# Log-format plugin (Sawmill plugin syntax) for Cisco IronPort Web Security Appliance
# (WSA S-Series) access logs written in W3C extended format.
# It declares how the log is detected and parsed, the filters applied to each entry,
# the numeric fields stored in the database, and how reports are grouped in the menu.
ironport_sseries_w3c = {
  plugin_version = "1.0.1"
  # NOTE(review): key spelling kept as-is; it may be the name the host application reads - confirm before correcting.
  info.1.manfacturer = "Cisco"
  info.1.device = "IronPort Web Services Appliance (WSA S-Series) (W3C)"
  info.1.version.1 = ""

  # 2009-03-26 - 1.0 - GMF - Initial implementation.
  # 2009-04-01 - 1.0.1 - GMF - Categorized reports.

  # The name of the log format
  log.format.format_label = "Cisco IronPort Web Services Appliance (WSA S-Series) (W3C)"
  # Parsed with the generic W3C reader; reported as a firewall/proxy style log.
  log.miscellaneous.log_data_type = "generic_w3c"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # 2009-03-26 - GMF - There is no #Software line, so we'll just have to autodetect based on #Version.
  # NOTE(review): "#Version" is present in the header of every W3C extended log, so this
  # expression will also match W3C logs from other producers; if the #Fields header is
  # known to carry an appliance-specific column (e.g. one of the x_* fields stored below,
  # in its hyphenated header form), anchoring on that would reduce misdetection - confirm
  # against a real log header.
  log.format.autodetect_regular_expression = `#Version`

  # The format of dates and times in this log
  log.format.date_format = "yyyy-mm-dd"
  log.format.time_format = "hh:mm:ss"

  # Treat fields surrounded by square brackets (e.g. the date/time field) as a single quoted field.
  log.format.treat_brackets_as_quotes = "true"

  # Get search engine and search phrase information from the referrer field (before it gets simplified).
  # Only runs when a referrer field is present in the log.
  log.parsing_filters.compute_se_sp = {
    value = `if (get_search_engine_info(referrer)) then ( search_engine = volatile.search_engine; search_phrase = volatile.search_phrase; ); `
    requires_fields = {
      referrer = true
    }
  }

  # Get web browser, operating system, and spider information from the user-agent field.
  # '+' is turned back into a space before classification (the W3C writer encodes spaces
  # in this field); the raw cs_user_agent value itself is left unchanged.
  log.parsing_filters.derive_from_user_agent = {
    value = `get_user_agent_info(replace_all(cs_user_agent, '+', ' ')); web_browser = volatile.web_browser; operating_system = volatile.operating_system; spider = volatile.spider; `
    requires_fields = {
      cs_user_agent = true
    }
  }

  # Log Filters
  log.filters = {
    # If the worm field already holds a parenthesised placeholder (starts with '('), leave the
    # entry alone; otherwise the page field is overwritten with '(worm)'.
    # NOTE(review): the overwrite discards the original cs_uri_stem for worm-tagged entries,
    # so the requested URL is not recoverable from the page report for those hits.
    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else cs_uri_stem = '(worm)';"
      requires_fields = {
        worm = true
        cs_uri_stem = true
      }
    } # set_page_for_worm

    # This filter replaces an absent URL query ('-') with the placeholder '(empty)'.
    # Disabled by default.
    empty_uri_query = {
      label = "$lang_admin.log_filters.empty_uri_query_label"
      comment = "$lang_admin.log_filters.empty_uri_query_comment"
      value = "if (cs_uri_query eq '-') then cs_uri_query = '(empty)';"
      disabled = true
      requires_fields = {
        cs_uri_query = true
      }
    } # empty_uri_query

    # Count an entry as a page view unless its file type is one of the listed static-asset
    # types. The comparison is an exact match against these uppercase tokens; whether
    # file_type is normalised to uppercase upstream cannot be seen here - TODO confirm.
    # Use "accesses" (set by mark_entry below) when every request must be counted.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
      requires_fields = {
        file_type = true
      }
    } # detect_page_views

    # For non-page-view entries, truncate the page to its directory (up to and including the
    # last '/') and append '(nonpage)'. This keeps page-report cardinality down at the cost
    # of dropping the asset filename. Relies on page_views having been set by detect_page_views.
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then cs_uri_stem = substr(cs_uri_stem, 0, last_index(cs_uri_stem, '/') + 1) . '(nonpage)';"
      requires_fields = {
        cs_uri_stem = true
      }
    } # strip_non_page_views

    # Every entry counts as one access.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  # Numeric fields stored per entry. "accesses" and "page_views" are derived by the filters
  # above rather than read from the log.
  database.numerical_fields = {
    accesses = {
      requires_log_field = false
      default = true
      entries_field = true
    } # accesses
    page_views = {
      requires_log_field = false
    } # page_views
    # Response size, shown as bandwidth.
    sc_response_size = {
      type = "float"
      display_format_type = "bandwidth"
    }
    # Count of distinct client IP addresses, taken from c_ip.
    unique_client_ips = {
      log_field = "c_ip"
      type = "unique"
    } # unique_client_ips
    # Request latency, shown as a millisecond duration. (Bare token here, quoted string
    # above - both forms occur in this file and are left as written.)
    x_elapsed_time = {
      type = "float"
      display_format_type = duration_milliseconds
    } # x_elapsed_time
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        cs_url = true
        cs_mime_type = true
      } # content_group
      # Who made the request: client address plus the fields derived from it.
      source_group = {
        c_ip = true
        location = true
        domain_description = true
        organization = true
        domain = true
        isp = true
      } # source_group
      # Appliance-side result and policy fields (status, ACL tag, result code, suspect user
      # agent flag, cache hierarchy origin) and the authenticated user - presumably the
      # fields to review when auditing what the proxy allowed or blocked; exact semantics
      # of each x_* field are defined by the appliance, not here.
      other_group = {
        x_resultcode_httpstatus = true
        cs_method = true
        cs_username = true
        x_hierarchy_origin = true
        x_acltag = true
        x_result_code = true
        x_suspect_user_agent = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options
} # ironport_sseries_w3c