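# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plug-in for ISC DHCP (dhcpd) messages delivered through syslog.
#
# All field extraction is done by the parsing filter below
# (parse_only_with_filters is "true"). The filter starts from
# v.syslog_message, strips optional prefixes, and then tries a fixed chain of
# message patterns. An entry is accepted only when one of those patterns
# matches; every other line is discarded without being counted.
#
# Review notes for anyone using this data for monitoring or investigation:
#  - Captured values are stored as they appear in the log line. Several
#    patterns capture with (.*), so a field can hold arbitrary text from the
#    line. Presumably some of that text originates from DHCP clients, so treat
#    it as untrusted when it is displayed or exported (confirm against the
#    dhcpd configuration in use).
#  - Message types without a pattern in the chain are not recorded at all.
#    Check the chain before relying on this profile for complete DHCP
#    visibility.

iscdhcp = {

  plugin_version = "2.3"
  info.1.manufacturer = "ISC"
  info.1.device = "DHCP"
  info.1.version.1 = ""

  # 02/Jun/2006 - 2.0 - GMF - Updated syntax to v7 style; changed parsing filters to make bracketed section and dhcpd: optional; added support
  #                           for MAC addresses with something in parentheses; added support for lease IPs with something in parentheses;
  #                           added extraction of relay, lease_duration, network, message fields; added handling of DHCPNAK messages; more.
  # 2010-04-06 - 2.1 - GMF - Added automatic stripping of UNIX syslog style header
  # 2010-09-29 - 2.2 - MSG - Changed autodetect lines to 100
  # 2010-10-21 - 2.3 - MSG - Added parsing filter to extract CID field

  # The name of the log format
  log.format.format_label = "ISC DHCP Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"

  # DHCPDISCOVER doesn't always occur in the first ten lines, so use 100 lines
  log.format.autodetect_lines = "100"

  # The log is in this format if any of the first 100 lines match this regular expression
  log.format.autodetect_regular_expression = "(BOOTREQUEST|DHCPDISCOVER) from [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Each field is filled in by set_collected_field() calls in the parsing filter.
  log.fields = {
    id = ""
    cid = ""
    priority = ""
    operation = ""
    mac_address = ""
    client_gateway = ""
    lease_ip = ""
    relay = ""
    lease_duration = ""
    network = ""
    message = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `

    # Chop off trailing spaces
    while (ends_with(v.syslog_message, ' '))
      v.syslog_message = substr(v.syslog_message, 0, length(v.syslog_message) - 1);

    # Extract ID section, if any
    v.message = v.syslog_message;
    if (matches_regular_expression(v.message, '^\\\\[ID ([0-9]+) ([^]]+)\\\\] (.*)$')) then (
      set_collected_field('', 'id', $1);
      set_collected_field('', 'priority', $2);
      v.message = $3;
    );

    # Chop off dhcpd:, if any
    if (matches_regular_expression(v.message, '^dhcpd: (.*)$')) then (
      v.message = $1;
    );

    # Chop off UNIX syslog style header, if any.
    # e.g. 2010-02-24 20:08:00 Daemon.Info 12.34.56.78 Feb 24 20:07:51 98.76.54.32 dhcpd[2305]: DHCPINFORM from 23.45.67.89 via 13.24.35.46: not authoritative for subnet 23.45.67.0
    if (matches_regular_expression(v.message, '^[A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ [^[]+[[][^]]+[]]: (.*)$')) then
      v.message = $1;

    # Per-line state: the MAC address is collected once, after the chain, so
    # the parenthesized suffix can be stripped in a single place. The entry is
    # dropped unless one of the branches below sets v.accept_this_message.
    v.mac_address = "";
    v.accept_this_message = false;

    # e.g., "DHCPREQUEST for 172.19.59.43 from 01:1g:44:23:45:77 (1XYD01452) via eth1"
    # e.g., "DHCPREQUEST for 172.19.20.106 (172.18.241.11) from 00:0d:60:b0:c3:2e via 172.19.20.2: unknown lease 172.19.20.106."
    # NOTE(review): the final (.*) takes everything after "via", so in the
    # second example client_gateway also holds the ": unknown lease ..." text.
    # NOTE(review): capture groups 3 and 4 are read after the nested match on
    # v.for; this assumes that match leaves them intact - confirm.
    if (matches_regular_expression(v.message, '^(DHCPREQUEST) for (.*) from (.*) via (.*)$')) then (
      set_collected_field('', 'operation', $1);
      v.for = $2;
      # Keep only the first address when the lease IP is followed by a
      # second address in parentheses.
      if (matches_regular_expression(v.for, '^([0-9.]+) \\\\([0-9.]+\\\\)$')) then
        set_collected_field('', 'lease_ip', $1);
      else
        set_collected_field('', 'lease_ip', v.for);
      v.mac_address = $3;
      set_collected_field('', 'client_gateway', $4);
      v.accept_this_message = true;
    );

    # The whole message, including the subnet, becomes the operation value.
    else if (matches_regular_expression(v.message, '^(no free leases on subnet .*)$')) then (
      set_collected_field('', 'operation', $1);
      v.accept_this_message = true;
    );

    # Extract CID
    else if (matches_regular_expression(v.message, '^CID: ([0-9.]+ - .*$)')) then (
      set_collected_field('', 'cid', $1);
      v.accept_this_message = true;
    );

    else if (matches_regular_expression(v.message, '^(BOOTREQUEST) from ([0-9a-f:]+) via ([0-9.]+) ')) then (
      set_collected_field('', 'operation', $1);
      v.mac_address = $2;
      set_collected_field('', 'client_gateway', $3);
      v.accept_this_message = true;
    );

    else if (matches_regular_expression(v.message, '^(DHCPDISCOVER) from (.*) via (.*)$')) then (
      set_collected_field('', 'operation', $1);
      v.mac_address = $2;
      v.remainder = $3;
      # e.g. "eth1: network 10.241.35.0/24: no free leases"
      if (matches_regular_expression(v.remainder, '^([^:]+): network ([^:]+): (.*)$')) then (
        set_collected_field('', 'client_gateway', $1);
        set_collected_field('', 'network', $2);
        set_collected_field('', 'message', $3);
      );
      else
        set_collected_field('', 'client_gateway', v.remainder);
      v.accept_this_message = true;
    ); # DHCPDISCOVER

    # e.g. "DHCPACK to 172.19.43.236"
    else if (matches_regular_expression(v.message, '^(DHCPACK) to ([0-9.]+)$')) then (
      set_collected_field('', 'operation', $1);
      set_collected_field('', 'lease_ip', $2);
      v.accept_this_message = true;
    );

    # e.g. "DHCPNAK on 172.18.79.100 to 00:11:25:81:50:7a via eth1"
    # The gateway is collected with set_collected_field() like every other
    # branch. Assigning it to v.client_gateway only set a scratch variable
    # that nothing read afterwards, so DHCPNAK entries were stored without
    # the interface or relay they arrived on.
    else if (matches_regular_expression(v.message, '^(DHCPNAK) on ([0-9.]+) to (.*) via (.*)$')) then (
      set_collected_field('', 'operation', $1);
      set_collected_field('', 'lease_ip', $2);
      v.mac_address = $3;
      set_collected_field('', 'client_gateway', $4);
      v.accept_this_message = true;
    );

    # e.g. "DHCPOFFER on 172.19.60.123 to 00:0d:60:37:da:3e (1USL01705) via eth1 relay 172.19.60.2 lease-duration 120"
    else if (matches_regular_expression(v.message, '^(DHCPOFFER|DHCPACK) on ([^ ]+) to (.*) via (.*)$')) then (
      set_collected_field('', 'operation', $1);
      set_collected_field('', 'lease_ip', $2);
      v.mac_address = $3;
      v.remainder = $4;
      # Split off the relay and lease duration when both are present;
      # otherwise the whole remainder is stored as the gateway.
      if (matches_regular_expression(v.remainder, '^([^ ]+) relay ([0-9.]+) lease-duration ([0-9]+)$')) then (
        set_collected_field('', 'client_gateway', $1);
        set_collected_field('', 'relay', $2);
        set_collected_field('', 'lease_duration', $3);
      );
      else
        set_collected_field('', 'client_gateway', v.remainder);
      v.accept_this_message = true;
    );

    # e.g. "DHCPINFORM from 17.19.41.236 via eth1"
    # The "from" address is stored in lease_ip for this message type.
    else if (matches_regular_expression(v.message, '^(DHCPINFORM) from (.*) via (.*)$')) then (
      set_collected_field('', 'operation', $1);
      set_collected_field('', 'lease_ip', $2);
      set_collected_field('', 'client_gateway', $3);
      v.accept_this_message = true;
    );

    # Handle MAC addresses like "00:1d:60:37:df:3e (1XYL01705)"; strip off the parenthesized bit
    # A value that does not match this pattern is stored unchanged, so
    # mac_address is not guaranteed to hold a well-formed MAC address.
    if (matches_regular_expression(v.mac_address, '^([0-9a-z:]+) \\\\([^)]*\\\\)')) then
      set_collected_field('', 'mac_address', $1);
    else
      set_collected_field('', 'mac_address', v.mac_address);

    # Lines that matched no pattern above are not accepted.
    if (v.accept_this_message) then
      accept_collected_entry('', false);

  `

  # Database fields
  database.fields = {
    priority = ""
    operation = ""
    mac_address = ""
    client_gateway = ""
    lease_ip = ""
    relay = ""
    lease_duration = ""
    network = ""
    message = ""
    cid = ""
  } # database.fields

  database.numerical_fields = {

    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events

  } # database.numerical_fields

  log.filters = {

    # Sets events to 1 for each entry.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

  } # create_profile_wizard_options

} # iscdhcp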