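# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for FortiGate "traffic" log lines. Each line is
# a date, a time, and then a run of key=value pairs separated either by
# spaces or by commas (both variants are handled by the same parsing filter
# below). Everything after the timestamp is content written by the firewall
# from observed traffic (hostnames, ports, policy ids, ...), so the collected
# fields should be treated as untrusted log data, not as trusted metadata.

forti_gate_traffic = {

  plugin_version = "1.1.3"

  # NOTE(review): the key is kept spelled "manfacturer" because that is what
  # this plug-in shipped with; it looks like a misspelling of "manufacturer".
  # Confirm against the Sawmill plug-in schema before renaming it.
  info.1.manfacturer = "Fortinet"
  info.1.device = "Fortigate Traffic"
  info.1.version.1 = ""

  # ????-??-?? - 1.0   -     - Initial creation.
  # 2010-02-19 - 1.1   - KBB - Updated plug-in and added support for the comma-separated variant.
  # 2010-03-08 - 1.1.1 - GMF - Updated collect_listed_fields call to use variable, now it works properly that way.
  # 2010-10-05 - 1.1.2 - MSG - Edited info lines.
  # ????-??-?? - 1.1.3 -     - Quoted the duration field values like the other numerical fields and
  #                            added its log_field; removed the duplicate "status" entry from the
  #                            wizard's other_group; expanded comments.

  # The name of the log format
  log.format.format_label = "FortiGate Traffic Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular
  # expression: YYYY-MM-DD, a space or comma, HH:MM:SS, a space or comma, then
  # "log_id=<value>" followed by the same kind of separator.
  # NOTE(review): only the timestamp and the log_id prefix are checked, so any
  # other Fortinet log type that starts the same way could be picked up by this
  # plug-in; verify detection if several FortiGate plug-ins are installed.
  log.format.autodetect_regular_expression = "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][, ][0-9][0-9]:[0-9][0-9]:[0-9][0-9][, ]log_id=[^ ]+[, ]"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Don't try to process this as CSV, even if the file name ends in .csv
  log.format.ignore_format_lines = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields. Every name here is a key that the parsing filter collects
  # verbatim from the log line (see collect_listed_fields below).
  log.fields = {
    date = ""
    time = ""
    log_id = ""
    type = ""
    subtype = ""
    pri = ""
    vd = ""
    sn = ""
    duration = ""
    rule = ""
    policyid = ""
    # src is typed "host"; it is also the field the "visitors" unique count
    # below is computed from.
    src.type = "host"
    srcname = ""
    src_port = ""
    src_int = ""
    dst = ""
    dstname = ""
    dst_port = ""
    dst_int = ""
    tran_ip = ""
    tran_port = ""
    dir_disp = ""
    tran_disp = ""
    status = ""
    proto = ""
    service = ""
    vpn = ""
    # message is left commented out, as in the original. If it is enabled,
    # keep in mind that the parsing filter splits the remainder of the line on
    # a single separator character, so a free-text value containing that
    # separator would be broken into spurious fields.
    # NOTE(review): confirm how collect_listed_fields treats quoted values
    # before collecting any free-text field.
    # message = ""
    sent.type = "size"
    rcvd = ""
    sent_pkt = ""
    rcvd_pkt = ""
  } # log.fields

  # Log Parsing Filters
  # Splits each line into date ($1), time ($2) and the remaining key=value
  # list ($4). The third capture ($3) is the separator actually used on this
  # line (space or comma), so the space- and comma-separated variants are
  # handled by the same filter. A line that does not start with a timestamp
  # never reaches accept_collected_entry and is therefore not recorded.
  log.parsing_filters.parse = `
v.line = current_log_line();
if (matches_regular_expression(v.line, '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])[ ,]([0-9][0-9]:[0-9][0-9]:[0-9][0-9])([ ,])(.*)')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.separator = $3;
  v.line = $4;
  collect_listed_fields('', v.line, v.separator, '=', '');
  accept_collected_entry('', false);
);
`

  # Database fields. sent/rcvd/sent_pkt/rcvd_pkt/duration are not listed here
  # because they are aggregated as numerical fields below.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    log_id = ""
    type = ""
    subtype = ""
    pri = ""
    vd = ""
    sn = ""
    rule = ""
    policyid = ""
    src = ""
    srcname = ""
    src_port = ""
    src_int = ""
    dst = ""
    dstname = ""
    dst_port = ""
    dst_int = ""
    tran_ip = ""
    tran_port = ""
    dir_disp = ""
    tran_disp = ""
    status = ""
    proto = ""
    service = ""
    vpn = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every accepted line counts as one access.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      entries_field = "true"
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    # Unique count of src values. NOTE(review): for firewall logs the source
    # address is whatever the firewall saw on the wire, so this is a count of
    # distinct observed addresses, not necessarily of distinct real hosts.
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      requires_log_field = true
      log_field = "sent"
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = false
      requires_log_field = true
      log_field = "rcvd"
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
    sent_pkt = {
      label = "$lang_stats.field_labels.sent_pkt"
      default = false
      requires_log_field = true
      log_field = "sent_pkt"
      type = "int"
      display_format_type = "integer"
    } # sent_pkt
    rcvd_pkt = {
      label = "$lang_stats.field_labels.rcvd_pkt"
      default = false
      requires_log_field = true
      log_field = "rcvd_pkt"
      type = "int"
      display_format_type = "integer"
    } # rcvd_pkt
    # Values are now quoted and log_field is explicit, matching the sibling
    # numerical fields above.
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = false
      requires_log_field = true
      log_field = "duration"
      type = "int"
      # NOTE(review): this display format treats the logged value as
      # milliseconds; confirm the unit FortiGate actually writes for
      # "duration" before relying on duration reports.
      display_format_type = "duration_milliseconds"
    } # duration
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      actions_group = {
        type = true
        subtype = true
        pri = true
        status = true
      }
      source_group = {
        src = true
        srcname = true
        src_port = true
        src_int = true
      }
      destination_group = {
        dst = true
        dstname = true
        dst_port = true
        dst_int = true
        dir_disp = true
      }
      translated_group = {
        tran_ip = true
        tran_port = true
        tran_disp = true
      }
      # "status" was also listed here; it is kept only in actions_group so the
      # same report is not offered twice.
      other_group = {
        policyid = true
        proto = true
        service = true
        log_id = true
        vd = true
        sn = true
        rule = true
        vpn = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # forti_gate_traffic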