# Copyright (c) 2014 Flowerfire, Inc.  All Rights Reserved.
winsshd_xml = {

  plugin_version = "1.0"

  info.1.manufacturer = "Bitvise"
  info.1.device = "WinSSHD"
  info.1.version.1 = "6" # 6.0.3

  # 2014-01-29 - 1.0 - GMF - Initial creation

  # The name of the log format
  log.format.format_label = "Bitvise WinSSHD Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression
  #<start time="2013-12-20 10:57:23.825462 -0600" appName="BvSshServer-APP01" appVersion="6.03" thisFile="C:\Program Files\Bitvise SSH Server - APP01\Logs\BvSshServer-APP0120131220-105723793-M0600.log"/>
  log.format.autodetect_regular_expression = "BvSshServer"

  log.format.date_format = "auto"
  log.format.time_format = "auto"

  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

    date = ""
    time = ""

    # <start>
    appname = ""
    appversion = ""
    thisfile = ""

    # <event>
    seq = ""
    app = ""
    name = ""
    desc = ""
    
    # <keypair>
    algorithm = ""
    size = ""
    md5 = ""
    babble = ""
    
    # <parameters>
    listenaddress = ""
    port = ""
    scope = ""
    serviceaccount = ""
    sessionid = ""
    exepath = ""
    computername = ""
    computerdomain = ""
    windowsversion = ""
    servicepack = ""
    isdomaincontroller = ""
    addressrule = ""
    clientversion = ""
    kexalg = ""
    cipheralgin = ""
    cipheralgout = ""
    macalgin = ""
    macalgout = ""
    compralgin = ""
    compalgout = ""

    # <session>
    id = ""
    remoteaddress = ""
  
    # <authentication>
    attemptnr = ""
    username = ""
    method = ""
    failurereason = ""
    
    # <error>
    type = ""
    message = ""


    events = ""

  } # log.fields


  # Database fields
  database.fields = {

    date_time = ""
    day_of_week = ""
    hour_of_day = ""

    # <start>
#    appname = ""
#    appversion = ""
#    thisfile = ""

    # <event>
#    seq = ""
#    app = ""
    name = ""
    desc = ""
    
    # <keypair>
    algorithm = ""
    size = ""
#    md5 = ""
#    babble = ""
    
    # <parameters>
    listenaddress = ""
    port = ""
    scope = ""
    serviceaccount = ""
    sessionid = ""
    exepath = ""
    computername = ""
    computerdomain = ""
    windowsversion = ""
    servicepack = ""
    isdomaincontroller = ""
    addressrule = ""
    clientversion = ""
    kexalg = ""
    cipheralgin = ""
    cipheralgout = ""
    macalgin = ""
    macalgout = ""
    compralgin = ""
    compalgout = ""

    # <session>
    id = ""
    remoteaddress = ""
  
    # <authentication>
    attemptnr = ""
    username = ""
    method = ""
    failurereason = ""
    
    # <error>
    type = ""
    message = {
      type = "unnormalized_string"
      index = false
      add_default_xref_table = false
    } # message

  } # database.fields


  log.parsing_filters.parse = `

#  <event seq="13" time="2013-12-20 11:09:58.407107 -0600" app="BvSshServer-APP01 6.03" name="I_CONNECT_ACCEPTED" desc="Connection accepted.">
if (matches_regular_expression(current_log_line(), '^  <event (.*)>$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
);

#    <session id="1002" remoteAddress="222.186.34.140:2909"/>
else if (matches_regular_expression(current_log_line(), '^    <session (.*)>$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
);

#    <keypair algorithm="ssh-dss" size="1024" md5="18:d6:e0:8b:1e:77:44:41:65:97:a1:34:40:1b:fa:7b" babble="xizoc-nizup-facis-tasir-bupab-nidos-buzym-vekig-tihod-nynud-sixox"/>
else if (matches_regular_expression(current_log_line(), '^    <keypair (.*)>$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
);

#    <parameters kexAlg="diffie-hellman-group14-sha1" cipherAlgIn="aes128-ctr" cipherAlgOut="aes128-ctr" macAlgIn="hmac-sha1" macAlgOut="hmac-sha1" comprAlgIn="none" comprAlgOut="none"/>
else if (matches_regular_expression(current_log_line(), '^    <parameters (.*)>$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
);

#    <error type="Exception"
#      message="...
else if (matches_regular_expression(current_log_line(), '^    <error type="([^"]+)"')) then (
  set_collected_field('', 'type', $1);
);
else if (matches_regular_expression(current_log_line(), '^      message="(.*)$')) then (
  set_collected_field('', 'message', $1);
);

else if (matches_regular_expression(current_log_line(), '^  </event>')) then (

  if (matches_regular_expression(get_collected_field('', 'time'), '^([0-9-]+) ([0-9:]+)[.]')) then (
    set_collected_field('', 'date', $1);
    set_collected_field('', 'time', $2);
  );

  set_collected_field('', 'events', 1);

  accept_collected_entry('', false);

); # </event>

` # parsing_filters

  database.numerical_fields = {
    
    events = {
      default = true
      entries_field = true
    } # events

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        pathname = true
      }
      event_group = {
        seq = ""
        app = ""
        name = ""
        desc = ""
      } # event_group
      keypair_group = {
        algorithm = ""
        size = ""
        md5 = ""
        babble = ""
      } # keypair_group
      parameters_group = {
        listenaddress = ""
        port = ""
        scope = ""
        serviceaccount = ""
        sessionid = ""
        exepath = ""
        computername = ""
        computerdomain = ""
        windowsversion = ""
        servicepack = ""
        isdomaincontroller = ""
        addressrule = ""
        clientversion = ""
        kexalg = ""
        cipheralgin = ""
        cipheralgout = ""
        macalgin = ""
        macalgout = ""
        compralgin = ""
        compalgout = ""
      } # parameters_group
      session_group = {
        id = ""
        remoteaddress = ""
      } # session_group
      authentication_group = {
        attemptnr = ""
        username = ""
        method = ""
        failurereason = ""
      } # authentication_group
      error_group = {
        type = ""
        message = ""
      } # error_group
    } # report_groups

  } # create_profile_wizard_options

} # winsshd_xml