# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Windows 2000/XP/2003 event-log records that
# arrive wrapped in syslog. The parsing filter reads v.syslog_message, i.e.
# the syslog payload; the syslog envelope is presumably stripped before this
# filter runs (log_data_type = "syslog_required") - confirm against the
# Sawmill syslog handling if that assumption matters.
#
# Layout restored from a flattened copy (line breaks re-inserted only; no
# token was changed).

windows2003_syslog = {

  plugin_version = "1.1simp"

  info.1.manufacturer = "Microsoft"
  info.1.device = "Windows 2000/XP/2003 Eventlog via Syslog"
  info.1.version.1 = "1.1simp"

  # 2010-05-31 - Benson - 1.0simp - Simplified many useless fields from datagram_syslog_agent.cfg
  # 2010-12-22 - Benson - 1.1simp - Compatible with non DATE HOST format

  # The name of the log format
  log.format.format_label = "Windows 2000/XP/2003 Eventlog via Syslog"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "other"

  # Autodetection: a line is claimed by this format when it contains
  # "<text>[<lowercase word>] <number> " - i.e. the "<process>[<priority>]
  # <event_code> " prefix the parser expects. The signature is loose
  # (unanchored, any text before the '['), so other syslog payloads of a
  # similar shape may also be claimed; verify autodetection on mixed feeds.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "[^[]+\\[[a-z]+\\] [0-9]+ ")
  `

  # Log fields
  # Every field starts empty and is filled by the parsing filter below.
  # The commented-out entries are kept as a reference of what the full
  # datagram_syslog_agent.cfg format carried; presumably these are the
  # fields dropped in 1.0simp (see history above).
  log.fields = {
    event_code = ""
    #computer_name = ""
    event = ""
    process = ""
    priority = ""
    message = ""
    # Fields for windows descriptions, include windows 2000 / xp and 2003 log fields
    user_name = ""
    #primary_user_name = ""
    #client_user_name = ""
    domain = ""
    #primary_domain = ""
    #client_domain = ""
    logon_id = ""
    #primary_logon_id = ""
    #client_logon_id = ""
    #logon_type = ""
    #logon_process = ""
    #authentication_package = ""
    #workstation_name = ""
    #logon_guid = ""
    #caller_user_name = ""
    #caller_domain = ""
    #caller_logon_id = ""
    #caller_process_id = ""
    #transited_services = ""
    source_network_address = ""
    #source_port = ""
    #object_server = ""
    object_name = ""
    #object_type = ""
    #handle_id = ""
    #new_handle_id = ""
    #process_id = ""
    image_file_name = ""
    #new_process_id = ""
    #creator_process_id = ""
    #server = ""
    #service = ""
    #privileges = ""
    #accesses = ""
    #access_mask = ""
    #restricted_sid_count = ""
    #operation_id = ""
    logon_account = ""
    source_workstation = ""
    error_code = ""
    #print_filename = ""
    #print_file_owner = ""
    #print_method = ""
    #print_bytes = ""
    #print_pages = ""
  } # log.fields

  # Filter-scoped state: the internal name of the last "Name: Value"
  # section seen, so that a following section without a ':' divider can be
  # appended to it. Reset at the end of every accepted entry.
  log.filter_initialization = `
    string last_fieldname = "";
  `

  # Parsing filter. Expected payload shape, optionally preceded by a
  # "<Mon> <day> <hh:mm:ss> <host>" prefix:
  #   <process>[<priority>] <event_code> <message>
  # The message is then split into "Name: Value" sections which are mapped
  # onto the collected fields declared in log.fields through the
  # rewrite_rules.windows_event_field_names table.
  log.parsing_filters.parse = `
    # 2008-12-20 - GMF - Added support for Win2003 format, where there is a tab after the time field
    # Two alternatives: the first expects a leading date/host prefix, the
    # second accepts the bare form (1.1simp). Capture groups are the same in
    # both: $1 = process, $2 = priority, $3 = event code, $4 = message.
    # The second alternative is not anchored at the start, so $1 absorbs
    # whatever precedes the first '['.
    # NOTE(review): the "[ ]" classes in the first regex look like tabs that
    # were flattened to spaces when this file was copied (the comment above
    # refers to a tab) - confirm against the deployed file.
    if (matches_regular_expression(v.syslog_message, "^[A-Z]?[a-z]+ [ 0-9]+ [0-9:]+[ ][^ ]+ ([^[]+)\\[([^]]+)\\] ([0-9]+) (.*)$") or
        (matches_regular_expression(v.syslog_message, "([^[]+)\\[([^]]+)\\] ([0-9]+) (.*)$"))) then (
      v.process = $1;
      set_collected_field('', 'process', v.process);
      set_collected_field('', 'priority', $2);
      v.event_code = $3;
      set_collected_field('', 'event_code', v.event_code);
      v.message = $4;
      set_collected_field('', 'message', v.message);

      # Handle print messages
      # (disabled; the print_* fields are also commented out in log.fields)
      #if ((v.process eq 'print') and matches_regular_expression(v.message, '^[^,]+, ([^(]+) [(]([^)]+)[)] (.+): ([0-9]+), [^:]+: ([0-9]+)')) then (
      #  set_collected_field('', 'print_filename', $1);
      #  set_collected_field('', 'print_file_owner', $2);
      #  set_collected_field('', 'print_method', $3);
      #  set_collected_field('', 'print_bytes', $4);
      #  set_collected_field('', 'print_pages', $5);
      #);

