8 +12766,7 @@ var select191 = linear_select([ msg690, ]); -var part740 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part740 = match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13714,8 +12784,7 @@ match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg691 = msg("308", part740); -var part741 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part741 = match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -13733,8 +12802,7 @@ match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ var msg692 = msg("308:01", part741); -var part742 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#662:308:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part742 = match("MESSAGE#662:308:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup120, dup295, dup351, @@ -13756,8 +12824,7 @@ var select192 = linear_select([ msg693, ]); -var part743 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#663:202", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part743 = match("MESSAGE#663:202", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup36, dup295, setc("ec_activity","Scan"), @@ -13791,8 +12858,7 @@ var select194 = linear_select([ msg698, ]); -var part744 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#668:208", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part744 = match("MESSAGE#668:208", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup36, dup295, dup268, @@ -13809,8 +12875,7 @@ var msg699 = msg("208", part744); var msg700 = msg("210", dup359); -var part745 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#670:210:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part745 = match("MESSAGE#670:210:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup353, @@ -13839,8 +12904,7 @@ var select196 = linear_select([ var msg704 = msg("221", dup359); -var part746 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#674:238/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); +var part746 = match("MESSAGE#674:238/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); var all187 = all_match({ processors: [ @@ -13862,11 +12926,9 @@ var all187 = all_match({ var msg705 = msg("238", all187); -var part747 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#675:238:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); +var part747 = match("MESSAGE#675:238:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); -var part748 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#675:238:01/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); +var part748 = match("MESSAGE#675:238:01/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); var all188 = all_match({ processors: [ @@ -13902,8 +12964,7 @@ var select198 = linear_select([ msg708, ]); -var part749 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" -match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ +var part749 = match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ dup43, dup15, dup356, @@ -13917,8 +12978,7 @@ match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id} var msg709 = msg("502", part749); -var part750 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" -match("MESSAGE#679:502:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ +var part750 = match("MESSAGE#679:502:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ dup43, dup15, dup356, @@ -13946,8 +13006,7 @@ var select200 = linear_select([ msg712, ]); -var part751 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,SYSTEM,Information,'), Field(shost,false), Constant(','), Field(event_description,false), Constant('. string-data=[ Scan type: '), Field(event_type,true), Constant(' Event: '), Field(result,true), Constant(' Security risk detected: '), Field(directory,true), Constant(' File: '), Field(filename,true), Constant(' Location: '), Field(fld7,true), Constant(' Computer: '), Field(fld8,true), Constant(' User: '), Field(username,true), Constant(' Action taken:'), Field(action,true), Constant(' Date found: '), Field(fld9,false), Constant(']')}" -match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,SYSTEM,Information,%{shost},%{event_description}. string-data=[ Scan type: %{event_type->} Event: %{result->} Security risk detected: %{directory->} File: %{filename->} Location: %{fld7->} Computer: %{fld8->} User: %{username->} Action taken:%{action->} Date found: %{fld9}]", processor_chain([ +var part751 = match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,SYSTEM,Information,%{shost},%{event_description}. string-data=[ Scan type: %{event_type->} Event: %{result->} Security risk detected: %{directory->} File: %{filename->} Location: %{fld7->} Computer: %{fld8->} User: %{username->} Action taken:%{action->} Date found: %{fld9}]", processor_chain([ dup43, dup15, dup55, @@ -13955,26 +13014,19 @@ match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1-> var msg713 = msg("Application_45", part751); -var part752 = // "Pattern{Constant('Using Group Update Provider type: '), Field(p0,false)}" -match("MESSAGE#692:SYLINK/0", "nwparser.payload", "Using Group Update Provider type: %{p0}"); +var part752 = match("MESSAGE#692:SYLINK/0", "nwparser.payload", "Using Group Update Provider type: %{p0}"); -var part753 = // "Pattern{Constant('Single Group Update Provider,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#692:SYLINK/1_0", "nwparser.p0", "Single Group Update Provider,Event time:%{fld17->} %{fld18}"); +var part753 = match("MESSAGE#692:SYLINK/1_0", "nwparser.p0", "Single Group Update Provider,Event time:%{fld17->} %{fld18}"); -var part754 = // "Pattern{Constant('Multiple Group Update Providers,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#692:SYLINK/1_1", "nwparser.p0", "Multiple Group Update Providers,Event time:%{fld17->} %{fld18}"); +var part754 = match("MESSAGE#692:SYLINK/1_1", "nwparser.p0", "Multiple Group Update Providers,Event time:%{fld17->} %{fld18}"); -var part755 = // "Pattern{Constant('Mapped Group Update Providers,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#692:SYLINK/1_2", "nwparser.p0", "Mapped Group Update Providers,Event time:%{fld17->} %{fld18}"); +var part755 = match("MESSAGE#692:SYLINK/1_2", "nwparser.p0", "Mapped Group Update Providers,Event time:%{fld17->} %{fld18}"); -var part756 = // "Pattern{Constant('Single Group Update Provider'), Field(,false)}" -match("MESSAGE#692:SYLINK/1_3", "nwparser.p0", "Single Group Update Provider%{}"); +var part756 = match("MESSAGE#692:SYLINK/1_3", "nwparser.p0", "Single Group Update Provider%{}"); -var part757 = // "Pattern{Constant('Multiple Group Update Providers'), Field(,false)}" -match("MESSAGE#692:SYLINK/1_4", "nwparser.p0", "Multiple Group Update Providers%{}"); +var part757 = match("MESSAGE#692:SYLINK/1_4", "nwparser.p0", "Multiple Group Update Providers%{}"); -var part758 = // "Pattern{Constant('Mapped Group Update Providers'), Field(,false)}" -match("MESSAGE#692:SYLINK/1_5", "nwparser.p0", "Mapped Group Update Providers%{}"); +var part758 = match("MESSAGE#692:SYLINK/1_5", "nwparser.p0", "Mapped Group Update Providers%{}"); var select201 = linear_select([ part753, @@ -14003,8 +13055,7 @@ var all189 = all_match({ var msg714 = msg("SYLINK", all189); -var part759 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part759 = match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup53, dup15, dup353, @@ -14017,22 +13068,18 @@ match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos var msg715 = msg("242", part759); -var part760 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' ['), Field(p0,false)}" -match("MESSAGE#704:242:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [%{p0}"); +var part760 = match("MESSAGE#704:242:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [%{p0}"); -var part761 = // "Pattern{Constant('Device]: '), Field(device,true), Constant(' [guid]: '), Field(hardware_id,true), Constant(' [Volume]:'), Field(p0,false)}" -match("MESSAGE#704:242:01/1_0", "nwparser.p0", "Device]: %{device->} [guid]: %{hardware_id->} [Volume]:%{p0}"); +var part761 = match("MESSAGE#704:242:01/1_0", "nwparser.p0", "Device]: %{device->} [guid]: %{hardware_id->} [Volume]:%{p0}"); -var part762 = // "Pattern{Constant('Volume]:'), Field(p0,false)}" -match("MESSAGE#704:242:01/1_1", "nwparser.p0", "Volume]:%{p0}"); +var part762 = match("MESSAGE#704:242:01/1_1", "nwparser.p0", "Volume]:%{p0}"); var select202 = linear_select([ part761, part762, ]); -var part763 = // "Pattern{Field(,true), Constant(' '), Field(disk_volume,true), Constant(' [Vendor]:'), Field(devvendor,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#704:242:01/2", "nwparser.p0", "%{} %{disk_volume->} [Vendor]:%{devvendor->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); +var part763 = match("MESSAGE#704:242:01/2", "nwparser.p0", "%{} %{disk_volume->} [Vendor]:%{devvendor->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); var