    Windows Event Log
    • 16 Jun 2025


    Overview

    This Adapter connects to the local Windows Event Log API. It is therefore only available in Windows builds of the adapter and only reads the logs of the host it runs on; it does not connect to remote Windows instances.

    Configurations

    Adapter Type: wel

    • client_options: common configuration for adapter as defined here.

    • evt_sources: a comma separated list of elements in the format SOURCE:FILTER, where SOURCE is an Event Source name like Application, System or Security and FILTER is an XPath filter value as described in the documentation linked below.

    Infrastructure as Code Deployment

    # Windows Event Log (WEL) Specific Docs: https://docs.limacharlie.io/docs/adapter-types-windows-event-log
    
    
    sensor_type: "wel"
    wel:
      # (required) A comma separated list of elements in the format SOURCE:FILTER,
      # where SOURCE is an Event Log name like Application, System, Security or a full .evtx file path.
      # FILTER is an optional XPath query.
      evt_sources: "Security:'*[System[(Level=1 or Level=2 or Level=3)]]', System, Application:%SystemRoot%\\System32\\Winevt\\Logs\\Application.evtx:'*[System[Provider[@Name=\"Microsoft-Windows-ApplicationError\"]]]'"
      write_timeout_sec: 10 # (optional) Timeout in seconds for writing data. e.g., 10 or null.
      client_options:
        identity:
          oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
          installation_key: "YOUR_LC_INSTALLATION_KEY_WEL" # (required) Installation key associated with the OID.
        # For WEL, hostname is critically important as it identifies the source machine.
        # It's often derived from the actual host the adapter runs on but can be overridden.
        hostname: "prod-dc01.example.local" # (required) A unique hostname for this sensor instance (e.g., the actual Windows hostname).
        platform: "windows" # (required) The platform of the sensor must be "windows".
        architecture: "x86_64" # (optional) The architecture of the Windows host. e.g., "x86_64", "arm64".
        mapping:
          # WEL events are converted to JSON by LimaCharlie's sensor/adapter, so parsing_re is usually null.
          parsing_re: null
          # (optional) LimaCharlie typically creates a unique ID like 'winlog.event_id_record_id_pair'.
          sensor_key_path: "winlog.event_id_record_id_pair"
          # (optional) If client_options.hostname is NOT static or needs to be derived differently (rare for WEL adapter).
          sensor_hostname_path: null # Typically, client_options.hostname is the authority for WEL.
          # (optional) Example: "WEL_SECURITY_4624", "WEL_SYSTEM_1074".
          event_type_path: "WEL_{{ .winlog.channel | token | upper }}_{{ .winlog.event_id }}"
          # (optional) LimaCharlie standard field for WEL event timestamp.
          event_time_path: "winlog.timestamp"
          # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
          investigation_id_path: "winlog.event_data.TicketOptions" # Example for a specific Kerberos event.
          # (optional) Use +/- syntax for transforms.
          transform:
            "+log_source_type": "WindowsEventLog"
            "+event_log_channel": "{{ .winlog.channel }}"
            "+provider_guid": "{{ .winlog.provider_guid }}"
            # Example: Create a summary field for logon events
            # This requires careful crafting based on actual event data and available template functions.
            # "+logon_summary": "{{ if eq .winlog.event_id 4624 }}User {{ .winlog.event_data.TargetUserName }} logged on from {{ .winlog.event_data.IpAddress }}{{ end }}"
            "-winlog.task_name": null # Remove if task_name is not needed
          # (optional) A list of field paths to drop from the event.
          drop_fields:
          - "winlog.user_data" # Can be very verbose if not specifically needed
          - "winlog.original_xml" # If the parsed JSON is sufficient
          # (optional) JSON path to a field containing a Windows SID to replicate to other SID fields in LimaCharlie.
          sid_replication_path: "winlog.event_data.TargetUserSid" # Common for many security events.
        # mappings: null
        indexing:
          enabled: true
          default_index: "wel-{{ .winlog.channel | lower | default \"data\" }}-{{ .identity.oid | substr 0 8 }}" # Example: index by channel and org
        is_compressed: false # (optional) Data is collected locally, not typically compressed before ingestion by this adapter.
        sensor_seed_key: "SEED_KEY_WEL_ADAPTER_001" # (required) A unique key for this sensor to register with LimaCharlie.
        dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
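    Before committing an evt_sources value to the configuration above, it is worth dry-running each SOURCE:FILTER pair against the local log, since a mistyped XPath only surfaces as missing events once the adapter is deployed. The PowerShell function below is an added example, not code from the LimaCharlie documentation: it uses the built-in Get-WinEvent cmdlet with -FilterXPath to exercise the same three entries shown in the YAML, and separates a filter that fails to parse from one that is valid but currently matches nothing. The function name Test-WelSource and the result fields are assumptions of this example. It assumes an elevated PowerShell session on the Windows host that will run the adapter, because reading the Security log requires administrator rights.

```powershell
# Added example (not from the LimaCharlie docs): dry-run evt_sources entries
# against the local event log with Get-WinEvent before deploying them.
# Assumes an elevated PowerShell session on the adapter host.

function Test-WelSource {
    param(
        [Parameter(Mandatory)] [string] $Source,   # channel name (Security, System, ...) or a .evtx file path
        [string] $Filter = '*',                     # XPath filter; '*' means no filtering
        [int] $MaxEvents = 5                        # how many matching events to pull as a sample
    )

    $params = @{ FilterXPath = $Filter; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($Source -like '*.evtx') {
        # A full .evtx path is read with -Path; expand %SystemRoot% style variables first.
        $params['Path'] = [Environment]::ExpandEnvironmentVariables($Source)
    } else {
        $params['LogName'] = $Source
    }

    try {
        $events = @(Get-WinEvent @params)
        [pscustomobject]@{ Source = $Source; Filter = $Filter; Status = 'OK'; Sample = $events.Count }
    } catch {
        # Get-WinEvent raises an error both for an XPath it cannot parse and when
        # nothing matches; tell them apart so a tight but valid filter is not mistaken for a typo.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            [pscustomobject]@{ Source = $Source; Filter = $Filter; Status = 'VALID_NO_MATCH'; Sample = 0 }
        } else {
            [pscustomobject]@{ Source = $Source; Filter = $Filter; Status = "ERROR: $($_.Exception.Message)"; Sample = 0 }
        }
    }
}

# The three entries from the evt_sources example above, split into (source, filter) pairs.
$sources = @(
    @{ Source = 'Security'; Filter = '*[System[(Level=1 or Level=2 or Level=3)]]' },
    @{ Source = 'System';   Filter = '*' },
    @{ Source = '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
       Filter = '*[System[Provider[@Name="Microsoft-Windows-ApplicationError"]]]' }
)

foreach ($s in $sources) { Test-WelSource @s } | Format-Table -AutoSize
```

    A Status of OK with a non-zero Sample confirms both the channel name and the XPath; VALID_NO_MATCH means the filter parsed but nothing in the log currently satisfies it, which is normal for narrow filters on a quiet host; any ERROR line points at a channel that does not exist, a path that cannot be opened, or an XPath that the Event Log API rejects, and is exactly what the adapter would silently fail on.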

    API Doc

    See the official documentation.
