Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Copyright (C) 2009-2016 Splunk Inc. All Rights Reserved.
- # DO NOT EDIT THIS FILE!
- # Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
- # To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
- # into ../local and edit there.
- #
- ###########################
- ## DHCP
- ###########################
- [source::....DhcpSrvLog]
- sourcetype = DhcpSrvLog
- [source::...\\(DhcpSrvLog-)...]
- sourcetype = DhcpSrvLog
- [DhcpSrvLog]
- SHOULD_LINEMERGE = false
- TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
- REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
- LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
- LOOKUP-vendor_info_for_microsoft_dhcp = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
- FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
- EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))
- EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))))
- ################################
- ## Monitorware Windows Event Log
- ################################
- ## Apply the following properties to MonitorWare single-line text files (.monitorware)
- [source::....monitorware]
- SHOULD_LINEMERGE = false
- TRANSFORMS-force_sourcetype_for_monitorware_txt = force_sourcetype_for_monitorware
- TRANSFORMS-force_host_for_monitorware_txt = force_host_for_monitorware
- TRANSFORMS-force_source_for_monitorware_txt = force_source_for_monitorware
- ## Apply the following properties to incoming syslog data (udp/514)
- ## Uncomment and modify the stanza ([source::udp:514]) below based on incoming MonitorWare data
- #[source::udp:514]
- #SHOULD_LINEMERGE = false
- #TRANSFORMS-force_sourcetype_for_monitorware_syslog = force_sourcetype_for_monitorware
- #TRANSFORMS-force_host_for_monitorware_syslog = force_host_for_monitorware
- #TRANSFORMS-force_source_for_monitorware_syslog = force_source_for_monitorware
- ## Apply the following properties to all MonitorWare events
- [source::MonitorWare...]
- ## Using REPORT-0 to force alphanumeric precedence
- REPORT-0kv_for_tab_monitorware = raw_kv_for_tab_monitorware,Message_kv_for_tab_monitorware
- ## Using REPORT-1 to force alphanumeric precedence
- REPORT-1Failure_Reason_for_monitorware = Failure_Reason_for_monitorware
- REPORT-1User_for_monitorware = User_for_monitorware
- #############################
- ## NTSyslog Windows Event Log
- #############################
- ## Currently we only support NTSyslog:Security
- [source::....ntsyslog]
- SHOULD_LINEMERGE = false
- TRANSFORMS-force_sourcetype_for_ntsyslog_txt = force_sourcetype_for_ntsyslog_security
- TRANSFORMS-force_host_for_ntsyslog_txt = force_host_for_ntsyslog
- TRANSFORMS-force_source_for_ntsyslog_txt = force_source_for_ntsyslog_security
- ## Apply the following properties to incoming syslog data (udp/514)
- ## Uncomment and modify the stanza ([source::udp:514]) below based on incoming NTSyslog data
- #[source::udp:514]
- #SHOULD_LINEMERGE = false
- #TRANSFORMS-force_sourcetype_for_ntsyslog_syslog = force_sourcetype_for_ntsyslog_security
- #TRANSFORMS-force_host_for_ntsyslog_syslog = force_host_for_ntsyslog
- #TRANSFORMS-force_source_for_ntsyslog_syslog = force_source_for_ntsyslog_security
- ## Apply the following properties to NTsyslog window security event logs
- [source::NTSyslog:Security]
- ## Using REPORT-<0-2> to force alphanumeric precedence
- ## Support for both verisions ([] and <>) of NTSyslog
- REPORT-0raw_kv_for_ntsyslog = raw_kv_for_ntsyslog_square, raw_kv_for_ntsyslog_angle
- REPORT-1message_kv_for_ntsyslog = message_kv_for_message_for_ntsyslog
- ## Commenting in order to disable by default. If NTSyslog is used this should be enabled
- #LOOKUP-2action_EventCode_for_ntsyslog = ntsyslog_mappings NTSyslogID OUTPUTNEW action,EventCode,EventCode as signature_id
- ###########################
- ## Snare Windows Event Log
- ###########################
- ## Apply the following properties to Snare single-line text files (.snare)
- [source::....snare]
- SHOULD_LINEMERGE = false
- TRANSFORMS-force_sourcetype_for_snare_txt = force_sourcetype_for_snare
- TRANSFORMS-force_host_for_snare_txt = force_host_for_snare
- TRANSFORMS-force_source_for_snare_txt = force_source_for_snare
- ## Apply the following properties to incoming syslog data (udp/514)
- ## Uncomment and modify the stanza ([source::udp:514]) below based on incoming Snare data
- #[source::udp:514]
- #SHOULD_LINEMERGE=false
- #TRANSFORMS-force_sourcetype_for_snare_syslog = force_sourcetype_for_snare
- #TRANSFORMS-force_host_for_snare_syslog = force_host_for_snare
- #TRANSFORMS-force_source_for_snare_syslog = force_source_for_snare
- ## Apply the following properties to all Snare events
- [source::Snare...]
