Windows Event Logs
This example shows collecting Windows Event Logs (wel) from a Windows box natively (and therefore is only available using the Windows Adapter). This is useful for cases where you'd like to collect WEL without running the LimaCharlie Windows Agent.
Note: This example uses PowerShell backtick (`) line continuation. On Linux/macOS shells, use backslash (\) instead.
.\lc_adapter.exe wel client_options.identity.installation_key=e9a3bcdf-efa2-47ae-b6df-579a02f3a54d `
client_options.identity.oid=8cbe27f4-bfa1-4afb-ba19-138cd51389cd `
client_options.sensor_seed_key=domain-controller1 `
client_options.hostname=domain-controller1 `
client_options.platform=wel `
"evt_sources=security:*,application:*,system:*,Microsoft-Windows-Windows Defender/Operational:*"
Here's a breakdown of the above example:
- wel: the method the Adapter should use to collect data locally. The wel value will use a native local Windows Event Logs subscription.
- client_options.identity.installation_key=....: the Installation Key value from LimaCharlie.
- client_options.identity.oid=....: the Organization ID from LimaCharlie that the installation key above belongs to.
- client_options.platform=wel: this indicates the type of data that will be received from this adapter. In this case it's wel events.
- client_options.sensor_seed_key=....: this is the value that identifies this instance of the Adapter. Record it to re-use the Sensor ID generated for this Adapter later if you have to re-install the Adapter.
- client_options.hostname=....: specifies the sensor hostname for the adapter.
- evt_sources=....: a comma separated list of event channels to collect along with an XPath filter expression for each. The format is CHANNEL_NAME:FILTER_EXPRESSION where a filter of * means all events. Common channels: security, system and application.
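As an added example (not from the LimaCharlie docs or the Adapter itself), the PowerShell script below checks each channel and XPath filter against the local host before building evt_sources and launching the Adapter, so a mistyped channel or filter fails here rather than silently producing no events. It assumes the Adapter's filter is the same XPath dialect that Get-WinEvent -FilterXPath accepts; the channel/filter pairs, event IDs, placeholder key values and the Test-EvtSource helper are illustrative choices, and the script expects to be run elevated so the Security log is readable.

```powershell
# Added example, not part of the LimaCharlie docs: validate each channel and
# XPath filter on the local host, then build evt_sources and start the Adapter.
# Run from an elevated PowerShell so the Security log is readable.

$InstallationKey = '<INSTALLATION_KEY>'   # placeholder: your LimaCharlie Installation Key
$Oid             = '<ORGANIZATION_ID>'    # placeholder: the Organization ID the key belongs to
$SeedKey         = $env:COMPUTERNAME      # identifies this Adapter instance; record it

# Channel -> filter. '*' keeps everything; an XPath expression (assumed to be the
# dialect Get-WinEvent -FilterXPath accepts) keeps a subset. Event IDs here are
# illustrative: logon success/failure, process creation, Defender detections.
$Sources = [ordered]@{
    'Security'                                       = '*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]'
    'System'                                         = '*'
    'Application'                                    = '*'
    'Microsoft-Windows-Windows Defender/Operational' = '*[System[(EventID=1116 or EventID=1117)]]'
}

function Test-EvtSource {
    param([string]$Channel, [string]$Filter)
    # evt_sources is comma separated, so a comma inside a filter would be
    # parsed as the start of another CHANNEL_NAME:FILTER_EXPRESSION pair.
    if ($Filter -match ',') { throw "Filter for '$Channel' must not contain a comma" }
    if (-not (Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)) {
        throw "Channel '$Channel' does not exist on this host"
    }
    if ($Filter -eq '*') { return }
    # Run the XPath once locally. Zero matching events is acceptable; any other
    # error means the XPath is malformed (message match assumes English text).
    $null = Get-WinEvent -LogName $Channel -FilterXPath $Filter -MaxEvents 1 `
        -ErrorAction SilentlyContinue -ErrorVariable evtErr
    if ($evtErr.Count -gt 0 -and $evtErr[0].Exception.Message -notmatch 'No events were found') {
        throw "Invalid XPath for '$Channel': $($evtErr[0].Exception.Message)"
    }
}

foreach ($entry in $Sources.GetEnumerator()) { Test-EvtSource $entry.Key $entry.Value }

# Assemble the evt_sources value in the CHANNEL_NAME:FILTER_EXPRESSION,... form.
$EvtSources = ($Sources.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ','

# Quote the argument: the Defender channel name contains a space.
& .\lc_adapter.exe wel `
    "client_options.identity.installation_key=$InstallationKey" `
    "client_options.identity.oid=$Oid" `
    "client_options.sensor_seed_key=$SeedKey" `
    "client_options.hostname=$env:COMPUTERNAME" `
    client_options.platform=wel `
    "evt_sources=$EvtSources"
```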