# Sawmill log-format plug-in for Zyxel firewalls emitting WELF-style
# "key=value key=value ..." records over syslog.
zyxel_firewall_welf = {

  # The name of the log format
  log.format.format_label = "Zyxel Firewall WELF Log Format"
  # Entries are expected to arrive via syslog; the syslog envelope supplies the
  # date/time, which is why the parsing filter below discards the header
  # (presumably — confirm against the Sawmill syslog documentation).
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # NOTE(review): this pattern only requires src/dst/msg/note to appear in that
  # order; other WELF-emitting devices may match it too, so check the
  # autodetect result when several WELF plug-ins are installed.
  log.format.autodetect_regular_expression = "src=.*dst=.*msg=.*note="

  # Log fields
  # Each entry names a key that collect_listed_fields() may extract from the
  # record.  src/dst are split into host and port by the parsing filter.
  log.fields = {
    # "host" type: the value is an address/hostname (src_port is split off below)
    src.type = "host"
    src_port = ""
    dst = ""
    dst_port = ""
    devid = ""
    cat = ""
    # protocol = ""
    rule = ""
    # direction = ""
    # Free-text fields written by the device.
    note = ""
    msg = ""
    dir = ""
    protoid = ""
    proto = ""
    trans = ""
    # Numeric fields consumed by database.numerical_fields below.
    duration = ""
    send = ""
    rcvd = ""
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters.parse = `
# Strip off date/time header
# Expected shape: "Mon DD HH:MM:SS hostname <rest>"; only <rest> is kept.
# A line without this header is passed through unchanged.
if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ (.*)$')) then
  v.syslog_message = $1;
# Split "key=value" pairs on single spaces.
# NOTE(review): the divider is a bare space and the last argument is empty, so
# a value that itself contains spaces (msg= or note= text) is presumably cut
# at the first space and the remainder is seen as further pairs — confirm
# against real device output and, if needed, pass the quote character used by
# the device instead of ''.
collect_listed_fields('', v.syslog_message, ' ', '=', '');
# src may be "host:port"; split it into the two log fields.
if (matches_regular_expression(get_collected_field('', 'src'), '^([^:]+):(.*)$')) then (
  set_collected_field('', 'src', $1);
  set_collected_field('', 'src_port', $2);
);
# Same for dst.
if (matches_regular_expression(get_collected_field('', 'dst'), '^([^:]+):(.*)$')) then (
  set_collected_field('', 'dst', $1);
  set_collected_field('', 'dst_port', $2);
);
# Commit the collected entry; entries with no recognised pairs are not rejected here.
accept_collected_entry('', false);
`

  # Database fields
  # Fields stored in the profile database and available for reports.
  database.fields = {
    src = ""
    src_port = ""
    # location has no matching log field; it is presumably derived by Sawmill
    # from the "host"-typed src field — confirm.
    location = ""
    dst = ""
    dst_port = ""
    devid = ""
    cat = ""
    # protocol = ""
    rule = ""
    # direction = ""
    note = ""
    # msg is free text with high cardinality; a hash function is set for its
    # item-number table.
    msg = {
      itemnums_hash_function = "mult_sum_c_i_8"
    }
    dir = ""
    protoid = ""
    proto = ""
    trans = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Every accepted entry counts as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregatable) database fields.
  database.numerical_fields = {
    # Entry counter set by the mark_entry filter above.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # Distinct-count of the src field.
    unique_source_ips = {
      label = "$lang_stats.field_labels.unique_source_ips"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # unique_source_ips
    # Bytes sent / received as reported by the device; displayed as bandwidth.
    send = {
      default = false
      type = "float"
      display_format_type = "bandwidth"
    } # send
    rcvd = {
      default = false
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
    # Session duration from the device (units not shown here; assumed seconds — confirm).
    duration = {
      default = false
      type = "float"
      display_format_type = "duration_compact"
    } # duration
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # zyxel_firewall_welf