Server : Apache System : Linux cs317.bluehost.com 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64 User : andertr9 ( 1047) PHP Version : 8.2.18 Disable Function : NONE Directory : /usr/share/nxlog-ce/ |
Upload File : |
<fields> <module>im_msvistalog</module> <field> <name>raw_event</name> <type>string</type> <persist>FALSE</persist> <description> <en> A string containing the EventTime, Hostname, Severity, EventID, and Message from the event. </en> </description> </field> <field> <name>Message</name> <type>string</type> <persist>FALSE</persist> <lookup>FALSE</lookup> <description> <en> The message from the event. </en> </description> </field> <field> <name>EventTime</name> <type>datetime</type> <persist>TRUE</persist> <description> <en> The EvtSystemTimeCreated field. </en> </description> </field> <field> <name>Hostname</name> <type>string</type> <persist>TRUE</persist> <lookup>TRUE</lookup> <description> <en> The EvtSystemComputer field. </en> </description> </field> <field> <name>SourceName</name> <type>string</type> <persist>TRUE</persist> <description> <en> The event source which produced the event, from the EvtSystemProviderName field. </en> </description> </field> <field> <name>EventID</name> <type>integer</type> <persist>TRUE</persist> <description> <en> The event ID (specific to the event source) from the EvtSystemEventID field. </en> </description> </field> <field> <name>Task</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The task number from the EvtSystemTask field. </en> </description> </field> <field> <name>Category</name> <type>string</type> <persist>TRUE</persist> <description> <en> The category name resolved from Task. </en> </description> </field> <field> <name>Keywords</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The value of the Keywords field from EvtSystemKeywords. </en> </description> </field> <field> <name>Channel</name> <type>string</type> <persist>TRUE</persist> <lookup>TRUE</lookup> <description> <en> The Channel of the event source (for example, `Security` or `Application`). </en> </description> </field> <field> <name>AccountName</name> <type>string</type> <persist>TRUE</persist> <lookup>TRUE</lookup> <description> <en> The username associated with the event. </en> </description> </field> <field> <name>AccountType</name> <type>string</type> <persist>TRUE</persist> <lookup>TRUE</lookup> <description> <en> The type of the account. Possible values are: `User`, `Group`, `Domain`, `Alias`, `Well Known Group`, `Deleted Account`, `Invalid`, `Unknown`, and `Computer`. </en> </description> </field> <field> <name>Domain</name> <type>string</type> <persist>TRUE</persist> <lookup>TRUE</lookup> <description> <en> The domain name of the user. </en> </description> </field> <field> <name>UserID</name> <type>string</type> <persist>FALSE</persist> <lookup>TRUE</lookup> <description> <en> The Security Identifier (SID) which resolves to <<im_msvistalog_field_AccountName,$AccounteName>>, stored in EvtSystemUserID. </en> </description> </field> <field> <name>SeverityValue</name> <type>integer</type> <persist>TRUE</persist> <description> <en> The normalized severity number of the event, mapped as follows. [cols="2", options="header,autowidth"] |=== |Event Log Severity |Normalized Severity |0/Audit Success |2/INFO |0/Audit Failure |4/ERROR |1/Critical |5/CRITICAL |2/Error |4/ERROR |3/Warning |3/WARNING |4/Information |2/INFO |5/Verbose |1/DEBUG |=== </en> </description> </field> <field> <name>Severity</name> <type>string</type> <persist>TRUE</persist> <description> <en> The normalized severity name of the event. See <<im_msvistalog_field_SeverityValue,$SeverityValue>>. </en> </description> </field> <field> <name>EventType</name> <type>string</type> <persist>TRUE</persist> <lookup>TRUE</lookup> <description> <en> The type of the event, which is a string describing the severity. This is translated to its string representation from EvtSystemLevel. Possible values are: `CRITICAL`, `ERROR`, `AUDIT_FAILURE`, `AUDIT_SUCCESS`, `INFO`, `WARNING`, and `VERBOSE`. </en> </description> </field> <field> <name>ProviderGuid</name> <type>string</type> <persist>FALSE</persist> <lookup>TRUE</lookup> <description> <en> The globally unique identifier of the event's provider as stored in EvtSystemProviderGuid. This corresponds to the name of the provider in the <<im_msvistalog_field_SourceName,$SourceName>> field. </en> </description> </field> <field> <name>Version</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The Version number of the event as in EvtSystemVersion. </en> </description> </field> <field> <name>OpcodeValue</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The Opcode number of the event as in EvtSystemOpcode. </en> </description> </field> <field> <name>Opcode</name> <type>string</type> <persist>TRUE</persist> <description> <en> The Opcode string resolved from OpcodeValue. </en> </description> </field> <field> <name>ActivityID</name> <type>string</type> <persist>FALSE</persist> <lookup>TRUE</lookup> <description> <en> A globally unique identifier for the current activity, as stored in EvtSystemActivityID. </en> </description> </field> <field> <name>RelatedActivityID</name> <type>string</type> <persist>FALSE</persist> <lookup>TRUE</lookup> <description> <en> The RelatedActivityID as stored in EvtSystemRelatedActivityID. </en> </description> </field> <field> <name>ProcessID</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The process identifier of the event producer as in EvtSystemProcessID. </en> </description> </field> <field> <name>ThreadID</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The thread identifier of the event producer as in EvtSystemThreadID. </en> </description> </field> <field> <name>RecordNumber</name> <type>integer</type> <persist>FALSE</persist> <description> <en> The number of the event record. </en> </description> </field> </fields>