# Sawmill log-format plugin for Nortel Contivity syslog output.
# All field extraction happens in log.parsing_filters.parse below, which recognizes three
# message types: "Security ... Session" lines, "CSFW ... Rule[...] Firewall" events and
# "CSFW ... conn_id[...] ... HTTP" access lines.  Three filter variables
# (v.source_ip_to_username, v.user, v.last_authentication_source_ip) are declared once in
# log.filter_initialization and are carried from one log line to the next; the username
# attribution of HTTP accesses depends entirely on that carried state (see notes inline).
beta_nortel_contivity = {

  # The name of the log format
  log.format.format_label = "Nortel Contivity Log Format (BETA)"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression
  # (counter, MM/DD/YYYY date, HH:MM:SS time, a hostname-like token, a number, " : ", a daemon
  # name and a bracketed number -- matches the prefix of the example line further down)
  log.format.autodetect_regular_expression = "[0-9]+ [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] ([^ ]+) [0-9]+ : [^ ]+ \\[[0-9]+\\] "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # sessions / connections / http_accesses are the counters declared again under
  # database.numerical_fields; the parsing filter sets exactly one of them per accepted entry.
  log.fields = {
    event_type = ""
    protocol = ""
    user = ""
    rule = ""
    source_ip.type = "host"
    source_port = ""
    destination_ip = ""
    destination_port = ""
    action = ""
    operation = ""
    page.type = "page"
    sessions = ""
    connections = ""
    http_accesses = ""
  } # log.fields

  # Declare filter variables
  # NOTE(review): these are initialized here only; the parsing filter never resets them per
  # line, so a value written while handling one log line is still visible on later lines.
  log.filter_initialization = `
    v.source_ip_to_username = '';
    v.user = '[unknown]';
    v.last_authentication_source_ip = 'unknown';
  `

  # Log Parsing Filters
  # Outer regex splits the syslog message into date ($1), time ($2) and the remaining
  # message text ($3); everything else is dispatched on v.message.
  log.parsing_filters.parse = `
    if (matches_regular_expression(v.syslog_message, '^[0-9]+ ([0-9/]+) ([0-9:]+) [^ ]+ [0-9]+ : (.*)$')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      v.message = $3;

      # Handle Security lines
      # $1 is the "protocol[user]" token following "Session...:", $2 is the rest of the message
      if (matches_regular_expression(v.message, '^Security \\\\[[0-9]+\\\\] Session[^:]*: ([^ ]+) (.*)$')) then (
        v.daemon = $1;
        v.message = $2;
        # Extract protocol[user]
        # NOTE(review): v.user is only (re)assigned when this inner regex matches.  On a
        # Security line where it does not match, v.user keeps whatever an earlier line left in
        # it (possibly a lookup result from the HTTP branch below), and the 'authorized' block
        # will then map the authentication IP to that stale name -- confirm this is acceptable.
        if (matches_regular_expression(v.daemon, '^([^[]+)\\\\[([^]]+)\\\\]')) then (
          set_collected_field('', 'protocol', $1);
          set_collected_field('', 'user', $2);
          v.user = $2;
        );
        # Mark sessions when we see the login
        # (stored as the string '1' here, while connections/http_accesses below use numeric 1)
        if (v.message eq 'authorized') then (
          set_collected_field('', 'sessions', '1');
          set_collected_field('', 'event_type', 'login');
          accept_collected_entry('', false);
          # Remember the IP address of the last authentication packet, and tie it to this username
          # Dots are replaced with underscores so the address can be used as a node name.
          # This relies on the matching firewall "Allow" event (see the Firewall branch) having
          # been parsed BEFORE this Security line; if it has not, the name is tied to 'unknown'.
          v.converted_source_ip = replace_all(v.last_authentication_source_ip, '.', '_');
          set_subnode_value('v.source_ip_to_username', v.converted_source_ip, v.user);
          # echo("@@@@@@ Built map " . v.last_authentication_source_ip . "->" . v.user . "\\n");
        );
      ) # if Security

      # Extract firewall events
      # Captures: $1 rule, $2 source ip, $3 source port, $4 destination ip, $5 destination port,
      # $6 protocol, $7 action
      else if (matches_regular_expression(v.message, '^CSFW \\\\[[0-9]+\\\\] Rule\\\\[([^]]+)\\\\] Firewall: \\\\[([0-9.]+):([0-9]+)-([0-9.]+):([0-9]+), proto:([a-z]+)\\\\], action: (.*)$')) then (
        set_collected_field('', 'connections', 1);
        set_collected_field('', 'event_type', 'connection');
        set_collected_field('', 'rule', $1);
        set_collected_field('', 'source_ip', $2);
        set_collected_field('', 'source_port', $3);
        set_collected_field('', 'destination_ip', $4);
        v.destination_port = $5;
        set_collected_field('', 'destination_port', $5);
        set_collected_field('', 'protocol', $6);
        v.action = $7;
        set_collected_field('', 'action', $7);
        accept_collected_entry('', false);
        # echo("@@@@@@ action=" . v.action . "\\n");
        # echo("@@@@@@ destination_port=" . v.destination_port . "\\n");
        # If this is an authentication access event, remember the IP address so we can tie it in with the username later
        # NOTE(review): the condition below tests destination port 8000 while the original comment
        # said "port 80"; the code is what runs -- confirm 8000 is the intended authentication port.
        if ((v.action eq 'Allow') and (v.destination_port == 8000)) then (
          v.last_authentication_source_ip = $2;
          # echo("@@@@@@ Got v.last_authentication_source_ip=" . $2 . "\\n");
        )
      ) # Firewall

