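# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for Symantec Gateway Security (5400 series) events
# received through syslog. It declares the autodetect rule, the fields
# extracted from each line, the parsing filter that fills them, and the
# database / report layout built on top of those fields.

symantec_gateway_security_using_syslog = {

  plugin_version = "1.1"

  # NOTE(review): "manfacturer" is spelled as in the original; confirm the
  # expected key name against the plugin schema before correcting it.
  info.1.manfacturer = "Symantec"
  info.1.device = "Gateway Security"
  info.1.version.1 = "5400"

  # 2008-04-11 - 1.0 - GMF - Initial implementation
  # 2008-04-18 - 1.1 - GMF - Fixed extraction of hostname and component fields

  # Format log_file_format value
  log.format.format_label = "Symantec Gateway Security Log Format (via syslog)"

  # This log is the following type
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Autodetect: "Mon dd hh:mm:ss", then three space-separated tokens (the
  # hostname and a two-word component), a bracketed pid, an event id ending
  # in ":", and a remainder that contains at least one comma.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "[A-Z]?[a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ [^ ]+ [^ ]+ [[][0-9]+[]] [0-9]+: .*,")
  `
  log.format.parse_only_with_filters = "true"

  # Log fields
  # All fields are filled by the parsing filter below: hostname, component
  # and event_type from fixed regex groups, the rest from the "Key=Value"
  # list at the end of the line.
  log.fields = {
    hostname = ""
    component = ""
    event_type = ""
    source_ip.type = "host"
    source_name = ""
    source_port = ""
    source_interface = ""
    destination_ip = ""
    destination_name = ""
    destination_port = ""
    destination_interface = ""
    detail = ""
    protocol = ""
    rule = ""
    id = ""
    server_source = ""
    string_value = ""
    server_source_port = ""
    operation = ""
    revision = ""
    setting = ""
    target = ""
    duration = ""
    bytes = ""
    message_count = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
    #e.g. 2008-04-09 10:51:25 Daemon.Notice 12.34.56.78 pr 9 10:51:06 B17SGS01.abc.xyz GWControl Service [1481] 20002: Access denied by rule, Source Name=98.76.54.32, Destination Name=23.45.67.89, Detail= [no rules found], Protocol=53/udp, Rule=default rule

    # Chop off leading datetime
    if (matches_regular_expression(v.syslog_message, '^[A-Z]?[a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] (.*)$')) then (
      v.syslog_message = $1;
    );

    #e.g. 2008-04-09 10:51:25 Daemon.Notice 12.34.56.78 pr 9 10:51:06 B17SGS01.abc.xyz GWControl Service [1481] 20002: Access denied by rule, Source Name=98.76.54.32, Destination Name=23.45.67.89, Detail= [no rules found], Protocol=53/udp, Rule=default rule
    # $1 = hostname, $2 = component (everything up to the "[pid]"),
    # $3 = event type (text up to the first comma), $4 = "Key=Value, ..." list.
    if (matches_regular_expression(v.syslog_message, '^([^ ]+) ([^[]+) [[][0-9]+[]] [0-9]+: ([^,]+), (.*)$')) then (
      set_collected_field('', 'hostname', $1);
      set_collected_field('', 'component', $2);
      set_collected_field('', 'event_type', $3);
      # Splits $4 on ", " and each pair on "=". Presumably normalises names
      # such as "Source Name" to the log field source_name -- verify.
      collect_listed_fields('', $4, ', ', '=', '');
      v.message_count = get_collected_field('', 'message_count');
      accept_collected_entry('', false);

      # If the message was repeated, inject copies into the log data stream.
      # The "Message Count" key is renamed in the injected copies so that the
      # re-parsed lines do not trigger another round of injection.
      # NOTE(review): message_count is taken straight from the log line and
      # the loop has no upper bound, so a malformed or hostile line with a
      # very large count inflates the dataset and parse time accordingly;
      # consider capping the number of injected copies.
      if (v.message_count > 0) then (
        v.line_without_message_count = replace_all(current_log_line(), "Message Count", "Removed-Message-Count");
        for (int i = 0; i < v.message_count; i++) (
          set_subnode_value('volatile.log_line_insertions', i, v.line_without_message_count);
        )
      ); # if message repeated
    );
  `

  # Database fields
  # Same as the string log fields, plus "location" (not extracted from the
  # line; presumably derived from source_ip, which is declared type "host").
  # The numeric fields (events, bytes, duration) live in
  # database.numerical_fields below.
  database.fields = {
    hostname = ""
    component = ""
    event_type = ""
    source_ip = ""
    location = ""
    source_name = ""
    source_port = ""
    source_interface = ""
    destination_ip = ""
    destination_name = ""
    destination_port = ""
    destination_interface = ""
    detail = ""
    protocol = ""
    rule = ""
    id = ""
    server_source = ""
    string_value = ""
    server_source_port = ""
    operation = ""
    revision = ""
    setting = ""
    target = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Counts one event per accepted entry.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    duration = {
      type = "float"
      display_format_type = "duration_compact"
    } # duration
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      hostname = ""
      component = ""
      event_type = ""
      source_group = {
        source_ip = true
        location = ""
        source_port = true
        source_name = true
        source_interface = true
      } # source_group
      destination_group = {
        destination_ip = true
        destination_port = true
        destination_name = true
        destination_interface = true
      } # destination_group
      server_group = {
        server_source = ""
        server_source_port = ""
      } # server_group
      other_group = {
        detail = ""
        protocol = ""
        rule = ""
        id = ""
        string_value = ""
        operation = ""
        revision = ""
        setting = ""
        target = ""
      } # other_group
    } # report_groups
  } # create_profile_wizard_options

} # symantec_gateway_security_using_syslog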