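# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Barracuda Web Application Firewall
# administrative AUDIT log: administrator logins, transactions and
# configuration changes, delivered over syslog. Each accepted entry carries
# the admin name, the client type and source address, the transaction type
# and, for configuration changes, the variable touched with its old and new
# values, so the profile can be used to review who changed what on the WAF.
barracuda_waf_audit = {

  # Bumped to match the most recent changelog entry below (1.0.2).
  plugin_version = "1.0.2"

  info.1.manufacturer = "Barracuda"
  info.1.device = "Web Application Firewall (Audit)"
  info.1.version = "7.4.0.022"

  # 2010-08-10 - 1.0.0 - Benson - Initial implementation.
  # 2010-08-19 - 1.0.1 - Benson - Supports obj_name field.
  # 2010-10-01 - 1.0.2 - Edited info lines.

  # The name of the log format
  log.format.format_label = "Barracuda WAF Audit Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular
  # expression. The pattern is loose (any token followed by " AUDIT "), so when
  # several syslog sources share one feed, confirm the detected format rather
  # than relying on auto-detection alone.
  log.format.autodetect_regular_expression = " [^ ]+ AUDIT "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    #time_stamp = ""
    obj_name = ""
    log_type = ""
    admin_name = ""
    client_type = ""
    login_ip = ""
    login_port = ""
    transaction_type = ""
    transaction_id = ""
    command_name = ""
    changetype = ""
    object_type = ""
    object_name = ""
    variable = ""
    old_value = ""
    new_value = ""
    additional_data = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Two line shapes are handled. They differ only in the number of
  # space-separated tokens between transaction_id and the two quoted
  # old/new values: five tokens (command_name changetype object_type
  # object_name variable) or four (no object_name).
  #
  # Known limits of both patterns:
  #   - old_value / new_value are matched as \"([^"]*)\", so a value that
  #     itself contains a double quote does not match either branch.
  #   - login_ip is matched as [0-9.]+, i.e. a dotted-quad IPv4 address only.
  #     If the appliance ever reports IPv6 client addresses those lines will
  #     not match (not verified against the device).
  # A line that matches neither branch still reaches the unconditional
  # set_collected_field('events') / accept_collected_entry below, so it is
  # counted as one event with every other field left blank. When reviewing
  # reports, a rise in entries with an empty admin_name is the sign that
  # lines are falling through unparsed.
  log.parsing_filters.parse = `
    # Five-token variant (object_name present):
    #2010-08-06 12:12:25 Local2.Info 192.168.172.201 2010-08-06 12:12:33.377 +0800 Barracuda AUDIT admin GUI 192.168.172.121 0 TRANSPARENT_MODE 0 - global - - "" "" []
    #2010-08-06 12:12:28 Local2.Info 192.168.172.201 2010-08-06 12:12:36.798 +0800 Barracuda AUDIT admin GUI 192.168.172.121 0 LOGIN 0 - global - - "" "" []
    #2010-08-06 12:12:43 Local2.Info 192.168.172.201 2010-08-06 12:12:51.950 +0800 Barracuda AUDIT admin GUI 192.168.172.121 0 CONFIG 35 - SET global - mgmt_netmask "255.0.0.0" "255.255.255.0" []
    if (matches_regular_expression(v.syslog_message, ' ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9.]+) ([0-9]+) ([^ ]+) ([0-9]+) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \"([^"]*)\" \"([^"]*)\" (.*)$')) then (
      set_collected_field('', 'obj_name', $1);
      set_collected_field('', 'log_type', $2);
      set_collected_field('', 'admin_name', $3);
      set_collected_field('', 'client_type', $4);
      set_collected_field('', 'login_ip', $5);
      set_collected_field('', 'login_port', $6);
      set_collected_field('', 'transaction_type', $7);
      set_collected_field('', 'transaction_id', $8);
      set_collected_field('', 'command_name', $9);
      set_collected_field('', 'changetype', $10);
      set_collected_field('', 'object_type', $11);
      set_collected_field('', 'object_name', $12);
      set_collected_field('', 'variable', $13);
      set_collected_field('', 'old_value', $14);
      set_collected_field('', 'new_value', $15);
      set_collected_field('', 'additional_data', $16);
    );

    # Four-token variant (no object_name):
    #2010-08-04 14:54:20 Local2.Info 192.168.172.201 2010-08-04 14:54:05.635 +0800 Barracuda AUDIT admin GUI 192.168.172.121 0 CONFIG 27 - SET global web_firewall_log_facility "16" "20" []
    else if (matches_regular_expression(v.syslog_message, ' ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9.]+) ([0-9]+) ([^ ]+) ([0-9]+) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \"([^"]*)\" \"([^"]*)\" (.*)$')) then (
      set_collected_field('', 'obj_name', $1);
      set_collected_field('', 'log_type', $2);
      set_collected_field('', 'admin_name', $3);
      set_collected_field('', 'client_type', $4);
      set_collected_field('', 'login_ip', $5);
      set_collected_field('', 'login_port', $6);
      set_collected_field('', 'transaction_type', $7);
      set_collected_field('', 'transaction_id', $8);
      set_collected_field('', 'command_name', $9);
      set_collected_field('', 'changetype', $10);
      set_collected_field('', 'object_type', $11);
      # object_name has no token in this variant and is deliberately left unset.
      set_collected_field('', 'variable', $12);
      set_collected_field('', 'old_value', $13);
      set_collected_field('', 'new_value', $14);
      set_collected_field('', 'additional_data', $15);
    );

    # Every line is counted as one event, whether or not a branch above matched.
    set_collected_field('', 'events', 1);
    accept_collected_entry('', false);
  `

  # Database fields
  database.fields = {
    #time_stamp = ""
    obj_name = ""
    log_type = ""
    admin_name = ""
    client_type = ""
    login_ip = ""
    login_port = ""
    transaction_type = ""
    transaction_id = ""
    command_name = ""
    changetype = ""
    object_type = ""
    object_name = ""
    variable = ""
    old_value = ""
    new_value = ""
    additional_data = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # barracuda_waf_audit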