Updated table.
@@ -15,12 +15,12 @@ The following parameters are allowed when configuring WindowsEvents.
| Parameter | Type | Description | Details | Default |
| :---------------- |:---------------| :----------------------------------------------------------------------- | :--------------------------- | :-- |
| *iCodepage* | property:integer |Codepage of the text file. | 0 is the system codepage, -1 is UNICODE. | 0 |
| *recurse* | property:integer |Max subdirectory recursion level. | 0 disables subdirectory recursion; -1 enables unlimited recursion. | 0 |
| *minDateMod* | property:datetime |Minimum file last modified date, in local time coordinates | When this parameter is specified, the IISW3C input format processes only log files that have been modified after the specified date. | |
| *dQuotes* | property:boolean |Specifies that string values in the log are double-quoted. | Log processors might generate W3C logs whose string values are enclosed in double-quotes. | false |
| *dirTime* | property:boolean |Use the value of the "#Date" directive for the "date" and/or "time" field values when these fields are not logged. | When a log file is configured to not log the "date" and/or "time" fields, specifying "true" for this parameters causes the IISW3C input format to generate "date" and "time" values using the value of the last seen "#Date" directive. | false |
| *consolidateLogs* | property:boolean |Return entries from all the input log files ordering by date and time. | When a location refers to log files from multiple IIS virtual sites, specifying true for this parameter causes the IISW3C input format to parse all the input log files in parallel, returning entries ordered by the values of the "date" and "time" fields in the log files; the input records returned will thus appear as if a single IISW3C log file was being parsed. Enabling this feature is equivalent to executing a query with an "ORDER BY date, time" clause on all the log files. However, the implementation of this feature leverages the pre-existing chronological order of entries in each log file, and it does not require the extensive memory resources otherwise required by the ORDER BY query clause. | false |
| *iCodepage* | integer |Codepage of the text file. | 0 is the system codepage, -1 is UNICODE. | 0 |
| *recurse* | integer |Max subdirectory recursion level. | 0 disables subdirectory recursion; -1 enables unlimited recursion. | 0 |
| *minDateMod* | datetime |Minimum file last modified date, in local time coordinates | When this parameter is specified, the IISW3C input format processes only log files that have been modified after the specified date. | |
| *dQuotes* | boolean |Specifies that string values in the log are double-quoted. | Log processors might generate W3C logs whose string values are enclosed in double-quotes. | false |
| *dirTime* | boolean |Use the value of the "#Date" directive for the "date" and/or "time" field values when these fields are not logged. | When a log file is configured to not log the "date" and/or "time" fields, specifying "true" for this parameters causes the IISW3C input format to generate "date" and "time" values using the value of the last seen "#Date" directive. | false |
| *consolidateLogs* | boolean |Return entries from all the input log files ordering by date and time. | When a location refers to log files from multiple IIS virtual sites, specifying true for this parameter causes the IISW3C input format to parse all the input log files in parallel, returning entries ordered by the values of the "date" and "time" fields in the log files; the input records returned will thus appear as if a single IISW3C log file was being parsed. Enabling this feature is equivalent to executing a query with an "ORDER BY date, time" clause on all the log files. However, the implementation of this feature leverages the pre-existing chronological order of entries in each log file, and it does not require the extensive memory resources otherwise required by the ORDER BY query clause. | false |
Example Input:
```json
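Review bot: the hunk's context line still reads "The following parameters are allowed when configuring WindowsEvents." while every row in this table (*minDateMod*, *dQuotes*, *dirTime*, *consolidateLogs*) describes the IISW3C input format, so the intro sentence looks copied from the WindowsEvents page and should name IISW3C. Since the rows are being rewritten anyway, the *dirTime* Details cell carries "specifying "true" for this parameters causes" into the new version; it should read "this parameter". Two smaller consistency points: the *minDateMod* description is the only one without a trailing period, and the *consolidateLogs* description "ordering by date and time" reads better as "ordered by date and time".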
@@ -39,7 +39,8 @@ Example Input:
## Fields
After a successful parse of an event, the following fields are added:
After a successful parse of an event, the following fields are added [if configured to be logged](http://technet.microsoft.com/en-us/library/cc754702(v=ws.10).aspx)
| Name | Type | Description |
| ---- |:-----| :-----------------------------------------------------------------------|
|LogFilename| STRING | Full path of the log file containing this entry |
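Review bot: the rewritten sentence drops the colon that the removed line ended with, so "...the following fields are added [if configured to be logged](...)" now runs straight into the table with no punctuation; suggest "After a successful parse of an event, the following fields are added ([if configured to be logged](http://technet.microsoft.com/en-us/library/cc754702(v=ws.10).aspx)):". Also, this table's Type column uses uppercase "STRING" while the parameter tables touched in the same commit use lowercase "string" and "integer"; pick one convention for the Type column across the docs.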
@@ -7,10 +7,10 @@ The following parameters are allowed when configuring WindowsEvents.
| Parameter | Type | Description | Details | Default |
| :---------------- |:---------------| :----------------------------------------------------------------------- | :--------------------------- | :-- |
| *location* | property:string |Location of file(s) to monitor | Path to text file(s) including wildcards. | |
| *recurse* | property:integer |Max subdirectory recursion level. | 0 disables subdirectory recursion; -1 enables unlimited recursion. | 0 |
| *splitLongLines* | property:boolean |Behavior when event messages or event category names cannot be resolved. |When a text line is longer than 128K characters, the format truncates the line and either discards the remaining of the line (when this parameter is set to "false"), or processes the remainder of the line as a new line (when this parameter is set to "true").| false |
| *iCodepage* | property:integer |Codepage of the text file. | 0 is the system codepage, -1 is UNICODE. | 0 |
| *location* | string |Location of file(s) to monitor | Path to text file(s) including wildcards. | |
| *recurse* | integer |Max subdirectory recursion level. | 0 disables subdirectory recursion; -1 enables unlimited recursion. | 0 |
| *splitLongLines* | boolean |Behavior when event messages or event category names cannot be resolved. |When a text line is longer than 128K characters, the format truncates the line and either discards the remaining of the line (when this parameter is set to "false"), or processes the remainder of the line as a new line (when this parameter is set to "true").| false |
| *iCodepage* | integer |Codepage of the text file. | 0 is the system codepage, -1 is UNICODE. | 0 |
Example Input: Monitors all files (recursively) located at C:\Logs1\ matching *.log as a pattern. I.e. C:\Logs1\foo.log, C:\Logs1\Subdir\Log2.log, etc.
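Review bot: the *splitLongLines* Description cell, "Behavior when event messages or event category names cannot be resolved.", is the *msgErrorMode* text from the Windows events table and contradicts the row's own Details cell, which is about lines longer than 128K characters; the new row keeps the wrong text, so change it to something like "Behavior when a text line exceeds 128K characters." In the same Details cell, "discards the remaining of the line" should be "discards the remainder of the line". As in the other hunks, the context line says "configuring WindowsEvents" although *location* is documented as "Path to text file(s) including wildcards", so the intro sentence should name the input format this table actually belongs to.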
@@ -9,15 +9,15 @@ The following parameters are allowed when configuring WindowsEvents.
| Parameter | Type | Description | Legal Values | Default |
| :---------------- |:---------------| :----------------------------------------------------------------------- | :--------------------------- | :-- |
| *source* | property:string |Windows event logs | Application,System,Security | System |
| *binaryFormat* | property:string |Format of the "Data" binary field. | ASC,HEX,PRINT | **ASC** |
| *msgErrorMode* | property:string |Behavior when event messages or event category names cannot be resolved. |NULL,ERROR,MSG | **MSG** |
| *direction* | property:string |Format of the "Data" binary field. | FW,BW | **FW** |
| *stringsSep* | property:string |Separator between values of the "Strings" field. | any string | vertical bar |
| *fullEventCode* | property:bool |Return the full event ID code instead of the friendly code. | true,false | **false** |
| *fullText* | property:bool |Retrieve the full text message | true,false | **true** |
| *resolveSIDS* | property:bool |Resolve SID values into full account names | true,false | **true** |
| *formatMsg* | property:bool |Format the text message as a single line. | true,false | **true** |
| *source* | string |Windows event logs | Application,System,Security | System |
| *binaryFormat* | string |Format of the "Data" binary field. | ASC,HEX,PRINT | **ASC** |
| *msgErrorMode* | string |Behavior when event messages or event category names cannot be resolved. |NULL,ERROR,MSG | **MSG** |
| *direction* | string |Format of the "Data" binary field. | FW,BW | **FW** |
| *stringsSep* | string |Separator between values of the "Strings" field. | any string | vertical bar |
| *fullEventCode* | bool |Return the full event ID code instead of the friendly code. | true,false | **false** |
| *fullText* | bool |Retrieve the full text message | true,false | **true** |
| *resolveSIDS* | bool |Resolve SID values into full account names | true,false | **true** |
| *formatMsg* | bool |Format the text message as a single line. | true,false | **true** |
Example Input:
```json
{
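Review bot: the *direction* row's Description, "Format of the "Data" binary field.", is a copy of the *binaryFormat* row above it and the rewrite keeps it; given the legal values FW,BW the cell should say what the parameter actually controls (presumably the direction in which the event log is read), not repeat the binary-format text. This table also uses the type "bool" for *fullEventCode*, *fullText*, *resolveSIDS* and *formatMsg* while the tables in the other hunks use "boolean"; since the commit is normalizing the Type column anyway, settle on one spelling. Finally, the Default column bolds **ASC**, **MSG**, **FW** and the true/false defaults but not "System" and "vertical bar"; make the emphasis consistent across the rows.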