# Copyright (c) 2012 Flowerfire, Inc.  All Rights Reserved.
citrix_netscaler = {

  plugin_version = "1.5.4"

  info.1.manufacturer = "Citrix"
  info.1.device = "NetScaler"
  info.1.version.1 = "8.0"
  info.1.version.2 = "9.0" # build 67.7

  # 2007-10-22 - 1.0 - KBB - Initial creation
  # 2008-04-07 - 1.1 - KBB - Added support for new line format (Context lines)
  # 2008-09-19 - 1.2 - GMF - Added support for variant with an integer before the :
  # 2009-06-12 - 1.2.1 - GMF - Added support for extracting CMD_EXECUTED lines
  # 2009-06-18 - 1.2.2 - KBB - Added support for variant with an integer before the second :
  # 2009-07-16 - 1.2.3 - GMF - Fixed bug with tracking of "command" field
  # 2009-07-29 - 1.2.4 - GMF - Added support for Device...State lines
  # 2009-08-24 - 1.3 - KBB - Added support for Citrix 9.0. Also fixed duration calculation for
  # Context lines, added support for more Context lines, and added support for commands with
  # quotes in them. Grouped reports since there are so many fields now. Grouping could be better.
  # 2009-08-26 - 1.3.1 - KBB - Removed logging of end and delink times. Added duration calculation
  # for start_time and end_time. (end_time and delink_time seem always the same as date_time.)
  # 2009-08-27 - 1.3.2 - KBB - Added support for Monitor...State lines
  # 2010-12-20 - 1.3.3 - gas - added new variant (session id field)
  # 2012-07-14 - 1.4 - XYZ - Contributed changes by XYZ [ThreadID:1272067]
  # 2013-03-15 - 1.4.1 - GMF - Added support for an extra number field before the colon
  # 2013-09-17 - 1.4.2 - GMF - Added failure_reason.  Added discarding of extra IP field at beginning of line.  ThreadID:1295345.
  # 2013-09-20 - 1.5 - GMF - Added field-by-field parsing of log entries.  Added concurrent connection analysis.
  # 2013-09-25 - 1.5.1 - GMF - Added parsing of additional fields in CLISEC_EXP_EVAL and CLISEC_CHECK
  # 2013-09-25 - 1.5.2 - GMF - Added parsing of full message from CLISEC_EXP_EVAL and CLISEC_CHECK
  # 2013-09-25 - 1.5.3 - GMF - Extended the maximum table value length, so the whole message appears.
  # 2014-05-22 - 1.5.4 - GMF - Added trimming of leading <N>

  # The name of the log format
  log.format.format_label = "Citrix NetScaler Log Format"
  log.miscellaneous.log_data_type = "syslog_required"  
  log.miscellaneous.log_format_type = "network_device"

