# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plugin for McAfee Web Gateway access logs.
# It declares how a log line is detected and parsed (log.format / log.fields),
# which database fields and numerical fields are built from it, the log filters
# that normalize each entry, and the report groups / snapons the profile wizard
# creates. Values written as "$lang_..." are presumably localized label keys
# resolved elsewhere; they are not resolved in this file.
web_gateway = {
  plugin_version = "1.1"
  # 2012-08-15 - 1.0 - GMF - Initial creation
  # 2012-10-05 - 1.1 - GMF - Categorized reports
  info.1.manufacturer = "McAfee"
  info.1.device = "Web Gateway"
  info.1.version.1 = ""
  # The name of the log format
  log.format.format_label = "McAfee Web Gateway"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "proxy_server"
  # The log is in this format if any of the first ten lines match this regular expression.
  # The expression matches the log's own header line ("#time_stamp ..."); the field
  # names listed in it give the column order that the index values in log.fields
  # below refer to (1 = time_stamp, 2 = auth_user, 3 = src_ip, ...).
  log.format.autodetect_regular_expression = `^#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"`
  # Treat fields surrounded by square brackets (e.g. the date/time field) as a single quoted field.
  log.format.treat_brackets_as_quotes = "true"
  # log.format.common_log_format = "true"
  # The format of dates and times in this log
  log.format.date_format = "dd/mmm/yyyy:hh:mm:ss"
  log.format.time_format = "dd/mmm/yyyy:hh:mm:ss"
  # Log fields
  # index selects the whitespace/quote-delimited column of the log line; subindex
  # selects a sub-part of that column (used for the date/time column and for the
  # quoted request line, which is split into operation / url / protocol).
  log.fields = {
    date_time = {
      index = 1
      subindex = 1
    } # date_time
    auth_user.index = 2
    src_ip = {
      type = "host"
      index = 3
    } # src_ip
    status_code.index = 4
    # Request line (column 5): "<operation> <url> <protocol>"
    operation = {
      type = "flat"
      index = 5
      subindex = 1
    } # operation
    url = {
      type = "page"
      index = 5
      subindex = 2
      # Hierarchy levels are split on "/" and "?", reading left to right;
      # presumably this is what lets the url report be browsed as a tree.
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url
    protocol = {
      index = 5
      subindex = 3
    } # protocol
    categories.index = 6
    rep_level.index = 7
    media_type.index = 8
    bytes_to_client.index = 9
    # type "agent" presumably drives the derived web_browser / operating_system
    # database fields declared below -- confirm against the field-type docs.
    user_agent = {
      type = "agent"
      index = 10
    } # user_agent
    virus_name.index = 11
    block_res.index = 12
  } # log.fields
  # Database fields
  # An empty value ("") takes the field definition as-is; only url overrides settings.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    auth_user = ""
    src_ip = ""
    location = ""
    status_code = ""
    operation = ""
    url = {
      # Meaning of suppress_top / suppress_bottom is not defined in this file;
      # presumably they trim hierarchy levels shown in the url report -- confirm.
      suppress_top = 1
      suppress_bottom = 3
    } # url
    file_type = ""
    worm = ""
    protocol = ""
    categories = ""
    rep_level = ""
    media_type = ""
    web_browser = ""
    operating_system = ""
    virus_name = ""
    block_res = ""
  } # database.fields
  # Log Filters
  # Each filter is an expression applied to every parsed entry. The filters are
  # listed in the order they are expected to run; detect_page_views must see a
  # populated file_type, and strip_non_page_views depends on page_views having
  # been set by detect_page_views -- NOTE(review): confirm ordering is honored.
  log.filters = {
    # Replace everything after "?" with "(parameters)". Besides collapsing
    # per-request variants of one page, this keeps query strings -- which can
    # carry session tokens, credentials or other sensitive parameters -- out of
    # the database and reports.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query
    # Count only non-asset requests as page views; the listed file types
    # (images, CSS, Flash, JavaScript) are treated as embedded resources.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    # Keep only "scheme://host/" and replace the rest of the path with
    # "(omitted)"; $1 is presumably the capture group of the regular expression.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url
