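# Sawmill log-format plugin for the Windows Server 2003 DNS debug log.
#
# Field extraction is done entirely by the "parse" parsing filter below
# (parse_only_with_filters is true); the commented-out
# log.format.parsing_regular_expression is kept only as a readable copy of
# the same pattern.
#
# Changes versus the earlier revision of this plugin (see inline comments):
#   * the two separate log.filters nodes were merged into one node, so that
#     fix_question_name and mark_entry are declared together and in order;
#   * unique_remote_ips now counts the "remote_ip" log field; it previously
#     referenced a log field named "client", which this plugin never defines.
windows_2003_dns = {

  # The name of the log format
  log.format.format_label = "Windows 2003 DNS Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first 100 lines (autodetect_lines)
  # match this regular expression: a HH:MM:SS time of day, a three-hex-digit
  # token, then the literal word EVENT.
  log.format.autodetect_regular_expression = "^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9A-F][0-9A-F][0-9A-F] EVENT "
  log.format.autodetect_lines = "100"

  # This regular expression is used to parse the log fields out of the log entry.
  # Reference copy only: with parse_only_with_filters = "true" the "parse"
  # parsing filter below applies this same pattern.
  # log.format.parsing_regular_expression = "^([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\[(....) (....) ([^]]*)\\] (.*)$"
  log.format.date_format = "dd/mmm/yyyy"
  log.format.time_format = "auto"
  log.format.parse_only_with_filters = "true"

  # Log fields (populated by the "parse" parsing filter)
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
    } # time
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
    } # protocol
    direction = {
      label = "$lang_stats.field_labels.direction"
      type = "flat"
    } # direction
    # Remote address of the peer; treated as a host so Sawmill can derive the
    # domain_description and location database fields from it.
    remote_ip = {
      label = "$lang_stats.field_labels.remote_ip"
      type = "host"
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # remote_ip
    xid = {
      label = "$lang_stats.field_labels.xid"
      type = "flat"
    } # xid
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
    } # type
    opcode = {
      label = "$lang_stats.field_labels.opcode"
      type = "flat"
    } # opcode
    flags_hex = {
      label = "$lang_stats.field_labels.flags_hex"
      type = "flat"
    } # flags_hex
    flags = {
      label = "$lang_stats.field_labels.flags"
      type = "flat"
    } # flags
    response_code = {
      label = "$lang_stats.field_labels.response_code"
      type = "flat"
    } # response_code
    question_name = {
      label = "$lang_stats.field_labels.question_name"
      type = "flat"
    } # question_name
  } # log.fields

  # Parsing filters.
  #
  # CAVEAT (timestamps): each log line carries only a time of day, so "date"
  # is taken from now() at processing time, not from the log. Entries are
  # therefore stamped with the day the file is processed; processing a
  # historical or rotated log later will misdate every entry, which matters
  # when these reports are used as a timeline in an investigation. A fuller
  # fix would recover the date from the log file's own header -- TODO: confirm
  # that header's exact format before parsing it here.
  log.parsing_filters = {
    parse = {
      label = "parse"
      comment = ""
      value = "
        if (matches_regular_expression(current_log_line(), '^([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) (...) ([^ ]+) +(TCP|UDP) (Rcv|Snd) ([0-9.]+) +([0-9a-f][0-9a-f][0-9a-f][0-9a-f]) (.) (.) \\[(....) (....) ([^]]*)\\] (.*)$')) then (
          set_collected_field('', 'time', $1);
          set_collected_field('', 'date', substr(epoc_to_date_time(now()), 0, 11));
          set_collected_field('', 'protocol', $4);
          set_collected_field('', 'direction', $5);
          set_collected_field('', 'remote_ip', $6);
          set_collected_field('', 'xid', $7);
          set_collected_field('', 'type', $8);
          set_collected_field('', 'opcode', $9);
          set_collected_field('', 'flags_hex', $10);
          set_collected_field('', 'flags', $11);
          set_collected_field('', 'response_code', $12);
          set_collected_field('', 'question_name', $13);
          accept_collected_entry('', false);
        )
      "
    } # parse
  } # parsing_filters

  # Log filters.
  #
  # Declared as a single log.filters node. The earlier revision declared
  # log.filters twice (fix_question_name here, mark_entry after
  # database.fields); whether Sawmill merges a repeated node or lets the last
  # declaration win, one node is unambiguous and keeps fix_question_name
  # running before mark_entry.
  log.filters = {
    # Rewrite the length-prefixed question name into dotted form: every (N)
    # marker becomes a dot, then the leading dot and the trailing dot (from
    # the final (0) root marker) are stripped, e.g.
    # (3)www(7)example(3)com(0) -> www.example.com.
    # The name originates from untrusted network traffic; this filter only
    # rewrites the (N) markers and passes every other character through to
    # the database unchanged.
    fix_question_name = {
      label = "fix_question_name"
      comment = ""
      value = "
        # Convert (N) sections to dots for legibility
        while (matches_regular_expression(question_name, '^(.*)\\\\([0-9]+\\\\)(.*)$'))
          question_name = $1 . '.' . $2;
        if (starts_with(question_name, '.')) then
          question_name = substr(question_name, 1);
        if (ends_with(question_name, '.')) then
          question_name = substr(question_name, 0, length(question_name) - 1);
      "
    } # fix_question_name
    # Count every accepted entry as one lookup.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'lookups = 1;'
    } # mark_entry
  } # log.filters

  # Database fields
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    remote_ip = {
      label = "$lang_stats.field_labels.remote_ip"
      log_field = "remote_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # remote_ip
    domain_description = {
      label = "$lang_stats.field_labels.domain_description"
      log_field = "domain_description"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain_description
    location = {
      label = "$lang_stats.field_labels.location"
      log_field = "location"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
    } # location
    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    direction = {
      label = "$lang_stats.field_labels.direction"
      log_field = "direction"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # direction
    opcode = {
      label = "$lang_stats.field_labels.opcode"
      log_field = "opcode"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # opcode
    flags = {
      label = "$lang_stats.field_labels.flags"
      log_field = "flags"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # flags
    response_code = {
      label = "$lang_stats.field_labels.response_code"
      log_field = "response_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # response_code
    question_name = {
      label = "$lang_stats.field_labels.question_name"
      log_field = "question_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # question_name
  } # database.fields

  database.numerical_fields = {
    # One per accepted entry (set by the mark_entry log filter).
    lookups = {
      label = "$lang_stats.field_labels.lookups"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # lookups
    # Distinct remote addresses. Counts the "remote_ip" log field defined
    # above; the earlier revision referenced a non-existent "client" field.
    unique_remote_ips = {
      label = "$lang_stats.field_labels.unique_remote_ips"
      default = false
      requires_log_field = true
      log_field = "remote_ip"
      type = "unique"
      display_format_type = "integer"
    } # unique_remote_ips
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      remote_ip = true
      domain_description = true
      location = true
      type = true
      protocol = true
      direction = true
      opcode = true
      flags = true
      response_code = true
      question_name = true
    } # report_groups
  } # create_profile_wizard_options

  not_supported = {
    daybyday = true
    individualhosts = true
    bandwidth = true
    sessions = true
    pageviews = true
  } # not_supported

} # windows_2003_dns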