######################################################################
# Log Adapter  | sshd2
# LA Version   | 1.2.0
# Tmpl Version | 1.0 
# Company      | SenSage, Inc.
# Date         | 4-30-2007
# Update       | 6-12-2021
# --------------------------------------------------------------------
# Description  | This log adapter is designed to parse and load the  
#              | transaction log files generated by the SenSage collector.
######################################################################
# Copyright © 2001-2021 SenSage, Inc.
# All Rights Reserved.
######################################################################

######################################################################
# REGEX LEGEND
# (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})      -- timestamp YYYY-MM-DD HH:MM:SS 
# ([^\s\.]+)\.([^\s\.]+)                     -- facility + '.' + priority
# (\S+)\s+                                   -- hostname (rptr_host)
# ([^\s\(\[:]+)                              -- process name (proc_name)
# (?:\(([^\s\)]+)\))?                        -- optional process user name in parentheses
# (?:\[(\d+)\])?:                            -- optional pid in [] , mandatory colon ':'
# (.*)                                       -- message payload msg_payload
# (^$)|(.*)                                  -- catchall for s_rawmsg | f_rawmsg
#
######################################################################
#(^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([^\s\.]+)\.([^\s\.]+) (\S+)\s+([^\s\(\[:]+)(?:\(([^\s\)]+)\))?(?:\[(\d+)\])?:(.*)$)|(.*)
(^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([^\s\.]+)\.([^\s\.]+) (?:[^\s]+\s\w+\[\d+\]\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[-+]\d{2}:\d{2}\s)?(\S+)\s+([^\s\(\[:]+)(?:\(([^\s\)]+)\))?(?:\[(\d+)\])?:?(.*)$)|(.*)
s_rawmsg:VARCHAR,timestamp:VARCHAR,facility:VARCHAR,pri:VARCHAR,rptr_host:VARCHAR,proc_name:VARCHAR,proc_uname:VARCHAR,proc_pid:VARCHAR,msg_payload:VARCHAR,f_rawmsg:VARCHAR


-------------------------------------------------------
-- Additional Log Adapter Variables
-------------------------------------------------------

-------------------------------------------------------
-- Mandatory: SenSage PTL base setup
-- ALL variables in the following section should exist
-- in every valid SenSage PTL
-------------------------------------------------------

WITH $ADAPTER_VER                       AS '1.1.0'		-- ADAPTER VERSION
WITH $TZ                                AS 'GMT'		-- SET SERVER TIMEZONE. DEFAULT = GMT
WITH $YEAR	                            AS _timeformat("%Y",_now(),$TZ)	-- dynamically calculate year

--WITH $STORE_RAW_PARSE_SUCCESS           AS 'Y'			-- VALID OPTIONS: [Y|N]
WITH $STORE_RAW_PARSE_SUCCESS           AS 'Y'			-- VALID OPTIONS: [Y|N]
WITH $STORE_RAW_PARSE_FAILURE           AS 'Y'			-- VALID OPTIONS: [Y|N]


WITH $APP_VENDOR                        AS 'StandardUnix' -- Vendor of the APP
WITH $APP_NAME                          AS 'sshd'	-- Application Name
WITH $APP_VERSION                       AS 'n/a'		-- APP VERSION


-------------------------------------------------------
-- Optional: SenSage PTL extended Setup
-- Variables which may be useful if needed
-- NOTES: no extended setup used
-------------------------------------------------------


-------------------------------------------------------
-- User_Defined Functions
-------------------------------------------------------

WITH parse_message AS BUILTIN 'perl5' FUNCTION <<EOF

# parse_message culled from sys_syslog_app_sshd adapter
# should handle redhat and solaris messages.

sub parse_message {
	#Adding a small delay to avoid fragmentation due to the use of the current time as TS
	#use Time::HiRes 'usleep';
        #usleep(1);

	my ($message) = @_;

