Untitled

# Copyright (C) 2009-2016 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#

###########################
## DHCP
###########################

[source::....DhcpSrvLog]
sourcetype = DhcpSrvLog

[source::...\\(DhcpSrvLog-)...]
sourcetype = DhcpSrvLog

[DhcpSrvLog]
SHOULD_LINEMERGE = false
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
LOOKUP-vendor_info_for_microsoft_dhcp = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host

EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))
EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))))


################################
## Monitorware Windows Event Log
################################

## Apply the following properties to MonitorWare single-line text files (.monitorware)
[source::....monitorware]
SHOULD_LINEMERGE = false
TRANSFORMS-force_sourcetype_for_monitorware_txt = force_sourcetype_for_monitorware
TRANSFORMS-force_host_for_monitorware_txt = force_host_for_monitorware
TRANSFORMS-force_source_for_monitorware_txt = force_source_for_monitorware

## Apply the following properties to incoming syslog data (udp/514)
## Uncomment and modify the stanza ([source::udp:514]) below based on incoming MonitorWare data
#[source::udp:514]
#SHOULD_LINEMERGE = false
#TRANSFORMS-force_sourcetype_for_monitorware_syslog = force_sourcetype_for_monitorware
#TRANSFORMS-force_host_for_monitorware_syslog = force_host_for_monitorware
#TRANSFORMS-force_source_for_monitorware_syslog = force_source_for_monitorware

## Apply the following properties to all MonitorWare events
[source::MonitorWare...]

## Using REPORT-0 to force alphanumeric precedence
REPORT-0kv_for_tab_monitorware = raw_kv_for_tab_monitorware,Message_kv_for_tab_monitorware

## Using REPORT-1 to force alphanumeric precedence
REPORT-1Failure_Reason_for_monitorware = Failure_Reason_for_monitorware
REPORT-1User_for_monitorware = User_for_monitorware


#############################
## NTSyslog Windows Event Log
#############################

## Currently we only support NTSyslog:Security

[source::....ntsyslog]
SHOULD_LINEMERGE = false
TRANSFORMS-force_sourcetype_for_ntsyslog_txt = force_sourcetype_for_ntsyslog_security
TRANSFORMS-force_host_for_ntsyslog_txt = force_host_for_ntsyslog
TRANSFORMS-force_source_for_ntsyslog_txt = force_source_for_ntsyslog_security

## Apply the following properties to incoming syslog data (udp/514)
## Uncomment and modify the stanza ([source::udp:514]) below based on incoming NTSyslog data
#[source::udp:514]
#SHOULD_LINEMERGE = false
#TRANSFORMS-force_sourcetype_for_ntsyslog_syslog = force_sourcetype_for_ntsyslog_security
#TRANSFORMS-force_host_for_ntsyslog_syslog = force_host_for_ntsyslog
#TRANSFORMS-force_source_for_ntsyslog_syslog = force_source_for_ntsyslog_security

## Apply the following properties to NTsyslog window security event logs
[source::NTSyslog:Security]

## Using REPORT-<0-2> to force alphanumeric precedence
## Support for both verisions ([] and <>) of NTSyslog
REPORT-0raw_kv_for_ntsyslog = raw_kv_for_ntsyslog_square, raw_kv_for_ntsyslog_angle
REPORT-1message_kv_for_ntsyslog = message_kv_for_message_for_ntsyslog
## Commenting in order to disable by default.  If NTSyslog is used this should be enabled
#LOOKUP-2action_EventCode_for_ntsyslog = ntsyslog_mappings NTSyslogID OUTPUTNEW action,EventCode,EventCode as signature_id


###########################
## Snare Windows Event Log
###########################

## Apply the following properties to Snare single-line text files (.snare)
[source::....snare]
SHOULD_LINEMERGE = false
TRANSFORMS-force_sourcetype_for_snare_txt = force_sourcetype_for_snare
TRANSFORMS-force_host_for_snare_txt = force_host_for_snare
TRANSFORMS-force_source_for_snare_txt = force_source_for_snare

