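# This file contains a mapping of windows event Description subfield names, as they appear in event logs,
# to Sawmill's internal versions of these names. Because these subfield names appear in the local language,
# each language must list all field names here, or they will not be extracted properly by Windows event log
# plug-ins. The right-hand-side of each "=" should be the internal name of a subfield, which can be determined
# by looking at the English section (also, these will always be all lowercase versions of the English event
# log name, with spaces converted to underbars).
#
# Maintenance notes:
# - The internal name for a given subfield must be spelled identically in every language block; otherwise the
#   same subfield is extracted under two different names depending on the locale of the log, and any report or
#   detection rule keyed on that field silently misses one locale.
# - A left-hand-side name that appears twice in one language with two different internal names is ambiguous:
#   which mapping takes effect depends on how this file is parsed (first-wins vs. last-wins). Such entries are
#   marked CONFLICT below and should be resolved to a single mapping once the intended field is confirmed.
# - Comments are full-line only; do not append comments after a value.
windows_event_field_names = {

  # English
  "User Name" = "user_name"
  "Domain" = "domain"
  "Logon ID" = "logon_id"
  "Caller User Name" = "caller_user_name"
  "Caller User Domain" = "caller_user_domain"
  "Caller User Logon ID" = "caller_user_logon_id"

  ## Server 2008
  # ("Logon ID" is also present in Server 2008 events; it is mapped once, above.)
  "Security ID" = "security_id"
  "Account Name" = "account_name"
  "Account Domain" = "account_domain"
  "Logon Type" = "logon_type"
  "New Logon" = "new_logon"
  "ID" = "id"
  "Logon GUID" = "logon_guid"
  "Process ID" = "process_id"
  "Process Name" = "process_name"
  # Fixed: was "worksatation_name" (typo). The Traditional Chinese block already uses "workstation_name",
  # so English-locale logs were placing the workstation name in a differently-named field than other locales.
  "Workstation Name" = "workstation_name"
  "Source Network Address" = "source_network_address"
  "Source Port" = "source_port"
  "Logon Process" = "logon_process"
  # NOTE(review): the Traditional Chinese block maps the authentication-package subfield to
  # "authentication_package"; whether "auth_package" and "authentication_package" should be unified
  # depends on which name the event log plug-ins read — confirm before changing either.
  "Package" = "auth_package"
  "Transited Services" = "transited_services"
  "Package Name (NTLM only)" = "package_name"
  "Key Length" = "key_length"

  # Traditional Chinese
  "使用者名稱" = "user_name"
  "主要使用者名稱" = "primary_user_name"
  "用戶端使用者名稱" = "client_user_name"
  "網域" = "domain"
  "主網域" = "primary_domain"
  "用戶端網域" = "client_domain"
  "登入識別碼" = "logon_id"
  "主要登入識別碼" = "primary_logon_id"
  "主登入 ID" = "primary_logon_id"
  "用戶端登入識別碼" = "client_logon_id"
  "用戶端登入 ID" = "client_logon_id"
  "登入類型" = "logon_type"
  "登入處理" = "logon_process"
  "驗證封裝" = "authentication_package"
  "工作站名稱" = "workstation_name"
  "登入 GUID" = "logon_guid"
  "呼叫者使用者名稱" = "caller_user_name"
  # CONFLICT: "用戶端使用者名稱" is also mapped to "client_user_name" above.
  "用戶端使用者名稱" = "caller_user_name"
  "呼叫者網域" = "caller_domain"
  # CONFLICT: "用戶端網域" is also mapped to "client_domain" above.
  "用戶端網域" = "caller_domain"
  "呼叫者登入識別碼" = "caller_logon_id"
  # CONFLICT: "用戶端登入識別碼" is also mapped to "client_logon_id" above.
  "用戶端登入識別碼" = "caller_logon_id"
  "呼叫者處理識別碼" = "caller_process_id"
  "轉送的服務" = "transited_services"
  "來源網路位址" = "source_network_address"
  "來源連接埠" = "source_port"
  "物件伺服器" = "object_server"
  "物件名稱" = "object_name"
  "物件類型" = "object_type"
  "處理識別碼" = "handle_id"
  "新的處理識別碼" = "new_handle_id"
  "程序識別碼" = "process_id"
  "影像檔案名稱" = "image_file_name"
  "新的處理 ID" = "new_process_id"
  "建立者處理 ID" = "creator_process_id"
  "伺服器" = "server"
  "服務" = "service"
  "特殊權限" = "privileges"
  "特權" = "privileges"
  "存取" = "accesses"
  "存取遮罩" = "access_mask"
  "限制的 Sid 數目" = "restricted_sid_count"
  "操作識別碼" = "operation_id"
  "登入帳戶" = "logon_account"
  "來源工作站" = "source_workstation"
  "錯誤碼" = "error_code"
  "處理名稱" = "process_name"

  ## Server 2008
  "安全性識別碼" = "security_id"
  "帳戶名稱" = "account_name"
  "帳戶網域" = "account_domain"
  "新登入" = "new_logon"
  "處理程序識別碼" = "process_id"
  "處理程序名稱" = "process_name"
  "登入處理程序" = "logon_process"
  "封裝名稱 (僅限 NTLM)" = "package_name"
  "金鑰長度" = "key_length"
  "來源位址" = "source_address"
  "目的地位址" = "destination_address"
  "目的地連接埠" = "destination_port"
  "通訊協定" = "protocol"
  "用戶端位址" = "client_address"
  "用戶端連接埠" = "client_port"
  "共用名稱" = "share_name"

} # windows_event_field_names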