  # ---- SUSE ----
  # Server listening on :: port 22.
  # Received signal 15; terminating.
  # error: Bind to port 22 on :: failed: Address already in use.
  # error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
  # fatal: Cannot bind any address.
  # Illegal user wang0081 from ::ffff:152.16.189.126
  # error: PAM: User not known to the underlying authentication module
  # Failed keyboard-interactive/pam for illegal user wang0081 from ::ffff:152.16.189.126 port 34165 ssh2
  # Accepted keyboard-interactive/pam for wang0081 from ::ffff:152.16.189.126 port 34556 ssh2
  # fatal: Timeout before authentication for ::ffff:152.16.9.22
  # error: PAM: Authentication failure

  # it was requested to generate time in Perl instead of SQL
  use Time::HiRes qw(time);
  use POSIX qw(strftime);
  # get current time
  my $t = time;
  # convert $t to timestamp of desired format (this will drop miliseconds)
  my $loadTs = strftime "%Y-%m-%dT%H:%M:%S", gmtime $t;
  # add missing miliseconds
  $loadTs .= sprintf ".%05d", ($t-int($t))*100000;

  addamark::setInto(10,$loadTs);          # Load time as TS

  # suse addresses are a bit odd - looks like a bit mask prepended. 
  # massage to get compatibility
  $message =~ s/::[a-f0-9]{4}://;

	addamark::setInto(1,'-1');	#default AUDIT_PARSE_SUCCESS TO -1
								#if we successfully parse,set to 1

	#addamark::dbgPrint("msg: $message");
	
	if( $message =~ /((Accepted|Failed|Postponed) (?:none|password|publickey|keyboard-interactive(?:\/pam)?)) for (?:illegal user )?(\w+) from (\S+) port (\d+) (\S+)?/ ) {
		
		addamark::setInto(2,$1);	# EVENT_ACTION
		
		if( $2  eq "Accepted" ) { 
			$event_type = 'auth'; 
		}
		else { 
			$event_type='authfail';
		}
		
		addamark::setInto(3,$event_type);	# EVENT_TYPE
		addamark::setInto(5,$3);	# USERNAME
		addamark::setInto(6,$4);	# SRCHOST
		addamark::setInto(7,$5);	# SRCPORT
		addamark::setInto(8,$6);	# PROTO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	} elsif( $message =~ /(input\S+) (\w+ \w+) (.*)/ ) {

                addamark::setInto(2,$1);          # EVENT_ACTION
                addamark::setInto(4,$2);          # EVENT_INFO
                addamark::setInto(3,'authfail');  # EVENT_TYPE
                addamark::setInto(5,$3);          # USERNAME
                addamark::setInto(1,1);           # AUDIT_PARSE_SUCCESS
        } elsif( $message =~ /(Keyboard-interactive \(PAM\) \w+ \w+)(.*)/ ) {

                addamark::setInto(2,$1);          # EVENT_ACTION
                addamark::setInto(4,$2);          # EVENT_INFO
                addamark::setInto(3,'authfail');  # EVENT_TYPE
                addamark::setInto(1,1);           # AUDIT_PARSE_SUCCESS
        } elsif ( $message =~  /(session (opened|closed)) for user (\w+)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		if ( $2 eq 'opened') { $event_type = 'connect'; }
		else { $event_type = 'disconnect'; }
		addamark::setInto(3,$event_type);	# EVENT_TYPE
		addamark::setInto(5,$3);	# USERNAME
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	# connection from "152.16.178.138"
	elsif ( $message =~  /(connection) from "([^"]+)"/ ) {
		#addamark::dbgPrint("in connection from!");
		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'connect');	# EVENT_TYPE
		addamark::setInto(6,$2);	# SRCHOST
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(Public key authentication) for user (\w+) (accepted|failed)/ ) {
		$event_action = $1 . " " . $3;
		if( $3 eq 'accepted') { $event_type=  'auth';}
		else { $event_type = $authfail;}

		addamark::setInto(2,$event_action);	# EVENT_ACTION
		addamark::setInto(3,$event_type);	# EVENT_TYPE
		addamark::setInto(5,$2);	# USERNAME
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	# Now running on sims0030's privileges.
	elsif ( $message =~ /Now running on (\w+)(\'s) (.*)/ ) {

		addamark::setInto(2, 'Drop privileges');	# EVENT_ACTION
		addamark::setInto(5, $1);			# USERNAME
		addamark::setInto(3, 'status');			# ACTION_TYPE
		addamark::setInto(1, '1');			# set AUDIT_PARSE_SUCCESS
	}

	# Password authentication for user sims0030 accepted.
	elsif ( $message =~ /(Password authentication) for user (\w+) accepted/ ) {

		addamark::setInto(2, $1);	# EVENT_ACTION
		addamark::setInto(5, $2);	# USERNAME
		addamark::setInto(3, 'auth');	# EVENT_TYPE
		addamark::setInto(1, '1');	# set AUDIT_PARSE_SUCCESS

	}
	# User sims0030's local password accepted.
	elsif ( $message =~ /User (\w+)(\'s) (.*)/ ) {

		addamark::setInto(2, $3); 	# EVENT_ACTION
		addamark::setInto(3, 'auth');	# EVENT_TYPE
		addamark::setInto(5, $1); 	# USERNAME
		addamark::setInto(1, '1');	# set AUDIT_PARSE_SUCCESS

	}
	#  User sims0030, coming from slimphi.duhs.duke.edu, authenticated.
	elsif ( $message =~  /User (\w+), coming from ([^\s,]+), authenticated/ ) {

		addamark::setInto(2,'User authenticated');	# EVENT_ACTION
		addamark::setInto(3,'auth');	# EVENT_TYPE
		addamark::setInto(5,$1);	# USERNAME
		addamark::setInto(6,$2);	# SRCHOST
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /Public key (\S+) used/ ) {

		addamark::setInto(2,'Public key used');	# EVENT_ACTION
		addamark::setInto(3,'auth');	# EVENT_TYPE
		addamark::setInto(9,$1);	# KEY_FILENAME
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(Server listening) on (?:::)?(\S*) port (\d+)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'status');  # EVENT_TYPE
		addamark::setInto(6,$2);	# SRCHOST
		addamark::setInto(7,$3);	# SRCPORT
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	# Found matching RSA key: bb:8b:33:54:b6:3b
        elsif ( $message =~  /((Found matching RSA key): (\S+))/ ) {

		addamark::setInto(2,$2);	# EVENT_ACTION
		addamark::setInto(4,$1);	# EVENT_INFO
                addamark::setInto(3,'auth');    # EVENT_TYPE
		addamark::setInto(9,$3);	# KEY_FILENAME
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
        }
	# Connection from 1.2.3.4 port 1234 
        elsif ( $message =~  /((Connection) from (\S+) port (\d+))/ ) {

		addamark::setInto(2,$2);	# EVENT_ACTION
		addamark::setInto(4,$1);	# EVENT_INFO
                addamark::setInto(3,'connect'); # EVENT_TYPE
		addamark::setInto(6,$3);	# SRCHOST
		addamark::setInto(7,$4);	# SRCPORT
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
        }
	elsif ( $message =~  /(subsystem request) for (\S+)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'status');  # EVENT_TYPE
		addamark::setInto(8,$2);	# PROTO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /((?:\d+ more )?authentication failures?);(.*)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'authfail');	# EVENT_TYPE
		addamark::setInto(4,$2);	# EVENT_INFO