- ## Using REPORT-0 to force alphanumeric precedence
- ## Support for both tab and comma delimitted Snare
- ## Uncomment/Comment below based on Snare log type
- REPORT-0kv_for_tab_snare = raw_kv_for_tab_snare,Message_kv_for_tab_snare
- #REPORT-0kv_for_comma_snare = raw_kv_for_comma_snare,Message_kv_for_comma_snare
- ###########################
- ## Splunk Windows Event Log
- ###########################
- ## Apply the following properties to Splunk multi-line text files (.windows)
- [source::....windows]
- SHOULD_LINEMERGE = false
- LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
- TRANSFORMS-force_sourcetype_for_windows_txt = force_sourcetype_for_windows_txt,force_sourcetype_application_sophos_for_windows_txt,force_sourcetype_application_sav_for_windows_txt,force_sourcetype_application_trendmicro_for_windows_txt,force_sourcetype_system_ias_for_windows_txt
- TRANSFORMS-force_host_for_windows_txt = force_host_for_windows_txt
- TRANSFORMS-force_source_for_windows_txt = force_source_for_windows_txt
- ## windows eventlog modular input sourceing
- [source::WinEventLog://*]
- TRANSFORMS-force_source_for_wineventlog_modular = force_source_for_wineventlog_modular,force_sourcetype_system_ias_for_wineventlog
- ## windows system sub-sourcetyping
- [source::WinEventLog:System]
- TRANSFORMS-force_sourcetype_system_ias_for_wineventlog = force_sourcetype_system_ias_for_wineventlog
- ## Apply the following properties to all WinEventLog events
- ## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf
- [source::(WMI:WinEventLog|WinEventLog)...]
- ## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
- REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
- REPORT-MESSAGE =
- ###########################
- ## Windows XML Event Log
- ###########################
- [(?::){0}XmlWinEventLog:*]
- KV_MODE = none
- REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
- REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
- ## privilege
- REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
- # Extractions to add fields used by generic security extraction
- REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
- REPORT-EventCode_from_xml = EventID_as_EventCode
- REPORT-Source_Port_from_xml = IpPort_as_Source_Port
- REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
- REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
- REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
- REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
- REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
- REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
- REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
- REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
- REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
- REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
- # Extractions to add fields used by generic system extraction
- REPORT-signature_message_from_xml = updatelist_from_user_data
- REPORT-signature_from_xml = updatetitle_from_user_data
- FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
- LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
- LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
- ###### All Windows Event Log ######
- ## Apply the following properties to all Windows events
- [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
- LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
- FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,host AS dvc
- FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
- FIELDALIAS-severity_for_windows = Type AS severity
- FIELDALIAS-severity_id_for_windows = EventType AS severity_id
- FIELDALIAS-id_for_windows = RecordNumber AS id
- REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
- ## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
- LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
- ## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
- LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
- ## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
- EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
- FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
- ###### Windows Application Event Log ######
- ## All Windows Application
- [MonitorWare:Application]
- FIELDALIAS-dest_for_monitorware_application = ComputerName AS dest
- [NTSyslog:Application]
- FIELDALIAS-dest_for_ntsyslog_application = ComputerName AS dest
- [Snare:Application]
- FIELDALIAS-dest_for_snare_application = ComputerName AS dest
- [WinEventLog:Application]
- FIELDALIAS-dest_for_wineventlog_application = ComputerName AS dest
- ###### Windows Security Event Log ######
- [source::*:Security]
- ## action, status
- ## Override action to allow audit log changes to correspond to Change Analysis data model
- LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
- LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
- LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
- ## auditing
- FIELDALIAS-object_for_windows_security = sourcetype AS object
- ## privilege
- REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
- REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
- LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
- FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
- REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
- LOOKUP-vendor_info_for_windows_security = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
- FIELDALIAS-body_for_windows_security = Message AS body
- ## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
- LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
- LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
- LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
- LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
- LOOKUP-app4_for_windows_security = windows_app_lookup sourcetype OUTPUTNEW app
- ## Set the following fields based on order of operations
- REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
- REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
- REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
- REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
- REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src,ComputerName_as_src
- REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
- REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
- REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
- REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
- REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
- REPORT-user_group_for_windows_security = Target_Account_Name_as_user_group,New_Account_Name_as_user_group,Group_Name_as_user_group
- REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
- REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
- REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
- REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
- REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
- LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
- ###### Windows System Event Log ######
- ## All Windows System
- [source::*:System]
- REPORT-bestmatch_for_windows_system = ComputerName_as_dest,ComputerName_as_src
- REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
- REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2,signature_id_for_windowsupdatelog
- LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
- REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
- LOOKUP-vendor_info_for_windows_system = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
- FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
- # Legacy field aliases to support ES 2.0.2
- FIELDALIAS-package_title_for_windows = signature AS package_title
- FIELDALIAS-package_for_windows = signature_id AS package
- ## IAS (Currently WinEventLog Support Only)
- [WinEventLog:System:IAS]
- REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
- LOOKUP-app_for_windows_system_ias = windows_app_lookup sourcetype OUTPUTNEW app
- ###### WindowsUpdateLog ######
- [source::....WindowsUpdateLog]
- sourcetype = WindowsUpdateLog
- [source::...WindowsUpdate.Log]
- sourcetype = WindowsUpdateLog
- [WindowsUpdateLog]
- FIELDALIAS-dest_for_windowsupdatelog = host AS dest
- REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
- REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
- REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
- REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
- LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
- LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
- # Legacy field aliases to support ES 2.0.2
- FIELDALIAS-package_title_for_windowsupdatelog = signature AS package_title
- FIELDALIAS-package_for_windowsupdatelog = signature_id AS package
- #####################
- ## Endpoint Changes
- #####################
- [source::....fs_notification]
- sourcetype = fs_notification
- ## fs_notification endpoint changes
- ## Required fields: action,dest,object,object_category,object_path,status,user
- ## Optional fields: object_id,object_attrs,user_type,msg,data,severity
- [fs_notification]
- REPORT-object_object_path_for_fs_notification = object_object_path_for_fs_notification
- REPORT-vendor_object_category_for_fs_notification = vendor_object_category_for_fs_notification
- FIELDALIAS-vendor_action_for_fs_notification = action AS vendor_action
- FIELDALIAS-dest_for_fs_notification = host AS dest
- FIELDALIAS-user_for_fs_notification = uid AS user
- FIELDALIAS-object_attrs_for_fs_notification = chgs AS object_attrs
- # Field aliases for conformance to Change_Analysis::Filesystem_Changes object
- FIELDALIAS-file_acl_for_fs_notification = mode AS file_acl
- FIELDALIAS-file_hash_for_fs_notification = hash AS file_hash
- EVAL-file_modify_time = strptime(modtime, "%a %b %d %H:%M:%S %Y")
- FIELDALIAS-file_name_for_fs_notification = object AS file_name
- FIELDALIAS-file_path_for_fs_notification = object_path AS file_path
- FIELDALIAS-file_size_for_fs_notification = size AS file_size
- # Legacy change_type lookup to support ES 2.0.2
- LOOKUP-change_type_for_fs_notification = fs_notification_change_type_lookup sourcetype OUTPUTNEW change_type
- LOOKUP-action_for_fs_notification = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
- LOOKUP-object_category_for_fs_notification = endpoint_change_object_category_lookup object AS vendor_object_category OUTPUT object_category
- # Any fs_notification event indicates a successful change; vendor_status in the lookup is overloaded to accommodate this.
- LOOKUP-object_status_for_fs_notification = endpoint_change_status_lookup vendor_status AS sourcetype OUTPUTNEW status
- [source::....winregistry]
- sourcetype = WinRegistry
- SHOULD_LINEMERGE = false
- LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
- [WinRegistry]
- ## Registry Extractions
- ## registry_path, registry_key_name, registry_value_name
- REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry
- REPORT-registry_value_data = registry_value_data_for_WinRegistry
- FIELDALIAS-registry_value_type = data_type AS registry_value_type
- ## Endpoint Change Extractions
- ## Required fields: action,dest,object,object_category,object_path,status,user
- ## Optional fields: object_id,object_attrs,user_type,msg,data,severity
- FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action
- LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
- FIELDALIAS-dest_for_WinRegistry = host AS dest
- REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry
- LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category
- REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
- LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status
- REPORT-user_for_WinRegistry = user_for_WinRegistry
- LOOKUP-user_type_for_WinRegistry = endpoint_change_user_type_lookup sourcetype OUTPUT user_type
- #####################
- ## Splunk Perfmon/WMI
- #####################
- ###### Global Perfmon ######
- [source::....perfmon]
- SHOULD_LINEMERGE = false
- LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
- TRANSFORMS-meta_for_perfmon = force_sourcetype_for_perfmon_txt, force_source_for_perfmon_txt
- [source::Perfmon...]
