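# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plug-in for the Amavis mail virus/spam scanner.
# The lines are delivered by the syslog plug-in (see log_data_type below), so the
# parsing filter only sees v.syslog_message plus the syslog-level fields
# (date, time, logging_device, log_level) that it copies into its own keyed entries.
amavis = {

  plugin_version = "1.2.1"

  # Plug-in catalogue metadata. The first key was previously spelled "manfacturer",
  # which is not the name the plug-in registry reads; corrected here.
  info.1.manufacturer = "Amavis"
  info.1.device = "Mail Virus Scanner"
  info.1.version.1 = ""

  # 1.0Beta - updated v6 plug-in
  # 1.1Beta Added spam detection (yes/no) to a specific format of log line in "stable Debian"
  #         release of AMaViS
  # 2007/03/22 15:28 - 1.2beta - gas - corrected a bug in the sender/recipient tracking
  #                                  - corrected a bug in the duration collection
  # 2007/09/11 - 1.2 - KBB - renumbered per new beta policy and changed file name from beta_amavis.cfg
  # 2010-10-11 - 1.2.1 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "Amavis Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first autodetect_lines lines (100 below)
  # match either regular expression. Both anchor on the "(pid-seq)" Amavis key so that
  # other syslog traffic on the same host is not mistaken for Amavis output.
  # (The second alternative list used to contain "Passed" twice; the duplicate is dropped.)
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "\\([0-9]+-[0-9-]+\\) (Passed|Blocked) (CLEAN|INFECTED|BAD-HEADER|SPAM), ") or
    matches_regular_expression(volatile.log_data_line, "\\([0-9]+-[0-9-]+\\) (Passed|ESMTP|Checking|spam_scan|SPAM-TAG|FWD|TIMING), ")
  `
  log.format.autodetect_lines = 100
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    result = ""
    # sender/recipient are split on "@" right-to-left so reports can roll up by domain
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # recipient
    message_id = ""
    mail_id = ""
    duration = ""
    messages = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Every Amavis line carries a "(pid-seq)" key; fields from several lines that share a
  # key are collected under that key and only accepted once a "from -> to" line or a
  # TIMING line has been seen for it.
  log.parsing_filters.parse = `
    # 1.0Beta Line type:
    # Sep 3 19:29:14 newftp.anchovies.com /usr/sbin/amavisd[27292]: (27292-03) Passed CLEAN, [211.117.198.143] [211.117.198.143] -> ,, Message-ID: , mail_id: Yd3kwA9j62ZN, Hits: -0.734, 19550 ms
    #
    # NOTE(review): the angle-bracketed sender/recipient/message-id values appear to have
    # been lost from the sample lines above and below; the filters further down expect
    # "<sender> -> <recipient>, Message-ID: <id>, ..." as written in their expressions.
    #
    # 1.1Beta added support for this line type:
    # Feb 27 12:43:48 smtp1 amavis[27470]: (27470-08) SPAM-TAG, -> , Yes, hits=13.7 tagged_above=-999.0 required=6.0 tests=ALL_TRUSTED, BAYES_50, DATE_IN_PAST_03_06, EXTRA_MPART_TYPE, FROM_LOCAL_NOVOWEL, HTML_IMAGE_ONLY_12, HTML_MESSAGE, HTML_SHORT_LINK_IMG_1, URIBL_SBL, URIBL_SC_SURBL, URIBL_WS_SURBL
    # where the "Yes" on a SPAM-TAG line indicates spam (and "No" is not-spam) which gets tagged on the end of the result field

    # Split the line into key "(pid-seq)", result (text up to the first comma) and the remainder.
    if (matches_regular_expression(v.syslog_message, '\\\\(([0-9-]+)\\\\) ([^,]*), (.*)$')) then (
      v.key = $1;
      v.result = $2;
      v.remainder = $3;
      # echo('##### debug');
      # echo(v.syslog_message);
      # echo(v.remainder);

      # pull the non-keyed entries from the syslog plug-in into a keyed field
      set_collected_field(v.key, 'date', get_collected_field('', 'date'));
      set_collected_field(v.key, 'time', get_collected_field('', 'time'));
      set_collected_field(v.key, 'logging_device', get_collected_field('', 'logging_device'));
      set_collected_field(v.key, 'log_level', get_collected_field('', 'log_level'));

      # pull out the yes and no spam-tags; the "(Yes|No)" verdict is appended to the result.
      # (v.key is reassigned to the same key here; harmless but redundant.)
      if (matches_regular_expression(v.syslog_message, '\\\\(([0-9-]+)\\\\) SPAM-TAG, [^,]+, (Yes|No),')) then (
        v.key = $1;
        set_collected_field(v.key, 'result', v.result . ' - ' . $2)
      );
      else (set_collected_field(v.key, 'result', v.result));

      # pull out the duration from a TIMING line and accept the entry collected under this key
      if (matches_regular_expression(v.result, 'TIMING \\\\[total ([0-9]+) ms\\\\]')) then (
        set_collected_field(v.key, 'duration', $1);
        accept_collected_entry(v.key, false);
      );

      # Ignore bracketed IPs. Only $3 (the text after the two "[...]" groups) is used;
      # the two "([^]])*" groups would hold a single character each, so do not rely on them.
      if (matches_regular_expression(v.remainder, '^\\\\[([^]])*\\\\] \\\\[([^]])*\\\\] (.*)$')) then
        v.remainder = $3;

      # pull out the main from/to line. Each inner match peels one comma-separated
      # element off v.remainder; a missing element stops the chain but still accepts
      # the entry with whatever was collected so far.
      if (matches_regular_expression(v.remainder, '<([^>]*)> -> <([^ ]*)>, (.*)$')) then (
        set_collected_field(v.key, 'sender', $1);
        set_collected_field(v.key, 'recipient', $2);
        v.remainder = $3;
        if (matches_regular_expression(v.remainder, '^Message-ID: <([^>]*)>, (.*)$')) then (
          set_collected_field(v.key, 'message_id', $1);
          v.remainder = $2;
          if (matches_regular_expression(v.remainder, '^mail_id: ([^,]*), (.*)$')) then (
            set_collected_field(v.key, 'mail_id', $1);
            v.remainder = $2;
            # the Hits score is consumed but not collected into any field
            if (matches_regular_expression(v.remainder, '^Hits: [^,]+, (.*)$')) then (
              v.remainder = $1;
              if (matches_regular_expression(v.remainder, '^([0-9]+) ms')) then (
                set_collected_field(v.key, 'duration', $1);
                v.remainder = '';
              );
            );
          );
        );
        set_collected_field(v.key, 'messages', 1);
        accept_collected_entry(v.key, false);
      );
    );
  `

  # Database fields
  database.fields = {
    result = ""
    sender = ""
    recipient = ""
    message_id = ""
    mail_id = ""
  } # database.fields

  database.numerical_fields = {
    messages = {
      default = true
      requires_log_field = false
      entries_field = true
    } # messages
    # duration is collected in milliseconds (see the "ms" expressions in the filter above)
    duration = {
      default = false
      type = "float"
      display_format_type = "duration_milliseconds"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # amavis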