all190 = all_match({ processors: [ @@ -14054,8 +13101,7 @@ var all190 = all_match({ var msg716 = msg("242:01", all190); -var part764 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' [Volume]: '), Field(disk_volume,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part764 = match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup53, dup15, dup353, @@ -14068,14 +13114,11 @@ match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ var msg717 = msg("242:02", part764); -var part765 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#706:242:03/1_0", "nwparser.p0", "%{event_description}. %{info->} [Access]: %{accesses}^^%{p0}"); +var part765 = match("MESSAGE#706:242:03/1_0", "nwparser.p0", "%{event_description}. %{info->} [Access]: %{accesses}^^%{p0}"); -var part766 = // "Pattern{Constant(' '), Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#706:242:03/1_1", "nwparser.p0", " %{event_description}. %{info}^^%{p0}"); +var part766 = match("MESSAGE#706:242:03/1_1", "nwparser.p0", " %{event_description}. %{info}^^%{p0}"); -var part767 = // "Pattern{Constant(' '), Field(event_description,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#706:242:03/1_2", "nwparser.p0", " %{event_description}^^%{p0}"); +var part767 = match("MESSAGE#706:242:03/1_2", "nwparser.p0", " %{event_description}^^%{p0}"); var select203 = linear_select([ part765, @@ -14083,8 +13126,7 @@ var select203 = linear_select([ part767, ]); -var part768 = // "Pattern{Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#706:242:03/2", "nwparser.p0", "%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); +var part768 = match("MESSAGE#706:242:03/2", "nwparser.p0", "%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); var all191 = all_match({ processors: [ @@ -14113,8 +13155,7 @@ var select204 = linear_select([ msg718, ]); -var part769 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part769 = match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ setc("eventcategory","1801010000"), dup15, dup287, @@ -14122,8 +13163,7 @@ match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^ var msg719 = msg("303169540", part769); -var part770 = // "Pattern{Field(shost,false), Constant(', Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}", processor_chain([ +var part770 = match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}", processor_chain([ dup53, dup12, dup15, @@ -14135,27 +13175,23 @@ match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},R var msg720 = msg("Remote::01", part770); -var part771 = // "Pattern{Constant('"'), Field(info,false), Constant('",Local: '), Field(p0,false)}" -match("MESSAGE#709:Notification::01/0_0", "nwparser.payload", "\"%{info}\",Local: %{p0}"); +var part771 = match("MESSAGE#709:Notification::01/0_0", "nwparser.payload", "\"%{info}\",Local: %{p0}"); -var part772 = // "Pattern{Field(info,false), Constant(',Local: '), Field(p0,false)}" -match("MESSAGE#709:Notification::01/0_1", "nwparser.payload", "%{info},Local: %{p0}"); +var part772 = match("MESSAGE#709:Notification::01/0_1", "nwparser.payload", "%{info},Local: %{p0}"); var select205 = linear_select([ part771, part772, ]); -var part773 = // "Pattern{Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#709:Notification::01/1", "nwparser.p0", "%{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); +var part773 = match("MESSAGE#709:Notification::01/1", "nwparser.p0", "%{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); var select206 = linear_select([ dup182, dup67, ]); -var part774 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#709:Notification::01/3", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part774 = match("MESSAGE#709:Notification::01/3", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); var all192 = all_match({ processors: [ @@ -14388,299 +13424,201 @@ var chain1 = processor_chain([ }), ]); -var part775 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part775 = match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var part776 = // "Pattern{Field(domain,false)}" -match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); +var part776 = match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); -var part777 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part777 = match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var part778 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); +var part778 = match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); -var part779 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); +var part779 = match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); -var part780 = // "Pattern{Constant('Intrusion URL: '), Field(url,false)}" -match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); +var part780 = match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); -var part781 = // "Pattern{Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" -match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); +var part781 = match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); -var part782 = // "Pattern{Field(url,false)}" -match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); +var part782 = match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); -var part783 = // "Pattern{Constant('Domain:'), Field(p0,false)}" -match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); +var part783 = match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); -var part784 = // "Pattern{Constant(':'), Field(p0,false)}" -match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); +var part784 = match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); -var part785 = // "Pattern{Constant('"'), Field(p0,false)}" -match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); +var part785 = match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); -var part786 = // "Pattern{Field(p0,false)}" -match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); +var part786 = match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); -var part787 = // "Pattern{Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" -match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); +var part787 = match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); -var part788 = // "Pattern{Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); +var part788 = match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); -var part789 = // "Pattern{Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" -match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); +var part789 = match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); -var part790 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" -match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); +var part790 = match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); -var part791 = // "Pattern{Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); +var part791 = match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); -var part792 = // "Pattern{}" -match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); +var part792 = match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); -var part793 = // "Pattern{Constant('"Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); +var part793 = match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); -var part794 = // "Pattern{Constant('Location: '), Field(p0,false)}" -match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); +var part794 = match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); -var part795 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); +var part795 = match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); -var part796 = // "Pattern{Field(fld4,false), Constant(',MD-5:'), Field(fld5,false), Constant(',Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); +var part796 = match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); -var part797 = // "Pattern{Constant('Local:'), Field(p0,false)}" -match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); +var part797 = match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); -var part798 = // "Pattern{Constant('Rule: '), Field(rulename,false), Constant(',Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); +var part798 = match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); -var part799 = // "Pattern{Constant(' "Rule: '), Field(rulename,false), Constant('",Location: '), Field(p0,false)}" -match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); +var part799 = match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); -var part800 = // "Pattern{Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" -match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); +var