[[[ momentum syslog integration configuration ]]]

[[ version ]]
  version	: "momentum SYSLOG integration v4.07.01"
  # Version stamp of the momentum SYSLOG integration this file was written for.
  # Notation used throughout this file: [[ section ]], [ sub-section ], key : "value".
  # Text in parentheses after a value (units or meaning) is explanatory and presumably
  # ignored by the reader — confirm; '#' lines are comments, as in [[ pcap timing ]].

[[ device ]]
[device id : 1]
  [device info]
    device type : "non_filter"
    log format  : "ssv" (space-separated variables)
  [pcap download params]
    # No field positions: "non_filter" presumably captures without a tuple filter — confirm.

[device id : 2]
  [device info]
    device type : "palo_alto_5tuple"
    log format  : "csv" (comma-separated variables)
    time format : "%Y/%m/%d %H:%M:%S"
  [pcap download params]
    time	: "1"
    protocol	: "29"
    ipsrc	: "7"
    ipdst	: "8"
    portsrc	: "24"
    portdst	: "25"
    # Numeric values look like column indexes into the comma-separated line — confirm
    # whether they are 1-based.

[device id : 3]
  [device info]
    device type : "palo_alto_iponly"
    log format  : "csv" (comma-separated variables)
    time format : "%Y/%m/%d %H:%M:%S"
  [pcap download params]
    time	: "1"
    ipsrc	: "7"
    ipdst	: "8"
    # IP-only variant of device id 2: same columns, no protocol/port fields.

[device id : 4]
  [device info]
    device type : "tippintpoint_4tuple"
    # NOTE(review): "tippintpoint" looks like a misspelling of "tippingpoint"; left as-is
    # because this string must match whatever the integration checks for.
    log format  : "cef" (CEF variables)
    time format : "msec"
    # "msec" is not a strftime pattern; presumably the time field is epoch milliseconds — confirm.
  [pcap download params]
    time	: "2_rt"
    ipsrc	: "2_src"
    ipdst	: "2_dst"
    portsrc	: "2_spt"
    portdst	: "2_dpt"
    # "2_<name>" values presumably name a CEF extension key (rt, src, dst, spt, dpt) — confirm.

[device id : 5]
  [device info]
    device type : "lastline_iponly"
    log format  : "cef" (CEF variables)
    time format : "%b %e %Y %H:%M:%S UTC"
  [pcap download params]
    start	: "2_start"
    end	: "2_end"
    ipsrc	: "2_src"
    ipdst	: "2_dst"
    # Uses a start/end field pair instead of the single "time" field of the other entries.

[device id : 6]
  [device info]
    device type : "fortigate_4tuple"
    log format  : "cef" (CEF variables)
    time format : "%Y-%m-%d %H:%M:%S"
  [pcap download params]
    time	: "2_date,time"
    ipsrc	: "2_srcip"
    ipdst	: "2_dstip"
    portsrc	: "2_srcport"
    portdst	: "2_dstport"
    # "2_date,time": two CEF fields presumably joined to form the timestamp — confirm.

[device id : 7]
  [device info]
    device type : "fortiweb_4tuple"
    log format  : "cef" (CEF variables)
    time format : "%Y-%m-%d %H:%M:%S"
  [pcap download params]
    time	: "2_date,time"
    ipsrc	: "2_src"
    ipdst	: "2_dst"
    portsrc	: "2_src_port"
    portdst	: "2_dst_port"

[device id : 8]
  [device info]
    device type : "trendmicro_ddi_4tuple"
    log format  : "cef" (CEF variables)
    time format : "%b %e %Y %H:%M:%S"
  [pcap download params]
    time	: "2_rt"
    ipsrc	: "2_src"
    ipdst	: "2_dst"
    portsrc	: "2_spt"
    portdst	: "2_dpt"
    # This is the device id passed as the last argument of the swatch pipe action
    # in the [[ swatch config ]] section.

[device id : 9]
  [device info]
    device type : "defensepro_4tuple"
    log format  : "ssv" (space-separated variables)
    time format : "%d-%m-%Y %H:%M:%S"
  [pcap download params]
    time	: "6,7"
    ipsrc	: "13"
    portsrc	: "14"
    ipdst	: "15"
    portdst	: "16"
    # "6,7": date and time occupy two adjacent space-separated columns (assumed).
  # Notes on the [[ device ]] table:
  #   device type : presumably selects the log parser / filter mode — confirm.
  #   log format  : ssv / csv / cef; the parenthetical is explanatory text.
  #   time format : strftime pattern of the device's timestamp field ("msec" excepted).
  # NOTE(review): every value extracted via these positions comes from syslog text sent
  #   by the device, so the pcap-save path should validate ip/port/time fields before use.

[[ pcap timing ]]
  sleep time	: "15" (sec)
  diff time	: "60" (sec)
  duration	: "65" (sec)

  # [ image of pcap timing ]
  # default: [sleeptime: 15; diff_time: 60; duration: 65;]
  # (sleeptime / diff_time below are the "sleep time" / "diff time" keys above)
  #    sleeptime : time to wait before processing the current event
  #                (if the event is received at 9:10:11, processing begins at 9:10:26)
  #    diff_time : how far before the receive time the capture window starts
  #    duration  : length of the capture window; with the defaults it ends 5 s after
  #                the receive time (09:09:11 + 65 s = 09:10:16)
  #
  #    diff_time(x - diff_time)            syslog receive timing(x)
  #    |(ex: 09:09:11)                     |(ex: 09:10:11)
  #    v                                   v
  #    ############################################
  #    ^                                          ^
  #    |<-----------   duration   --------------->|
  #    start(x - diff_time)                       end(x - diff_time + duration)
  #    (ex: 09:09:11)                             (ex: 09:10:16)

[[ pcap cleaner ]]
  clean time	: "30" (day)
  # Age in days; presumably saved pcaps older than this are removed — confirm.

[[ disk check ]]
  facility	: "local6"
  threshold	: "90" (%)
  # Syslog facility the disk-check messages go to, and the usage percentage at which
  # they are raised (read from the key names — confirm).

[[ debug output ]]
  facility	: "local6"
  state		: "off"
  # "off" disables debug output; the facility is only relevant when it is enabled
  # (accepted values other than "off" are not shown here).

[[ pss check ]]
  facility	: "local6"
  # Syslog facility for the pss-check messages (what "pss" stands for is not shown here).

[[ pgq ]]
 [ pgqd ]
  pgq_ip		: "localhost"
  pgq_port		: "5111"
  log_info		: "0"
  log_queue		: "0"
  log_pscli		: "0"
  log_pscli_detail	: "0"
  # pgqd address and port (whether this is the bind or the connect side is not visible
  # here). The log_* keys look like "0"/"1" toggles — confirm the accepted values.
 [ pscli ]
  pscli_path		: "/usr/bin/ruby /opt/momentum_client/pscli/pscli.rb "
  glblhd_path		: "/opt/momentum_client/pscli/glblhd.pcap"
  pss_retry		: "3"
  # pscli_path ends with a space inside the quotes — presumably so arguments can be
  # appended directly; do not trim it without checking the caller.
  # glblhd_path: pcap file used by pscli; pss_retry: retry count (both assumed from names).

[[ swatch config ]]

[ /opt/momentum_client/conf/local0.conf ]
# swatch rule set for the file named by the sub-section header above.
# logfile /var/log/local0.txt
# Match Trend Micro Deep Discovery Inspector CEF lines carrying four of the
# src/dst/spt/dpt extension fields; $2, $4, $6 and $8 capture their values.
# NOTE(review): the alternation does not require the four fields to be distinct or in
# a fixed order, so a line that repeats one field also matches and the track_by key
# below may then not be a true 4-tuple.
# threshold: type=limit runs the action once per distinct $2:$4:$6:$8 key per 60 s.
# pipe: the matched line is piped to the save script; "8" is the device id of the
# trendmicro_ddi_4tuple entry above, 172.30.255.178 presumably the sensor address.
watchfor /Trend Micro.+Deep Discovery Inspector.+ (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+)/
	threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
	pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 172.30.255.178 8"