      # e.g., 2005-05-31 01:29:00 Kernel.Notice 10.0.110.5 18164 05/31/2005 01:28:31 tEvtLgMgr 0 : CSFW [12] conn_id[26100351]:(10.0.225.38:1064-65.55.206.28:80) HTTP GET /r/hladOfficeUpdateFromClient?CTT=1&Origin=EC010230401032 HTTP/1.1
      # Captures: $1 source ip, $2 source port, $3 destination ip, $4 destination port,
      # $5 HTTP method, $6 request path (query string included, as in the example), $7 HTTP version
      else if (matches_regular_expression(v.message, '^CSFW \\\\[[0-9]+\\\\] conn_id\\\\[[^]]+\\\\]:\\\\(([0-9.]+):([0-9]+)-([0-9.]+):([0-9]+)\\\\) HTTP ([A-Z]+) ([^ ]+) ([^ ]+)$')) then (
        set_collected_field('', 'http_accesses', 1);
        set_collected_field('', 'source_ip', $1);
        set_collected_field('', 'source_port', $2);
        set_collected_field('', 'destination_ip', $3);
        set_collected_field('', 'destination_port', $4);
        set_collected_field('', 'event_type', 'HTTP');
        set_collected_field('', 'operation', $5);
        # 'page' is taken verbatim from the request line; it is client-supplied text.
        set_collected_field('', 'page', $6);
        set_collected_field('', 'protocol', $7);
        # Get the username from the source IP
        # Attribution is by source address only, so several clients behind one address, or an
        # address reused after a session ends, are all reported under the same username.
        # NOTE(review): when no mapping exists, v.user becomes whatever node_value() returns
        # for a missing subnode, not the '[unknown]' default from filter_initialization -- confirm.
        v.converted_source_ip = replace_all($1, '.', '_');
        v.user = node_value(subnode_by_name('v.source_ip_to_username', v.converted_source_ip));
        # echo("@@@@@@ Mapped " . $1 . "->" . v.user . "\\n");
        set_collected_field('', 'user', v.user);
        accept_collected_entry('', false);
      ) # HTTP
    ) # if headers match

    # Earlier regexp-based approach, kept for reference (disabled)
    #collect_fields_using_regexp('()(Security \\\\[[0-9]+\\\\]) Session: (IPSEC)\\\\[([^]]+)\\\\]:[0-9]+ logged out', '*KEY*,event_type,protocol,client');
    #collect_fields_using_regexp('()(Security \\\\[[0-9]+\\\\]) Session: (IPSEC)\\\\[([^]]+)\\\\]:[0-9]+ physical addresses: remote ([^ ]+) local ([^ ]+)', '*KEY*,event_type,protocol,client,remote_address,local_address');
    #accept_collected_entry_using_regexp('()Security \\\\[[0-9]+\\\\] Session: IPSEC\\\\[[^]]+\\\\]:[0-9]+ logged out', false);
  `

  # Database fields
  # location, file_type and worm are not set by the parsing filter above; presumably they are
  # derived by Sawmill from source_ip / page -- verify.
  database.fields = {
    event_type = ""
    protocol = ""
    user = ""
    rule = ""
    source_ip = ""
    location = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    action = ""
    operation = ""
    page = ""
    file_type = ""
    worm = ""
  } # database.fields

  # One integer counter per event type; each is set to 1 on the matching branch of the filter.
  database.numerical_fields = {
    connections = {
      label = "$lang_stats.field_labels.connections"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # connections
    sessions = {
      label = "$lang_stats.field_labels.sessions"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # sessions
    http_accesses = {
      label = "$lang_stats.field_labels.http_accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # http_accesses
  } # database.numerical_fields

  # Disabled: the 'sessions' counter is now set directly in the parsing filter.
  # log.filters = {
  #
  #   mark_entry = {
  #     label = '$lang_admin.log_filters.mark_entry_label'
  #     comment = '$lang_admin.log_filters.mark_entry_comment'
  #     value = 'sessions = 1;'
  #   } # mark_entry
  #
  # } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        operation = true
        page = true
        file_type = true
        worm = true
      }
      source_group = {
        source_ip = true
        location = true
        source_port = true
        user = true
      }
      destination_group = {
        destination_ip = true
        destination_port = true
      }
      other_group = {
        event_type = true
        protocol = true
        rule = true
        action = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # beta_nortel_contivity