# Copyright (c) 2010 Flowerfire, Inc.  All Rights Reserved.
citrix_netscaler = {

  plugin_version = "1.3.3"

  info.1.manufacturer = "Citrix"
  info.1.device = "NetScaler"
  info.1.version.1 = "8.0"
  info.1.version.2 = "9.0" # build 67.7

  # 2007-10-22 - 1.0 - KBB - Initial creation
  # 2008-04-07 - 1.1 - KBB - Added support for new line format (Context lines)
  # 2008-09-19 - 1.2 - GMF - Added support for variant with an integer before the :
  # 2009-06-12 - 1.2.1 - GMF - Added support for extracting CMD_EXECUTED lines
  # 2009-06-18 - 1.2.2 - KBB - Added support for variant with an integer before the second :
  # 2009-07-16 - 1.2.3 - GMF - Fixed bug with tracking of "command" field
  # 2009-07-29 - 1.2.4 - GMF - Added support for Device...State lines
  # 2009-08-24 - 1.3 - KBB - Added support for Citrix 9.0. Also fixed duration calculation for
  # Context lines, added support for more Context lines, and added support for commands with
  # quotes in them. Grouped reports since there are so many fields now. Grouping could be better.
  # 2009-08-26 - 1.3.1 - KBB - Removed logging of end and delink times. Added duration calculation
  # for start_time and end_time. (end_time and delink_time seem always the same as date_time.)
  # 2009-08-27 - 1.3.2 - KBB - Added support for Monitor...State lines
  # 2010-12-20 - 1.3.3 - gas - added new variant (session id field)

  # The name of the log format
  log.format.format_label = "Citrix NetScaler Log Format"
  log.miscellaneous.log_data_type = "syslog_required"  
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression
  #Oct 10 22:39:13 <local0.warn> 66.36.236.66 10/10/2007:14:39:13 GMT ns : APPFW APPFW_STARTURL :  220.133.110.194 fetpoc Disallow Illegal URL: http://61.31.230.67/board/ <not blocked>
  #2007-11-09	11:25:35	Local0.Info	10.2.66.226	 11/09/2007:03:25:05 GMT agee : SSLVPN TCPCONNSTAT : Context user01@10.2.66.226 - User user01 - Client_ip 10.2.66.226 - Nat_ip 10.2.66.226 - Vserver 10.2.66.236:443 - Source 10.2.66.226:1404 - Destination 127.0.0.1:80 - Start_time "11/09/2007:03:25:04 GMT" - End_time "11/09/2007:03:25:05 GMT" - Duration 00:00:01  - Total_bytes_send 463 - Total_bytes_recv 2379 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "accounting"
  #2009-06-17 17:08:41	Local0.Info	172.16.55.55	06/18/2009:01:07:20 GMT access : UI CMD_EXECUTED 8454 :  User poweruser - Remote_ip 172.16.54.54 - Command "login" - Status "Success"
  #Aug 17 15:00:00 155.155.155.55 08/17/2009:19:00:00 GMT  : TCP CONN_DELINK 170566 :  Source 10.5.55.55:2567 - Vserver 155.155.155.54:443 - NatIP 155.155.155.56:49734 - Destination 155.155.155.57:9212 - Delink Time 08/17/2009:19:00:00 GMT - Total_bytes_send 0 - Total_bytes_recv 12918
  log.format.autodetect_regular_expression = "[0-9]{2}/[0-9]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ ([^ ]+)? ([A-Z0-9-]+ )?: [A-Z_]+ [A-Z_]+ ([0-9]+ )?: "
  log.format.autodetect_lines = 20000

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  log.fields = {

    host_name = ""
    application_type = ""
    validation_type = ""
    client_ip = ""
    application = ""
    url.type = "page"
    message = ""
    result = ""

    context = ""
    user = ""
    nat_ip = ""
    vserver = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    groups = ""

    remote_ip = ""
    command = ""
    status = ""

    device = ""
    monitor = ""
    state = ""

    browser_type.type = "agent"
    sslvpn_client_type = ""

    start_time = ""
#    end_time = ""
#    delink_time = ""

    duration = ""
    total_bytes_send = ""
    total_bytes_recv = ""

    http_resources_accessed = ""
    nonhttp_resources_accessed = ""
    total_tcp_connections = ""
    total_udp_flows = ""
    total_policies_allowed = ""
    total_policies_denied = ""

