
#### Use TA-microsoft-windows/default/inputs.conf sequence
#### Default replacement for all DhcpSrvLog logs
## index/source/sourcetype label the generated events; each token.N.* triple
## rewrites the text matched by token.N.token in the sample lines.
[sample.DhcpSrvLog]
index = windows
## NOTE(review): the only key in this file written without spaces around '=';
## presumably cosmetic to the consuming parser, but align it with the rest.
source=c:\windows\system32\dhcp\dhcpsrvlog.log
sourcetype = DhcpSrvLog
## presumably seconds between runs: 300 lines up with the -5m window below
interval = 300
## Generate all events in sample
count = 0
## Splunk-style relative time bounds for the rewritten timestamps
earliest = -5m
latest = now
## replace timestamp 10,07/21/06,19:42:47
## capture group 1 delimits the date,time span; the leading record id is
## outside the group and presumably left untouched
token.0.token = ^\d+\,(\d{2}\/\d{2}\/\d{2}\,\d{2}:\d{2}:\d{2})
token.0.replacementType = timestamp
## strftime layout written back; %y (two-digit year) matches the \d{2} year
## above. The '%' is literal here: a parser that expands '%' (e.g. Python
## configparser with its default interpolation) would reject this file.
token.0.replacement = %m/%d/%y,%H:%M:%S
#### Default replacements for all WindowsUpdateLog logs
## Regex stanza: presumably applies to every sample whose name ends in
## '.WindowsUpdateLog'.
[.*\.WindowsUpdateLog]
index = windows
source = WindowsUpdateLog
sourcetype = WindowsUpdateLog
## presumably seconds between runs (two hours)
interval = 7200
## Generate all events in sample
count = 0
earliest = -5m
latest = now
## replace timestamp 2010-06-16 18:35:22:743
## only the capture group (date and time) is rewritten; the trailing ':743'
## millisecond field is outside the group and stays as in the sample
token.0.token = ^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}):\d+
token.0.replacementType = timestamp
## strftime layout; '%' is literal (see note on the DhcpSrvLog stanza)
token.0.replacement = %Y-%m-%d %H:%M:%S
## WindowsUpdateClient event 19 sample; labeled as the System event log
[WindowsUpdateClient.19.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
interval = 7200
## ten events per run -- NOTE(review): the previous comment said "Generate all
## events in sample", but that is the count = 0 form used elsewhere in this file
count = 10
## replace ComputerName:
## hostnames are swapped for entries from a list file; the path points into
## SA-Eventgen, so presumably that app must be installed alongside this one
token.0.token = ComputerName=(\S+)
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample
#### Replacement for win_listening_ports
[sample.win_listening_ports]
index = windows
source = Script:ListeningPorts
sourcetype = Script:ListeningPorts
## NOTE(review): spoolFile names a .bat file; its role for this sample is not
## visible here -- confirm against the generator's documentation
spoolFile = win_listening_ports.bat
interval = 300
## ten events per run
count = 10
earliest = -5m
latest = now
## replace timestamp 04/14/2011 19:42:27
## no capture group, so presumably the whole match is rewritten; four-digit year
token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
## replace ip
## NOTE(review): nothing here restricts 'ipv4' to private ranges, so generated
## dest_ip values can look like real public hosts -- keep that in mind if this
## data is shared or fed to IP-reputation lookups
token.1.token = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
token.1.replacementType = random
token.1.replacement = ipv4
## replace port
## NOTE(review): the range starts at 0, which is not a usable listening port;
## [1:1024] would keep the values plausible
token.2.token = dest_port=(\d+)
token.2.replacementType = random
token.2.replacement = integer[0:1024]
## replace pid
token.3.token = pid=(\d+)
token.3.replacementType = random
token.3.replacement = integer[1:65535]
#### Replacement for win_installed_apps
[sample.win_installed_apps]
