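# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plugin: Microsoft Exchange 2007 message-tracking logs delivered
# over syslog. The log fields and the data-line parsing filter are not fixed
# here; they are generated from the "#Fields:" header line found in the log
# by the preprocessor below.
exchange_via_syslog = {

  plugin_version = "1.0"

  # Plugin metadata.
  # NOTE(review): the key below is spelled "manfacturer" in this file; confirm it
  # is the key name the host expects, since a misspelled key would be ignored
  # silently rather than rejected.
  info.0.manfacturer = "Microsoft"
  info.0.device = "Exchange 2007 (via syslog)"
  info.0.version = "2007"

  # 2010-04-01 - 1.0 - GMF - Initial implementation
  # 2010-11-04 - 1.0.1 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "Microsoft Exchange Server Log Format (via syslog)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first autodetect_lines lines
  # match this regular expression.
  log.format.autodetect_regular_expression = "#Log-type: Message Tracking Log"
  log.format.autodetect_lines = "10000"
  log.format.treat_apostrophes_as_quotes = false
  # Data lines are only parsed by the generated parse_data_line filter, never
  # by a static field layout.
  log.format.parse_only_with_filters = "true"

  # Log fields
  # The entries below are commented out on purpose: the actual log fields are
  # created from the "#Fields:" header by the preprocessor (see
  # parse_w3c_fields in log.filter_preprocessor). The list is kept as a
  # reference for the field names the header is expected to carry.
  log.fields = {
    # client_ip.type = "host"
    # client_hostname = ""
    # partner_name = ""
    # server_hostname = ""
    # server_ip = ""
    #
    # recipient_address = {
    #   type = "hierarchical"
    #   hierarchy_dividers = "@"
    #   left_to_right = false
    #   leading_divider = false
    # }
    # recipient_domain = ""
    #
    # event_id = ""
    # msgid = ""
    # priority = ""
    # recipient_report_status = ""
    # total_bytes = ""
    # number_recipients = ""
    # origination_time = ""
    # encryption = ""
    # service_version = ""
    # linked_msgid = ""
    # message_subject = ""
    #
    # sender_address = {
    #   type = "hierarchical"
    #   hierarchy_dividers = "@"
    #   left_to_right = false
    #   leading_divider = false
    # }
    # sender_domain = ""
    # alias = ""
  } # log.fields

  # Parse W3C header when we find it (during profile creation).
  #
  # On the first "#Fields:" line this builds a regular expression with one
  # capture group per header field, generates filter code that stores each
  # capture as a collected field, and installs that code as the
  # parse_data_line filter of the profile being created (or of the current
  # profile when building a database). Every other "#" line is rejected.
  log.filter_preprocessor = `
    #echo("line: " . current_log_line());
    if (!node_exists('v.initialized')) then (
      v.initialized = true;
      include 'util.parse_w3c';
    ); # if not initialized

    if (matches_regular_expression(current_log_line(), '.#Fields: (.*)$')) then (
      string fields = $1;
      # The header is comma-separated; the W3C helper and split() below use spaces.
      fields = replace_all(fields, ',', ' ');
      #echo("fields: " . fields);
      parse_w3c_fields(fields);

      # Build a regular expression to parse these lines
      node field;
      string regexp = "^";
      string field_setting_code = "";
      string date_time_field_setting_code = "";
      int field_number = 1;
      v.fields_node = '';
      split(fields, ' ', 'v.fields_node');
      foreach field 'v.fields_node' (
        string field_name = replace_all(node_value(field), '-', '_');

        # field_name is spliced into the generated filter code as a quoted
        # literal. The header comes from the log data itself, so refuse any
        # name that could break out of that literal or alter the generated
        # code instead of producing a broken or unexpected filter.
        if (!matches_regular_expression(field_name, '^[A-Za-z0-9_]+$')) then
          error("Unexpected field name in #Fields header: " . field_name);

        # One comma-delimited capture group per header field.
        if (regexp ne "^") then
          regexp .= ",";
        regexp .= "([^,]*)";

        # date_time is in a combined format which needs to be parsed with a
        # regular expression; do that parsing at the end so it doesn't
        # interfere with the current $N.
        if (field_name eq "date_time") then
          date_time_field_setting_code = " if (matches_regular_expression($" . field_number . ", '([0-9-]+)T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); );\n";
        else
          field_setting_code .= " set_collected_field('', '" . field_name . "', $" . field_number . ");\n";
        field_number++;
      );
      field_setting_code .= date_time_field_setting_code;
      # echo("regexp: " . regexp);

      # Build the parsing filter to extract this data
      string filter_code = " if (matches_regular_expression(v.syslog_message, '" . regexp . "')) then ( " . field_setting_code . " accept_collected_entry('', false); ); ";

      # Install the filter in the new profile, if we're creating one, or the
      # current profile, if we're building a database
      #debug echo("filter_code: " . filter_code);
      if (node_exists('volatile.new_profile_name')) then
        ('profiles.' . volatile.new_profile_name . '.log.parsing_filters.parse_data_line') = filter_code;
      else
        ('profiles.' . internal.profile_name . '.log.parsing_filters.parse_data_line') = filter_code;
      'reject';
    ); # if #Fields

    # Don't parse any other # lines as data lines
    else if (starts_with(current_log_line(), '#')) then (
      'reject';
    );
  `

  # Strip the syslog prefix (month, day, time, host, tag[id]) from the message
  # so that the generated parse_data_line filter sees only the Exchange fields.
  log.parsing_filters.remove_date_time = `
    if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] [0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ [^[]+[[][^]]+[]] (.*)$')) then
      v.syslog_message = $1;
  `

  # Placeholder; replaced by the preprocessor once a "#Fields:" header has been
  # seen. If it is still in place when data lines arrive, no header was found.
  log.parsing_filters.parse_data_line = `
    error("No #Fields line detected in syslog data--cannot parse log data without a #Fields line");
  `

  # Database fields
  # Like log.fields, these are commented out; the database fields follow the
  # log fields generated from the header.
  database.fields = {
    # date_time = ""
    # day_of_week = ""
    # hour_of_day = ""
    # client_ip = ""
    # partner_name = ""
    # server_hostname = ""
    # recipient_address = ""
    # recipient_domain = ""
    # priority = ""
    # recipient_report_status = ""
    # encryption = ""
    # service_version = ""
    # sender_address = ""
    # sender_domain = ""
    # event_id = ""
    # alias = ""
  } # database.fields

  # Log Filters
  log.filters = {
    #
    # Reject this entry if the value of the event_ID field is not equal to 1021,1026,1028,1029,1030,1031
    #
    # Removed 1023 from the list, because it is always followed by 1028. --GMF 2006-02-20
    # 1 = {
    #   label = "1"
    #   comment = ""
    #   value = "if (matches_regular_expression(event_id, '(1021|1026|1028|1030|1031)')) then '' else 'reject';"
    # } # 1

    # Optional privacy filter: blank out the message id before it is stored.
    suppress_message_id = {
      label = "$lang_admin.log_filters.suppress_message_id_label"
      comment = "$lang_admin.log_filters.suppress_message_id_comment"
      value = `message_id = "[omitted]"`
    } # suppress_message_id

    # Every accepted entry counts as one message.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    messages = {
      default = true
      requires_log_field = false
      entries_field = true
    } # messages

    total_bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # total_bytes

    unique_client_ips = {
      log_field = "client_ip"
      type = "unique"
    } # unique_client_ips

    unique_message_ids = {
      default = true
      log_field = "message_id"
      type = "unique"
    } # unique_message_ids

    recipients = {
      log_field = "recipient_address"
      type = "unique"
    } # recipients
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      sender_group = {
        sender_address = true
        sender_domain = true
      }
      recipient_group = {
        recipient_address = true
        recipient_domain = true
        recipient_report_status = true
        number_recipients = true
        alias = true
      }
      server_group = {
        server_ip = true
        server_hostname = true
        service_version = true
      }
      client_group = {
        client_ip = true
        client_hostname = true
      }
      message_group = {
        message_subject = true
        message_id = true
        linked_msg_id = true
      }
      other_group = {
        partner_name = true
        priority = true
        encryption = true
        event_id = true
        origination_time = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # exchange_via_syslog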