  } # log.fields

  log.filters = {

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  log.parsing_filters.parse = `
#Aug 29 11:54:32 <local0.warn> 66.66.236.66 08/29/2007:03:54:32 GMT ns : APPFW APPFW_FIELDFORMAT :  216.66.216.66 znet_hello http://hello.znet.goodbye.tw/book.jsp?id=2G024132&status=1&searchFunction=&searchContent=&searchStatus=-1&searchSO=&searchUserID=&searchStage=0&year=2007&month=08&day=29&year2=2007&month2=08&day2=29&setupyear=null&setupmonth=n Field format check failed for field searchfunction="" <not blocked>
if (matches_regular_expression(v.syslog_message, '^ *([0-9]{2}/[0-9]{2}/[0-9]{4}):([0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+ ([^ ]+)? ([A-Z0-9-]+ )?: ([^ ]+) ([^ ]+) ([0-9]+ )?: (.*)$')) then (

  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  set_collected_field('', 'host_name', $3);
  set_collected_field('', 'application_type', $5);
  set_collected_field('', 'validation_type', $6);
  v.message = $8;

  # e.g. #Oct 11 02:28:30 <local0.warn> 66.36.236.66 10/10/2007:18:28:30 GMT ns : APPFW APPFW_XSS :  226.166.116.166 falcon http://falcon.hawk.com/prey/?search=<script>alert(document.cookie)</script> Cross-site script check failed for search="<script>alert(document.cookie)<" <blocked>
  if (matches_regular_expression(v.message, '^ *([0-9.]+) ([^ ]+) ([^ ]+) (.*)$')) then (

    set_collected_field('', 'client_ip', $1);
    set_collected_field('', 'application', $2);
    set_collected_field('', 'url', $3);
    v.message = $4;
    if (matches_regular_expression(v.message, '^(.*) <([^>]+)>$')) then (
      v.message = $1;
      set_collected_field('', 'result', $2);
    );
    set_collected_field('', 'message', v.message);

  ); # if content message


  ## IF CONTEXT START ##
  ## match 1
  # 2007-11-09	11:25:35	Local0.Info	1.2.3.4	 11/09/2007:03:25:05 GMT abcd : SSLVPN TCPCONNSTAT : Context user01@4.3.2.1 - User user01 - Client_ip 5.6.7.8 - Nat_ip 9.8.7.6 - Vserver 2.3.4.5 - Source 3.4.5.6:1234 - Destination 4.5.6.7:80 - Start_time "11/09/2007:03:25:04 GMT" - End_time "11/09/2007:03:25:05 GMT" - Duration 00:00:01  - Total_bytes_send 463 - Total_bytes_recv 2379 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "accounting"
  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Source ([0-9.]+):([0-9]+) - Destination ([0-9.]+):([0-9]+) - Start_time "([^"]+)" - End_time "([^"]+)" - Duration ([0-9:]+)  - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - ([^-]+) - Group[(]s[)] "([^"]+)"')) then (

    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'source_ip', $6);
    set_collected_field('', 'source_port', $7);
    set_collected_field('', 'destination_ip', $8);
    set_collected_field('', 'destination_port', $9);
    set_collected_field('', 'start_time', $10);
#    set_collected_field('', 'end_time', $11);
    v.duration = $12;
    set_collected_field('', 'total_bytes_sent', $13);
    set_collected_field('', 'total_bytes_recv', $14);
#    set_collected_field('', 'total_compressedbytes_send', $15);
#    set_collected_field('', 'total_compressedbytes_recv', $16);
#    set_collected_field('', 'compression_ratio_send', $17);
#    set_collected_field('', 'compression_ratio_recv', $18);
    set_collected_field('', 'result', $19);
    set_collected_field('', 'groups', $20);

