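# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Check Point Firewall-1 logs exported with
# `fw log -ftn`. Lines are consumed only through the parsing filters below
# (parse_only_with_filters = "true"); the date may come from the file name,
# from a "Date:" header line, or from the start of each log line.
firewall1_fw_log_ftn_export = {

  plugin_version = "1.0.4"

  info.1.manufacturer = "Checkpoint"
  info.1.device = "Firewall-1 (fw log -ftn export)"
  info.1.version.1 = "-ftn export"

  # changelog
  # 2009-03-26 : 1.0.1 : gas : added support for dates at the start of lines
  # 2009-04-15 : 1.0.5 : gas : added support for more fields
  # 2009-04-15 : 1.1 : gas : added support for elapsed hh:mm:ss format & seconds
  # 2009-04-24 : 1.2 : gas : added fix if time format changed from hh:mm:ss to h:mm:ss during a log
  # 2009-04-29 - 1.0.2 - KBB - added support for getting the date from the file name
  # 2010-09-02 - 1.0.3 - MSG - added support for an extra space after the host IP field, an uppercase letter in the string after the [<>],
  #                            and removed the ^ anchor in the parsing filters to parse logs with a syslog header properly.
  # 2010-10-04 - 1.0.4 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "Firewall-1 (fw log -ftn export) Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # log.format.autodetect_regular_expression = "^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] (drop|accept|reject) *[0-9\\.]+ >[a-z0-9]+ (product|src|s_port|dst|service|proto|rule): "
  # added support for dates at the start of lines - gas
  # Unanchored on purpose (see 1.0.3): a syslog header may precede the Firewall-1 record.
  log.format.autodetect_regular_expression = "[0-9][0-9]:[0-9][0-9]:[0-9][0-9] (drop|accept|reject|authcrypt) *[0-9\\.]+ +[<>][A-Za-z0-9]* (product|src|s_port|dst|service|proto|rule): "

  # The format of dates and times in this log
  log.format.global_date_regular_expression = "Date: (.*)"
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # parse this log with parsing filters only
  log.format.parse_only_with_filters = "true"

  # the name of an entry in this log
  statistics.miscellaneous.entry_name = "accesses"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    action = ""
    host = ""
    interface = ""
    product = ""
    source = ""
    source_port = ""
    destination = ""
    service = ""
    protocol = ""
    rule = ""
    rule_uid = ""
    message_info = ""
    smart_defense = ""
    bytes = ""
    client_inbound_bytes = ""
    client_inbound_packets = ""
    client_outbound_bytes = ""
    client_outbound_packets = ""
    elapsed = ""
    packets = ""
    segment_time = ""
    server_inbound_bytes = ""
    server_inbound_packets = ""
    server_outbound_bytes = ""
    server_outbound_interface = ""
    server_outbound_packets = ""
    service_id = ""
    start_time = ""
    user = ""
  } # log.fields

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    action = ""
    host = ""
    interface = ""
    product = ""
    source = ""
    source_port = ""
    destination = ""
    protocol = ""
    service = ""
    rule = ""
    rule_uid = ""
    message_info = ""
    smart_defense = ""
    segment_time = ""
    service_id = ""
    start_time = ""
    server_outbound_interface = ""
    user = ""
  } # database.fields

  # v.dates_start_line is set to 1 by filter 25 when the line carried its own
  # date; filter 35 uses it to decide whether trailing ';' clean-up is needed.
  log.filter_initialization = `
    v.dates_start_line = 0;
  `

  # Log Parsing Filters
  log.parsing_filters = {

    # Parse date from log file name
    0 = {
      label = "0"
      comment = ""
      # o_2008-01-28_000000.log
      value = `
        if (matches_regular_expression(current_log_pathname(), "_([0-9]{4}-[0-9]{2}-[0-9]{2})_")) then (
          set_collected_field('', 'date', $1);
        );
      `
    } # 0

    # Parse lines without a space at the start of line
    # NOTE(review): filters 10 and 20 only match a '>' before the interface name, while the
    # autodetect expression and filter 25 accept '[<>]'; confirm whether '<' lines are meant
    # to be handled only by filter 25.
    10 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('()([0-9]*:[0-9]*:[0-9]*) *([a-z]*) *([0-9]*\\\\.[0-9]*\\\\.[0-9]*\\\\.[0-9]*) *>([A-Za-z0-9]*)', '*KEY*,time,action,host,interface')"
    } # 1

    # Parse line with a space at start of line
    20 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('() ([0-9]*:[0-9]*:[0-9]*) *([a-z]*) *([0-9]*\\\\.[0-9]*\\\\.[0-9]*\\\\.[0-9]*) *>([A-Za-z0-9]*)', '*KEY*,time,action,host,interface')"
    } # 2

    # Parse out lines that start with dates
    # The time field is normalised to hh:mm:ss: a 7-character h:mm:ss value gets a leading
    # zero, an 8-character value is stored unchanged (previously both branches prepended
    # '0', turning hh:mm:ss into a 9-character "0hh:mm:ss" value).
    25 = {
      label = "Lines that Start with Dates"
      comment = "This filter collects only log lines that start with a date"
      value = `
        if (matches_regular_expression(current_log_line(), '([0-9]+)([A-Za-z]+)([0-9]+) *([0-9]*:[0-9]*:[0-9]*) *([a-z]*) *([0-9]*\\.[0-9]*\\.[0-9]*\\.[0-9]*) *[<>]([A-Za-z0-9]*)')) then (
          set_collected_field('', 'date', $2 . '/' . $1 . '/' . $3);
          if (length($4) < 8) then
            set_collected_field('', 'time', '0' . $4)
          else
            set_collected_field('', 'time', $4);
          set_collected_field('', 'action', $5);
          set_collected_field('', 'host', $6);
          set_collected_field('', 'interface', $7);
          v.dates_start_line = 1;
        );
      `
    } # 25

    # Parse out the ; divided, : separated fields
    # NOTE(review): 'vpn_internal_source_ip' is mapped here but not declared in log.fields;
    # confirm whether it is intentionally discarded.
    30 = {
      label = "3"
      comment = ""
      value = "collect_listed_fields_using_regexp('()[<>][A-Za-z0-9]*[ a-z]* (.*)$', '; ', ': ', 's_port=source_port|src=source|dst=destination|proto=protocol|SmartDefense profile=smart_defense|VPN internal source IP=vpn_internal_source_ip')"
    } # 3

    # Convert an hh:mm:ss elapsed value to seconds; values already in seconds are left alone
    32 = {
      label = "32"
      comment = ""
      value = `
        if (matches_regular_expression(get_collected_field('', 'elapsed'), '^([0-9]+):([0-9]+):([0-9]+)$')) then
          set_collected_field('', 'elapsed', ($1*60*60)+($2*60)+$3);
      `
    } # 32

    # clean up the last field
    # Only for lines that started with a date: strip the trailing ';' that the
    # listed-field split leaves on the last collected field.
    35 = {
      label = "35"
      comment = "35"
      value = `
        if (v.dates_start_line) then (
          set_collected_field('', 'rule', replace_last(get_collected_field('', 'rule'), ';', ''));
          set_collected_field('', 'message_info', replace_last(get_collected_field('', 'message_info'), ';', ''));
          set_collected_field('', 'source_port', replace_last(get_collected_field('', 'source_port'), ';', ''));
        );
      `
    } # 35

    # Accept collected entry
    40 = {
      label = "4"
      comment = ""
      value = "accept_collected_entry_using_regexp('()', false);"
    } # 4

  } # log.parsing_filters

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    # Byte counters use 64-bit integers; packet counters use the default width.
    bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    packets = {
      type = "int"
      display_format_type = "integer"
    }
    client_inbound_bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    client_inbound_packets = {
      type = "int"
      display_format_type = "integer"
    }
    client_outbound_bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    client_outbound_packets = {
      type = "int"
      display_format_type = "integer"
    }
    # elapsed is stored in seconds (filter 32 converts hh:mm:ss)
    elapsed = {
      type = "int"
      integer_bits = 64
      display_format_type = "duration"
    }
    server_inbound_bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    server_inbound_packets = {
      type = "int"
      display_format_type = "integer"
    }
    server_outbound_bytes = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    server_outbound_packets = {
      type = "int"
      display_format_type = "integer"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # firewall1_fw_log_ftn_export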