    # MWK 12.04.2006
    # now pull out the user info.
    $message =~ /user=(\S+)/;
    addamark::setInto(5, $1); # USERNAME
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(Illegal user) (\w+) from (\S+)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'authfail'); #EVENT_TYPE
		addamark::setInto(5,$2);	# USERNAME
		addamark::setInto(6,$3);	# SRCHOST
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(Received signal (\d+)); (.*)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		
    my $type = 'error';
    $type = 'status' if ( $2 eq '15');
    addamark::setInto(3,$type);	# EVENT_TYPE
		addamark::setInto(4,$3);	# EVENT_INFO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(Received disconnect) from ([^:\s]+): (.*)/) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'disconnect');	# EVENT_TYPE
		addamark::setInto(4,$3);	# EVENT_INFO
		addamark::setInto(6,$2);	# SRCHOST
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(Login restricted) for (\w+): (.*)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'error');	# EVENT_TYPE
		addamark::setInto(4,$3);	# EVENT_INFO
		addamark::setInto(5,$2);	# USERNAME
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
        elsif ( $message =~ /error: PAM: (.*)/ ) {

		addamark::setInto(3,'authfail'); # EVENT_TYPE
                addamark::setInto(2,'error');        # EVENT_ACTION
                addamark::setInto(4,$1);        # EVENT_INFO
                addamark::setInto(1,1); # AUDIT_PARSE_SUCCESS
	}
	# Local disconnected: Connection closed.
	elsif ( $message =~  /(Local disconnected): (.*)/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'disconnect');	# EVENT_TYPE
		addamark::setInto(4,$2);	# EVENT_INFO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	# connection lost: 'Connection closed.'
	elsif ( $message =~  /(connection lost): '(Connection closed.)'/ ) {

		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(3,'error');	# EVENT_TYPE
		addamark::setInto(4,$2);	# EVENT_INFO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	# Connection closed by remote host.
        elsif ( $message =~  /((Connection closed) by remote host)/ ) {

                addamark::setInto(2,$2);        # EVENT_ACTION
                addamark::setInto(3,'disconnect');      # EVENT_TYPE
                addamark::setInto(4,$1);        # EVENT_INFO
                addamark::setInto(1,1); # AUDIT_PARSE_SUCCESS
        }
	elsif ( $message =~ /(Did not receive identification string) from (\S+)/ ) {
        addamark::setInto(2,$1);    # EVENT_ACTION
		addamark::setInto(6,$2);	# SRCHOST
        addamark::setInto(3,'error');   # EVENT_TYPE
        addamark::setInto(1,1); # AUDIT_PARSE_SUCCESS	
	}
	elsif ( $message =~  /(fatal): (Timeout before authentication) for (\S*)/ ) {
	
	addamark::setInto(3,'error');	# EVENT_TYPE
		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(6,$3);	# SRCHOST
		addamark::setInto(4,$2);	# EVENT_INFO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
	}
	elsif ( $message =~  /(error|fatal): (.*)/ ) {
    	
	addamark::setInto(3,'error');	# EVENT_TYPE
		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(4,$2);	# EVENT_INFO
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS
    if( $message =~ /change password for (\w+),/) {
      addamark::setInto(5,$1); #USERNAME
    }
	}
  elsif ( $message =~ /\s*(succeeded)$/ ) {
	  addamark::setInto(3,'status');	# EVENT_TYPE
		addamark::setInto(2,$1);	# EVENT_ACTION
		addamark::setInto(1,1);	# AUDIT_PARSE_SUCCESS