    # For non-page hits, drop the file name after the last "/" and mark the
    # entry as "(nonpage)" so assets roll up into their directory.
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views
    # The log writes "-" when no user authenticated; give it a readable label.
    not_authenticated = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "$lang_admin.log_filters.not_authenticated_comment"
      value = "if (auth_user eq '-') then auth_user = '(not authenticated)';"
    } # not_authenticated
    # Every entry counts as one event (feeds the "events" numerical field).
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters
  # Session reconstruction: visitors are keyed by source IP, so clients behind a
  # shared NAT/proxy address will be merged into one visitor.
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "src_ip"
    sessions_event_field = "page_views"
  } # log.field_options
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views
    unique_source_ips = {
      requires_log_field = true
      log_field = "src_ip"
      type = "unique"
    } # unique_source_ips
    # 64-bit accumulator, presumably so that long-term byte totals do not overflow.
    bytes_to_client = {
      requires_log_field = true
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_to_client
  } # database.numerical_fields
  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        url = true
        file_type = true
        media_type = true
      } # content_group
      source_group = {
        src_ip = true
        auth_user = true
        location = true
      } # source_group
      visitor_systems_group = {
        web_browser = true
        operating_system = true
      } # visitor_systems_group
      # Security-relevant fields (block result, virus name, categories, reputation level)
      other_group = {
        block_res = true
        virus_name = true
        status_code = true
        operation = true
        worm = true
        protocol = true
        categories = true
        rep_level = true
      } # other_group
    } # report_groups
    snapons = {
      # Attach a top_level_domain snapon
      # Derives a top_level_domain field from url; gateway_reports below uses it as host_field.
      top_level_domain = {
        snapon = "top_level_domain"
        name = "top_level_domain"
        label = "$lang_admin.snapons.top_level_domain.label"
        parameters = {
          url_field.parameter_value = "url"
          field_name = {
            parameter_value = "$lang_admin.field_labels.top_level_domain"
            final_node_name = "top_level_domain"
          } # field_name
        } # parameters
      } # top_level_domain
      # Attach a gateway_reports snapon
      # Parameters map this plugin's fields onto the snapon's expected inputs;
      # have_* flags say whether the optional field exists in this log format.
      gateway_reports = {
        snapon = "gateway_reports"
        name = "gateway_reports"
        label = "$lang_admin.snapons.gateway_reports.label"
        parameters = {
          # Users are reported by source IP rather than auth_user. NOTE(review):
          # on deployments where users authenticate to the gateway, auth_user
          # would attribute activity to a person rather than an address -- confirm
          # which is wanted before changing.
          # user_field.parameter_value = "auth_user"
          user_field.parameter_value = "src_ip"
          have_client_ip.parameter_value = false
          # client_ip_field.parameter_value = "src_ip"
          have_category_field.parameter_value = true
          category_field.parameter_value = "categories"
          host_field.parameter_value = "top_level_domain"
          # have_additional_field.parameter_value = true
          # additional_field.parameter_value = "virtual_ip"
          page_views_field.parameter_value = "page_views"
          # Only bytes to the client are logged; bytes out and duration are absent.
          have_bytes_in_field.parameter_value = true
          bytes_in_field.parameter_value = "bytes_to_client"
          have_bytes_out_field.parameter_value = false
          # bytes_out_field.parameter_value = "bytes_out"
          have_duration_field.parameter_value = false
          # duration_field.parameter_value = "tunnel_duration"
          sort_by_field.parameter_value = "page_views"
        } # parameters
      } # gateway_reports
      # 2013-02-06 - GMF - Now added in gateway_reports
      #
      # Add the standard reports
      # add_standard_reports = {
      #   name = "add_standard_reports"
      #   label = "add_standard_reports"
      #   snapon = "add_standard_reports"
      # } # add_standard_reports
    } # snapons
  } # create_profile_wizard_options
} # web_gateway