index = windows
source = Script:InstalledApps
sourcetype = Script:InstalledApps
## event boundary: a line starting with the timestamp (same pattern as token.0)
breaker = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
## NOTE(review): role of the .bat spoolFile not visible here -- confirm
spoolFile = win_installed_apps.bat
## presumably seconds; hourly runs with a matching -60m window
interval = 3600
## three events per run
count = 3
earliest = -60m
latest = now
## replace timestamp 05/19/2011 10:48:34
token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
#### Default replacement for all perfmon logs
## Regex stanza for every '*.perfmon' sample. No source/sourcetype here: the
## per-counter stanzas below supply them.
[.*\.perfmon]
index = perfmon
interval = 3600
count = 10
earliest = -5m
latest = now
## replace timestamp 04/14/2011 11:53:26.486
## only the capture group is rewritten; the '.486' fraction stays.
## NOTE(review): the regex accepts a 2-4 digit year but %Y always writes four
## digits -- fine for the example shown, confirm no sample uses a 2-digit year
token.0.token = (\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
#### Perfmon:CPU
[CPUTime.perfmon]
## same value as the .*\.perfmon default above
index = perfmon
source = Perfmon:CPU
sourcetype = Perfmon:CPU
## the double quotes and the '%' are literal parts of this value
breaker = counter="% Processor Time"
## @@-prefixed placeholders in the sample are replaced with random integers in
## the given range; proc_time and user_time are drawn independently
token.0.token = @@proc_time
token.0.replacementType = random
token.0.replacement = integer[25:100]
token.1.token = @@user_time
token.1.replacementType = random
token.1.replacement = integer[0:25]
#### Perfmon:FreeDiskSpace
[FreeDiskSpace.perfmon]
## same value as the .*\.perfmon default above
index = perfmon
source = Perfmon:FreeDiskSpace
sourcetype = Perfmon:FreeDiskSpace
breaker = counter="Free Megabytes"
## NOTE(review): mbytes_free and perc_free are two independent random draws,
## so the two numbers in one event need not be consistent with each other
token.0.token = @@mbytes_free
token.0.replacementType = random
token.0.replacement = integer[1000:10000]
token.1.token = @@perc_free
token.1.replacementType = random
token.1.replacement = integer[0:100]
#### Perfmon:Memory
## no index or tokens here; presumably supplied by the .*\.perfmon default
[Memory.perfmon]
source = Perfmon:Memory
sourcetype = Perfmon:Memory
breaker = counter="Available MBytes"
#### Perfmon:LocalNetwork
## no index or tokens here; presumably supplied by the .*\.perfmon default
[LocalNetwork.perfmon]
source = Perfmon:LocalNetwork
sourcetype = Perfmon:LocalNetwork
breaker = counter="Current Bandwidth"
#### Default replacement for all windows logs
## Regex stanza for every '*.windows' sample; the per-sample stanzas below
## presumably add to or override individual keys.
[.*\.windows]
index = wineventlog
## event boundary: a line starting with the timestamp (same pattern as token.0)
breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
interval = 3600
count = 10
earliest = -5m
latest = now
## replace timestamp 03/11/10 01:12:01 PM
## NOTE(review): the example has a two-digit year and the regex accepts 2-4
## digits, but the replacement writes %Y (four digits) -- confirm the samples'
## year width, or the rewritten line may not keep the original shape
token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %I:%M:%S %p
## replace @@RecordNumber
token.1.token = RecordNumber=(\d+)
token.1.replacementType = random
token.1.replacement = integer[0:999999999]
## replace Source Port:
## (.*) is greedy: everything after 'Source Port:' up to end of line is
## replaced with a port in the dynamic/ephemeral range
token.2.token = Source Port:\s*(.*)
token.2.replacementType = random
token.2.replacement = integer[1025:65535]
## Moving the stanza below to exclude renaming anomalous eventtypes
## replace ComputerName:
## (disabled here; re-enabled per stanza in the Security regex stanza below)
#token.3.token = ComputerName=(\S+)
#token.3.replacementType = file
#token.3.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample
## Per-sample stanzas that only label index/source/sourcetype as the System
## event log; timestamp, RecordNumber and Source Port tokens presumably come
## from the .*\.windows default above. Names look like <provider>.<event id>.
[SCM.7036.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
[LSASRV.40961.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
[AppPopup.26.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
## regex stanza: any W32Time.<digits>.windows sample
[W32Time\.[0-9]*\.windows]
index = wineventlog
source = WinEventLog:System
sourcetype = WinEventLog:System
## Regex stanza for all Security.<id>.windows samples. NOTE(review): the name
## also matches the per-event-ID stanzas further down (Security.1102.windows,
## ...); how overlapping stanzas combine is up to the consuming parser -- verify.
[Security\.[0-9]*\.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## replace ComputerName:
## re-adds the hostname swap that is commented out of the .*\.windows default;
## the list lives in SA-Eventgen, so presumably that app must be installed
token.0.token = ComputerName=(\S+)
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample
#### Sample specific settings
## replace @@AuditType
## (disabled) would pick Success/Failure from a TA-microsoft-windows list file
#token.token = Type=(Success|Failure)\s+Audit
#token.replacementType = file
#token.replacement = $SPLUNK_HOME/etc/apps/TA-microsoft-windows/samples/audit_types.list
##################################################
## Anomalous events
##################################################
## Low-volume, detection-relevant samples. The stanza names presumably carry the
## Windows Security event ID (1102: audit log cleared, 4726: user account
## deleted, 4743: computer account deleted). count = 0 means every event in the
## sample is generated on each run.
[Security.1102.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## less frequent than the two stanzas below (3600 vs 900)
interval = 3600
## Generate all events in sample
count = 0
[Security.4726.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 900
## Generate all events in sample
count = 0
[Security.4743.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
interval = 900
## Generate all events in sample
count = 0
## presumably Security event ID 4672 (special privileges assigned to new logon);
## no interval/count/earliest/latest here, so those come from whichever
## matching default stanza the parser applies
[Security.4672.windows]
index = wineventlog
source = WinEventLog:Security
sourcetype = WinEventLog:Security
## replace @@user
## NOTE(review): usernames are drawn from SA-Eventgen's dist.all.last; check
## that the list holds only fictitious names before generated data is shared
token.0.token = @@user
token.0.replacementType = file
token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/dist.all.last
#### Default replacements for all WinRegistry logs
## Regex stanza for every '*.winregistry' sample
[.*\.winregistry]
index = windows
source = WinRegistry
sourcetype = WinRegistry
## event boundary: a line starting with a timestamp that has a fractional part
breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+
interval = 300
count = 10
earliest = -5m
latest = now
## replace timestamp 09/09/2010 23:36:32.0128
## only the capture group is rewritten; the '.0128' fraction stays.
## NOTE(review): regex accepts a 2-4 digit year, replacement always writes %Y
token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%Y %H:%M:%S
## host-monitor sample: sourcetype is the collector, source is the object read
[WinHostMon-OperatingSystem]
index = windows
sourcetype = WinHostMon
source = OperatingSystem
## Generate all events in sample
count = 0
## NOTE(review): labeling breaks the pattern of the stanza above (sourcetype
## WinHostMon, source = the monitored object): here sourcetype is 'Processor'
## and source is 'Computer'. If these are swapped or mislabeled, field
## extraction and any search keyed on sourcetype=WinHostMon silently miss this
## data -- confirm the intended values.
[WinHostMon-Processor]
index = windows
sourcetype = Processor
source = Computer
## Generate all events in sample
count = 0
## XML-rendered Security events; note the sourcetype is XmlWinEventLog:Security
## while source keeps the WinEventLog:Security name
[XmlSecurity\.[0-9]*\.windows\.xml]
index = wineventlog
source = WinEventLog:Security
sourcetype = XmlWinEventLog:Security
## presumably splits events at a line holding only the closing </Events> tag
breaker = ^<\/Events>$
[XmlSystem.update_.*\.xml]
index = wineventlog
source = WinEventLog:System
sourcetype = XmlWinEventLog:System
breaker = ^<\/Events>$