part800 = match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); -var part801 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" -match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); +var part801 = match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); -var part802 = // "Pattern{Constant(' Domain: '), Field(domain,false)}" -match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); +var part802 = match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); -var part803 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); +var part803 = match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); -var part804 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(p0,false)}" -match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); +var part804 = match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); -var part805 = // "Pattern{Field(fld25,false)}" -match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); +var part805 = match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); -var part806 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part806 = match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part807 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" -match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); +var part807 = match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); -var part808 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); +var part808 = match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); -var part809 = // "Pattern{Constant('The client will block traffic from IP address '), Field(fld14,true), Constant(' for the next '), Field(duration_string,true), Constant(' (from '), Field(fld13,false), Constant(')'), Field(p0,false)}" -match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); +var part809 = match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); -var part810 = // "Pattern{Constant('.,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); +var part810 = match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); -var part811 = // "Pattern{Constant(' . ,'), Field(p0,false)}" -match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); +var part811 = match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); -var part812 = // "Pattern{Constant('Commercial application detected,Computer name: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); +var part812 = match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); -var part813 = // "Pattern{Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); +var part813 = match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); -var part814 = // "Pattern{Field(shost,false), Constant(',Detection type: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); +var part814 = match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); -var part815 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); +var part815 = match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); -var part816 = // "Pattern{Constant('"'), Field(filename,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); +var part816 = match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); -var part817 = // "Pattern{Field(filename,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); +var part817 = match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); -var part818 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part818 = match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); -var part819 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" -match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); +var part819 = match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); -var part820 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); +var part820 = match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); -var part821 = // "Pattern{Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); +var part821 = match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); -var part822 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(','), Field(fld53,false), Constant(',Permitted application reason: '), Field(fld54,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part822 = match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); -var part823 = // "Pattern{Constant('"'), Field(,false)}" -match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); +var part823 = match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); -var part824 = // "Pattern{Constant(' Domain:'), Field(p0,false)}" -match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); +var part824 = match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); -var part825 = // "Pattern{Constant('is '), Field(p0,false)}" -match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); +var part825 = match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); -var part826 = // "Pattern{Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); +var part826 = match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); -var part827 = // "Pattern{Constant('",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); +var part827 = match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); -var part828 = // "Pattern{Constant(' '), Field(p0,false)}" -match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); +var part828 = match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); -var part829 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var part829 = match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var part830 = // "Pattern{Constant('"'), Field(fld1,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); +var part830 = match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); -var part831 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); +var part831 = match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); -var part832 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); +var part832 = match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); -var part833 = // "Pattern{Constant('Source: '), Field(p0,false)}" -match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); +var part833 = match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); -var part834 = // "Pattern{Constant('"Group: '), Field(group,false), Constant('",Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); +var part834 = match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); -var part835 = // "Pattern{Constant('Group: '), Field(group,false), Constant(',Server: '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); +var part835 = match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); -var part836 = // "Pattern{Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(p0,false)}" -match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); +var part836 = match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); -var part837 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" -match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); +var part837 = match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); -var part838 = // "Pattern{Field(filename_size,false)}" -match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); +var part838 = match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); -var part839 = // "Pattern{Constant('Virus found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" -match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); +var part839 = match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); -var part840 = // "Pattern{Constant('"'), Field(info,false), Constant('",Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); +var part840 = match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); -var part841 = // "Pattern{Field(info,false), Constant(',Actual action: '), Field(p0,false)}" -match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); +var part841 = match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); -var part842 = // "Pattern{Constant(''), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); +var part842 = match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); -var part843 = // "Pattern{Field(info,false)}" -match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); +var part843 = match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); -var part844 = // "Pattern{Constant(' by policy'), Field(,false)}" -match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); +var part844 = match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); -var part845 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); +var part845 = match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); -var part846 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); +var part846 = match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); -var part847 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" -match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); +var part847 = match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); -var part848 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was denied by user'), Field(fld6,false), Constant('"'), Field(p0,false)}" -match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); +var part848 = match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); -var part849 = // "Pattern{Constant('''), Field(context,false), Constant('','), Field(p0,false)}" -match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); +var part849 = match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); -var part850 = // "Pattern{Constant('Security risk found,Computer name: '), Field(p0,false)}" -match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); +var part850 = match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); -var part851 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" -match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); +var part851 = match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); -var part852 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false)}" -match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); +var part852 = match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); -var part853 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); +var part853 = match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); -var part854 = // "Pattern{Constant('[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); +var part854 = match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); -var part855 = // "Pattern{Constant('"[Antivirus'), Field(p0,false)}" -match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); +var part855 = match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); -var part856 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); +var part856 = match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); -var part857 = // "Pattern{Constant('detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); +var part857 = match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); -var part858 = // "Pattern{Constant('advanced heuristic detection'), Field(p0,false)}" -match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); +var part858 = match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); -var part859 = // "Pattern{Constant(' Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); +var part859 = match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); -var part860 = // "Pattern{Constant('Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" -match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); +var part860 = match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); -var part861 = // "Pattern{Constant(','), Field(p0,false)}" -match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); +var part861 = match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); -var part862 = // "Pattern{Constant(''), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" -match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); +var part862 = match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); -var part863 = // "Pattern{Constant('"'), Field(filename,false), Constant('",User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); +var part863 = match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); -var part864 = // "Pattern{Field(filename,false), Constant(',User: '), Field(p0,false)}" -match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); +var part864 = match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); -var part865 = // "Pattern{Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" -match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); +var part865 = match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); -var part866 = // "Pattern{Constant('""'), Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); +var part866 = match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); -var part867 = // "Pattern{Field(action,true), Constant(' . Description: '), Field(p0,false)}" -match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); +var part867 = match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); -var part868 = // "Pattern{Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); +var part868 = match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); -var part869 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); +var part869 = match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); -var part870 = // "Pattern{Field(event_description,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); +var part870 = match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); -var part871 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); +var part871 = match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); -var part872 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" -match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); +var part872 = match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); var select207 = linear_select([ dup9, @@ -14836,55 +13774,47 @@ var select236 = linear_select([ dup282, ]); -var part873 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var part873 = match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup53, dup15, ])); -var part874 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" -match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ +var part874 = match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ dup43, dup15, ])); -var part875 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part875 = match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var part876 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part876 = match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup43, dup15, dup287, ])); -var part877 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part877 = match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var part878 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part878 = match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup74, dup15, dup287, ])); -var part879 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part879 = match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, ])); -var part880 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part880 = match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup168, dup15, dup287, @@ -14896,8 +13826,7 @@ var select237 = linear_select([ dup292, ]); -var part881 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part881 = match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup294, dup295, dup37, @@ -14911,8 +13840,7 @@ match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var part882 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" -match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ +var part882 = match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ dup294, dup295, dup37, @@ -14926,8 +13854,7 @@ match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{ dup302, ])); -var part883 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" -match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ +var part883 = match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ dup43, dup15, dup353, @@ -14938,8 +13865,7 @@ match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hos dup302, ])); -var part884 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" -match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ +var part884 = match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ dup43, dup15, dup355, @@ -14950,8 +13876,7 @@ match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id} dup308, ])); -var part885 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" -match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ +var part885 = match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ dup43, dup15, dup355, diff --git a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json index 52041a1c64c..6b937817527 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json +++ b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-pubsub-overview.json @@ -2,7 +2,7 @@ "objects": [ { "attributes": { - "description": "Overview of Googlecloud Pubsub Metrics", + "description": "Overview of Googlecloud PubSub Metrics", "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { @@ -23,212 +23,242 @@ "title": "Filters" }, "gridData": { - "h": 13, - "i": "575df0fe-b44d-471f-8386-c4bd118a3810", - "w": 10, + "h": 6, + "i": "3674673e-83e6-42df-8392-5284960a12ea", + "w": 48, "x": 0, "y": 0 }, - "panelIndex": "575df0fe-b44d-471f-8386-c4bd118a3810", + "panelIndex": "3674673e-83e6-42df-8392-5284960a12ea", "panelRefName": "panel_0", "title": "Filters", - "version": "7.6.1" + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Oldest Unacked Message" + "title": "Topic Send Request" }, "gridData": { "h": 13, - "i": "5c336037-7c71-4eab-b544-926aaff73736", - "w": 17, - "x": 11, - "y": 0 + "i": "c1d89f36-43ed-42e6-98a0-8820b28f7953", + "w": 16, + "x": 0, + "y": 6 }, - "panelIndex": "5c336037-7c71-4eab-b544-926aaff73736", + "panelIndex": "c1d89f36-43ed-42e6-98a0-8820b28f7953", "panelRefName": "panel_1", - "title": "Subscription Oldest Unacked Message", - "version": "7.6.1" + "title": "Topic Send Request", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Undelivered Messages" + "title": "Topic Oldest Retained Acked Message Age" }, "gridData": { "h": 13, - "i": "389bc633-eeaf-4deb-815c-3a6b8e5d95ac", - "w": 19, - "x": 29, - "y": 0 + "i": "b26a6238-b982-4082-9e4e-3e3d9361a865", + "w": 16, + "x": 16, + "y": 6 }, - "panelIndex": "389bc633-eeaf-4deb-815c-3a6b8e5d95ac", + "panelIndex": "b26a6238-b982-4082-9e4e-3e3d9361a865", "panelRefName": "panel_2", - "title": "Subscription Undelivered Messages", - "version": "7.6.1" + "title": "Topic Oldest Retained Acked Message Age", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Backlog Size" + "title": "Topic Oldest Unacked Message Age" }, "gridData": { - "h": 15, - "i": "2e8dc479-ba85-4424-87c4-40b93e801006", - "w": 24, - "x": 0, - "y": 13 + "h": 13, + "i": "c7bbeabc-b158-4bdd-9ba3-9d45264d250b", + "w": 16, + "x": 32, + "y": 6 }, - "panelIndex": "2e8dc479-ba85-4424-87c4-40b93e801006", + "panelIndex": "c7bbeabc-b158-4bdd-9ba3-9d45264d250b", "panelRefName": "panel_3", - "title": "Subscription Backlog Size", - "version": "7.6.1" + "title": "Topic Oldest Unacked Message Age", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Pull Request Count" + "title": "Subsciption Oldest Unacked Message" }, "gridData": { - "h": 15, - "i": "aefce32f-71e4-4770-9a4b-bedb2c608abd", - "w": 24, - "x": 24, - "y": 13 + "h": 13, + "i": "b822a795-7086-4559-b7c0-176dfcc7380e", + "w": 16, + "x": 0, + "y": 19 }, - "panelIndex": "aefce32f-71e4-4770-9a4b-bedb2c608abd", + "panelIndex": "b822a795-7086-4559-b7c0-176dfcc7380e", "panelRefName": "panel_4", - "title": "Subscription Pull Request Count", - "version": "7.6.1" + "title": "Subsciption Oldest Unacked Message", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Topic Message Size" + "title": "Subscription Number of Undelivered Messages" }, "gridData": { - "h": 15, - "i": "ca4cce89-0d1d-4d96-b35f-443a05d1b410", - "w": 24, - "x": 0, - "y": 28 + "h": 13, + "i": "9c99d7bb-88f0-415c-abc1-c12ec1295236", + "w": 16, + "x": 16, + "y": 19 }, - "panelIndex": "ca4cce89-0d1d-4d96-b35f-443a05d1b410", + "panelIndex": "9c99d7bb-88f0-415c-abc1-c12ec1295236", "panelRefName": "panel_5", - "title": "Topic Message Size", - "version": "7.6.1" + "title": "Subscription Number of Undelivered Messages", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Undelivered Messages" + "title": "Snapshot Oldest Message" }, "gridData": { - "h": 15, - "i": "95c5c1f6-194c-4814-8281-02fecf7a81a5", - "w": 24, - "x": 24, - "y": 28 + "h": 13, + "i": "8cc0ccbd-5798-4d68-a519-07ef1d9693fd", + "w": 16, + "x": 32, + "y": 32 }, - "panelIndex": "95c5c1f6-194c-4814-8281-02fecf7a81a5", + "panelIndex": "8cc0ccbd-5798-4d68-a519-07ef1d9693fd", "panelRefName": "panel_6", - "title": "Subscription Undelivered Messages", - "version": "7.6.1" + "title": "Snapshot Oldest Message", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Pull Message Operation Count" + "title": "Snapshot Number of Messages" }, "gridData": { - "h": 15, - "i": "ab2fad6a-f888-4b49-92c4-c220f3b8669c", - "w": 24, + "h": 13, + "i": "f9e45ec1-72e5-4f49-82cf-2132162d642c", + "w": 16, "x": 0, - "y": 43 + "y": 32 }, - "panelIndex": "ab2fad6a-f888-4b49-92c4-c220f3b8669c", + "panelIndex": "f9e45ec1-72e5-4f49-82cf-2132162d642c", "panelRefName": "panel_7", - "title": "Subscription Pull Message Operation Count", - "version": "7.6.1" + "title": "Snapshot Number of Messages", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Subscription Sent Message Count" + "title": "Snapshot Backlog Bytes" }, "gridData": { - "h": 15, - "i": "2121bde6-3a01-4339-8508-a20c107c62c9", - "w": 24, - "x": 24, - "y": 43 + "h": 13, + "i": "d8876e62-daf0-4654-8618-8746d5da43e0", + "w": 16, + "x": 16, + "y": 32 }, - "panelIndex": "2121bde6-3a01-4339-8508-a20c107c62c9", + "panelIndex": "d8876e62-daf0-4654-8618-8746d5da43e0", "panelRefName": "panel_8", - "title": "Subscription Sent Message Count", - "version": "7.6.1" + "title": "Snapshot Backlog Bytes", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Subscription Backlog Bytes" + }, + "gridData": { + "h": 13, + "i": "6079e9ed-da9f-4457-bb3a-7ed20f98605e", + "w": 16, + "x": 32, + "y": 19 + }, + "panelIndex": "6079e9ed-da9f-4457-bb3a-7ed20f98605e", + "panelRefName": "panel_9", + "title": "Subscription Backlog Bytes", + "version": "7.9.0" } ], "timeRestore": false, - "title": "[Metricbeat Googlecloud] Pubsub Overview", + "title": "[Metricbeat Googlecloud] PubSub Overview", "version": 1 }, - "id": "ac97c2f0-6ac5-11ea-b657-e57ec854315f", + "id": "2b0fd7b0-feac-11ea-b032-d59f894a5072", "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { - "id": "8897e920-6ac5-11ea-b657-e57ec854315f", + "id": "f6e33a00-feaf-11ea-b032-d59f894a5072", "name": "panel_0", "type": "visualization" }, { - "id": "1a83ede0-6ab5-11ea-b657-e57ec854315f", + "id": "bd399790-01a2-11eb-b032-d59f894a5072", "name": "panel_1", - "type": "visualization" + "type": "lens" }, { - "id": "fddf3a50-6ac8-11ea-b657-e57ec854315f", + "id": "25b76dc0-01a2-11eb-b032-d59f894a5072", "name": "panel_2", - "type": "visualization" + "type": "lens" }, { - "id": "5067cf60-6a2b-11ea-b657-e57ec854315f", + "id": "5f97d300-01a1-11eb-b032-d59f894a5072", "name": "panel_3", - "type": "visualization" + "type": "lens" }, { - "id": "8e4a1d50-6ab8-11ea-b657-e57ec854315f", + "id": "403d81e0-01a0-11eb-b032-d59f894a5072", "name": "panel_4", - "type": "visualization" + "type": "lens" }, { - "id": "0cb2b3f0-6abe-11ea-b657-e57ec854315f", + "id": "11d06fc0-01a0-11eb-b032-d59f894a5072", "name": "panel_5", - "type": "visualization" + "type": "lens" }, { - "id": "afe5e1b0-6ab3-11ea-b657-e57ec854315f", + "id": "f3e92c10-019d-11eb-b032-d59f894a5072", "name": "panel_6", - "type": "visualization" + "type": "lens" }, { - "id": "8355dab0-6ab8-11ea-b657-e57ec854315f", + "id": "6de1f430-019d-11eb-b032-d59f894a5072", "name": "panel_7", - "type": "visualization" + "type": "lens" }, { - "id": "97ee1230-6ab8-11ea-b657-e57ec854315f", + "id": "0776dbf0-019f-11eb-b032-d59f894a5072", "name": "panel_8", - "type": "visualization" + "type": "lens" + }, + { + "id": "79d80f10-01a0-11eb-b032-d59f894a5072", + "name": "panel_9", + "type": "lens" } ], "type": "dashboard", - "updated_at": "2020-03-20T16:52:13.023Z", - "version": "WzEwMDUsM10=" + "updated_at": "2020-09-28T16:57:22.839Z", + "version": "WzY5MDQsMV0=" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { - "searchSourceJSON": {} + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - "title": "Pubsub Filters [Metricbeat Googlecloud]", + "title": "PubSub Filter [Metricbeat Googlecloud]", "uiStateJSON": {}, "version": 1, "visState": { @@ -237,7 +267,7 @@ "controls": [ { "fieldName": "googlecloud.labels.resource.subscription_id", - "id": "1584720667458", + "id": "1600984143264", "indexPatternRefName": "control_0_index_pattern", "label": "Subscription ID", "options": { @@ -252,7 +282,7 @@ }, { "fieldName": "googlecloud.labels.resource.topic_id", - "id": "1584720684072", + "id": "1600984164459", "indexPatternRefName": "control_1_index_pattern", "label": "Topic ID", "options": { @@ -264,20 +294,53 @@ }, "parent": "", "type": "list" + }, + { + "fieldName": "googlecloud.labels.resource.snapshot_id", + "id": "1601305675297", + "indexPatternRefName": "control_2_index_pattern", + "label": "Snapshot ID", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "googlecloud.labels.metrics.region", + "id": "1601307561260", + "indexPatternRefName": "control_3_index_pattern", + "label": "Region", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" } ], - "pinFilters": true, - "updateFiltersOnChange": true, - "useTimeFilter": true + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false }, - "title": "Pubsub Filters [Metricbeat Googlecloud]", + "title": "PubSub Filter [Metricbeat Googlecloud]", "type": "input_control_vis" } }, - "id": "8897e920-6ac5-11ea-b657-e57ec854315f", + "id": "f6e33a00-feaf-11ea-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -288,640 +351,1038 @@ "id": "metricbeat-*", "name": "control_1_index_pattern", "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_3_index_pattern", + "type": "index-pattern" } ], "type": "visualization", - "updated_at": "2020-03-20T16:34:17.599Z", - "version": "Wzk5MywzXQ==" + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNjcsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Oldest Unacked Message [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" - } - ], - "bar_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"4f8dae5f-b49c-4a10-8f94-a29039f93919\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.topic_id\\\",\\\"orderBy\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.topic.send_request_count.