# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plug-in for Zone Alarm firewall logs. It declares the
# log fields, the parsing filter that splits each comma-separated log line
# into them, and the database fields / filters a profile built from this
# format gets. NOTE(review): this is Sawmill's own configuration dialect
# (nested `key = { ... }` groups, backtick-quoted filter scripts), not TOML,
# whatever the file's extension hint says.
zone_alarm = {

  plugin_version = "1.0.2"

  # Initial creation - 1.0
  # 2006-06-30 - 1.0.1 - GMF - Enhanced plug-in to track all line types
  # 2011-07-27 - 1.0.2 - MSG - Edited info lines.

  info.1.manufacturer = "Check Point Software Technologies"
  info.1.device = "Zone Alarm"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Zone Alarm Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # The pattern is an unanchored literal phrase, so any file whose first ten
  # lines merely contain it is claimed by this format; if another log source
  # happens to echo the banner text, tighten this (e.g. anchor it to the
  # header line) rather than relying on the parsing filter to reject it.
  log.format.autodetect_regular_expression = "ZoneAlarm Logging Client"

  # Log fields
  log.fields = {
    type = ""
    date = ""
    time = ""
    source_description = ""
    destination_description = ""
    # Declared with the "host" field type; presumably this is what lets
    # Sawmill derive the `location` database field below from the source
    # address -- confirm against the Sawmill field-type documentation.
    source_ip.type = "host"
    source_port = ""
    destination_ip = ""
    destination_port = ""
    # transport = ""
  } # log.fields

  # Parsing filter, run once per log line.
  #
  # Two-pass parse:
  #   1. The outer regex takes the first three comma-separated columns as
  #      type / date / time (the time column also carries a "+HH:MM"-style
  #      zone offset, which is matched but not stored) and hands everything
  #      after the next comma to v.remainder.
  #   2. The remainder regex peels off the LAST three comma-separated
  #      columns: source description, destination description, and a third
  #      column that is captured ($3) but never assigned -- it corresponds
  #      to the `transport` log field that is commented out above.
  #
  # The source description is then normalised: a bare "a.b.c.d:port" value
  # is split into source_ip / source_port and the description is replaced by
  # the literal "IP:port"; a "name (a.b.c.d:port)." value keeps "name" as
  # the description and splits the parenthesised address. Only the bare
  # "ip:port" form is handled for the destination; any other destination
  # text is kept verbatim and destination_ip / destination_port stay empty.
  #
  # Notes for maintainers:
  #   - `[A-Z]*`, `[0-9/]*` and `[0-9:]*` all accept an empty match, so a
  #     line with a blank type, date or time column still passes the outer
  #     regex; what Sawmill then does with an empty date is decided
  #     downstream -- confirm before relying on this filter to reject such
  #     lines.
  #   - The `\\\\.` / `\\\\(` sequences are, presumably, escaped once for the
  #     backtick string and once for the double-quoted regex so that the
  #     regex engine sees `\.` and `\(` -- confirm against other plug-ins
  #     before editing them.
  #   - The first line of the script is a commented-out, stricter variant
  #     that required numeric "ip:port" values in both address columns; it
  #     is left for reference and is not evaluated.
  log.parsing_filters.parse = `
#if (matches_regular_expression(current_log_line(), "^([A-Z]*),([0-9/]*),([0-9:]*) [+-][0-9]*:[0-9][0-9][^,]*,([0-9]*\\\\.[0-9]*\\\\.[0-9]*\\\\.[0-9]*):([0-9]*),([0-9]*\\\\.[0-9]*\\\\.[0-9]*\\\\.[0-9]*):([0-9]*),([^,]*)$")) then (
if (matches_regular_expression(current_log_line(), "^([A-Z]*),([0-9/]*),([0-9:]*) [+-][0-9]*:[0-9][0-9][^,]*,(.*)$")) then (
  type = $1;
  date = $2;
  time = $3;
  v.remainder = $4;
  if (matches_regular_expression(v.remainder, "([^,]*),([^,]*),([^,]*)$")) then (
    source_description = $1;
    destination_description = $2;
    if (matches_regular_expression(source_description, "^([0-9.]+):([0-9]+)$")) then (
      source_description = "IP:port";
      source_ip = $1;
      source_port = $2;
    );
    else if (matches_regular_expression(source_description, "^(.*) \\\\(([^:]+):([^)]+)\\\\)\\\\.$")) then (
      source_description = $1;
      source_ip = $2;
      source_port = $3;
    );
    if (matches_regular_expression(destination_description, "^([0-9.]+):([0-9]+)$")) then (
      destination_description = "IP:port";
      destination_ip = $1;
      destination_port = $2;
    );
  );
);
`

  # Database fields
  # date_time / day_of_week / hour_of_day and location do not exist as log
  # fields above; presumably Sawmill derives them from date + time and from
  # the "host"-typed source_ip respectively -- confirm against the Sawmill
  # documentation if a report on them looks wrong.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    type = ""
    source_description = ""
    source_ip = ""
    location = ""
    source_port = ""
    destination_description = ""
    destination_ip = ""
    destination_port = ""
    # transport = ""
  } # database.fields

  # The only numerical field: `events` is not read from the log
  # (requires_log_field = false) but set to 1 per entry by the mark_entry
  # filter below, so it counts accepted log lines.
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  # Log filters. The label and comment are $lang_admin.* references,
  # presumably resolved from Sawmill's language files at display time.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    # Left empty here, so no plug-in-specific grouping is applied.
    report_groups = {
    } # report_groups

  } # create_profile_wizard_options

} # zone_alarm