#### Use TA-microsoft-windows/default/inputs.conf sequence

#### Default replacement for all DhcpSrvLog logs
[sample.DhcpSrvLog]
index = windows
source=c:\windows\system32\dhcp\dhcpsrvlog.log
sourcetype = DhcpSrvLog
interval = 300
## Generate all events in sample
count = 0
earliest = -5m
latest = now

## replace timestamp 10,07/21/06,19:42:47
token.0.token = ^\d+\,(\d{2}\/\d{2}\/\d{2}\,\d{2}:\d{2}:\d{2})
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%y,%H:%M:%S

#### Default replacements for all WindowsUpdateLog logs
[.*\.WindowsUpdateLog]
index = windows
source = WindowsUpdateLog
sourcetype = WindowsUpdateLog
interval = 7200

## Generate all events in sample
count = 0
earliest = -5m
latest = now

## replace timestamp 2010-06-16 18:35:22:743
token.0.token = ^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}):\d+
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S

[WindowsUpdateClient.19.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
interval = 7200
## Generate all events in sample
count = 10

## replace ComputerName:
token.0.token = ComputerName=(\S+)
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample

#### Replacement for win_listening_ports
[sample.win_listening_ports]
index = windows
source = Script:ListeningPorts
sourcetype = Script:ListeningPorts
spoolFile = win_listening_ports.bat
interval = 300
count = 10
earliest = -5m
latest = now

## replace timestamp 04/14/2011 19:42:27
token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S

## replace ip
token.1.token = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
token.1.replacementType = random
token.1.replacement = ipv4

## replace port
token.2.token = dest_port=(\d+)
token.2.replacementType = random
token.2.replacement = integer[0:1024]

## replace pid
token.3.token = pid=(\d+)
token.3.replacementType = random
token.3.replacement = integer[1:65535]

#### Replacement for win_installed_apps
[sample.win_installed_apps]
index = windows
source = Script:InstalledApps
sourcetype = Script:InstalledApps
breaker = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
spoolFile = win_installed_apps.bat
interval = 3600
count = 3
earliest = -60m
latest = now

## replace timestamp 05/19/2011 10:48:34
token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S

#### Default replacement for all perfmon logs
[.*\.perfmon]
index = perfmon
interval = 3600
count = 10
earliest = -5m
latest = now

## replace timestamp 04/14/2011 11:53:26.486
token.0.token = (\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S

#### Perfmon:CPU
[CPUTime.perfmon]
index = perfmon
source = Perfmon:CPU
sourcetype = Perfmon:CPU
breaker = counter="% Processor Time"

token.0.token = @@proc_time
token.0.replacementType = random
token.0.replacement = integer[25:100]

token.1.token = @@user_time
token.1.replacementType = random
token.1.replacement = integer[0:25]

#### Perfmon:FreeDiskSpace
[FreeDiskSpace.perfmon]
index = perfmon
source = Perfmon:FreeDiskSpace
sourcetype = Perfmon:FreeDiskSpace
breaker = counter="Free Megabytes"

token.0.token = @@mbytes_free
token.0.replacementType = random
token.0.replacement = integer[1000:10000]

token.1.token = @@perc_free
token.1.replacementType = random
token.1.replacement = integer[0:100]

#### Perfmon:Memory
[Memory.perfmon]
source = Perfmon:Memory
sourcetype = Perfmon:Memory
breaker = counter="Available MBytes"

#### Perfmon:LocalNetwork
[LocalNetwork.perfmon]
source = Perfmon:LocalNetwork
sourcetype = Perfmon:LocalNetwork
breaker = counter="Current Bandwidth"

#### Default replacement for all windows logs
[.*\.windows]
index = wineventlog
breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
interval = 3600
count = 10
earliest = -5m
latest = now

## replace timestamp 03/11/10 01:12:01 PM
token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %I:%M:%S %p

## replace @@RecordNumber
token.1.token = RecordNumber=(\d+)
token.1.replacementType = random
token.1.replacement = integer[0:999999999]

## replace Source Port:
token.2.token = Source Port:\s*(.*)
token.2.replacementType = random
token.2.replacement = integer[1025:65535]

## Moving the stanza below to exclude renaming anomalous eventtypes
## replace ComputerName:
#token.3.token = ComputerName=(\S+)
#token.3.replacementType = file
#token.3.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample

[SCM.7036.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System

[LSASRV.40961.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System

[AppPopup.26.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System

[W32Time\.[0-9]*\.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System

[Security\.[0-9]*\.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## replace ComputerName:
token.0.token = ComputerName=(\S+)
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample

#### Sample specific settings
## replace @@AuditType
#token.token = Type=(Success|Failure)\s+Audit
#token.replacementType = file
#token.replacement = $SPLUNK_HOME/etc/apps/TA-microsoft-windows/samples/audit_types.list

##################################################
## Anomalous events
##################################################

[Security.1102.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 3600
## Generate all events in sample
count = 0

[Security.4726.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 900
## Generate all events in sample
count = 0

[Security.4743.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 900
## Generate all events in sample
count = 0

[Security.4672.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## replace @@user
token.0.token = @@user
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/dist.all.last

#### Default replacements for all WinRegistry logs
[.*\.winregistry]
index = windows
source = WinRegistry
sourcetype = WinRegistry
breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
interval = 300
count = 10
earliest = -5m
latest = now

## replace timestamp 09/09/2010 23:36:32.0128
token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S

[WinHostMon-OperatingSystem]
index = windows
sourcetype = WinHostMon
source = OperatingSystem
count = 0

[WinHostMon-Processor]
index = windows
sourcetype = Processor
source = Computer
count = 0

[XmlSecurity\.[0-9]*\.windows\.xml]
index = wineventlog
source = WinEventLog:Security
sourcetype = XmlWinEventLog:Security
breaker = ^<\/Events>$

[XmlSystem.update_.*\.xml]
index = wineventlog
source = WinEventLog:System
sourcetype = XmlWinEventLog:System
breaker = ^<\/Events>$