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-4f8dae5f-b49c-4a10-8f94-a29039f93919\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.topic_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.topic_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"4f8dae5f-b49c-4a10-8f94-a29039f93919\\\"},\\\"col-2-f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\"},\\\"col-3-27a71166-d245-471d-b550-ee0b1899ea88\\\":{\\\"label\\\":\\\"Topic Send Request Count\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.topic.send_request_count.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Topic Send Request Count\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"4f8dae5f-b49c-4a10-8f94-a29039f93919\" seriesType=\"line\" accessors=\"27a71166-d245-471d-b550-ee0b1899ea88\" columnToLabel=\"{\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\":\\\"Topic Send Request Count\\\",\\\"4f8dae5f-b49c-4a10-8f94-a29039f93919\\\":\\\"Top values of googlecloud.labels.resource.topic_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "8a3465a0-6ac6-11ea-a262-61aa6533c46b" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "4f8dae5f-b49c-4a10-8f94-a29039f93919", + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4", + "27a71166-d245-471d-b550-ee0b1899ea88" + ], + "columns": { + "27a71166-d245-471d-b550-ee0b1899ea88": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Topic Send Request Count", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.topic.send_request_count.value", + "suggestedPriority": 0 + }, + "4f8dae5f-b49c-4a10-8f94-a29039f93919": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.topic_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27a71166-d245-471d-b550-ee0b1899ea88", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.topic_id" + }, + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "filter": { - "language": "kuery", - "query": "event.dataset: \"googlecloud.pubsub\" " - }, - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Oldest Unacknowledged Message(s)", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.oldest_unacked_message_age.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "max" - } + "accessors": [ + "27a71166-d245-471d-b550-ee0b1899ea88" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "filter", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "seriesType": "line", + "splitAccessor": "4f8dae5f-b49c-4a10-8f94-a29039f93919", + "xAccessor": "f0d11f8d-e2f9-408a-9114-a0b9b18142d4" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "metric" - }, - "title": "Pubsub Subscription Oldest Unacked Message [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Topic Send Request [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "1a83ede0-6ab5-11ea-b657-e57ec854315f", + "id": "bd399790-01a2-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:22:19.360Z", - "version": "Wzk4OCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNjgsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Number of Undelivered Messages [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"89c8d41d-6896-470d-8318-c0a691fa638e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"orderBy\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.topic.oldest_retained_acked_message_age_by_region.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"id\\\":\\\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\\\"},\\\"col-2-89c8d41d-6896-470d-8318-c0a691fa638e\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.metrics.region\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"89c8d41d-6896-470d-8318-c0a691fa638e\\\"},\\\"col-3-27a71166-d245-471d-b550-ee0b1899ea88\\\":{\\\"label\\\":\\\"Topic Oldest Retained Acked Message Age By Region\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.topic.oldest_retained_acked_message_age_by_region.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Topic Oldest Retained Acked Message Age By Region\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"f0d11f8d-e2f9-408a-9114-a0b9b18142d4\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"89c8d41d-6896-470d-8318-c0a691fa638e\" seriesType=\"line\" accessors=\"27a71166-d245-471d-b550-ee0b1899ea88\" columnToLabel=\"{\\\"27a71166-d245-471d-b550-ee0b1899ea88\\\":\\\"Topic Oldest Retained Acked Message Age By Region\\\",\\\"89c8d41d-6896-470d-8318-c0a691fa638e\\\":\\\"Top values of googlecloud.labels.metrics.region\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "eed2b050-6ac8-11ea-a765-0512a055c04c" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4", + "89c8d41d-6896-470d-8318-c0a691fa638e", + "27a71166-d245-471d-b550-ee0b1899ea88" + ], + "columns": { + "27a71166-d245-471d-b550-ee0b1899ea88": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Topic Oldest Retained Acked Message Age By Region", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.topic.oldest_retained_acked_message_age_by_region.value", + "suggestedPriority": 0 + }, + "89c8d41d-6896-470d-8318-c0a691fa638e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.metrics.region", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27a71166-d245-471d-b550-ee0b1899ea88", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.metrics.region" + }, + "f0d11f8d-e2f9-408a-9114-a0b9b18142d4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "Number of Undelivered Messages", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.num_undelivered_messages.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "27a71166-d245-471d-b550-ee0b1899ea88" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "seriesType": "line", + "splitAccessor": "89c8d41d-6896-470d-8318-c0a691fa638e", + "xAccessor": "f0d11f8d-e2f9-408a-9114-a0b9b18142d4" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "metric" - }, - "title": "Pubsub Subscription Number of Undelivered Messages [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Topic Oldest Retained Acked Message Age By Region [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "fddf3a50-6ac8-11ea-b657-e57ec854315f", + "id": "25b76dc0-01a2-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:36:54.809Z", - "version": "Wzk5NywzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNjksMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Backlog Size [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"ed36f31e-ed2a-460a-a881-18e191f75d04\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.topic.oldest_unacked_message_age_by_region.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-ed36f31e-ed2a-460a-a881-18e191f75d04\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.metrics.region\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.metrics.region\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"ed36f31e-ed2a-460a-a881-18e191f75d04\\\"},\\\"col-2-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Topic Oldest Unacked Message Age By Region\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.topic.oldest_unacked_message_age_by_region.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Topic Oldest Unacked Message Age By Region\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"ed36f31e-ed2a-460a-a881-18e191f75d04\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Topic Oldest Unacked Message Age By Region\\\",\\\"ed36f31e-ed2a-460a-a881-18e191f75d04\\\":\\\"Top values of googlecloud.labels.metrics.region\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "cb6bee00-6a1f-11ea-b594-a5f826db7e0b" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "bar_color_rules": [ + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "ed36f31e-ed2a-460a-a881-18e191f75d04", + "6be62612-437b-448d-9631-c6cc0938225d", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "0888bf93-1ecf-467a-b0b5-9e0deee6545c": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.topic_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.topic_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Topic Oldest Unacked Message Age By Region", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.topic.oldest_unacked_message_age_by_region.