# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Array Networks APV syslog output.
# It declares device metadata, an autodetect pattern, the collected log
# fields, one parsing filter (Sawmill's filter language, between the
# backticks) and the database schema built from those fields.
array_apv = {
  plugin_version = "1.0.0"

  # Earlier device metadata, kept for history.
  # info.1.manfacturer = "Array Networks"
  # info.1.device.1 = "Application Firewall"
  # info.1.device.2 = "Array Networks TM Series 3520B"
  # info.1.version = "ArrayOS Rel.TM.8.1.0.4"

  # NOTE(review): "manfacturer" looks like a misspelling of "manufacturer";
  # if the host application looks this key up by name the value is silently
  # ignored -- confirm against a known-good plugin before renaming it.
  info.1.manfacturer = "Array Networks"
  info.1.device = "APV Application Delivery Controller"
  info.1.version.1 = "Array Networks TM Series 3520B"
  info.1.version.2 = "ArrayOS Rel.TM.8.1.0.4"

  # 2010-08-10 - 1.0 - Benson - Initial implementation.

  # The name of the log format
  log.format.format_label = "Array Networks APV Log Format"
  # Device lines arrive inside a syslog envelope; the syslog layer hands the
  # payload to this plugin as v.syslog_message (see the parsing filter).
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # (device timestamp "Mon DD HH:MM:SS", then one of the known subsystem tags and a colon).
  log.format.autodetect_regular_expression = "[A-Z][a-z][a-z] [0-3][0-9] [0-9:]+ (CLI|SNMP|Diskfree|SSL|WebUI|WebWall|Proxy|Cache|SLB): "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    log_type = ""    # subsystem tag before the colon (CLI, SNMP, SSL, ...)
    user_name = ""   # CLI branch only: the user named in the message
    action = ""      # short label for what the message reports
    command = ""     # CLI: executed command text; SNMP: the fixed label "SNMP Trap"
    client = ""      # SNMP: source address; CLI engineering-mode: the text after "at"
    status = ""      # outcome text (bad password, engineering-mode state, SSL hardware failure)
    code = ""        # error code where the message carries one (two shapes, see filter)
    message = ""     # everything after the subsystem tag
    events = ""      # always 1; summed in the database
  } # log.fields

  # Log Parsing Filters
  # Runs once per syslog record. The outer regex splits v.syslog_message into
  # the subsystem tag ($1) and the message body ($2); per-subsystem regexes
  # then pull structured fields out of the body.
  log.parsing_filters.parse = `
    # NOTE(review): the leading [0-9:]+ is not anchored and the tag class
    # [^:]+ accepts digits. If v.syslog_message still begins with the device
    # timestamp ("Aug 07 16:21:23 CLI: ..."), the leftmost match can land on
    # "07 16:" and yield log_type = "16" rather than "CLI"; anchoring with ^
    # or restricting the tag to [A-Za-z]+ would avoid that. Verify against a
    # captured record before changing the pattern.
    if (matches_regular_expression(v.syslog_message, '[0-9:]+ ([^:]+): (.*)$')) then (
      set_collected_field('', 'log_type', $1);
      set_collected_field('', 'message', $2);
      # Presumably saved because nested matches below reassign $1/$2; nothing
      # in this filter reads v.message.
      v.message = $2;
      #2010-08-07 16:03:01 Local0.Info 10.3.54.223 Aug 07 16:21:23 CLI: User "webui_agent" executed cmd "show interface"
      if ($1 eq 'CLI') then (
        # NOTE(review): the command text is stored verbatim in 'command' and
        # 'message'; a CLI command that carries a credential would be persisted
        # in the profile database as typed.
        if (matches_regular_expression($2, 'User \"([^\"]+)\" executed cmd \"([^\"]+)\"')) then (
          set_collected_field('', 'user_name', $1);
          set_collected_field('', 'action', "Execute command");
          set_collected_field('', 'command', $2);
        );
        else if (matches_regular_expression($2, 'Enable access denied, bad password, user (.*)$')) then (
          set_collected_field('', 'user_name', $1);
          set_collected_field('', 'action', "Enable access denied");
          set_collected_field('', 'status', "Bad password");
        );
        else if (matches_regular_expression($2, 'User \"([^\"]+)\" failed to execute cmd \"([^\"]+)\", code ([0-9]+)')) then (
          set_collected_field('', 'user_name', $1);
          set_collected_field('', 'action', "Failed to execute command");
          set_collected_field('', 'command', $2);
          # Stored with a "Code: " prefix here but as a bare number in the
          # SSL-hardware branch below, so reports grouped on 'code' see two shapes.
          set_collected_field('', 'code', "Code: " . $3);
        );
        else if (matches_regular_expression($2, 'Engineering mode access ([^ ]+) at (.*)$')) then (
          set_collected_field('', 'command', "Engineering mode access");
          set_collected_field('', 'status', $1);
          # Whatever follows "at" -- presumably the originating host; confirm with a sample.
          set_collected_field('', 'client', $2);
        );
        else if (matches_regular_expression($2, 'Cannot get info of SSL hardware ([0-9]+)')) then (
          set_collected_field('', 'status', "Cannot get info of SSL hardware");
          set_collected_field('', 'code', $1);
        );
      );
      else if ($1 eq 'SNMP') then (
        # 'action' takes the device's own wording for the access decision
        # (the sample below spells it "permited").
        if (matches_regular_expression($2, '([0-9.]+) is ([^ ]+) to access SNMP agent of system')) then (
          set_collected_field('', 'client', $1);
          set_collected_field('', 'action', $2);
          set_collected_field('', 'command', "SNMP Trap");
        );
      );
      # Any other tag (Diskfree, SSL, WebUI, ...) keeps only log_type and message.
    );

    # Earlier single-level variant, kept for reference:
    #if (matches_regular_expression(v.syslog_message, 'CLI: User \"([^\"]+)\" executed cmd \"([^\"]+)\"')) then (
    #  set_collected_field('', 'log_type', "CLI");
    #  set_collected_field('', 'user_name', $1);
    #  set_collected_field('', 'action', "Execute Command");
    #  set_collected_field('', 'command', $2);
    #  set_collected_field('', 'message', "User" . $1 . "executed cmd" .
    #);

    # Sample records seen during development. Note the last one carries no
    # subsystem tag; with the unanchored outer regex it may still match on the
    # timestamp digits -- confirm how such lines should be classified.
    #2010-08-07 16:02:59 Local0.Info 10.3.54.223 Aug 07 16:21:21 SNMP: 10.3.47.99 is permited to access SNMP agent of system
    #2010-08-07 12:38:34 Local0.Info 10.3.54.223 Aug 07 12:56:58 Diskfree: Disk has already been checked
    #2010-08-09 12:39:23 Local0.Info 10.3.54.223 Aug 09 12:57:19 SSL: certm failed to check cert.
    #2010-08-06 13:21:51 Local0.Info 10.3.54.223 Aug 06 13:40:27 timeout

    #else if (matches_regular_expression(v.syslog_message, 'SNMP: ([0-9.]+) is ([^ ]+) to access SNMP agent of system')) then (
    #  set_collected_field('', 'log_type', "SNMP");
    #  set_collected_field('', 'client', $1);
    #  set_collected_field('', 'action', $2);
    #  set_collected_field('', 'command', "SNMP Trap");
    #);
    #else if (matches_regular_expression(v.syslog_message, 'SSL: (.*)$')) then (
    #  set_collected_field('', 'log_type', "SSL");
    #  set_collected_field('', 'message', $1);
    #);

    # Every record counts as one event and is accepted, even when the outer
    # regex did not match (all other fields then stay empty).
    set_collected_field('', 'events', 1);
    accept_collected_entry('', false);
  `

  # Database fields
  # Same names as log.fields minus 'events', which is numerical (below).
  database.fields = {
    log_type = ""
    user_name = ""
    action = ""
    command = ""
    client = ""
    status = ""
    code = ""
    message = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options
} # array_apv