# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Sun ONE Directory Server audit log.
# The audit log is a stream of LDIF-style change records ("time:", "dn:",
# "changetype:", attribute lines, "-" separators, blank line between records);
# all field extraction is done line by line in the parsing filter below,
# which keeps two booleans (found_modify, found_value) as its state between lines.
sun_one_directory_server_audit = {

  plugin_version = "1.2"

  # 2007-06-20 - 1.0beta - KBB - Initial creation.
  # 2007-09-14 - 1.0 - KBB - Renumbered per new beta policy.
  # 2008-07-29 - 1.1 - KBB - Added more fields related to identity for better filtering.
  # 2010-10-05 - 1.2 - MSG - Edited info lines.

  info.1.manfacturer = "Sun Microsystems"
  info.1.device = "Sun ONE Directory Server Audit"
  info.1.version = "5.2"

  # The name of the log format
  log.format.format_label = "Sun ONE Directory Server Audit Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "application"

  # The log is in this format if any of the first 100 lines (autodetect_lines)
  # match this regular expression
  log.format.autodetect_regular_expression = '^changetype: (modify|add|delete|modrdn)$'
  log.format.autodetect_lines = "100"

  # The format of dates and times in this log, e.g.
  #time: 20060524123957
  log.format.date_format = "yyyymmddhhmmss"
  log.format.time_format = "yyyymmddhhmmss"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields (every one of these is filled only by log.parsing_filters.parse)
  log.fields = {
    date_time = ""
    dn = ""
    newrdn = ""
    deleteoldrdn = ""
    changetype = ""
    operation = ""
    operand = ""
    changed_value = ""
    sn = ""
    # given_name = ""
    # mail = ""
    uid = ""
  } # log.fields

  # Parser state carried from one log line to the next:
  #   found_modify - the next "name: value" line names the sub-operation of a
  #                  multipart modify (replace/add/delete: <attribute>)
  #   found_value  - an "attribute: value" line is pending, waiting to see
  #                  whether a continuation line follows it
  log.filter_initialization = `
    bool found_modify = false;
    bool found_value = false;
  `

  # Log Parsing Filters
  log.parsing_filters.parse = `
#time: 20060524123957
#dn: cn=config
#changetype: modify
#replace: nsslapd-auditlog-logging-enabled
#nsslapd-auditlog-logging-enabled: on
#-
#replace: modifiersname
#modifiersname: cn=directory manager
#-
#replace: modifytimestamp
#modifytimestamp: 20060524163956Z
#-
#
#time: 20060524133038
#dn: uid=rhondasmith,o=frb.org
#changetype: add
#uid: rhondasmith
#givenName: Rhonda Smith
#objectClass: top
#objectClass: person
#objectClass: organizationalPerson
#objectClass: inetorgperson
#sn: rhondasmith
#cn: rhondasmith
#userPassword: {SSHA}luc1SPgjAgPxqB5Ki83IZcacm0oVX+BzCBNvZQ==
#creatorsName: cn=directory manager
#modifiersName: cn=directory manager
#createTimestamp: 20060524173037Z
#modifyTimestamp: 20060524173037Z
#parentid: 25407
#entryid: 52234
#entrydn: uid=rhondasmith,o=frb.org
#
#time: 20061004111633
#dn: cn=osdunix,o=frb.org
#changetype: modrdn
#newrdn: cn=315
#deleteoldrdn: 1
#-
#replace: modifiersname
#modifiersname: cn=directory manager
#-
#replace: modifytimestamp
#modifytimestamp: 20061004151633Z
#-
#
    v.line = current_log_line();

    # Handle continuation lines.
    # Accept of an "attribute: value" line is delayed to check
    # for a multi-line value. If there is one, append it.
    # If not, accept before processing the current line.
    if (found_value) then (
      if (matches_regular_expression(v.line, "^ (.+)$")) then ( # continuations begin with a space; the space itself is dropped
        set_collected_field('', 'changed_value', get_collected_field('', 'changed_value') . $1);
      );
      else (
        accept_collected_entry('', true); # preserve time, dn, changetype, operation, etc
        found_value = false;
      );
    );

