This is the sample reptor.cfg file as included in the distribution.
#
# reptor.cfg
#
#
# This file contains site specific settings that will determine what logfile
# entries Reptor selects for reporting, what types of reports are generated,
# and how those reports are formatted. By creating multiple configuration files
# and using the --config command line option to select one at runtime, you may
# create reporting scenarios for different firewalls, or different reporting
# scenarios for the same firewall.
#
# For example, you may want to generate an alert report that is emailed to the
# firewall administrator, and a separate summary report that is posted to an
# intranet web server. Create one configuration file called alerts.cfg that
# generates alerts only and outputs to email, and create one configuration file
# called summary.cfg that generates summaries only and outputs to an ftp
# server. Then, run Reptor once with each configuration file:
#
#   perl reptor.pl --config alerts.cfg
#   perl reptor.pl --config summary.cfg
#
# Options in this file must be listed one per line. A line beginning with a
# pound sign indicates a comment. Keywords are not case sensitive, but just
# about everything else is.
#
# For example, these two lines are identical:
#
#   directory /var/adm/sg/oldlogs
#   DIRECTORY /var/adm/sg/oldlogs
#
# but these two lines are not:
#
#   directory /var/adm/sg/oldlogs
#   directory /VAR/ADM/SG/OLDLOGS
#
# If it's not obvious to you where it makes a difference, stick to lowercase.
#
# Text in <angle brackets> denotes a required field. Text in [square brackets]
# denotes an optional field. The pipe character | is used to denote the concept
# of "OR". For example, <one|two> indicates that either "one" or "two" is
# required.
#
# If you wish to specify a string that contains spaces, you must enclose it in
# double quotes. For example:
#
#   alias http "Web Access"
#
# Unless otherwise stated, each option may only be specified once.
#
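
The syntax rules above (one option per line, "#" comments, case-insensitive keywords, double-quoted strings) can be checked mechanically before a scheduled run. The Python lint below is an added example, not part of Reptor or its distribution. The repeatable-option list, the "alerts" dependency and the use-the-alias rules come from the option descriptions further down this file; the function names and the constructed SAMPLE text are assumptions of the example.

```python
import re

# Options this file says may appear more than once; all others only once.
REPEATABLE = {
    "interface", "filter", "alias", "time", "duration", "volume", "user",
    "word", "host_summary", "protocol_user_detail", "protocol_host_detail",
    "host_user_detail", "host_protocol_detail", "user_protocol_detail",
    "user_host_detail",
}
# Options whose description says the "alerts" option must be specified too.
NEEDS_ALERTS = {
    "show_reason", "show_interface", "show_user", "show_auth", "show_rule",
    "show_op", "show_id", "show_result", "show_arg", "all", "time",
    "duration", "volume", "user", "word", "alert_summary",
}
# Options whose first argument is a protocol (alias required if one exists).
PROTOCOL_FIRST = {"time", "duration", "volume", "user",
                  "protocol_user_detail", "protocol_host_detail"}
# Options that name interfaces, and how many leading arguments do so.
INTERFACE_ARGS = {"filter": 2, "host_summary": 1}

TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample with deliberate mistakes (not the distribution file).
SAMPLE = """\
# nightly alert report
Interface Vpn1 Inside
interface Vpn2 Outside
FILTER Vpn1 Outside
filter inside any
alias 110/tcp pop3
alias http "Web Access"
show_reason
duration 110/tcp 5 M
totals
totals
"""


def tokenize(line):
    """Split a line into fields; double quotes keep spaces inside a field."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]


def parse_config(text):
    """Return (line number, lowercased keyword, arguments) per option line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        if line.count('"') % 2:
            raise ValueError(f"line {lineno}: unbalanced double quote")
        keyword, *args = tokenize(line)
        # Only the keyword is case-insensitive; arguments are kept verbatim.
        entries.append((lineno, keyword.lower(), args))
    return entries


def lint(entries):
    """Check the cross-option rules stated in the option descriptions."""
    present = {kw for _, kw, _ in entries}
    ifaces = [a for _, kw, a in entries if kw == "interface" and a]
    iface_alias = {a[0]: a[1] for a in ifaces if len(a) > 1}
    iface_names = {"any"} | {a[1] if len(a) > 1 else a[0] for a in ifaces}
    proto_alias = {a[0]: a[1] for _, kw, a in entries
                   if kw == "alias" and len(a) == 2}
    findings, seen = [], set()
    for lineno, kw, args in entries:
        if kw in seen and kw not in REPEATABLE:
            findings.append(f"line {lineno}: '{kw}' may only be specified once")
        seen.add(kw)
        if kw in NEEDS_ALERTS and "alerts" not in present:
            findings.append(f"line {lineno}: '{kw}' requires 'alerts'")
        for name in args[:INTERFACE_ARGS.get(kw, 0)]:
            if name in iface_alias:
                findings.append(f"line {lineno}: use alias "
                                f"'{iface_alias[name]}', not '{name}'")
            elif name not in iface_names:     # aliases are case sensitive
                findings.append(f"line {lineno}: unknown interface '{name}'")
        if kw in PROTOCOL_FIRST and args and args[0] in proto_alias:
            findings.append(f"line {lineno}: use alias "
                            f"'{proto_alias[args[0]]}', not '{args[0]}'")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE)):
        print(finding)
```
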


#
# basedir <directory>
#
# Indicates the directory in which Reptor is installed. This is not required,
# but is useful to avoid problems when Reptor is run from a command scheduler.
#
# Examples:
#
# basedir /usr/local/reptor
# basedir c:\raptor\logs\reptor
#


#
# remotelog <host> [path to remotelogfile executable]
#
# If specified, Reptor will use the remotelog utility provided with the
# firewall to obtain the logfile to process. The remotelog utilities are
# initiated from the client side, so no server side scripting is necessary to
# transfer logfiles. The data stream is also encrypted, so possible
# eavesdropping from packet sniffers is deterred. Use of this option requires
# previous setup of the remotelog utilities. Refer to your firewall
# documentation for further details on this process. Before attempting to
# utilize this feature, verify that the remotelogfile command works when
# manually invoked from a command prompt.
#
# Specify the name or IP address of the firewall server for the <host>
# parameter. If you are not going to use this feature, make sure this option is
# deleted or commented out -- it has precedence over the other options.
#
# Depending on how you have installed the remotelog utilities, you may also
# have to specify the full path to the remotelogfile executable.
#
# Examples:
#
# remotelog firewall.domain.com
# remotelog 10.1.1.7 c:\utilities\remotelog
#


#
# save_logfile [directory]
#
# If specified, Reptor will save a local copy of the logfile that was retrieved
# with remotelog. This is useful if you want to have a local copy of the
# logfile for further analysis or backup. The logfile will be written to the
# current directory if none is specified. If you haven't specified the
# remotelog option, specifying this option is meaningless.
#
# Example:
#
# save_logfile /usr/local/backup
#


#
# compress <command>
#
# If save_logfile is also specified, Reptor will compress logfiles after
# saving them. The command string is the full path name to the compression
# program, plus any options. If there are any spaces in the command string, it
# must be double quoted. This feature only works with compression programs
# that can work with just the name of the file to compress as an argument. For
# example, "gzip file" or "bzip2 file". It will not work with programs that
# require archive names like "pkzip file.zip file".
#
# Examples:
#
# compress "/bin/gzip -9"
# compress "/bin/bzip2 -9"
#


#
# directory <directory>
#
# If you are not using remotelog, this option specifies the directory where the
# firewall logfiles are located on the local machine. This should be an
# absolute path name, and should include the drive letter for Windows NT
# installations. There should be no trailing (back)slash. If Reptor is being
# run on the firewall server and this option is omitted, Reptor will probably
# be able to guess where the logfiles are located. If the "remotelog" option is
# used to retrieve logfiles, this option should not be specified.
#
# Examples:
#
# directory c:\raptor\eagle\sg\oldlogs
# directory /var/adm/sg/oldlogs
#
directory c:\raptor\eagle\sg\oldlogs


#
# uncompress <command> <extension>
#
# If specified, Reptor will assume the logfile is compressed. The command
# string should contain the command to uncompress to stdout, with the full path
# name and any options. The extension string is the filename extension that the
# compression program uses. Strings with spaces should be double quoted.
#
# Examples:
#
# uncompress /bin/zcat Z
# uncompress "/bin/gunzip -c" gz
# uncompress "/bin/bunzip2 -c" bz2
#


#
# split
#
# If specified, Reptor will automatically attempt to handle log files that have
# been split by the firewall. These logs are named:
#
# logfile.date
# logfile.date-1
# logfile.date-2
# logfile.date-3
# [...]
#
# The split option may be combined with either the remotelog or uncompress
# options.
#
# When combined with remotelog, you may receive an error message from the
# remotelogfile program. Since Reptor has no way of knowing ahead of time
# how many chunks there will be, it just keeps trying to open new chunks
# until a failure occurs. The resulting error message can be safely
# ignored.
#
# If you've specified the save_logfile option, the local copy that will be
# created will consist of the concatenation of all the chunks.
#


#
# interface <interface> [alias]
#
# Properly specifying the interface parameters is crucial! The defaults
# set here are probably not correct. If these values are not properly set,
# filtering will not work and most of the report sections will be inaccurate.
#
# This option identifies the network interfaces that are installed in the
# firewall server. The firewall uses identifiers such as "Vpn1" to designate
# these interfaces. If you wish to use a more easily understandable identifier,
# you may also specify an alias for the interface. Interface aliases are case
# sensitive.
#
# You'll probably have to manually browse a logfile to determine which
# identifier refers to which interface. Refer to the FAQ for more details. For
# a Windows NT installation, you may be able to use a program that is available
# at the Raptor public ftp site:
#   ftp://ftp.raptor.com/pub/unsupported/istat5.exe
#
# One "interface" option must be specified for each interface in your
# firewall.
#
# Examples:
#
# interface Vpn1 Inside
# interface Vpn2 Outside
# interface Vpn3 DMZ
#
interface Vpn1 Inside
interface Vpn2 Outside
interface Vpn3 DMZ


#
# filter <source interface> <destination interface>
#
# Instructs Reptor to process only connections made from the specified source
# interface to the specified destination interface. This option is useful if
# you wish to process traffic in only one direction or if your firewall has
# more than two network interfaces and you want to ignore traffic on one of
# them.
#
# If you specified an alias for an interface, use the alias instead of the
# interface identifier. The special keyword "any" may be used to match any
# interface. More than one "filter" option may be specified.
#
# For example, assuming a network structure where the internal interface is
# called Vpn1, the external interface is called Vpn2, and the DMZ interface
# is called Vpn3:
#
# filter any Vpn2
#   Processes traffic from the inside to the outside.
#
# filter Vpn1 Vpn2
# filter Vpn2 Vpn1
#   Processes traffic from the inside out and from the outside in.
#
# filter Vpn3 Vpn2
#   Processes traffic from the DMZ to the outside.
#
# If you have used the "interface" option to specify interface aliases like
# this:
#
# interface Vpn1 Inside
# interface Vpn2 Outside
# interface Vpn3 DMZ
#
# then you must use those aliases in the filter specification like this:
#
# filter Inside Outside
#
filter any any


#
# alias <protocol> <alias>
#
# Protocol aliases allow Reptor to use a more easily understandable string to
# represent protocols that may have confusing identifiers. For example, you
# may wish to use the phrase "Web Access" to represent the HTTP protocol.
# Protocol aliases are case sensitive, and may not refer to other aliases.
#
# The protocol string is the value that actually appears in the firewall log
# file following the "proto=" tag. The alias string is the value that Reptor
# will use to refer to this protocol.
#
# Protocol aliases are often dependent on any GSP services that you may have
# created in your firewall configuration. In this case, the protocol string
# is usually constructed of the port number that the protocol utilizes,
# followed by a forward slash, followed by the transport protocol, which
# is usually tcp or udp.
#
# Examples:
#
# alias 110/tcp pop3
# alias 143/tcp imap
# alias http "Web Browsing"
# alias http-https "Secure Web Browsing"
#
# Two or more similar protocols may be combined into a single reporting group
# by giving them the same alias. For example:
#
# alias http "Web Browsing"
# alias http-https "Web Browsing"
# alias ftp "File Transfer"
# alias ftp-data "File Transfer"
# alias 110/tcp "Email"
# alias 143/tcp "Email"
# alias smtp "Email"
#
# This option may be specified more than once.
#
alias http-https http
alias ftp-data ftp
alias 22/tcp ssh
alias 110/tcp pop3
alias 119/tcp nntp
alias 143/tcp imap


#
# totals
#
# If specified, Reptor will generate a table of statistics summarizing the
# total amount of traffic detailed in the logfile.
#
totals


#
# alerts
#
# If specified, Reptor will generate a table of details about individual
# logfile entries that have triggered alert conditions. At least one of the
# "time", "duration", "volume", "user", or "word" options must also be
# specified in order to define the alert conditions.
#
alerts


#
# show_reason
#
# If specified, the reason for the alert will be included in the alert section.
# If this option is specified, the "alerts" option must be also.
#
show_reason


#
# show_interface
#
# If specified, the source and destination interface will be included in the
# alert section of the report. If this option is specified, the "alerts" option
# must be also.
#
#show_interface


#
# show_user
#
# If specified, the logfile "user" field will be included in the alert section
# of the report. This field contains the user name for authenticated
# connections or the email address of the sender for SMTP connections. If this
# option is specified, the "alerts" option must be also.
#
#show_user


#
# show_auth
#
# If specified, the logfile "auth" field will be included in the alert section
# of the report. This field contains the type of authentication used for
# authenticated connections. If this option is specified, the "alerts" option
# must be also.
#
#show_auth


#
# show_rule
#
# If specified, the rule number that allows a connection to pass through the
# firewall will be included in the alert section of the report. If this option
# is specified, the "alerts" option must be also.
#
#show_rule


#
# show_op
#
# If specified, the logfile "op" field will be included in the alert section of
# the report. If this option is specified, the "alerts" option must be also.
#
#show_op


#
# show_id
#
# If specified, the logfile "id" field will be included in the alert section of
# the report. I have no idea what the id field contains, but if you do, there
# it is. If this option is specified, the "alerts" option must be also.
#
#show_id


#
# show_result
#
# If specified, the logfile "result" field will be included in the alert
# section of the report. If this option is specified, the "alerts" option must
# be also.
#
#show_result


#
# show_arg
#
# If specified, the logfile "arg" field will be included in the alert section
# of the report. This field typically contains the URL for the connection. If
# this option is specified, the "alerts" option must be also.
#
show_arg


#
# all
#
# If specified, all logfile entries will be reported in the alert section,
# regardless of the alert settings. If not specified, only logfile entries that
# trigger alerts will be reported. Use of this option will result in a huge
# amount of output. If this option is specified, the "alerts" option must be
# also.
#
# You really don't want to use this. I don't even know why it's here.
#


#
# time <protocol> <period begin> <period end>
#
# Specifies a condition that will trigger an alert if there is any traffic of
# the specified protocol within the specified time period. If you have
# specified an alias for the protocol, use the alias instead of the protocol
# name. The format of the time period string is HHMM. Use "0000" for midnight
# at the beginning of a period, and "2400" for midnight at the end of a period.
# If this option is specified, the "alerts" option must be also. This option
# may be specified more than once.
#
# Examples:
#
# time telnet 0000 0800
#    Report all telnet activity between midnight and 8am.
#
# time ftp 1830 2400
#    Report all ftp activity between 6:30pm and midnight.
#
time telnet 0000 0800
time telnet 2000 2400
time ftp 0000 0800
time ftp 2000 2400


#
# duration <protocol> <duration> [modifier]
#
# Specifies a condition that will trigger an alert if the duration of the
# connection is greater than or equal to the specified duration. The duration
# is understood as number of seconds unless followed by a modifier of "M" for
# minutes or "H" for hours. If you have specified an alias for the protocol,
# use the alias instead of the protocol name. If this option is specified, the
# "alerts" option must be also. This option may be specified more than once.
#
# Examples:
# 
# duration telnet 1 H
#   Report all telnet activity that lasts longer than 1 hour.
#
# duration ftp 15 M
#   Report all ftp activity that lasts longer than 15 minutes.
#
# duration smtp 30
#   Report all smtp activity that lasts longer than 30 seconds.
#
duration ftp 5 M
duration http 2 M
duration pop3 5 M
duration smtp 5 M
duration telnet 30 M


#
# volume <protocol> <volume> [modifier]
#
# Specifies a condition that will trigger an alert if the amount of traffic
# transferred (sent + received) during a connection is greater than or equal to
# the specified number of bytes. The volume is understood as number of bytes
# unless followed by a modifier of "K" for kilobytes or "M" for megabytes. If
# you have specified an alias for the protocol, use the alias instead of the
# protocol name. If this option is specified, the "alerts" option must be also.
# This option may be specified more than once.
#
# Examples:
#
# volume ftp 2 M
#   Report all ftp transfers that are greater than 2 megabytes.
#
# volume smtp 200 K
#   Report all smtp transfers that are greater than 200 kilobytes.
#
# volume telnet 500
#   Report all telnet transfers that are greater than 500 bytes.
#
volume ftp 5 M
volume http 1 M
volume pop3 1 M
volume smtp 1 M
volume telnet 1 M


#
# user <protocol> <user>
#
# Specifies a condition that will trigger an alert if the connection is
# authenticated to the specified user. If you have specified an alias for the
# protocol, use the alias instead of the protocol name. If this option is
# specified, the "alerts" option must be also. This option may be specified
# more than once.
#
# Examples:
#
# user telnet joe
#   Report all telnet activity attributed to authenticated user joe.
#
# user smtp fred@domain.com
#   Report all emails sent from fred@domain.com.
#


#
# ratings
#
# If specified, connections that trigger WebNOT ratings settings will be
# reported in the alert section.
#
ratings


#
# word <word>
#
# Specifies a condition that will trigger an alert if the specified regular
# expression is matched to the search string. The content of the search string
# is determined by the setting of the "search_source", "search_destination",
# and "search_arg" options. If this option is specified, the "alerts" option
# must be also. This option may be specified more than once.
#
# Note: A large number of word alerts will significantly slow the reporting
# process.
#
word casino
word gamble
word playboy
word nude
word naked
word sex
word [^x]xxx[^x]


#
# search_source
#
# If specified, Reptor will include the name of the source host in the search
# for the indicated alert words.
#
#search_source


#
# search_destination
#
# If specified, Reptor will include the name of the destination host in the
# search for the indicated alert words.
#
search_destination


#
# search_arg
#
# If specified, Reptor will include the "arg" field in the search for the
# indicated alert words. This typically contains the full URL for the
# connection, and is usually where the search words will be found.
#
search_arg
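
How the "time", "duration", "volume" and "word" conditions above combine with protocol aliases, worked through in Python on constructed log entries. This is an added example, not Reptor's code. Assumptions: the entry field names, a period that includes its begin time and excludes its end time, K and M as multiples of 1024, case-sensitive word matching, and a search string built by joining the enabled fields with a space.

```python
import re

# Assumption: K and M are binary multiples; the file does not say.
UNITS = {"duration": {"": 1, "M": 60, "H": 3600},
         "volume": {"": 1, "K": 1024, "M": 1024 * 1024}}

# Subset of the active alert settings from the sample file.
RULES_CFG = """\
alias http-https http
alias ftp-data ftp
time telnet 0000 0800
time telnet 2000 2400
time ftp 0000 0800
time ftp 2000 2400
duration ftp 5 M
duration http 2 M
duration telnet 30 M
volume ftp 5 M
volume http 1 M
volume telnet 1 M
word casino
word sex
word [^x]xxx[^x]
search_destination
search_arg
"""

# Constructed log entries (field names are assumptions of this example).
ENTRIES = [
    dict(time="0730", proto="telnet", source="10.1.1.20",
         destination="host.example.net", arg="",
         duration=120, sent=300, received=900),
    dict(time="1405", proto="ftp-data", source="10.1.1.21",
         destination="files.example.org", arg="",
         duration=300, sent=1000, received=6 * 1024 * 1024),
    dict(time="1000", proto="http", source="10.1.1.22",
         destination="www.example.com",
         arg="http://www.example.com/casino/index.html",
         duration=3, sent=400, received=20000),
    # False positive: "sex" is a plain substring match inside "essex".
    dict(time="1001", proto="http", source="10.1.1.23",
         destination="www.essex.example", arg="http://www.essex.example/",
         duration=3, sent=400, received=20000),
    # Miss: [^x]xxx[^x] needs a character on each side, none precedes "xxx".
    dict(time="1002", proto="http-https", source="10.1.1.24",
         destination="xxx.example", arg="",
         duration=10, sent=400, received=20000),
]


def minutes(hhmm):
    """HHMM -> minutes since midnight ("2400" = midnight ending a period)."""
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def load_rules(text):
    """Collect aliases, alert conditions and search fields from option lines."""
    rules = {"alias": {}, "time": [], "duration": [], "volume": [],
             "word": [], "search": []}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        kw, args = fields[0].lower(), fields[1:]
        if kw == "alias":
            rules["alias"][args[0]] = args[1]
        elif kw == "time":
            rules["time"].append((args[0], minutes(args[1]), minutes(args[2])))
        elif kw in UNITS:                       # duration / volume
            factor = UNITS[kw][args[2] if len(args) > 2 else ""]
            rules[kw].append((args[0], int(args[1]) * factor))
        elif kw == "word":
            rules["word"].append(re.compile(args[0]))
        elif kw.startswith("search_"):
            rules["search"].append(kw[len("search_"):])
    return rules


def alert_reasons(entry, rules):
    """Return the list of conditions one log entry triggers."""
    proto = rules["alias"].get(entry["proto"], entry["proto"])
    now = minutes(entry["time"])
    total = entry["sent"] + entry["received"]
    reasons = []
    if any(p == proto and b <= now < e for p, b, e in rules["time"]):
        reasons.append("time")
    if any(p == proto and entry["duration"] >= s for p, s in rules["duration"]):
        reasons.append("duration")
    if any(p == proto and total >= v for p, v in rules["volume"]):
        reasons.append("volume")
    haystack = " ".join(entry[f] for f in rules["search"])
    reasons += ["word:" + w.pattern for w in rules["word"] if w.search(haystack)]
    return reasons


def report(entries=ENTRIES, text=RULES_CFG):
    rules = load_rules(text)
    return [alert_reasons(e, rules) for e in entries]


if __name__ == "__main__":
    for entry, reasons in zip(ENTRIES, report()):
        print(entry["time"], entry["proto"], entry["destination"], reasons or "-")
```
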


#
# alert_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of the hosts that have triggered
# alerts. The summary will be grouped by source host and sorted by the field
# indicated in <sort>. Valid values for <sort> are:
#
#   "host" to sort by the name or address of the source host
#   "alerts" to sort by the number of alerts generated
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify
# a value for [limit].
#
# If this option is specified, the "alerts" option must be also.
#
# Example:
#
# alert_summary -alerts 10
#   Generate a summary of the top ten hosts that generated alerts, sorted by
#   number of alerts descending.
#
alert_summary -alerts 5


#
# protocol_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic grouped by protocol
# and sorted by the field indicated in <sort>. Valid values for <sort> are:
# 
#   "protocol" to sort by the protocol
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify
# a value for [limit].
#
# Example:
#
# protocol_summary -total
#   Generate a summary of all protocols, sorted by total traffic volume
#   descending.
#
protocol_summary -total


#
# protocol_user_detail <protocol> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified protocol, grouped by user and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# If you have specified an alias for the protocol desired, use the alias name.
# For example, if you have specified:
#
# alias 143/tcp imap
#
# then use imap here, and not 143/tcp.
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# protocol_user_detail ftp -total 10
# protocol_user_detail http -total 10
# protocol_user_detail imap -total 10
#   Generate a report of the top ten users using ftp, http, and imap.
#


#
# protocol_host_detail <protocol> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified protocol, grouped by host and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "host" to sort by the host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# If you have specified an alias for the protocol desired, use the alias name.
# For example, if you have specified:
#
# alias 143/tcp imap
#
# then use imap here, and not 143/tcp.
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# protocol_host_detail ftp -total 10
# protocol_host_detail http -total 10
# protocol_host_detail imap -total 10
#   Generate a report of the top ten hosts using ftp, http, and imap.
#
protocol_host_detail http -total 10
protocol_host_detail ftp -total 10


#
# interface_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic for each interface
# specified with the "interface" option, grouped by interface and sorted by the
# field indicated in <sort>. Valid values for <sort> are:
# 
#   "interface" to sort by the interface
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# interface_summary -total
#   Generate a summary of all interfaces, sorted by total traffic volume
#   descending.
#
interface_summary -total


#
# host_summary <interface> <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic for hosts on the
# specified interface, grouped by host and sorted by the field indicated in
# <sort>. If you have specified an alias for the interface, use the alias
# instead of the interface identifier. Valid values for <sort> are:
# 
#   "host" to sort by the name or address of the source host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# One "host_summary" option may be specified for each interface.
#
# Example:
#
# host_summary Vpn1 -total 10
#   Generate a summary of the top ten hosts on interface Vpn1, sorted by total
#   traffic volume descending.
#
host_summary Inside -total 10
host_summary Outside -total 10


#
# host_user_detail <host> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified host machine, grouped by user and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify
# a value for [limit].
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# host_user_detail 192.168.1.7 -total 10
#   Generate a report of the top ten users for 192.168.1.7.
#


#
# host_protocol_detail <host> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified host machine, grouped by protocol and sorted by the field indicated
# in <sort>. Valid values for <sort> are:
#
#   "protocol" to sort by the protocol
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# host_protocol_detail 192.168.1.7 -total 10
#   Generate a report of the top ten protocols for 192.168.1.7.
#


#
# user_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic grouped by user and
# sorted by the field indicated in <sort>. This option is only useful if users
# authenticate with the firewall. Valid values for <sort> are:
#
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# user_summary -total 10
#   Generate a summary of the top ten users sorted by total volume descending.
#
user_summary -total 10


#
# user_www_summary <sort> [limit]
#
# If specified, Reptor will generate a report of per-user WWW traffic grouped
# by user and sorted by the field indicated in <sort>. For each user, the most
# popular web sites they have visited will be displayed. The site name will be
# displayed as the top-level domain only, not the entire URL. So, hits to
# different pages within the www.wankwood.com site will be summarized on one
# report line as "www.wankwood.com". This option is only useful if users
# authenticate with the firewall. Both the user list and the sites visited by
# that user will be sorted by the field indicated in <sort>. If "user" is
# specified for the sort value, the user list will be sorted by user and the
# per-user site lists will be sorted by domain name. Valid values for <sort>
# are:
# 
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit]. If a limit is specified, it will limit both the number of
# users reported, and the number of sites reported for each user.
#
# Example:
#
# user_www_summary -hits 10
#   Generate a report listing the top ten users, and the top ten sites that
#   each of those users visited.
#
user_www_summary -hits 10


#
# user_protocol_detail <user> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified user, grouped by protocol and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "protocol" to sort by the protocol
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# Note: User information is not available in the logfile unless you are
# performing authentication at the firewall.
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# user_protocol_detail fred -total 10
# user_protocol_detail stan -total 10
#   Generate a report of the top ten protocols for users fred and stan.
#


#
# user_host_detail <user> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified user, grouped by host and sorted by the field indicated in <sort>.
# Valid values for <sort> are:
#
#   "host" to sort by the host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# Note: User information is not available in the logfile unless you are
# performing authentication at the firewall.
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# user_host_detail fred -total 10
# user_host_detail stan -total 10
#   Generate a report of the top ten hosts for users fred and stan.
#


#
# hour_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic grouped by time of
# day (in one hour periods) and sorted by the field indicated in <sort>. Valid
# values for <sort> are:
# 
#   "hour" to sort by time of day
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# hour_summary hour 12
#   Generate a summary of the first twelve hours of the day.
#
hour_summary hour


#
# domain_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of top-level domains. The
# summary will be grouped by domain and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "domain" to sort by the name of the top-level domain
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Note: In order for this summary to be useful, either the "dns all" option
# must be specified, or DNS resolution at the firewall must be enabled. Also,
# the sum of all traffic reported by this summary will probably not reach
# 100% because not all logfile entries can be resolved.
#
# Example:
#
# domain_summary -total 10
#   Generate a summary of the top ten domains, sorted by number of bytes
#   descending.
#
domain_summary -total 5


#
# mobile_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of Raptor Mobile connections.
# The summary will be grouped by source host and sorted by the field indicated
# in <sort>. Valid values for <sort> are:
#
#   "host" to sort by the name or address of the source host
#   "hits" to sort by the number of connections made
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# mobile_summary -count 10
#   Generate a summary of the top ten hosts that connected via Raptor Mobile,
#   sorted by number of connections descending.
#
mobile_summary -count


#
# ooba_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of OOBA activity. The summary
# will be sorted by the field indicated in <sort>. Valid values for <sort>
# are:
#
#   "time" to sort by the time of day
#   "user" to sort by the user
#   "host" to sort by the name or address of the source host
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# ooba_summary time
#   Generate a summary of OOBA activity, sorted by time ascending.
#


#
# message_summary <sort> [severity]
#
# If specified, Reptor will generate a summary of all logfile messages. The
# summary will be grouped by message type and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "hits" to sort by the number of messages
#   "message" to sort by the message number
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To only show messages "more severe" than a certain value, specify a value for
# [severity]. The message severity values are as follows:
#
#   100-199 Information
#   200-299 Notice
#   300-399 Warning
#   400-499 Error
#   500-599 Alert
#   600-699 Critical
#   700-799 Emergency
#
# Example:
#
# message_summary message
#   Generate a summary of all messages, sorted by message.
#
# message_summary -hits 400
#   Generate a summary of messages that are severity "Error" and above, sorted
#   by the number of messages descending.
#
message_summary message


#
# history_summary <value> <limit>
#
# Reptor can accumulate a file that contains historical traffic summary
# statistics for each day that is processed. If this option is specified, this
# file will be used to generate a simple historical summary graph of recent
# traffic. In order to generate the history file, you must specify the
# history_file option. In order for the summary to show anything, you must also
# specify the graphs option. The <value> field determines which statistic is
# graphed. Valid values are:
#
#   "hits" to graph the total number of hits for each day
#   "total" to graph the total number of bytes for each day
#   "duration" to graph the total connection duration for each day
#
# The history summary (but not the history file) will be limited to <limit>
# days. This option may be specified more than once if you want to graph
# multiple values.
#
# Example:
#
# history_summary total 30
#   Graph the total number of bytes for each day over the past 30 days.
#
history_summary total 30
history_summary hits 30


#
# history_file <file>
#
# If specified, Reptor will accumulate a file that contains historical traffic
# summary statistics. The file will only be updated if the logfile being
# processed is yesterday's log. This is to prevent duplicate entries in the
# case of using the --date or --log command line options.
#
# Note: If you are running Reptor from within a shell script or batch file, you
# may not be changing to the Reptor directory before running it. If this is the
# case, you will have to specify a full path name here, so that Reptor can
# properly find the file.
#
# The history file contains four comma separated fields per line. The fields
# (from left to right) are:
#
#   date (in YYYYMMDD format)
#   total number of hits for that day
#   total number of bytes transferred for that day
#   total duration of connections for that day
#
# Examples:
#   history_file /usr/local/reptor/history
#   history_file c:\reptor\history
#
history_file history
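
An added example, not part of the Reptor distribution: a Python reader for the four-field history file described above. It rejects malformed or duplicate lines and lists the days with no entry, which is what a skipped run leaves behind because the file is only updated for yesterday's log. The sample data is constructed, and treating all three counters as integers is an assumption.

```python
from datetime import date, datetime, timedelta
from typing import NamedTuple

class DayStats(NamedTuple):
    day: date
    hits: int
    total_bytes: int
    duration: int

# Constructed sample contents, not real Reptor output.
SAMPLE = (
    "20010301,1520,48213377,90412\n"
    "20010302,1498,51200010,88120\n"
    "20010302,1498,51200010,88120\n"   # duplicate date
    "20010303,oops,1,1\n"              # non-numeric counter
    "20010305,1710,60111222,93001\n"   # 0303 and 0304 have no valid row
)

def parse_history(text):
    """Return (rows sorted by date, [(line_no, reason), ...] for rejected lines)."""
    rows, problems, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            problems.append((n, "expected 4 fields"))
            continue
        try:
            # strptime alone would accept short dates, so check the width first.
            if len(fields[0]) != 8 or not fields[0].isdigit():
                raise ValueError("date is not YYYYMMDD")
            day = datetime.strptime(fields[0], "%Y%m%d").date()
            hits, total, duration = (int(f) for f in fields[1:])
        except ValueError:
            problems.append((n, "bad date or non-numeric counter"))
            continue
        if day in seen:
            problems.append((n, "duplicate date"))
            continue
        seen.add(day)
        rows.append(DayStats(day, hits, total, duration))
    return sorted(rows), problems

def missing_days(rows):
    """Dates between the first and last row that have no entry."""
    have = {r.day for r in rows}
    span = (rows[-1].day - rows[0].day).days if rows else 0
    return [rows[0].day + timedelta(d) for d in range(1, span)
            if rows[0].day + timedelta(d) not in have]
```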


#
# fetcher_message
#
# If specified, Reptor will generate a small table reporting the status of the
# WebNOT fetcher process.
#
#fetcher_message


#
# links
#
# If specified, Reptor will make hyperlinks in the output where appropriate. If
# the "alerts" and "show_arg" options are also specified, the report will
# include links that will allow you to click on and visit the exact offending
# URL. Of course, doing so will cause an alert in tomorrow's report...
#
links


#
# output <
#   stdout |
#   file [>]directory/[filename] |
#   ftp username,password,address,directory/[filename] |
#   mail user@domain[,user@domain[...]]
# >
#
# Specifies the desired destination for the output. If "stdout" is specified,
# the output will be sent to the screen if not otherwise piped or redirected.
# If "file" is specified, you must also specify the desired target directory,
# and optionally, the desired file name. If specified without a filename, the
# directory should include a trailing (back)slash. If the filename is omitted,
# Reptor will automatically generate it based on the date of the logfile
# processed. If the string begins with ">", the output will be appended to the
# file if it already exists. Otherwise, it will overwrite an existing file of
# the same name. If "ftp" is specified, Reptor will upload the output to an ftp
# server using the specified settings. If "mail" is specified, Reptor will
# email the output to the list of addresses specified.
#
# Examples:
#
# output file /reports/
#   Save the output to the file /reports/<date>.html.
#
# output file /reports/output.html
#   Save the output to the file /reports/output.html, overwriting it if it
#   already exists.
#
# output file >/reports/output.html
#   Save the output to the file /reports/output.html, appending to it if it
#   already exists.
#
# output ftp anonymous,reptor,ftpsrv,/pub/incoming/reptor.html
#   Upload the output to the ftp server named ftpsrv. Log in with the userid
#   anonymous and the password reptor. Upload the file to the directory
#   /pub/incoming and name it reptor.html.
#
# output ftp apache,george,websrv,/apache/htdocs/reptor/
#   Upload the output to the ftp server named websrv. Log in with the userid
#   apache and the password george. Upload the file to the directory
#   /apache/htdocs/reptor and name it <date>.html.
#
# output mail joe@domain1.com,fred@domain2.com
#   Email the output to joe@domain1.com and fred@domain2.com.
#
output file ./


#
# mail_server <address>
#
# If you have indicated email output, this option specifies an SMTP server to
# relay mail through. If not specified, it will default to the local host.
#
# Example:
#
# mail_server 1.2.3.4
#


#
# mail_from <address>
#
# Indicates what to use for a From address when sending email output. This is
# not always required, but you may discover that your mail server has an
# anti-spam feature that rejects Reptor's output because the message does not
# have a valid From address.
#
# Example:
#
# mail_from root@domain.com
#


#
# dns <all|print>
#
# If specified, Reptor will perform reverse DNS lookups on unresolved IP
# addresses. If the "all" option is specified, Reptor will look up all
# unresolved IP addresses, whether or not the logfile entry is selected to
# print. If the "print" option is specified, Reptor will only look up
# unresolved IP addresses that are selected to be printed. Choosing "all" will
# significantly increase the amount of time required to process a logfile.
# However, in order to utilize the word search feature on a hostname, sort a
# summary by hostname, or specify the domain_summary option, full DNS
# resolution at the firewall is required. If these features are important to
# you, consider instead using a specially modified version of jdresolve, a high
# speed asynchronous resolver, specifically tweaked to handle Raptor logfiles.
# It can be downloaded from http://www.wankwood.com/reptor/jdresolve.html.
#
dns print


#
# nice_format
#
# If specified, large byte values will be represented in Kb or Mb, as
# appropriate. In addition, other large values will be printed with commas.
#
nice_format


#
# title
#
# If specified, will be used as a report title. It may include simple HTML
# tags, but don't get silly with it.
#
title "Company<br>Firewall Activity"


#
# theme <theme>
#
# If specified, Reptor will utilize the named theme to generate the HTML
# output. The theme determines the fonts, colors, and formatting used. This
# allows for easy customization of the output. Theme names are case sensitive.
# Browse the themes directory for the names of the available themes.
#
# Example:
#
# theme Classic
#
theme Kuro5hin


#
# graphs <scale>
#
# If specified, Reptor will include graphs in summary tables. Reduce the scale
# to make the graphs narrower, increase the scale to make the graphs wider.
#
graphs 0.75


#
# smtp_bugfix
#
# If specified, Reptor will work around a Raptor bug that occasionally produces
# impossibly huge values for the number of bytes received in some logfile
# entries for the SMTP protocol.
#


# End
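
An added example, not part of the Reptor distribution: a Python check for a finished configuration file, using the file's stated syntax (one option per line, # comments, case-insensitive keywords, double-quoted strings). It flags an `output ftp` line that stores a non-anonymous password, a config file that group or other users can read while it holds one, and the links/alerts/show_arg combination that puts clickable alerting URLs in the report. The sample config is constructed; alerts and show_arg appear bare as placeholders because their arguments are not described in this part of the file.

```python
import os
import re
import stat

# Constructed sample config. "alerts" and "show_arg" are shown bare as
# placeholders; only their presence matters to this check.
SAMPLE_CFG = '''\
# nightly summary
alerts
show_arg
LINKS
title "Company<br>Firewall Activity"
output ftp apache,george,websrv,/apache/htdocs/reptor/
'''

def parse_cfg(text):
    """Yield (keyword, args) for each option line, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        yield tokens[0].lower(), tokens[1:]   # keywords are not case sensitive

def audit(text, mode):
    """Return findings for config `text` stored with POSIX permission bits `mode`."""
    opts = list(parse_cfg(text))
    names = {key for key, _ in opts}
    findings, has_secret = [], False
    for key, args in opts:
        if key == "output" and args[:1] == ["ftp"] and len(args) > 1:
            # ftp username,password,address,directory/[filename]
            user, password = (args[1].split(",") + [""])[:2]
            if user.lower() != "anonymous" and password:
                has_secret = True
                findings.append(f"ftp password for '{user}' stored in cleartext")
    if has_secret and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"config readable by group/other (mode {mode:03o})")
    if {"links", "alerts", "show_arg"} <= names:
        findings.append("report will contain clickable links to alerting URLs")
    return findings

def audit_file(path):
    """Audit the config file at `path` using its on-disk permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```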