    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
    set_collected_field('', 'duration', v.duration);

  );

  ## Match 2
  #2007-11-09	11:25:16	Local0.Info	10.2.2.2	 11/09/2007:03:24:45 GMT agee : SSLVPN LOGIN : Context user01@10.2.2.1 - User user01 - Client_ip 10.2.2.1 - Nat_ip "Mapped Ip" - Vserver 10.2.2.3:443 - Browser_type "Mozilla/4.0 (Compatible; MSIE 5.5; NetScaler 5.1)" - SSLVPN_client_type ActiveX - Group(s) "accounting"
   else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Browser_type "([^"]+)" - SSLVPN_client_type ([^ ]+) - Group\\\\(s\\\\) "([^"]+)"')) then (
#   else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "Mapped Ip" - Vserver ([^ ]+) - Browser_type "([^"]+)" - SSLVPN_client_type ([^ ]+) - Group\\\\(s\\\\) "([^"]+)"
 
    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'browser_type', $6);
    set_collected_field('', 'sslvpn_client_type', $7);
    set_collected_field('', 'groups', $8);

  );
  ## match 3
  #2007-11-09	11:26:15	Local0.Info	10.2.2.2	 11/09/2007:03:25:45 GMT agee : SSLVPN LOGOUT : Context user01@10.2.2.21 - User user01 - Client_ip 10.2.2.22 - Nat_ip "Mapped Ip" - Vserver 10.2.2.23:443 - Start_time "11/09/2007:03:24:12 GMT" - End_time "11/09/2007:03:25:45 GMT" - Duration 00:01:33  - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 61 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 29008 - Total_bytes_recv 1292093 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "accounting"
  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Start_time "([^"]+)" - End_time "([^"]+)" - Duration ([0-9:]+) *- Http_resources_accessed ([0-9]+) - NonHttp_services_accessed ([0-9]+) - Total_TCP_connections ([0-9]+) - Total_UDP_flows ([0-9]+) - Total_policies_allowed ([0-9]+) - Total_policies_denied ([0-9]+) - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - LogoutMethod "([^"]+)" - Group\\\\(s\\\\) "([^"]+)"')) then (

    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'start_time', $6);
#    set_collected_field('', 'end_time', $7);
    v.duration = $8;
    set_collected_field('', 'http_resources_accessed', $9);
    set_collected_field('', 'nonhttp_resources_accessed', $10);
    set_collected_field('', 'total_tcp_connections', $11);
    set_collected_field('', 'total_udp_flows', $12);
    set_collected_field('', 'total_policies_allowed', $13);
    set_collected_field('', 'total_policies_denied', $14);
    set_collected_field('', 'total_bytes_sent', $15);
    set_collected_field('', 'total_bytes_recv', $16);
#    set_collected_field('', 'total_compressedbytes_send', $17);
#    set_collected_field('', 'total_compressedbytes_recv', $18);
#    set_collected_field('', 'compression_ratio_send', $19);
#    set_collected_field('', 'compression_ratio_recv', $20);
    set_collected_field('', 'logout_method', $21);
    set_collected_field('', 'groups', $22);

    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
    set_collected_field('', 'duration', v.duration);

  ); # 

  ## match 4 (v1.3.3 - gas)
  ## Nov 28 23:00:17 10.73.98.118 11/29/2010:10:00:17 GMT UAPP-CTX PPE-0 : SSLVPN TCPCONNSTAT 2505477 : Context 123@123.123.123.123 - SessionId: 3490- User U123 - Client_ip 123.123.123.123 - Nat_ip 123.123.123.123 - Vserver 123.123.123.123:443 - Source 123.123.123.123:52556 - Destination 123.123.123.123:1361 - Start_time "11/29/2010:09:59:46 GMT" - End_time "11/29/2010:10:00:17 GMT" - Duration 00:00:31 - Total_bytes_send 2563 - Total_bytes_recv 461 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "GG-VPNSSL-xxx-VIPUsers"
  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - SessionId: [^ ]+- User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Source ([0-9.]+):([0-9]+) - Destination ([0-9.]+):([0-9]+) - Start_time "([^"]+)" - End_time "([^"]+)" - Duration ([0-9:]+) *- Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - ([^-]+) - Group[(]s[)] "([^"]+)"')) then (

