# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Bitvise WinSSHD server logs.
# It declares the comma-separated columns of the log, the extra fields
# that the parsing filter pulls out of the free-text message column, the
# database schema for those fields, and the reports/snapons the profile
# wizard creates. Everything lives inside the single top-level "winsshd"
# node below.
winsshd = {
  plugin_version = "3.0.1"
  info.1.manufacturer = "Bitvise"
  info.1.device = "Winsshd"
  info.1.version.1 = ""

  # Change history
  # 2012-07-26 - 1.0 - MSG - Initial creation
  # 2012-08-20 - 2.0 - GMF - Extracts many additional fields from the message field
  # 2012-08-22 - 2.0.1 - GMF - Fixed aggregation_method
  # 2012-09-07 - 3.0 - GMF - Changed upload and download bytes fields to report in MB. Added Source IPs by Users report. Added warning_messages report.
  # 2012-09-20 - 3.0.1 - GMF - Fixed add_report parameters

  # The name of the log format
  log.format.format_label = "Winsshd Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Column order it expects: session_id, timestamp (YYYY-MM-DD hh:mm:ss.fraction),
  # application, version, port, priority_level, followed by the message column.
  log.format.autodetect_regular_expression = "^[0-9]+,[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9][.][0-9]+,[A-Za-z]+,[0-9.]+,[0-9]+,[A-Za-z]+,"
  # date and time are not taken from the raw columns; the parsing filter below
  # splits them out of the timestamp column, so the formats stay on "auto".
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Use comma as the field separator.
  # NOTE(review): the sample line below shows the message column wrapped in
  # double quotes; this assumes the splitter honours that quoting so a comma
  # inside a message does not shift the columns — confirm against real logs.
  log.format.field_separator = ","

  # Log fields.
  # Fields with an index are positional CSV columns (1-based). The remaining
  # fields are left empty here and are assigned by log.parsing_filters.parse.
  log.fields = {
    session_id.index = 1
    timestamp.index = 2
    application.index = 3
    version.index = 4
    port.index = 5
    priority_level.index = 6
    message.index = 7
    # date/time: split out of the timestamp column by the parsing filter
    date = ""
    time = ""
    # Fields extracted from message field.
    # These are copied verbatim from the log text. pathname is presumably
    # whatever path the remote SFTP client operated on, so treat it as
    # untrusted data when sizing columns or building reports.
    operation = ""
    windows_account = ""
    source_ip = ""
    source_port = ""
    pathname = ""
    warning_message = ""
    # events is set to 1 per line by the mark_entry log filter; the upload/
    # download counters are set by the parsing filter for transfer events.
    events = ""
    uploads = ""
    downloads = ""
    bytes_uploaded = ""
    bytes_downloaded = ""
  } # log.fields

  # Database fields.
  # Numeric identifiers (session_id, port, source_port) are stored as int with
  # aggregation_method "none" so they are never summed in reports.
  database.fields = {
    session_id = {
      type = "int"
      aggregation_method = "none"
    }
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    application = ""
    version = ""
    port = {
      type = "int"
      aggregation_method = "none"
    }
    priority_level = ""
    # Only message declares an explicit column width.
    # NOTE(review): pathname and warning_message have no sql_field_length
    # here while message is capped at 300; confirm the default width is wide
    # enough for long SFTP paths and warning texts, since both come straight
    # from the log line.
    message = {
      sql_field_length = "300"
    }
    operation = ""
    windows_account = ""
    source_ip = ""
    source_port = {
      type = "int"
      aggregation_method = "none"
    }
    warning_message = ""
    pathname = ""
  } # database.fields

  # Parsing filter: runs once per log line after the columns have been split.
  # It derives date/time from timestamp and, for "Session thread" lines,
  # extracts the account, peer address/port and the per-operation details
  # from the message column. v.remainder holds the not-yet-consumed tail of
  # the message as the nested matches narrow it down.
  log.parsing_filters.parse = `
# Parse date and time from timestamp
if (matches_regular_expression(timestamp, '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[.][0-9]+')) then (
  date = $1;
  time = $2;
);