	# Following are TRU64 messages received from TIM
    
  } elsif ( $message =~ /(\w+)\s+(login)\s+on\s+([^\s]+)/ ) {
		addamark::setInto(5,$1);	# USERNAME
		addamark::setInto(3,$2);	# EVENT_ACTION
		addamark::setInto(6,$3);	# SRCPORT
  } elsif ( $message =~ /(Daemon is running\.)/ )  {
		addamark::setInto(2,$1);
  } elsif ( $message =~ /(Accepted password)\s+for([^\s]+)\s+from\s+([^\s]+)\s+port(\d+)\s(.*)/ ) {
	#Accepted password for root from 10.178.20.63 port 1692 ssh2
		addamark::setInto(3,$1);
		addamark::setInto(5,$2);
		addamark::setInto(6,$3);
		addamark::setInto(7,$4);
		addamark::setInto(8,$5);
  } elsif ( $message =~ /(Password authentication)\for\suser([^\s]+)\s(.*)/ ) {
	#Password authentication for user oracle9i accepted.
		addamark::setInto(4,$1);
		addamark::setInto(5,$2);
		addamark::setInto(3,$3);
  } elsif ( $message =~ /User\s([^\s]+),\s+coming\sfrom\s([^\s]+),\s(.*)/ ) {
	#User oracle9i, coming from dstapis232438.wks.internal.timbrasil.com.br, authenticated.
		addamark::setInto(5,$1);
		addamark::setInto(6,$2);
		addamark::setInto(2,$3);
  } elsif ( $message =~ /Users\s([\s]+)\s(.*)/ ) {
	#User oracle9i\'s local password accepted.
		addamark::setInto(5,$1);
		addamark::setInto(3,$2);
  } elsif ( $message =~ /(WARNING):\s(DNS lookup failed) for \\\"([^\\]+)/ ) {
	#WARNING: DNS lookup failed for \"10.178.20.64\".
		addamark::setInto(3,$1);
		addamark::setInto(4,$2);
		addamark::setInto(6,$3);
  } elsif ( $messages =~ /(error):\s(Couldn\\'t authenticate)\s(oracle9)\sfrom\s(10.178.205.32)/ ) {
	#error: Couldn\'t authenticate oracle9 from 10.178.205.32
		addamark::setInto(3,$1);
		addamark::setInto(4,$2);
		addamark::setInto(5,$3);
		addamark::setInto(6,$4);
  } elsif ( $message =~ /User\s([^\s]+),\scoming\sfrom\s([^\s]+),\s([^\.]+)/ ) {
	#User oracle9i, coming from 10.178.20.102, authenticated.
		addamark::setInto(5,$1);
		addamark::setInto(6,$2);
		addamark::setInto(3,$3);
  } elsif ( $message =~ /([^\s]+):\s(Timeout before authentication)\sfor\s([^\s]+)/ ) {
	#fatal: Timeout before authentication for 10.178.20.64
		addamark::setInto(3,$1);
		addamark::setInto(4,$2);
		addamark::setInto(6,$3);
  } elsif ( $messages =~ /(error):\s(Couldn\\'t\sauthenticate)\s(bscs)\sfrom\s([^\s]+)/ ) {
	#error: Couldn\'t authenticate bscs from bscs.internal.timbrasil.com.br
		addamark::setInto(3,$1);
		addamark::setInto(4,$2);
		addamark::setInto(5,$3);
		addamark::setInto(6,$4);
  } elsif ( $messages =~ /(Couldn\\'t\sauthenticate)\s([^\s]+)\sfrom\s([^\s]+)/ ) {
	#error: Couldn\'t authenticate nonexistent2134406473 from 10.178.16.219
		addamark::setInto(4,$1);
		addamark::setInto(5,$2);
		addamark::setInto(6,$3);
  } elsif ( $messages =~ /(Illegal user)\s([^\s]+)\sfrom\s([^\s]+)/ ) {
	#Illegal user ressbra from 10.178.205.74
		addamark::setInto(4,$1);
		addamark::setInto(4,$2);
		addamark::setInto(6,$3);
  } elsif ( $message =~ /(error):(\w+\s\w+:\s.*)/ ) {
	#error: setsockopt SO_KEEPALIVE: Invalid argument
		addamark::setInto(3,$1);
		addamark::setInto(4,$2);
		addamark::setInto(2,$3);
  } elsif ( $message =~ /(WARNING):\s([^\s]+):\s(.*)/ ) {
	#WARNING: ssh_user_validate_kerberos_password: uc not krb
		addamark::setInto(3,$1);
		addamark::setInto(4,$2);
		addamark::setInto(8,$3);
  } elsif ( $message =~ /(.*)/ ) {
	#subsystem request for sftp
		addamark::setInto(4,$1);
  } else {
		addamark::setInto(3,'other');   # EVENT_TYPE
		addamark::setInto(1,-1);	# IF WE GOT HERE THEN PARSING HAS FAILED
  }
}
EOF

-- ====================================================================== --
-- ====================================================================== --

