# Copyright (c) 2010 Flowerfire, Inc.  All Rights Reserved.
safesquid_standalone = {

  plugin_version = "1.0"

  # 23/May/2006 - 1.0beta - GMF - Initial plug-in implementation
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy

  # The name of the log format
  log.format.format_label = "SafeSquid Standalone Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "^[0-9][0-9][0-9][0-9] [0-9][0-9] [0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] \\[[0-9]+\\] network: allowed connect from"
  log.format.autodetect_lines = "100"

  # Log fields
  log.fields = {

    date = ""
    time = ""
    source_ip.type = "host"
    server_port = ""
    operation = ""
    url = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url

    virus = ""
    user_agent.type = "agent"
    url_filter = ""

  } # log.fields


  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), '^([0-9]+ [0-9]+ [0-9]+) ([0-9:]+) \\\\[([0-9]+)\\\\] (.*)$')) then (

  v.key = $3;
  v.message = $4;

  # Copy the fields from the syslog header
  set_collected_field(v.key, 'date', $1);
  set_collected_field(v.key, 'time', $2);

  if (matches_regular_expression(v.message, '^header: removed from client: User-Agent: (.*)$')) then
    set_collected_field(v.key, 'user_agent', $1);
  else if (matches_regular_expression(v.message, '^network: allowed connect from ([0-9.]+) on port ([0-9]+)$')) then (
    set_collected_field(v.key, 'source_ip', $1);
    set_collected_field(v.key, 'server_port', $2);
  );
  else if (matches_regular_expression(v.message, '^request: ([A-Z]+) (.*)$')) then (
    set_collected_field(v.key, 'operation', $1);
    set_collected_field(v.key, 'url', $2);
  );
  else if (matches_regular_expression(v.message, '^antivirus: (.*)$')) then
    set_collected_field(v.key, 'virus', $1);
  else if (matches_regular_expression(v.message, '^url filter: (.*)$')) then
    set_collected_field(v.key, 'url_filter', $1);
  else if (matches_regular_expression(v.message, '^network: [0-9.]+ disconnected')) then (

    # Get web browser, operating system, web browser, and spider information from the user-agent field.
    get_user_agent_info(get_collected_field(v.key, 'agent')));
    set_collected_field(v.key, 'web_browser', volatile.web_browser);
    set_collected_field(v.key, 'operating_system', volatile.operating_system);
    set_collected_field(v.key, 'spider', volatile.spider);

    accept_collected_entry(v.key, false);
  );

);
`


  # Database fields
  database.fields = {

    date_time = ""
    day_of_week = "" 
    hour_of_day = ""
    source_ip = ""
    domain_description = ""
    location = ""
    server_port = ""

    url = {
      suppress_top = 1
      suppress_bottom = 3
    } # url

    file_type = ""
    worm = ""
    web_browser = ""
    operating_system = ""
    spider = ""
    operation = ""
    virus = ""
    url_filter = ""

  } # database.fields


  # Log Filters
  log.filters = {

    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url

    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  log.field_options = {

    sessions_page_field = "url"
    sessions_visitor_id_field = "source_ip"
    sessions_event_field = "page_views"

  } # log.field_options


  database.numerical_fields = {

    events = {
      requires_log_field = false
      entries_field = true
    } # events

    page_views = {
      default = true
      requires_log_field = false
    } # page_views

    unique_source_ips = {
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips

  } # database.numerical_fields


  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""

      content_group = {
        url = true
        file_type = true
      }
      visitor_demographics_group = {
        source_ip = true
        domain_description = true
        location = true
      }
      visitor_systems_group = {
        web_browser = true
        operating_system = true
      }
      server_group = {
        operation = true
        server_port = true
      }
      other_group = {
        worm = true
        spider = true
        virus = true
        url_filter = true
      }

    } # report_groups

  } # create_profile_wizard_options

} # safesquid_standalone