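# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plug-in for WatchGuard Firebox XTM "firewall:" syslog lines.
# Only the "firewall:" message type is parsed: parse_only_with_filters is set and
# the parsing filter below only calls accept_collected_entry() for lines that pass
# both of its regular-expression stages, so any other line from the device is
# dropped without being counted.

watchguard_firebox_syslog = {

  # Declared version now matches the most recent history entry (1.6): the parsing
  # filter already carries the optional interface groups added on 2011-02-08, but
  # the version string had been left at 1.5.
  plugin_version = "1.6"

  info.1.manufacturer = "Watchguard"
  info.1.device = "Firebox XTM"
  info.1.version.1 = "firmware v14"

  # 2009-07-24 - 1.0 - GMF - Initial implementation. Note: I am hoping this plug-in can iteratively become a
  #                          generic "Firebox to syslog" plug-in.
  # 2009-08-18 - 1.1 - GMF - Changed names to manufacturer's; added fields with previously unknown names.
  # 2009-08-21 - 1.2 - GMF - Added reporting of tcp lines
  # 2010-04-16 - 1.4 - Benson - Added reporting of igmp lines.
  # 2010-12-13 - 1.5 - Benson - Added support for application log format and fixed detection rule, for
  #                             firewall message only.
  # 2011-02-08 - 1.6 - MSG - Added support for optional source and destination interface fields.

  # The name of the log format
  log.format.format_label = "Watchguard Firebox XTM Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # 2009-07-20 11:00:21 Local1.Warning 220.135.24.12 Jul 20 10:51:29 edge_12345 (2009-07-20T02:51:29) firewall: Allow 1-Trusted eth0 96 udp 20 127 12.34.56.78 98.76.54.32 137 137 (TCP-UDP-proxy-00)
  # Dec 7 23:01:32 192.168.1.252 XTM_810 80B502845D24E (2010-12-07T23:01:32) firewall: Allow 1-Trusted 0-External 369 tcp 20 127 192.168.1.170 65.55.12.249 3896 80 offset 5 A 564850448 win 65535 app_name="Web File Transfer" app_cat_name="File Transfer" app_id="5" app_cat_id="3" app_beh_id="3" app_beh_name="transfer" (Outgoing-00)
  # Dec 7 23:01:34 192.168.1.252 XTM_810 80B502845D24E (2010-12-07T23:01:34) firewall: Deny 1-Trusted 0-External 1420 tcp 20 243 192.168.1.170 207.46.59.170 3898 80 offset 5 A 4067509123 win 65055 app_name="HTTP" app_cat_name="Web / Web 2.0" app_id="222" app_cat_id="13" app_beh_id="6" app_beh_name="access" (Outgoing-00)
  #log.format.autodetect_expression = `
  #matches_regular_expression(volatile.log_data_line, "[^ ]+ [0-9A-Z]+ [(][0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9][)] firewall: ") or
  #matches_regular_expression(volatile.log_data_line, "[^ ]+ [(][0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9][)] firewall: ")
  #`
  # NOTE(review): the active rule expects "<device> <serial> (<timestamp>) firewall: ".
  # [0-9A-Z]* lets the serial be empty, but both surrounding spaces stay mandatory, so
  # the serial-less layout that the parsing filter still accepts (second alternative
  # of the commented-out expression above) looks like it is no longer auto-detected
  # unless the line carries a double space — TODO confirm against a sample of that
  # layout. Auto-detection only affects the profile wizard; the format can still be
  # chosen manually.
  log.format.autodetect_regular_expression = '[^ ]+ [0-9A-Z]* [(][0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9][)] firewall: '

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Fields collected by the parsing filter (names follow the manufacturer's terms).
  log.fields = {
    device_name = ""
    #process_name = ""
    action = ""
    source_interface = ""
    destination_interface = ""
    request_id = ""
    protocol = ""
    size = ""
    ttl = ""
    source_ip.type = "host"
    destination_ip = ""
    source_port = ""
    destination_port = ""
    policy_name = ""
    app_name = ""
    app_type = ""
    app_beh_name = ""
    events = ""
  } # log.fields

  # Two-stage parse: stage 1 strips the syslog/device prefix and captures device
  # name, date and time; stage 2 splits the firewall message body. A line that
  # fails stage 1 is never accepted; a line that passes stage 1 but fails stage 2
  # is accepted with only device_name/date/time and events=1.
  log.parsing_filters.parse = `
    v.message = v.syslog_message;

    # Chop off leading date (without year)
    #if (matches_regular_expression(v.message, '^[A-Z]?[a-z]+ [ 0-9]+ [0-9:]+ (.*)$')) then
    #  v.message = $1;

    # Stage 1. Either alternative may match: with a serial token between the
    # device name and the timestamp, or without one.
    # edge_12345 (2009-07-20T02:51:29) firewall: Allow 1-Trusted eth0 96 udp 20 127 12.34.56.78 98.76.54.32 137 137 (TCP-UDP-proxy-00)
    if (matches_regular_expression(v.message, '([^ ]+) [0-9A-Z]+ [(]([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[)] firewall: (.*)$') or
        matches_regular_expression(v.message, '([^ ]+) [(]([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[)] firewall: (.*)$')) then (

      # Date and time are taken from the device's own bracketed timestamp, not
      # from the syslog header.
      set_collected_field('', 'device_name', $1);
      set_collected_field('', 'date', $2);
      set_collected_field('', 'time', $3);
      v.message = $4;

      # Stage 2. Message body layouts seen so far:
      # firewall: Deny eth0 Firebox 40 tcp 20 102 12.34.56.78 98.76.54.32 6000 135 offset 5 S 172556288 win 16384 (Unhandled External Packet-00)
      # firewall: Deny 0-External Firebox 28 igmp 20 1 172.16.202.239 224.0.0.1 (Internal Policy)
      # firewall: Allow 1-Trusted 0-External 369 tcp 20 127 192.168.1.170 65.55.12.249 3896 80 offset 5 A 564850448 win 65535 app_name="Web File Transfer" app_cat_name="File Transfer" app_id="5" app_cat_id="3" app_beh_id="3" app_beh_name="transfer" (Outgoing-00)
      # firewall: Deny 1-Trusted 0-External 1420 tcp 20 243 192.168.1.170 207.46.59.170 3898 80 offset 5 A 4067509123 win 65055 app_name="HTTP" app_cat_name="Web / Web 2.0" app_id="222" app_cat_id="13" app_beh_id="6" app_beh_name="access" (Outgoing-00)
      # 2011-02-08 - 1.6 - MSG - Added support for optional source and destination interface fields, for lines like the following.
      # Feb 3 12:29:55 Presto-X550e 9086519516105 (2011-02-03T14:29:55) firewall: Allow 1-Trusted 106 udp 20 125 192.168.0.62 172.16.0.140 1037 161 (BOVPN-Allow.in-00)
      #
      # NOTE(review): groups 2 and 3 are [^ ]* so either interface may be empty,
      # but the spaces separating the ten tokens are still required. Against the
      # single-interface sample above the token after the interface is "udp",
      # which cannot satisfy the [0-9]+ request_id group, so that line appears
      # not to match unless it carries a double space — TODO confirm with a real
      # 1.6 sample. A body that does not match here is still accepted below, but
      # with no action/IP/port fields, so such traffic would be invisible in
      # reports; worth checking on any firewall-log profile.
      # NOTE(review): the numeric token naming (request_id, protocol, size, ttl)
      # is the original author's; confirm against the XTM log reference before
      # relying on 'size' for byte accounting.
      if (matches_regular_expression(v.message, "([^ ]+) ([^ ]*) ([^ ]*) ([0-9]+) ([^ ]+) ([0-9]+) ([0-9]+) ([0-9.]+) ([0-9.]+) (.*)")) then (
        #set_collected_field('', 'process_name', $1);
        set_collected_field('', 'action', $1);
        set_collected_field('', 'source_interface', $2);
        set_collected_field('', 'destination_interface', $3);
        set_collected_field('', 'request_id', $4);
        set_collected_field('', 'protocol', $5);
        set_collected_field('', 'size', $6);
        set_collected_field('', 'ttl', $7);
        set_collected_field('', 'source_ip', $8);
        set_collected_field('', 'destination_ip', $9);
        v.message = $10;

        # Remainder, e.g.:
        # 3898 80 offset 5 A 4067509123 win 65055 app_name="HTTP" app_cat_name="Web / Web 2.0" app_id="222" app_cat_id="13" app_beh_id="6" app_beh_name="access" (Outgoing-00)
        # The policy name is the trailing parenthesised token on every layout,
        # so it is captured here first; the later branches only re-set it.
        if (matches_regular_expression(v.message, "[(]([^)]+)[)]$")) then
          set_collected_field('', 'policy_name', $1);

        # Ports are present for tcp/udp but absent for igmp, so this stage is optional.
        if (matches_regular_expression(v.message, "([0-9]+) ([0-9]+) (.*)")) then (
          set_collected_field('', 'source_port', $1);
          set_collected_field('', 'destination_port', $2);
          v.message = $3;
        );

        if (matches_regular_expression(v.message, "^ [(]([^)]+)[)]")) then (
          set_collected_field('', 'policy_name', $1);
        );
        # offset 5 A 4067509123 win 65055 app_name="HTTP" app_cat_name="Web / Web 2.0" app_id="222" app_cat_id="13" app_beh_id="6" app_beh_name="access" (Outgoing-00)
        # offset 5 S 172556288 win 16384 (Unhandled External Packet-00)
        # tcp lines carry "offset N <flags> <seq> win N"; strip it so the policy
        # or application fields are at the start of the remainder.
        else if (matches_regular_expression(v.message, "^offset [0-9]+ [^ ]+ [0-9]+ win [0-9]+ (.*)$")) then
          v.message = $1;

        if (matches_regular_expression(v.message, "^[(]([^)]+)[)]$")) then (
          set_collected_field('', 'policy_name', $1);
        );
        # Application-identification fields, only three of which are kept.
        # NOTE(review): values such as app_cat_name="Web / Web 2.0" contain spaces;
        # this assumes collect_listed_fields honours the double quotes when
        # splitting on ' ' — TODO confirm, otherwise app_type is truncated.
        else if (matches_regular_expression(v.message, "(app_name=.*)$")) then (
          v.message = $1;
          collect_listed_fields('', v.message, ' ', '=', 'app_name=app_name|app_cat_name=app_type|app_beh_name=app_beh_name');
          #set_collected_field('', 'policy_name', $1);
        );
      );

      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    device_name = ""
    #process_name = ""
    action = ""
    source_interface = ""
    destination_interface = ""
    # request_id = ""
    protocol = ""
    ttl = ""
    source_ip = ""
    # location is not set by the parsing filter; presumably derived from
    # source_ip (declared as type "host" above) — verify in the profile.
    location = ""
    destination_ip = ""
    source_port = ""
    destination_port = ""
    policy_name = ""
    app_name = ""
    app_type = ""
    app_beh_name = ""
  } # database.fields

  database.numerical_fields = {
    # One event per accepted line (set unconditionally by the filter).
    events = {
      default = true
      entries_field = true
    } # events
    size = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # watchguard_firebox_syslog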