## Apply the following properties to incoming syslog data (udp/514)
## Uncomment and modify the stanza ([source::udp:514]) below based on incoming Snare data
#[source::udp:514]
#SHOULD_LINEMERGE=false
#TRANSFORMS-force_sourcetype_for_snare_syslog = force_sourcetype_for_snare
#TRANSFORMS-force_host_for_snare_syslog = force_host_for_snare
#TRANSFORMS-force_source_for_snare_syslog = force_source_for_snare

## Apply the following properties to all Snare events
[source::Snare...]

## Using REPORT-0 to force alphanumeric precedence
## Support for both tab and comma delimitted Snare
## Uncomment/Comment below based on Snare log type
REPORT-0kv_for_tab_snare = raw_kv_for_tab_snare,Message_kv_for_tab_snare
#REPORT-0kv_for_comma_snare = raw_kv_for_comma_snare,Message_kv_for_comma_snare


###########################
## Splunk Windows Event Log
###########################

## Apply the following properties to Splunk multi-line text files (.windows)
[source::....windows]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
TRANSFORMS-force_sourcetype_for_windows_txt = force_sourcetype_for_windows_txt,force_sourcetype_application_sophos_for_windows_txt,force_sourcetype_application_sav_for_windows_txt,force_sourcetype_application_trendmicro_for_windows_txt,force_sourcetype_system_ias_for_windows_txt
TRANSFORMS-force_host_for_windows_txt = force_host_for_windows_txt
TRANSFORMS-force_source_for_windows_txt = force_source_for_windows_txt

## windows eventlog modular input sourceing
[source::WinEventLog://*]
TRANSFORMS-force_source_for_wineventlog_modular = force_source_for_wineventlog_modular,force_sourcetype_system_ias_for_wineventlog

## windows system sub-sourcetyping
[source::WinEventLog:System]
TRANSFORMS-force_sourcetype_system_ias_for_wineventlog = force_sourcetype_system_ias_for_wineventlog

## Apply the following properties to all WinEventLog events
## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf
[source::(WMI:WinEventLog|WinEventLog)...]

## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
REPORT-MESSAGE =

###########################
## Windows XML Event Log
###########################
[(?::){0}XmlWinEventLog:*]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data

## privilege
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege

# Extractions to add fields used by generic security extraction
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation

# Extractions to add fields used by generic system extraction
REPORT-signature_message_from_xml = updatelist_from_user_data
REPORT-signature_from_xml = updatetitle_from_user_data

FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
###### All Windows Event Log ######

## Apply the following properties to all Windows events
[source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,host AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
FIELDALIAS-severity_for_windows = Type AS severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows

## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject

## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject

## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)

FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id


###### Windows Application Event Log ######

## All Windows Application
[MonitorWare:Application]
FIELDALIAS-dest_for_monitorware_application = ComputerName AS dest

[NTSyslog:Application]
FIELDALIAS-dest_for_ntsyslog_application = ComputerName AS dest

[Snare:Application]
FIELDALIAS-dest_for_snare_application = ComputerName AS dest

[WinEventLog:Application]
FIELDALIAS-dest_for_wineventlog_application = ComputerName AS dest


###### Windows Security Event Log ######
[source::*:Security]

## action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW  action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status

## auditing
FIELDALIAS-object_for_windows_security = sourcetype AS object

## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege

FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
LOOKUP-vendor_info_for_windows_security = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
FIELDALIAS-body_for_windows_security = Message AS body

## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup sourcetype OUTPUTNEW app

## Set the following fields based on order of operations
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src,ComputerName_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
REPORT-user_group_for_windows_security = Target_Account_Name_as_user_group,New_Account_Name_as_user_group,Group_Name_as_user_group
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass

###### Windows System Event Log ######

## All Windows System
[source::*:System]
REPORT-bestmatch_for_windows_system = ComputerName_as_dest,ComputerName_as_src
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2,signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
LOOKUP-vendor_info_for_windows_system = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body

# Legacy field aliases to support ES 2.0.2
FIELDALIAS-package_title_for_windows = signature AS package_title
FIELDALIAS-package_for_windows = signature_id AS package

## IAS (Currently WinEventLog Support Only)
[WinEventLog:System:IAS]
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias

LOOKUP-app_for_windows_system_ias = windows_app_lookup sourcetype OUTPUTNEW app


###### WindowsUpdateLog ######
[source::....WindowsUpdateLog]
sourcetype = WindowsUpdateLog

[source::...WindowsUpdate.Log]
sourcetype = WindowsUpdateLog

[WindowsUpdateLog]
FIELDALIAS-dest_for_windowsupdatelog = host AS dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product

# Legacy field aliases to support ES 2.0.2
FIELDALIAS-package_title_for_windowsupdatelog = signature AS package_title
FIELDALIAS-package_for_windowsupdatelog = signature_id AS package


#####################
## Endpoint Changes
#####################
[source::....fs_notification]
sourcetype = fs_notification

## fs_notification endpoint changes
## Required fields: action,dest,object,object_category,object_path,status,user
## Optional fields: object_id,object_attrs,user_type,msg,data,severity
[fs_notification]
REPORT-object_object_path_for_fs_notification = object_object_path_for_fs_notification
REPORT-vendor_object_category_for_fs_notification = vendor_object_category_for_fs_notification

FIELDALIAS-vendor_action_for_fs_notification = action AS vendor_action
FIELDALIAS-dest_for_fs_notification = host AS dest
FIELDALIAS-user_for_fs_notification = uid AS user
FIELDALIAS-object_attrs_for_fs_notification = chgs AS object_attrs

# Field aliases for conformance to Change_Analysis::Filesystem_Changes object
FIELDALIAS-file_acl_for_fs_notification = mode AS file_acl
FIELDALIAS-file_hash_for_fs_notification = hash AS file_hash
EVAL-file_modify_time = strptime(modtime, "%a %b %d %H:%M:%S %Y")
FIELDALIAS-file_name_for_fs_notification = object AS file_name
FIELDALIAS-file_path_for_fs_notification = object_path AS file_path
FIELDALIAS-file_size_for_fs_notification = size AS file_size

# Legacy change_type lookup to support ES 2.0.2
LOOKUP-change_type_for_fs_notification = fs_notification_change_type_lookup sourcetype OUTPUTNEW change_type
LOOKUP-action_for_fs_notification = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
LOOKUP-object_category_for_fs_notification = endpoint_change_object_category_lookup object AS vendor_object_category OUTPUT object_category
# Any fs_notification event indicates a successful change; vendor_status in the lookup is overloaded to accommodate this.
LOOKUP-object_status_for_fs_notification = endpoint_change_status_lookup vendor_status AS sourcetype OUTPUTNEW status

[source::....winregistry]
sourcetype       = WinRegistry
SHOULD_LINEMERGE = false
LINE_BREAKER     = ([\r\n]+)\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+

[WinRegistry]

## Registry Extractions

## registry_path, registry_key_name, registry_value_name
REPORT-registry_path_parser    = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry
REPORT-registry_value_data     = registry_value_data_for_WinRegistry
FIELDALIAS-registry_value_type = data_type AS registry_value_type

## Endpoint Change Extractions
## Required fields: action,dest,object,object_category,object_path,status,user
## Optional fields: object_id,object_attrs,user_type,msg,data,severity
FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action
LOOKUP-action_for_WinRegistry            = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
FIELDALIAS-dest_for_WinRegistry          = host AS dest
REPORT-object_for_WinRegistry            = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry
LOOKUP-object_category_for_WinRegistry   = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category
REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
LOOKUP-status_for_WinRegistry            = endpoint_change_status_lookup vendor_status OUTPUT status
REPORT-user_for_WinRegistry              = user_for_WinRegistry
LOOKUP-user_type_for_WinRegistry         = endpoint_change_user_type_lookup sourcetype OUTPUT user_type


#####################
## Splunk Perfmon/WMI
#####################

###### Global Perfmon ######
[source::....perfmon]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
TRANSFORMS-meta_for_perfmon = force_sourcetype_for_perfmon_txt, force_source_for_perfmon_txt

[source::Perfmon...]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

###### Global WMI ######
[source::....wmi]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d+\.\d+
TRANSFORMS-0FIELDS_for_source_wmi = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype

## Apply the following properties to all WMI events
[source::WMI...]
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
REPORT-MESSAGE =
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

[wmi]
LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+)
## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence
## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog"
TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
TRANSFORMS-FIELDS =

###### ComputerSystem ######
[WMI:ComputerSystem]
FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem

[Perfmon:CPU]
EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
EVAL-cpu_user_percent = if(counter=="% User Time" AND instance=="_Total",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())

## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())

## Legacy fields
EVAL-PercentProcessorTime = if(counter=="% Processor Time",Value,null())
EVAL-PercentUserTime = if(counter=="% User Time",Value,null())

[Perfmon:CPUTime]
EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())

## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())

## Legacy fields
EVAL-PercentProcessorTime = if(counter=="% Processor Time",Value,null())
EVAL-PercentUserTime = if(counter=="% User Time",Value,null())

[Perfmon:System]
EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
EVAL-system_threads_count = if(counter=="Threads",Value,null())

[WMI:CPUTime]
REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous

FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent

###### Disk ######
[Perfmon:FreeDiskSpace]

FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount
EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())

## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null())

## Legacy fields
EVAL-PercentFreeSpace = if(counter=="% Free Space",Value,null())
EVAL-FreeMBytes = if(counter=="Free Megabytes",Value,null())

[Perfmon:LogicalDisk]
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())

[WMI:FreeDiskSpace]
REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous

FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null())
EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null())
EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())

## Legacy fields
FIELDALIAS-FreeMBytes_for_wmi_freediskspace = FreeMegabytes AS FreeMBytes

[WMI:LogicalDisk]
FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops

###### Network ######
[Perfmon:LocalNetwork]
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())

[WMI:LocalNetwork]
EVAL-thruput = if(counter=="BytesTotalPerSec",Value,null())
EVAL-thruput_max = if(counter=="CurrentBandwidth",Value,null())

###### Process ######
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())


###### Installed Apps ######
[source::...win_installed_apps.bat]
sourcetype = Script:InstalledApps

[Script:InstalledApps]
SHOULD_LINEMERGE = false
LINE_BREAKER     = ([\r\n]+)\d{2}\/\d{2}\/\d{4}\s+\d{1,2}:\d{2}:\d{2}

KV_MODE = none

REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
REPORT-Comments_for_win_installed_apps            = Comments_for_win_installed_apps
REPORT-Contact_for_win_installed_apps             = Contact_for_win_installed_apps
REPORT-DisplayVersion_for_win_installed_apps      = DisplayVersion_for_win_installed_apps
REPORT-HelpLink_for_win_installed_apps            = HelpLink_for_win_installed_apps
REPORT-HelpTelephone_for_win_installed_apps       = HelpTelephone_for_win_installed_apps
REPORT-InstallDate_for_win_installed_apps         = InstallDate_for_win_installed_apps
REPORT-InstallLocation_for_win_installed_apps     = InstallLocation_for_win_installed_apps
REPORT-InstallSource_for_win_installed_apps       = InstallSource_for_win_installed_apps
REPORT-ModifyPath_for_win_installed_apps          = ModifyPath_for_win_installed_apps
REPORT-NoModify_for_win_installed_apps            = NoModify_for_win_installed_apps
REPORT-NoRepair_for_win_installed_apps            = NoRepair_for_win_installed_apps
REPORT-Publisher_for_win_installed_apps           = Publisher_for_win_installed_apps
REPORT-Readme_for_win_installed_apps              = Readme_for_win_installed_apps
REPORT-Size_for_win_installed_apps                = Size_for_win_installed_apps
REPORT-EstimatedSize_for_win_installed_apps       = EstimatedSize_for_win_installed_apps
REPORT-UninstallString_for_win_installed_apps     = UninstallString_for_win_installed_apps
REPORT-URLInfoAbout_for_win_installed_apps        = URLInfoAbout_for_win_installed_apps
REPORT-URLUpdateInfo_for_win_installed_apps       = URLUpdateInfo_for_win_installed_apps
REPORT-VersionMajor_for_win_installed_apps        = VersionMajor_for_win_installed_apps
REPORT-VersionMinor_for_win_installed_apps        = VersionMinor_for_win_installed_apps
REPORT-WindowsInstaller_for_win_installed_apps    = WindowsInstaller_for_win_installed_apps
REPORT-Version_for_win_installed_apps             = Version_for_win_installed_apps
REPORT-Language_for_win_installed_apps            = Language_for_win_installed_apps
REPORT-DisplayName_for_win_installed_apps         = DisplayName_for_win_installed_apps

