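# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Microsoft Exchange Server 2000/2003
# message-tracking log. Each record is one tracking event; this plugin
#   - derives sender_domain / recipient_domain from the address fields,
#   - carries client_ip / client_hostname forward (via per-msgid collected
#     fields) onto the "significant" lines where the 2003 format writes '-',
#   - records the recipient seen on the 1019 line as an alias when its domain
#     differs from the recipient_domain on the significant line,
#   - rejects every line whose event_id is not one of 1021/1026/1028/1030/1031.

microsoft_exchange2000 = {

  info.1.manufacturer = "Microsoft"
  info.1.device = "Exchange Server 2000/2003"
  info.1.version.1 = "2000"
  info.2.manufacturer = "Microsoft"
  info.2.device = "Exchange Server 2000/2003"
  info.2.version.1 = "2003"

  #ref: http://support.microsoft.com/kb/821905

  plugin_version = "1.1.5"

  # 2006-04-12 - 1.1 - GMF - cleaned up to use v7 defaults, added sender and recipient domains,
  #                          grouped reports
  # 2007-01-10 - 1.1.1 - MSG - added support for single digit minutes in date format
  # 2007-01-16 - 1.1.2 - ooo - added support 2003 format where client_ip and client_hostname are replaced
  #                            by dashes on significant lines
  # 2008-04-11 - 1.1.3 - gas - added some experimental code to track alias domains,
  #                            where the 1019 lines and final collect lines have different
  #                            recipient_domain values
  # 2008-04-11 - 1.1.4 - gas - added filter_initialization to declare v.alias_test
  # 2008-07-01 - 1.1.5 - GMF - Set treat_apostrophes_as_quotes to false, for email addresses containing '.
  # 2008-10-24 KBB - 1.1.5 also fixes problems caused by message subjects with '.
  # 2011-06-23 - 1.0.1 - MSG - Edited info lines.
  #              (the "1.0.1" in this entry is lower than plugin_version above; kept as recorded)
  # (unversioned) - alias collection now keys on the event_id / recipient_address fields instead
  #              of a regex over the raw line, so attacker-controlled text such as a message
  #              subject containing " x@y 1019 " can no longer plant a fake alias; the
  #              message_group report key was corrected from linked_msg_id to linked_msgid so it
  #              matches the log field it refers to.

  # The name of the log format
  log.format.format_label = "Microsoft Exchange Server 2000/2003 Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "^# Message Tracking Log File"

  # Addresses and subjects may contain apostrophes; they must not start a quoted token
  log.format.treat_apostrophes_as_quotes = false

  # Log fields, in the order they appear on a tracking-log line
  log.fields = {
    date = ""
    time = ""
    client_ip.type = "host"
    client_hostname = ""
    partner_name = ""
    server_hostname = ""
    server_ip = ""
    recipient_address = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    recipient_domain = ""
    event_id = ""
    msgid = ""
    priority = ""
    recipient_report_status = ""
    total_bytes = ""
    number_recipients = ""
    origination_time = ""
    encryption = ""
    service_version = ""
    linked_msgid = ""
    message_subject = ""
    sender_address = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    sender_domain = ""
    alias = ""
  } # log.fields

  # Declare filter variables
  log.filter_initialization = `
    v.alias_test = "";
  `

  log.parsing_filters.parse = `
    # Derived domain fields: everything after the last '@' of each address.
    if (matches_regular_expression(recipient_address, '@(.*)$')) then
      recipient_domain = $1;
    if (matches_regular_expression(sender_address, '@(.*)$')) then
      sender_domain = $1;

    # Single-digit minutes ("19:2:27") are zero-padded to "19:02:27".
    if (matches_regular_expression(time, '^([0-9][0-9]:)([0-9]:[0-9][0-9].*)$')) then
      time = $1 . '0' . $2;

    # Store client_ip and client_hostname in case they are missing ('-') on significant lines.
    # Example:
    #2006-12-27 19:2:27 GMT 10.10.10.10 here.there.com - CINSHREXC02 10.10.10.11 someone@somewhere.com 1019 152E0634E3F46F4F8E9505ED9069E311677BCA@jfdkaslr.jfdksl.com 0 0 7145 1 2006-12-27 19:2:27 GMT 0 Version: 6.0.3790.1830 - RE: document someone@domain.com -
    if (client_ip ne '-') then (
      set_collected_field(msgid, 'client_ip', client_ip);
    );
    if (client_hostname ne '-') then (
      set_collected_field(msgid, 'client_hostname', client_hostname);
    );

    # Example of a 1019 line whose recipient is an alias:
    # 2008-3-23 0:26:39 GMT 10.10.10.10 here.there.com - ABCDEF08 10.10.10.11 someone@alias.com 1024 32407574.1206231937696.JavaMail.SYSTEM@abc-abc-abc 0 0 6360 1 2008-3-23 0:26:38 GMT 0 Version: 6.0.3790.3959 - IRC - AMT Result someone@domain.com -
    # Collect the recipient from 1019 lines; if its domain differs from recipient_domain when we
    # reach the significant line below, it is an alias, so track it.
    # This keys on the parsed event_id and recipient_address fields rather than on a regex over
    # current_log_line(): the raw line also carries the message subject, which is sender-controlled,
    # and a subject containing " someone@evil.example 1019 " would otherwise be recorded as the alias.
    if (event_id eq '1019') then (
      set_collected_field(msgid, 'alias', recipient_address);
    );

    if (matches_regular_expression(event_id, '(1021|1026|1028|1030|1031)')) then (
      # Restore client_ip and client_hostname if the line looks like this:
      #2006-12-27 19:2:27 GMT - - - CINSHREXC02 - here.there.com 1028 152E0634E3F46F4F8E9505ED9069E311677BCA@jfdksl.jfkdsl.com 0 0 7145 1 2006-12-27 19:2:27 GMT 0 - - RE: document someone@domain.com -
      if (client_ip eq '-') then (
        client_ip = get_collected_field(msgid, 'client_ip');
      );
      if (client_hostname eq '-') then (
        client_hostname = get_collected_field(msgid, 'client_hostname');
      );
      ## check that the alias domain is different from recipient_domain, or ignore it
      if (matches_regular_expression(get_collected_field(msgid, 'alias'), '@(.*)$')) then
        v.alias_test = $1;
      if (v.alias_test ne recipient_domain) then
        alias = get_collected_field(msgid, 'alias');
    );
    else
      'reject';
  `

  # Database fields (commented entries fall back to the v7 defaults)
  database.fields = {
    # date_time = ""
    # day_of_week = ""
    # hour_of_day = ""
    # client_ip = ""
    # partner_name = ""
    # server_hostname = ""
    # recipient_address = ""
    recipient_domain = ""
    # priority = ""
    # recipient_report_status = ""
    # encryption = ""
    # service_version = ""
    # sender_address = ""
    sender_domain = ""
    # event_id = ""
    alias = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Reject this entry if the value of the event_id field is not one of 1021,1026,1028,1030,1031.
    # (An earlier comment also listed 1029, but the expression never included it.)
    # Removed 1023 from the list, because it is always followed by 1028. --GMF 2006-02-20
    # Superseded by the 'reject' branch in log.parsing_filters.parse above; kept for reference.
    # 1 = {
    #   label = "1"
    #   comment = ""
    #   value = "if (matches_regular_expression(event_id, '(1021|1026|1028|1030|1031)')) then '' else 'reject';"
    # } # 1
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    messages = {
      default = true
      requires_log_field = false
      entries_field = true
    } # messages
    total_bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # total_bytes
    unique_client_ips = {
      log_field = "client_ip"
      type = "unique"
    } # unique_client_ips
    unique_message_ids = {
      default = true
      log_field = "msgid"
      type = "unique"
    } # unique_message_ids
    recipients = {
      log_field = "recipient_address"
      type = "unique"
    } # recipients
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      sender_group = {
        sender_address = true
        sender_domain = true
      }
      recipient_group = {
        recipient_address = true
        recipient_domain = true
        recipient_report_status = true
        number_recipients = true
        alias = true
      }
      server_group = {
        server_ip = true
        server_hostname = true
        service_version = true
      }
      client_group = {
        client_ip = true
        client_hostname = true
      }
      message_group = {
        message_subject = true
        msgid = true
        # must match the log field name declared in log.fields
        linked_msgid = true
      }
      other_group = {
        partner_name = true
        priority = true
        encryption = true
        event_id = true
        origination_time = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # microsoft_exchange2000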