# Log-format plugin: Windows Event Log exported as CSV, 24-hour times, d/m/yyyy dates.
# Structure follows the Sawmill-style plugin layout ($lang_stats labels,
# collect_fields_using_regexp filters); the engine that reads it is not visible here.
windows_event_log24_hour_dmyyyy = {
# The name of the log format
log.format.format_label = "Windows Event Log Format (24 hour times, d/m/yyyy dates)"
log.miscellaneous.log_data_type = "generic"
log.miscellaneous.log_format_type = "other"
# The log is in this format if any of the first ten lines match this regular expression
# Expects nine comma-separated columns: date, time, three free-text columns, one
# numeric column, two free-text columns, and a free-form remainder.
log.format.autodetect_regular_expression = "^[0-9]+/[0-9]+/[0-9][0-9][0-9][0-9],[0-9]+:[0-9][0-9]:[0-9][0-9],[^,]*,[^,]*,[^,]*,[0-9]*,[^,]*,[^,]*,.*$"
# This regular expression is used to parse the log fields out of the log entry
# Nine capture groups, in the same column order as the autodetect expression.
# NOTE(review): the final (.*) is greedy, so any closing quote is consumed by group 9
# and the trailing \"* can only match the empty string -- the captured remainder may
# end with a literal quote character. The remainder column is free text supplied by
# the event source; treat it as untrusted downstream.
# NOTE(review): every entry in log.fields below has index = 0, so if index is the
# 1-based capture-group number none of these groups is bound to a log field -- confirm.
log.format.parsing_regular_expression = "^([0-9]+/[0-9]+/[0-9][0-9][0-9][0-9]),([0-9]+:[0-9][0-9]:[0-9][0-9]),([^,]*),([^,]*),([^,]*),([0-9]*),([^,]*),([^,]*),\"*(.*)\"*$"
# The format of dates and times in this log
log.format.date_format = "d/m/yyyy"
log.format.time_format = "h:mm:ss"
# There can be newlines inside quotes in CSV files -- let field values span lines
# (the quoted remainder column is the one that can contain commas, quotes and newlines)
log.format.allow_newlines_inside_quotes = "true"
# Log fields
# NOTE(review): the names below (from, to, subject, encoding, nfiles, nbytes, name,
# attachment, attno) match the mail-scanner style parsing filters further down, not
# the Windows Event Log columns (source, event id, user, computer, description)
# matched by the regular expressions above; those columns have no field here.
# Looks carried over from another plugin -- confirm against the intended format.
log.fields = {
date = {
label = "$lang_stats.field_labels.date"
type = "date"
index = 0
subindex = 0
hierarchy_dividers = ""
left_to_right = false
leading_divider = "false"
} # date
time = {
label = "$lang_stats.field_labels.time"
type = "time"
index = 0
subindex = 0
hierarchy_dividers = ""
left_to_right = false
leading_divider = "false"
} # time
from = {
label = "$lang_stats.field_labels.from"
type = "flat"
index = 0
subindex = 0
} # from
to = {
label = "$lang_stats.field_labels.to"
type = "flat"
index = 0
subindex = 0
} # to
subject = {
label = "$lang_stats.field_labels.subject"
type = "flat"
index = 0
subindex = 0
} # subject
encoding = {
label = "$lang_stats.field_labels.encoding"
type = "flat"
index = 0
subindex = 0
} # encoding
# nfiles and nbytes are collected by parsing filter 1 but have no database.fields entry
nfiles = {
label = "$lang_stats.field_labels.nfiles"
type = "integer"
index = 0
subindex = 0
hierarchy_dividers = ""
left_to_right = false
leading_divider = "false"
} # nfiles
nbytes = {
label = "$lang_stats.field_labels.nbytes"
type = "size"
index = 0
subindex = 0
hierarchy_dividers = ""
left_to_right = false
leading_divider = "false"
} # nbytes
name = {
label = "$lang_stats.field_labels.name"
type = "flat"
index = 0
subindex = 0
} # name
attachment = {
label = "$lang_stats.field_labels.attachment"
type = "flat"
index = 0
subindex = 0
} # attachment
attno = {
label = "$lang_stats.field_labels.attno"
type = "integer"
index = 0
subindex = 0
hierarchy_dividers = ""
left_to_right = false
leading_divider = "false"