    # Not "if (!found_value) ... else": a line that ended a pending value above
    # (found_value just reset to false) still has to be classified here.
    if (!found_value) then (
      # a blank line separates records - clear all values
      # (NOTE(review): '{corrupt}' in date_time presumably marks this flushed
      # entry as invalid so it is not counted; confirm against Sawmill docs)
      if (v.line eq '') then (
        set_collected_field('', 'date_time', '{corrupt}');
        accept_collected_entry('', false);
        found_modify = false;
      );
      # sn, uid, givenName, newrdn, deleteoldrdn, dn, and date_time are exceptions to the pattern below.
      # This section must be first: these attributes are routed to their own
      # fields instead of to operand/changed_value.
      # NOTE(review): because these branches precede the generic ones, a modify
      # sub-section such as "replace: uid" followed by "uid: x" sets the uid field
      # but never sets changed_value / found_value, so that sub-section is not
      # accepted as its own entry - verify this is the intended behaviour.
      else if (matches_regular_expression(v.line, '^time: (.*)$')) then (
        set_collected_field('', 'date_time', $1);
      );
      else if (matches_regular_expression(v.line, '^dn: (.*)$')) then (
        set_collected_field('', 'dn', $1);
      );
      else if (matches_regular_expression(v.line, '^newrdn: (.*)$')) then (
        set_collected_field('', 'newrdn', $1);
      );
      else if (matches_regular_expression(v.line, '^uid: (.*)$')) then (
        set_collected_field('', 'uid', $1);
      );
      else if (matches_regular_expression(v.line, '^sn: (.*)$')) then (
        set_collected_field('', 'sn', $1);
      );
#      else if (matches_regular_expression(v.line, '^givenName: (.*)$')) then (
#        set_collected_field('', 'given_name', $1);
#      );
#      else if (matches_regular_expression(v.line, '^mail: (.*)$')) then (
#        set_collected_field('', 'mail', $1);
#      );
      else if (matches_regular_expression(v.line, '^deleteoldrdn: (.*)$')) then (
        set_collected_field('', 'deleteoldrdn', $1);
        accept_collected_entry('', true); # this appears to be the end of the modrdn event
      );
      # Here is the pattern of a multipart modify:
      #   changetype: modify
      #   (replace|add|delete): <attribute>
      #   <attribute>: <value>
      # separated by '-' lines (see the sample records above).
      # Using found_modify allows for the possibility of operations other than replace, add and delete.
      else if (v.line eq '-') then ( # multiple modify or modrdn sections separated by '-'
        found_modify = true;
      );
      else if (matches_regular_expression(v.line, '^changetype: (.*)$')) then (
        set_collected_field('', 'changetype', $1);
        if ($1 eq "modify") then (
          found_modify = true;
        );
        else ( # this is not a multipart event (add, delete), or is an exception to the pattern (modrdn)
          set_collected_field('', 'operation', $1);
          found_modify = false;
        );
      );
      else if (found_modify and matches_regular_expression(v.line, '^([^:]+): (.*)$')) then (
        v.operation = $1;
        v.operand = $2;
        set_collected_field('', 'operation', v.operation);
        set_collected_field('', 'operand', v.operand);
        # delete, as part of a multipart modify, is not followed by an "<attribute>: <value>" line.
        if (v.operation eq 'delete') then (
          accept_collected_entry('', true); # preserve time, dn, changetype, operation, etc
        );
        found_modify = false;
      );
      # Generic "attribute: value" line: the value of a modify sub-operation, or
      # every attribute of an add record. Acceptance is deferred (found_value)
      # until the next line shows whether the value is continued.
      # NOTE(review): this branch ingests the attribute value verbatim, so for an
      # add record the userPassword hash (see the sample record above) ends up in
      # changed_value and therefore in the database/reports; consider whether
      # that attribute should be dropped or redacted here before acceptance.
      else if (matches_regular_expression(v.line, '^([^:]+): (.*)$')) then (
        set_collected_field('', 'operand', $1);
        set_collected_field('', 'changed_value', $2);
        found_value = true;
      );
    );
  `

  # Database fields: the log fields plus day_of_week and hour_of_day, which have
  # no corresponding log field.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    dn = ""
    newrdn = ""
    deleteoldrdn = ""
    changetype = ""
    operation = ""
    operand = ""
    changed_value = ""
    sn = ""
    # given_name = ""
    # mail = ""
    uid = ""
  } # database.fields

  # The only numerical field: one "event" per accepted entry (set by mark_entry below)
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      dn = true
      newrdn = true
      deleteoldrdn = true
      changes_group = {
        changetype = true
        operation = true
        operand = true
        changed_value = true
        changed_value_by_operand = true
      }
      users_group = {
        sn = true
        uid = true
        # given_name = true
        # mail = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # sun_one_directory_server_audit