### XmlWinEventLog

[XmlWinEventLog:Security]
KV_MODE = none
EXTRACT-dest = <Data Name='TargetServerName'>(?<dest>[^<]+)<\/Data>
EXTRACT-dest_01 = <Data Name='DestAddress'>(?<dest>[^<]+)<\/Data>
# Set Computer as last dest
EXTRACT-dest_02 = <Computer>(?<dest>[^<]+)<\/Computer>
EXTRACT-dest_nt_domain = <Data Name='TargetDomainName'>(?<dest_nt_domain>[^<]+)<\/Data>
EXTRACT-dest_port = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
EXTRACT-event_id,signature_id = <EventID>(?<signature_id>(?<event_id>\d+))<\/EventID>
EXTRACT-event_record_id = <EventRecordID>(?<event_record_id>\d+)<\/EventRecordID>
EXTRACT-logon_id = <Data Name='SubjectLogonId'>(?<logon_id>[^<]+)<\/Data>
EXTRACT-logon_type = <Data Name='LogonType'>(?<logon_type>\d+)<\/Data>
EXTRACT-object_attrs = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
EXTRACT-process = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
EXTRACT-process_id = <Execution ProcessID='(?<process_id>\d+)'
EXTRACT-src = <Data Name='IpAddress'>(?<src>[^<]+)</Data>
EXTRACT-src_01 = <Data Name='SourceAddress'>(?<src>[^<]+)<\/Data>
EXTRACT-src_nt_domain = <Data Name='SubjectDomainName'>(?<src_nt_domain>[^<]+)<\/Data>
EXTRACT-src_port = <Data Name='SourcePort'>(?<src_port>[^<]+)<\/Data>
EXTRACT-src_user = <Data Name='SubjectUserName'>(?<src_user>[^<]+)<\/Data>
EXTRACT-signature_sub_id = <Data Name='Status'>(?<signature_sub_id>[^<]+)<\/Data>
EXTRACT-thread_id = <Execution ProcessID='\d+' ThreadID='(?<thread_id>\d+)'
EXTRACT-user = <Data Name='TargetUserName'>(?<user>[^<]+)<\/Data>
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_security_signature_id = wineventlog_security_signature_id signature_id OUTPUTNEW action, category, object, object_category, subcategory, signature, status
LOOKUP-wineventlog_security_signature_sub_id = wineventlog_security_signature_sub_id signature_id signature_sub_id OUTPUTNEW signature_sub
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_app-event_id = wineventlog_app event_id OUTPUTNEW app
LOOKUP-wineventlog_app-src = wineventlog_app src OUTPUTNEW app
LOOKUP-wineventlog_app-logon_type = wineventlog_app logon_type OUTPUTNEW logon_type_description app

[XmlWinEventLog:System]
KV_MODE = none
EXTRACT-dest = <Computer>(?<dest>[^<]+)<\/Computer>
EXTRACT-event_id = <EventID>(?<event_id>\d+)<\/EventID>
EXTRACT-event_record_id = <EventRecordID>(?<event_record_id>\d+)<\/EventRecordID>
EXTRACT-event_source = EventSourceName='(?<event_source>[^']+)'
EXTRACT-guid = Guid='(?<guid>[^']+)'
EXTRACT-provider = <Provider Name='(?<provider>[^']+)'
EXTRACT-vendor_severity_id = <Level>(?<vendor_severity_id>\d+)<\/Level>
REPORT-signature,signature_id = xmleventlog_updatelist,xmleventlog_signature_signature_id
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity
LOOKUP-windows_timesync_action = windows_timesync_action event_id, provider OUTPUTNEW action

[XmlWinEventLog:Application]
KV_MODE = none
EXTRACT-event_id = <EventID(?: Qualifiers='\d+')?>(?<event_id>\d+)<\/EventID>
EXTRACT-event_record_id = <EventRecordID>(?<event_record_id>\d+)<\/EventRecordID>
EXTRACT-event_source = EventSourceName='(?<event_source>[^']+)'
EXTRACT-guid = Guid='(?<guid>[^']+)'
EXTRACT-provider = <Provider Name='(?<provider>[^']+)'
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity

### WinEventLog

[source::WinEventLog...]
# Disable unneeded $SPLUNK_HOME/etc/default/props.conf report
REPORT-MESSAGE = 

[WinEventLog:Security]
KV_MODE = none
EXTRACT-dest = (?s)Network Information:.*?Destination Address:\s+(?<dest>\S+).*?(?:(?:\r*\n){2})
# Set ComputerName as last dest
EXTRACT-dest_01 = ComputerName=(?<dest>\S+)
EXTRACT-dest_port = (?s)Network Information:.*?Destination Port:\s+(?<dest_port>\S+).*?(?:(?:\r*\n){2})
EXTRACT-dest_nt_domain = (?s)Account Whose Credentials Were Used:.*?Account Domain:\s+(?<dest_nt_domain>\S+).*?(?:(?:\r*\n){2})
EXTRACT-event_id,signature_id = EventCode=(?<signature_id>(?<event_id>\d+))
EXTRACT-event_record_id = RecordNumber=(?<event_record_id>\d+)
EXTRACT-logon_id = Logon ID:\s+(?<logon_id>\S+)
EXTRACT-logon_type = Logon Type:\s+(?<logon_type>\d+)
EXTRACT-object_attrs = Rule Name:\s+(?<object_attrs>[^$]+)$
EXTRACT-process = (?s)Application Information:.*?Process Name:\s+(?<process>\S+).*?(?:(?:\r*\n){2})
EXTRACT-process_id = (?s)Application Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-process_id_01 = (?s)Process Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-signature_sub_id = (?s)Failure Information:.*?Sub Status:\s+(?<signature_sub_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src = (?s)Network Information:.*?Source Address:\s+(?<src>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src_nt_domain =(?s)Subject:.*?Account Domain:\s+(?<src_nt_domain>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src_port = (?s)Network Information:.*?Source Port:\s+(?<src_port>\S+).*?(?:(?:\r*\n){2})
EXTRACT-src_user = (?s)Subject:.*?Account Name:\s+(?<src_user>\S+).*?(?:(?:\r*\n){2})
EXTRACT-user = (?s)Account Whose Credentials Were Used:.*?Account Name:\s+(?<user>\S+).*?(?:(?:\r*\n){2})
EXTRACT-vendor_direction = (?s)Network Information:.*?Direction:\s+(?<vendor_direction>\S+).*?(?:(?:\r*\n){2})
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_security_signature_id = wineventlog_security_signature_id signature_id OUTPUTNEW action, category, object, object_category, subcategory, signature, status
LOOKUP-wineventlog_security_signature_sub_id = wineventlog_security_signature_sub_id signature_id signature_sub_id OUTPUTNEW signature_sub
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_app-event_id = wineventlog_app event_id OUTPUTNEW app
LOOKUP-wineventlog_app-src = wineventlog_app src OUTPUTNEW app
LOOKUP-wineventlog_app-logon_type = wineventlog_app logon_type OUTPUTNEW logon_type_description app

[WinEventLog:System]
KV_MODE = none
EXTRACT-dest = ComputerName=(?<dest>\S+)
EXTRACT-event_id = EventCode=(?<event_id>\d+)
EXTRACT-event_record_id = RecordNumber=(?<event_record_id>\d+)
EXTRACT-event_source = SourceName=(?<event_source>\S+)
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity
LOOKUP-windows_timesync_action = windows_timesync_action event_id, provider as event_source OUTPUT action

[WinEventLog:Application]
KV_MODE = none
EXTRACT-event_id = EventCode=(?<event_id>\d+)
EXTRACT-event_record_id = RecordNumber=(?<event_record_id>\d+)
EXTRACT-event_source = SourceName=(?<event_source>\S+)
FIELDALIAS-dvc = host as dvc, host as dvc_nt_host
LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product
LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity

