# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plugin definition for Dovecot IMAP/POP3 server messages delivered
# through syslog. It declares the autodetection pattern, the log and database
# fields, and a parsing filter that turns each message into one entry.
#
# The parsing filter handles three kinds of message:
#   - Info lines from imap-login / pop3-login (Login, Aborted login, Disconnected)
#   - Info lines from IMAP(user) / POP3(user) reporting a disconnect
#   - Error lines from IMAP(user) / POP3(user)
# Other message levels are not matched by any pattern in this file.
#
# Review note for anyone using the resulting reports for login monitoring:
# the user= value on login lines is supplied by the connecting client, and an
# Aborted login line is written before any authentication has succeeded. The
# filter splits the remainder of the line on comma-space and on the equals
# sign, so the user, method, rip and lip columns are only as trustworthy as
# the mail server's own sanitizing of those values when it writes the log.
# TODO confirm how the deployed server version escapes usernames in log output.

dovecot_pop_imap = {

  plugin_version = "1.1"

  # 2007-05-30 - 1.0beta - KBB - Initial creation.
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy
  # 2010-10-06 - 1.1 - MSG - Edited info lines.

  # NOTE(review): the first key below is spelled manfacturer. If the loader
  # looks for manufacturer, this value is presumably never read - confirm
  # against other plugins before renaming.
  info.1.manfacturer = "Dovecot"
  info.1.device = "Secure IMAP server"
  info.1.version = ""

  # The name of this format
  log.format.format_label = "Dovecot Secure IMAP/POP3 Server Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # if there are square brackets around some fields (date/time)
  # you can specify to have this treated as one field
  log.format.treat_brackets_as_quotes = "false"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # The log is in this format if any of the first ten lines match this regular expression
  # Only Info and Error lines from the four listed services can trigger detection.
  #dovecot: Mar 13 14:01:26 Error: IMAP(otuareg): mbox sync: UID inserted in the middle of mailbox /home/amitsh/mail/.inbox (245 > 5, seq=2, idx_msgs=6)
  log.format.autodetect_regular_expression = 'dovecot: [A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] (Error|Info): (IMAP|imap-login|POP3|pop3-login)'

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # rip and lip are the remote and local addresses exactly as they appear in
  # the log line (the samples below show IPv4-mapped IPv6 notation).
  log.fields = {
    events = ""
    protocol = ""
    operation = ""
    user = ""
    method = ""
    rip = ""
    lip = ""
    status = ""
    top = ""
    retrieve = "" # this is for RETR (POP3 command), retr is already in lang_stats.cfg as retries
    del = ""
    size = ""
    log_level = ""
    error_message = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `

# Handle the possibility that there is no syslog or no year in the syslog.
# Find the correct year.
# v.year is the four-digit year at the end of the already-collected date;
# v.this_year is the year of the current wall-clock time.
# NOTE(review): v.this_year is only used in the comparison further down. When
# the collected date carries no year, v.year stays empty and the rebuilt date
# ends in a bare slash - confirm the auto date format copes with that.
v.date = get_collected_field('', 'date');
v.year = '';
if (matches_regular_expression(v.date, '/([0-9]{4})$')) then (
  v.year = $1;
);
v.now = epoc_to_date_time(now());
v.this_year = '';
if (matches_regular_expression(v.now, '/([0-9]{4}) ')) then (
  v.this_year = $1;
);

# Prefer the timestamp Dovecot wrote inside the message over the syslog one.
#dovecot: Mar 13 04:15:23 Info: pop3-login: Login: user=, method=PLAIN, rip=::ffff:233.123.43.33, lip=::ffff:233.122.38.130
if (matches_regular_expression(v.syslog_message, 'dovecot: ([A-Z][a-z][a-z]) ([0-9 ][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ')) then (
  v.month = $1;
  v.day = $2;
  v.time = $3;
  if (v.year eq v.this_year) then (
    # v.date_time_epoc: the Dovecot day, month and time placed in the syslog year.
    # v.syslog_date_time_epoc: the syslog date combined with the Dovecot time.
    v.date_time_epoc = date_time_to_epoc(v.day . '/' . v.month . '/' . v.year . ' ' . v.time);
    v.syslog_date_time_epoc = date_time_to_epoc(v.date . ' ' . v.time);
    # Only the month and date will be different, so if the date is in the future,
    # assume the log is from last year. Any log might be from years ago, no way to tell.
    if (v.syslog_date_time_epoc < v.date_time_epoc) then (
      v.year -= 1;
    );
  );
  v.date = v.day . '/' . v.month . '/' . v.year;
  set_collected_field('', 'date', v.date);
  set_collected_field('', 'time', v.time);
);

# Login-service lines. The operation field receives Login, Aborted login or
# Disconnected, which is what a failed-login report would filter on.
# A trailing token without an equals sign (secured in the samples) is peeled
# off into status first; the remaining name=value pairs are then collected by
# splitting on comma-space and on the equals sign, and the angle brackets are
# stripped from the user value.
# NOTE(review): the names and values in these pairs are taken from the line as
# logged, and user= comes from the client. Presumably a value containing the
# comma-space separator would be split into additional pairs - verify against
# the server's log escaping before relying on rip or method for attribution.
#dovecot: Mar 13 04:15:23 Info: pop3-login: Login: user=, method=PLAIN, rip=::ffff:203.122.44.33, lip=::ffff:222.122.22.122
#dovecot: Mar 13 14:01:30 Info: imap-login: Aborted login: user=, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
#dovecot: Mar 13 09:18:59 Info: imap-login: Aborted login: method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
#dovecot: Mar 13 09:19:50 Info: pop3-login: Disconnected: user=, method=PLAIN, rip=::ffff:62.22.252.26, lip=::ffff:202.222.28.152
# Earlier, stricter pattern kept for reference; it required user= to be present:
#if (matches_regular_expression(v.syslog_message, 'Info: (imap|pop3)-login: (Login|Aborted login): user=<([^>]+)>, method=([^,]+), rip=([^,]+), lip=([^,]+)(, (.*))?$')) then (
if (matches_regular_expression(v.syslog_message, 'Info: (imap|pop3)-login: (Login|Aborted login|Disconnected): (.*)$')) then (
  set_collected_field('', 'log_level', 'Info');
  set_collected_field('', 'protocol', uppercase($1));
  set_collected_field('', 'operation', $2);
  v.rest = $3;
  if (matches_regular_expression(v.rest, '^(.*), ([^=]+)$')) then (
    v.rest = $1;
    set_collected_field('', 'status', $2);
  );
  collect_listed_fields('', v.rest, ', ', '=', '');
  v.user = get_collected_field('', 'user');
  if (matches_regular_expression(v.user, '<([^>]+)>')) then (
    set_collected_field('', 'user', $1);
  );
);

# Session lines written after login, with the user name in parentheses.
# The POP3 pattern additionally requires trailing name=value statistics, which
# are collected with retr renamed to retrieve.
# NOTE(review): the IMAP pattern defines three capture groups only, so when it
# is the alternative that matched, capture group 4 is not set by that pattern.
# Confirm it reads as empty here rather than holding a value from an earlier match.
# NOTE(review): a POP3 Disconnected line without statistics matches neither
# pattern and falls through with no protocol, user or operation set.
#dovecot: Mar 13 04:15:26 Info: POP3(janabanana): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
#dovecot: Mar 13 14:02:24 Info: IMAP(lowriesalt): Disconnected: Logged out
#dovecot: Mar 13 14:02:06 Info: IMAP(crazyjane): Disconnected in IDLE
#dovecot: Mar 13 08:53:50 Info: IMAP(otuareg): Disconnected
else if (matches_regular_expression(v.syslog_message, 'Info: (IMAP)[(]([^)]+)[)]: (Disconnected.*)$') or
         matches_regular_expression(v.syslog_message, 'Info: (POP3)[(]([^)]+)[)]: (Disconnected[^=]*) ([a-z]+=.*)$')) then (
  set_collected_field('', 'log_level', 'Info');
  set_collected_field('', 'protocol', $1);
  set_collected_field('', 'user', $2);
  set_collected_field('', 'operation', $3);
  v.rest = $4;
  if (v.rest ne '') then (
    collect_listed_fields('', v.rest, ', ', '=', 'retr=retrieve');
  );
);

# Error lines: everything after the user is stored unparsed in error_message.
# As the sample shows, that text can include mailbox paths, so the
# error_message report may expose filesystem layout to report viewers.
#dovecot: Aug 13 14:01:26 Error: IMAP(claudia): mbox sync: UID inserted in the middle of mailbox /home/amitsh/mail/.inbox (245 > 5, seq=2, idx_msgs=6)
else if (matches_regular_expression(v.syslog_message, 'Error: (IMAP|POP3)[(]([^)]+)[)]: (.*)$')) then (
  set_collected_field('', 'log_level', 'Error');
  set_collected_field('', 'protocol', $1);
  set_collected_field('', 'user', $2);
  set_collected_field('', 'error_message', $3);
);

# Debug
#else (
#  echo("unmatched line " . v.syslog_message);
#);

# Called for every line, whether or not one of the patterns above matched.
# NOTE(review): with the debug branch disabled, unmatched lines are presumably
# accepted as entries carrying only date and time - confirm this is intended,
# since such entries add to the event count without any protocol or user.
accept_collected_entry('', false);

`

  # Database fields
  # size and events are not listed here; they are declared as numerical fields below.
  database.fields = {
    day_of_week = ""
    hour_of_day = ""
    log_level = ""
    error_message = ""
    protocol = ""
    operation = ""
    user = ""
    method = ""
    rip = ""
    lip = ""
    status = ""
    top = ""
    retrieve = ""
    del = ""
  } # database.fields

  # Log Filters
  # mark_entry assigns 1 to the events field; label and comment are looked up
  # from the lang_admin nodes named in the values.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Database numerical fields
  database.numerical_fields = {
    events = {
      default = true
      entries_field = true
    } # events
    size = {
      type = "float"
      display_format_type = "bandwidth"
    } # size
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # dovecot_pop_imap