# Copyright (c) 2010 Flowerfire, Inc.  All Rights Reserved.
mc_afee_web_shield_xml = {

  plugin_version = "1.0.1"

  # 2007-09-11 - 1.0 - KBB - added version number and changed file name from
  #                          beta_mc_afee_web_shield_xml.cfg
  # 2011-06-22 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "McAfee"
  info.1.device = "Webshield XML"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "McAfee Webshield XML Log Format"
  log.miscellaneous.log_data_type = "generic"  
  log.miscellaneous.log_format_type = "internet_device"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "^<Event id='[0-9]+' utc-time='[0-9]+'"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

    id = ""
    utc_time = ""
    local_time = ""
    date = ""
    time = ""
    tz = ""
    tz_offset = ""
    pid = ""
    os_name = ""
    os_version = ""
    host_name = ""
    host_ip = ""
    host_domain_name = ""
    mac_address = ""
    app = ""
    reason = ""
    sev_type = ""
    client_request = ""
    client_request_line = ""
    audit_id = ""
    connection_type = ""
    conversation_id = ""
    conversation_policy = ""
    neat_delta = ""
    neat_starttime = ""
    source_hostname = ""
    source_ip = ""
    source_port = ""

    events = ""

  } # log.fields


  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), "^<Event ([^>]*) >(.*)$")) then (
  v.listed_event_fields = $1;
  v.remainder = $2;
  v.listed_event_fields = replace_all(v.listed_event_fields, "'", '"');
  collect_listed_fields('', v.listed_event_fields, ' ', '=', '');

  # Handle Sev
  if (matches_regular_expression(v.remainder, "^<Sev type='([^']*)' />(.*)$")) then (
    set_collected_field('', 'sev_type', $1);
    v.remainder = $2;
  );

  # Discard Loc
  if (matches_regular_expression(v.remainder, '^<Loc[^>]*/>(.*)$')) then
    v.remainder = $1;

  # Get the info fields
  while (matches_regular_expression(v.remainder, "<Info name='([^']*)'[^>]*>([^<]*)</Info>(.*)$")) (
    v.name = replace_all($1, '-', '_');
    set_collected_field('', v.name, $2);
    v.remainder = $3;
  );

  # Parse date/time out of local_time
  if (matches_regular_expression(get_collected_field('', 'local_time'), '^([0-9-]+)_([0-9:]+)')) then (
    set_collected_field('', 'date', $1);
    set_collected_field('', 'time', $2);
  );

  set_collected_field('', 'events', 1);

  accept_collected_entry('', false);

);
`


  # Database fields
  database.fields = {

    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    id = ""
    utc_time = ""
    local_time = ""
    tz = ""
    tz_offset = ""
    pid = ""
    os_name = ""
    os_version = ""
    host_name = ""
    host_ip = ""
    host_domain_name = ""
    mac_address = ""
    app = ""
    reason = ""
    sev_type = ""
    client_request = ""
    client_request_line = ""
    audit_id = ""
    connection_type = ""
    conversation_id = ""
    conversation_policy = ""
    neat_delta = ""
    neat_starttime = ""
    source_hostname = ""
    source_ip = ""
    source_port = ""

  } # database.fields

  database.numerical_fields = {

    events = {
      default = true
      entries_field = true
    } # events

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups

  } # create_profile_wizard_options

} # mc_afee_web_shield_xml