# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the CyberGuard firewall "Activity" audit log
# in its non-WELF (plain syslog) form. The whole definition lives in one
# config node; the only executable part is the parsing filter script below,
# which does all field extraction via a single regular expression.
cyberguard_firewall = {

  plugin_version = "1.1"

  # 2007-09-17 - 1.0 - KBB - Initial creation. Note: I haven't found any information about
  # non-WELF CyberGuard logs. Is it possible this isn't really CyberGuard??
  # 2010-10-04 - 1.1 - MSG - Edited info lines.

  # Device identification shown in the profile wizard.
  info.1.manufacturer = "CyberGuard"
  info.1.device = "Firewall Audit(non-WELF)"
  info.1.version = ""

  # The name of the log format
  log.format.format_label = "Cyberguard Firewall (non-WELF) Audit Log Format"

  # Entries arrive as syslog messages; the parsing filter reads v.syslog_message,
  # so the syslog wrapper must already have been stripped by the engine.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  #Aug  2 14:30:31 fpx-fw1 auditlogd: Activity: permit 2007/08/02 14:25:31: P lo0 dec1 10.0.99.99 172.16.99.199 udp 1034 syslog
  # Detection keys on the "auditlogd: Activity:" prefix, a permit/deny keyword,
  # a yyyy/mm/dd hh:mm:ss timestamp and the trailing P/D flag. Note that
  # detection only accepts permit|deny, whereas the parsing regex below accepts
  # any lowercase word as the action, so once a file is recognised, lines with
  # other action keywords are still parsed and counted.
  log.format.autodetect_regular_expression = "auditlogd: Activity: (permit|deny) [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}: (P|D)"

  # presumably disables the engine's built-in field splitting so only the
  # parsing filter below populates fields — confirm against the plugin docs.
  log.format.parse_only_with_filters = "true"

  # Log fields
  # NOTE(review): the parsing filter also sets the 'date' and 'time' collected
  # fields, and report_groups below references date_time_group, yet no
  # date_time field is declared here or in database.fields — verify that the
  # engine supplies date_time implicitly for this plugin.
  log.fields = {
    action = ""
    protocol = ""
    icmp_type = ""
    src_host = ""  # using instead of src and dst per customer request
    dst_host = ""  # these names are used by the cyberguard welf format
    #src = ""
    #dst = ""
    srcport = ""
    dstport = ""
    srcintfc = ""
    dstintfc = ""
  } # log.fields

  # Log Parsing Filters
  #Aug  2 14:30:31 fpx-fw1 auditlogd: Activity: permit 2007/08/02 14:25:31: P lo0 dec1 10.0.99.99 172.16.99.199 udp 1034 syslog
  #Aug  2 14:30:31 fpx-fw1 auditlogd: Activity: deny 2007/08/02 14:26:07: D dec1 dec0 172.16.99.199 192.168.199.199 tcp 3853 www-http
  #Aug  2 14:30:31 fpx-fw1 auditlogd: Activity: deny 2007/08/02 14:27:02: D dec0 dec1 199.99.99.99 10.0.99.199 icmp ECHO
  #
  # Capture groups of the main regex, in order:
  #   $1 action (lowercase word)      $2 date yyyy/mm/dd      $3 time hh:mm:ss
  #   $4 P|D flag (captured but not stored)
  #   $5 source interface             $6 destination interface
  #   $7 source host                  $8 destination host
  #   $9 protocol (lowercase word)    $10 everything after the protocol
  # Hosts must be dotted-decimal ([0-9.]+); a line carrying a hostname or an
  # IPv6 address will not match and is silently skipped, since
  # accept_collected_entry is only reached inside the then-branch.
  # For icmp the whole remainder ($10, e.g. "ECHO") is stored as icmp_type; for
  # other protocols the remainder is split into srcport/dstport, which may be
  # service names rather than numbers ("syslog", "www-http" in the samples).
  # If the remainder does not split into exactly two tokens the entry is still
  # accepted, with srcport/dstport left unset.
  # Only action, protocol and the two hosts are constrained by the regex; the
  # interface, port and icmp_type fields take arbitrary non-space text from the
  # log line, so treat them as untrusted when building reports or exports.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, 'auditlogd: Activity: ([a-z]+) ([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+): (D|P) ([^ ]+) +([^ ]+) +([0-9.]+) +([0-9.]+) +([a-z]+) +([^ ].*)$')) then (
  set_collected_field('', 'action', $1);
  set_collected_field('', 'date', $2);
  set_collected_field('', 'time', $3);
  set_collected_field('', 'srcintfc', $5);
  set_collected_field('', 'dstintfc', $6);
  set_collected_field('', 'src_host', $7);
  set_collected_field('', 'dst_host', $8);
  set_collected_field('', 'protocol', $9);
  v.protocol = $9;
  v.rest = $10;
  if (v.protocol eq 'icmp') then (
    set_collected_field('', 'icmp_type', v.rest);
  );
  else if (matches_regular_expression(v.rest, '^([^ ]+) +([^ ]+)$')) then (
    set_collected_field('', 'srcport', $1);
    set_collected_field('', 'dstport', $2);
  );
  accept_collected_entry('', false);
);
`

  # Database fields — one database column per log field declared above.
  database.fields = {
    action = ""
    protocol = ""
    icmp_type = ""
    src_host = ""
    dst_host = ""
    srcport = ""
    dstport = ""
    srcintfc = ""
    dstintfc = ""
  } # database.fields

  # Log Filters
  # mark_entry assigns events = 1 to every accepted entry so the numerical
  # field below counts entries.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # The single numerical field: a per-entry event counter (no log field backs it).
  database.numerical_fields = {
    events = {
      default = true;
      requires_log_field = false;
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # cyberguard_firewall