# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log format plugin for BroadWeb NetKeeper syslog output (Sawmill plugin
# syntax, per the copyright holder).  The device's message is a comma
# separated list of "$key=value" pairs behind a "BroadWeb:" prefix; all field
# extraction is done by the parsing filter below, not by a line regex.
broadweb_netkeeper = {
  plugin_version = "1.0.1"

  # NOTE(review): the info.1.* keys are assigned twice in this file (here and
  # again after log.miscellaneous.*) with different values, and once as
  # "version.1" versus "version".  Which pair takes effect depends on how the
  # loader treats duplicate keys (first-wins vs last-wins) -- consolidate to a
  # single set before relying on the manufacturer/device strings anywhere.
  info.1.manufacturer = "BroadWeb"
  info.1.device = "NetKeeper"
  info.1.version.1 = ""

  # 2007-05-03 - 1.0beta - KBB - Initial creation.
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy
  # 2010-10-18 - 1.0.1 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "BroadWeb NetKeeper Log Format"

  # Input must arrive wrapped in syslog: the parsing filter works on
  # v.syslog_message, not on the raw line.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Second assignment of the info.1.* keys -- see the review note above.
  info.1.manufacturer = "Broadweb"
  info.1.device = "NetKeeper NK3128"
  info.1.version = ""

  # The log is in this format if any of the first autodetect_lines (100)
  # lines match this regular expression.  The backslashes make the "$" of
  # "$deviceType" literal in the regex.
  log.format.autodetect_regular_expression = " \\$deviceType=NetKeeper, \\$deviceName="
  log.format.autodetect_lines = "100"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields.  Names match the "$key" names in the message after the "$"
  # is stripped and the key is lower-cased by the collector.  "duration" is
  # not in the message; it is computed in the parsing filter from btime/etime.
  log.fields = {
    devicetype = ""
    devicename = ""
    desc = ""
    ifno = ""
    ruleid = ""
    rulename = ""
    ori = ""
    cat = ""
    # NOTE(review): only srcip is typed as "host"; dstip carries the same
    # kind of value but is left untyped -- presumably an oversight, confirm.
    srcip.type = "host"
    dstip = ""
    srcport = ""
    dstport = ""
    btime = ""
    etime = ""
    cnt = ""
    action = ""
    duration = ""
  } # log.fields

  # Log Parsing Filters
  # Sample input line (syslog header, then the device message):
  #2007-03-23 14:14:48 User.Warning 172.31.3.32 ar 23 14:15:11 177.37.7.37 BroadWeb:2007-03-23 14:15:11, $deviceType=NetKeeper, $deviceName=IDP (177.37.7.27), $IfNo=0, $ruleId=1052291, $ruleName=P2P Thunder HTTP File Download, $ori=Built-In, $cat=P2P, $srcIp=77.77.77.77, $dstIp=88.88.88.88, $srcPort=64243, $dstPort=80, $bTime=2007-03-23 14:15:11, $eTime=2007-03-23 14:15:11, $cnt=1, $action=Monitor|Drop|Log Event
  log.parsing_filters.parse = `
    # Strip extra syslog header, or partial syslog header (Unix syslog logged by Kiwi syslog)
    # The stricter header-shaped pattern is kept for reference but disabled:
    #if (matches_regular_expression(v.syslog_message, "^[A-Za-z]{23} [0-9 ]{1,2} [0-9:]+ [0-9.]+ BroadWeb: ?(.*)$")) then (
    # NOTE(review): the greedy "^.*" anchors on the LAST " BroadWeb: " in the
    # line, so a message whose own payload (e.g. a rule name) contains that
    # token would be cut at the wrong place.  If that can occur, anchor on the
    # syslog header shape (as in the disabled pattern) rather than on ".*".
    if (matches_regular_expression(v.syslog_message, "^.* BroadWeb: ?(.*)$")) then (
      v.syslog_message = $1;
    );

