# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Microsoft ISA Server 2004 "IIS"-style
# (comma-separated) firewall log. This is Sawmill's own TOML-like plugin
# syntax, not strict TOML: the outer table spans many lines and some values
# are written as bare words.

isa_2004_iis = {

  plugin_version = "1.0.3"

  info.1.manufacturer = "Microsoft"
  info.1.device = "ISA 2004 CSV"
  info.1.version.1 = ""

  # Change history
  # ????-??-?? - 1.0 - ??? - Initial implementation
  # 2009-01-30 - GMF - 1.0.1 - Changed int fields to float, to eliminate overflow
  # 2010-10-01 - MSG - 1.0.2 - Edited info lines
  # 2011-09-08 - MSG - 1.0.3 - Changed session_id to isa_session_id, and session page field to destination_hostname, so it works with 8.5 sessions snapon.

  # The name of the log format
  log.format.format_label = "Microsoft ISA 2004 IIS Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The pattern is anchored at the start of the line and requires all 33 comma-separated
  # fields in order, so a partial or re-ordered ISA export will not be claimed by this plugin.
  # NOTE(review): the result-code field accepts lowercase hex only (0x[0-9a-f]+); confirm ISA
  # never emits uppercase hex digits, otherwise those lines match neither this nor the
  # parsing expression below.
  log.format.autodetect_regular_expression = "^[^,]+, [0-9]+/[0-9]+/[0-9][0-9][0-9][0-9], [0-9]+:[0-9][0-9]:[0-9][0-9], [^,]+, [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+:*[0-9]*, [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+:*[0-9]*, [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+, [^,]+, [^,]+, [^,]+, 0x[0-9a-f]+, [^,]+, [^,]+, [^,]+, [0-9-]+, [0-9-]+, [0-9-]+, [0-9-]+, [0-9-]+, [0-9-]+, [^,]+, [^,]+, [^,]+, [^,]+, [^,]+, [^,]+, [0-9]+, [0-9]+, [^,]+, [^,]+, [^,]+"

  # e.g.
  # KFIREWALL, 7/7/2005, 15:49:36, TCP, 71.240.237.220:4617, 10.0.1.122:110, 71.240.237.220, External, Internal, Terminate, 0x80076e24, some pop POP3 Server, POP3 Server, N, 227, 227, 39, 39, 471, 471, -, -, -, -, -, -, 2, 14, -, -, -

  # One capture group per entry of log.fields below, in the same order (33 groups).
  # Keep the two in sync: adding or removing a group without updating log.fields shifts
  # every later field into the wrong column. The client/destination "ip:port" columns are
  # split into two groups each (":*" tolerates a missing port, yielding an empty port).
  # The six counter columns accept "-" as well as digits, matching the example line above.
  log.format.parsing_regular_expression = "^([^,]+), ([0-9]+/[0-9]+/[0-9][0-9][0-9][0-9]), ([0-9]+:[0-9][0-9]:[0-9][0-9]), ([^,]+), ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+):*([0-9]*), ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+):*([0-9]*), ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+), ([^,]+), ([^,]+), ([^,]+), (0x[0-9a-f]+), ([^,]+), ([^,]+), ([^,]+), ([0-9-]+), ([0-9-]+), ([0-9-]+), ([0-9-]+), ([0-9-]+), ([0-9-]+), ([^,]+), ([^,]+), ([^,]+), ([^,]+), ([^,]+), ([^,]+), ([0-9]+), ([0-9]+), ([^,]+), ([^,]+), ([^,]+)"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Logs fields are separated by a comma
  log.format.field_separator = ", "

  # Log fields, in capture-group order of the parsing expression above.
  log.fields = {
    # groups 1-4
    server_name = ""
    date = ""
    time = ""
    transport = ""
    # groups 5-9: client ip/port, destination ip/port, original client ip
    client_ip.type = "host"
    client_port = ""
    destination_ip = ""
    destination_port = ""
    original_client_ip = ""
    # groups 10-16
    source_network = ""
    destination_network = ""
    action = ""
    result_code = ""
    rule = ""
    protocol = ""
    bidirectional = ""
    # groups 17-22: counters ("-" or digits); consumed by database.numerical_fields below
    bytes_sent = ""
    bytes_sent_delta = ""
    bytes_received = ""
    bytes_received_delta = ""
    processing_time = ""
    processing_time_delta = ""
    # groups 23-28
    source_proxy = ""
    destination_proxy = ""
    client_host_name = ""
    destination_host_name = ""
    client_username = ""
    client_agent.type = "agent"
    # groups 29-33
    isa_session_id = ""
    connection_id = ""
    network_interface = ""
    # raw_ip_header / raw_payload are parsed here but deliberately not stored
    # (see database.fields): by name they presumably carry raw packet data — TODO confirm.
    raw_ip_header = ""
    raw_payload = ""
  } # log.fields

