# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log-format plug-in for Watchguard Firebox X Core e-Series devices logging
# over syslog. The whole plug-in is one table; field extraction is done
# entirely by the parsing filter (parse_only_with_filters below).
watchguard_firebox_xcore_eseries = {

  plugin_version = "1.5"

  info.1.manfacturer = "Watchguard"
  info.1.device = "Firebox X Core e-Series"
  info.1.version.1 = "x750e"

  # 2008-08-20 - GMF - 1.0 - Initial plug-in creation
  # 2008-08-25 - GMF - 1.5 - Enhanced to handle a variant format

  # The name of the log format
  log.format.format_label = "Watchguard Firebox X Core e-Series Log Format"

  # Lines are expected to carry a syslog header (see the samples below); the
  # parsing filter presumably sees only the body, as v.syslog_message.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Sample lines, showing the two message variants the filter handles (a free-text
  # msg, and a key="value" list that may start with disp="..."):
  # 2008-06-19 22:43:40 Local3.Error 12.34.56.78 2008-06-19 22:59:25 WG_X750e cfm[1981]: pri="3" msg_id="0F03-0053" msg="[cfm] processing ABORT: [w4c0r0h0] 98.76.54.43:36825 -> 87.65.43.21:21 [A r]"
  # 2008-06-19 22:43:40 Local3.Debug 12.34.56.78 2008-06-19 22:59:25 WG_X750e pri="2" msg="sm_cmd:241 B:0:0 Initiated abort"
  # 2008-06-19 16:29:13 Local1.Debug 12.34.56.78 2008-06-19 16:44:58 WG_X750e disp="Deny" pri="1" policy="Outgoing-00" src_ip="11.11.11.11" dst_ip="22.22.22.22" pr="80/udp" src_port="1181" dst_port="80" src_intf="3-ToFortinet" dst_intf="0-External" rc="105" msg="denied (send reset)" pckt_len="1022" ttl="127"
  # NOTE(review): as reproduced on this page the literal ends with a space and
  # a line break before the closing quote; confirm against the shipped plug-in.
  log.format.autodetect_regular_expression = '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+( disp=[^ ]+)? 
'

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields. date/time, device_name and pri come from the fixed prefix of the
  # message; msg_id and msg from the named attributes that follow it; event_type,
  # operation, interface and src/dst ip/port from the "[proc] op: [intf]
  # ip:port -> ip:port" form of msg; everything else (src_intf, dst_intf, policy,
  # pr, rc, pckt_len, ttl, and src/dst ip/port in the key="value" variant) from
  # collect_listed_fields.
  log.fields = {
    device_name = ""
    pri = ""
    msg_id = ""
    event_type = ""
    operation = ""
    interface = ""
    src_ip = ""
    src_port = ""
    src_intf = ""
    dst_ip = ""
    dst_port = ""
    dst_intf = ""
    policy = ""
    pr = ""
    rc = ""
    pckt_len = ""
    ttl = ""
    msg = ""
  } # log.fields

  # Log Parsing Filters
  # NOTE(review): the optional " disp=..." token (group 4, e.g. disp="Deny") is
  # matched but never stored, and there is no disp field, so the allow/deny
  # disposition survives only as text inside msg (e.g. "denied (send reset)").
  # Confirm that is intended before using these reports for policy auditing.
  # NOTE(review): date and time are taken from the timestamp inside the message
  # body, which looks like the device's own clock rather than the syslog
  # receiver's; bear that in mind when correlating timelines across sources.
  # NOTE(review): pri is the Watchguard pri="N" attribute, not the syslog
  # facility/severity (Local3.Error) in the header — confirm.
  log.parsing_filters.parse = `
    if (matches_regular_expression(v.syslog_message, '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([^ ]+)( disp=[^ ]+)? +[^ ]* ?pri="([^"]+)" (.*)')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      set_collected_field('', 'device_name', $3);
      set_collected_field('', 'pri', $5);
      v.remainder = $6;
      # Pull every key=value pair out of what follows pri="..."; the specific
      # set_collected_field calls below presumably override these where both apply.
      # NOTE(review): assumes collect_listed_fields copes with quoted values
      # containing spaces — confirm.
      collect_listed_fields('', v.remainder, ' ', '=', '');
      if (matches_regular_expression(v.remainder, '^msg_id="([^"]+)" (.*)')) then (
        set_collected_field('', 'msg_id', $1);
        v.remainder = $2;
      );
      if (matches_regular_expression(v.remainder, '^msg="([^"]+)"')) then (
        v.msg = $1;
        set_collected_field('', 'msg', $1);
        # [cfm] submitting READ: [w4c0r0h0] 12.34.56.78:26671 -> 23.45.67.89:21 [B]
        if (matches_regular_expression(v.msg, '^[[]([^]]+)[]] (submitting|processing|priority submitting) ([^:]+): [[]+([^]]+)[]] ([0-9.]+):([0-9]+) -> ([0-9.]+):([0-9]+)')) then (
          set_collected_field('', 'event_type', $2);
          set_collected_field('', 'operation', $3);
          set_collected_field('', 'interface', $4);
          set_collected_field('', 'src_ip', $5);
          set_collected_field('', 'src_port', $6);
          set_collected_field('', 'dst_ip', $7);
          set_collected_field('', 'dst_port', $8);
          # Simplify the message, now that we've extracted the complex values from it into separate fields.
          # This is lossy: the original msg text is not retained in the database.
          set_collected_field('', 'msg', '[' . $1 . '] ' . $2 . ' ' . $3 . ' [' . $4 . '] [remainder parsed to separate fields]');
          # Chop off anything after DATA in the operation (e.g., DATA(23) becomes DATA).
          if (matches_regular_expression(get_collected_field('', 'operation'), '^DATA')) then
            set_collected_field('', 'operation', 'DATA');
        ); # if src -> dest format
      ); # if msg
      # Chop off the extra information from ICMP error messages (also lossy).
      if (matches_regular_expression(get_collected_field('', 'msg'), "^(icmp error with data)") or matches_regular_expression(get_collected_field('', 'msg'), "^(dynamic connection)")) then
        set_collected_field('', 'msg', $1 . ' [remainder parsed to separate fields]');
      accept_collected_entry('', false);
    ); # if matches line format
  `

  # Database fields. pckt_len is declared as a numerical field below, so it is
  # not repeated here.
  database.fields = {
    device_name = ""
    pri = ""
    msg_id = ""
    event_type = ""
    operation = ""
    interface = ""
    src_ip = ""
    src_port = ""
    src_intf = ""
    dst_ip = ""
    dst_port = ""
    dst_intf = ""
    policy = ""
    pr = ""
    rc = ""
    ttl = ""
    msg = ""
  } # database.fields

  database.numerical_fields = {
    # Packet length, shown as bandwidth
    pckt_len = {
      type = "float"
      display_format_type = "bandwidth"
    }
    # Per-entry counter with no corresponding log field (requires_log_field = false);
    # set to 1 for every entry by the mark_entry filter below.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      device_name = true
      pri = true
      msg_id = true
      msg = true
    } # report_groups
  } # create_profile_wizard_options

} # watchguard_firebox_xcore_eseries