  # Allow very long cell values (for the "message" field).
  statistics.sizes.table_cell.maximum_text_length = "1000"

  # The log is in this format if any of the first ten lines match this regular expression
  #Oct 10 22:39:13 <local0.warn> 66.36.236.66 10/10/2007:14:39:13 GMT ns : APPFW APPFW_STARTURL :  220.133.110.194 fetpoc Disallow Illegal URL: http://61.31.230.67/board/ <not blocked>
  #2007-11-09	11:25:35	Local0.Info	10.2.66.226	 11/09/2007:03:25:05 GMT agee : SSLVPN TCPCONNSTAT : Context user01@10.2.66.226 - User user01 - Client_ip 10.2.66.226 - Nat_ip 10.2.66.226 - Vserver 10.2.66.236:443 - Source 10.2.66.226:1404 - Destination 127.0.0.1:80 - Start_time "11/09/2007:03:25:04 GMT" - End_time "11/09/2007:03:25:05 GMT" - Duration 00:00:01  - Total_bytes_send 463 - Total_bytes_recv 2379 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "accounting"
  #2009-06-17 17:08:41	Local0.Info	172.16.55.55	06/18/2009:01:07:20 GMT access : UI CMD_EXECUTED 8454 :  User poweruser - Remote_ip 172.16.54.54 - Command "login" - Status "Success"
  #Aug 17 15:00:00 155.155.155.55 08/17/2009:19:00:00 GMT  : TCP CONN_DELINK 170566 :  Source 10.5.55.55:2567 - Vserver 155.155.155.54:443 - NatIP 155.155.155.56:49734 - Destination 155.155.155.57:9212 - Delink Time 08/17/2009:19:00:00 GMT - Total_bytes_send 0 - Total_bytes_recv 12918
  #Feb  7 03:01:01 <local0.info> 10.116.218.93 02/07/2013:08:01:01 GMT NetScaler 0-PPE-0 : SSLVPN UDPFLOWSTAT 184746 0 : Context ABC1234@somewhere.com@12.34.56.78 - SessionId: 142- User ABC1234@somewhere.com - Client_ip 23.45.67.89 - Nat_ip 11.22.33.44 - Vserver 22.33.44.55:443 - Source 127.100.0.142:55035 - Destination 33.44.55.66:53 - Start_time "02/07/2013:07:58:53 GMT" - End_time "02/07/2013:08:01:01 GMT" - Duration 00:02:08  - Total_bytes_send 48 - Total_bytes_recv 101 - Access Allowed - Group(s) "VPN IS Access"

#  log.format.autodetect_regular_expression = "[0-9]{2}/[0-9]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ ([^ ]*) ([A-Z0-9-]+ )?: [A-Z_]+ [A-Z_]+ ([0-9]+ )?([0-9]+ )?: "
  log.format.autodetect_regular_expression = "[0-9]{2}/[0-9]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]* [^ ]+ ([^ ]*) ([A-Z0-9-]+ )?: [A-Z_]+ [A-Z_]+ ([0-9]+ )?([0-9]+ )?: "
  log.format.autodetect_lines = 20000

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  log.fields = {

    host_name = ""
    application_type = ""
    validation_type = ""
    client_ip = ""
    application = ""
    url.type = "page"
    message = ""
    result = ""

    context = ""
    user = ""
    nat_ip = ""
    vserver = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    groups = ""

    remote_ip = ""
    command = ""
    status = ""

    device = ""
    monitor = ""
    state = ""

    browser_type.type = "agent"
    sslvpn_client_type = ""

    start_time = ""
#    end_time = ""
#    delink_time = ""

    duration = ""
    total_bytes_send = ""
    total_bytes_recv = ""

    http_resources_accessed = ""
    nonhttp_resources_accessed = ""
    total_tcp_connections = ""
    total_udp_flows = ""
    total_policies_allowed = ""
    total_policies_denied = ""

# XYZ for Login and failed logins

	login = ""
	failed_login = ""
        failure_reason = ""

  } # log.fields

  log.filters = {

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  log.parsing_filters.parse = `

# If there's an IP before the date, ignore it
#Sep  5 11:00:01 <local0.info> 10.68.52.21 09/05/2013:11:00:01 GMT ns PPE-1 : SSLVPN TCPCONNSTAT 3750850 : Context 012977@67.186.176.149 - SessionId: 5067- User 012977 - Client_ip 67.186.176.149 - Nat_ip 10.68.232.185 - Vserver 170.88.180.230:47873 - Source 67.186.176.149:2020 - Destination 10.78.118.35:139 - Start_time "09/05/2013:10:59:32 GMT" - End_time "09/05/2013:11:00:01 GMT" - Duration 00:00:29  - Total_bytes_send 1 - Total_bytes_recv 1 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 20 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "CAG Migration"
if (matches_regular_expression(v.syslog_message, '^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ (.*)$')) then
  v.syslog_message = $1;

# CHop off leading <N>
#00:00.4,172.21.120.112,<134> 02/05/2014:08:00:00 GMT ns PPE-0 : SSLVPN HTTPREQUEST 5320169 : Context abc@12.34.56.78 - SessionId: 18110- 23.45.67.89 User abc : Group(s) ctxNS_NavUI : Vserver 98.76.54.32:47873 - 02/05/2014:08:00:00 GMT GET /Citrix/AGEE/auth/silentDetection.aspx - -
if (matches_regular_expression(v.syslog_message, '^<[0-9]+> +(.*)$')) then
  v.syslog_message = $1;