# Handle 'Session thread ... for Windows account' lines
# 109206,2012-05-24 00:00:13.415091,WinSSHD,5.22,111,Info,"Session thread 43145 for Windows account 'SFTP\USER1' from 192.168.1.12:17873: Session channel 1: FlowSfsWin: Closed directory '\\File_Location\Shared\sftpUSER1\Exports'. Registered 6 successful operations. Listed 255 entries in 6 operations."
# Captures: $1 account, $2 peer address, $3 peer port, $4 rest of message.
# NOTE(review): ([^:]+) for the address stops at the first colon, so a peer
# rendered in IPv6 notation would not match and the line would be skipped;
# confirm how WinSSHD writes IPv6 peers before relying on source_ip for them.
if (matches_regular_expression(message, "^Session thread [0-9]+ for Windows account '([^']+)' from ([^:]+):([0-9]+): (.*)$")) then (
  windows_account = $1;
  source_ip = $2;
  source_port = $3;
  v.remainder = $4;
  # Strip the "Session channel N: <component>:" prefix.
  # NOTE(review): [0-9] allows only a single-digit channel number; a session
  # that opens ten or more channels would fall through to the Warning branch
  # below instead of being parsed — confirm whether that is intended.
  if (matches_regular_expression(v.remainder, "^Session channel [0-9]: [^:]+: (.*)$")) then (
    v.remainder = $1;
    # Handle operations with a single filename.
    # The quoted path is matched with [^']+, so a path containing a quote
    # simply does not match and operation/pathname stay empty for that line.
    if (matches_regular_expression(v.remainder, "^(Opened directory|Closed directory|Opened new file|Closed file|Read attributes for|Moved) '([^']+)'(.*)$")) then (
      operation = $1;
      pathname = $2;
      v.remainder = $3;
      # Handle upload/download events: the text after the path reports the
      # transferred byte count, which is stored as a raw count here and only
      # displayed in megabytes (see database.numerical_fields).
      if (matches_regular_expression(v.remainder, "^[.] Registered [0-9]+ successful operation[^.]*[.] (Uploaded|Downloaded) ([0-9]+) bytes")) then (
        if ($1 eq "Uploaded") then (
          uploads = 1;
          bytes_uploaded = $2;
        );
        else (
          downloads = 1;
          bytes_downloaded = $2;
        );
      ); # if upload/download
    ); # if single-file operation
  ); # if Session channel
  # Keep the whole message for all Warning messages.
  # Only reached for Session thread lines that are not "Session channel"
  # lines; warnings logged outside a session thread are not captured here.
  else if (priority_level eq "Warning") then (
    warning_message = v.remainder;
  );
); # if Session thread
` # parsing_filters

  # Log Filters
  log.filters = {
    # Counts every accepted line as one event (events = 1).
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (summable) database fields.
  database.numerical_fields = {
    # events is the entries field: one per log line.
    events = {
      default = true
      entries_field = true
    } # events
    uploads = {
      default = true
    } # uploads
    downloads = {
      default = true
    } # downloads
    # Byte counters use 64-bit storage and are displayed in megabytes
    # (changed from "bandwidth" in 3.0; the old setting is kept commented out).
    bytes_uploaded = {
      integer_bits = 64
      # display_format_type = "bandwidth"
      display_format_type = "megabytes"
    }
    bytes_downloaded = {
      integer_bits = 64
      # display_format_type = "bandwidth"
      display_format_type = "megabytes"
    }
  } # database.numerical_fields

  # Profile wizard settings: report grouping plus the snapons applied, in
  # order, when a profile is created from this plugin.
  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        pathname = true
      }
      source_group = {
        source_ip = true
        windows_account = true
      }
    } # report_groups
    # Snapon order matters: the xref groups and single-page summary are
    # (re)created last so they include the fields and reports added above.
    snapons = {
      # Add the standard reports
      add_standard_reports = {
        name = "add_standard_reports"
        label = "add_standard_reports"
        snapon = "add_standard_reports"
      } # add_standard_reports
      # Attach a File Type snapon, classifying by the pathname field
      file_type = {
        snapon = "file_type"
        name = "file_type"
        label = "$lang_admin.snapons.file_type.label"
        parameters = {
          url_field.parameter_value = "{= @parameters{'pathname'}{'parameter_value'} =}"
          file_type_field_name = {
            parameter_value = "$lang_admin.field_labels.file_type"
            final_node_name = "wsp_file_type"
          }
        } # parameters
      } # file_type
      # "Source IPs by User" report: source_ip broken down by windows_account,
      # placed in the source_group menu group.
      source_ips_by_user = {
        name = "source_ips_by_user"
        label = "Source IPs by User"
        snapon = "add_report"
        parameters = {
          main_field.parameter_value = "$lang_stats.field_labels.source_ip"
          main_field.final_node_name = "source_ip"
          have_minor_field.parameter_value = true
          minor_field.parameter_value = "$lang_stats.field_labels.windows_account"
          minor_field.final_node_name = "windows_account"
          report_name.parameter_value = "Source IPs by User"
          report_name.final_node_name = "source_ips_by_user"
          report_group.final_node_name = "source_group"
        } # parameters
      } # source_ips_by_user
      # Hide the raw message field; its useful parts are already extracted.
      omit_message = {
        name = "Omit message"
        label = "Omit message"
        snapon = "omit_field"
        parameters = {
          field.final_node_name = "message"
        } # parameters
      } # omit_message
      # Add all default xref reports. This was called in add_standard_reports, too, but we've added fields since then.
      create_default_xref_groups = {
        name = "create_default_xref_groups"
        label = "create_default_xref_groups"
        snapon = "create_default_xref_groups"
        parameters = {
        } # parameters
      } # create_default_xref_groups
      # Recreate Single-Page Summary with all reports we've added
      single_page_summary = {
        name = "single_page_summary"
        label = "single_page_summary"
        snapon = "single_page_summary"
        parameters = {
        } # parameters
      } # single_page_summary
    } # snapons
  } # create_profile_wizard_options
} # winsshd