# Copyright (c) 2010 Flowerfire, Inc.  All Rights Reserved.
windows_2008_alt_dns = {

  plugin_version = "1.1"

  info.1.manufacturer = "Microsoft"
  info.1.device = "DNS Server"
  info.1.version = "Windows 2008" # OS version

  #       2016-08-05 - 1.0 - ILD - Initial creation based on windows_2003_dns.cfg

  # The name of the log format
  log.format.format_label = "Windows 2008 DNS Log Format"
  log.miscellaneous.log_data_type = "generic"  
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression
  
  log.format.autodetect_regular_expression = "DNS Server log file creation at"
  log.format.autodetect_lines = "100"

  # This regular expression is used to parse the log fields out of the log entry
  #log.format.parsing_regular_expression = "^([0-9]+/[0-9]+/[0-9]+) ([0-9:]+) [AM|PM]+ (....) ([A-Z]+)  ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f])(.*)$"

  #log.format.date_format = "dd/mmm/yyyy"
  #log.format.date_format = "yyyymmdd"
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

    date = ""
    time = ""
	thread_id = ""
	context = ""
    packet_id = ""
    protocol = ""
    direction = ""
    remote_ip = ""
    xid = ""
    type = ""
    opcode = ""
    flags_hex = "" 
        flags = ""
    response_code = ""
    question_name = ""
	question_type = ""

  } # log.fields

  log.parsing_filters.parse = `

#if (matches_regular_expression(current_log_line(), '^([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\\\[(....) (....)  ([^]]*)\\\\] (.*)$')) then (

v.line = current_log_line();
if (matches_regular_expression(v.line, '^([0-9]+/[0-9]+/[0-9]{4}) ([0-9]*[0-9]:.*)')) then (
  set_collected_field('', 'date', $1);
  v.date = $1;
  v.line = $2;
);

## Windows 2008 alt format
 if (matches_regular_expression(v.line, '^([0-9:]+) [AM|PM]+ (....) ([A-Z]+)  ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (R| ) ([A-Z]) .(....) (....) +([^]]*). ([A-Z]+) +(.*)$')) then (
	set_collected_field('', 'time', $1);
	set_collected_field('', 'thread_id', $2);
  	set_collected_field('', 'context', $3);
  	set_collected_field('', 'packet_id', $4);
   	set_collected_field('', 'protocol', $5);
 	set_collected_field('', 'direction', $6);
	set_collected_field('', 'remote_ip', $7);
  	set_collected_field('', 'xid', $8);
  	set_collected_field('', 'query_response', $9);
  	set_collected_field('', 'opcode', $10);
  	set_collected_field('', 'flags_hex', $11);
  		v.flags = $12;
  	set_collected_field('', 'response_code', $13);
  	set_collected_field('', 'question_type', $14);
  	set_collected_field('', 'question_name', $15);
  if (!matches_regular_expression(v.flags, '^ *$')) then (
    set_collected_field('', 'flags', v.flags);
  );

  accept_collected_entry('', false);
);
`

  log.filters = {

    fix_question_name = {
      label = "fix_question_name"
      comment = ""
      value = "
# Convert (N) sections to dots for legibility
while (matches_regular_expression(question_name, '^(.*)\\\\([0-9]+\\\\)(.*)$'))
  question_name = $1 . '.' . $2;
if (starts_with(question_name, '.')) then
  question_name = substr(question_name, 1);
if (ends_with(question_name, '.')) then
  question_name = substr(question_name, 0, length(question_name) - 1);
"
    } # fix_question_name

 mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'lookups = 1;'
    } # mark_entry

  } # log filters

  # Database fields
  database.fields = {

    date_time = ""
    day_of_week = ""
    hour_of_day = ""
thread_id = ""
	context = ""
    packet_id = ""
    protocol = ""
    direction = ""
    remote_ip = ""
    xid = ""
    type = ""
    opcode = ""
    flags_hex = "" 
        flags = ""
    response_code = ""
    question_name = ""
	question_type = ""
  } # database.fields

  database.numerical_fields = {

    lookups = {
      label = "$lang_stats.field_labels.lookups"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # lookups

    unique_remote_ips = {
      label = "$lang_stats.field_labels.unique_remote_ips"
      default = false
      requires_log_field = true
      log_field = "client"
      type = "unique"
      display_format_type = "integer"
    } # unique_remote_ips

  } # database.numerical_fields


  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
    
    snapons = {
      # Add the standard reports
    add_standard_reports = {
    name = "add_standard_reports"
	label = "add_standard_reports"
	snapon = "add_standard_reports"
      } # add_standard_reports
    } # snapons
  } # create_profile_wizard_options
} # windows_2003_dns