#Aug 29 11:54:32 <local0.warn> 66.66.236.66 08/29/2007:03:54:32 GMT ns : APPFW APPFW_FIELDFORMAT :  216.66.216.66 znet_hello http://hello.znet.goodbye.tw/book.jsp?id=2G024132&status=1&searchFunction=&searchContent=&searchStatus=-1&searchSO=&searchUserID=&searchStage=0&year=2007&month=08&day=29&year2=2007&month2=08&day2=29&setupyear=null&setupmonth=n Field format check failed for field searchfunction="" <not blocked>
# 2013-03-15 - GMF - Added support for another numerical field before the colon:
  #Feb  7 03:01:01 <local0.info> 10.116.218.93 02/07/2013:08:01:01 GMT NetScaler 0-PPE-0 : SSLVPN UDPFLOWSTAT 184746 0 : Context ABC1234@somewhere.com@12.34.56.78 - SessionId: 142- User ABC1234@somewhere.com - Client_ip 23.45.67.89 - Nat_ip 11.22.33.44 - Vserver 22.33.44.55:443 - Source 127.100.0.142:55035 - Destination 33.44.55.66:53 - Start_time "02/07/2013:07:58:53 GMT" - End_time "02/07/2013:08:01:01 GMT" - Duration 00:02:08  - Total_bytes_send 48 - Total_bytes_recv 101 - Access Allowed - Group(s) "VPN IS Access"
if (matches_regular_expression(v.syslog_message, '^ *([0-9]{2}/[0-9]{2}/[0-9]{4}): ?([0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]* [^ ]+ ([^ ]+)? ([A-Z0-9-]+ )?: ([^ ]+) ([^ ]+) ([0-9]+ )?([0-9]+ )?: (.*)$')) then (

  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  set_collected_field('', 'host_name', $3);
  set_collected_field('', 'application_type', $5);
  set_collected_field('', 'validation_type', $6);
  v.message = $9;

  # e.g. #Oct 11 02:28:30 <local0.warn> 66.36.236.66 10/10/2007:18:28:30 GMT ns : APPFW APPFW_XSS :  226.166.116.166 falcon http://falcon.hawk.com/prey/?search=<script>alert(document.cookie)</script> Cross-site script check failed for search="<script>alert(document.cookie)<" <blocked>
  if (matches_regular_expression(v.message, '^ *([0-9.]+) ([^ ]+) ([^ ]+) (.*)$')) then (

    set_collected_field('', 'client_ip', $1);
    set_collected_field('', 'application', $2);
    set_collected_field('', 'url', $3);
    v.message = $4;
    if (matches_regular_expression(v.message, '^(.*) <([^>]+)>$')) then (
      v.message = $1;
      set_collected_field('', 'result', $2);
    );
    set_collected_field('', 'message', v.message);

  ); # if content message


  ## IF CONTEXT START ##
  ## match 1
  # 2007-11-09	11:25:35	Local0.Info	1.2.3.4	 11/09/2007:03:25:05 GMT abcd : SSLVPN TCPCONNSTAT : Context user01@4.3.2.1 - User user01 - Client_ip 5.6.7.8 - Nat_ip 9.8.7.6 - Vserver 2.3.4.5 - Source 3.4.5.6:1234 - Destination 4.5.6.7:80 - Start_time "11/09/2007:03:25:04 GMT" - End_time "11/09/2007:03:25:05 GMT" - Duration 00:00:01  - Total_bytes_send 463 - Total_bytes_recv 2379 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "accounting"
  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Source ([0-9.]+):([0-9]+) - Destination ([0-9.]+):([0-9]+) - Start_time "([^"]+)" - End_time "([^"]+)" - Duration ([0-9:]+)  - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - ([^-]+) - Group[(]s[)] "([^"]+)"')) then (

