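# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the GTA GB Firewall WELF log, syslog-required
# variant. Every log field is extracted by the "parse" parsing filter below,
# which reads the syslog message body (v.syslog_message) rather than
# current_log_line().
gta_welf_syslog_required = {

  plugin_version = "1.0"

  # 26/01/2015 - gas - Initial creation

  # CPW name: "GTA GB Firewall WELF (sylog required)"
  info.1.manufacturer = "GTA"
  info.1.device = "GB Firewall WELF (sylog required)"
  info.1.version.1 = "GB820"

  # The name of the log format
  log.format.format_label = "GTA Firewall WELF Log Format (Syslog Required)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular
  # expression: three consecutive WELF key=value tokens whose keys are drawn
  # from id/fw/pri/msg, each followed by a space.
  log.format.autodetect_regular_expression = "(id|fw|pri|msg)=[^ ]+ (id|fw|pri|msg)=[^ ]+ (id|fw|pri|msg)=[^ ]+ "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields (WELF keys; date/time are split out of the time="..." token)
  log.fields = {
    date = ""
    time = ""
    id = ""
    attribute = ""
    cat_action = ""
    count = ""
    country = ""
    dst = ""
    dstname = ""
    dstport = ""
    duration = ""
    fw = ""
    interface = ""
    msg = ""
    nat = ""
    natport = ""
    op = ""
    pkts_rcvd = ""
    pkts_sent = ""
    pol_action = ""
    pol_type = ""
    pri = ""
    proto = ""
    rcvd = ""
    rule = ""
    sent = ""
    src = ""
    srcport = ""
    type = ""
    arg = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters = {

    # Parse the line
    parse = {
      label = "Parser"
      comment = "This parser reads each line"
      value = `
        # count= expansion is disabled: the block below would set
        # volatile.log_line_insertions once per count value. Left commented out
        # by the original author; kept for reference.
        #
        # if (matches_regular_expression(current_log_line(), 'count=([0-9]+)')) then (
        #   for (int i = 0; i < $1; i++) (
        #     set_subnode_value('volatile.log_line_insertions', i, current_log_line());
        #   );
        # );

        # Read the line from v.syslog_message, not current_log_line().
        # $1 = WELF text before time=, $2 = date, $3 = time, $4 = WELF text after.
        if (matches_regular_expression(v.syslog_message, '^[A-Za-z]+ [0-9]+ [0-9:]+ (.*)time=.([^ ]+) ([^"]+). (.*)$')) then (

          set_collected_field('', 'date', $2);
          set_collected_field('', 'time', $3);

          # Take the time= section out and reconstruct the line from the
          # text on either side of it.
          v.line = $1 . $4;

          # Loop through the remaining key=value fields; a value is either a
          # double-quoted string (may contain spaces) or a run of non-spaces.
          # NOTE(review): the collected-field name ($1) is taken verbatim from
          # the log line, so a line carrying a key that is not declared in
          # log.fields is passed to set_collected_field as-is — confirm
          # Sawmill ignores undeclared names rather than creating them.
          while (matches_regular_expression(v.line, '^([^=]+)=(\"[^"]+\"|[^ ]+) (.*)$')) (
            set_collected_field('', $1, replace_all($2, '"', ''));
            v.line = $3;
          );

          # Catch the last field (no trailing space after it)
          if (matches_regular_expression(v.line, '^([^=]*)=(.*)$')) then (
            set_collected_field('', $1, replace_all($2, '"', ''));
            v.line = '';
          );

          # Finish: one access per entry, set last so a log-supplied
          # accesses= key cannot override it.
          set_collected_field('', 'accesses', 1);
          accept_collected_entry('', false);

        );
      `
    } # parse

  } # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    id = ""
    attribute = ""
    cat_action = ""
    country = ""
    dst = ""
    dstname = ""
    dstport = ""
    fw = ""
    interface = ""
    msg = ""
    nat = ""
    natport = ""
    op = ""
    pol_action = ""
    pol_type = ""
    pri = ""
    proto = ""
    rule = ""
    src = ""
    srcport = ""
    type = ""
    arg = ""
  } # database.fields

  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    sent = {
      display_format_type = "bandwidth"
      default = true
    }
    rcvd = {
      display_format_type = "bandwidth"
      default = true
    }
    duration = {
      display_format_type = "duration_compact"
      default = true
    }
    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = true
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips
  } # database.numerical_fields

  # log filters
  log.filters = {
    # Normalise the country code and map it to a name via the ISO 3166 table
    # when that rewrite rule is present.
    get_country_code_name = {
      label = "$lang_admin.log_filters.get_country_code_name_label"
      comment = "$lang_admin.log_filters.get_country_code_name_comment"
      value = "country = lowercase(country); if ?'rewrite_rules.iso_3166_alpha2' then country = @'rewrite_rules.iso_3166_alpha2'{country};"
      disabled = false
      requires_fields = {
        country = true
      } # requires_fields
    } # get_country_code_name
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      syslog_header_group = {
        logging_device = true
        log_level = true
        syslog_priority = true
        syslog_message = true
        syslog_message_type = true
      }
      content_group = {
        op = true
        msg = true
        proto = true
        pol_action = true
        pol_type = true
        rule = true
        type = true
        arg = true
      }
      source_group = {
        src = true
        srcport = true
        interface = true
        # The field is declared as "rule" in log.fields and database.fields;
        # the previous key "rules" named no field.
        rule = true
      }
      destination_group = {
        dst = true
        dstname = true
        dstport = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # gta_welf_syslog_required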