### Perfmon

[Perfmon:CPU]
EXTRACT-cpu_load_mhz = (?s)counter="Processor Frequency".*?Value=(?<cpu_load_mhz>\S+)
EXTRACT-cpu_load_percent = (?s)counter="% Processor Time".*?instance=_Total.*?Value=(?<cpu_load_percent>\S+)
EXTRACT-cpu_user_percent = (?s)counter="% User Time".*?instance=_Total.*?Value=(?<cpu_user_percent>\S+)
EXTRACT-cpu_interrupts = (?s)counter="Interrupts/sec".*?instance=_Total.*?Value=(?<cpu_interrupts>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src

[Perfmon:CPUTime]
EXTRACT-cpu_load_mhz = (?s)counter="Processor Frequency".*?Value=(?<cpu_load_mhz>\S+)
EXTRACT-cpu_load_percent = (?s)counter="% Processor Time".*?Value=(?<cpu_load_percent>\S+)
EXTRACT-cpu_user_percent = (?s)counter="% User Time".*?Value=(?<cpu_user_percent>\S+)
EXTRACT-cpu_interrupts = (?s)counter="Interrupts/sec".*?Value=(?<cpu_interrupts>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src

[Perfmon:System]
EXTRACT-wait_threads_count = (?s)counter="Processor Queue Length".*?Value=(?<wait_threads_count>\S+)
EXTRACT-system_threads_count = (?s)counter="Threads".*?Value=(?<system_threads_count>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src

[Perfmon:FreeDiskSpace]
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
FIELDALIAS-mount = instance as mount
EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())

[Perfmon:LogicalDisk]
EXTRACT-read_latency = (?s)counter="Avg. Disk sec/Read".*?Value=(?<read_latency>\S+)
EXTRACT-write_latency = (?s)counter="Avg. Disk sec/Write".*?Value=(?<write_latency>\S+)
EXTRACT-storage_free_percent = (?s)counter="% Free Space".*?Value=(?<storage_free_percent>\S+)
EXTRACT-read_ops = (?s)counter="Disk Reads/sec".*?Value=(?<read_ops>\S+)
EXTRACT-write_ops = (?s)counter="Disk Writes/sec".*?Value=(?<write_ops>\S+)
EXTRACT-total_ops = (?s)counter="Disk Transfers/sec".*?Value=(?<total_ops>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())

[Perfmon:LocalNetwork]
EXTRACT-thruput = (?s)counter="Bytes Total/sec".*?Value=(?<thruput>\S+)
EXTRACT-thruput_max = (?s)counter="Current Bandwidth".*?Value=(?<thruput>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src

[Perfmon:Process]
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())

[Perfmon:Memory]
EXTRACT-mem_committed = (?s)counter="Committed Bytes".*?Value=(?<mem_committed>\S+)
EXTRACT-mem_page_ops = (?s)counter="Pages/sec".*?Value=(?<mem_page_ops>\S+)
EXTRACT-swap_free = (?s)counter="Pool Nonpaged Bytes".*?Value=(?<swap_free>\S+)
EXTRACT-swap_used = (?s)counter="Pool Paged Bytes".*?Value=(?<swap_used>\S+)
FIELDALIAS-dest = host as dest
FIELDALIAS-src = host as src
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())

### WinHostMon

[WinHostMon]
EXTRACT-mount = Type=Disk.*?Name="(?<mount>[^"]+)"
EXTRACT-process = Type=Process.*?Name="(?<process>[^"]+)"
EXTRACT-service = DisplayName="(?<service>[^"]+)"
FIELDALIAS-cpu_mhz = ClockSpeedMHz as cpu_mhz
FIELDALIAS-cpu_cores = NumberOfCores AS cpu_cores
FIELDALIAS-cpu_count = NumberOfProcessors AS cpu_count
FIELDALIAS-dest = host as dest
FIELDALIAS-family = Architecture as family
FIELDALIAS-os = OS as os
FIELDALIAS-version = Version as version
EVAL-mem_free_percent = FreePhysicalMemoryKB/TotalPhysicalMemoryKB
EVAL-mem_used = (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024
EVAL-mem = if(source=="os", TotalPhysicalMemoryKB/1024, null())
EVAL-storage = if (source=="disk", TotalSpaceKB/1024, null())
EVAL-storage_free = if (source=="disk", FreeSpaceKB/1024, null())
EVAL-storage_used = if (source=="disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
LOOKUP-windows_service_startmode = windows_service_startmode StartMode OUTPUT start_mode
LOOKUP-windows_service_status = windows_service_status Status State OUTPUT status

### Script:InstalledApps

[Script:InstalledApps]
SHOULD_LINEMERGE = true
LINE_BREAKER  =

### Script:ListeningPorts

[Script:ListeningPorts]
SHOULD_LINEMERGE = false
KV_MODE = none
EXTRACT-dest_ip = dest_ip=\[(?<dest>(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\]
EXTRACT-dest_port = dest_port=(?<dest_port>\d+)
EXTRACT-process_id = pid=(?<process_id>\d+)
EXTRACT-transport = transport=(?<transport>\S+)
FIELDALIAS-dest = host as dest

### Script:TimesyncConfiguration

[Script:TimesyncConfiguration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER    = ([\r\n]+)Current time:
KV_MODE = None

### Script:TimesyncStatus

[Script:TimesyncStatus]
DATETIME_CONFIG = CURRENT
LINE_BREAKER    = ([\r\n]+)Current time:
KV_MODE = None
EXTRACT-last_sync_error = Last Sync Error: (?<last_sync_error>\d+)
LOOKUP-windows_timesync_action = windows_timesync_action last_sync_error OUTPUT action

### WindowsUpdateLog

[WindowsUpdateLog]
KV_MODE = none
FIELDALIAS-dest_for_windowsupdate = host as dest
EXTRACT-signature = Windows successfully installed the following update:\s+(?<signature>.*?(?<signature_id>KB\d+)[^$]+)
EXTRACT-component = ^\S+\s+\S+\s+\S+\s+\S+\s+(?<component>\S+)
EXTRACT-process_id = ^\S+\s+\S+\s+(?<process_id>\S+)
EXTRACT-thread_id = ^\S+\s+\S+\s+\d+\s+(?<thread_id>\S+)
EXTRACT-vendor_status = (?<vendor_status>(?:Installation\s+successful\s+and\s+restart\s+required|Installation\s+(Successful|Failure)|Restart\s+Required|Installation\s+Ready))
REPORT-signature,signature_id = windowsupdatelog_signature_message,windowsupdatelog_signature_signature_id
LOOKUP-windowsupdatelog_status = windowsupdatelog_status vendor_status OUTPUT status

### DHCP

[DhcpSrvLog]
SHOULD_LINEMERGE = false
KV_MODE = none
TRANSFORMS-dhcp_discard_headers = dhcpsrvlog_discard_headers
EXTRACT-msdhcp_id,description,dest_ip,dest_nt_host,dest_mac = (?<msdhcp_id>[^,]+),[^,]+,[^,]+,(?<description>[^,]?),(?<dest_ip>[^,]+),(?<dest_nt_host>[^,]+),(?<dest_mac>[^$]+)
REPORT-dest = dchpsrvlog_dest_nt_host_as_dest,dchpsrvlog_dest_mac_as_dest,dchpsrvlog_dest_ip_as_dest
LOOKUP-windows_msdhcp_id = windows_msdhcp_id msdhcp_id OUTPUT signature

### WinRegistry

[WinRegistry]
KV_MODE = none
EXTRACT-object_path = key_path="(?<object_path>[^"]+)"
EXTRACT-object = (?s)key_path="(\\[^\n]+)*\\(?<object>[^"]+)".*?data_type
EXTRACT-user = (?s)process_image="(\\[^\n]+)*\\(?<user>[^"]+)".*?registry_type
EXTRACT-vendor_action = registry_type="(?<vendor_action>[^"]+)"
EXTRACT-vendor_status,msg = event_status="\((?<vendor_status>[0-9-]+)\)(?<msg>[^\"]+)"
LOOKUP-windows_object_category = windows_object_category object as sourcetype OUTPUT object_category
LOOKUP-windows_status = windows_status vendor_status OUTPUT status
LOOKUP-windows_vendor_action = windows_vendor_action sourcetype, vendor_action OUTPUT action
FIELDALIAS-dest = host as dest