diff --git a/Filters.md b/Filters.md deleted file mode 100644 index d56b31a..0000000 --- a/Filters.md +++ /dev/null @@ -1,69 +0,0 @@ -# Filters -The following filters are provided. - - -| Filter | Description -| :---------------- |:----------------------------------------------------------------------- -| *[grok][4]* |Similar to the [logstash grok][1] filter -| *[date][5]* |Similar to the [logstash date][2] filter -| *[mutate][6]* |Similar to the [logstash mutate][3] filter -Example Input: -```json - "Filters": [ - { - "grok": { - "condition": "[type] == \"Win32-Eventlog\"", - "match": [ - "Message", - "" - ], - "remove_field": [ - "ComputerName" - ] - } - }, - { - "grok": { - "match": [ - "message", - "%{SYSLOGLINE}" - ], - "add_field": [ - "Hello", "from %{logsource}" - ] - } - }, - { - "date": { - "condition": "[type] == \"Win32-FileLog\"", - "match": [ - "timestamp", - "MMM d HH:mm:sss", - "MMM dd HH:mm:ss" - ], - "add_field": [ - "UtcTimestamp" - ], - "convertToUTC": true - } - }, - { - "mutate": { - "_comment": "Custom Rules", - "rename": [ - "ComputerName", "Host", - "host", "Host", - "message","Message", - "type","Type", - "SID", "Username" - ] - } - } -] -``` - [1]: http://logstash.net/docs/1.4.2/filters/grok - [2]: http://logstash.net/docs/1.4.2/filters/date - [3]: http://logstash.net/docs/1.4.2/filters/mutate - [4]: https://github.com/efontana/TimberWinR/blob/master/mdocs/GrokFilter.md - [5]: https://github.com/efontana/TimberWinR/blob/master/mdocs/DateFilter.md - [6]: https://github.com/efontana/TimberWinR/blob/master/mdocs/MutateFilter.md \ No newline at end of file diff --git a/WindowsEvents.md b/WindowsEvents.md deleted file mode 100644 index 386f95a..0000000 --- a/WindowsEvents.md +++ /dev/null 
@@ -1,33 +0,0 @@ - -# Input: WindowsEvents - -## Parameters -The following parameters are allowed when configuring WindowsEvents. - -| Parameter | Type | Description | Legal Values | Default | -| :---------------- |:---------------| :----------------------------------------------------------------------- | :--------------------------- | :-- | -| *source* | property:string |Windows event logs | Application,System,Security | System | -| *binaryFormat* | property:string |Format of the "Data" binary field. | ASC,HEX,PRINT | **ASC** | -| *msgErrorMode* | property:string |Behavior when event messages or event category names cannot be resolved. |NULL,ERROR,MSG | **MSG** | -| *direction* | property:string |Format of the "Data" binary field. | FW,BW | **FW** | -| *stringsSep* | property:string |Separator between values of the "Strings" field. | any string | vertical bar | -| *fullEventCode* | property:bool |Return the full event ID code instead of the friendly code. | true,false | **false** | -| *fullText* | property:bool |Retrieve the full text message | true,false | **true** | -| *resolveSIDS* | property:bool |Resolve SID values into full account names | true,false | **true** | -| *formatMsg* | property:bool |Format the text message as a single line. | true,false | **true** | -Example Input: -```json -{ - "TimberWinR": { - "Inputs": { - "WindowsEvents": [ - { - "source": "System,Application", - "binaryFormat": "PRINT", - "resolveSIDS": true - } - ] - } - } -} -``` \ No newline at end of file
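Review bot: In the Filters.md hunk, deleting the file removes the only index that maps the grok, date and mutate filters to their mdocs pages (GrokFilter.md, DateFilter.md, MutateFilter.md), and nothing in this diff replaces it; the commit should say where that index now lives, and any README or wiki link to Filters.md needs updating or it will break. If the content is being relocated rather than dropped, fix two defects in the old example before copying it: the date filter's first pattern `"MMM d HH:mm:sss"` has three `s` in the seconds field, and the first grok filter's `"match": ["Message", ""]` uses an empty pattern, which documents nothing for the `Win32-Eventlog` case.

Review bot: In the WindowsEvents.md hunk, the *direction* row of the removed parameter table reuses the *binaryFormat* description ("Format of the "Data" binary field.") even though its legal values are FW,BW; if this table is being relocated rather than dropped, correct that description so it states what FW and BW actually select. Also confirm the documented defaults (source System, binaryFormat ASC, msgErrorMode MSG, resolveSIDS true, fullText true) survive in the replacement, since after this deletion nothing in the tree tells an operator which event logs are collected by default or that Security must be opted into via *source*.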