# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for Windows (Server 2008/Vista) event logs exported
# as CSV with m/d/yyyy (or m-d-yyyy) dates. It declares autodetection and
# field-parsing regular expressions, the log/database field sets, two optional
# log filters and the default report grouping for the profile wizard.

windows_event_log_mdyyyy = {

  plugin_version = "1.2.2"

  info.1.manufacturer = "Microsoft"
  info.1.device = "Windows (Server 2008/Vista) Event Log (CSV Export, m/d/yyyy dates)"
  info.1.version.1 = "Vista"
  info.1.version.2 = "Server 2008"

  # 2010-02-25 - 1.0 - KBB - Initial implementation. Format is similar to the format supported
  # by windows_event_log24_hour_dmyyyy.cfg, but the fields are different.
  # 2010-03-12 - 1.1 - KBB - Combined 24h and AM/PM times, so renamed from
  # windows_event_log_mdyyyy_24h.cfg. This version was tested with Vista logs with 24 hour times and
  # Server 2008 with AM/PM times.
  # 2010-10-01 - 1.2 - MSG - Edited info lines.
  # 2011-07-26 - 1.2.1 - MSG - Re-Edited info lines.
  # 2012-10-17 - 1.2.2 - MSG - Added support for dashes in the date.

  # The name of the log format
  log.format.format_label = "Windows (Server 2008/Vista) Event Log Format (CSV Export, m/d/yyyy dates)"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Sample lines (the third shows the AM/PM time variant and a parenthesised category):
  #Information,9/16/2009 8:54,Microsoft-Windows-User Profiles Service,1532,None,"The User Profile Service has stopped."
  #Information,9/16/2009 8:13,System Restore,8194,None,"Successfully created restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint)."
  #Error,2/24/2010 8:07:05 AM,Application Error,1000,(100),"Faulting application sawmill.exe, version 0.0.0.0, time stamp 0x4b759869, faulting module sawmill.exe, version 0.0.0.0, time stamp 0x4b759869, exception code 0xc0000005, fault offset 0x0000000000238e26, process id 0x125c, application start time 0x01cab56b1f5bcdde."
  # The level alternation deliberately accepts any "Audit..." level (e.g. audit success/failure
  # rows) in addition to Information/Error/Warning; the date separator may be "/" or "-" (1.2.2),
  # and the hour may be space-padded. Seconds plus AM/PM are optional so both 24h and 12h exports match.
  log.format.autodetect_regular_expression = "^(Audit[^,]*|Information|Error|Warning),[0-9]+[/-][0-9]+[/-][0-9][0-9][0-9][0-9] [0-9 ]?[0-9]:[0-9][0-9](:[0-9][0-9] [AP]M)?,[^,]*,[^,]*,[^,]*,.*$"

  # This regular expression is used to parse the log fields out of the log entry.
  # Capture groups, in order: level, date, time, source, event_id, category, message
  # (same order as log.fields below). The final "(.*)$" takes the remainder of the
  # line as the message, so the message field carries the event's free text verbatim.
  log.format.parsing_regular_expression = "^([^,]+),([0-9]+[/-][0-9]+[/-][0-9][0-9][0-9][0-9]) ([0-9]+:[0-9][0-9][^,]*),([^,]*),([^,]*),([^,]*),(.*)$"

  # The format of dates and times in this log.
  # NOTE(review): the regexes accept "-" as well as "/" in the date since 1.2.2, but date_format
  # still names the "/" form only; whether Sawmill's date parser tolerates the dash with this
  # setting is not visible here - confirm with a dashed-date export.
  log.format.date_format = "m/d/yyyy"
  log.format.time_format = "auto"
  # Auto should handle both of these
  #log.format.time_format = "h:mm"
  #log.format.time_format = "h:mm:ss AM/PM"

  # There can be newlines inside quotes in CSV files. Use whole quoted string as field value.
  log.format.allow_newlines_inside_quotes = "true"

  # Don't try to process this as CSV, even if the file name ends in .csv
  log.format.ignore_format_lines = "true"

  #log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    level = ""
    date = ""
    time = ""
    source = ""
    event_id = ""
    category = ""
    message = ""
  } # log.fields

  # This is the same as the parsing_regular_expression. Used for debugging.
  # The parsing_regular_expression should be slightly faster.
  # NOTE(review): the two are no longer identical - the commented filter below still requires
  # "/" as the date separator, while parsing_regular_expression accepts "[/-]" (1.2.2). If this
  # filter is re-enabled for debugging, update its regex to match.
  ##
  # Log Parsing Filters
  ##
  log.parsing_filters.parse = `
###Information,9/16/2009 8:16,VSS,8224,None,The VSS service is shutting down due to idle timeout.
##if (matches_regular_expression(current_log_line(), "^([^,]+),([0-9]+/[0-9]+/[0-9][0-9][0-9][0-9]) ([0-9]+:[0-9][0-9][^,]*),([^,]*),([^,]*),([^,]*),(.*)$")) then (
##
##  set_collected_field('', 'level', $1);
##  set_collected_field('', 'date', $2);
##  set_collected_field('', 'time', $3);
##  set_collected_field('', 'source', $4);
##  set_collected_field('', 'event_id', $5);
##  set_collected_field('', 'category', $6);
##  set_collected_field('', 'message', $7);
##
##  accept_collected_entry('', false);
##);
##else
##  echo("unmatched line " . current_log_line());
##);
##`

  # Database fields
  database.fields = {
    level = ""
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    source = ""
    event_id = ""
    category = ""
    message = ""
  } # database.fields

  database.numerical_fields = {
    # One numerical field: every accepted log entry counts as one event.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    # Replaces the free-text message with a fixed literal. Useful where event messages
    # should not be retained in the database (the sample lines above show they can carry
    # file paths, process ids and similar details).
    strip_message = {
      label = '$lang_admin.log_filters.strip_message_label'
      comment = '$lang_admin.log_filters.strip_message_comment'
      value = "message = '[message removed]'"
    } # strip_message
    # Sets the events counter to 1 for each entry.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # windows_event_log_mdyyyy