[wineventlog_security_signature_id]
filename = wineventlog_security_signature_id.csv

[wineventlog_security_signature_sub_id]
filename = wineventlog_security_signature_sub_id.csv

[wineventlog_sourcetype_vendor_product]
filename = wineventlog_sourcetype_vendor_product.csv

[wineventlog_app]
filename = wineventlog_app.csv

[wineventlog_vendor_severity_id]
filename = wineventlog_vendor_severity_id.csv

[xmleventlog_updatelist]
REGEX = <updatelist xmlns='[^']+'>([^<]+)<\/updatelist>
FORMAT = updatelist::"$1"

[xmleventlog_signature_signature_id]
SOURCE_KEY = updatelist
REGEX = -\s(.*?\((KB\S+)\))
FORMAT = signature::"$1" signature_id::"$2"
MV_ADD = true

[windowsupdatelog_signature_message]
REGEX = (?:Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on .*?|Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates: .*?|Restart Required: To complete the installation of the following updates, the computer will be restarted within \d+ minutes:.*?)(-.*)
FORMAT = signature_message::"$1"

[windowsupdatelog_signature_signature_id]
SOURCE_KEY = signature_message
REGEX = -\s(.*?\((KB\S+)\))
FORMAT = signature::"$1" signature_id::"$2"
MV_ADD = true

[windowsupdatelog_status]
filename = windowsupdatelog_status.csv

[windows_msdhcp_id]
filename = windows_msdhcp_id.csv

[dhcpsrvlog_discard_headers]
REGEX = ^(ID|#)
DEST_KEY = queue
FORMAT = nullQueue

[dchpsrvlog_dest_nt_host_as_dest]
SOURCE_KEY = dest_nt_host
REGEX = (.+)
FORMAT = dest::"$1"
MV_ADD = true

[dchpsrvlog_dest_ip_as_dest]
SOURCE_KEY = dest_ip
REGEX = (.+)
FORMAT = dest::"$1"
MV_ADD = true

[dchpsrvlog_dest_mac_as_dest]
SOURCE_KEY = dest_mac
REGEX = (.+)
FORMAT = dest::"$1"
MV_ADD = true

[windows_object_category]
filename = windows_object_category.csv

[windows_status]
filename = windows_status.csv
default_match = failure
min_matches = 1
max_matches = 1

[windows_timesync_action]
filename = windows_timesync_action.csv
match_type  = WILDCARD(last_sync_error)
max_matches = 1

[windows_vendor_action]
filename = windows_vendor_action.csv

[windows_service_startmode]
filename = windows_service_startmode.csv

[windows_service_status]
filename = windows_service_status.csv