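# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Windows 7 / Server 2008 event logs forwarded
# over syslog by Datagram SyslogAgent.  Each syslog line is expected to carry
# "<process>[<priority>] <event_code> <event text>"; the event text is split
# into name/value pairs that are mapped onto the log fields declared below via
# the external rewrite_rules.windows_event_field_names table (not in this file).
#
# NOTE(review): several character classes and replace_all() arguments below
# appear as "[^]" / "''" in this copy.  Given the 1.1.5 history entry they most
# likely held the DEL byte (0x7F) that the agent uses as a field separator and
# which this rendering has dropped; an empty "[^]" class is not valid as
# written, so verify these patterns against the shipped file before relying on
# them.
windows2008_syslog = {
  # NOTE(review): the history lists a 1.1.5 change but plugin_version was not
  # bumped — confirm which one is current.
  plugin_version = "1.1.4"
  info.1.manufacturer = "Microsoft"
  info.1.device = "Windows 7/2008 Eventlog via Syslog"
  info.1.version.1 = "Datagram SyslogAgent 3.5"
  # 2010-05-24 - Benson - 1.0 - Modified from datagram_syslog.cfg for Windows Server 2008 and simpilifed.
  # 2010-12-08 - Benson - 1.1 - Compatible with non DATE HOST syslog header.
  # 2011-01-06 - GMF - 1.1.1 - Fixed extra closing parenthesis
  # 2011-05-04 - GMF - 1.1.2 - Added v.message='' so it doesn't fail when it comes across a corrupt line
  # 2011-10-26 - KBB - 1.1.3 - Restored missing parenthesis to right location. Removed setting of
  #   v.message, because it will be set to something at all points that it is accessed if the
  #   parenthesis is in the right place (end of parsing filter).
  # 2012-06-21 - Benson - 1.1.4 - Fix for account_name and account_domain parsing in event_description field.
  # 2013-06-28 - Benson - 1.1.5 - Fixed mojibake that caused by ASCII 127 in the original message by replace_all them to general space before stored.

  # The name of the log format
  log.format.format_label = "Windows 7/Server 2008 Eventlog via Syslog"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "other"

  # Claim a line when, after the syslog header, it contains "<name>[<word>] <digits> ".
  # This shape is loose; presumably other agents emitting "tag[word] number"
  # could also match it — keep that in mind when several formats are enabled.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "[^[]+\\[[a-z]+\\] [0-9]+ ")
  `

  # Log fields
  log.fields = {
    event_code = ""
    event_description = ""
    process = ""
    priority = ""
    message = ""
    # Fields for windows descriptions (filled from the name/value pairs of the
    # event text through rewrite_rules.windows_event_field_names)
    account_name = ""
    account_domain = ""
    logon_id = ""
    process_name = ""
    workstation_name = ""
    source_network_address = ""
    source_port = ""
    #source_address = ""
    #destination_address = ""
    #destination_port = ""
    #protocol = ""
    #client_address = ""
    #client_port = ""
    #share_name = ""
    #object_name = ""
  } # log.fields

  # last_fieldname remembers which field the previous name/value pair went to,
  # so a following segment without a ':' divider can be appended to it.
  log.filter_initialization = `
    string last_fieldname = "";
  `

  # e.g. May 18 09:01:02 GC02 microsoft-windows-security-auditing[success] 4624 帳戶成功登入。主旨:安全性識別碼:S-1-0-0帳戶名稱:-帳戶網域:-登入識別碼:0x0登入類型:3新登入:安全性識別碼:S-1-5-21-861567501-2139871995-1417001333-6060帳戶名稱:hikizume帳戶網域:BAPHIQ登入識別碼:0xc4161ff登入 GUID:{00000000-0000-0000-0000-000000000000}處理程序資訊:處理程序識別碼:0x0處理程序名稱:-網路資訊:工作站名稱:HIKIZUME來源網路位址:-來源連接埠:-詳細驗證資訊:登入處理程序:NtLmSsp 驗證封裝:NTLM轉送的服務:-封裝名稱 (僅限 NTLM):NTLM V1金鑰長度:128當建立登入工作階段的時候,就會產生這個事件。它在被存取的電腦上產生。主旨欄位顯示要求登入的本機系統上的帳戶。這通常是發生在服務 (例如伺服器服務) 或是本機處理程序 (例如Winlogon.exe 或 Services.exe)。登錄類型欄位顯示發生的登入類型。最常見的類型是 2 (互動式) 與 3 (網路)。新登入欄位顯示是哪個帳戶建立新登入,例如登入的帳戶。網路欄位顯示遠端登入要求的來源。工作站名稱不是每次都有,並可能在某些狀況是空白。驗證資訊欄位提供關於此次特定登入要求的詳細資訊。- 登入
  # e.g. May 18 09:01:02 GC02 microsoft-windows-security-auditing[success] 5156 Windows 篩選平台已經允許一個連線。應用程式資訊:處理程序識別碼:576應用程式名稱:\device\harddiskvolume1\windows\system32\lsass.exe網路資訊:方向:%14592來源位址:172.17.1.100來源連接埠:49158目的地位址:192.168.15.43目的地連接埠:1110通訊協定:6篩選器資訊:篩選器執行階段識別碼:0階層名稱:%14610階層執行階段識別碼:44
  # (in the agent's raw output the name/value pairs of these examples are
  # separated by the non-printable byte mentioned above, which is not visible here)

  # Parse one syslog message: header -> process/priority/event_code, then split
  # the event text into event_description, message and the per-event fields.
  log.parsing_filters.parse = `
    # First form: "<Mon> <day> <time> <host> <process>[<priority>] <code> <text>";
    # second form: the same without the date/host header (1.1 history entry).
    if (matches_regular_expression(v.syslog_message, "^[A-Z]?[a-z]+ [ 0-9]+ [0-9:]+[ ][^ ]+ ([^[]+)\\[([^]]+)\\] ([0-9]+) (.*)$") or
        (matches_regular_expression(v.syslog_message, "([^[]+)\\[([^]]+)\\] ([0-9]+) (.*)$"))) then (
      v.process = $1;
      set_collected_field('', 'process', v.process);
      set_collected_field('', 'priority', $2);
      v.event_code = $3;
      set_collected_field('', 'event_code', v.event_code);
      v.message = $4;

      # Split off the leading description (up to the first separator) from the
      # rest of the event text; separator bytes are normalised to spaces before
      # the values are stored (1.1.5 history entry).
      if (matches_regular_expression(v.message, "^([^]*)[ ](.*)$")) then (
        set_collected_field('', 'event_description', replace_all($1, '',' '));
        v.account = $1;
        v.message = $2;
        set_collected_field('', 'message', replace_all(v.message, '',' '));
        # A description of the form "DOMAIN\user " yields the account fields.
        if (matches_regular_expression(v.account, '([^\\\\\\\\]+)\\\\\\\\([^ ]+) ')) then (
          # NOTE(review): log.fields declares account_domain, not domain —
          # confirm which field name the reports expect here.
          set_collected_field('', 'domain', $1);
          set_collected_field('', 'account_name', $2);
        );
      );

      # Handle print messages
      #if ((v.process eq 'print') and matches_regular_expression(v.message, '^[^,]+, ([^(]+) [(]([^)]+)[)] (.+): ([0-9]+), [^:]+: ([0-9]+)')) then (
      #  set_collected_field('', 'print_filename', $1);
      #  set_collected_field('', 'print_file_owner', $2);
      #  set_collected_field('', 'print_method', $3);
      #  set_collected_field('', 'print_bytes', $4);
      #  set_collected_field('', 'print_pages', $5);
      #);

      # 2008-12-20 - GMF - Switched to a single While loop which looks for all variants,
      # for simplicity (separate while loops are probably a bit faster)
      #
      # Each alternative yields $1 = name, $2 = ':' or '', $3 = value, $4 = the rest.
      # NOTE(review): as rendered, the second and third alternatives are identical
      # and the list ends with a dangling "or" before ")" — either an alternative
      # was lost in this copy or it is a leftover; confirm against the shipped file.
      while (
        matches_regular_expression(v.message, '^[ ]*([^ ][^:]+)(:) ([^]+)(.*)$') or
        matches_regular_expression(v.message, '^[ ]*([^ ][^:]+)(:)([^]*)(.*)$') or
        matches_regular_expression(v.message, '^[ ]*([^ ][^:]+)(:)([^]*)(.*)$') or
        matches_regular_expression(v.message, '^[ ]*()()([^]+)(.*)$') or
        matches_regular_expression(v.message, '^[ ]*([^ ][^:^?]+)(:)([^^?]*)$') or
      ) (
        # If there was no : divider in this section, treat it as part of the previous field value
        # (clearing Sawmill's "(empty)" placeholder first so it is not concatenated).
        if ($2 eq '') then (
          if (last_fieldname ne '') then (
            v.current_value = get_collected_field('', last_fieldname);
            if (v.current_value eq '(empty)') then v.current_value = "";
            # set_collected_field('', last_fieldname, v.current_value . ";" . $3);
            set_collected_field('', last_fieldname, v.current_value . $3);
          );
        );
        # If there was a : divider in this section, use the name/value directly.
        #
        # The destination field is chosen by text from the event body (the part
        # before the ':'), mapped through rewrite_rules.windows_event_field_names.
        # Parts of that body are chosen by the remote party (account, workstation
        # and process names), so a value containing the separator or a ':' can be
        # split into extra name/value pairs and may overwrite a field already set
        # for this entry.  Treat these fields as parsed text, not authoritative
        # identity data, when alerting on them; what subnode_by_name returns for
        # an unmapped name is not visible here — confirm.
        else (
          v.internal_fieldname = node_value(subnode_by_name('rewrite_rules.windows_event_field_names', $1));
          set_collected_field('', v.internal_fieldname, $3);
          last_fieldname = v.internal_fieldname;
        );
        v.message = $4;
      ); # while found name/value pair

      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
      last_fieldname = "";
    );
  `

  # Database fields
  database.fields = {
    event_code = ""
    event_description = ""
    process = ""
    priority = ""
    message = {
      # Column width for SQL back ends; presumably longer event text is cut at
      # this length, so the full text is not available from the database — confirm.
      sql_field_length = 472
    }
    # Fields for Windows Server 2008
    account_name = ""
    account_domain = ""
    logon_id = ""
    process_name = ""
    workstation_name = ""
    source_network_address = ""
    source_port = ""
    #source_address = ""
    #destination_address = ""
    #destination_port = ""
    #protocol = ""
    #client_address = ""
    #client_port = ""
    #object_name = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
      integer_bits = 64
    } # events
    # print_pages = ""
    # print_bytes = {
    #   default = false
    #   type = "float"
    #   display_format_type = "bandwidth"
    # }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        account_name = true
        account_domain = true
        logon_id = true
        workstation_name = true
        source_network_address = true
        source_port = true
        #source_address = true
        #client_address = true
        #client_port = true
      } # source_group
      #destination_group = {
      #  destination_address = true
      #  destination_port = true
      #  object_name = true
      #} # destination_group
      # The group header was commented out while its members and closing brace
      # were not, which left the file with one more "}" than "{"; it is restored
      # here to match the "} # other_group" trailer below.
      other_group = {
        event_code = true
        event_description = true
        process = true
        priority = true
        message = true
        process_name = true
        #protocol = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options
} # windows2008_syslog (trailer previously read datagram_syslog_agent, the parent plugin this was derived from)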