    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'source_ip', $6);
    set_collected_field('', 'source_port', $7);
    set_collected_field('', 'destination_ip', $8);
    set_collected_field('', 'destination_port', $9);
    set_collected_field('', 'start_time', $10);
#    set_collected_field('', 'end_time', $11);
    v.duration = $12;
    set_collected_field('', 'total_bytes_send', $13);
    set_collected_field('', 'total_bytes_recv', $14);
    set_collected_field('', 'total_compressedbytes_send', $15);
    set_collected_field('', 'total_compressedbytes_recv', $16);
    set_collected_field('', 'compression_ratio_send', $17);
    set_collected_field('', 'compression_ratio_recv', $18);
    set_collected_field('', 'result', $19);
    set_collected_field('', 'groups', $20);

    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
    set_collected_field('', 'duration', v.duration);

  ); # if Context (four variations)
  ## IF CONTEXT END

  # 2009-05-19        18:25:31        Local0.Info     192.168.1.1      05/19/2009:10:25:34 GMT ns 233 : UI CMD_EXECUTED :  User nsroot - Remote_ip 127.0.0.1 - Command "show ns runningConfig" - Status "Success"
#  else if (matches_regular_expression(v.message, '^ *User ([^ ]+) - Remote_ip ([^ ]+) - Command "([^"]+)" - Status "([^"]+)"')) then (
  else if (matches_regular_expression(v.message, '^ *User ([^ ]+) - Remote_ip ([^ ]+) - Command "(.*)')) then (
    set_collected_field('', 'user', $1);
    set_collected_field('', 'remote_ip', $2);

    # Unfortunately, the command may have " in it.
    #Sep 12 11:41:51 192.168.2.2 09/12/2008:06:26:07 GMT ns 35922 : UI CMD_EXECUTED :  User someone - Remote_ip 127.0.0.1 - Command "scp -f "/var/log/ns.log"" - Status "Success"
    v.remainder = $3;
    if (matches_regular_expression(v.remainder, '(.*)" - Status "([^"]+)"')) then (
      set_collected_field('', 'command', $1);
      set_collected_field('', 'status', $2);
    );
  );

  # from Citrix 9.0
  #Aug 17 15:00:00 150.198.164.55 08/17/2009:19:00:00 GMT  : TCP CONN_TERMINATE 170567 :  Source 66.166.160.166:1619 - Destination 155.155.155.55:443 - Start Time 08/17/2009:18:58:21 GMT - End Time 08/17/2009:19:00:00 GMT - Total_bytes_send 126 - Total_bytes_recv 0
  else if (matches_regular_expression(v.message, '^ *Source ([0-9.]+):([0-9]+) - Destination ([0-9.]+):([0-9]+) - Start Time (([0-9]{2}/[0-9]{2}/[0-9]{4}):([0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+) - End Time ([0-9]{2}/[0-9]{2}/[0-9]{4}):([0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+ - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+)')) then (

    set_collected_field('', 'source_ip', $1);
    set_collected_field('', 'source_port', $2);
    set_collected_field('', 'destination_ip', $3);
    set_collected_field('', 'destination_port', $4);
    set_collected_field('', 'start_time', $5);
    v.start_date = normalize_date($6, "mm/dd/yyyy");
    v.start_time = $7;
    v.end_date = normalize_date($8, "mm/dd/yyyy");
    v.end_time = $9;
    set_collected_field('', 'total_bytes_sent', $10);
    set_collected_field('', 'total_bytes_recv', $11);

    # Calculate duration
    int start_time_epoc = date_time_to_epoc(v.start_date . " " . v.start_time);
    int end_time_epoc = date_time_to_epoc(v.end_date . " " . v.end_time);
    set_collected_field('', 'duration', end_time_epoc - start_time_epoc);

