Windows Event Logs
  • 04 Oct 2024


This example shows how to collect Windows Event Logs (wel) natively from a Windows host. Because collection is native, it is only available using the Windows Adapter. This is useful when you want to collect WEL without running the LimaCharlie Windows Agent.

./lc_adapter wel client_options.identity.installation_key=e9a3bcdf-efa2-47ae-b6df-579a02f3a54d client_options.identity.oid=8cbe27f4-bfa1-4afb-ba19-138cd51389cd client_options.sensor_seed_key=domain-controller1 client_options.platform=wel "evt_sources=security:*,application:*,system:*,Microsoft-Windows-Windows Defender/Operational:*"

The evt_sources argument is quoted because the Windows Defender channel name contains a space; unquoted, the shell would split it into two arguments.

Here's a breakdown of the above example:

  • lc_adapter: simply the CLI Adapter.

  • wel: the method the Adapter should use to collect data locally. The wel value will use a native local Windows Event Logs subscription.

  • client_options.identity.installation_key=....: the Installation Key value from LimaCharlie.

  • client_options.identity.oid=....: the LimaCharlie Organization ID that the Installation Key above belongs to.

  • client_options.platform=wel: this indicates the type of data that will be received from this adapter. In this case it's wel events.

  • client_options.sensor_seed_key=....: this is the value that identifies this instance of the Adapter. Record it to re-use the Sensor ID generated for this Adapter later if you have to re-install the Adapter.

  • evt_sources=....: a comma-separated list of event channels to collect, along with an XPath filter expression for each. The format is CHANNEL_NAME:FILTER_EXPRESSION, where a filter of * means all events. Common channels: security, system and application.
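
A pre-flight check for an evt_sources value, as an added example that is not LimaCharlie code: it confirms each channel exists on the host and that its XPath filter is accepted by the Windows Event Log service before the Adapter is started. The function name Test-EvtSources is hypothetical, and the splitting rule (commas between entries, first colon between channel and filter) is an assumption based on the format described above.

```powershell
# Added example, not part of the Adapter. Run from an elevated prompt:
# the Security channel is not readable by a standard user.
function Test-EvtSources {
    param([Parameter(Mandatory)][string]$EvtSources)

    # Assumption: entries are comma separated, and each entry is
    # CHANNEL_NAME:FILTER_EXPRESSION split on its first colon.
    foreach ($entry in $EvtSources -split ',') {
        $channel, $filter = $entry -split ':', 2
        $r = [ordered]@{ Channel = $channel; Filter = $filter
                         Exists = $false; FilterValid = $false; Note = '' }

        if ([string]::IsNullOrWhiteSpace($channel) -or
            [string]::IsNullOrWhiteSpace($filter)) {
            $r.Note = 'entry is not CHANNEL_NAME:FILTER_EXPRESSION'
            [pscustomobject]$r
            continue
        }

        # Does the channel exist on this host, and is it enabled?
        $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
        if (-not $log) {
            $r.Note = 'channel not found'
            [pscustomobject]$r
            continue
        }
        $r.Exists = $true
        if (-not $log.IsEnabled) { $r.Note = 'channel is disabled' }

        # Does the XPath filter parse? Read at most one event to find out.
        try {
            Get-WinEvent -LogName $channel -FilterXPath $filter `
                -MaxEvents 1 -ErrorAction Stop | Out-Null
            $r.FilterValid = $true
        } catch {
            # A valid query that matches nothing is still a valid filter.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                $r.FilterValid = $true
            } else {
                $r.Note = $_.Exception.Message
            }
        }
        [pscustomobject]$r
    }
}

# The evt_sources value from the command above.
Test-EvtSources 'security:*,application:*,system:*,Microsoft-Windows-Windows Defender/Operational:*' |
    Format-Table -AutoSize
```

A row with Exists or FilterValid set to False identifies a source worth checking before relying on the Adapter for that channel.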