###### Installed Updates ######
[WMI:InstalledUpdates]
REPORT-00Description_for_installedupdates = Description_for_installedupdates
FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
LOOKUP-vendor_info_for_windowsupdatelog = windows_vendor_info_lookup sourcetype OUTPUT vendor,product

# Legacy field aliases to support ES 2.0.2
FIELDALIAS-package_title_for_installed_updates = signature AS package_title
FIELDALIAS-package_for_installedupdates = signature_id AS package

###### Listening Ports ######
[source::...win_listening_ports.bat]
sourcetype = Script:ListeningPorts

[Script:ListeningPorts]
SHOULD_LINEMERGE = false

KV_MODE = None
REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
REPORT-1kv_for_listeningports = kv_for_listeningports
FIELDALIAS-dest_for_listeningports = dest_ip AS dest
FIELDALIAS-process_id_for_listeningports = pid AS process_id

###### Local Processes ######
[WMI:LocalProcesses]
REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous

FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
FIELDALIAS-process_for_wmi_localprocesses = Name AS app,Name AS process
FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id

###### Memory ######
## Used memory unavailable in Perfmon Memory object and WMI Win32_PerfFormattedData_PerfOS_Memory
## Total memory available in WMI:ComputerSystem
[Perfmon:Memory]
EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())

## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())

[Perfmon:Network]
EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
EVAL-packets = if(counter=="Packets/sec",Value,null())
EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())

## Legacy Fields
EVAL-FreeMBytes = case(counter=="Available Bytes",Value/1048576,counter=="Available MBytes",Value,1=1,null())
#UsedBytes omitted

[WMI:Memory]
REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous

FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
FIELDALIAS-swap_used = PoolPagedBytes AS swap_used


EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())

## Legacy Fields
EVAL-FreeMBytes = case(isnotnull(AvailableBytes),AvailableBytes/1048576,isnotnull(AvailableMBytes),AvailableMBytes,1=1,null())
#UsedBytes omitted

###### Service ######
[WMI:Service]
REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous

FIELDALIAS-file_path_for_wmi_service = PathName AS file_path
FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
FIELDALIAS-status_for_wmi_service = State AS status

###### Time Configuration ######
[source::...win_timesync_configuration.bat]
sourcetype = Script:TimesyncConfiguration

[Script:TimesyncConfiguration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER    = ([\r\n]+)Current time:

KV_MODE = None

REPORT-Current_time_for_win_timesync_configuration          = Current_time_for_win_timesync
REPORT-EventLogFlags_for_win_timesync_configuration         = EventLogFlags_for_win_timesync_configuration
REPORT-AnnounceFlags_for_win_timesync_configuration         = AnnounceFlags_for_win_timesync_configuration
REPORT-TimeJumpAuditOffset_for_win_timesync_configuration   = TimeJumpAuditOffset_for_win_timesync_configuration
REPORT-MinPollInterval_for_win_timesync_configuration       = MinPollInterval_for_win_timesync_configuration
REPORT-MaxPollInterval_for_win_timesync_configuration       = MaxPollInterval_for_win_timesync_configuration
REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
REPORT-FrequencyCorrectRate_for_win_timesync_configuration  = FrequencyCorrectRate_for_win_timesync_configuration
REPORT-PollAdjustFactor_for_win_timesync_configuration      = PollAdjustFactor_for_win_timesync_configuration
REPORT-LargePhaseOffset_for_win_timesync_configuration      = LargePhaseOffset_for_win_timesync_configuration
REPORT-SpikeWatchPeriod_for_win_timesync_configuration      = SpikeWatchPeriod_for_win_timesync_configuration
REPORT-LocalClockDispersion_for_win_timesync_configuration  = LocalClockDispersion_for_win_timesync_configuration
REPORT-HoldPeriod_for_win_timesync_configuration            = HoldPeriod_for_win_timesync_configuration
REPORT-PhaseCorrectRate_for_win_timesync_configuration      = PhaseCorrectRate_for_win_timesync_configuration
REPORT-UpdateInterval_for_win_timesync_configuration        = UpdateInterval_for_win_timesync_configuration
REPORT-FileLogName_for_win_timesync_configuration           = FileLogName_for_win_timesync_configuration
REPORT-FileLogEntries_for_win_timesync_configuration        = FileLogEntries_for_win_timesync_configuration
REPORT-FileLogSize_for_win_timesync_configuration           = FileLogSize_for_win_timesync_configuration
REPORT-FileLogFlags_for_win_timesync_configuration          = FileLogFlags_for_win_timesync_configuration
REPORT-Time_zone_for_win_timesync_configuration             = Time_zone_for_win_timesync