} # attno
} # log.fields
#
# Log Parsing Filters
# NOTE(review): all four filters expect space-separated lines (e.g. "dd/mm/yyyy hh:mm:ss
# <key> ..."), not the comma-separated lines that the autodetect and parsing expressions
# above accept, so under this format they are unlikely to match anything -- confirm.
# '*KEY*' presumably joins the pieces of one multi-line record; verify against the engine.
log.parsing_filters = {
# Parse out the "Scanned: CONTAINS A VIRUS "MIME: 4 838""
# Field list names 'dummy' and 'dummy2' for the two groups that are discarded; neither is
# declared in log.fields. Day and month are fixed at two digits here, unlike the
# [0-9]+ accepted by the main parsing expression.
1 = {
label = "1"
comment = ""
value = "collect_fields_using_regexp('^([0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([A-Za-z][^ ]*) (Scanned\\\\: CONTAINS A VIRUS) (\\\\[Prescan OK\\\\])*\\\\[([^ ]*) ([0-9]*) ([0-9]*)\\\\]', 'date,time,*KEY*,dummy,dummy2,encoding,nfiles,nbytes')"
} # 1
# Parse out the "From: To: victim@example.com"
2 = {
label = "2"
comment = ""
value = "collect_fields_using_regexp('([A-Za-z][^ ]*) From: ([^ ]*) To: ([^ ]*)', '*KEY*,from,to')"
} # 2
# Parse out the "Subject: ILOVEYOU"
# (.*) takes the rest of the line; subject text is sender-controlled.
3 = {
label = "3"
comment = ""
value = "collect_fields_using_regexp('([A-Za-z][^ ]*) Subject: (.*)', '*KEY*,subject')"
} # 3
# Parse out the "Scanner 1: Virus=EICAR_Test_File Attachment=eicar.com "1""
4 = {
label = "4"
comment = ""
value = "collect_fields_using_regexp('([A-Za-z][^ ]*) Scanner [0-9]\\\\: Virus=([^ ]*) Attachment=([^ ]*) \\\\[([0-9]*)\\\\]', '*KEY*,name,attachment,attno')"
} # 4
} # log.parsing_filters
# Database fields
# date_time, day_of_week and hour_of_day are not declared in log.fields; presumably the
# engine derives them from the date and time fields -- verify.
# Every other entry maps one-to-one onto a log field of the same name and is stored as a string.
database.fields = {
date_time = {
label = "$lang_stats.field_labels.date_time"
log_field = "date_time"
type = "string"
suppress_top = 0
suppress_bottom = 3
display_format_type = "date_time"
} # date_time
day_of_week = {
label = "$lang_stats.field_labels.day_of_week"
log_field = "day_of_week"
type = "string"
suppress_top = 0
suppress_bottom = 2
display_format_type = "day_of_week"
} # day_of_week
hour_of_day = {
label = "$lang_stats.field_labels.hour_of_day"
log_field = "hour_of_day"
type = "string"
suppress_top = 0
suppress_bottom = 2
display_format_type = "hour_of_day"
} # hour_of_day
from = {
label = "$lang_stats.field_labels.from"
log_field = "from"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # from
to = {
label = "$lang_stats.field_labels.to"
log_field = "to"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # to
subject = {
label = "$lang_stats.field_labels.subject"
log_field = "subject"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # subject
encoding = {
label = "$lang_stats.field_labels.encoding"
log_field = "encoding"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # encoding
name = {
label = "$lang_stats.field_labels.name"
log_field = "name"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # name
attachment = {
label = "$lang_stats.field_labels.attachment"
log_field = "attachment"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # attachment
attno = {
label = "$lang_stats.field_labels.attno"
log_field = "attno"
type = "string"
suppress_top = 0
suppress_bottom = 2
} # attno
} # database.fields
# The only numerical field: an entry counter, set by the mark_entry filter below
database.numerical_fields = {
hits = {
label = "$lang_stats.field_labels.hits"
default = true
requires_log_field = false
type = "int"
display_format_type = "integer"
entries_field = true
} # hits
} # database.numerical_fields
# Log filters: count every entry once
log.filters = {
mark_entry = {
label = '$lang_admin.log_filters.mark_entry_label'
comment = '$lang_admin.log_filters.mark_entry_comment'
value = 'hits = 1;'
} # mark_entry
} # log.filters
# Defaults used when a profile is created from this format
create_profile_wizard_options = {
date_time_tracking = true
# How the reports should be grouped in the report menu
report_groups = {
date_time_group = ""
day_of_week = true
hour_of_day = true
from = true
to = true
subject = true
encoding = true
name = true
attachment = true
attno = true
} # report_groups
} # create_profile_wizard_options
# Web-traffic style reports that do not apply to this log type
not_supported = {
individualhosts = true
visitors = true
sessions = true
pageviews = true
bandwidth = true
} # not_supported
} # windows_event_log24_hour_dmyyyy