@ryanfaircloth
Last active August 18, 2023 15:08
logscale-windows
sources:
  infra_os_windows_security:
    type: wineventlog
    ## Add other channels by simply adding additional "name" lines.
    ## The following command can be used to find other channels:
    ## Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object -Property RecordCount -Descending
    channels:
      - name: Security
      - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
      - name: Microsoft-Windows-TerminalServices-Gateway/Operational
      - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
      - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
      - name: Microsoft-Windows-TerminalServices-Printers/Operational
      - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
      - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
      - name: Microsoft-Windows-TerminalServices-SessionBroker/Operational
      - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
      - name: Microsoft-Windows-Time-Service/Operational
    ## You can manually specify a parser to be used here.
    ## This overrides the parser specified in the LogScale UI.
    #parser: myparser
    includeXML: false
    sink: infra_os_windows_security
    # parser: wineventlog
  infra_os_windows_powershell:
    type: wineventlog
    ## Add other channels by simply adding additional "name" lines.
    ## The following command can be used to find other channels:
    ## Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object -Property RecordCount -Descending
    channels:
      - name: Windows PowerShell
      ## Script block logging (event 4104) and module logging (event 4103) are written to
      ## Microsoft-Windows-PowerShell/Operational, not to the classic "Windows PowerShell" channel.
      ## Add that channel here if those audit policies are enabled and you want the events in LogScale.
    ## You can manually specify a parser to be used here.
    ## This overrides the parser specified in the LogScale UI.
    #parser: myparser
    includeXML: false
    sink: infra_os_windows_security
    # parser: wineventlog
  infra_os_windows_members:
    type: wineventlog
    ## Add other channels by simply adding additional "name" lines.
    ## The following command can be used to find other channels:
    ## Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object -Property RecordCount -Descending
    channels:
      - name: Application
        ## excludeEventIDs filters on the numeric ID for every provider writing to the channel,
        ## so confirm which provider's event 11 you are dropping before relying on this.
        excludeEventIDs: [ 11 ]
      - name: System
    ## You can manually specify a parser to be used here.
    ## This overrides the parser specified in the LogScale UI.
    #parser: myparser
    includeXML: false
    sink: infra_os_windows_members
  infra_os_windows_dcs:
    type: wineventlog
    ## Add other channels by simply adding additional "name" lines.
    ## The following command can be used to find other channels:
    ## Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object -Property RecordCount -Descending
    channels:
      - name: DFS Replication
      - name: Directory Service
      - name: DNS Server
      - name: Microsoft-Windows-DirectoryServices-Deployment/Operational
      - name: Microsoft-Windows-DNSServer/Audit
    ## You can manually specify a parser to be used here.
    ## This overrides the parser specified in the LogScale UI.
    #parser: myparser
    includeXML: false
    ## Domain controller logs go to their own sink (defined below) so they can carry
    ## a separate ingest token and land in a separate repository.
    sink: infra_os_windows_dcs
sinks:
  infra_os_windows_security:
    type: humio
    ## Ingest token for the target LogScale repository. It is a credential: keep this file
    ## readable only by the account the collector service runs as.
    token:
    ## Change the URL if needed to reflect your LogScale URL.
    url:
    ## Keep this option as "none" unless you actually need a proxy; it must be "none" if Fleet Management is enabled.
    proxy: none
    ## Uncomment the TLS option only if you are using a self-signed certificate. It disables
    ## server certificate verification entirely; trusting the issuing certificate on the host is the safer fix.
    #tls:
    #  insecure: true
    ## This increases the maximum single event size to 8 MB. You can change as needed.
    maxEventSize: 8388608
  infra_os_windows_members:
    type: humio
    ## Ingest token for the target LogScale repository. It is a credential: keep this file
    ## readable only by the account the collector service runs as.
    token:
    ## Change the URL if needed to reflect your LogScale URL.
    url:
    ## Keep this option as "none" unless you actually need a proxy; it must be "none" if Fleet Management is enabled.
    proxy: none
    ## Uncomment the TLS option only if you are using a self-signed certificate. It disables
    ## server certificate verification entirely; trusting the issuing certificate on the host is the safer fix.
    #tls:
    #  insecure: true
    ## This increases the maximum single event size to 8 MB. You can change as needed.
    maxEventSize: 8388608
  infra_os_windows_dcs:
    type: humio
    ## Ingest token for the target LogScale repository. It is a credential: keep this file
    ## readable only by the account the collector service runs as.
    token:
    ## Change the URL if needed to reflect your LogScale URL.
    url:
    ## Keep this option as "none" unless you actually need a proxy; it must be "none" if Fleet Management is enabled.
    proxy: none
    ## Uncomment the TLS option only if you are using a self-signed certificate. It disables
    ## server certificate verification entirely; trusting the issuing certificate on the host is the safer fix.
    #tls:
    #  insecure: true
    ## This increases the maximum single event size to 8 MB. You can change as needed.
    maxEventSize: 8388608

sources:
  infra_os_windows_security:
    type: wineventlog
    ## Add other channels by simply adding additional "name" lines.
    ## The following command can be used to find other channels:
    ## Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object -Property RecordCount -Descending
    channels:
      - name: Security
      - name: Windows PowerShell
      ## Script block logging (event 4104) and module logging (event 4103) are written to
      ## Microsoft-Windows-PowerShell/Operational, not to the classic "Windows PowerShell" channel.
      ## Add that channel here if those audit policies are enabled and you want the events in LogScale.
      - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
      - name: Microsoft-Windows-TerminalServices-Gateway/Operational
      - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
      - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
      - name: Microsoft-Windows-TerminalServices-Printers/Operational
      - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
      - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
      - name: Microsoft-Windows-TerminalServices-SessionBroker/Operational
      - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
      - name: Microsoft-Windows-Time-Service/Operational
    ## You can manually specify a parser to be used here.
    ## This overrides the parser specified in the LogScale UI.
    #parser: myparser
    includeXML: false
    sink: infra_os_windows_security
    # parser: wineventlog
  infra_os_windows_members:
    type: wineventlog
    ## Add other channels by simply adding additional "name" lines.
    ## The following command can be used to find other channels:
    ## Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object -Property RecordCount -Descending
    channels:
      - name: Application
        ## excludeEventIDs filters on the numeric ID for every provider writing to the channel,
        ## so confirm which provider's event 11 you are dropping before relying on this.
        excludeEventIDs: [ 11 ]
      - name: System
      - name: Remote-Desktop-Management-Service/Operational
      - name: Microsoft-Windows-RemoteApp and Desktop Connection Management/Operational
      - name: Microsoft-Windows-RemoteApp and Desktop Connections/Operational
      - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
      - name: Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
    ## You can manually specify a parser to be used here.
    ## This overrides the parser specified in the LogScale UI.
    #parser: myparser
    includeXML: false
    sink: infra_os_windows_members
sinks:
  infra_os_windows_security:
    type: humio
    ## Ingest token for the target LogScale repository. It is a credential: keep this file
    ## readable only by the account the collector service runs as.
    token:
    ## Change the URL if needed to reflect your LogScale URL.
    url:
    ## Keep this option as "none" unless you actually need a proxy; it must be "none" if Fleet Management is enabled.
    proxy: none
    ## Uncomment the TLS option only if you are using a self-signed certificate. It disables
    ## server certificate verification entirely; trusting the issuing certificate on the host is the safer fix.
    #tls:
    #  insecure: true
    ## This increases the maximum single event size to 8 MB. You can change as needed.
    maxEventSize: 8388608
  infra_os_windows_members:
    type: humio
    ## Ingest token for the target LogScale repository. It is a credential: keep this file
    ## readable only by the account the collector service runs as.
    token:
    ## Change the URL if needed to reflect your LogScale URL.
    url:
    ## Keep this option as "none" unless you actually need a proxy; it must be "none" if Fleet Management is enabled.
    proxy: none
    ## Uncomment the TLS option only if you are using a self-signed certificate. It disables
    ## server certificate verification entirely; trusting the issuing certificate on the host is the safer fix.
    #tls:
    #  insecure: true
    ## This increases the maximum single event size to 8 MB. You can change as needed.
    maxEventSize: 8388608
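The comments in both configs point at Get-WinEvent -ListLog for discovering channels. The script below is an added example, not part of the gist: it reads every "- name:" channel out of a collector config file, checks that each channel exists and is enabled on the host it runs on, and prints record counts so you can judge volume before wiring a channel to a sink. A channel that is missing or disabled produces nothing at the sink without any error in LogScale, which is exactly the gap you want to catch before rollout. The default config path and the script name are assumptions; adjust them to your install.

```powershell
# Test-CollectorChannels.ps1 (hypothetical name; added example, not the gist's own code).
# Verifies the Windows Event Log channels named in a LogScale Collector config exist
# and are enabled on this host, and reports how many records each currently holds.
param(
    # Assumed install location; point this at your actual collector config.
    [string]$ConfigPath = "$env:ProgramFiles\CrowdStrike\Humio Log Collector\config.yaml"
)

# Pull channel names straight out of the YAML. The wineventlog channel list is flat,
# so a line match on "- name: <channel>" is enough; no YAML parser is required.
$wanted = Get-Content -Path $ConfigPath |
    ForEach-Object { if ($_ -match '^\s*-\s*name:\s*(.+?)\s*$') { $Matches[1] } } |
    Sort-Object -Unique

# Enumerate every log the host knows about once and index by name. Some logs throw
# access errors for non-admin callers, hence SilentlyContinue.
$logs = @{}
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    ForEach-Object { $logs[$_.LogName] = $_ }

# One row per configured channel: does it exist, is it on, and how busy is it.
$report = foreach ($name in $wanted) {
    $log = $logs[$name]
    [pscustomobject]@{
        Channel     = $name
        Exists      = [bool]$log
        Enabled     = if ($log) { $log.IsEnabled }     else { $false }
        RecordCount = if ($log) { $log.RecordCount }   else { 0 }
        LastWrite   = if ($log) { $log.LastWriteTime } else { $null }
    }
}

$report | Sort-Object RecordCount -Descending | Format-Table -AutoSize

# Missing or disabled channels silently yield no events at the sink; surface them
# so the config (or the host's audit policy) is fixed before deployment.
$problems = $report | Where-Object { -not $_.Exists -or -not $_.Enabled }
if ($problems) {
    Write-Warning ("Missing or disabled channels: " + ($problems.Channel -join ', '))
    exit 1
}
```

Run it as an administrator on a representative host of each role (member server, RDS host, domain controller). A channel that exists but is disabled can be turned on with `wevtutil sl "<channel>" /e:true`; a channel that does not exist at all usually means the role that provides it (DNS Server, Directory Service, Remote Desktop Services) is not installed on that host, which is why the configs above split channels per role rather than collecting everything everywhere.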