{
Name = "juniper-ps-kv-vpn-logout-success-firewall-1"
Vendor = "Ivanti"
Product = "Ivanti Pulse Secure"
TimeFormat = "yyyy-MM-dd HH:mm:ss"
Conditions = [
"""Session timed out for"""
""" (session:"""
"""id=firewall"""
]
Fields = [
"""time="({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)"""
"""vpn=({host}[^\s]+)"""
"""\suser=(\\+)?(({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.\-])*[A-Za-z0-9]+@({email_domain}[^\]\s"\\,;\|]+\.[^\]\s"\\,;\|]+))|(({domain}[^\\]+)\\+)?({user}[\w\.\-]+))(\s+\w+=|\s*$)"""
"""realm="({realm}[^"]+)"""
"""roles="({role}[^"]+)?"""
"""src=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))"""
"""msg="({event_code}\w+):"""
]
DupFields = [
"host->dest_host"
]
ParserVersion = "v1.0.0"
}