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ed36f31e-ed2a-460a-a881-18e191f75d04": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.metrics.region", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.metrics.region" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "id": "cc54ee70-6a1f-11ea-b594-a5f826db7e0b" + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "ed36f31e-ed2a-460a-a881-18e191f75d04", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Topic Oldest Unacked Message Age By Region [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" + }, + "id": "5f97d300-01a1-11eb-b032-d59f894a5072", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzAsMV0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.subscription.oldest_unacked_message_age.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"dataType\\\":\\\"date\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"@timestamp\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"scale\\\":\\\"interval\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-2251f8b6-6091-4386-890b-4d0d33e79a96\\\":{\\\"dataType\\\":\\\"string\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\",\\\"operationType\\\":\\\"terms\\\",\\\"params\\\":{\\\"orderBy\\\":{\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\",\\\"size\\\":3},\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"customLabel\\\":true,\\\"dataType\\\":\\\"number\\\",\\\"isBucketed\\\":false,\\\"label\\\":\\\"Subscription Oldest Unacked Message Age\\\",\\\"operationType\\\":\\\"avg\\\",\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.pubsub.subscription.oldest_unacked_message_age.value\\\",\\\"suggestedPriority\\\":0,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Subscription Oldest Unacked Message Age\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"2251f8b6-6091-4386-890b-4d0d33e79a96\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Subscription Oldest Unacked Message Age\\\",\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "cce19e10-6a1f-11ea-b594-a5f826db7e0b" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "2251f8b6-6091-4386-890b-4d0d33e79a96", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "2251f8b6-6091-4386-890b-4d0d33e79a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.subscription_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.subscription_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Subscription Oldest Unacked Message Age", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.subscription.oldest_unacked_message_age.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "filter": { - "language": "kuery", - "query": "" - }, - "formatter": "bytes", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.backlog_bytes.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2251f8b6-6091-4386-890b-4d0d33e79a96", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Backlog Size [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Subscription Oldest Unacked Message [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "5067cf60-6a2b-11ea-b657-e57ec854315f", + "id": "403d81e0-01a0-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-19T21:48:05.334Z", - "version": "Wzk1NiwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:53:54.651Z", + "version": "WzY4NDIsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Pull Request Count [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.subscription.num_undelivered_messages.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"dataType\\\":\\\"date\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"@timestamp\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"scale\\\":\\\"interval\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-2251f8b6-6091-4386-890b-4d0d33e79a96\\\":{\\\"dataType\\\":\\\"string\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\",\\\"operationType\\\":\\\"terms\\\",\\\"params\\\":{\\\"orderBy\\\":{\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\",\\\"size\\\":3},\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"customLabel\\\":true,\\\"dataType\\\":\\\"number\\\",\\\"isBucketed\\\":false,\\\"label\\\":\\\"Subscription Number of Undelivered Messages\\\",\\\"operationType\\\":\\\"avg\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.pubsub.subscription.num_undelivered_messages.value\\\",\\\"suggestedPriority\\\":0,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Subscription Number of Undelivered Messages\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"2251f8b6-6091-4386-890b-4d0d33e79a96\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Subscription Number of Undelivered Messages\\\",\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "2251f8b6-6091-4386-890b-4d0d33e79a96", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "2251f8b6-6091-4386-890b-4d0d33e79a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.subscription_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.subscription_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Subscription Number of Undelivered Messages", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "googlecloud.pubsub.subscription.num_undelivered_messages.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.pull_request_count.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2251f8b6-6091-4386-890b-4d0d33e79a96", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Pull Request Count [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Subscription Number of Undelivered Messages [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "8e4a1d50-6ab8-11ea-b657-e57ec854315f", + "id": "11d06fc0-01a0-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:10:38.696Z", - "version": "Wzk3OCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:55:54.581Z", + "version": "WzY4NzYsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Topic Message Size [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.snapshot.oldest_message_age.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-921ee447-0c37-4e9d-9f42-a491f412baef\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Snapshot Oldest Message\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.snapshot.oldest_message_age.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Snapshot Oldest Message\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"921ee447-0c37-4e9d-9f42-a491f412baef\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Snapshot Oldest Message\\\",\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "921ee447-0c37-4e9d-9f42-a491f412baef", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Snapshot Oldest Message", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.snapshot.oldest_message_age.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "921ee447-0c37-4e9d-9f42-a491f412baef": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.snapshot_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.snapshot_id" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.topic.message_sizes.bucket_options.Options.ExponentialBuckets.num_finite_buckets.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.topic_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "921ee447-0c37-4e9d-9f42-a491f412baef", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Topic Message Size [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Snapshot Oldest Message [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "0cb2b3f0-6abe-11ea-b657-e57ec854315f", + "id": "f3e92c10-019d-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T16:53:34.774Z", - "version": "WzEwMDcsM10=" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzMsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Undelivered Messages [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.snapshot.num_messages.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"id\\\":\\\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Snapshot Number of Messages\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.snapshot.num_messages.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Snapshot Number of Messages\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Snapshot Number of Messages\\\",\\\"ef2fc668-040b-4c82-9f65-5d3fb25c9536\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.num_undelivered_messages.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "ef2fc668-040b-4c82-9f65-5d3fb25c9536", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Snapshot Number of Messages", + "operationType": "avg", + "scale": "ratio", + "sourceField": "googlecloud.pubsub.snapshot.num_messages.