    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'source_ip', $6);
    set_collected_field('', 'source_port', $7);
    set_collected_field('', 'destination_ip', $8);
    set_collected_field('', 'destination_port', $9);
    set_collected_field('', 'start_time', $10);
#    set_collected_field('', 'end_time', $11);
    v.duration = $12;
    set_collected_field('', 'total_bytes_send', $13);
    set_collected_field('', 'total_bytes_recv', $14);
#    set_collected_field('', 'total_compressedbytes_send', $15);
#    set_collected_field('', 'total_compressedbytes_recv', $16);
#    set_collected_field('', 'compression_ratio_send', $17);
#    set_collected_field('', 'compression_ratio_recv', $18);
    set_collected_field('', 'result', $19);
    set_collected_field('', 'groups', $20);

    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
# XYZ	removed Duration as it was being added to the total duration from the log out
#    set_collected_field('', 'duration', v.duration);

  );

### XYZ 
#:2012-03-21T19:18:30.459211+00:00  03/21/2012: 19:18:30 GMT  PPE-6 : SSLVPN HTTPREQUEST 54 : Context dominic.catanzariti@121.45.194.148 - SessionId: 4- 203.6.68.2 User dominic.catanzariti : Group(s) N/A : Vserver 172.24.150.4:47873 - 03/21/2012:19:18:30 GMT GET /citrix/default - -

  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - SessionId: [^ ]+- [0-9.]+ User ([^ ]+) : Group[(]s[)] (.+) : Vserver ([^ ]+) - [0-9]{2}/[0-9]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3} ([^-]+) - .*')) then (
    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'vserver', $4);
    set_collected_field('', 'groups', $3);
    set_collected_field('', 'command', $5);


  );


  ## Match 2
  #2007-11-09	11:25:16	Local0.Info	10.2.2.2	 11/09/2007:03:24:45 GMT agee : SSLVPN LOGIN : Context user01@10.2.2.1 - User user01 - Client_ip 10.2.2.1 - Nat_ip "Mapped Ip" - Vserver 10.2.2.3:443 - Browser_type "Mozilla/4.0 (Compatible; MSIE 5.5; NetScaler 5.1)" - SSLVPN_client_type ActiveX - Group(s) "accounting"
   else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - SessionId: [^ ]+- User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Browser_type "([^"]+)" - SSLVPN_client_type ([^ ]+) - Group\\\\(s\\\\) "([^"]+)"')) then (
#   else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "Mapped Ip" - Vserver ([^ ]+) - Browser_type "([^"]+)" - SSLVPN_client_type ([^ ]+) - Group\\\\(s\\\\) "([^"]+)"
 
    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'browser_type', $6);
    set_collected_field('', 'sslvpn_client_type', $7);
    set_collected_field('', 'groups', $8);
# XYZ
	set_collected_field('', 'login', 1);

  );
  ## match 3
  #2007-11-09	11:26:15	Local0.Info	10.2.2.2	 11/09/2007:03:25:45 GMT agee : SSLVPN LOGOUT : Context user01@10.2.2.21 - User user01 - Client_ip 10.2.2.22 - Nat_ip "Mapped Ip" - Vserver 10.2.2.23:443 - Start_time "11/09/2007:03:24:12 GMT" - End_time "11/09/2007:03:25:45 GMT" - Duration 00:01:33  - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 61 - Total_UDP_flows 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 29008 - Total_bytes_recv 1292093 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "accounting"
  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - SessionId: [^ ]+- User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Start_time "([^"]+)" - End_time "([^"]+)" - Duration ([0-9:]+) *- Http_resources_accessed ([0-9]+) - NonHttp_services_accessed ([0-9]+) - Total_TCP_connections ([0-9]+) - Total_UDP_flows ([0-9]+) - Total_policies_allowed ([0-9]+) - Total_policies_denied ([0-9]+) - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - LogoutMethod "([^"]+)" - Group\\\\(s\\\\) "([^"]+)"')) then (

