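beta_tipping_point_ips = {

  plugin_version = "1.0beta"

  # The name of the log format
  log.format.format_label = "Tipping Point IPS Log Format (BETA)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The timezone suffix of the ISO start time accepts either sign ([+-]); the previous
  # version only accepted "-", so devices configured east of UTC were never autodetected
  # even though the parsing filter below already accepts [0-9T+-] for that field.
  log.format.autodetect_regular_expression = "[A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ [A-Z]+,v[0-9]+,[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9][+-][0-9][0-9][0-9][0-9],"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields, in the order they appear in the comma-separated syslog message
  log.fields = {
    log_type = ""
    message_version = ""
    iso_start_time = ""
    # alert_hostname_ip.label = "alert hostname/IP"
    alert_hostname = ""
    alert_ip = ""
    sequence_id = ""
    # reserved = ""
    action = ""
    severity = ""
    policy_uuid = ""
    policy_name = ""
    signature_name = ""
    protocol_name = ""
    source_address.type = "host"
    source_port = ""
    destination_address = ""
    destination_port = ""
    iso_end_time = ""
    events = ""
    traffic_threshold_parameters = ""
    traffic_capture_available = ""
    slot_and_segment = ""
  } # log.fields

  # e.g.
  # Dec 12 15:11:12 10.1.1.105 (ALT|BLK|P2P),v4,20051212T151112-0480,"IPS1200"/10.1.1.105,526,1,Permit,Low,00000002-0002-0002-0002-000000007112,"7112: IP: Fragment Expired","7112: IP: Fragment Expired",,192.168.150.107:0,192.168.150.106:0,20051212T150102-0480,1," ",0,3:1
  #
  # Capture group layout of the parsing regex (matches the field order above):
  #   $1 log_type            $8  severity              $15 destination_address
  #   $2 message_version     $9  policy_uuid           $16 destination_port
  #   $3 iso_start_time      $10 policy_name           $17 iso_end_time
  #   $4 alert_hostname/ip   $11 signature_name        $18 events
  #   $5 sequence_id         $12 protocol_name         $19 traffic_threshold_parameters
  #   $6 reserved            $13 source_address        $20 traffic_capture_available
  #   $7 action              $14 source_port           $21 slot_and_segment
  #
  # Caveats (the parser splits purely on commas, it is not a CSV parser):
  #   - A quoted field (policy_name, signature_name, traffic_threshold_parameters) that
  #     itself contains a comma will shift or break the match; such lines are dropped
  #     or misparsed rather than flagged.
  #   - policy_name and signature_name keep their surrounding double quotes; only
  #     alert_hostname is dequoted below.
  #   - The regex is anchored at the start only, so any trailing text after
  #     slot_and_segment is silently ignored.
  #   - The timezone offset on iso_start_time is discarded; date/time are recorded as
  #     the device-local wall clock, not normalised to UTC.

  # Log Parsing Filters
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '^[A-Za-z]+ [0-9 ][0-9] [0-9:]+ [0-9.]+ ([^,]*),([^,]*),([0-9T+-]*),([^,]*),([0-9]*),([0-9]*),([^,]*),([^,]*),([0-9-]*),([^,]*),([^,]*),([^,]*),([0-9.]+):([0-9]+),([0-9.]+):([0-9]+),([0-9T+-]*),([0-9]*),([^,]*),([0-9]*),([0-9:]*)')) then (

  set_collected_field('', 'log_type', $1);
  set_collected_field('', 'message_version', $2);
  v.iso_start_time = $3;
  v.alert_hostname_ip = $4;
  # $5 is the sequence id (526 in the example); the previous version collected $6,
  # which is the reserved field. Note sequence_id is not in database.fields, so it
  # is collected but not stored.
  set_collected_field('', 'sequence_id', $5);
  # $6 is the reserved field; not collected.
  set_collected_field('', 'action', $7);
  set_collected_field('', 'severity', $8);
  set_collected_field('', 'policy_uuid', $9);
  set_collected_field('', 'policy_name', $10);
  set_collected_field('', 'signature_name', $11);
  set_collected_field('', 'protocol_name', $12);
  set_collected_field('', 'source_address', $13);
  set_collected_field('', 'source_port', $14);
  set_collected_field('', 'destination_address', $15);
  set_collected_field('', 'destination_port', $16);
  # iso_end_time ($17) is deliberately not collected; it is not in database.fields.
  # set_collected_field('', 'iso_end_time', $17);
  set_collected_field('', 'events', $18);
  set_collected_field('', 'traffic_threshold_parameters', $19);
  set_collected_field('', 'traffic_capture_available', $20);
  set_collected_field('', 'slot_and_segment', $21);

  # Extract date/time from iso_start_time (YYYYMMDDThhmmss[+-]oooo); the offset is dropped.
  if (matches_regular_expression(v.iso_start_time, '^([0-9][0-9][0-9][0-9])([0-9][0-9])([0-9][0-9])T([0-9][0-9])([0-9][0-9])([0-9][0-9])[+-][0-9][0-9][0-9][0-9]')) then (
    set_collected_field('', 'date', $2 . '/' . $3 . '/' . $1);
    set_collected_field('', 'time', $4 . ':' . $5 . ':' . $6);
  );

  # Extract alert hostname and alert ip from the "hostname"/ip pair; strip the quotes
  # around the hostname if present.
  if (matches_regular_expression(v.alert_hostname_ip, '^([^/]*)/(.*)$')) then (
    v.alert_hostname = $1;
    set_collected_field('', 'alert_ip', $2);
    if (matches_regular_expression(v.alert_hostname, '^"([^"]*)"$')) then (
      v.alert_hostname = $1;
    );
    set_collected_field('', 'alert_hostname', v.alert_hostname);
  );

  accept_collected_entry('', false);
  # events = 1;

);
`

  # Database fields
  database.fields = {
    log_type = ""
    message_version = ""
    # iso_start_time = ""
    alert_hostname = ""
    alert_ip = ""
    # sequence_id = ""
    # reserved = ""
    action = ""
    severity = ""
    policy_uuid = ""
    policy_name = ""
    signature_name = ""
    protocol_name = ""
    source_address = ""
    source_port = ""
    # location is never set by the parsing filter above; presumably derived from
    # source_address (type "host") elsewhere -- verify before relying on it.
    location = ""
    destination_address = ""
    destination_port = ""
    # iso_end_time = ""
    events = ""
    traffic_threshold_parameters = ""
    traffic_capture_available = ""
    slot_and_segment = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      entries_field = true
    } # events
    unique_source_addresses = {
      log_field = "source_address"
      type = "unique"
    } # unique_source_addresses
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options

} # beta_tipping_point_ips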