# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Fortinet FortiMail event logs.
#
# It declares how a FortiMail line is recognised (log.format.autodetect_expression),
# which key=value fields are pulled out of it (log.fields + log.parsing_filters.parse),
# how those fields are stored (database.fields / database.numerical_fields) and which
# report snapons the profile wizard attaches (create_profile_wizard_options).
fortimail_event = {

  plugin_version = "2.0"

  info.1.manufacturer = "Fortinet"
  info.1.device = "FortiMail"
  # Empty version string; presumably matches any FortiMail firmware version — confirm
  # against the other plugins in this directory.
  info.1.version.1 = ""

  # 2012-07-11 - 1.0 - MSG - Initial creation.
  # 2012-07-27 - 1.01 - MSG - Fixed typo in log data type
  # 2014-05-26 - 2.0 - GMF - Made syslog_optional; added support for many additional fields; made into try mail server analysis; added mail_server_reports

  # The name of the log format
  log.format.format_label = "FortiMail Log Format"
  # syslog_optional: lines may arrive with or without a syslog header (the sample
  # line below has one). The parsing filters read v.syslog_message, so the header,
  # when present, is presumably stripped before they run — verify if lines are
  # silently dropped.
  log.miscellaneous.log_data_type = "syslog_optional"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # Two line shapes are recognised, and they must stay in step with the two branches
  # of log.parsing_filters.parse below:
  #   1. "YYYY-MM-DD HH:MM:SS log_id=... log_part..." (date/time separated by a
  #      space or a comma);
  #   2. "date=YYYY-MM-DD time=HH:MM:SS device_id=... log_id=..." (the syslog payload).
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][, ][0-9][0-9]:[0-9][0-9]:[0-9][0-9][, ]log_id=[^ ]+ log_part") or
    #May 26 15:11:32 fortimail date=2014-05-26 time=15:11:23 device_id=FE400C3M12000301 log_id=0200001022 type=statistics pri=information session_id="s4QDBMog001021-s4QDBMoh001021" client_name="abc.def.com [12.34.56.78]" dst_ip="23.45.67.89" from="someone@somewhere.com" to="other@there.com" polid="0:1:1" domain="there.com" subject="Test email" mailer="mta" resolved="OK" direction="in" virus="" disposition="Accept" classifier="Not Spam" message_length="16716"
    matches_regular_expression(volatile.log_data_line, "date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9] device_id=.*log_id=")
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Don't try to process this as CSV, even if the file name ends in .csv
  log.format.ignore_format_lines = "true"

  # Log fields
  # Every value is copied verbatim from the key=value pairs on the line. from, to,
  # subject, client_name and msg carry envelope/header text chosen by the remote
  # mail peer, so they are untrusted input wherever reports render or export them
  # (NOTE(review): confirm the report layer escapes them).
  log.fields = {
    device_id = ""
    log_id = ""
    log_part = ""
    type = ""
    subtype = ""
    pri = ""
    user = ""
    ui = ""
    action = ""
    status = ""
    msg = ""
    session_id = ""
    client_name = ""
    dst_ip = ""
    from = ""
    to = ""
    polid = ""
    domain = ""
    subject = ""
    mailer = ""
    resolved = ""
    direction = ""
    virus = ""
    disposition = ""
    classifier = ""
    message_length = ""
  } # log.fields

  # Log Parsing Filters
  # Branch 1 handles the native "YYYY-MM-DD HH:MM:SS ..." line: $1/$2 become the
  # date and time fields, and the character between them ($3, space or comma) is
  # reused as the divider between the remaining key=value pairs ($4).
  # Branch 2 handles the syslog payload "date=... time=... ..." and splits the whole
  # line on single spaces; date and time are then collected like any other field.
  # A line matching neither branch never reaches accept_collected_entry.
  # NOTE(review): subject and client_name values contain spaces (see the sample
  # line), so both branches rely on collect_listed_fields honouring the double
  # quotes around values — confirm, otherwise those fields are split at the first
  # space and the following tokens are lost.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])[ ,]([0-9][0-9]:[0-9][0-9]:[0-9][0-9])([ ,])(.*)')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.separator = $3;
  v.line = $4;
  collect_listed_fields('', v.line, v.separator, '=', '');
  accept_collected_entry('', false);
);
#May 26 15:11:32 fortimail date=2014-05-26 time=15:11:23 device_id=FE400C3M12000301 log_id=0200001022 type=statistics pri=information session_id="s4QDBMog001021-s4QDBMoh001021" client_name="abc.def.com [12.34.56.78]" dst_ip="23.45.67.89" from="someone@somewhere.com" to="other@there.com" polid="0:1:1" domain="there.com" subject="Test email" mailer="mta" resolved="OK" direction="in" virus="" disposition="Accept" classifier="Not Spam" message_length="16716"
else if (matches_regular_expression(v.syslog_message, '^(date=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] time=[0-9][0-9]:[0-9][0-9]:[0-9][0-9] .*)$')) then (
  collect_listed_fields('', $1, ' ', '=', '');
  accept_collected_entry('', false);
);
`

  # Database fields
  # Mirrors log.fields one-to-one; every parsed field is stored as-is.
  database.fields = {
    device_id = ""
    log_id = ""
    log_part = ""
    type = ""
    subtype = ""
    pri = ""
    user = ""
    ui = ""
    action = ""
    status = ""
    msg = ""
    session_id = ""
    client_name = ""
    dst_ip = ""
    from = ""
    to = ""
    polid = ""
    domain = ""
    subject = ""
    mailer = ""
    resolved = ""
    direction = ""
    virus = ""
    disposition = ""
    classifier = ""
    message_length = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Counts every accepted line as one event (see database.numerical_fields.events).
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      entries_field = "true"
      value = 'events = 1;'
    } # mark_entry
  } # Log Filters

  database.numerical_fields = {
    # Per-line counter set by the mark_entry filter; not read from the log itself.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # Message size from the message_length field; 64-bit so totals over a large
    # mail volume do not overflow. Shown in bandwidth units.
    message_length = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # message_length
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups

    snapons = {

      # Attach a mail_server_reports snapon
      # Maps the snapon's generic parameters onto this format's fields. Both the
      # processed and the delivered counters point at `events`, so "delivered"
      # counts every logged line, not only successful deliveries.
      mail_server_reports = {
        snapon = "mail_server_reports"
        name = "mail_server_reports"
        label = "$lang_admin.snapons.mail_server_reports.label"
        parameters = {
          sender_field.parameter_value = "from"
          recipient_field.parameter_value = "to"
          messages_processed_field.parameter_value = "events"
          messages_delivered_field.parameter_value = "events"
        } # parameters
      } # mail_server_reports

      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports

    } # snapons

  } # create_profile_wizard_options

} # fortimail_event