    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'start_time', $6);
#    set_collected_field('', 'end_time', $7);
    v.duration = $8;
    set_collected_field('', 'http_resources_accessed', $9);
    set_collected_field('', 'nonhttp_resources_accessed', $10);
    set_collected_field('', 'total_tcp_connections', $11);
    set_collected_field('', 'total_udp_flows', $12);
    set_collected_field('', 'total_policies_allowed', $13);
    set_collected_field('', 'total_policies_denied', $14);
    set_collected_field('', 'total_bytes_sent', $15);
    set_collected_field('', 'total_bytes_recv', $16);
#    set_collected_field('', 'total_compressedbytes_send', $17);
#    set_collected_field('', 'total_compressedbytes_recv', $18);
#    set_collected_field('', 'compression_ratio_send', $19);
#    set_collected_field('', 'compression_ratio_recv', $20);
    set_collected_field('', 'logout_method', $21);
    set_collected_field('', 'groups', $22);

    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
    set_collected_field('', 'duration', v.duration);

  ); # 

  ## match 4 (v1.3.3 - gas)
  ## Nov 28 23:00:17 10.73.98.118 11/29/2010:10:00:17 GMT UAPP-CTX PPE-0 : SSLVPN TCPCONNSTAT 2505477 : Context 123@123.123.123.123 - SessionId: 3490- User U123 - Client_ip 123.123.123.123 - Nat_ip 123.123.123.123 - Vserver 123.123.123.123:443 - Source 123.123.123.123:52556 - Destination 123.123.123.123:1361 - Start_time "11/29/2010:09:59:46 GMT" - End_time "11/29/2010:10:00:17 GMT" - Duration 00:00:31 - Total_bytes_send 2563 - Total_bytes_recv 461 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "GG-VPNSSL-xxx-VIPUsers"
  else if (matches_regular_expression(v.message, '^ *Context ([^ ]+) - SessionId: [^ ]+- User ([^ ]+) - Client_ip ([^ ]+) - Nat_ip "?([^ "]+|Mapped I[pP])"? - Vserver ([^ ]+) - Source ([0-9.]+):([0-9]+) - Destination ([0-9.]+):([0-9]+) - Start_time "([^"]+)" - End_time "([^"]+)" - Duration ([0-9:]+) *- Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - ([^-]+) - Group[(]s[)] "([^"]+)"')) then (

    set_collected_field('', 'context', $1);
    set_collected_field('', 'user', $2);
    set_collected_field('', 'client_ip', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'vserver', $5);
    set_collected_field('', 'source_ip', $6);
    set_collected_field('', 'source_port', $7);
    set_collected_field('', 'destination_ip', $8);
    set_collected_field('', 'destination_port', $9);
    set_collected_field('', 'start_time', $10);
#    set_collected_field('', 'end_time', $11);
    v.duration = $12;
    set_collected_field('', 'total_bytes_send', $13);
    set_collected_field('', 'total_bytes_recv', $14);
    set_collected_field('', 'total_compressedbytes_send', $15);
    set_collected_field('', 'total_compressedbytes_recv', $16);
    set_collected_field('', 'compression_ratio_send', $17);
    set_collected_field('', 'compression_ratio_recv', $18);
    set_collected_field('', 'result', $19);
    set_collected_field('', 'groups', $20);

    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
# XYZ remove duration 
#    set_collected_field('', 'duration', v.duration);

  ); # if Context (four variations)
  ## IF CONTEXT END

  # 2009-05-19        18:25:31        Local0.Info     192.168.1.1      05/19/2009:10:25:34 GMT ns 233 : UI CMD_EXECUTED :  User nsroot - Remote_ip 127.0.0.1 - Command "show ns runningConfig" - Status "Success"
#  else if (matches_regular_expression(v.message, '^ *User ([^ ]+) - Remote_ip ([^ ]+) - Command "([^"]+)" - Status "([^"]+)"')) then (
  else if (matches_regular_expression(v.message, '^ *User ([^ ]+) - Remote_ip ([^ ]+) - Command "(.*)')) then (
    set_collected_field('', 'user', $1);
    set_collected_field('', 'remote_ip', $2);

