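#==============================================================================
#
# Module:   welf.pm
#
# Author:   Peter Sundstrom (peter@ginini.com)
#
# Purpose:  Converts WELF FW logs to FW1 logexport format.  The WELF specs
#           are taken from http://www.webtrends.com/library/prtnr_welf.doc
#
# Version:  1.0.2
#
# Source:   http://www.ginini.com/software/fwlogsum/converters/
#
#==============================================================================

use strict;
use warnings;

# Package globals shared with the calling script (this file has no package
# statement, so these are the main:: globals).  Assumed to be set by the
# caller before Convert() runs - confirm there:
#   $verbose - when true, Linecount() is called once per converted record
#   %mon     - maps the two-digit month of the WELF time stamp to the
#              month text used in the FW1 date column
our ($verbose, %mon);

# Convert($input)
#
# Reads the WELF log file named by $input and prints to STDOUT an FW1
# logexport header followed by one record per WELF line that carries
# "id=firewall"; other lines are skipped.  Dies when the file cannot be
# opened or when a rule entry cannot be classified.
#
# Column mapping (in the order printed):
#   num, date (ddMonyyyy), time, orig (fw), type ("account"), action,
#   i/f_name (always "unknown"), proto (always "tcp"), src, dst,
#   service (the WELF "proto" value), rule, bytes (sent + rcvd).
sub Convert {
    my $input = shift;

    # Three-arg open with an explicit mode and a lexical handle: with the
    # two-arg form the mode is taken from the start of the file name itself.
    open my $in, '<', $input or die "Can not open $input $!\n";

    #
    # Output FW1 logexport header
    #
    print "num;date;time;orig;type;action;i/f_name;proto;src;dst;service;rule;bytes;\n";

    my $count = 0;
  LINE:
    while (my $line = <$in>) {
        next LINE unless $line =~ /id=firewall/;
        Linecount($count) if $verbose;

        # Without the chomp a trailing field ("dst=..." as last token) would
        # carry the newline into the middle of the output record.
        chomp $line;

        #
        # Remove syslog stamp if it exists
        #
        $line =~ s/(^.*\] )?//;

        # Split on the space that precedes the next "name=" token; the inner
        # split is limited to two parts so a '=' inside a value is kept.
        # Values are emitted verbatim, so a ';' inside a WELF value would
        # shift the columns of the FW1 record for downstream readers.
        my %record;
        foreach my $pair (split(/ (?=[a-z]+=)/, $line)) {
            my ($field, $value) = split(/=/, $pair, 2);
            $record{$field} = defined $value ? $value : '';
        }

        my ($yyyy, $mm, $dd, $time) =
            _field(\%record, 'time') =~ /(\d+)-(\d+)-(\d+) (\d+:\d+:\d+)/;
        my $month = defined $mm && defined $mon{$mm} ? $mon{$mm} : '';
        $count++;
        print "$count;", ($dd || ''), $month, ($yyyy || ''), ";",
              ($time || ''), ";", _field(\%record, 'fw'), ";account;";

        #
        # Action type is possibly recorded in the rule field.
        # If there is no rule, or an actual rule number, the
        # action is assumed to be accepted.
        #
        my ($action, $rule) = _action_for_rule($record{'rule'});
        print "$action;";

        # WELF carries no interface name; the proto column is fixed and the
        # WELF "proto" value (a service name) goes into the service column.
        print "unknown;";
        print "tcp;";

        #
        # If there is a resolved src/dst name use that, otherwise
        # use the IP address
        #
        my $src = $record{'srcname'} || _field(\%record, 'src');
        my $dst = $record{'dstname'} || _field(\%record, 'dst');
        print "$src;";
        print "$dst;";

        print _field(\%record, 'proto'), ";$rule;";

        #
        # Byte counter is the total of bytes
        # send and received
        #
        my $bytes = 0;
        $bytes += $record{'sent'} if $record{'sent'};
        $bytes += $record{'rcvd'} if $record{'rcvd'};
        print "$bytes\n";
    }

    close $in;
    return;
}

# _field(\%record, $name)
#
# Returns the value of $name from the parsed record, or '' when the field
# is absent, so missing WELF fields print as an empty column rather than
# raising an uninitialised-value warning.
sub _field {
    my ($record, $name) = @_;
    return defined $record->{$name} ? $record->{$name} : '';
}

# _action_for_rule($entry)
#
# Maps the WELF "rule=" value to the FW1 (action, rule) columns.  A numeric
# entry is a real rule number and means accepted; a textual entry names the
# action and the rule column becomes "n/a"; a missing or empty entry is
# assumed accepted.  Any other word is rejected with die.  The deny words
# are tested before the allow words because "disallow" also contains "allow".
sub _action_for_rule {
    my $entry = shift;
    $entry = '' unless defined $entry;

    return ('accept', $entry) if $entry =~ /\d+/;
    return ('drop',   'n/a')  if $entry =~ /deny|reject|drop|disallow/;
    return ('accept', 'n/a')  if $entry =~ /allow|accept|permit/;
    # \w+ (any remaining word) - the original /w+/ only matched entries
    # containing the letter "w" and let other unknown entries through.
    die "Unknown rule entry: $entry\n" if $entry =~ /\w+/;
    return ('accept', 'n/a');
}

1;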