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ef2fc668-040b-4c82-9f65-5d3fb25c9536": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.snapshot_id", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.snapshot_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "ef2fc668-040b-4c82-9f65-5d3fb25c9536", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Undelivered Messages [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Snapshot Number of Messages [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "afe5e1b0-6ab3-11ea-b657-e57ec854315f", + "id": "6de1f430-019d-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T14:04:17.099Z", - "version": "Wzk1OCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzQsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Pull Message Operation Count [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"auto\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.snapshot.backlog_bytes.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"auto\\\"},\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-921ee447-0c37-4e9d-9f42-a491f412baef\\\":{\\\"label\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.snapshot_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":3,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"label\\\":\\\"Snapshot Backlog Bytes\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"googlecloud.pubsub.snapshot.backlog_bytes.value\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"customLabel\\\":true,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Snapshot Backlog Bytes\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"921ee447-0c37-4e9d-9f42-a491f412baef\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Snapshot Backlog Bytes\\\",\\\"921ee447-0c37-4e9d-9f42-a491f412baef\\\":\\\"Top values of googlecloud.labels.resource.snapshot_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "921ee447-0c37-4e9d-9f42-a491f412baef", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Snapshot Backlog Bytes", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "googlecloud.pubsub.snapshot.backlog_bytes.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "921ee447-0c37-4e9d-9f42-a491f412baef": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.snapshot_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.snapshot_id" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.pull_message_operation_count.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "max" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "921ee447-0c37-4e9d-9f42-a491f412baef", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Pull Message Operation Count [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Snapshot Backlog Bytes [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "8355dab0-6ab8-11ea-b657-e57ec854315f", + "id": "0776dbf0-019f-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T14:38:49.818Z", - "version": "Wzk2MSwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:24:38.594Z", + "version": "WzYzNzUsMV0=" }, { "attributes": { "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": {} - }, - "title": "Pubsub Subscription Sent Message Count [Metricbeat Googlecloud]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"91e62734-6524-424c-b2b5-3974c835dd6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1m\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"orderBy\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":3,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.pubsub.subscription.backlog_bytes.value\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6be62612-437b-448d-9631-c6cc0938225d\\\":{\\\"dataType\\\":\\\"date\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"@timestamp\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"params\\\":{\\\"interval\\\":\\\"1m\\\"},\\\"scale\\\":\\\"interval\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"id\\\":\\\"6be62612-437b-448d-9631-c6cc0938225d\\\"},\\\"col-2-2251f8b6-6091-4386-890b-4d0d33e79a96\\\":{\\\"dataType\\\":\\\"string\\\",\\\"isBucketed\\\":true,\\\"label\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\",\\\"operationType\\\":\\\"terms\\\",\\\"params\\\":{\\\"orderBy\\\":{\\\"columnId\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\",\\\"size\\\":3},\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.labels.resource.subscription_id\\\",\\\"id\\\":\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\"},\\\"col-3-5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":{\\\"customLabel\\\":true,\\\"dataType\\\":\\\"number\\\",\\\"isBucketed\\\":false,\\\"label\\\":\\\"Subscription Backlog Bytes\\\",\\\"operationType\\\":\\\"avg\\\",\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"bytes\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.pubsub.subscription.backlog_bytes.value\\\",\\\"suggestedPriority\\\":0,\\\"id\\\":\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\"}}\" | lens_format_column format=\"bytes\" columnId=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Subscription Backlog Bytes\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"91e62734-6524-424c-b2b5-3974c835dd6c\" hide=false xAccessor=\"6be62612-437b-448d-9631-c6cc0938225d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"2251f8b6-6091-4386-890b-4d0d33e79a96\" seriesType=\"line\" accessors=\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\" columnToLabel=\"{\\\"5424865c-c988-4e26-b00b-b3cf90e1e4cf\\\":\\\"Subscription Backlog Bytes\\\",\\\"2251f8b6-6091-4386-890b-4d0d33e79a96\\\":\\\"Top values of googlecloud.labels.resource.subscription_id\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ { - "id": "e0957450-6ab4-11ea-b946-0f4b813ed42e" + "id": "metricbeat-*", + "title": "metricbeat-*" } - ], - "default_index_pattern": "metricbeat-*", - "default_timefield": "@timestamp", - "drop_last_bucket": 0, - "gauge_color_rules": [ - { - "id": "df2ac0c0-6ab4-11ea-b946-0f4b813ed42e" + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "91e62734-6524-424c-b2b5-3974c835dd6c": { + "columnOrder": [ + "6be62612-437b-448d-9631-c6cc0938225d", + "2251f8b6-6091-4386-890b-4d0d33e79a96", + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" + ], + "columns": { + "2251f8b6-6091-4386-890b-4d0d33e79a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of googlecloud.labels.resource.subscription_id", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5424865c-c988-4e26-b00b-b3cf90e1e4cf", + "type": "column" + }, + "orderDirection": "desc", + "size": 3 + }, + "scale": "ordinal", + "sourceField": "googlecloud.labels.resource.subscription_id" + }, + "5424865c-c988-4e26-b00b-b3cf90e1e4cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Subscription Backlog Bytes", + "operationType": "avg", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "googlecloud.pubsub.subscription.backlog_bytes.value", + "suggestedPriority": 0 + }, + "6be62612-437b-448d-9631-c6cc0938225d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": "0", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "", - "line_width": "2", - "metrics": [ - { - "field": "googlecloud.pubsub.subscription.sent_message_count.value", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } + "accessors": [ + "5424865c-c988-4e26-b00b-b3cf90e1e4cf" ], - "point_size": "3", - "separate_axis": 0, - "split_mode": "terms", - "stacked": "none", - "terms_field": "googlecloud.labels.resource.subscription_id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "timeseries" + "layerId": "91e62734-6524-424c-b2b5-3974c835dd6c", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "2251f8b6-6091-4386-890b-4d0d33e79a96", + "xAccessor": "6be62612-437b-448d-9631-c6cc0938225d" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "type": "timeseries" - }, - "title": "Pubsub Subscription Sent Message Count [Metricbeat Googlecloud]", - "type": "metrics" - } + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Subscription Backlog [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" }, - "id": "97ee1230-6ab8-11ea-b657-e57ec854315f", + "id": "79d80f10-01a0-11eb-b032-d59f894a5072", "migrationVersion": { - "visualization": "7.4.2" + "lens": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], - "type": "visualization", - "updated_at": "2020-03-20T15:12:11.523Z", - "version": "Wzk2NCwzXQ==" + "type": "lens", + "updated_at": "2020-09-28T16:56:57.481Z", + "version": "WzY4OTYsMV0=" } ], - "version": "7.6.1" + "version": "7.9.0" } diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 9a117a42f6f..9a0899165b9 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1479,11 +1479,12 @@ var security = (function () { fields: [ {from: "winlog.event_data.AccountName", to: "user.name"}, {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip"}, + {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, {from: "winlog.event_data.ClientName", to: "source.domain"}, {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, ], ignore_missing: true, + fail_on_error: false, }) .Add(function(evt) { var user = evt.Get("winlog.event_data.AccountName");