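# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log format plugin for Windows Event Log exports produced by
# dumpel.exe (see info.1.device / log.format.format_label below).
# Besides the ten positional columns, the parsing filter extracts
# sub-fields from the "strings" column for the object-access audit
# events 560, 562 and 567, and looks up a description/category for
# every event code in lang_stats.windows_event_codes.

windows_event_log_dumpel = {

  # Bumped from "1.3" to "1.4": the revision log below already records a
  # 1.4 change (space allowed in the category field) and the autodetect
  # pattern below accepts a space in that position, so the version string
  # was simply left stale.
  plugin_version = "1.4"

  # NOTE(review): "manfacturer" is spelled this way in the source; it is
  # kept as-is because it may be the key Sawmill actually reads -- confirm
  # against the product's plugin schema before renaming.
  info.1.manfacturer = "Microsoft"
  info.1.device = "dumpel.exe"
  info.1.version.1 = ""

  # Revision log
  # 03/08/2006: 1.1: Graham added "strings" field
  # 01/23/2007: 1.2: GMF: Added parsing of 560, 562, and 567 event codes.
  # 02/01/2008: 1.3: GMF: Added reporting of event code description and category.
  # 06/07/2010: 1.4: MSG: Added support for a space in the category field.

  # NOTE(review): the following comment line is a fragment in the source
  # (its leading sentence is missing); it presumably described the
  # "generic" log data type selected just below.
  # sessions, hits, bandwidth, pageviews, and visitors.

  # The name of the log format
  log.format.format_label = "Windows Event Log Format (dumpel.exe export)"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this
  # regular expression: date, time, then three numeric columns and a
  # category made of letters and spaces.
  log.format.autodetect_regular_expression = "^[0-9]+/[0-9]+/[0-9][0-9][0-9][0-9] [0-9]+[:.][0-9][0-9][:.][0-9][0-9][^ ]* [0-9]+ [0-9]+ [0-9]+ [A-Za-z ]+ "

  # Fields are separated by tabs
  # NOTE(review): the separator literal shown here is a single space
  # although the comment says tabs; if the original contained a literal
  # tab character it may have been flattened when the file was copied --
  # confirm against a raw dumpel export. The same applies to the spaces
  # inside the regular expressions in this file.
  log.format.field_separator = " "

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Entries are called "events"
  statistics.miscellaneous.entry_name = "events"

  # Log fields: one entry per tab-separated column (index 1..10), plus
  # filter-populated fields that have no column of their own.
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 1
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 2
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    source = {
      label = "$lang_stats.field_labels.source"
      type = "flat"
      index = 3
      subindex = 0
    } # source
    event = {
      label = "$lang_stats.field_labels.event"
      type = "flat"
      index = 4
      subindex = 0
    } # event
    event_code = {
      label = "$lang_stats.field_labels.event_code"
      type = "flat"
      index = 5
      subindex = 0
    } # event_code
    # Filled in by the parsing filter from lang_stats.windows_event_codes;
    # "Unknown" when the code is not listed there.
    event_code_category = ""
    event_code_description = ""
    category = {
      label = "$lang_stats.field_labels.category"
      type = "flat"
      index = 6
      subindex = 0
    } # category
    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 7
      subindex = 0
    } # user
    computer = {
      label = "$lang_stats.field_labels.computer"
      type = "flat"
      index = 8
      subindex = 0
    } # computer
    description = {
      label = "$lang_stats.field_labels.description"
      type = "flat"
      index = 9
      subindex = 0
    } # description
    strings = {
      label = "$lang_stats.field_labels.strings"
      type = "flat"
      index = 10
      subindex = 0
    } # strings
    # Sub-fields extracted from "strings" by the parsing filter. They stay
    # empty for every event other than the matching event code.
    # 560 (Object Open)
    object_server = ""
    object_type = ""
    object_name = ""
    new_handle_id = ""
    operation_id = ""
    process_id = ""
    # 562 (Handle Closed); also reused by 567 (Object Access Attempt)
    handle_id = ""
  } # log.fields

  # Scratch node used by the parsing filter for the event code lookup.
  log.filter_initialization = `
node event_code_info;
`

  # Parsing filter. Each regular expression is anchored at the start of the
  # "strings" column and its captures are copied into the sub-fields above.
  # NOTE(review): every "[^ ]+" group stops at the first space, so an
  # Object Name or Object Type that itself contains the delimiter makes the
  # whole pattern fail and leaves that event's sub-fields empty (the
  # assignments only run inside the matching branch). Whether the real
  # delimiter is a space or a tab depends on the export -- see the
  # field_separator note above.
  log.parsing_filters.parse = `
# Event code 560 (http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=560)
#Object Open:
#Object Server:Security
#Object Type:File
#Object Name:C:\ConfidentialFiles\ ProjectPlan.doc.txt
#New Handle ID:1468
#Operation ID:{0,1023441}
#Process ID:1688
#
#Windows Server 2003 adds this field:
#
#Image File Name:C:\WINDOWS\ system32\ notepad.exe
#
# Group 5 deliberately spans two numbers: the Operation ID is a pair
# (see the {0,1023441} example above).
if ((event_code == 560) and (matches_regular_expression(strings, '^([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+ [0-9]+) ([0-9]+)'))) then (
  object_server = $1;
  object_type = $2;
  object_name = $3;
  new_handle_id = $4;
  operation_id = $5;
  process_id = $6;
);
# Event code 562 (http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=562)
#
#Handle Closed:
#Object Server:Security
#Handle ID:1468
#Process ID:1688
#
#Windows Server 2003 adds this field:
#
#Image File Name:C:\ WINDOWS\ system32\ notepad.exe
else if ((event_code == 562) and (matches_regular_expression(strings, '^([^ ]+) ([0-9]+) ([0-9]+)'))) then (
  object_server = $1;
  handle_id = $2;
  process_id = $3;
);
# Event code 567 (http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=567)
#
#Object Access Attempt:
#Object Server:Security
#Handle ID:144
#Object Type:File
#Process ID:3156
#Image File Name:C:\ WINDOWS\ system32\ notepad.exe
#Accesses:WriteData (or AddFile)
#AppendData (or AddSubdirectory or CreatePipeInstance)
#
#Access Mask:0x6
# Only the first four columns are captured; Image File Name, Accesses and
# Access Mask are left in the raw "strings" field.
else if ((event_code == 567) and (matches_regular_expression(strings, '^([^ ]+) ([0-9]+) ([^ ]+) ([0-9]+) '))) then (
  object_server = $1;
  handle_id = $2;
  object_type = $3;
  process_id = $4;
);
# Event code description/category lookup, independent of the branches
# above; unknown codes are reported as "Unknown" rather than left blank.
if (subnode_exists('lang_stats.windows_event_codes', event_code)) then (
  event_code_info = subnode_by_name('lang_stats.windows_event_codes', event_code);
  event_code_description = node_value(subnode_by_name(event_code_info, 'description'));
  event_code_category = node_value(subnode_by_name(event_code_info, 'category'));
);
else (
  event_code_description = "Unknown";
  event_code_category = "Unknown";
);
`

  # Database fields: every log field above (date/time folded into
  # date_time plus the derived day_of_week / hour_of_day fields).
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    source = ""
    event = ""
    event_code = ""
    event_code_category = ""
    event_code_description = ""
    category = ""
    user = ""
    computer = ""
    description = ""
    strings = ""
    # 560
    object_server = ""
    object_type = ""
    object_name = ""
    new_handle_id = ""
    operation_id = ""
    process_id = ""
    # 562
    handle_id = ""
  } # database.fields

  database.numerical_fields = {
    # One "event" counted per log entry (set by the mark_entry filter).
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    pages = ""
    size = {
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # windows_event_log_dumpel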