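# Copyright (c) 2011 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for ARBOR Networks eSeries syslog output.
# Every message has the shape "<log_type>[<daemon>]: <text>"; the parsing
# filter below splits that envelope and then normalizes the best-known
# message bodies (flow allow/deny decisions, logins, FTP/Telnet sessions).

arbor_eseries = {

  plugin_version = "1.0"

  # Plugin metadata shown in the log-format picker. The key is spelled
  # "manufacturer" here; the original file had "manfacturer", which is not
  # the metadata key and so the vendor name was never picked up.
  info.1.manufacturer = "ARBOR Networks"
  info.1.device = "eSeries Broadband Traffic Management"
  info.1.version = "1"

  # 2011-01-03 - 1.0. - Benson - Initial implementation.

  # The name of the log format (typo "eSeriese" corrected).
  log.format.format_label = "ARBOR Networks eSeries"
  # Date/time come from the syslog header, not from the message body.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Autodetection sample:
  #   flow[tNetTask]: Flow add status duplicate add (1) returned for (sip,dip) 180.177.118.222 222.84.176.66
  # The bracketed task name is deliberately restricted to letters here so the
  # pattern does not fire on generic "prog[pid]:" syslog lines from other
  # devices; autodetection only needs a match within the first 1000 lines,
  # so the rarer "system[?]:" lines (handled by the parser) do not matter here.
  log.format.autodetect_regular_expression = "[^[]+\\[[a-zA-Z]+\\]: [a-zA-Z]+"
  log.format.autodetect_lines = 1000

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    log_type = ""
    daemon = ""
    action = ""
    protocol = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    vid = ""
    policy = ""
    event = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # Envelope: "<log_type>[<daemon>]: <text>". The daemon/task capture is
    # "anything up to the closing bracket" rather than letters only, because
    # the device also emits lines such as "system[?]: Telnet CLI session ..."
    # (see the examples further down); a letters-only capture fails on the
    # "?" and the whole line is silently dropped, never reaching
    # accept_collected_entry.
    if (matches_regular_expression(v.syslog_message, '([a-z]+)\\[([^\\]]+)\\]: (.*)')) then (
      set_collected_field('', 'log_type', $1);
      set_collected_field('', 'daemon', $2);
      v.message = $3;
      # Default "event" is the raw message text; the branches below replace
      # it with a normalized value whenever the message body is recognized.
      set_collected_field('', 'event', $3);

      # Flow decision with ports (tcp/udp):
      #   flow[tNetTask]: Deny tcp flow from 0.0.0.0:0 to 123.193.19.41:445 vid 1 by policy Deny_All_IN
      #   flow[tNetTask]: Deny tcp flow from 112.140.25.197:22786 to 123.193.3.54:0 vid 1 by policy HTTP_Deny_IN
      #   flow[tNetTask]: Deny tcp flow from 123.193.72.116:0 to 95.211.10.39:2710 vid 1 by policy HTTP_Deny_OUT
      # Only "Deny" and "Allow" are recognized as actions; a flow line with any
      # other verb falls through to the generic "from <ip>" branch at the end
      # and is reported with its leading text as the event (no action field).
      # "vid" is presumably a VLAN id - not confirmed from the samples.
      if (matches_regular_expression(v.message, '(Deny|Allow) ([^ ]+) flow from ([0-9.]+):([0-9]+) to ([0-9.]+):([0-9]+) vid ([0-9]+) by policy (.*)$')) then (
        set_collected_field('', 'action', $1);
        set_collected_field('', 'protocol', $2);
        set_collected_field('', 'source_ip', $3);
        set_collected_field('', 'source_port', $4);
        set_collected_field('', 'destination_ip', $5);
        set_collected_field('', 'destination_port', $6);
        set_collected_field('', 'vid', $7);
        set_collected_field('', 'policy', $8);
        set_collected_field('', 'event', 'Flow');
      );

      # Flow decision without ports (icmp):
      #   flow[tNetTask]: Deny icmp flow from 192.168.75.20 to 10.85.240.0 vid 1 by policy Deny_All_IN
      else if (matches_regular_expression(v.message, '(Deny|Allow) ([^ ]+) flow from ([0-9.]+) to ([0-9.]+) vid ([0-9]+) by policy (.*)$')) then (
        set_collected_field('', 'action', $1);
        set_collected_field('', 'protocol', $2);
        set_collected_field('', 'source_ip', $3);
        set_collected_field('', 'destination_ip', $4);
        set_collected_field('', 'vid', $5);
        set_collected_field('', 'policy', $6);
        set_collected_field('', 'event', 'Flow');
      );

      # Management logins:
      #   system[CONSOLE]: Login attempt failed
      #   system[TELNETD]: Login attempt successful
      # The message carries no client address, so source_ip stays empty for
      # these; the daemon field (CONSOLE / TELNETD) is the only origin hint.
      # Event becomes "Login attempt failed" / "Login attempt successful".
      else if (matches_regular_expression(v.message, '(Login attempt )(.*)$')) then (
        set_collected_field('', 'event', $1 . $2);
      );

      # LDAP delta events:
      #   ldap[delta]: Delta event, modify rate pool 1798
      # A trailing decimal token is dropped from the event text.
      else if (matches_regular_expression(v.message, 'Delta event, (.*) [0-9]+$')) then (
        set_collected_field('', 'event', $1);
      );
      # Same, but a trailing hex/colon token is stored in source_ip. No sample
      # of this form is present; the token may be a MAC or IPv6 address rather
      # than an IPv4 one - confirm against real data before relying on it.
      else if (matches_regular_expression(v.message, 'Delta event, (.*) ([0-9a-f:]+)$')) then (
        set_collected_field('', 'event', $1);
        set_collected_field('', 'source_ip', $2);
      );

      # Generic "<event> from|for <ip>" messages (FTP/Telnet sessions):
      #   system[tFtpdTas]: FTPD - accepted a new client connection from 172.16.250.71
      #   system[tFtpdSer]: FTPD - Login successful for 172.16.250.71 usage
      #   system[tFtpdSer]: FTPD - session timeout, or closed unexpectedly 172.16.250.71
      #   system[?]: Telnet CLI session ended from 172.16.250.73
      # The leading (.*) is greedy, so the event text runs up to the last
      # " from "/" for " that is immediately followed by an address. The third
      # sample above has neither keyword and keeps the raw message as event.
      else if (matches_regular_expression(v.message, '(.*) (from|for) ([0-9.]+)(.*)$')) then (
        set_collected_field('', 'event', $1);
        set_collected_field('', 'source_ip', $3);
      );

      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    log_type = ""
    daemon = ""
    action = ""
    protocol = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    vid = ""
    policy = ""
    event = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
    }
  } # database.numerical_fields

  date_time_group = ""

  report_groups = {
    log_type = ""
    daemon = ""
    action = ""
    protocol = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    vid = ""
    policy = ""
    event = ""
  } # report_groups

} # arbor_eseries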