  # Database fields. date_time/day_of_week/hour_of_day and location are derived
  # fields; operating_system/web_browser/spider come from the "agent"-typed client_agent.
  # NOTE(review): client_ip, client_host_name and client_username are identity data
  # persisted per event — confirm retention and report-access policy for this profile.
  database.fields = {
    server_name = ""
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    transport = ""
    client_ip = ""
    location = ""
    client_port = ""
    destination_ip = ""
    destination_port = ""
    original_client_ip = ""
    source_network = ""
    destination_network = ""
    action = ""
    result_code = ""
    rule = ""
    protocol = ""
    bidirectional = ""
    source_proxy = ""
    destination_proxy = ""
    client_host_name = ""
    destination_host_name = ""
    client_username = ""
    operating_system = ""
    web_browser = ""
    spider = ""
    isa_session_id = ""
    connection_id = ""
    network_interface = ""
    # Intentionally excluded from the database (raw packet content is not something to
    # persist or expose in reports). They are still listed in report_groups below.
    # raw_ip_header = ""
    # raw_payload = ""
  } # database.fields

  # Log Filters: every parsed entry counts as one event.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Session reconstruction: visitors are keyed by client IP (see 1.0.3 note above for
  # why the page field is the destination host name).
  log.field_options = {
    sessions_page_field = "destination_host_name"
    sessions_visitor_id_field = "client_ip"
    sessions_event_field = "events"
  } # log.field_options

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    unique_client_ips = {
      label = "$lang_stats.field_labels.unique_client_ips"
      default = false
      requires_log_field = true
      log_field = "client_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_client_ips
    # Byte counters are 64-bit accumulators.
    # NOTE(review): the 1.0.1 changelog says these were changed to float for overflow,
    # but they are declared int with integer_bits = 64 — presumably a later revision; confirm.
    bytes_sent = {
      label = "$lang_stats.field_labels.bytes_sent"
      default = true
      requires_log_field = true
      log_field = "bytes_sent"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_sent
    bytes_sent_delta = {
      label = "$lang_stats.field_labels.bytes_sent_delta"
      default = false
      requires_log_field = true
      log_field = "bytes_sent_delta"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_sent_delta
    bytes_received = {
      label = "$lang_stats.field_labels.bytes_received"
      default = true
      requires_log_field = true
      log_field = "bytes_received"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_received
    bytes_received_delta = {
      label = "$lang_stats.field_labels.bytes_received_delta"
      default = false
      requires_log_field = true
      log_field = "bytes_received_delta"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_received_delta
    # NOTE(review): the two processing_time entries differ from their siblings — values
    # are unquoted and no log_field is given. Presumably Sawmill defaults log_field to the
    # entry name and accepts bare-word values; confirm, or quote them and add
    # log_field = "processing_time" / "processing_time_delta" for consistency.
    processing_time = {
      label = $lang_stats.field_labels.processing_time
      default = false
      requires_log_field = true
      type = float
      display_format_type = duration_milliseconds
    } # processing_time
    processing_time_delta = {
      label = $lang_stats.field_labels.processing_time_delta
      default = false
      requires_log_field = true
      type = float
      display_format_type = duration_milliseconds
    } # processing_time_delta
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        client_ip = true
        location = true
        client_port = true
        original_client_ip = true
        source_network = true
        source_proxy = true
        client_host_name = true
        client_username = true
        operating_system = ""
        web_browser = ""
        spider = ""
      }
      destination_group = {
        destination_ip = true
        destination_port = true
        destination_network = true
        destination_proxy = true
        destination_host_name = true
      }
      other_group = {
        server_name = true
        transport = true
        action = true
        result_code = true
        rule = true
        protocol = true
        bidirectional = true
        isa_session_id = true
        connection_id = true
        network_interface = true
        # NOTE(review): raw_ip_header and raw_payload are not database fields (they are
        # commented out in database.fields above), so these two report entries reference
        # columns that do not exist — confirm whether Sawmill ignores them or the profile
        # wizard errors, and either restore the columns or drop these two lines.
        raw_ip_header = true
        raw_payload = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # isa_2004_iis