Working NXLog Configuration File – OSSIM
Please find below the links to working configuration files used in the video titled “Overview of OSSIM Web Console – Installation of NXLog”
- Nxlog Configuration File Code
#
# NXLog configuration for converting and sending Windows logs to AlienVault
# USM Appliance. Both Community and Enterprise Editions of NXLog are supported.
#
# Version: 0.1.0
# Last modification: 2019-07-03
#
#
# Core features:
# - only forward specific Windows event IDs
# - only forward logs collected via WinRM
# - protect against event storms
# - transform messages to a "common" CSV format for AV
#
# 20140711 - tested for windows 2008r2
# 20140714 - tested for windows 2012r2
#
#
# Configuration available:
# - NXLOG
# - CLAMWIN-NXLOG
# - DHCP-NXLOG
# - DNS-NXLOG
# - EXCHANGE-NXLOG
# - FTP-NXLOG
# - IIS-NXLOG
# - IIS-SMTP-NXLOG
# - MSSQL-NXLOG
# - NETWRIX-NXLOG
# - NPS-NXLOG
# - OBSERVEIT-NXLOG
# - ORACLE-NXLOG
# - SCOM-NXLOG
# - SECUREAUTH-NXLOG
# - SOPHOSEC-NXLOG
# - SYSMON-NXLOG
# - WINDOWS-FW-NXLOG
# - WINGFTP-NXLOG
#
#
# Common values:
#
# Uncomment the proper path depending on whether your NXLog is the 32-bit or 64-bit version
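#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define LOGFILE %ROOT%\data\nxlog.log
# Destination shared by every om_udp output in this file (the USM Appliance
# sensor). om_udp sends events in cleartext with no authentication and no
# delivery confirmation, so this path belongs on a trusted management
# network; NXLog's om_ssl module is the option if the collector offers TLS.
define OUTPUT_DESTINATION_ADDRESS 192.168.49.125
define OUTPUT_DESTINATION_PORT 514
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# Reuse the LOGFILE define above so the log path is maintained in one place
# (it expands to the same %ROOT%\data\nxlog.log that was hard-coded here).
LogFile %LOGFILE%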
##############################################################################################
#### NXLOG #####
#### Uncomment the following lines for Windows Security and Application log forwarding #####
##############################################################################################
#
# Extensions:
#
# Support character conversions:
#<Extension charconv>
# Module xm_charconv
#</Extension>
#
# Inputs:
#
# This nxlog servers heartbeat:
# MarkInterval defines the interval in minutes of the heartbeat-messages.
# Mark defines the text which is sent.
<Input in_nxlog_heartbeat>
Module im_mark
# One heartbeat every 10 minutes, so the collector can distinguish a quiet
# host from an agent that has stopped sending.
MarkInterval 10
Mark The nxlog service is alive.
# Dress the heartbeat up as a Windows Application event with a synthetic
# EventID (8347) so it passes through the same CSV transform as real events
# in out_alienvault_nxlog_csv.
Exec $EventType = 'Application'; $Channel = 'nxlog-ce'; $EventID = 8347;
</Input>
## Eventstorm warning message:
## The module im_internal forwards internal log messages.
<Input in_nxlog_internal>
Module im_internal
# Forward only the event-storm warning; every other internal message is dropped.
# NOTE(review): the log_warning("Eventstorm detected.") that produces this
# message lives in the commented-out storm handler inside out_alienvault_csv,
# so while that block stays disabled nothing ever passes this filter.
Exec if not ($Message == "Eventstorm detected.") drop();
# Present it as an Application event with synthetic EventID 8103 for the AV side.
Exec $EventType = 'Application'; $Channel = 'nxlog-ce'; $EventID = 8103;
</Input>
# Windows event log:
<Input in_windows_events>
Module im_msvistalog
# No read position is persisted and collection starts at the newest record on
# every start, so events logged while the service was stopped are never
# forwarded. This trades completeness for not replaying a backlog on restart.
SavePos FALSE
ReadFromLast TRUE
# Limit the log forwarding to collected events (this is the variant the
# header's "only forward logs collected via WinRM" feature refers to; the
# active query below reads the local channels instead):
#Query <QueryList> \
# <Query Id='0' Path='ForwardedEvents'> \
# <Select Path='ForwardedEvents'>*</Select> \
# </Query> \
# </QueryList>
# Active query: every record of the four channels below. Per-EventID
# filtering happens later in match_events / patterndb.xml, not in the XPath.
# NOTE: the Sysmon channel is collected here already; enabling the
# SYSMON-NXLOG section further down as well would read it a second time and
# forward matching events through both routes.
Query <QueryList> \
<Query Id="0"> \
<Select Path="Security">*</Select> \
<Select Path="System">*</Select> \
<Select Path="Application">*</Select> \
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
</Query> \
</QueryList>
</Input>
##
## Transformation:
##
## Custom CSV format for nxlog and sysmon-nxlog plugin.
<Extension transform_alienvault_csv>
Module xm_csv
# Column order of the CSV produced by to_csv() in the outputs: 25 fields, all
# typed string. FieldTypes must stay in lockstep with Fields whenever either
# list changes, or the columns shift for the AV parser.
Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $AccountName, $AccountType, $Domain, $Message, $Task, $Category, $Keywords, $UserID, $SeverityValue, $ProviderGuid, $Version, $OpcodeValue, $Opcode, $ActivityID, $RelatedActivityID, $ProcessID, $ThreadID, $RecordNumber
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Semicolon-separated; the outputs strip tabs and line breaks from $Message
# before calling to_csv().
Delimiter ;
</Extension>
##
## Filters:
##
## Match events by Windows event ID.
## This sets $PatternID in case it matches.
<Processor match_events>
Module pm_pattern
# patterndb.xml holds one <pattern> per forwarded EventID; on an exact match
# its <exec> sets $PatternID. Events with no matching pattern keep $PatternID
# undefined and are dropped in out_alienvault_csv, so the pattern file is the
# allow-list of event IDs that leave this host.
PatternFile %ROOT%\conf\patterndb.xml
</Processor>
##
## Outputs:
##
## Process and forward Windows logs:
<Output out_alienvault_csv>
Module om_udp
# Plain UDP to the USM Appliance: no encryption, authentication or delivery
# confirmation, so a dropped datagram is a silently lost event.
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
# Convert the event timestamp to whole epoch seconds (presumably integer() of
# a datetime yields microseconds, hence the division — confirm against the
# NXLog reference for the installed version).
Exec $EventTime = integer($EventTime) / 1000000;
# If the EventID doesn't exist in 'patterndb.xml' it gets dropped:
# ($PatternID is only ever set by the match_events processor on a match.)
Exec if not defined $PatternID or not defined $Message { drop(); }
#Exec if not defined $Message { drop(); }
# # Eventstorm handling:
# # (Currently commented out. The "protect against event storms" feature in the
# # file header and the "Eventstorm detected." filter in in_nxlog_internal both
# # depend on this block; the 200 EPS threshold is hard-coded below.)
# # While nxlog processes more than 200 events per second (EPS) it drops all windows logs.
# # If the rate in the next second is lower than 200 EPS it stops dropping.
# # If a new eventstorm is detected it sends a warning and if the storm lasts longer than a minute it sends a warning every minute
# #
# # Variables:
# # rate: this variable is used to count the events and gets reset every second
# # stormed: this variable is '1' if there was an eventstorm a second before else '0'
# # sec: this variable has a lifetime of one second and is used to calculate the rate (EPS)
# # warning: this variable has a lifetime of 60 seconds and is used to limit the eventstorm-warnings to one per minute
# Exec \
# {\
# if not defined get_var('rate') { create_var('rate'); set_var('rate',1); }\
# if not defined get_var('stormed'){ create_var('stormed',2); set_var('stormed',0); set_var('rate',1); }\
# set_var('rate',get_var('rate')+1);\
# if not defined get_var('sec')\
# {\
# create_var('sec',1);\
# set_var('sec',1);\
# if get_var('rate') >= 200 { delete_var('stormed'); create_var('stormed',2); set_var('stormed',1); set_var('rate',1); drop(); } else { set_var('stormed',0); set_var('rate',1); }\
# }\
# else if get_var('stormed') == 1\
# {\
# drop();\
# }\
# if get_var('rate') >= 200\
# {\
# if not defined get_var('warning')\
# {\
# log_warning("Eventstorm detected.");\
# create_var('warning',60);\
# set_var('warning',1);\
# }\
# drop();\
# }\
# }
# # Replace newlines, tabs and carriage returns with blanks, so every event
# # stays on a single line for the line-oriented receiver:
Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
# # Ensure that commonly undefined values are set:
Exec if not defined $AccountName { $AccountName = "-"; }
Exec if not defined $AccountType { $AccountType = "-"; }
Exec if not defined $Domain { $Domain = "-"; }
# # Ensure we send in the proper format:
# # The CSV row is prefixed with the hostname and the 'WIN-NXLOG' tag the AV
# # plugin keys on, then the extra fields are appended as "Name: value" pairs.
# # NOTE(review): only the three fields above get a "-" default; the fields
# # appended here ($Task, $Category, $Keywords, $UserID, ...) get none — verify
# # what NXLog emits for this concatenation when one of them is undefined.
Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: '+ $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber;
</Output>
## Output internal nxlog messages:
<Output out_alienvault_nxlog_csv>
Module om_udp
# Same cleartext UDP destination as out_alienvault_csv.
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
# No $PatternID check here: heartbeat and internal messages never pass through
# match_events (see route_nxlog_messages); only events carrying a message are sent.
Exec if not defined $Message { drop(); }
# # Replace newlines, tabs and carriage returns with blanks:
Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
# # Ensure that commonly undefined values are set:
Exec if not defined $AccountName { $AccountName = "-"; }
Exec if not defined $AccountType { $AccountType = "-"; }
Exec if not defined $Domain { $Domain = "-"; }
# # Ensure we send in the proper format:
# # NOTE(review): this post-processing duplicates out_alienvault_csv; keep the
# # two in sync when the CSV layout changes. $Hostname is not set explicitly
# # here, unlike the file-input templates below that call hostname_fqdn() —
# # confirm im_mark and im_internal populate it.
Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: '+ $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber;
</Output>
##
## Routes:
##
## Route for Windows logs:
<Route route_windows_logs>
# Windows events pass the patterndb filter before the CSV output. The
# commented alternative bypasses match_events, so every collected event
# would then be forwarded (out_alienvault_csv's $PatternID check would drop
# them all unless that check is removed too).
Path in_windows_events => match_events => out_alienvault_csv
#Path in_windows_events => out_alienvault_csv
</Route>
## Route for internal nxlog messages (eventstorm, heartbeat):
<Route route_nxlog_messages>
# Internal and heartbeat events skip match_events and use the dedicated output.
Path in_nxlog_internal, in_nxlog_heartbeat => out_alienvault_nxlog_csv
</Route>
#######################################################################
#### /NXLOG #####
#######################################################################
#######################################################################
#### CLAMWIN-NXLOG #####
#### Uncomment the following lines for CLAMWIN log forwarding #####
#######################################################################
#<Input CLAMWIN_Logs>
# Module im_file
# # REPLACE THE PATH IN THE FOLLOWING INPUT TO THE STORING PATH OF YOUR CLAMWIN LOGS:
# File "C:\\ProgramData\\.clamwin\\log\\ClamScanLog.txt"
# InputType LineBased
# SavePos FALSE
# Exec $Message = $raw_event;
# # Replace white spaces
# Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
#</Input>
## Output internal CLAMWIN nxlog messages:
#<Output out_alienvault_CLAMWIN_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event =$Hostname + ' CLAM-NXLOG ' + $raw_event;
#</Output>
## Route for CLAMWIN nxlog logs:
#<Route route_CLAMWIN_nxlog>
# Path CLAMWIN_Logs => out_alienvault_CLAMWIN_nxlog
#</Route>
#######################################################################
#### /CLAMWIN-NXLOG #####
#######################################################################
######################################################################################################################
#### DHCP-NXLOG / DNS-NXLOG / FTP-NXLOG / IIS-NXLOG / IIS-SMTP-NXLOG / WINDOWS-FW-NXLOG #####
#### Uncomment the following lines for DNS, DHCP, FTP, IIS, IIS-SMTP, and/or Windows Firewall log forwarding #####
######################################################################################################################
#<Extension json>
# Module xm_json
#</Extension>
#######################################################################
#### DHCP-NXLOG #####
#### Uncomment the following lines for DHCP log forwarding #####
#######################################################################
#<Extension transform_alienvault_dhcp_csv>
#
# Module xm_csv
# Fields $EventReceivedTime, $Message
# FieldTypes string, string
# Delimiter ;
#
#</Extension>
## DHCP logs assumed they are located in default location
## Use "sysnative" for DHCP Log location for 32-bit applications to access the SYSTEM32 directory on a 64 Bit System
## Use "system32" for DHCP Log location on 32 Bit systems
#<Input DHCP_IN>
# Module im_file
# File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
# SavePos TRUE
# InputType LineBased
# Exec if $raw_event =~ /^[0-3][0-9],/\
# {\
# $Message = $raw_event;\
# if $Message =~ s/^00/1000/;\
# $raw_event = to_json();\
# }\
# else\
# drop();
#</Input>
#<Output DHCP_OUT>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec transform_alienvault_dhcp_csv->to_csv(); $raw_event = $Hostname + ' DHCP-NXLOG: ' + $raw_event;
#</Output>
#<Route DHCP>
# Path DHCP_IN => DHCP_OUT
#</Route>
#######################################################################
#### /DHCP-NXLOG #####
#######################################################################
#######################################################################
#### DNS-NXLOG #####
#### Uncomment the following lines for DNS log forwarding #####
#######################################################################
## Custom CSV format for the windns-nxlog AlienVault plugin.
#<Extension transform_alienvault_csv_dns>
# Module xm_csv
# Fields $Hostname, $SourceName, $Message
# FieldTypes string, string, string
# Delimiter ,
#</Extension>
#<Input DNS_Logs>
# Module im_file
# File "C:\\Windows\\Sysnative\\dns\\dns.log"
# SavePos TRUE
# InputType LineBased
# Exec if ($raw_event =~ /^#/) OR ($raw_event == '') drop();\
# else\
# {\
# $Message = $raw_event;\
# $SourceName = "DNS";\
# $raw_event = to_json();\
# }
#</Input>
#<Output out_alienvault_dns_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec if not defined $Message { drop(); }
## Replace newlines, tabs and carriage returns with blanks:
# Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
## Ensure that commonly undefined values are set:
# Exec if not defined $AccountName { $AccountName = "-"; }
# Exec if not defined $AccountType { $AccountType = "-"; }
# Exec if not defined $Domain { $Domain = "-"; }
## Ensure we send in the proper format:
# Exec $Hostname = hostname_fqdn();
# Exec transform_alienvault_csv_dns->to_csv(); $raw_event = $Hostname + ' DNS-NXLOG: ' + $raw_event;
#</Output>
## Route for dns nxlog logs:
#<Route route_dns_nxlog>
# Path DNS_Logs => out_alienvault_dns_nxlog
#</Route>
#######################################################################
#### /DNS-NXLOG #####
#######################################################################
#######################################################################
#### EXCHANGE-NXLOG #####
#### Uncomment the following lines for Exchange log forwarding #####
#######################################################################
#<Extension syslog>
# Module xm_syslog
#</Extension>
#<Input EXCHANGE_IN>
# Module im_file
# # Modify the file path as needed
# File "C:\\Program Files\\Microsoft\\Exchange Server\\V14\\TransportRoles\\Logs\\MessageTracking\\MSGTRK????????*-*.LOG"
# SavePos TRUE
# Exec if $raw_event =~ /HealthMailbox/ drop();
# Exec if $raw_event =~ /^#/ drop();
#</Input>
#<Output EXCHANGE_OUT>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $SyslogFacility = 2;
# Exec $SourceName = 'EXCHANGE-NXLOG';
# Exec to_syslog_bsd();
#</Output>
#<Route EXCHANGE>
# Path EXCHANGE_IN => EXCHANGE_OUT
#</Route>
#######################################################################
#### /EXCHANGE-NXLOG #####
#######################################################################
#######################################################################
#### FTP-NXLOG #####
#### Uncomment the following lines for FTP log forwarding #####
#######################################################################
#<Extension w3c_ftp>
# Module xm_csv
# Fields date, time, cs-username, s-ip, s-port, cs-method, cs-uri-stem, sc-status, sc-win32-status, sc-substatus, x-session, x-fullpath
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#</Extension>
## Windows FTP events log:
#<Input FTP_Logs>
# Module im_file
# File "C:\\inetpub\\logs\\LogFiles\\FTPSVC\\u_ex*"
# SavePos TRUE
#
# Exec if $raw_event =~/^#/ drop();\
# else\
# {\
# w3c_ftp->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $SourceName = "WINFTP";\
# $raw_event = to_json();\
# }
#</Input>
## Output internal ftp nxlog messages:
#<Output out_alienvault_ftp_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event =$Hostname + ' WINFTP-NXLOG ' + $raw_event;
#</Output>
## Route for ftp nxlog logs:
#<Route route_ftp_nxlog>
# Path FTP_Logs => out_alienvault_ftp_nxlog
#</Route>
#######################################################################
#### /FTP-NXLOG #####
#######################################################################
#######################################################################
#### IIS-NXLOG #####
#### Uncomment the following lines for IIS log forwarding #####
#######################################################################
#<Extension w3c>
# Module xm_csv
# Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#</Extension>
## Windows IIS events log:
#<Input IIS_Logs>
# Module im_file
# File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
# SavePos TRUE
# Exec if $raw_event =~/^#/ drop();\
# else\
# {\
# w3c->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $SourceName = "IIS";\
# $raw_event = to_json();\
# }
#</Input>
## Output internal iis nxlog messages:
#<Output out_alienvault_iis_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#</Output>
## Route for iis nxlog logs:
#<Route route_iis_nxlog>
# Path IIS_Logs => out_alienvault_iis_nxlog
#</Route>
#######################################################################
#### /IIS-NXLOG #####
#######################################################################
#######################################################################
#### IIS-SMTP-NXLOG #####
#### Uncomment the following lines for IIS SMTP log forwarding #####
#######################################################################
#<Extension w3c_smtp>
# Module xm_csv
# Fields $date, $time, $c-ip, $cs-username, $s-sitename, $s-computername, $s-ip, $s-port, $cs-method, $cs-uri-stem, $cs-uri-query, $sc-status, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken, $cs-version, $cs-host, $cs(User-Agent), $cs(Cookie), $cs(Referer)
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#</Extension>
## Windows IIS SMTP events log:
#<Input IIS_SMTP_Logs>
# Module im_file
# File "C:\\Windows\\System32\\LogFiles\\SmtpSvc1\\ex*"
# SavePos TRUE
# Exec if $raw_event =~/^#/ drop();\
# else\
# {\
# w3c_smtp->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $SourceName = "IIS_SMTP";\
# $raw_event = to_json();\
# }
#</Input>
## Output internal iis nxlog messages:
#<Output out_alienvault_iis_smtp_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#</Output>
## Route for iis nxlog logs:
#<Route route_iis_smtp_nxlog>
# Path IIS_SMTP_Logs => out_alienvault_iis_smtp_nxlog
#</Route>
#######################################################################
#### /IIS-SMTP-NXLOG #####
#######################################################################
#######################################################################
#### MSSQL-NXLOG #####
#### Uncomment the following lines for MSSQL log forwarding #####
#######################################################################
#### NOTE: You must enable SQL Server Audit and send results to the Windows application log
#<Input in_mssql>
# Module im_msvistalog
# SavePos FALSE
# ReadFromLast TRUE
#
# Query <QueryList> \
# <Query Id="0"> \
# <Select Path="Application">*[System[(EventID='33205')]]</Select>\
# </Query> \
# </QueryList>
# Exec $Message = $raw_event;
#
# # Finding some values:
# Exec if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
# Exec if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
# Exec if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
# Exec if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
# Exec if $raw_event =~ /AUDIT_SUCCESS/\
# {\
# $Result = 'Success';\
# }\
# else\
# $Result = 'Failure';
# # Replace white spaces
# Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
#</Input>
#<Output out_mssql>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
#
# # Ensure we send in the proper format:
# Exec $Hostname = hostname_fqdn();
# Exec mssql_csv->to_csv(); $raw_event = $Hostname + ' MSSQL-NXLOG: ' + $raw_event;
#</Output>
#<Extension mssql_csv>
# Module xm_csv
# Fields $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
# FieldTypes string, string, string, string, string, string, string, string
# Delimiter ;
#</Extension>
#<Route mssql>
# Path in_mssql => out_mssql
#</Route>
#######################################################################
#### /MSSQL-NXLOG #####
#######################################################################
############################################################################
#### NETWRIX-NXLOG #####
#### Uncomment the following lines for NETWRIX log forwarding #####
############################################################################
#<Extension transform_alienvault_csv_netwrix>
# Module xm_csv
# Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $Task, $Keywords, $Message
# FieldTypes string, string, string, string, string, string, string, string, string, string
# Delimiter ;
#</Extension>
## Netwrix events log
#<Input NETWRIX_Logs>
# Module im_msvistalog
# SavePos FALSE
# ReadFromLast TRUE
# Query <QueryList> \
# <Query Id="0"> \
# <Select Path="Netwrix_Auditor_Integration">*</Select> \
# </Query> \
# </QueryList>
#</Input>
## Output internal Netwrix nxlog messages:
#<Output out_alienvault_netwrix_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
##Replace newlines with ">>"
# Exec $Message = replace($Message, "\n", ">>");
#
# Exec $Hostname = hostname_fqdn();
# Exec transform_alienvault_csv_netwrix->to_csv(); $raw_event = $Hostname + ' NETWRIX-NXLOG: ' + $raw_event;
#</Output>
## Route for Netwrix nxlog logs:
#<Route route_netwrix_nxlog>
# Path NETWRIX_Logs => out_alienvault_netwrix_nxlog
#</Route>
#######################################################################
#### /NETWRIX-NXLOG #####
#######################################################################
#######################################################################
#### NPS-NXLOG #####
#### Uncomment the following lines for NPS log forwarding #####
#######################################################################
#<Extension transform_alienvault_nps>
# Module xm_nps
#</Extension>
## Assumed NPS logs are located in default location
#<Input NPS_IN>
# Module im_file
# File "C:\\Windows\\System32\\LogFiles\\IN*"
#
# Exec if $raw_event =~ /([^,]*,){20}("[^"]*")?([^,]*,){5}(\d+)/ $SID = $4;
# # NOTE(review): /0/ matches any SID value containing a zero digit, not only "0"; presumably /^0$/ was intended — confirm before uncommenting.
# Exec if $SID =~ /0/ $SID = 1000;
# Exec parse_nps();
#</Input>
#<Output NPS_OUT>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec to_json();
# Exec $raw_event = $Hostname + ' NPS-NXLOG: ' + 'SID: ' + $SID + ' ' +$raw_event;
#</Output>
#<Route NPS>
# Path NPS_IN => NPS_OUT
#</Route>
#######################################################################
#### /NPS-NXLOG #####
#######################################################################
#######################################################################
#### OBSERVEIT-NXLOG #####
#### Uncomment the following lines for ObserveIT log forwarding #####
#######################################################################
#<Input ObserveITin>
# Module im_file
# File "C:\\Program Files (x86)\\ObserveIT\\NotificationService\\LogFiles\\ArcSight\\Observeit_activity_log.cef"
# SavePos TRUE
# InputType LineBased
# Exec if $raw_event =~ /(CEF:.*)/ $Message = $1;
#</Input>
#<Output ObserveITout>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event = $Hostname + ' OBSERVEIT-NXLOG: ' + $raw_event;
#</Output>
#<Route ObserveITroute>
# Path ObserveITin => ObserveITout
#</Route>
#######################################################################
#### /OBSERVEIT-NXLOG #####
#######################################################################
#######################################################################
#### ORACLE-NXLOG #####
#######################################################################
## Oracle events log
#<Input ORACLE_IN>
# Module im_msvistalog
# SavePos FALSE
# ReadFromLast TRUE
# Query <QueryList> \
# <Query Id="0"> \
# <Select Path="Application">*[System[(EventID='34')]]</Select>\
# </Query> \
# </QueryList>
#</Input>
## Output internal Oracle nxlog messages:
#<Output ORACLE_OUT>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
#
# # Ensure that commonly undefined values are set:
# Exec if not defined $AccountName { $AccountName = "-"; }
# Exec if not defined $AccountType { $AccountType = "-"; }
# Exec if not defined $Domain { $Domain = "-"; }
# Exec $Hostname = hostname_fqdn();
# Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' ORACLE-NXLOG: ' + $raw_event;
#</Output>
## Route for Oracle nxlog logs:
#<Route route_oracle_nxlog>
# Path ORACLE_IN => ORACLE_OUT
#</Route>
#######################################################################
#### /ORACLE-NXLOG #####
#######################################################################
#######################################################################
#### SCOM-NXLOG #####
#### Uncomment the following lines for SCOM log forwarding #####
#######################################################################
#<Extension transform_alienvault_csv_scom>
# Module xm_csv
# Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $AccountName, $AccountType, $Domain, $Message
# FieldTypes string, string, string, string, string, string, string, string, string, string, string
# Delimiter ,
#</Extension>
## Windows SCOM events log:
#<Input SCOM_Logs>
# Module im_msvistalog
# Query <QueryList>\
# <Query Id="0">\
# <Select Path="Operations Manager">*</Select>\
# </Query>\
# </QueryList>
#
# Exec if $raw_event =~ /^#/ drop();\
# else\
# {\
# $Message = $raw_event;\
# }
# Exec if $raw_event =~ /User name:\s*(.*?)\s+Session/i $AccountName = $1;
# Exec if $raw_event =~ /RunAs account\s*(.*?)\s+for/i $AccountName = $1;
# Exec if $raw_event =~ /CurrentUser=(.*?)\)/i $AccountName = $1;
#
#</Input>
## Output internal scom nxlog messages:
#<Output out_alienvault_scom_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
#
# Exec if not defined $Message { drop(); }
#
# Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
# Exec if not defined $AccountName { $AccountName = "-"; }
# Exec if not defined $AccountType { $AccountType = "-"; }
# Exec if not defined $Domain { $Domain = "-"; }
#
# Exec $Hostname = hostname_fqdn();
# Exec transform_alienvault_csv_scom->to_csv(); $raw_event = $Hostname + ' SCOM-NXLOG: ' + $raw_event;
#</Output>
## Route for scom nxlog logs:
#<Route route_scom_nxlog>
# Path SCOM_Logs => out_alienvault_scom_nxlog
#</Route>
#######################################################################
#### /SCOM-NXLOG #####
#######################################################################
##############################################################################
#### SECUREAUTH-NXLOG #####
#### Uncomment the following lines for SecureAuth audit log forwarding #####
##############################################################################
#<Extension xmlparser>
# Module xm_xml
#</Extension>
## NOTE(review): EXCHANGE-NXLOG and SOPHOSEC-NXLOG also declare <Extension syslog>; when enabling more than one of these sections keep a single copy of it.
#<Extension syslog>
# Module xm_syslog
#</Extension>
### Windows 2FA audit log:
#<Input 2FA_Logs>
# Module im_file
# # Modify the file path as needed
# File "D:\\Secureauth\\SecureAuth2\\AuditLogs\\*Audit*"
# # SavePos FALSE
# ReadFromLast FALSE
# PollInterval 5
# Exec if $raw_event !~ /^<event>/ drop();
# ## Parse the xml event see https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html and see if you can do the same for non-multi-line xml
# ## NOTE(review): each of the next four lines ends in a continuation "\" yet the following line starts a new Exec; compare FTP_Logs, where only the first line of the continued statement carries Exec. Confirm before uncommenting.
# Exec parse_xml();\
# Exec if $raw_event =~ /\<TimeStamp\>(.+)\<\/TimeStamp\>/ $EventTime = parsedate($1);\
# Exec $SourceName = "2FA";\
# Exec $raw_event = to_syslog_bsd();\
#</Input>
## Output internal 2FA nxlog messages:
#<Output out_alienvault_2fa_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event =$Hostname + ' 2FA-NXLOG ' + $raw_event;
#</Output>
## Route for 2fa nxlog logs:
#<Route route_2fa_nxlog>
# Path 2FA_Logs => out_alienvault_2fa_nxlog
#</Route>
##############################################################################
#### /SECUREAUTH-NXLOG #####
##############################################################################
#######################################################################
#### SOPHOSEC-NXLOG #####
#### Uncomment the following lines for Sophos-EC log forwarding #####
#######################################################################
#<Extension kvp>
# Module xm_kvp
# KVPDelimiter ;
# KVDelimiter =
#</Extension>
#<Extension syslog>
# Module xm_syslog
#</Extension>
##Sophosec logs assumed they are located in default location
#<Input SOPHOS_IN>
# Module im_file
# File "C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DefaultCommonEvents.txt"
# SavePos TRUE
# InputType LineBased
# Exec if $raw_event =~ /^#/ drop();\
# else\
# {\
# kvp->parse_kvp();\
# $Message = $raw_event;\
# }
#</Input>
#<Output SOPHOS_OUT>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec to_syslog_bsd();
# Exec $raw_event = '<13>' + $Hostname + ' SOPHOSEC-NXLOG: ' + 'InsertedAt="' +$InsertedAt + '"; ' + 'EventID="' +$EventID + '"; ' + 'EventTime="' +$EventTime + '"; ' + 'EventTypeID="' +$EventTypeID + '"; ' + 'EventType="' +$EventType + '"; ' + 'Name="' +$Name + '"; ' + 'ReportingName="' +$ReportingName + '"; ' + 'UserName="' +$UserName + '"; ' + 'ActionID="' +$ActionID + '"; ' + 'Action="' +$Action + '"; ' + 'ScanType="' +$ScanType + '"; ' + 'SubTypeID="' +$SubTypeID + '"; ' + 'SubType="' +$SubType + '"; ' + 'ComputerName="' +$ComputerName + '"; ' + 'ComputerDomain="' +$ComputerDomain + '"; ' + 'ComputerIPAddress="' + $ComputerIPAddress + '"';
#</Output>
#<Route Sophos>
# Path SOPHOS_IN => SOPHOS_OUT
#</Route>
#######################################################################
#### /SOPHOSEC-NXLOG #####
#######################################################################
#######################################################################
#### SYSMON-NXLOG #####
#######################################################################
#<Input in_sysmon_events>
# Module im_msvistalog
# SavePos FALSE
# ReadFromLast TRUE
#
# Query <QueryList>\
# <Query Id="0">\
# <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
# </Query>\
# </QueryList>
#</Input>
#<Output out_sysmon_events>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
#
# # Replace newlines, tabs and carriage returns with blanks:
# Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
#
# # Ensure that commonly undefined values are set:
# Exec if not defined $AccountName { $AccountName = "-"; }
# Exec if not defined $AccountType { $AccountType = "-"; }
# Exec if not defined $Domain { $Domain = "-"; }
#
# # Ensure we send in the proper format:
# Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' SYSMON-NXLOG ' + $raw_event;
#</Output>
#<Route route_sysmon_logs>
# Path in_sysmon_events => out_sysmon_events
#</Route>
#######################################################################
#### /SYSMON-NXLOG #####
#######################################################################
############################################################################
#### WINDOWS-FW-NXLOG #####
#### Uncomment the following lines for WINDOWS FIREWALL log forwarding #####
############################################################################
#<Extension transform_alienvault_csv_windows_firewall>
# Module xm_csv
# Fields date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#</Extension>
## Windows firewall events log:
#<Input WINDOWS-FW_Logs>
# Module im_file
# File "C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log"
#
# # NOTE(review): the other file inputs (FTP_Logs, IIS_Logs, SOPHOS_IN) put "else" between drop(); and the block; here it is missing, so the block would run unconditionally. Confirm before uncommenting.
# Exec if $raw_event =~ /^#/ drop();\
# {\
# transform_alienvault_csv_windows_firewall->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $SourceName = "WINDOWS-FW";\
# $raw_event = to_json();\
# }
#
#</Input>
## Output internal windows firewall nxlog messages:
#<Output out_alienvault_windows_firewall_nxlog>
# Module om_udp
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event = $Hostname + ' WIN-FW-NXLOG: ' + $raw_event;
#</Output>
## Route for windows firewall nxlog logs:
#<Route route_windows_fw_nxlog>
# Path WINDOWS-FW_Logs => out_alienvault_windows_firewall_nxlog
#</Route>
#######################################################################
#### /WINDOWS-FW-NXLOG #####
#######################################################################
#######################################################################
#### WINGFTP-NXLOG #####
#######################################################################
## Replace the placeholder with the Wing FTP domain name. It is substituted
## into the in_wingftp_domain file path below, so this define has to be
## uncommented together with that input.
#define WING_DOMAIN <EDIT THIS WITH YOUR DOMAIN NAME!>
#<Input in_wingftp_admin>
# Module im_file
# # Modify the file path as needed
# # The wildcard also picks up rotated Admin-*.log files. The admin log likely
# # records administrative actions and account names, so treat what this
# # input forwards as sensitive (see the transport note on out_wingftp).
# File "C:\\Program Files (x86)\\Wing FTP Server\\Log\\Admin\\Admin-*.log"
# # Remember the read offset across restarts so lines are neither replayed
# # nor skipped.
# SavePos TRUE
#</Input>
#<Input in_wingftp_system>
# Module im_file
# # Modify the file path as needed
# # The wildcard also picks up rotated System-*.log files.
# File "C:\\Program Files (x86)\\Wing FTP Server\\Log\\System\\System-*.log"
# # Remember the read offset across restarts so lines are neither replayed
# # nor skipped.
# SavePos TRUE
#</Input>
#<Input in_wingftp_domain>
# Module im_file
# # Modify the file path as needed
# # %WING_DOMAIN% is expanded from the define above this section; the input
# # will not start if that define is still commented out or still holds the
# # placeholder text. The wildcard also picks up rotated AV-*.log files.
# File "C:\\Program Files (x86)\\Wing FTP Server\\Log\\Domains\\%WING_DOMAIN%\\AV-*.log"
# # Remember the read offset across restarts so lines are neither replayed
# # nor skipped.
# SavePos TRUE
#</Input>
#<Output out_wingftp>
# Module om_udp
# # Destination comes from the file-level OUTPUT_DESTINATION_* defines.
# # Plain UDP syslog: the Wing FTP admin, system and domain logs leave this
# # host in cleartext, the collector cannot authenticate the sender, and lost
# # datagrams are not retransmitted. Where the collector accepts it, om_tcp
# # or om_ssl is the drop-in alternative; otherwise restrict which hosts may
# # reach the collector on this port.
# Host %OUTPUT_DESTINATION_ADDRESS%
# Port %OUTPUT_DESTINATION_PORT%
# # Ensure we send in the proper format:
# # Each record becomes "<fqdn> WINGFTP-NXLOG: <original line>"; the
# # collector-side parser is presumably keyed on this literal tag.
# Exec $Hostname = hostname_fqdn();
# Exec $raw_event = $Hostname + ' WINGFTP-NXLOG: ' + $raw_event;
#</Output>
#<Route WINGFTP>
# # All three Wing FTP inputs share the one UDP output; the names must match
# # the Input and Output block names above exactly.
# Path in_wingftp_admin,in_wingftp_system,in_wingftp_domain => out_wingftp
#</Route>
#######################################################################
#### /WINGFTP-NXLOG #####
#######################################################################
<?xml version='1.0' encoding='UTF-8'?>
<patterndb>
<created>2016-12-02 13:39:49</created>
<version>1</version>
<group>
<name>winnxlog</name>
<id>1</id>
<pattern>
<id>1</id>
<name>Event - 19</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>19</value>
</matchfield>
<exec>$PatternID=1;</exec>
</pattern>
<pattern>
<id>2</id>
<name>Event - 36</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>36</value>
</matchfield>
<exec>$PatternID=2;</exec>
</pattern>
<pattern>
<id>3</id>
<name>Event - 51</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>51</value>
</matchfield>
<exec>$PatternID=3;</exec>
</pattern>
<pattern>
<id>4</id>
<name>Event - 41</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>41</value>
</matchfield>
<exec>$PatternID=4;</exec>
</pattern>
<pattern>
<id>5</id>
<name>Event - 2004</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>2004</value>
</matchfield>
<exec>$PatternID=5;</exec>
</pattern>
<pattern>
<id>6</id>
<name>Event - 2005</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>2005</value>
</matchfield>
<exec>$PatternID=6;</exec>
</pattern>
<pattern>
<id>7</id>
<name>Event - 2006</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>2006</value>
</matchfield>
<exec>$PatternID=7;</exec>
</pattern>
<pattern>
<id>8</id>
<name>Event - 24</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>24</value>
</matchfield>
<exec>$PatternID=8;</exec>
</pattern>
<pattern>
<id>9</id>
<name>Event - 22</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>22</value>
</matchfield>
<exec>$PatternID=9;</exec>
</pattern>
<pattern>
<id>10</id>
<name>Event - 24</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>24</value>
</matchfield>
<exec>$PatternID=10;</exec>
</pattern>
<pattern>
<id>11</id>
<name>Event - 25</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>25</value>
</matchfield>
<exec>$PatternID=11;</exec>
</pattern>
<pattern>
<id>12</id>
<name>Event - 104</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>104</value>
</matchfield>
<exec>$PatternID=12;</exec>
</pattern>
<pattern>
<id>13</id>
<name>Event - 104</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>104</value>
</matchfield>
<exec>$PatternID=13;</exec>
</pattern>
<pattern>
<id>14</id>
<name>Event - 307</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>307</value>
</matchfield>
<exec>$PatternID=14;</exec>
</pattern>
<pattern>
<id>15</id>
<name>Event - 800</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>800</value>
</matchfield>
<exec>$PatternID=15;</exec>
</pattern>
<pattern>
<id>16</id>
<name>Event - 800</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>800</value>
</matchfield>
<exec>$PatternID=16;</exec>
</pattern>
<pattern>
<id>17</id>
<name>Event - 800</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>800</value>
</matchfield>
<exec>$PatternID=17;</exec>
</pattern>
<pattern>
<id>18</id>
<name>Event - 903</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>903</value>
</matchfield>
<exec>$PatternID=18;</exec>
</pattern>
<pattern>
<id>19</id>
<name>Event - 903</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>903</value>
</matchfield>
<exec>$PatternID=19;</exec>
</pattern>
<pattern>
<id>20</id>
<name>Event - 904</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>904</value>
</matchfield>
<exec>$PatternID=20;</exec>
</pattern>
<pattern>
<id>21</id>
<name>Event - 908</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>908</value>
</matchfield>
<exec>$PatternID=21;</exec>
</pattern>
<pattern>
<id>22</id>
<name>Event - 140</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>140</value>
</matchfield>
<exec>$PatternID=22;</exec>
</pattern>
<pattern>
<id>23</id>
<name>Event - 1000</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1000</value>
</matchfield>
<exec>$PatternID=23;</exec>
</pattern>
<pattern>
<id>24</id>
<name>Event - 1002</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1002</value>
</matchfield>
<exec>$PatternID=24;</exec>
</pattern>
<pattern>
<id>25</id>
<name>Event - 1002</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1002</value>
</matchfield>
<exec>$PatternID=25;</exec>
</pattern>
<pattern>
<id>26</id>
<name>Event - 1002</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1002</value>
</matchfield>
<exec>$PatternID=26;</exec>
</pattern>
<pattern>
<id>27</id>
<name>Event - 1022</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1022</value>
</matchfield>
<exec>$PatternID=27;</exec>
</pattern>
<pattern>
<id>28</id>
<name>Event - 1033</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1033</value>
</matchfield>
<exec>$PatternID=28;</exec>
</pattern>
<pattern>
<id>29</id>
<name>Event - 1033</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1033</value>
</matchfield>
<exec>$PatternID=29;</exec>
</pattern>
<pattern>
<id>30</id>
<name>Event - 1074</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1074</value>
</matchfield>
<exec>$PatternID=30;</exec>
</pattern>
<pattern>
<id>31</id>
<name>Event - 1073</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1073</value>
</matchfield>
<exec>$PatternID=31;</exec>
</pattern>
<pattern>
<id>32</id>
<name>Event - 1102</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1102</value>
</matchfield>
<exec>$PatternID=32;</exec>
</pattern>
<pattern>
<id>33</id>
<name>Event - 4608</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4608</value>
</matchfield>
<exec>$PatternID=33;</exec>
</pattern>
<pattern>
<id>34</id>
<name>Event - 4624</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4624</value>
</matchfield>
<exec>$PatternID=34;</exec>
</pattern>
<pattern>
<id>35</id>
<name>Event - 4625</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4625</value>
</matchfield>
<exec>$PatternID=35;</exec>
</pattern>
<pattern>
<id>36</id>
<name>Event - 4634</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4634</value>
</matchfield>
<exec>$PatternID=36;</exec>
</pattern>
<pattern>
<id>37</id>
<name>Event - 4647</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4647</value>
</matchfield>
<exec>$PatternID=37;</exec>
</pattern>
<pattern>
<id>38</id>
<name>Event - 4648</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4648</value>
</matchfield>
<exec>$PatternID=38;</exec>
</pattern>
<pattern>
<id>39</id>
<name>Event - 5145</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>5145</value>
</matchfield>
<exec>$PatternID=39;</exec>
</pattern>
<pattern>
<id>40</id>
<name>Event - 4656</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4656</value>
</matchfield>
<exec>$PatternID=40;</exec>
</pattern>
<pattern>
<id>41</id>
<name>Event - 4657</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4657</value>
</matchfield>
<exec>$PatternID=41;</exec>
</pattern>
<pattern>
<id>42</id>
<name>Event - 4663</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4663</value>
</matchfield>
<exec>$PatternID=42;</exec>
</pattern>
<pattern>
<id>43</id>
<name>Event - 4672</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4672</value>
</matchfield>
<exec>$PatternID=43;</exec>
</pattern>
<pattern>
<id>44</id>
<name>Event - 4704</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4704</value>
</matchfield>
<exec>$PatternID=44;</exec>
</pattern>
<pattern>
<id>45</id>
<name>Event - 4705</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4705</value>
</matchfield>
<exec>$PatternID=45;</exec>
</pattern>
<pattern>
<id>46</id>
<name>Event - 4706</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4706</value>
</matchfield>
<exec>$PatternID=46;</exec>
</pattern>
<pattern>
<id>47</id>
<name>Event - 4707</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4707</value>
</matchfield>
<exec>$PatternID=47;</exec>
</pattern>
<pattern>
<id>48</id>
<name>Event - 4716</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4716</value>
</matchfield>
<exec>$PatternID=48;</exec>
</pattern>
<pattern>
<id>49</id>
<name>Event - 4719</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4719</value>
</matchfield>
<exec>$PatternID=49;</exec>
</pattern>
<pattern>
<id>50</id>
<name>Event - 4720</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4720</value>
</matchfield>
<exec>$PatternID=50;</exec>
</pattern>
<pattern>
<id>51</id>
<name>Event - 4722</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4722</value>
</matchfield>
<exec>$PatternID=51;</exec>
</pattern>
<pattern>
<id>52</id>
<name>Event - 4723</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4723</value>
</matchfield>
<exec>$PatternID=52;</exec>
</pattern>
<pattern>
<id>53</id>
<name>Event - 4724</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4724</value>
</matchfield>
<exec>$PatternID=53;</exec>
</pattern>
<pattern>
<id>54</id>
<name>Event - 4724</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4724</value>
</matchfield>
<exec>$PatternID=54;</exec>
</pattern>
<pattern>
<id>55</id>
<name>Event - 4725</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4725</value>
</matchfield>
<exec>$PatternID=55;</exec>
</pattern>
<pattern>
<id>56</id>
<name>Event - 4726</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4726</value>
</matchfield>
<exec>$PatternID=56;</exec>
</pattern>
<pattern>
<id>57</id>
<name>Event - 4738</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4738</value>
</matchfield>
<exec>$PatternID=57;</exec>
</pattern>
<pattern>
<id>58</id>
<name>Event - 4739</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4739</value>
</matchfield>
<exec>$PatternID=58;</exec>
</pattern>
<pattern>
<id>59</id>
<name>Event - 4740</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4740</value>
</matchfield>
<exec>$PatternID=59;</exec>
</pattern>
<pattern>
<id>60</id>
<name>Event - 4741</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4741</value>
</matchfield>
<exec>$PatternID=60;</exec>
</pattern>
<pattern>
<id>61</id>
<name>Event - 4104</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4104</value>
</matchfield>
<exec>$PatternID=61;</exec>
</pattern>
<pattern>
<id>62</id>
<name>Event - 13</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>13</value>
</matchfield>
<exec>$PatternID=62;</exec>
</pattern>
<pattern>
<id>63</id>
<name>Event - 8193</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>8193</value>
</matchfield>
<exec>$PatternID=63;</exec>
</pattern>
<pattern>
<id>64</id>
<name>Event - 4742</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4742</value>
</matchfield>
<exec>$PatternID=64;</exec>
</pattern>
<pattern>
<id>65</id>
<name>Event - 4743</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4743</value>
</matchfield>
<exec>$PatternID=65;</exec>
</pattern>
<pattern>
<id>66</id>
<name>Event - 4764</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4764</value>
</matchfield>
<exec>$PatternID=66;</exec>
</pattern>
<pattern>
<id>67</id>
<name>Event - 4728</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4728</value>
</matchfield>
<exec>$PatternID=67;</exec>
</pattern>
<pattern>
<id>68</id>
<name>Event - 4729</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4729</value>
</matchfield>
<exec>$PatternID=68;</exec>
</pattern>
<pattern>
<id>69</id>
<name>Event - 4732</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4732</value>
</matchfield>
<exec>$PatternID=69;</exec>
</pattern>
<pattern>
<id>70</id>
<name>Event - 4733</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4733</value>
</matchfield>
<exec>$PatternID=70;</exec>
</pattern>
<pattern>
<id>71</id>
<name>Event - 4746</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4746</value>
</matchfield>
<exec>$PatternID=71;</exec>
</pattern>
<pattern>
<id>72</id>
<name>Event - 4747</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4747</value>
</matchfield>
<exec>$PatternID=72;</exec>
</pattern>
<pattern>
<id>73</id>
<name>Event - 4751</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4751</value>
</matchfield>
<exec>$PatternID=73;</exec>
</pattern>
<pattern>
<id>74</id>
<name>Event - 4752</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4752</value>
</matchfield>
<exec>$PatternID=74;</exec>
</pattern>
<pattern>
<id>75</id>
<name>Event - 4756</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4756</value>
</matchfield>
<exec>$PatternID=75;</exec>
</pattern>
<pattern>
<id>76</id>
<name>Event - 4757</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4757</value>
</matchfield>
<exec>$PatternID=76;</exec>
</pattern>
<pattern>
<id>77</id>
<name>Event - 4761</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4761</value>
</matchfield>
<exec>$PatternID=77;</exec>
</pattern>
<pattern>
<id>78</id>
<name>Event - 4762</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4762</value>
</matchfield>
<exec>$PatternID=78;</exec>
</pattern>
<pattern>
<id>79</id>
<name>Event - 4727</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4727</value>
</matchfield>
<exec>$PatternID=79;</exec>
</pattern>
<pattern>
<id>80</id>
<name>Event - 4730</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4730</value>
</matchfield>
<exec>$PatternID=80;</exec>
</pattern>
<pattern>
<id>81</id>
<name>Event - 4731</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4731</value>
</matchfield>
<exec>$PatternID=81;</exec>
</pattern>
<pattern>
<id>82</id>
<name>Event - 4734</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4734</value>
</matchfield>
<exec>$PatternID=82;</exec>
</pattern>
<pattern>
<id>83</id>
<name>Event - 4735</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4735</value>
</matchfield>
<exec>$PatternID=83;</exec>
</pattern>
<pattern>
<id>84</id>
<name>Event - 4737</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4737</value>
</matchfield>
<exec>$PatternID=84;</exec>
</pattern>
<pattern>
<id>85</id>
<name>Event - 4744</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4744</value>
</matchfield>
<exec>$PatternID=85;</exec>
</pattern>
<pattern>
<id>86</id>
<name>Event - 4745</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4745</value>
</matchfield>
<exec>$PatternID=86;</exec>
</pattern>
<pattern>
<id>87</id>
<name>Event - 4748</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4748</value>
</matchfield>
<exec>$PatternID=87;</exec>
</pattern>
<pattern>
<id>88</id>
<name>Event - 4749</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4749</value>
</matchfield>
<exec>$PatternID=88;</exec>
</pattern>
<pattern>
<id>89</id>
<name>Event - 4750</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4750</value>
</matchfield>
<exec>$PatternID=89;</exec>
</pattern>
<pattern>
<id>90</id>
<name>Event - 4753</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4753</value>
</matchfield>
<exec>$PatternID=90;</exec>
</pattern>
<pattern>
<id>91</id>
<name>Event - 4754</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4754</value>
</matchfield>
<exec>$PatternID=91;</exec>
</pattern>
<pattern>
<id>92</id>
<name>Event - 4755</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4755</value>
</matchfield>
<exec>$PatternID=92;</exec>
</pattern>
<pattern>
<id>93</id>
<name>Event - 4758</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4758</value>
</matchfield>
<exec>$PatternID=93;</exec>
</pattern>
<pattern>
<id>94</id>
<name>Event - 4759</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4759</value>
</matchfield>
<exec>$PatternID=94;</exec>
</pattern>
<pattern>
<id>95</id>
<name>Event - 4760</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4760</value>
</matchfield>
<exec>$PatternID=95;</exec>
</pattern>
<pattern>
<id>96</id>
<name>Event - 4763</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4763</value>
</matchfield>
<exec>$PatternID=96;</exec>
</pattern>
<pattern>
<id>97</id>
<name>Event - 4767</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4767</value>
</matchfield>
<exec>$PatternID=97;</exec>
</pattern>
<pattern>
<id>98</id>
<name>Event - 4776</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4776</value>
</matchfield>
<exec>$PatternID=98;</exec>
</pattern>
<pattern>
<id>99</id>
<name>Event - 4781</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4781</value>
</matchfield>
<exec>$PatternID=99;</exec>
</pattern>
<pattern>
<id>100</id>
<name>Event - 5152</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>5152</value>
</matchfield>
<exec>$PatternID=100;</exec>
</pattern>
<pattern>
<id>101</id>
<name>Event - 5157</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>5157</value>
</matchfield>
<exec>$PatternID=101;</exec>
</pattern>
<pattern>
<id>102</id>
<name>Event - 6008</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>6008</value>
</matchfield>
<exec>$PatternID=102;</exec>
</pattern>
<pattern>
<id>103</id>
<name>Event - 7023</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7023</value>
</matchfield>
<exec>$PatternID=103;</exec>
</pattern>
<pattern>
<id>104</id>
<name>Event - 7024</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7024</value>
</matchfield>
<exec>$PatternID=104;</exec>
</pattern>
<pattern>
<id>105</id>
<name>Event - 7022</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7022</value>
</matchfield>
<exec>$PatternID=105;</exec>
</pattern>
<pattern>
<id>106</id>
<name>Event - 4778</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4778</value>
</matchfield>
<exec>$PatternID=106;</exec>
</pattern>
<pattern>
<id>107</id>
<name>Event - 4779</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4779</value>
</matchfield>
<exec>$PatternID=107;</exec>
</pattern>
<pattern>
<id>108</id>
<name>Event - 7036</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7036</value>
</matchfield>
<exec>$PatternID=108;</exec>
</pattern>
<pattern>
<id>109</id>
<name>Event - 7045</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7045</value>
</matchfield>
<exec>$PatternID=109;</exec>
</pattern>
<pattern>
<id>110</id>
<name>Event - 4800</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4800</value>
</matchfield>
<exec>$PatternID=110;</exec>
</pattern>
<pattern>
<id>111</id>
<name>Event - 4801</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4801</value>
</matchfield>
<exec>$PatternID=111;</exec>
</pattern>
<pattern>
<id>112</id>
<name>Event - 8003</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>8003</value>
</matchfield>
<exec>$PatternID=112;</exec>
</pattern>
<pattern>
<id>113</id>
<name>Event - 8004</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>8004</value>
</matchfield>
<exec>$PatternID=113;</exec>
</pattern>
<pattern>
<id>114</id>
<name>Event - 8006</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>8006</value>
</matchfield>
<exec>$PatternID=114;</exec>
</pattern>
<pattern>
<id>115</id>
<name>Event - 8007</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>8007</value>
</matchfield>
<exec>$PatternID=115;</exec>
</pattern>
<pattern>
<id>116</id>
<name>Event - 865</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>865</value>
</matchfield>
<exec>$PatternID=116;</exec>
</pattern>
<pattern>
<id>117</id>
<name>Event - 866</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>866</value>
</matchfield>
<exec>$PatternID=117;</exec>
</pattern>
<pattern>
<id>118</id>
<name>Event - 867</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>867</value>
</matchfield>
<exec>$PatternID=118;</exec>
</pattern>
<pattern>
<id>119</id>
<name>Event - 868</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>868</value>
</matchfield>
<exec>$PatternID=119;</exec>
</pattern>
<pattern>
<id>120</id>
<name>Event - 882</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>882</value>
</matchfield>
<exec>$PatternID=120;</exec>
</pattern>
<pattern>
<id>121</id>
<name>Event - 10110</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>10110</value>
</matchfield>
<exec>$PatternID=121;</exec>
</pattern>
<pattern>
<id>122</id>
<name>Event - 10111</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>10111</value>
</matchfield>
<exec>$PatternID=122;</exec>
</pattern>
<pattern>
<id>123</id>
<name>Event - 1000</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1000</value>
</matchfield>
<exec>$PatternID=123;</exec>
</pattern>
<pattern>
<id>124</id>
<name>Event - 1001</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>1001</value>
</matchfield>
<exec>$PatternID=124;</exec>
</pattern>
<pattern>
<id>125</id>
<name>Event - 4768</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4768</value>
</matchfield>
<exec>$PatternID=125;</exec>
</pattern>
<pattern>
<id>126</id>
<name>Event - 4769</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4769</value>
</matchfield>
<exec>$PatternID=126;</exec>
</pattern>
<pattern>
<id>127</id>
<name>Event - 4770</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4770</value>
</matchfield>
<exec>$PatternID=127;</exec>
</pattern>
<pattern>
<id>128</id>
<name>Event - 4771</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4771</value>
</matchfield>
<exec>$PatternID=128;</exec>
</pattern>
<pattern>
<id>129</id>
<name>Event - 4802</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4802</value>
</matchfield>
<exec>$PatternID=129;</exec>
</pattern>
<pattern>
<id>130</id>
<name>Event - 4803</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4803</value>
</matchfield>
<exec>$PatternID=130;</exec>
</pattern>
<pattern>
<id>131</id>
<name>Event - 7031</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7031</value>
</matchfield>
<exec>$PatternID=131;</exec>
</pattern>
<pattern>
<id>132</id>
<name>Event - 7032</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7032</value>
</matchfield>
<exec>$PatternID=132;</exec>
</pattern>
<pattern>
<id>133</id>
<name>Event - 7030</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7030</value>
</matchfield>
<exec>$PatternID=133;</exec>
</pattern>
<pattern>
<id>134</id>
<name>Event - 7001</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7001</value>
</matchfield>
<exec>$PatternID=134;</exec>
</pattern>
<pattern>
<id>135</id>
<name>Event - 10010</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>10010</value>
</matchfield>
<exec>$PatternID=135;</exec>
</pattern>
<pattern>
<id>136</id>
<name>Event - 10016</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>10016</value>
</matchfield>
<exec>$PatternID=136;</exec>
</pattern>
<pattern>
<id>137</id>
<name>Event - 528</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>528</value>
</matchfield>
<exec>$PatternID=137;</exec>
</pattern>
<pattern>
<id>138</id>
<name>Event - 538</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>538</value>
</matchfield>
<exec>$PatternID=138;</exec>
</pattern>
<pattern>
<id>139</id>
<name>Event - 540</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>540</value>
</matchfield>
<exec>$PatternID=139;</exec>
</pattern>
<pattern>
<id>140</id>
<name>Event - 551</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>551</value>
</matchfield>
<exec>$PatternID=140;</exec>
</pattern>
<pattern>
<id>141</id>
<name>Event - 552</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>552</value>
</matchfield>
<exec>$PatternID=141;</exec>
</pattern>
<pattern>
<id>142</id>
<name>Event - 576</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>576</value>
</matchfield>
<exec>$PatternID=142;</exec>
</pattern>
<pattern>
<id>143</id>
<name>Event - 615</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>615</value>
</matchfield>
<exec>$PatternID=143;</exec>
</pattern>
<pattern>
<id>144</id>
<name>Event - 624</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>624</value>
</matchfield>
<exec>$PatternID=144;</exec>
</pattern>
<pattern>
<id>145</id>
<name>Event - 626</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>626</value>
</matchfield>
<exec>$PatternID=145;</exec>
</pattern>
<pattern>
<id>146</id>
<name>Event - 628</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>628</value>
</matchfield>
<exec>$PatternID=146;</exec>
</pattern>
<pattern>
<id>147</id>
<name>Event - 632</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>632</value>
</matchfield>
<exec>$PatternID=147;</exec>
</pattern>
<pattern>
<id>148</id>
<name>Event - 636</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>636</value>
</matchfield>
<exec>$PatternID=148;</exec>
</pattern>
<pattern>
<id>149</id>
<name>Event - 642</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>642</value>
</matchfield>
<exec>$PatternID=149;</exec>
</pattern>
<pattern>
<id>150</id>
<name>Event - 680</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>680</value>
</matchfield>
<exec>$PatternID=150;</exec>
</pattern>
<pattern>
<id>151</id>
<name>Event - 7035</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>7035</value>
</matchfield>
<exec>$PatternID=151;</exec>
</pattern>
<pattern>
<id>152</id>
<name>Event - 4698</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4698</value>
</matchfield>
<exec>$PatternID=152;</exec>
</pattern>
<pattern>
<id>153</id>
<name>Event - 4699</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4699</value>
</matchfield>
<exec>$PatternID=153;</exec>
</pattern>
<pattern>
<id>154</id>
<name>Event - 4700</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4700</value>
</matchfield>
<exec>$PatternID=154;</exec>
</pattern>
<pattern>
<id>155</id>
<name>Event - 4701</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4701</value>
</matchfield>
<exec>$PatternID=155;</exec>
</pattern>
<pattern>
<id>156</id>
<name>Event - 4702</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>4702</value>
</matchfield>
<exec>$PatternID=156;</exec>
</pattern>
<pattern>
<id>157</id>
<name>Event - 5139</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>5139</value>
</matchfield>
<exec>$PatternID=157;</exec>
</pattern>
<pattern>
<id>158</id>
<name>Event - 5141</name>
<matchfield>
<name>EventID</name>
<type>exact</type>
<value>5141</value>
</matchfield>
<exec>$PatternID=158;</exec>
</pattern>
</group>
</patterndb>