# Author: Wes Lambert
# Updated by: Doug Burks

filter {
  if [type] == "filterlog" {
    dissect {
      mapping => {
        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
      }
    }
    if [ip_version] == "4" {
      dissect {
      	mapping => {
        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
      	}
      }
    }
    if [ip_version] == "6" {
      dissect {
      	mapping => {
        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
      	}
      }
    }
    if [protocol] == "tcp" {
      dissect {
      	mapping => {
        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
      	}
      }
    }
    if [protocol] == "udp" {
      dissect {
      	mapping => {
        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
      	}
      }
    }
    if [protocol] == "Options" {
      mutate {
	  copy => { "ip_sub_msg" => "options" }
        }
      mutate {
          split => { "options" => "," }
        }
    }
    mutate {
      convert 		=> [ "destination_port", "integer" ]
      convert 		=> [ "source_port", "integer" ]    
      convert 		=> [ "ip_version", "integer" ]
      replace 		=> { "type" => "firewall" }
      add_tag		=> [ "pfsense","firewall" ]
      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
    }
  }
}