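# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Cellopoint Email Firewall syslog feed.
#
# The device logs one SMTP transaction as several syslog lines ("[S] 250
# Sender ...", "[S] 250 Recipient ...", "... bytes received ...", "... closing
# connection"). Each line carries a "[client_ip:port]" prefix, so the parsing
# filters below collect the pieces of one connection under a shared key and
# emit a single log entry when the "closing connection" line arrives.
#
# Changes from the original plugin: collected entries are keyed by
# client_ip:port instead of the bare port, and the device name typo is fixed.

cellopoint_email_firewall = {

  plugin_version = "1.0"

  info.1.manufacturer = "Cellopoint"
  info.1.device = "Email Firewall"
  info.1.version.1 = "3.9.8 Build 0810"

  # 2012-08-15 - 1.0 - Benson - Initial creation.

  # The name of the log format
  log.format.format_label = "Cellopoint Email Firewall Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first autodetect_lines (500) lines
  # match this regular expression
  log.format.autodetect_regular_expression = "Cellopoint E-mail Firewall"
  log.format.autodetect_lines = "500"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # This is used because an email address may have an = in it. If it causes
  # other problems, explicit parsing will have to be used.
  log.format.allow_spaces_in_listed_field_values = "false"

  # Expire collected entries after they're not used for 1000 lines. A
  # connection that never logs a "closing connection" line (client dropped,
  # log truncated) is therefore dropped rather than emitted half-filled.
  log.format.collected_entry_lifespan = 1000
  log.format.discard_expired_entries = true

  # Log fields
  log.fields = {
    remote_ip.type = "host"
    status_code = ""
    response_code = ""
    message_id = ""
    # sender/recipient are split on "@" (right to left) so reports can group
    # by domain first. Both values are supplied by the remote SMTP client;
    # the parsing regexes bound them at the closing ">".
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # from
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # to
    message = ""
    bytes = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Every branch keys its collected entry with v.conn_key = "<client_ip>:<port>".
  # The original plugin keyed on the port alone ($3); two simultaneous
  # connections from different clients that happen to share a source port
  # (or a reused port within the 1000-line lifespan) would then merge their
  # sender/recipient/status fields into one entry. Including $2 (the client
  # IP, also stored as remote_ip) removes that cross-connection bleed.
  log.parsing_filters.parse = `

  #[S] 250 Sender Ok
  if (matches_regular_expression(v.syslog_message, '^\\\\[([0-9:]+)\\\\] \\\\[([0-9.]+):([0-9]+)\\\\] \\\\[S\\\\] ([0-9]+) Sender <([^>]+)>')) then (
    v.conn_key = $2 . ':' . $3;
    set_collected_field(v.conn_key, 'sender', $5);
  );

  #[S] 250 Recipient Ok
  else if (matches_regular_expression(v.syslog_message, '^\\\\[([0-9:]+)\\\\] \\\\[([0-9.]+):([0-9]+)\\\\] \\\\[S\\\\] ([0-9]+) Recipient <([^>]+)>')) then (
    v.conn_key = $2 . ':' . $3;
    set_collected_field(v.conn_key, 'status_code', $4);
    set_collected_field(v.conn_key, 'recipient', $5);
  );

  #[S] 550 5.1.1 : Recipient address rejected: 3net.com.tw
  # $7 is the text up to the next ':' (e.g. "Recipient address rejected"); the
  # remainder of the line is intentionally not stored.
  else if (matches_regular_expression(v.syslog_message, '^\\\\[([0-9:]+)\\\\] \\\\[([0-9.]+):([0-9]+)\\\\] \\\\[S\\\\] ([0-9]+) ([0-9.]*) <([^>]+)>: ([^:]+)')) then (
    v.conn_key = $2 . ':' . $3;
    set_collected_field(v.conn_key, 'status_code', $4);
    set_collected_field(v.conn_key, 'response_code', $5);
    set_collected_field(v.conn_key, 'recipient', $6);
    set_collected_field(v.conn_key, 'message', $7);
  );

  #[S] 250 31931 bytes received: 135000172
  else if (matches_regular_expression(v.syslog_message, '^\\\\[([0-9:]+)\\\\] \\\\[([0-9.]+):([0-9]+)\\\\] \\\\[S\\\\] ([0-9]+) ([0-9]+) bytes (received): ([0-9]+)')) then (
    v.conn_key = $2 . ':' . $3;
    set_collected_field(v.conn_key, 'bytes', $5);
    set_collected_field(v.conn_key, 'message', $6);
    set_collected_field(v.conn_key, 'message_id', $7);
  );

  #[S] 221 Cellopoint E-mail Firewall v3.9.8 Build 0810 closing connection
  # End of the transaction: stamp the collected entry with the syslog
  # envelope of this closing line (date, time, device, priority, type),
  # record the client IP and emit the entry.
  else if (matches_regular_expression(v.syslog_message, '^\\\\[([0-9:]+)\\\\] \\\\[([0-9.]+):([0-9]+)\\\\] \\\\[S\\\\] ([0-9]+) Cellopoint E-mail Firewall v([0-9.]+) Build ([0-9]+) closing connection')) then (
    v.conn_key = $2 . ':' . $3;
    set_collected_field(v.conn_key, 'date', get_collected_field('', 'date'));
    set_collected_field(v.conn_key, 'time', get_collected_field('', 'time'));
    set_collected_field(v.conn_key, 'logging_device', get_collected_field('', 'logging_device'));
    set_collected_field(v.conn_key, 'syslog_priority', get_collected_field('', 'syslog_priority'));
    set_collected_field(v.conn_key, 'syslog_message_type', get_collected_field('', 'syslog_message_type'));
    set_collected_field(v.conn_key, 'remote_ip', $2);
    accept_collected_entry(v.conn_key, false);
  );

  `

  # Database fields
  database.fields = {
    sender = {
      itemnums_hash_function = "mult_sum_c_i_8"
    }
    recipient = {
      itemnums_hash_function = "mult_sum_c_i_8"
    }
    remote_ip = ""
    location = ""
    status_code = ""
    response_code = ""
    message_id = ""
    message = ""
  } # database.fields

  database.numerical_fields = {
    bytes = {
      default = true
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes
    events = {
      default = true
      type = "int"
      integer_bits = 64
    } # events
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
    suppress_message_id = {
      label = "$lang_admin.log_filters.suppress_message_id_label"
      comment = "$lang_admin.log_filters.suppress_message_id_comment"
      value = `message_id = "[omitted]"`
    } # suppress_message_id
    # Entries that reached "closing connection" without any Recipient line
    # (status_code never set) carry no useful transaction and are dropped.
    reject_incomplete_message = {
      label = "Drop event without complete messages"
      value = `if (status_code eq '(empty)') then "reject"`
    } # reject_incomplete_message
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # cellopoint_email_firewall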