    # Unfortunately, the command may have " in it.
    #Sep 12 11:41:51 192.168.2.2 09/12/2008:06:26:07 GMT ns 35922 : UI CMD_EXECUTED :  User someone - Remote_ip 127.0.0.1 - Command "scp -f "/var/log/ns.log"" - Status "Success"
    v.remainder = $3;
    if (matches_regular_expression(v.remainder, '(.*)" - Status "([^"]+)"')) then (
      set_collected_field('', 'command', $1);
      set_collected_field('', 'status', $2);
    );
  );

  #...User 020126: - Client IP 173.62.1.208 - Vserver 80.170.180.230:443 - Client security expression CLIENT.OS(win7).SP == 1 evaluated to FALSE(3)
  else if (matches_regular_expression(v.message, ' *User ([^ ]+) - Client IP ([^ ]+) - Vserver ([^ ]+) - (.*)$')) then (
    set_collected_field('', 'user', $1);
    set_collected_field('', 'client_ip', $2);
    set_collected_field('', 'vserver', $3);
    set_collected_field('', 'message', $4);
    v.message = $4;
  );

  # from Citrix 9.0
  #Aug 17 15:00:00 150.198.164.55 08/17/2009:19:00:00 GMT  : TCP CONN_TERMINATE 170567 :  Source 66.166.160.166:1619 - Destination 155.155.155.55:443 - Start Time 08/17/2009:18:58:21 GMT - End Time 08/17/2009:19:00:00 GMT - Total_bytes_send 126 - Total_bytes_recv 0
  else if (matches_regular_expression(v.message, '^ *Source ([0-9.]+):([0-9]+) - Destination ([0-9.]+):([0-9]+) - Start Time (([0-9]{2}/[0-9]{2}/[0-9]{4}):([0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+) - End Time ([0-9]{2}/[0-9]{2}/[0-9]{4}):([0-9]{2}:[0-9]{2}:[0-9]{2}) [^ ]+ - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+)')) then (

    set_collected_field('', 'source_ip', $1);
    set_collected_field('', 'source_port', $2);
    set_collected_field('', 'destination_ip', $3);
    set_collected_field('', 'destination_port', $4);
    set_collected_field('', 'start_time', $5);
    v.start_date = normalize_date($6, "mm/dd/yyyy");
    v.start_time = $7;
    v.end_date = normalize_date($8, "mm/dd/yyyy");
    v.end_time = $9;
    set_collected_field('', 'total_bytes_send', $10);
    set_collected_field('', 'total_bytes_recv', $11);

    # Calculate duration
    int start_time_epoc = date_time_to_epoc(v.start_date . " " . v.start_time);
    int end_time_epoc = date_time_to_epoc(v.end_date . " " . v.end_time);
# XYZ 
#    set_collected_field('', 'duration', end_time_epoc - start_time_epoc);

  );

  # from Citrix 9.0
  #Aug 17 15:00:00 155.155.155.55 08/17/2009:19:00:00 GMT  : TCP CONN_DELINK 170566 :  Source 10.5.55.55:2567 - Vserver 155.155.155.54:443 - NatIP 155.155.155.56:49734 - Destination 155.155.155.57:9212 - Delink Time 08/17/2009:19:00:00 GMT - Total_bytes_send 0 - Total_bytes_recv 12918
  else if (matches_regular_expression(v.message, '^ *Source ([0-9.]+):([0-9]+) - Vserver ([^ ]+) - NatIP ([^ ]+) - Destination ([0-9.]+):([0-9]+) - Delink Time ([0-9]{2}/[0-9]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+) - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+)')) then (

    set_collected_field('', 'source_ip', $1);
    set_collected_field('', 'source_port', $2);
    set_collected_field('', 'vserver', $3);
    set_collected_field('', 'nat_ip', $4);
    set_collected_field('', 'destination_ip', $5);
    set_collected_field('', 'destination_port', $6);
    set_collected_field('', 'delink_time', $7);
    set_collected_field('', 'total_bytes_send', $8);
    set_collected_field('', 'total_bytes_recv', $9);

  );