    # Take the device's own "YYYY-MM-DD HH:MM:SS, " prefix as the entry's
    # date and time (replacing the syslog-header timestamp) and keep only
    # the "$key=value" list that follows.  "\\\\$" is a literal "$" after
    # both the config-string and regex unescaping.
    if (matches_regular_expression(v.syslog_message, "^([0-9-]+) ([0-9:]+), \\\\$(.*)$")) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      v.syslog_message = $3;
    );

    # $ is escaped internally, so can't be used in pair separator
    v.syslog_message = replace_all(v.syslog_message, '$', '');
    # Split on ", " and "=" and set one collected field per pair.  The field
    # NAMES come from the log line itself, so a malformed or unexpected line
    # decides which collected fields get written; presumably only names
    # declared in log.fields are retained downstream -- TODO confirm.
    collect_listed_fields('', v.syslog_message, ', ', '=', '');

    # Calculate the duration from the eTime and bTime fields
    v.etime = get_collected_field('', 'etime');
    v.btime = get_collected_field('', 'btime');
    if (v.btime ne '(empty)' and v.etime ne '(empty)') then (
      # NOTE(review): for a value like "2007-03-23 14:15:11", a 0-based
      # substr(v, 0, 9) with a length argument yields "2007-03-2" and
      # substr(v, 12) yields "4:15:11" (tens digit of the hour dropped).
      # Whether this is correct depends on substr's index base and third
      # argument semantics -- verify against a timestamp that crosses an
      # hour boundary such as 19:59 -> 20:01.
      v.btime_epoc = date_time_to_epoc((normalize_date(substr(v.btime, 0, 9), 'auto')) . ' ' . normalize_time(substr(v.btime, 12), 'auto'));
      v.etime_epoc = date_time_to_epoc((normalize_date(substr(v.etime, 0, 9), 'auto')) . ' ' . normalize_time(substr(v.etime, 12), 'auto'));
      # A conversion failure is reported as '0'; only subtract when both
      # sides converted.  No sign check: eTime earlier than bTime produces a
      # negative duration.
      if (v.etime_epoc ne '0' and v.btime_epoc ne '0') then (
        set_collected_field('', 'duration', v.etime_epoc - v.btime_epoc);
      );
      else (
        set_collected_field('', 'duration', 0);
      );
    );

    accept_collected_entry('', false);
  `

  # Database fields.  btime/etime are not stored; their difference is kept
  # as the numerical field "duration" instead.
  database.fields = {
    devicetype = ""
    devicename = ""
    desc = ""
    ifno = ""
    ruleid = ""
    rulename = ""
    ori = ""
    cat = ""
    srcip = ""
    dstip = ""
    srcport = ""
    dstport = ""
    #btime = ""
    #etime = ""
    cnt = ""
    action = ""
  } # database.fields

  database.numerical_fields = {
    # One count per accepted entry; set by the mark_entry filter below.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # Bandwidth fields are disabled: this device does not report byte counts.
    ## rcvd = {
    ##   type = "float"
    ##   display_format_type = "bandwidth"
    ## } # rcvd
    ##
    ## sent = {
    ##   type = "float"
    ##   display_format_type = "bandwidth"
    ## } # sent
    ##
    ## bytes = {
    ##   requires_log_field = false
    ##   type = "float"
    ##   display_format_type = "bandwidth"
    ## } # bytes
    # Seconds between bTime and eTime, computed in the parsing filter.
    duration = {
      type = "float"
      display_format_type = "duration_compact"
    } # duration
  } # database.numerical_fields

  log.filters = {
    # Disabled together with the bandwidth fields above.
    ## calc_total_bandwidth = {
    ##   label = "$lang_stats.field_labels.bytes"
    ##   comment = "$lang_stats.field_labels.bytes"
    ##   value = "bytes = 0.0 + sent + rcvd;"
    ##   position = "0"
    ## } # calc_total_bandwidth
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
      position = "1"
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options
} # broadweb_netkeeper