
Profile: modules/windows/event-logs.toml

Source

  • Original path: profiles/modules/windows/event-logs.toml

Profile (TOML)

# Windows Event Logs module. Selects the .evtx files behind the classic
# System / Security / Application channels and a handful of provider
# channels (PowerShell, Sysmon, Terminal Services, Defender, Task Scheduler),
# plus the directory that holds them.

[module]
name = "Windows Event Logs"
category = "windows"
platform = ["windows"]
priority = "high"
description = "Windows Event Log files (.evtx) for system, security, and application events"

# Catch-all: any file whose name ends in .evtx, whatever the channel.
# The narrower entries that follow overlap with this one; presumably they
# exist so the named channels can be labelled individually, not because
# the catch-all would miss them. Literal strings ('...') are used so the
# regex needs no TOML-level backslash escaping.
[[patterns]]
name = "EVTX File"
type = "regex"
pattern = '\.evtx$'
case-insensitive = true

# Classic channels. Unlike the catch-all these are not anchored with "$",
# so under search semantics a name that continues past ".evtx" (e.g. a
# ".evtx.bak" copy) or that merely ends in "System.evtx" also matches.
# NOTE(review): confirm whether the matcher does search or full-match
# before relying on that distinction.
[[patterns]]
name = "System Event Log"
type = "regex"
pattern = 'System\.evtx'
case-insensitive = true

[[patterns]]
name = "Security Event Log"
type = "regex"
pattern = 'Security\.evtx'
case-insensitive = true

[[patterns]]
name = "Application Event Log"
type = "regex"
pattern = 'Application\.evtx'
case-insensitive = true

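# PowerShell logs. The other provider entries in this file put ".*" between
# the provider name and "\.evtx" so a channel suffix is accepted; this
# entry used to require ".evtx" immediately after "PowerShell", so only the
# classic "Windows PowerShell.evtx" matched and a provider file with a
# suffix after the name (e.g. "...PowerShell%4Operational.evtx", on hosts
# where that channel exists) was not attributed to this entry. The old
# "Windows PowerShell" alternative was also redundant, since "PowerShell"
# already matches inside it. The catch-all .evtx pattern still collected
# such files; only the per-entry attribution was missing.
[[patterns]]
name = "PowerShell Event Log"
type = "regex"
pattern = 'PowerShell.*\.evtx'
case-insensitive = true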

# Provider channels. Each provider name is followed by ".*" so whatever
# sits between the name and ".evtx" (the channel suffix) is accepted.
# Literal strings keep the regex free of TOML escaping; none of these is
# anchored at the end, so a trailing suffix after ".evtx" would also match.
[[patterns]]
name = "Sysmon Event Log"
type = "regex"
pattern = 'Microsoft-Windows-Sysmon.*\.evtx'
case-insensitive = true

[[patterns]]
name = "Terminal Services Event Log"
type = "regex"
pattern = 'TerminalServices.*\.evtx'
case-insensitive = true

[[patterns]]
name = "Windows Defender Event Log"
type = "regex"
pattern = 'Windows Defender.*\.evtx'
case-insensitive = true

[[patterns]]
name = "TaskScheduler Event Log"
type = "regex"
pattern = 'TaskScheduler.*\.evtx'
case-insensitive = true

# The Winevt\Logs directory itself, accepting either path separator.
# This is a path-component match rather than an extension match, so if
# the matcher is applied to full paths, anything under that directory is
# selected, not only .evtx files. The literal string yields the regex
# Winevt[/\\]Logs, i.e. a character class of "/" and "\".
[[patterns]]
name = "Winevt Logs Directory"
type = "regex"
pattern = 'Winevt[/\\]Logs'
case-insensitive = true