  );

  # from Citrix 9.0
  #Aug 17 15:00:00 155.155.155.55 08/17/2009:19:00:00 GMT  : TCP CONN_DELINK 170566 :  Source 10.5.55.55:2567 - Vserver 155.155.155.54:443 - NatIP 155.155.155.56:49734 - Destination 155.155.155.57:9212 - Delink Time 08/17/2009:19:00:00 GMT - Total_bytes_send 0 - Total_bytes_recv 12918
  else if (matches_regular_expression(v.message, '^ *Source ([0-9.]+):([0-9]+) - Vserver ([^ ]+) - NatIP ([^ ]+) - Destination ([0-9.]+):([0-9]+) - Delink Time ([0-9]{2}/[0-9]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+) - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+)')) then (

    set_collected_field('', 'source_ip', $1);
    set_collected_field('', 'source_port', $2);
    set_collected_field('', 'vserver', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'destination_ip', $5);
    set_collected_field('', 'destination_port', $6);
    set_collected_field('', 'delink_time', $7);
    set_collected_field('', 'total_bytes_sent', $8);
    set_collected_field('', 'total_bytes_recv', $9);

  );

  # Jun  4 14:51:37 <local0.notice> 192.168.1.1 06/04/2009:06:50:38 GMT ns : EVENT DEVICEUP 3 :  Device "server_ABCDE_AAA_127.0.0.1:8777(internal)" - State UP
  else if (matches_regular_expression(v.message, '^ *Device "([^"]+)" - State (.*)$')) then (
    set_collected_field('', 'device', $1);
    set_collected_field('', 'state', $2);
  );

  #2009-06-14 22:34:39	Local0.Info	165.16.16.66	06/15/2009:06:33:21 GMT access : EVENT MONITORUP 8448 :  Monitor Name_of_Monitor-more_about_monitor(165.16.16.65:80) - State UP
  else if (matches_regular_expression(v.message, '^ *Monitor ([^ ]+) - State (.*)$')) then (
    set_collected_field('', 'monitor', $1);
    set_collected_field('', 'state', $2);
  );

  accept_collected_entry('', false);
);

`

  database.fields = {

    day_of_week = ""
    hour_of_day = ""
    host_name = ""
    application_type = ""
    validation_type = ""
    context = ""
    user = ""
    client_ip = ""
    nat_ip = ""
    vserver = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    application = ""
    url = ""
    message = ""
    result = ""
    groups = ""

    remote_ip = ""
    command = ""
    status = ""

    device = ""
    monitor = ""
    state = ""

    sslvpn_client_type = ""

    web_browser = ""
    operating_system = ""
#    spider = ""

    start_time = ""
#    end_time = ""
#    delink_time = ""

  } # database.fields

  database.numerical_fields = {

    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events

    duration = {
      type = int
      display_format_type = duration_compact
    } # duration

    total_bytes_send = {
      type = "float"
      display_format_type = "bandwidth"
    } # total_bytes_send

    total_bytes_recv = {
      type = "float"
      display_format_type = "bandwidth"
    } # total_bytes_recv

    http_resources_accessed = ""
    nonhttp_resources_accessed = ""
    total_tcp_connections = ""
    total_udp_flows = ""
    total_policies_allowed = ""
    total_policies_denied = ""

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        url = true
      }
      source_group = {
        source_ip = true
        source_port = true
        client_ip = true
      }
      destination_group = {
        remote_ip = true
        destination_ip = true
        destination_port = true
      }
      users_group = {
        context = true
        user = true
        groups = true
        web_browser = true
        operating_system = true
      }
      other_group = {
        host_name = true
        application_type = true
        application = true
        validation_type = true
        message = true
        result = true
        nat_ip = true
        vserver = true
        command = true
        status = true
    	device = true
		monitor = true
    	state = true
        sslvpn_client_type = true
        start_time = true
#        end_time = true
#        delink_time = true
      }
    } # report_groups

  } # create_profile_wizard_options

} # citrix_netscaler