windows-logs Log Parser

« windows-logs »
v0.4 by crowdsecurity
Log parser

Installation

cscli parsers install crowdsecurity/windows-logs

YAML Configuration

1filter: "evt.Line.Module == 'wineventlog'"
2onsuccess: next_stage
3name: crowdsecurity/windows-eventlog
4statics:
5  - meta: datasource_path
6    expression: evt.Line.Src
7  - meta: datasource_type
8    expression: evt.Line.Module
9  - target: evt.StrTime
10    #We need XMLGetAttributeValue because etree does not support getting an attribute value (or at least, i didn't manage to make the correct query)
11    expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/TimeCreated", "SystemTime")
12  - parsed: Channel
13    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Channel")
14  - parsed: EventID
15    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/EventID")
16  - parsed: Source
17    expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Provider", "Name")
18  - parsed: Computer
19    expression: XMLGetNodeValue(evt.Line.Raw, "/Event/System[1]/Computer")
20  - parsed: UserSID
21    expression: XMLGetAttributeValue(evt.Line.Raw, "/Event/System[1]/Security", "UserID")
22  - parsed: program
23    expression: evt.Line.Labels.type
24---
25filter: "evt.Line.Module != 'wineventlog'"
26onsuccess: next_stage
27name: crowdsecurity/windows-non-eventlog
28statics:
29  - parsed: message
30    expression: evt.Line.Raw
31  - parsed: program
32    expression: evt.Line.Labels.type
33  - meta: datasource_path
34    expression: evt.Line.Src
35  - meta: datasource_type
36    expression: evt.Line.Module
37
38

Hub configuration

« windows-logs »v0.4 by crowdsecurityLog parser

« windows-logs »
v0.4 by crowdsecurity
Log parser