  # Jun  4 14:51:37 <local0.notice> 192.168.1.1 06/04/2009:06:50:38 GMT ns : EVENT DEVICEUP 3 :  Device "server_ABCDE_AAA_127.0.0.1:8777(internal)" - State UP
  else if (matches_regular_expression(v.message, '^ *Device "([^"]+)" - State (.*)$')) then (
    set_collected_field('', 'device', $1);
    set_collected_field('', 'state', $2);
  );

  #2009-06-14 22:34:39	Local0.Info	165.16.16.66	06/15/2009:06:33:21 GMT access : EVENT MONITORUP 8448 :  Monitor Name_of_Monitor-more_about_monitor(165.16.16.65:80) - State UP
  else if (matches_regular_expression(v.message, '^ *Monitor ([^ ]+) - State (.*)$')) then (
    set_collected_field('', 'monitor', $1);
    set_collected_field('', 'state', $2);
  );

  else if (matches_regular_expression(v.message, '^ User ([^ ]+) - Client_ip ([0-9.]+) - Failure_reason (.*)$')) then (
     set_collected_field('', 'user', $1);
     set_collected_field('', 'client_ip', $2);
     set_collected_field('', 'failure_reason', $3);
     set_collected_field('', 'failed_login', 1);
  );

  else if (matches_regular_expression(v.message, '^ Source ([0-9.]+):[0-9]+ - Destination ([0-9.]+):[0-9]+ - username:domainname ([^:]+):[^ ]+ - applicationName ([^ ]+) - startTime [^-]+- connectionId [0-9abcdef]+')) then (
      set_collected_field('', 'user', $3);
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'destination_ip', $2);
      set_collected_field('', 'application', $4);
   );
   else if (matches_regular_expression(v.message, '^ Source ([0-9.]+):[0-9]+ - Destination ([0-9.]+):[0-9]+ - username:domain_name ([^:]+):[^ ]+ - Start_time "[^"]+" - End_time "[^"]+" - Duration ([0-9:]+)  - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - Total_compressedbytes_send ([0-9]+) - Total_compressedbytes_recv ([0-9]+) - Compression_ratio_send ([0-9.%]+) - Compression_ratio_recv ([0-9.%]+) - connectionId [0-9abcdef]+')) then (
#   else if (matches_regular_expression(v.message, '^ Source ([0-9.]+):[0-9]+ - Destination ([0-9.]+):[0-9]+ - username:domain_name ([^:]+):[^ ]+ - Start_time "[^"]+" .*')) then (
#   else if (matches_regular_expression(v.message, '^ Source ([0-9.]+):[0-9]+ - Destination ([0-9.]+):[0-9]+ - username:domain_name ([^:]+):[^ ]+ - Start_time "[^"]+" - End_time "[^"]+" - Duration ([0-9:]+) .*')) then (
#   else if (matches_regular_expression(v.message, '^ Source ([0-9.]+):[0-9]+ - Destination ([0-9.]+):[0-9]+ - username:domain_name ([^:]+):[^ ]+ - Start_time "[^"]+" - End_time "[^"]+" - Duration ([0-9:]+)  - Total_bytes_send ([0-9]+) - Total_bytes_recv ([0-9]+) - .*')) then (
      set_collected_field('', 'user', $3);
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'destination_ip', $2);
      v.duration = $4;
    set_collected_field('', 'total_bytes_send', $5);
    set_collected_field('', 'total_bytes_recv', $6);
#    set_collected_field('', 'total_compressedbytes_send', $17);
#    set_collected_field('', 'total_compressedbytes_recv', $18);
#    set_collected_field('', 'compression_ratio_send', $19);
    if (matches_regular_expression(v.duration, '(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
      v.duration = $5;
      if ($4 ne '') then v.duration += 60 * $4;
      if ($2 ne '') then v.duration += 60 * 60 * $2;
    );
    set_collected_field('', 'duration', v.duration);
    );

