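# Copyright (c) 2013 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Ipswitch MOVEit DMZ FTP server log.
# One database entry is produced per file transfer ("Downloading"/"Uploading"
# line); session context (date/time, client IP, user) is collected per thread
# id and attached to each transfer entry.

moveit_dmz = {

  plugin_version = "1.0"

  # Fixed: key was misspelled "manfacturer".
  info.1.manufacturer = "Ipswitch"
  info.1.device = "MOVEit DMZ"
  info.1.version.1 = ""

  # Plugin Version info
  # 2013-11-26 - 1.0 - GMF - Initial implementation

  # The name of the log format
  log.format.format_label = "Ipswitch MOVEit DMZ"
  log.miscellaneous.log_data_type = "ftp"
  log.miscellaneous.log_format_type = "ftp_server"

  # The log is in this format if any of the first autodetect_lines (200) lines
  # match this regular expression. Note that only "Sess N sent:" / "Sess N got cmd:"
  # lines match; the "Sess N:" connect line and the "Downloading ..." /
  # "Searching for ..." lines do not (a colon follows the session number, or
  # there is no "Sess" token at all).
  log.format.autodetect_regular_expression = "^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [a-z0-9]+ [0-9a-f]+: Sess [0-9]+ "
  log.format.autodetect_lines = 200

  # All field extraction is done by log.parsing_filters.parse below.
  log.format.parse_only_with_filters = "true"

  log.fields = {
    date_time = ""
    session_id = ""
    client_ip = ""
    user = ""
    pathname = ""
    events = ""
    uploads = ""
    downloads = ""
  } # log.fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    session_id = ""
    client_ip = ""
    user = ""
    pathname = ""
  } # database.fields

  # Sample log (one FTPS session: connect, AUTH TLS, login, LIST, RETR with
  # integrity check, Quit). The password is written as "(suppressed)" by the server.
  #2013-09-21 03:30:48 z0 193c: Sess 18: Client connected from 10.173.10.11 on port 21 (from port 2252)
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 220-Welcome authorized users.
  #2013-09-21 03:30:48 z4 193c: Sess 18 got cmd: AUTH TLS
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 234 SSL enabled start the negotiation
  #2013-09-21 03:30:48 z4 193c: Sess 18 got cmd: USER svcmoveitsshmonitor
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 331 Password required for svcmoveitsshmonitor
  #2013-09-21 03:30:48 z4 193c: Sess 18 got cmd: PASS (suppressed)
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 230-If you have errors using the MOVEit Wizard, set the option in Internet
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 230-Explorer to use HTTP/1.1 through proxy connections. This setting is
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 230-accessible from the Tools / Internet Options dialog on the Advanced
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 230-tab. Check the "Use HTTP 1.1 through proxy
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 230-All time and date stamps displayed on this site are GMT -5, except time and date stamps recorded during standard time (GMT -6).
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 230 User svcmoveitsshmonitor logged in.
  #2013-09-21 03:30:48 z4 193c: Sess 18 got cmd: PBSZ 0
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 200 PBSZ command successful
  #2013-09-21 03:30:48 z4 193c: Sess 18 got cmd: PROT P
  #2013-09-21 03:30:48 z4 193c: Sess 18 sent: 200 PROT command successful
  #2013-09-21 03:30:49 z4 193c: Sess 18 got cmd: PWD
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 257 "/Home/svcmoveitsshmonitor" is current directory
  #2013-09-21 03:30:49 z4 193c: Sess 18 got cmd: SYST
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 215 Windows_NT version 5.0 (MOVEit DMZ FTP 7.1.1.0)
  #2013-09-21 03:30:49 z4 193c: Sess 18 got cmd: INTEGRITY L
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 200 Integrity mode selected
  #2013-09-21 03:30:49 z0 247c: Sess 17 from 10.173.10.11 disconnected.
  #2013-09-21 03:30:49 z4 193c: Sess 18 got cmd: CWD /Home/svcmoveitsshmonitor
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 250 CWD command successful
  #2013-09-21 03:30:49 z4 193c: Sess 18 got cmd: PASV
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 227 Entering Passive Mode (10,76,1,22,11,184)
  #2013-09-21 03:30:49 z4 193c: Sess 18 got cmd: LIST
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 150 Opening ASCII mode data connection
  #2013-09-21 03:30:49 z4 193c: Sess 18 sent: 226 Transfer complete
  #2013-09-21 03:31:20 z4 193c: Sess 18 got cmd: CWD /Home/svcmoveitsshmonitor
  #2013-09-21 03:31:20 z4 193c: Sess 18 sent: 250 CWD command successful
  #2013-09-21 03:31:33 z4 193c: Sess 18 got cmd: PASV
  #2013-09-21 03:31:33 z4 193c: Sess 18 sent: 227 Entering Passive Mode (10,76,1,22,11,187)
  #2013-09-21 03:31:33 z4 193c: Sess 18 got cmd: LIST
  #2013-09-21 03:31:33 z4 193c: Sess 18 sent: 150 Opening ASCII mode data connection
  #2013-09-21 03:31:33 z4 193c: Sess 18 sent: 226 Transfer complete
  #2013-09-21 03:31:34 z4 193c: Sess 18 got cmd: CWD /Home/svcmoveitsshmonitor
  #2013-09-21 03:31:34 z4 193c: Sess 18 sent: 250 CWD command successful
  #2013-09-21 03:31:34 z4 193c: Sess 18 got cmd: TYPE I
  #2013-09-21 03:31:34 z4 193c: Sess 18 sent: 200 TYPE command successful
  #2013-09-21 03:31:35 z4 193c: Sess 18 got cmd: PASV
  #2013-09-21 03:31:35 z4 193c: Sess 18 sent: 227 Entering Passive Mode (10,76,1,22,11,187)
  #2013-09-21 03:31:35 z4 193c: Sess 18 got cmd: RETR MOVEit_DMZ_upload_test.txt_FTP
  #2013-09-21 03:31:35 z3 193c: Downloading /Home/svcmoveitsshmonitor/MOVEit_DMZ_upload_test.txt_FTP
  #2013-09-21 03:31:35 z4 193c: Searching for MOVEit_DMZ_upload_test.txt_FTP: Found file ID 935161782 from 2013-09-21 03:30:47
  #2013-09-21 03:31:35 z4 193c: Sess 18 sent: 150 RETR command started
  #2013-09-21 03:31:35 z4 193c: Sess 18 sent: 226 Transfer complete. Integrity check pending.
  #2013-09-21 03:31:35 z0 193c: Sess 18 downloaded MOVEit_DMZ_upload_test.txt_FTP OK
  #2013-09-21 03:31:35 z4 193c: Sess 18 got cmd: HASH OK
  #2013-09-21 03:31:35 z4 193c: Sess 18 sent: 200 Downloaded file has passed integrity check.
  #2013-09-21 03:31:35 z4 193c: Sess 18 got cmd: Quit
  #2013-09-21 03:31:35 z4 193c: Sess 18 sent: 221 Goodbye

  log.parsing_filters.parse = `
# Header: "<date> <time> <zN> <thread-hex>: <remainder>".
if (matches_regular_expression(current_log_line(), '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) [^ ]+ ([^:]+): (.*)$')) then (

  # $3 is the hex thread id (e.g. "193c"), NOT the "Sess NN" number; all collected
  # state for a connection is keyed by it, and that key is what ends up in the
  # session_id field.
  # NOTE(review): the "... disconnected." line is not handled, so a collected entry
  # is never cleared. If the server reuses a thread id for a later connection, the
  # previous user/client_ip could be attributed to that connection's transfers
  # until its own USER / "Client connected" lines are seen -- confirm against live logs.
  session_id = $3;
  set_collected_field(session_id, 'date', $1);
  set_collected_field(session_id, 'time', $2);
  set_collected_field(session_id, 'session_id', session_id);
  v.remainder = $4;

  # Strip the "Sess NN:" / "Sess NN" prefix; "Downloading"/"Uploading" lines have none.
  if (matches_regular_expression(v.remainder, "^Sess [0-9]+:? (.*)$")) then
    v.remainder = $1;

  # 2013-09-21 03:31:35 z0 23a4: Sess 19: Client connected from 12.34.56.78 on port 21 (from port 2289)
  if (matches_regular_expression(v.remainder, "^Client connected from ([^ ]+) ")) then
    set_collected_field(session_id, 'client_ip', $1);

  # Records the USER name as sent by the client; the "230 ... logged in" reply is
  # not checked, so this is the last name attempted, not necessarily an
  # authenticated one.
  else if (matches_regular_expression(v.remainder, "^got cmd: USER (.*)$")) then
    set_collected_field(session_id, 'user', $1);

  # A transfer is counted when it starts ("Downloading ..."); the later
  # "downloaded ... OK" confirmation is not checked, so an aborted transfer is
  # still counted. downloads/events are reset after the entry is accepted so the
  # retained session context does not count again.
  else if (matches_regular_expression(v.remainder, "^Downloading (.*)$")) then (
    set_collected_field(session_id, "pathname", $1);
    set_collected_field(session_id, "downloads", 1);
    set_collected_field(session_id, "events", 1);
    accept_collected_entry(session_id, true);
    set_collected_field(session_id, "downloads", 0);
    set_collected_field(session_id, "events", 0);
  );

  # Same handling for uploads (no "Uploading" line appears in the sample above).
  else if (matches_regular_expression(v.remainder, "^Uploading (.*)$")) then (
    set_collected_field(session_id, "pathname", $1);
    set_collected_field(session_id, "uploads", 1);
    set_collected_field(session_id, "events", 1);
    accept_collected_entry(session_id, true);
    set_collected_field(session_id, "uploads", 0);
    set_collected_field(session_id, "events", 0);
  );

); # if matches headers
`

  database.numerical_fields = {
    events = {
      default = true
      entries_field = true
    } # events
    downloads.default = true
    uploads.default = true
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
    snapons = {
      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports
      # Geolocate the FTP client address.
      geo_location = {
        snapon = "geo_location"
        name = "geo_location"
        label = "$lang_admin.snapons.geo_location.label"
        parameters = {
          ip_address_field.parameter_value = "client_ip"
        } # parameters
      } # geo_location
    } # snapons
  } # create_profile_wizard_options

} # moveit_dmz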