- FIELDALIAS-dest_for_perfmon = host AS dest
- FIELDALIAS-src_for_perfmon = host AS src
- ###### Global WMI ######
- [source::....wmi]
- SHOULD_LINEMERGE = false
- LINE_BREAKER = ([\r\n]+)\d+\.\d+
- TRANSFORMS-0FIELDS_for_source_wmi = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
- ## Apply the following properties to all WMI events
- [source::WMI...]
- ## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
- REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
- REPORT-MESSAGE =
- FIELDALIAS-dest_for_wmi = host AS dest
- FIELDALIAS-pid_for_wmi = IDProcess AS pid
- FIELDALIAS-src_for_wmi = host AS src
- [wmi]
- LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+)
- ## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence
- ## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog"
- TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
- TRANSFORMS-FIELDS =
- ###### ComputerSystem ######
- [WMI:ComputerSystem]
- FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem
- [Perfmon:CPU]
- EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
- EVAL-cpu_user_percent = if(counter=="% User Time" AND instance=="_Total",Value,null())
- EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
- EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
- ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
- EVAL-windows_cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
- ## Legacy fields
- EVAL-PercentProcessorTime = if(counter=="% Processor Time",Value,null())
- EVAL-PercentUserTime = if(counter=="% User Time",Value,null())
- [Perfmon:CPUTime]
- EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
- EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
- EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
- EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())
- ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
- EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
- ## Legacy fields
- EVAL-PercentProcessorTime = if(counter=="% Processor Time",Value,null())
- EVAL-PercentUserTime = if(counter=="% User Time",Value,null())
- [Perfmon:System]
- EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
- EVAL-system_threads_count = if(counter=="Threads",Value,null())
- [WMI:CPUTime]
- REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
- FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
- FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
- ###### Disk ######
- [Perfmon:FreeDiskSpace]
- FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount
- EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
- EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
- EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
- ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
- EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null())
- ## Legacy fields
- EVAL-PercentFreeSpace = if(counter=="% Free Space",Value,null())
- EVAL-FreeMBytes = if(counter=="Free Megabytes",Value,null())
- [Perfmon:LogicalDisk]
- EVAL-mount = if(instance=="_Total", null(), instance)
- # Keeping this field in ms
- EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
- EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
- EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
- EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
- EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
- EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
- EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
- [WMI:FreeDiskSpace]
- REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
- FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
- EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null())
- EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
- FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
- EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null())
- EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
- ## Legacy fields
- FIELDALIAS-FreeMBytes_for_wmi_freediskspace = FreeMegabytes AS FreeMBytes
- [WMI:LogicalDisk]
- FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
- FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
- FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
- FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
- FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
- ###### Network ######
- [Perfmon:LocalNetwork]
- EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
- EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
- [WMI:LocalNetwork]
- EVAL-thruput = if(counter=="BytesTotalPerSec",Value,null())
- EVAL-thruput_max = if(counter=="CurrentBandwidth",Value,null())
- ###### Process ######
- [Perfmon:Process]
- EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
- EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
- EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
- ###### Installed Apps ######
- [source::...win_installed_apps.bat]
- sourcetype = Script:InstalledApps
- [Script:InstalledApps]
- SHOULD_LINEMERGE = false
- LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{4}\s+\d{1,2}:\d{2}:\d{2}
- KV_MODE = none
- REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
- REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps
- REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps
- REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps
- REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps
- REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps
- REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps
- REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps
- REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps
- REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps
- REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps
- REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps
- REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps
- REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps
- REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps
- REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps
- REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps
- REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps
- REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps
- REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps
- REPORT-VersionMinor_for_win_installed_apps = VersionMinor_for_win_installed_apps
- REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps
- REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps
- REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps
- REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps
- ###### Installed Updates ######
- [WMI:InstalledUpdates]
- REPORT-00Description_for_installedupdates = Description_for_installedupdates
- FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
- EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
- LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
- LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
- # Legacy field aliases to support ES 2.0.2
- FIELDALIAS-package_title_for_installed_updates = signature AS package_title
- FIELDALIAS-package_for_installedupdates = signature_id AS package
- ###### Listening Ports ######
- [source::...win_listening_ports.bat]
- sourcetype = Script:ListeningPorts
- [Script:ListeningPorts]
- SHOULD_LINEMERGE = false
- KV_MODE = None
- REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
- REPORT-1kv_for_listeningports = kv_for_listeningports
- FIELDALIAS-dest_for_listeningports = dest_ip AS dest
- FIELDALIAS-process_id_for_listeningports = pid AS process_id
- ###### Local Processes ######
- [WMI:LocalProcesses]
- REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous
- FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
- FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
- FIELDALIAS-process_for_wmi_localprocesses = Name AS app,Name AS process
- FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id
- ###### Memory ######
- ## Used memory unavailable in Perfmon Memory object and WMI Win32_PerfFormattedData_PerfOS_Memory
- ## Total memory available in WMI:ComputerSystem
- [Perfmon:Memory]
- EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
- EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
- EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
- EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
- EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
- ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
- EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
- [Perfmon:Network]
- EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
- EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
- EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
- EVAL-packets = if(counter=="Packets/sec",Value,null())
- EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
- EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
- ## Legacy Fields
- EVAL-FreeMBytes = case(counter=="Available Bytes",Value/1048576,counter=="Available MBytes",Value,1=1,null())
- #UsedBytes omitted
- [WMI:Memory]
- REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous
- FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
- FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
- FIELDALIAS-swap_used = PoolPagedBytes AS swap_used
- EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
- ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
- EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
- ## Legacy Fields
- EVAL-FreeMBytes = case(isnotnull(AvailableBytes),AvailableBytes/1048576,isnotnull(AvailableMBytes),AvailableMBytes,1=1,null())
- #UsedBytes omitted
- ###### Service ######
- [WMI:Service]
- REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous
- FIELDALIAS-file_path_for_wmi_service = PathName AS file_path
- FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
- FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
- FIELDALIAS-status_for_wmi_service = State AS status
- ###### Time Configuration ######
- [source::...win_timesync_configuration.bat]
- sourcetype = Script:TimesyncConfiguration
- [Script:TimesyncConfiguration]
- DATETIME_CONFIG = CURRENT
- LINE_BREAKER = ([\r\n]+)Current time:
- KV_MODE = None
- REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync
- REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration
- REPORT-AnnounceFlags_for_win_timesync_configuration = AnnounceFlags_for_win_timesync_configuration
- REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration
- REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration
- REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration
- REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
- REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
- REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
- REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration
- REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration
- REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration
- REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration
- REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration
- REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration
- REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration
- REPORT-UpdateInterval_for_win_timesync_configuration = UpdateInterval_for_win_timesync_configuration
- REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration
- REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration
- REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration
- REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration
- REPORT-Time_zone_for_win_timesync_configuration = Time_zone_for_win_timesync
- ###### Time Synchronization ######
- [source::...win_timesync_status.bat]
- sourcetype = Script:TimesyncStatus
- [Script:TimesyncStatus]
- DATETIME_CONFIG = CURRENT
- LINE_BREAKER = ([\r\n]+)Current time:
- KV_MODE = None
- REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync
- REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status
- REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status
- REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status
- REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status
- REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status
- REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status
- REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
- REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status
- REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status
- REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status
- REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status
- REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status
- REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status
- REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status
- REPORT-Last_Sync_Error_for_win_timesync_status = Last_Sync_Error_for_win_timesync_status
- REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status
- REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync
- LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action
- EVAL-last_sync_time = strptime(Last_Successful_Sync_Time, "%m/%d/%Y %I:%M:%S %p")
- ###### Uptime ######
- [WMI:Uptime]
- REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous
- FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime
- ###### User Accounts ######
- [WMI:UserAccounts]
- FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain
- FIELDALIAS-status_for_wmi_useraccounts = Status AS status
- FIELDALIAS-user_for_wmi_useraccounts = Name AS user
- FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id
- LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled
- ###### Version ######
- [WMI:Version]
- REPORT-0Caption_for_wmi_version = Caption_for_wmi_version
- LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range
- FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family
- FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version
- EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null())
- ###### Host Inventory ######
- [WinHostMon]
- EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null())
- EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null())
- EVAL-os = if(Type=="OperatingSystem", OS, null())
- EVAL-family = if(Type=="Processor", Architecture, null())
- EVAL-version = if(Type=="OperatingSystem", Version, null())
- EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null())
- EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null())
- EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null())
- EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null())
- EVAL-vendor_product = if(Type=="OperatingSystem", OS, null())
- EVAL-mount = if (Type=="Disk", Name, null())
- EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null())
- EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null())
- EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
- ## Set parameters for the sample data
- [source::...Service.wmi.demo]
- #, src_for_sample_data, dest_for_sample_data,
- SHOULD_LINEMERGE = false
- LINE_BREAKER = ([\r\n]+)\d+\.\d+
- TRANSFORMS-0FIELDS_for_source_wmi_demo_sample = wmi_host_for_sample_data, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement