#sourcetype for Sofrel S4W
[sofrel:s4w]
SHOULD_LINEMERGE=false
KV_MODE = none
EXTRACT-sofrel-s4w-generic = (?<device_date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}) \S+ - (?<message_text>.+)
EXTRACT-sofrel-s4w-lost-mon-msg = (?<state>Lost) (?<service>monitoring messages)
EXTRACT-sofrel-s4w-crt = ((?<user>\S+) - )?(?<certificate>Product|Root) (?<service>certificate)( Authority)?( -)? (?<state>Imminent expiration|expired|modified|not trusted)
EXTRACT-sofrel-s4w-revoc-list = ((?<user>\S+) - )?(?<service>Revocation list) (?<state>update failure|modified|removed|ignored)
EXTRACT-sofrel-s4w-crt-key-mismatch = (?<certificate>Product) (?<service>certificate) and key doesn’t match
EXTRACT-sofrel-s4w-auth-not-trusted = not trusted by (?<common_name_authority>.+)
EXTRACT-sofrel-s4w-sys-conn-ref = (?<service>System connection) (?<state>refused) by (?<remote_host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})? ?(CN=(?<common_name_remote_certificate>.+))?
EXTRACT-sofrel-s4w-refusal-crt = (?<state>Refusal) \((?<reason>Expiration|Revocation|Future validity|Bad CN|Not trusted by the CA|Other)\) of the received (?<service>certificate) of system \[(?<remote_host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) CN=(?<common_name_remote_certificate>.+)\]  
EXTRACT-sofrel-s4w-mng-fault = (?<service>Management fault) (?<state>(dis)?appeared)
EXTRACT-sofrel-s4w-dwn-conf = ((?<user>\S+) - )?(?<state>Download|Read) (?<service>Configuration|Software) (?<version>V[0-9\.]+)
EXTRACT-sofrel-s4w-conf-refuse = New (?<service>Configuration|Software) (?<state>refused) by the product
EXTRACT-sofrel-s4w-dwn = ((?<user>\S+) - )?(?<state>Download) (?<service>User List|Options)
EXTRACT-sofrel-s4w-user-modif = ((?<user>\S+) - )?(?<service>User) (?<target_user>.+) (?<state>created|deleted|updated)
EXTRACT-sofrel-s4w-erase-arch = (?<user>\S+) - (?<state>Erase) (?<service>archive)
EXTRACT-sofrel-s4w-switch-mode = Switch on (?<mode>normal|degraded) mode 
EXTRACT-sofrel-s4w-fault = (?<service>External alimentation|Battery|System) fault : (?<state>OFF|ON)
EXTRACT-sofrel-s4w-conn-fail-crt = (?<service>System) (?<state>connection failure) (?<Common_name_certificate>.+) \((?<reason>bad Common Name|revoked|not valid yet|expired|not trusted by the root Authority)\) 
EXTRACT-sofrel-s4w-conn-unk = (?<service>System) (?<state>connection unknown) (?<remote_host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
EXTRACT-sofrel-s4w-conn-refuse = (?<service>System) (?<state>connection refused) by (?<hostname>.+) (client|server)
EXTRACT-sofrel-s4w-network-attack = (?<service>Network) (?<state>attack) \((?<attack>(SYN|PING) Flood)\) detected from IP (?<remote_host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
EXTRACT-sofrel-s4w-server-state = Server (?<service>NTP|DNS|SMTP) : (?<state>N?OK)
EXTRACT-sofrel-s4w-user-conn = ((?<user>\S+) - )?(?<connection_type>Local|Remote) user (?<service>connection)( (?<state>failure))?(, (?<reason>user outside validity period))?
EXTRACT-sofrel-s4w-user-unk = User unknown \(?(?<user>[^\(\)\s]+)\)? - (?<connection_type>Local|Remote) (?<service>connection) (?<state>failure)
EXTRACT-sofrel-s4w-badging-unk = (?<service>Badging) .(?<COM>COM.). - (?<state>unknown) badge N. ?(?<badge_no>.+)
EXTRACT-sofrel-s4w-pass-chg = (?<service>Password) change notification to Management : (?<state>failure|success)
EXTRACT-sofrel-s4w-mng-user-list = Management - (?<service>User List) receipt (?<state>failure) \((<reason>not managed)\)
EXTRACT-sofrel-s4w-badging-id = (?<service>Badging) .(?<COM>COM.). - (?<state>Identification) .(?<text>.*).