-
Notifications
You must be signed in to change notification settings - Fork 0
/
windows_log_conf
50 lines (47 loc) · 2.1 KB
/
windows_log_conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#####
## Sample configuration file for Microsoft Windows.
## This is YAML, so structure and indentation is important.
## Lines can be uncommented by removing the #. You should not need to change the number of spaces after that.
## Config options have a single #, comments have a ##. Only uncomment the single # lines if you need them.
#####
## Uncomment dataDirectory if you need to manually set the directory.
## Note: Not used with Data Ingest / Fleet configuration
#dataDirectory: C:\ProgramData\LogScale Collector
sources:
windows_events:
type: wineventlog
## Add other channels by simple adding additional "name" lines.
## The following command can be used to find other channels:
## Get-WinEvent -ListLog * -EA silentlycontinue | sort-object -Property Recordcount -desc
channels:
- name: Application
- name: Security
- name: System
- name: Windows PowerShell
- name: ForwardedEvents
sink: next-gen-siem
sinks:
next-gen-siem:
type: hec
# Replace with your specified ingest token.
token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
# Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
# NOTE: you MUST REMOVE the "services/collector" from the URL if it exists.
url: https://ingest.XX-X.crowdstrike.com/api/ingest/hec/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/v1/
## Keep this option as "none" unless you actually need a proxy.
proxy: none
## This sets the maximum single event size to 8 MB. You can change as needed.
#maxEventSize: 8388608
## Uncomment if you would like to force a specific level of gzip compression. 9 is the highest.
#maxBatchSize: 16777216
#compression: gzip
#compressionLevel: 9
## Uncomment if you want to use disk for event queue storage instead of memory.
## Please note this will be much slower than a memory queue.
#queue:
#type: disk
#fullAction: pause
#maxLimitInMB: 4096
## Add more workers to processing. The default is 4 workers.
## This can be increased if FLC is falling behind on processing.
workers: 16