# Copyright (c) 2010 Flowerfire, Inc.  All Rights Reserved.
applied_identity = {

  plugin_version = "1.1.1"

  info.1.manfacturer = "Applied Identity"
  info.1.device = "WELF"
  info.1.version.1 = ""

  # Initial creation - 1.0
  # 2006-05-06 - 1.1 - GMF - added tracking of user, ruleid, result, ath_type, authsource, and dn
  # 2010-10-11 - 1.1.1 - MSG - Edited info lines.


  # The name of the log format
  log.format.format_label = "Applied Identity WELF Log Format"
  log.miscellaneous.log_data_type = "syslog_required"  
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "id=[^ ]* time=\"[0-9-]* [0-9:]*\" fw=[^ ]*.*msgid=[0-9][0-9][0-9][0-9] "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

    id = ""
    fw = ""
    pri = ""
    src.type = "host"
    dst = ""
    src_port = ""
    dst_port = ""
    proto = ""
    service = ""
    msgid = ""
    type = ""
    ruleid = ""
    result = ""
    user = ""
    auth_type = ""
    authsource = ""
    dn = ""
    msg = ""

    wttime.label = "wttime"

    accesses = ""

  } # log.fields


  # Log Parsing Filters
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '(id=.*)$')) then (
  collect_listed_fields('', $1, ' ', '=', 'time=wttime');
  if (matches_regular_expression(get_collected_field('', 'wttime'), '^([0-9-]+) ([0-9:]+)$')) then (
    set_collected_field('', 'date', $1);
    set_collected_field('', 'time', $2);
  );
  if (matches_regular_expression(get_collected_field('', 'msg'), '^Bytes transferred for connection: ([0-9]+) Src [0-9]+ Dst')) then (
    set_collected_field('', 'rcvd', $1);
    set_collected_field('', 'sent', $2);
  );
  set_collected_field('', 'accesses', 1);
  accept_collected_entry('', false);
)
`


  # Database fields
  database.fields = {

    id = ""
    fw = ""
    pri = ""
    src = "host"
    dst = ""
    src_port = ""
    dst_port = ""
    proto = ""
    service = ""
    msgid = ""
    type = ""
    ruleid = ""
    result = ""
    user = ""
    auth_type = ""
    authsource = ""
    dn = ""
    msg = ""

  } # database.fields


  # Log Filters
  log.filters = {

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry

  } # log.filters

  log.field_options = {

    sessions_page_field = "url"
    sessions_visitor_id_field = "src"
    sessions_event_field = "page_views"

  } # log.field_options


  database.numerical_fields = {

    accesses = {
      default = true
      entries_field = true
    } # accesses

    unique_source_ips = {
      log_field = "src"
      type = "unique"
    } # unique_source_ips

  } # database.numerical_fields


  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

  } # create_profile_wizard_options

} # applied_identity