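# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin: Cisco PIX syslog as written by the PIX Firewall Syslog Server.
# Collects only date, time and the raw syslog_message; the message is handed on to the
# "syslog_server" machinery for device-specific parsing.
pfsssyslog = {

  plugin_version = "1.1.2"

  # 2007-08-27 - 1.1 - KBB - Combined support for formats with and without year in the timestamp.
  #                          Added support for finding the year in a Cisco default log file name.
  # 2011-07-11 - 1.1.1 - MSG - Edited info lines.
  # 1.1.2 - Match (and discard) the optional three-letter timezone token after the time in the
  #         year-less header variant, so syslog_message no longer starts with e.g. "CST: ".

  info.1.manufacturer = "Cisco"
  info.1.device = "PIX Firewall Syslog Server"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "PIX Firewall Syslog Server Format"
  log.miscellaneous.log_data_type = "syslog"
  log.miscellaneous.log_format_type = "syslog_server"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Two header variants are accepted: the year after the day, or no year but an optional
  # three-letter timezone after the time, e.g.
  #<166>Jul 01 2007 10:56:11: %PIX-6-113012: AAA user authentication Successful : local database : user = jasmine
  #<166>:Jul 01 10:55:58 CST: %PIX-vpn-6-713172: Group = SCN_Dflt, IP = 216.197.177.45, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
  log.format.autodetect_regular_expression = "^<[0-9]+>:?[A-Za-z][A-Za-z][A-Za-z] [0-9 ][0-9]( | [0-9]{4} )[0-9][0-9]:[0-9][0-9]:[0-9][0-9]( [A-Z]{3})?:? "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    syslog_message = ""
  } # log.fields

  # State carried across lines (and across files) of one processing run:
  #   year           - last year seen in a header that carried one (advanced on a Jan rollover)
  #   month_for_year - month of that header, or 'jan' once a rollover has been applied
  #   path_year      - year taken from a LOG-YYYY-MM-DD-HHMMSS.TXT file name
  #   current_path   - path of the file last checked for a year in its name
  log.filter_initialization_syslog = `
    string year = '';
    string month_for_year = '';
    string path_year = '';
    string current_path = '';
  `

  # Log Parsing Filters
  #
  # Caveat for timeline/forensic use: when the header carries no year, the year is INFERRED
  # (file name, an earlier header, or "this year"), and the timezone token, when present, is
  # matched but not applied - times are collected exactly as written. Treat such timestamps
  # as approximate when correlating with other sources.
  log.parsing_filters.syslog_parse = `
    v.syslog_message = '';
    # Groups: $1 = "Mon dd", $2 = month, $3 = year (empty in the year-less variant),
    #         $4 = hh:mm:ss, $5 = optional " TZ" token (discarded), $6 = rest of the line.
    if (matches_regular_expression(current_log_line(), '^<[0-9]+>:?(([A-Za-z][A-Za-z][A-Za-z]) [0-9 ][0-9]) ([0-9]*) *([0-9][0-9]:[0-9][0-9]:[0-9][0-9])( [A-Z]{3})?:? (.*)$')) then (
      v.date = $1;
      v.month = lowercase($2);
      v.year = $3;
      v.time = $4;
      v.syslog_message = $6;
      set_collected_field('', 'time', v.time);

      # Use date from header
      if (v.year ne '') then (
        set_collected_field('', 'date', v.date . " " . v.year);
        # Remember the year/month so later year-less lines can reuse it.
        year = v.year;
        month_for_year = v.month;
      ) # (v.year ne '')
      else (
        v.path = current_log_pathname();

        # New file. Look for year in path of this format LOG-YYYY-MM-DD-HHMMSS.TXT, a Cisco default.
        # ($2 here is the year group of THIS match, not of the header match above.)
        if ((current_path ne v.path) and matches_regular_expression(v.path, '(LOG|log)-((20|19)[0-9][0-9])-')) then (
          current_path = v.path;
          path_year = $2;
          set_collected_field('', 'date', v.date . " " . path_year);
        )

        # Use year saved from path. Note this persists into later files whose names carry
        # no year, and takes precedence over a year seen in an earlier header.
        else if (path_year ne '') then (
          set_collected_field('', 'date', v.date . " " . path_year);
        ) # (path_year ne '')

        # Use year saved from header. The year is advanced once when the log first crosses
        # into January; month_for_year is then pinned to 'jan', so a second rollover only
        # happens after another header that carries a year resets it.
        else if (year ne '') then (
          if (v.month eq 'jan' and month_for_year ne 'jan') then (
            year += 1;
            month_for_year = 'jan';
          );
          set_collected_field('', 'date', v.date . " " . year);
        ) # (year ne '')

        # Use this year (no year available from the header, the file name or an earlier header)
        else (
          set_collected_field('', 'date', normalize_date(v.date, 'mmm/dd'));
        );
      ); # Year not in header
    );
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
  } # database.fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;page_views = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # pfsssyslog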