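# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for McAfee Email Gateway syslog (CEF) output.
# The file declares the log fields, the parsing filter that fills them, the
# database schema, and the report/snap-on layout used by the profile wizard.
# The extracted copy of this file had all lines collapsed together; this
# version restores one statement per line. Duplicate `dvc`/`dst` keys in
# log.fields and database.fields were collapsed to a single entry each.

email_gateway = {

  plugin_version = "1.2.1"

  # 2012-06-16 - GMF - 1.0 - Initial creation
  # 2012-06-17 - GMF - 1.1 - Added messages_delivered, messages_bounced, and messages_deferred fields.
  # 2012-06-18 - GMF - 1.2 - Added carryover of subject from previous lines, using fileId and McafeeEmailgatewayOriginalMessageId; added tracking of fileId.
  # 2012-06-18 - GMF - 1.2.1 - Added carryover of McafeeEmailgatewayOriginalMessageId

  # log file format info, latest changes
  info.1.manufacturer = "McAfee"
  info.1.device = "Email Gateway"
  info.1.version.1 = "7.0"

  # The name of the log format
  log.format.format_label = "McAfee Email Gateway"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if there is a match this regular expression
  log.format.autodetect_regular_expression = "McAfee[|]Email Gateway"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Most names are the CEF extension keys as emitted by the gateway; the
  # email_* / *_email_* names are derived fields filled by the parsing filter
  # from the cs4-cs6 / cn1-cn3 custom fields (see the filter below).
  log.fields = {
    act = ""
    app = ""
    msg = ""
    dvc = ""
    dst = ""
    dhost = ""
    src = ""
    shost = ""
    suser = ""
    duser = ""
    deviceDirection = ""
    sourceServiceName = ""
    filePath = ""
    fileId = ""
    fsize = ""
    rt = ""
    flexNumber1 = ""
    flexNumber1Label = ""
    cs4Label = ""
    cs4 = ""
    cs5Label = ""
    cs5 = ""
    cs6Label = ""
    cs6 = ""
    McafeeEmailgatewayOriginalSubject = ""
    McafeeEmailgatewayOriginalSender = ""
    McafeeEmailgatewayOriginalMessageId = ""
    McafeeEmailgatewayEmailEncryptionType = ""
    cn1Label = ""
    cn1 = ""
    cn2Label = ""
    cn2 = ""
    cn3Label = ""
    cn3 = ""
    email_attachments = "" # from cs4
    master_scan_type = "" # from cs5
    email_subject = "" # from cs6
    is_primary_action = "" # from cn1
    num_email_attachments = "" # from cn2
    number_email_recipients = "" # from cn3
    # new_McafeeEmailgatewayOriginalMessageId = ""
    messages_delivered = ""
    messages_bounced = ""
    messages_deferred = ""
  } # log.fields

  # Log Parsing Filters
  #
  # One syslog line carries one CEF record. The extension part (everything
  # after the seventh '|') is split into key=value pairs. Subject and
  # original-message-id are remembered under a per-message key so that later
  # lines for the same message (which may lack them) can be back-filled.
  #
  # NOTE(review): the per-message key is fileId taken verbatim from the log
  # line; only the McafeeEmailgatewayOriginalMessageId fallback is checked
  # against ^[0-9a-f_]+$. Confirm whether fileId needs the same check before
  # it is used as a collected-entry key.
  # NOTE(review): collect_listed_fields is called with ' ' as the pair
  # divider. CEF allows spaces inside values (the msg comparisons below rely
  # on 'Email Deferred' surviving intact) - confirm the divider semantics
  # handle that, and that CEF '\=' / '\\' escapes are acceptable as-is.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ : CEF:[0-9]+[|]McAfee[|]Email Gateway[|][^|]+[|][0-9]+[|][^|]+[|][0-9]+[|](.*)$')) then (

  collect_listed_fields('', $1, ' ', '=', '');

  # Get the key. This is fileId, unless McafeeEmailgatewayOriginalMessageId, in which case we copy that to fileId and use it as the key.
  if (matches_regular_expression(get_collected_field('', 'McafeeEmailgatewayOriginalMessageId'), '^[0-9a-f_]+$')) then
    set_collected_field('', 'fileId', get_collected_field('', 'McafeeEmailgatewayOriginalMessageId'));
  v.key = get_collected_field('', 'fileId');

  # Copy over the cs fields, as specified by McAfee in ThreadID:1273057. We could check cn1Label, etc, to make sure the field names match, but these seem to be fixed.
  set_collected_field('', 'email_attachments', get_collected_field('', 'cs4'));
  set_collected_field('', 'master_scan_type', get_collected_field('', 'cs5'));
  set_collected_field('', 'email_subject', get_collected_field('', 'cs6'));
  set_collected_field('', 'is_primary_action', get_collected_field('', 'cn1'));
  set_collected_field('', 'num_email_attachments', get_collected_field('', 'cn2'));
  set_collected_field('', 'number_email_recipients', get_collected_field('', 'cn3'));

  # If this entry has an email_subject, save it in under v.key
  # (the subject is sender-supplied text; it is carried into the database unchanged)
  if ((get_collected_field('', 'email_subject') ne '') and (get_collected_field('', 'email_subject') ne '(empty)')) then (
    set_collected_field(v.key, 'email_subject', get_collected_field('', 'email_subject'));
    # echo("saved email_subject for [" . v.key . "]: " . get_collected_field('', 'email_subject'));
  );
  # If we saved an email_subject from an earlier line, recover it
  else if ((get_collected_field(v.key, 'email_subject') ne '') and (get_collected_field(v.key, 'email_subject') ne '(empty)')) then (
    set_collected_field('', 'email_subject', get_collected_field(v.key, 'email_subject'));
    # echo("restored email_subject for [" . v.key . "]: " . get_collected_field('', 'email_subject'));
  );
  # else (
  #   echo("Subject unknown for " . v.key);
  # );

  # If this entry has an McafeeEmailgatewayOriginalMessageId, save it in under v.key
  if ((get_collected_field('', 'McafeeEmailgatewayOriginalMessageId') ne '') and (get_collected_field('', 'McafeeEmailgatewayOriginalMessageId') ne '(empty)')) then (
    set_collected_field(v.key, 'McafeeEmailgatewayOriginalMessageId', get_collected_field('', 'McafeeEmailgatewayOriginalMessageId'));
    # echo("saved McafeeEmailgatewayOriginalMessageId for [" . v.key . "]: " . get_collected_field('', 'McafeeEmailgatewayOriginalMessageId'));
  );
  # If we saved an McafeeEmailgatewayOriginalMessageId from an earlier line, recover it
  else if ((get_collected_field(v.key, 'McafeeEmailgatewayOriginalMessageId') ne '') and (get_collected_field(v.key, 'McafeeEmailgatewayOriginalMessageId') ne '(empty)')) then (
    set_collected_field('', 'McafeeEmailgatewayOriginalMessageId', get_collected_field(v.key, 'McafeeEmailgatewayOriginalMessageId'));
    # echo("restored McafeeEmailgatewayOriginalMessageId for [" . v.key . "]: " . get_collected_field('', 'McafeeEmailgatewayOriginalMessageId'));
  );
  # else (
  #   echo("OriginalMessageId unknown for " . v.key);
  # );

  # Strip off <> from email addresses
  if (matches_regular_expression(get_collected_field('', 'suser'), '^<(.*)>$')) then
    set_collected_field('', 'suser', $1);
  if (matches_regular_expression(get_collected_field('', 'duser'), '^<(.*)>$')) then
    set_collected_field('', 'duser', $1);

  # Classify the delivery outcome from the CEF msg field; exactly one of the
  # three counters is set per line, or none if msg matches nothing below.
  if (get_collected_field('', 'msg') eq 'Email Deferred') then
    set_collected_field('', 'messages_deferred', 1);
  else if (get_collected_field('', 'msg') eq 'Email Delivered') then
    set_collected_field('', 'messages_delivered', 1);
  else if (contains(get_collected_field('', 'msg'), 'bounced')) then
    set_collected_field('', 'messages_bounced', 1);

  accept_collected_entry('', false);

); # if matches line format
` # parse

  log.filters = {
    # NOTE(review): messages_sent is not declared in log.fields or
    # database.numerical_fields (messages_delivered appears to have replaced
    # it in 1.1); the parsing filter already sets the per-outcome counters.
    # Confirm whether this filter still has any effect.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages_sent = 1;'
    } # mark_entry
  } # log.filters

  # Database fields
  database.fields = {
    act = ""
    app = ""
    msg = ""
    dvc = ""
    dst = ""
    dhost = ""
    src = ""
    shost = ""
    suser = ""
    duser = ""
    deviceDirection = ""
    sourceServiceName = ""
    filePath = ""
    # Large complex field; uncertain value; removing for performance reasons
    # 2012-06-18 - GMF - Restored at McAfee's request [ThreadID:1273057]
    fileId = ""
    # NOTE(review): fsize is also declared below in database.numerical_fields
    # as a 64-bit int - confirm which declaration is intended to win.
    fsize = ""
    # Large complex field; uncertain value; removing for performance reasons
    # rt = ""
    # Not sure what this field is for; omitting for now
    # flexNumber1 = ""
    # flexNumber1Label = ""
    McafeeEmailgatewayOriginalSubject = ""
    McafeeEmailgatewayOriginalSender = ""
    McafeeEmailgatewayOriginalMessageId = ""
    McafeeEmailgatewayEmailEncryptionType = ""
    email_attachments = ""
    master_scan_type = ""
    email_subject = ""
    is_primary_action = ""
  } # database.fields

  database.numerical_fields = {
    # Default numerical field and the per-entry count for the profile.
    messages_delivered = {
      default = true
      entries_field = true
    } # messages_delivered
    messages_bounced = ""
    messages_deferred = ""
    num_email_attachments = ""
    number_email_recipients = ""
    # Message size in bytes; shown with bandwidth-style units.
    fsize = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # fsize
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        src = ""
        shost = ""
        suser = ""
        sourceServiceName = ""
      } # source_group
      destination_group = {
        dst = ""
        dhost = ""
        duser = ""
      } # destination_group
      message_group = {
        email_subject = ""
        filePath = ""
        fileId = ""
        McafeeEmailgatewayOriginalSubject = ""
        McafeeEmailgatewayOriginalSender = ""
        McafeeEmailgatewayOriginalMessageId = ""
        McafeeEmailgatewayEmailEncryptionType = ""
        email_attachments = ""
      } # message_group
      other_group = {
        act = ""
        app = ""
        msg = ""
        dvc = ""
        deviceDirection = ""
        # NOTE(review): rt is commented out of database.fields above, so
        # this report entry refers to a field that is not in the database.
        rt = ""
        master_scan_type = ""
        is_primary_action = ""
      } # other_group
    } # report_groups

    snapons = {

      # Attach a mail_server_reports snapon
      mail_server_reports = {
        snapon = "mail_server_reports"
        name = "mail_server_reports"
        label = "$lang_admin.snapons.mail_server_reports.label"
        parameters = {
          sender_field.parameter_value = "suser"
          recipient_field.parameter_value = "duser"
          messages_processed_field.parameter_value = "messages_delivered"
          messages_delivered_field.parameter_value = "number_email_recipients"
        } # parameters
      } # mail_server_reports

      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports

    } # snapons

  } # create_profile_wizard_options

} # email_gateway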