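bindview_windows_event = {

  # Sawmill log-format plug-in for the text export produced by Bindview for
  # the Windows Security event log.  Each event is a multi-line record: a
  # header line "<date> <time> <machine name>", a line holding only the event
  # ID, then "<Label>: <value>" lines taken from the event description.
  #
  # Everything collected below is verbatim log text.  In particular the
  # user_name / domain / workstation_name values of failed-logon events are
  # supplied by whoever attempted the logon, so treat these fields as
  # untrusted input in anything built on top of the resulting reports.

  # The name of the log format
  log.format.format_label = "Bindview Windows Event Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this
  # regular expression.
  # NOTE(review): the expression below spans a line break as stored here;
  # confirm it matches the column-header line of a real export before
  # relying on auto-detection (selecting the format by hand still works).
  log.format.autodetect_regular_expression = "^ Event Date/Time Machine Name Event Description
Event ID"

  statistics.miscellaneous.entry_name = "events"

  # The format of dates and times in this log
  log.format.date_format = "m/d/yyyy"
  log.format.time_format = "h:mm:ss AM/PM"

  # Entries are assembled exclusively by the parsing filters below; there is
  # no single-line field layout to fall back on.
  log.format.parse_only_with_filters = "true"

  # Log fields.
  # Only the fields from date through source_port are ever populated by a
  # parsing filter.  The remaining fields (type, event_type, process,
  # category, logon_account, logon_id, source_workstation, error_code,
  # status_code, substatus_code) are declared and reported on, but no filter
  # in log.parsing_filters writes them, so their reports will be empty
  # unless a filter is added (see the commented-out generic parser below).
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time

    machine_name = {
      label = "$lang_stats.field_labels.machine_name"
      type = "flat"
      index = 0
      subindex = 0
    } # machine_name

    event_code = {
      label = "$lang_stats.field_labels.event_code"
      type = "flat"
      index = 0
      subindex = 0
    } # event_code

    reason = {
      label = "$lang_stats.field_labels.reason"
      type = "flat"
      index = 0
      subindex = 0
    } # reason

    user_name = {
      label = "$lang_stats.field_labels.user_name"
      type = "flat"
      index = 0
      subindex = 0
    } # user_name

    domain = {
      label = "$lang_stats.field_labels.domain"
      type = "flat"
      index = 0
      subindex = 0
    } # domain

    logon_type = {
      label = "$lang_stats.field_labels.logon_type"
      type = "flat"
      index = 0
      subindex = 0
    } # logon_type

    logon_process = {
      label = "$lang_stats.field_labels.logon_process"
      type = "flat"
      index = 0
      subindex = 0
    } # logon_process

    authentication_package = {
      label = "$lang_stats.field_labels.authentication_package"
      type = "flat"
      index = 0
      subindex = 0
    } # authentication_package

    workstation_name = {
      label = "$lang_stats.field_labels.workstation_name"
      type = "flat"
      index = 0
      subindex = 0
    } # workstation_name

    caller_user_name = {
      label = "$lang_stats.field_labels.caller_user_name"
      type = "flat"
      index = 0
      subindex = 0
    } # caller_user_name

    caller_domain = {
      label = "$lang_stats.field_labels.caller_domain"
      type = "flat"
      index = 0
      subindex = 0
    } # caller_domain

    caller_logon_id = {
      label = "$lang_stats.field_labels.caller_logon_id"
      type = "flat"
      index = 0
      subindex = 0
    } # caller_logon_id

    caller_process_id = {
      label = "$lang_stats.field_labels.caller_process_id"
      type = "flat"
      index = 0
      subindex = 0
    } # caller_process_id

    transited_services = {
      label = "$lang_stats.field_labels.transited_services"
      type = "flat"
      index = 0
      subindex = 0
    } # transited_services

    source_network_address = {
      label = "$lang_stats.field_labels.source_network_address"
      type = "flat"
      index = 0
      subindex = 0
    } # source_network_address

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port

    # --- fields below have no parsing filter; see note above ---

    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type

    event_type = {
      label = "$lang_stats.field_labels.event_type"
      type = "flat"
      index = 0
      subindex = 0
    } # event_type

    process = {
      label = "$lang_stats.field_labels.process"
      type = "flat"
      index = 0
      subindex = 0
    } # process

    category = {
      label = "$lang_stats.field_labels.category"
      type = "flat"
      index = 0
      subindex = 0
    } # category

    logon_account = {
      label = "$lang_stats.field_labels.logon_account"
      type = "flat"
      index = 0
      subindex = 0
    } # logon_account

    logon_id = {
      label = "$lang_stats.field_labels.logon_id"
      type = "flat"
      index = 0
      subindex = 0
    } # logon_id

    source_workstation = {
      label = "$lang_stats.field_labels.source_workstation"
      type = "flat"
      index = 0
      subindex = 0
    } # source_workstation

    error_code = {
      label = "$lang_stats.field_labels.error_code"
      type = "flat"
      index = 0
      subindex = 0
    } # error_code

    status_code = {
      label = "$lang_stats.field_labels.status_code"
      type = "flat"
      index = 0
      subindex = 0
    } # status_code

    substatus_code = {
      label = "$lang_stats.field_labels.substatus_code"
      type = "flat"
      index = 0
      subindex = 0
    } # substatus_code

  } # log.fields

  #
  # Log Parsing Filters
  #
  # Filters run in order against every input line.  Filter 1 closes the
  # record being built whenever a new date/time header is seen; filters 2-17
  # each recognise one line shape and copy its captures into log fields.
  # A line that matches none of them is simply ignored.
  log.parsing_filters = {

    # Accept the previous entry when we see the start of a new one (a line
    # beginning with "m/d/yyyy h:mm:ss AM|PM").  The final record of a file
    # therefore depends on Sawmill flushing the collected entry at EOF.
    1 = {
      label = "1"
      comment = ""
      value = "accept_collected_entry_using_regexp('()^ *[0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+ [AP]M', false)"
    } # 1

    # Parse out the date, time, and machine name.
    # NOTE(review): the trailing '*' after the machine-name group makes that
    # capture optional, so a header line with nothing after the time still
    # matches and leaves machine_name unset.  Left as-is to avoid rejecting
    # such lines; tighten to '([^ ]+)' if every export carries a host name.
    2 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('()^ *([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+ [AP]M) *([^ ]+)* ', '*KEY*,date,time,machine_name')"
    } # 2

    # Parse out the event code.  Any line consisting solely of digits is
    # taken as the event ID, including one that appears inside the
    # description text, so a later digits-only line overwrites the value.
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('()^ *([0-9]+)$', '*KEY*,event_code')"
    } # 3

    # Parse out the ':' separated, = divided variables
    # do_b
    # "" "" "" "" ""
    # collect_multiple_fields_regexp_listed "^ * ([A-Z][^:]*: * [^ ].*)$" "xxxx////:" "" ""
    # goto_next_filter "" "" "" ""
    # ""

    # Filters 4-17 share one shape: optional leading blanks, a fixed label,
    # ':', optional blanks, then everything up to end of line (leading
    # non-blank required).  "Caller User Name:" and "Caller Domain:" do not
    # match the plain "User Name:" / "Domain:" filters because the label
    # must follow the leading blanks directly.

    # Parse out Reason
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Reason: * *([^ ].*)$', '*KEY*,reason')"
    } # 4

    # Parse out User Name
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *User Name: * *([^ ].*)$', '*KEY*,user_name')"
    } # 5

    # Parse out Domain
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Domain: * *([^ ].*)$', '*KEY*,domain')"
    } # 6

    # Parse out Logon Type
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Logon Type: * *([^ ].*)$', '*KEY*,logon_type')"
    } # 7

    # Parse out Logon Process
    8 = {
      label = "8"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Logon Process: * *([^ ].*)$', '*KEY*,logon_process')"
    } # 8

    # Parse out Authentication Package
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Authentication Package: * *([^ ].*)$', '*KEY*,authentication_package')"
    } # 9

    # Parse out Workstation Name
    10 = {
      label = "10"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Workstation Name: * *([^ ].*)$', '*KEY*,workstation_name')"
    } # 10

    # Parse out Caller User Name
    11 = {
      label = "11"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Caller User Name: * *([^ ].*)$', '*KEY*,caller_user_name')"
    } # 11

    # Parse out Caller Domain
    12 = {
      label = "12"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Caller Domain: * *([^ ].*)$', '*KEY*,caller_domain')"
    } # 12

    # Parse out Caller Logon ID
    13 = {
      label = "13"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Caller Logon ID: * *([^ ].*)$', '*KEY*,caller_logon_id')"
    } # 13

    # Parse out Caller Process ID
    14 = {
      label = "14"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Caller Process ID: * *([^ ].*)$', '*KEY*,caller_process_id')"
    } # 14

    # Parse out Transited Services
    15 = {
      label = "15"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Transited Services: * *([^ ].*)$', '*KEY*,transited_services')"
    } # 15

    # Parse out Source Network Address.
    # FIX: this filter (and 17) previously used the bracket expression
    # '[ * *]' after the colon, which is a character class matching exactly
    # one space or '*', not "any number of spaces" as in filters 4-15.  A
    # line with two or more blanks after "Source Network Address:" (or none)
    # therefore never matched and the source address of every logon was
    # silently dropped.  Now uses the same ' * *' pattern as the others.
    16 = {
      label = "16"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Source Network Address: * *([^ ].*)$', '*KEY*,source_network_address')"
    } # 16

    # Parse out Source Port (same fix as filter 16).
    17 = {
      label = "17"
      comment = ""
      value = "collect_fields_using_regexp('()^ * *Source Port: * *([^ ].*)$', '*KEY*,source_port')"
    } # 17

  } # log.parsing_filters

  # Database fields.  Every field is stored as a string; date_time /
  # day_of_week / hour_of_day are derived from the parsed date and time.
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    machine_name = {
      label = "$lang_stats.field_labels.machine_name"
      log_field = "machine_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # machine_name

    event_code = {
      label = "$lang_stats.field_labels.event_code"
      log_field = "event_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event_code

    reason = {
      label = "$lang_stats.field_labels.reason"
      log_field = "reason"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # reason

    user_name = {
      label = "$lang_stats.field_labels.user_name"
      log_field = "user_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user_name

    domain = {
      label = "$lang_stats.field_labels.domain"
      log_field = "domain"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # domain

    logon_type = {
      label = "$lang_stats.field_labels.logon_type"
      log_field = "logon_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logon_type

    logon_process = {
      label = "$lang_stats.field_labels.logon_process"
      log_field = "logon_process"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logon_process

    authentication_package = {
      label = "$lang_stats.field_labels.authentication_package"
      log_field = "authentication_package"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # authentication_package

    workstation_name = {
      label = "$lang_stats.field_labels.workstation_name"
      log_field = "workstation_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # workstation_name

    caller_user_name = {
      label = "$lang_stats.field_labels.caller_user_name"
      log_field = "caller_user_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # caller_user_name

    caller_domain = {
      label = "$lang_stats.field_labels.caller_domain"
      log_field = "caller_domain"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # caller_domain

    caller_logon_id = {
      label = "$lang_stats.field_labels.caller_logon_id"
      log_field = "caller_logon_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # caller_logon_id

    caller_process_id = {
      label = "$lang_stats.field_labels.caller_process_id"
      log_field = "caller_process_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # caller_process_id

    transited_services = {
      label = "$lang_stats.field_labels.transited_services"
      log_field = "transited_services"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # transited_services

    source_network_address = {
      label = "$lang_stats.field_labels.source_network_address"
      log_field = "source_network_address"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_network_address

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port

    # The fields below mirror log fields that no parsing filter populates;
    # their reports stay empty until a filter is added.

    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type

    event_type = {
      label = "$lang_stats.field_labels.event_type"
      log_field = "event_type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event_type

    process = {
      label = "$lang_stats.field_labels.process"
      log_field = "process"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # process

    category = {
      label = "$lang_stats.field_labels.category"
      log_field = "category"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # category

    logon_account = {
      label = "$lang_stats.field_labels.logon_account"
      log_field = "logon_account"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logon_account

    logon_id = {
      label = "$lang_stats.field_labels.logon_id"
      log_field = "logon_id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # logon_id

    source_workstation = {
      label = "$lang_stats.field_labels.source_workstation"
      log_field = "source_workstation"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_workstation

    error_code = {
      label = "$lang_stats.field_labels.error_code"
      log_field = "error_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # error_code

    status_code = {
      label = "$lang_stats.field_labels.status_code"
      log_field = "status_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # status_code

    substatus_code = {
      label = "$lang_stats.field_labels.substatus_code"
      log_field = "substatus_code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # substatus_code

  } # database.fields

  # The only numerical field: one "events" count per accepted entry.
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  # Log filters: every accepted entry counts as exactly one event.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      day_of_week = true
      hour_of_day = true
      machine_name = true
      event_code = true
      reason = true
      user_name = true
      domain = true
      logon_type = true
      logon_process = true
      authentication_package = true
      workstation_name = true
      caller_user_name = true
      caller_domain = true
      caller_logon_id = true
      caller_process_id = true
      transited_services = true
      source_network_address = true
      source_port = true
      type = true
      event_type = true
      process = true
      category = true
      logon_account = true
      logon_id = true
      source_workstation = true
      error_code = true
      status_code = true
      substatus_code = true
    } # report_groups
  } # create_profile_wizard_options

  # Web-traffic style reports that make no sense for an event log.
  not_supported = {
    individualhosts = true
    visitors = true
    sessions = true
    pageviews = true
    bandwidth = true
  } # not_supported

} # bindview_windows_event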