      # Extract event from message. event is separated from message by a '' (ASCII 127) character.
      # NOTE(review): the ASCII 127 (DEL) delimiter appears to have been
      # stripped from this copy - the classes written as "[^]" here and in
      # the while loop below, and the "^?" markers, are where it sits in the
      # original. Confirm against the original before relying on this text.
      if (matches_regular_expression(v.message, '^([^]*) (.*)$')) then (
        set_collected_field('', 'event', $1);
        v.message = $2;
        set_collected_field('', 'message', v.message);
      );

      # 2008-12-20 - GMF - Switched to a single While loop which looks for all variants, for simplicity (separate while loops are probably a bit faster)
      # Each iteration consumes one leading section of v.message. The
      # alternatives share a capture layout: $1 = field name (empty for a
      # value-only section), $2 = ':' when a divider was present, $3 = value,
      # $4 = the unconsumed remainder.
      # NOTE(review): the "final field" alternative has only three groups,
      # so "v.message = $4" below relies on an unset $4 reading as empty
      # (which ends the loop) - confirm; otherwise the loop would not
      # terminate on the last section.
      while (
        # 2008-12-19 - Filla - For windows 2000 with logger version 5.0
        matches_regular_expression(v.message, '^[ ]*([^ ][^:]+)(:) ([^]+)(.*)$') or
        # 2008-12-19 - Filla - For windows xp / 2003 with logger version 5.2
        matches_regular_expression(v.message, '^[ ]*([^ ][^:]+)(:)([^]*)(.*)$') or
        # 2009-1-5 - Filla - For windows xp / 2003 with logger version 5.2
        matches_regular_expression(v.message, '^[ ]*([^ ][^:]+)(:)([^]*)(.*)$') or
        # 2009-1-5 - GMF - Added support for skipping value-only section like "^?NT Local Security Authority / Authentication Service^?"
        matches_regular_expression(v.message, '^[ ]*()()([^]+)(.*)$') or
        # 2009-1-5 - GMF - Added support for final field
        matches_regular_expression(v.message, '^[ ]*([^ ][^:^?]+)(:)([^^?]*)$') or
        # 2008-12-20 - GMF - Added support for empty field values, and no leading tabs
        # matches_regular_expression(v.message, '^[ ]*([^ ][^:]+):()(.*)$'))
        ( )
      ) (

        # If there was no : divider in this section, treat it as part of the previous field value
        # The '(empty)' placeholder (presumably what get_collected_field
        # returns for a field with no value yet) is discarded before the
        # ';'-joined append.
        if ($2 eq '') then (
          if (last_fieldname ne '') then (
            v.current_value = get_collected_field('', last_fieldname);
            if (v.current_value eq '(empty)') then
              v.current_value = "";
            set_collected_field('', last_fieldname, v.current_value . ";" . $3);
          );
        );
        # If there was a : divider in this section, use the name/value directly.
        # $1 is text taken from the log record itself, i.e. untrusted input;
        # it is translated through rewrite_rules.windows_event_field_names
        # before being used as a collected-field name, so only names with a
        # rewrite rule are meant to land in a declared field.
        # NOTE(review): the lookup result is used unchecked - confirm what
        # node_value() yields for a name with no rewrite rule and that
        # set_collected_field() with that value is harmless; a guard such as
        # "if (v.internal_fieldname ne '')" would make the intent explicit.
        else (
          v.internal_fieldname = node_value(subnode_by_name('rewrite_rules.windows_event_field_names', $1));
          set_collected_field('', v.internal_fieldname, $3);
          last_fieldname = v.internal_fieldname;
        );
        v.message = $4;

      ); # while found name/value pair

      # One database entry per parsed record; 'events' is the entry counter
      # declared in database.numerical_fields.
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
      last_fieldname = "";
    );
  `

  # Database fields
  # Mirrors log.fields (minus the print_* fields); 'message' gets an explicit
  # SQL column length since it carries the free-text remainder of the record.
  database.fields = {
    event_code = ""
    #computer_name = ""
    event = ""
    process = ""
    priority = ""
    message = {
      sql_field_length = 512
    }
    # Fields for windows , include windows 2000 , xp , and 2003
    user_name = ""
    #primary_user_name = ""
    #client_user_name = ""
    domain = ""
    #primary_domain = ""
    #client_domain = ""
    logon_id = ""
    #primary_logon_id = ""
    #client_logon_id = ""
    #logon_type = ""
    #logon_process = ""
    #authentication_package = ""
    #workstation_name = ""
    #logon_guid = ""
    #caller_user_name = ""
    #caller_domain = ""
    #caller_logon_id = ""
    #caller_process_id = ""
    #transited_services = ""
    source_network_address = ""
    #source_port = ""
    #object_server = ""
    object_name = ""
    #object_type = ""
    #handle_id = ""
    #new_handle_id = ""
    #process_id = ""
    image_file_name = ""
    #new_process_id = ""
    #creator_process_id = ""
    #server = ""
    #service = ""
    #privileges = ""
    #accesses = ""
    #access_mask = ""
    #restricted_sid_count = ""
    #operation_id = ""
    logon_account = ""
    source_workstation = ""
    error_code = ""
    #print_filename = ""
    #print_file_owner = ""
    #print_method = ""
  } # database.fields

  # 'events' is set to 1 by the parsing filter for every accepted entry;
  # it is not declared in log.fields, consistent with requires_log_field = false.
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    #print_pages = ""
    #print_bytes = {
    #  default = false
    #  type = "float"
    #  display_format_type = "bandwidth"
    #}
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    # (left empty: no report grouping is defined for this format)
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # windows2003_syslog