###### Time Synchronization ######
[source::...win_timesync_status.bat]
sourcetype = Script:TimesyncStatus

[Script:TimesyncStatus]
DATETIME_CONFIG = CURRENT
LINE_BREAKER    = ([\r\n]+)Current time:

KV_MODE = None

REPORT-Current_time_for_win_timesync_status      = Current_time_for_win_timesync
REPORT-Leap_Indicator_for_win_timesync_status    = Leap_Indicator_for_win_timesync_status
REPORT-Stratum_for_win_timesync_status           = Stratum_for_win_timesync_status
REPORT-Precision_for_win_timesync_status         = Precision_for_win_timesync_status
REPORT-Root_Delay_for_win_timesync_status        = Root_Delay_for_win_timesync_status
REPORT-Root_Dispersion_for_win_timesync_status   = Root_Dispersion_for_win_timesync_status
REPORT-ReferenceId_for_win_timesync_status       = ReferenceId_for_win_timesync_status
REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
REPORT-Source_for_win_timesync_status            = Source_for_win_timesync_status
REPORT-Poll_Interval_for_win_timesync_status     = Poll_Interval_for_win_timesync_status
REPORT-Phase_Offset_for_win_timesync_status      = Phase_Offset_for_win_timesync_status
REPORT-ClockRate_for_win_timesync_status         = ClockRate_for_win_timesync_status
REPORT-State_Machine_for_win_timesync_status     = State_Machine_for_win_timesync_status
REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status
REPORT-Server_Role_for_win_timesync_status       = Server_Role_for_win_timesync_status
REPORT-Last_Sync_Error_for_win_timesync_status   = Last_Sync_Error_for_win_timesync_status
REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status
REPORT-Time_zone_for_win_timesync_status         = Time_zone_for_win_timesync

LOOKUP-action_for_win_timesync_status            = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action
EVAL-last_sync_time                              = strptime(Last_Successful_Sync_Time, "%m/%d/%Y %I:%M:%S %p")
###### Uptime ######
[WMI:Uptime]
REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous

FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime

###### User Accounts ######
[WMI:UserAccounts]
FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain
FIELDALIAS-status_for_wmi_useraccounts = Status AS status
FIELDALIAS-user_for_wmi_useraccounts = Name AS user
FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id
LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled

###### Version ######
[WMI:Version]
REPORT-0Caption_for_wmi_version = Caption_for_wmi_version
LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family
FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version
EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null())

###### Host Inventory ######
[WinHostMon]
EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null())
EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null())
EVAL-os = if(Type=="OperatingSystem", OS, null())
EVAL-family = if(Type=="Processor", Architecture, null())
EVAL-version = if(Type=="OperatingSystem", Version, null())
EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null())
EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null())
EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null())
EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null())
EVAL-vendor_product = if(Type=="OperatingSystem", OS, null())
EVAL-mount = if (Type=="Disk", Name, null())
EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null())
EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null())
EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())


## Set parameters for the sample data
[source::...Service.wmi.demo]
#, src_for_sample_data, dest_for_sample_data,
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d+\.\d+
TRANSFORMS-0FIELDS_for_source_wmi_demo_sample = wmi_host_for_sample_data, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype