TerribleDev/TimberWinR
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remove bad files

Browse Source
This commit is contained in:
Eric Fontana
2014-07-30 07:56:26 -04:00
parent e819fbae55
commit ce8d21a525
2 changed files with 0 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
Filters.md
View File

@@ -1,69 +0,0 @@
# Filters
The following filters are provided.
| Filter | Description
| :---------------- |:-----------------------------------------------------------------------
| *[grok][4]* |Similar to the [logstash grok][1] filter
| *[date][5]* |Similar to the [logstash date][2] filter
| *[mutate][6]* |Similar to the [logstash mutate][3] filter
Example Input:
```json
"Filters": [
{
"grok": {
"condition": "[type] == \"Win32-Eventlog\"",
"match": [
"Message",
""
],
"remove_field": [
"ComputerName"
]
}
},
{
"grok": {
"match": [
"message",
"%{SYSLOGLINE}"
],
"add_field": [
"Hello", "from %{logsource}"
]
}
},
{
"date": {
"condition": "[type] == \"Win32-FileLog\"",
"match": [
"timestamp",
"MMM d HH:mm:sss",
"MMM dd HH:mm:ss"
],
"add_field": [
"UtcTimestamp"
],
"convertToUTC": true
}
},
{
"mutate": {
"_comment": "Custom Rules",
"rename": [
"ComputerName", "Host",
"host", "Host",
"message","Message",
"type","Type",
"SID", "Username"
]
}
}
]
```
[1]: http://logstash.net/docs/1.4.2/filters/grok
[2]: http://logstash.net/docs/1.4.2/filters/date
[3]: http://logstash.net/docs/1.4.2/filters/mutate
[4]: https://github.com/efontana/TimberWinR/blob/master/mdocs/GrokFilter.md
[5]: https://github.com/efontana/TimberWinR/blob/master/mdocs/DateFilter.md
[6]: https://github.com/efontana/TimberWinR/blob/master/mdocs/MutateFilter.md

33
WindowsEvents.md
View File

@@ -1,33 +0,0 @@
# Input: WindowsEvents
## Parameters
The following parameters are allowed when configuring WindowsEvents.
| Parameter | Type | Description | Legal Values | Default |
| :---------------- |:---------------| :----------------------------------------------------------------------- | :--------------------------- | :-- |
| *source* | property:string |Windows event logs | Application,System,Security | System |
| *binaryFormat* | property:string |Format of the "Data" binary field. | ASC,HEX,PRINT | **ASC** |
| *msgErrorMode* | property:string |Behavior when event messages or event category names cannot be resolved. |NULL,ERROR,MSG | **MSG** |
| *direction* | property:string |Format of the "Data" binary field. | FW,BW | **FW** |
| *stringsSep* | property:string |Separator between values of the "Strings" field. | any string | vertical bar |
| *fullEventCode* | property:bool |Return the full event ID code instead of the friendly code. | true,false | **false** |
| *fullText* | property:bool |Retrieve the full text message | true,false | **true** |
| *resolveSIDS* | property:bool |Resolve SID values into full account names | true,false | **true** |
| *formatMsg* | property:bool |Format the text message as a single line. | true,false | **true** |
Example Input:
```json
{
"TimberWinR": {
"Inputs": {
"WindowsEvents": [
{
"source": "System,Application",
"binaryFormat": "PRINT",
"resolveSIDS": true
}
]
}
}
}
```