# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved. powershell_evtx_to_csv = { plugin_version = "1.0" info.1.manufacturer = "Microsoft" info.1.device = "Windows Event Logs (Powershell ETVX to CSV)" info.1.version.1 = "" # 2014-03-12 - 1.0 - GMF - Initial implementation # The name of the log format log.format.format_label = "Microsoft Windows Event (Powershell ETVX to CSV)" log.miscellaneous.log_data_type = "generic" log.miscellaneous.log_format_type = "other" # The log is in this format if any of the first ten lines match this regular expression ##TYPE System.Diagnostics.EventLogEntry#HArdwareEvents/Microsoft-Windows-Security-Auditing/4624 log.format.autodetect_regular_expression = "^#TYPE System.Diagnostics.EventLogEntry" # log.format.ignore_format_lines = "true" log.format.allow_newlines_inside_quotes = "true" log.format.field_separator = "," # This regular expression is used to parse the log fields out of the log entry # log.format.parsing_regular_expression = "^([0-9]+[/-][0-9]+[/-][0-9]+),([^,0-9]*)([0-9]+:[0-9][0-9]:[0-9][0-9][^,]*),([^,]*),([^,]*),([^,]*),([0-9]*),([^,]*),([^,]*),\"*(.*)\"*$" # Log fields log.fields = { eventid.index = 1 machinename.index = 2 data_.index = 3 index_.index = 4 category.index = 5 categorynumber.index = 6 entrytype.index = 7 message.index = 8 source.index = 9 replacementstrings.index = 10 instanceid.index = 11 timegenerated.index = 12 timewritten.index = 13 username.index = 14 site.index = 15 container.index = 16 # Extracted from timegenerated field date = "" time = "" # Extracted from message (Subject) security_id = "" account_name = "" account_domain = "" logon_id = "" # Extracted from message (New Logon) security_id = "" account_name = "" account_domain = "" logon_id = "" logon_guid = "" # Extracted from message (Process Information) process_id = "" process_name = "" # Extracted from message (Network Information) workstation_name = "" source_network_address = "" source_port = "" # Extracted from message (Detailed Authentication Information) logon_process = "" authentication_package = "" transited_services = "" package_name__ntlm_only_ = "" key_length = "" events = "" } # log.fields log.parsing_filters.parse = ` if (matches_regular_expression(timegenerated, '^([0-9/]+) ([0-9:]+)$')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); ); while (matches_regular_expression(message, '^([^ ]+) (.*)$')) ( v.line = $1; message = $2; if (matches_regular_expression(v.line, '^ ([^:]+): +([^ ].*)$')) then ( v.fieldname = lowercase(replace_all($1, ' ', '_')); v.fieldname = replace_all(v.fieldname, '(', '_'); v.fieldname = replace_all(v.fieldname, ')', '_'); set_collected_field('', v.fieldname, $2); ); ); # Remove the message value (for performance) message = "[omitted]"; set_collected_field('', 'eventid', eventid); set_collected_field('', 'machinename', machinename); set_collected_field('', 'data_', data_); set_collected_field('', 'index_', index_); set_collected_field('', 'category', category); set_collected_field('', 'categorynumber', categorynumber); set_collected_field('', 'entrytype', entrytype); set_collected_field('', 'message', message); set_collected_field('', 'source', source); set_collected_field('', 'replacementstrings', replacementstrings); set_collected_field('', 'instanceid', instanceid); set_collected_field('', 'timegenerated', timegenerated); set_collected_field('', 'timewritten', timewritten); set_collected_field('', 'username', username); set_collected_field('', 'site', site); set_collected_field('', 'container', container); accept_collected_entry('', false); ` # parsing filters # Database fields database.fields = { date_time = "" day_of_week = "" hour_of_day = "" eventid = "" machinename = "" data_ = "" index_ = "" category = "" categorynumber = "" entrytype = "" # message = "" source = "" replacementstrings = "" instanceid = "" # timegenerated = "" # timewritten = "" username = "" site = "" container = "" # Extracted from message (Subject) security_id = "" account_name = "" account_domain = "" logon_id = "" # Extracted from message (New Logon) security_id = "" account_name = "" account_domain = "" logon_id = "" logon_guid = "" # Extracted from message (Process Information) process_id = "" process_name = "" # Extracted from message (Network Information) workstation_name = "" source_network_address = "" source_port = "" # Extracted from message (Detailed Authentication Information) logon_process = "" authentication_package = "" transited_services = "" package_name__ntlm_only_ = "" key_length = "" } # database.fields database.numerical_fields = { events = { default = true entries_field = true } # events } # database.numerical_fields log.filters = { mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'events = 1;' } # mark_entry } # log.filters create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" eventid = true machinename = true category = true categorynumber = true entrytype = true source = true username = true site = true logon_group = { security_id = true account_name = true account_domain = true logon_id = true logon_guid = true } # logon_group process_group = { process_id = true process_name = true } # process_group network_group = { workstation_name = true source_network_address = true source_port = true } # network_group authentication_group = { logon_process = true authentication_package = true transited_services = true package_name__ntlm_only_ = true key_length = true } # authentication_group other_group = { data_ = true index_ = true replacementstrings = true instanceid = true container = true } # other_group } # report_groups } # create_profile_wizard_options } # windows_event_log_comma_delimited