  # 2013-09-20 - GMF - Try decomposing a message into field.  It might actually be possible to get rid of everything above, and just do this.
  while (v.message ne '') (
#echo("Decomposing v.message=" . v.message);
    if (false) then ( )
    else if (matches_regular_expression(v.message, '^Access Allowed - (.*)$')) then (
      v.message = $1;
    );
    else if (matches_regular_expression(v.message, '^([A-Z][a-z_()]+) ([^ ]+) +- (.*)$')) then (
      set_collected_field('', lowercase($1), $2);
      v.message = $3;
    );
    else if (matches_regular_expression(v.message, '^(SessionId): ([^-]+)- (.*)$')) then (
      set_collected_field('', lowercase($1), $2);
      v.message = $3;
    );
    else if (matches_regular_expression(v.message, '^([A-Z][a-z_]+) "([^"]+)" - (.*)$')) then (
      set_collected_field('', lowercase($1), $2);
      v.message = $3;
    );
    else if (matches_regular_expression(v.message, '^([A-Z][a-z_()]+) ([^ ]+)$')) then (
      set_collected_field('', lowercase($1), $2);
      v.message = '';
    );
    else if (matches_regular_expression(v.message, '^([A-Z][a-z_()]+) "([^"]+)"$')) then (
      set_collected_field('', lowercase($1), $2);
      v.message = '';
    );
    else
      v.message = '';
  );

  if (matches_regular_expression(get_collected_field('', 'duration'), '^(([0-9]+):)?(([0-9]+):)?([0-9]+)')) then (
    set_collected_field('', 'duration', $5 + 60 * $4 + 60 * 60 * $2);
#    if ($4 ne '') then v.duration += 60 * $4;
#    if ($2 ne '') then v.duration += 60 * 60 * $2;
  );

  accept_collected_entry('', false);
);

`

  database.fields = {

    day_of_week = ""
    hour_of_day = ""
    host_name = ""
    application_type = ""
    validation_type = ""
    context = ""
    user = ""
    client_ip = ""
    nat_ip = ""
    vserver = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    application = ""
    url = ""
    message = ""
    result = ""
    groups = ""

    remote_ip = ""
    command = ""
    status = ""

    device = ""
    monitor = ""
    state = ""

    sslvpn_client_type = ""

    browser_type = ""
    operating_system = ""
#    spider = ""

    failure_reason = ""

#    start_time = ""
#    end_time = ""
#    delink_time = ""

  } # database.fields

  database.numerical_fields = {

    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events

# XYZ
	login = {
	default = true
	entries_field = true
	log_field = "login"
	}

	failed_login = {
	default = true
	entries_field = true
	log_field = "failed_login"
	}

    duration = {
      type = int
      display_format_type = duration_compact
    } # duration

    total_bytes_send = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # total_bytes_send

    total_bytes_recv = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # total_bytes_recv

    http_resources_accessed = ""
    nonhttp_resources_accessed = ""
    total_tcp_connections = ""
    total_udp_flows = ""
    total_policies_allowed = ""
    total_policies_denied = ""

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        url = true
      }
      source_group = {
        source_ip = true
        source_port = true
        client_ip = true
      }
      destination_group = {
        remote_ip = true
        destination_ip = true
        destination_port = true
      }
      users_group = {
        context = true
        user = true
        groups = true
        browser_type = true
        operating_system = true
        failure_reason = true
      }
      other_group = {
        host_name = true
        application_type = true
        application = true
        validation_type = true
        message = true
        result = true
        nat_ip = true
        vserver = true
        command = true
        status = true
    	device = true
		monitor = true
    	state = true
        sslvpn_client_type = true
        start_time = true
#        end_time = true
#        delink_time = true
      }
    } # report_groups

    snapons = {

      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports

      # Attach a concurrent_events snapon to compute concurrent connections
      concurrent_connections = {
        snapon = "concurrent_events"
        name = "concurrent_connections"
        label = "$lang_admin.snapons.plugins.flash_media_server.concurrent_connections"
        parameters = {
          date_time_field.parameter_value = "date_time"
          duration_field.parameter_value = "duration"
          concurrent_events_name = {
            parameter_value = "$lang_stats.field_labels.concurrent_connections"
            final_node_name = "concurrent_connections"
          }
        } # parameters

        requires_database_fields = {  
          date_time = true
          duration = true
        }

      } # concurrent_connections
  
    } # snapons

  } # create_profile_wizard_options

} # citrix_netscaler