SELECT
parse_message(msg_payload) INTO parsed AS __UNUSED_01__,

-- We need to use the current time (load time) as TS
_TIMESTAMP(parsed[10]) AS TS,

--And what we were using as TS (the event timestamp), we need to save it as EVENT_TS
-- if the message parsing fails set the EVENT_TS value to current time
CASE
   WHEN f_rawmsg <> "" THEN _timestamp(now())
   ELSE  _TIMESTAMP(_strptime(timestamp, "%Y-%m-%d %T", $TZ))
END as EVENT_TS,



-------------------------------------------------------
-- Schema - Required Fields (PREPEND)
-------------------------------------------------------

    _VARCHAR($ADAPTER_VER)          AS ADAPTER_VER,
    _VARCHAR($APP_NAME)				AS APP_NAME,
    _VARCHAR($APP_VENDOR)			AS APP_VENDOR,
    _VARCHAR($APP_VERSION)          AS APP_VERSION,
    _VARCHAR($TZ)                   AS TIMEZONE,



-------------------------------------------------------
-- Schema - Adapter Specific Fields
-------------------------------------------------------


-------------------------------------------------------
-- Schema -  SenSage PTL extended Setup (APPEND)
-- Notes: No Extended Setup
-------------------------------------------------------

	-- parsed[1] --> contains return value/ AUDIT_PARSE_SUCCESS

	_VARCHAR(facility) AS       FACILITY,
	_VARCHAR(pri)   AS          PRIORITY,
	_VARCHAR(proc_name) AS      PROC_NAME,
	_VARCHAR(proc_uname) AS     PROC_UNAME,
	_VARCHAR(proc_pid) AS       PROC_PID,
	_VARCHAR(rptr_host) AS      RPTR_HOST,
	_VARCHAR(parsed[2]) AS      EVENT_ACTION,    --- 
	_VARCHAR(parsed[3]) AS      EVENT_TYPE,      --- auth|authfail|error|status|other|connect|disconnect 
	_VARCHAR(parsed[4]) AS      EVENT_INFO,      --- status message accompanying EVENT_ACTION
	_VARCHAR(parsed[5]) AS      USERNAME,        --- user name
	_VARCHAR(parsed[6]) AS      SRCHOST,         --- either ipaddress or hostname or src
	_VARCHAR(parsed[7]) AS      SRCPORT,         --- source port
	_VARCHAR(parsed[8]) AS      PROTO,           --- app proto (i.e. ssh , ssh2)
	_VARCHAR(parsed[9]) AS      KEY_FILENAME,    --- if a public keyfile name is available
	
-------------------------------------------------------
-- Schema - Required Fields (APPEND)
-------------------------------------------------------

CASE
   WHEN f_rawmsg <> "" THEN _int64(-1)				-- if there is a value in f_rawmsg then the main parsing failed
--   WHEN parsed[1] <> "" AND parsed[1] <> "1" THEN _int64(-1) 
	 ELSE _int64(1)
END as AUDIT_PARSE_SUCCESS,

-- use the success/fail rawmsg value to unparsed_message
-- do to alternation rules only one will be populated
-- s_rawmsg = success
-- f_rawmsg = failure
CASE
   WHEN s_rawmsg <> "" and $STORE_RAW_PARSE_SUCCESS=="Y" THEN _varchar(s_rawmsg)
   WHEN f_rawmsg <> "" and $STORE_RAW_PARSE_FAILURE=="Y" THEN _varchar(f_rawmsg)
   ELSE _varchar("")
END as unparsed_message,

-------------------------------------------------------
-- Non-Schema - Adapter Required Fields
-- DO NOT DELETE THESE FIELDS - required to change table schema
-------------------------------------------------------

_BOOL(0)                      as _internal_bool,
_FLOAT(0)                     as _internal_float,
_INT32(0)                     as _internal_int32,
_INT64(0)                     as _internal_int64,
_TIMESTAMP(0)                 as _internal_timestamp,
_VARCHAR('')                  as _internal_varchar

FROM stdin;