# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin: Zyxel Zywall firewall logs in WELF style,
# received over syslog.  Each record is a space-separated run of
# key=value pairs (src=, dst=, msg=, note=, ...).  The plugin declares the
# log fields, a Salang parsing filter that strips the syslog header and
# splits address:port pairs, the database schema, and the default report
# layout used by the profile-creation wizard.
zyxel_firewall_welf = {

  plugin_version = "1.2"

  # Device identification shown in the format list.
  # NOTE(review): the key is spelled "manfacturer" here; it is reproduced
  # unchanged because this file alone does not show whether Sawmill reads
  # this key or a correctly spelled one — confirm against other plugins
  # before renaming.
  info.1.manfacturer = "Zyxel"
  info.1.device = "Zywall"
  info.1.version.1 = "5/7"

  # Change history
  # 2007-01-10 - GMF - 1.1 - Grouped reports; added Security reports
  # 2007-03-15 - KBB - 1.2 - Prevented newlines in msg field from causing loss of Anti Virus info.

  # Display name of this log format and its delivery/type classification.
  log.format.format_label = "Zyxel Firewall WELF Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Autodetection: the format is chosen if any of the first ten lines
  # matches this expression.  It is deliberately loose (src=, dst=, msg=
  # and note= in that order, anything in between), so other WELF-style
  # firewall exports may match it too; select the format explicitly when a
  # log directory mixes vendors rather than relying on autodetection.
  log.format.autodetect_regular_expression = "src=.*dst=.*msg=.*note="

  # A quoted field (the 1.2 changelog entry names msg= on Anti Virus
  # records) may contain an embedded CR/newline; without this setting the
  # record would be truncated at that point and the remaining fields lost.
  log.format.allow_newlines_inside_quotes = "true"

  # Fields extracted from each log line.  Names are the WELF keys, except
  # src_port/dst_port, which the parsing filter splits off from src/dst.
  log.fields = {
    src.type = "host"
    src_port = ""
    dst = ""
    dst_port = ""
    devid = ""
    cat = ""
#    protocol = ""
    rule = ""
#    direction = ""
    note = ""
    msg = ""
    dir = ""
    protoid = ""
    proto = ""
    trans = ""
    duration = ""
    send = ""
    rcvd = ""
  } # log.fields

  # Parsing filter (Salang), run once per syslog record held in
  # v.syslog_message.
  log.parsing_filters.parse = `
    # Drop the BSD-syslog prefix ("Mon DD HH:MM:SS hostname ") so only the
    # WELF payload is left.  A record in any other syslog layout (for
    # example an ISO-8601 timestamp) does not match and is scanned as-is
    # by the key=value step below.
    if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ (.*)$')) then
      v.syslog_message = $1;

    # Split the payload into key=value pairs on single spaces.  The final
    # '' argument is reproduced from the original; what an empty quote
    # string means for values that themselves contain spaces is not shown
    # here — check the Sawmill reference for collect_listed_fields.
    collect_listed_fields('', v.syslog_message, ' ', '=', '');

    # src= and dst= arrive as "address:port".  The split happens at the
    # FIRST colon, which is right for IPv4.  An IPv6 literal would be cut
    # at its first colon and end up with a bogus "port"; presumably this
    # device generation only logs IPv4 — confirm before reusing the
    # pattern for newer firmware.
    v.endpoint = get_collected_field('', 'src');
    if (matches_regular_expression(v.endpoint, '^([^:]+):(.*)$')) then (
      set_collected_field('', 'src', $1);
      set_collected_field('', 'src_port', $2);
    );

    v.endpoint = get_collected_field('', 'dst');
    if (matches_regular_expression(v.endpoint, '^([^:]+):(.*)$')) then (
      set_collected_field('', 'dst', $1);
      set_collected_field('', 'dst_port', $2);
    );

    # Hand the collected fields to the database; false = not the final
    # flush of a multi-line entry (reproduced from the original).
    accept_collected_entry('', false);
  `

  # Non-numeric database columns.  "location" has no log.fields
  # counterpart; presumably Sawmill derives it from src (declared as a
  # host above) — verify against the Sawmill geolocation docs.
  database.fields = {
    src = ""
    src_port = ""
    location = ""
    dst = ""
    dst_port = ""
    devid = ""
    cat = ""
#    protocol = ""
    rule = ""
#    direction = ""
    note = ""
    # msg carries free text written by the firewall (signature names,
    # blocked URLs, etc.), i.e. content ultimately influenced by the remote
    # party; it is high-cardinality, hence the explicit hash function, and
    # should be treated as untrusted text when reports are exported.
    msg = { itemnums_hash_function = "mult_sum_c_i_8" }
    dir = ""
    protoid = ""
    proto = ""
    trans = ""
  } # database.fields

  # Log filters: every accepted record counts as one event.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Numeric (aggregated) database columns.
  database.numerical_fields = {

    # Record count; the only field shown by default.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events

    # Distinct src values per report row.
    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips

    # Sent/received byte counters (send= and rcvd= in the log), shown as
    # bandwidth.
    send = {
      default = false
      type = "float"
      display_format_type = "bandwidth"
    } # send

    rcvd = {
      default = false
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd

    # Session duration (duration= in the log).
    duration = {
      default = false
      type = "float"
      display_format_type = "duration_compact"
    } # duration

  } # database.numerical_fields

  # Default reports generated by the profile-creation wizard.
  create_profile_wizard_options = {

    # Build the reports menu from report_groups below instead of one
    # report per field.
    manual_reports_menu = true

    report_groups = {

      overview.type = "overview"

      # Time-based reports.
      date_time_group = {
        items = {
          date_time = {
            label = "$lang_stats.miscellaneous.years_months_days"
            only_bottom_level_items = false
          }
          days = {
            label = "$lang_stats.miscellaneous.days"
            database_field_name = "date_time"
          }
          day_of_week = ""
          hour_of_day = ""
        }
      } # date_time_group

      # Security reports: overview pages restricted by the firewall's own
      # cat= / note= labels.  "within" is presumably a substring match, so
      # a report only works while the device keeps emitting these exact
      # category strings; a firmware that renames them silently empties
      # the report rather than failing.
      security_group = {
        items = {
#          firewall = ""
          idp = {
            type = "overview"
            filter = "cat within 'IDP'"
          }
          anti_virus = {
            type = "overview"
            filter = "cat within 'Anti Virus'"
          }
          anti_spam = {
            type = "overview"
            filter = "cat within 'Anti Spam'"
          }
          vpn = {
            type = "overview"
            filter = "(cat within 'IKE') or (cat within 'IPSec')"
          }
          web_block = {
            type = "overview"
            filter = "(note within 'WEB BLOCK')"
          }
#          anti_virus = ""
#          anti_spam = ""
#          content_filter = ""
#          vpn = ""
        } # items
      } # security_group

      # Per-field reports, grouped by the side of the connection.
      source_group = {
        items = {
          src = ""
          src_port = ""
          location = ""
        } # items
      } # source_group

      destination_group = {
        items = {
          dst = ""
          dst_port = ""
        } # items
      } # destination_group

      other_group = {
        items = {
          devid = ""
          cat = ""
          rule = ""
          note = ""
          msg = ""
          dir = ""
          protoid = ""
          proto = ""
          trans = ""
        } # items
      } # other_group

      log_detail = true
      single_page_summary = true

    } # report_groups

  } # create_profile_wizard_options

} # zyxel_firewall_welf