# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log-format plug-in for the Guardix security appliance. It consumes
# syslog-delivered device messages and parses only the "ipfw:" (firewall)
# lines into pipe-delimited fields; everything else is accepted unparsed
# (see the notes above log.parsing_filters.parse).
guardix = {
  plugin_version = "1.0"
  # 2008-01-30 - GMF - Initial plug-in
  info.1.manufacturer = "HCTech"
  info.1.device = "Guardix"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Guardix Log Format (IPFW)"
  # Syslog framing is mandatory for this format; the filter below also strips
  # a second, embedded "Mon DD HH:MM:SS YYYY host " header when present.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "internet_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It accepts four message prefixes (ipfw, iplog, gaidp, httpfw) even though only
  # "ipfw:" lines are parsed into fields below; the other three are detected but
  # contribute no field values.
  # e.g. 2007-12-21 10:00:52 Local6.Alert 192.12.199.111 Dec 21 10:00:52 2007 ccguardix gaidp: 6218|GENUDP|P2P Bitcomet udp request|Detected|low|policy-violation|UDP|29.13.70.17|43335|110.81.132.24|9130|payload = d1:ad3:id20: 7D & E4 + C9D7 q E4C1 BA81 F61C DF4B 823D }6.9:info_hash20: CFA8 ' A123 719F 810F BAAD EB { 8F " 15F6 C0DE DE e1:q9:get_peers1:t8: 94 pR AC . 1D 8 DC 1:y1:qe|1|IN|ccguardix|
  log.format.autodetect_regular_expression = "(ipfw|iplog|gaidp|httpfw): [^|]+[|]([^|]*)[|]"
  # All field extraction is done by the parsing filter; there is no positional
  # format description for this plug-in.
  log.format.parse_only_with_filters = "true"

  # Log fields. Only the fields listed in the set_collected_field() calls of the
  # parsing filter are ever populated; event_type and comment are declared here
  # but never set by the filter (they stay empty unless another filter fills them).
  log.fields = {
    event_type = "" # ipfw
    action = ""
    rule_number = ""
    # Host-typed so the source address gets host (DNS/geolocation) treatment.
    source.type = "host"
    source_port = ""
    destination = ""
    destination_port = ""
    proto = ""
    type = ""
    interface = ""
    direction = ""
    count = ""
    len = ""
    # ttl = ""
    comment = ""
  } # log.fields

  # Parsing filter (Salang). Flow, as written below:
  #   1. If the message still carries a "Mon DD HH:MM:SS YYYY host " prefix,
  #      keep only the text after it.
  #   2. If the message is an "ipfw:" line with fifteen "|"-terminated fields,
  #      collect fields 1-12 as proto, source, source_port, destination,
  #      destination_port, type, interface, action, rule_number, direction,
  #      count, len. Fields 13-15 ("127", "info=", "ccguardix" in the example)
  #      are matched but not collected; field 13 may be the ttl that is
  #      commented out in log.fields -- TODO confirm against device docs.
  #   3. accept_collected_entry() is called unconditionally, so a line that is
  #      not an ipfw line, or an ipfw line with a different field count, appears
  #      to be accepted as an entry with no collected values. NOTE(review): if
  #      that is not intended, move the accept inside the ipfw block -- confirm
  #      the desired behaviour before changing it.
  log.parsing_filters.parse = `
# Strip of UNIX syslog head, if any
if (matches_regular_expression(v.syslog_message, "^[A-Z]?[a-z][a-z] [ 0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9][0-9][0-9][0-9] [^ ]+ (.*)$")) then
  v.syslog_message = $1;

# Handle ipfw lines
# ipfw: TCP|110.71.162.123|3108|78.17.136.63|12803|*.*|1|Allow|14|ToWAN|1|48|127|info=|ccguardix|
if (matches_regular_expression(v.syslog_message, "^ipfw: ([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]([^|]*)[|]")) then (
  set_collected_field('', 'proto', $1);
  set_collected_field('', 'source', $2);
  set_collected_field('', 'source_port', $3);
  set_collected_field('', 'destination', $4);
  set_collected_field('', 'destination_port', $5);
  set_collected_field('', 'type', $6);
  set_collected_field('', 'interface', $7);
  set_collected_field('', 'action', $8);
  set_collected_field('', 'rule_number', $9);
  set_collected_field('', 'direction', $10);
  set_collected_field('', 'count', $11);
  set_collected_field('', 'len', $12);
); # if ipfw

accept_collected_entry('', false);
`

  # Database fields. Mirrors log.fields except that count and len are numerical
  # (see database.numerical_fields) and location has no log-field counterpart --
  # presumably derived from the host-typed source field; verify against the
  # Sawmill host-field conventions before relying on it.
  database.fields = {
    event_type = "" # ipfw
    action = ""
    rule_number = ""
    source = ""
    location = ""
    source_port = ""
    destination = ""
    destination_port = ""
    proto = ""
    type = ""
    interface = ""
    direction = ""
    # ttl = ""
    comment = ""
  } # database.fields

  database.numerical_fields = {
    # Event counter; entries_field = true marks it as the per-entry count.
    count = {
      default = true
      requires_log_field = false
      entries_field = true
    } # count
    # Earlier definition of count, kept commented out for history.
    # count = {
    #   default = true
    #   requires_log_field = false
    # } # count
    # Byte length from ipfw field 12, summed as a 64-bit integer and shown as bandwidth.
    len = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # len
  } # database.numerical_fields
} # guardix