Expected Log Samples

Windows BITS

JSON

<14>Jul  7 11:01:49 ABC.local Microsoft-Windows-Bits-Client[2044]: {"EventTime":"2021-07-07T11:01:49.883794+05:45","Hostname":"ABC.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2, "Severity":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}","Version":3,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4973,"ExecutionProcessID":8112,"ExecutionThreadID":4548,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-2-123","AccountType":"User","Message":"The BITS service created a new job.\r\nTransfer job: Font Download\r\nJob ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}\r\nOwner: NT AUTHORITY\\LOCAL SERVICE\r\nProcess Path: C:\\Windows\\System32\\svchost.exe\r\nProcess ID: 2041","Opcode":"Info","jobTitle":"Font Download","jobId":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}","jobOwner":"NT AUTHORITY\\LOCAL SERVICE","processPath":"C:\\Windows\\System32\\svchost.exe","processId":"2044","ClientProcessStartKey":"15199648742375471","EventReceivedTime":"2021-07-09T10:36:00.024797+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}

Windows ADFS

JSON

<14>Feb 21 09:10:37 ABC AD_FS_Auditing: {"EventTime":"2019-02-21 09:10:37","Hostname":"ABC","Keywords":-xxxxxxxxxxxxxxxxxxxx,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":410,"SourceName":"AD FS Auditing","Task":3,"RecordNumber":xxxxxxxx,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Security","Domain":"ABC","AccountName":"xxx-ADFS","UserID":"x-x-x-xx-xxxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx","AccountType":"User","Message":"Following request context headers present : \r\n\r\nActivity ID: 00000000-0000-0000-xx00-00800x0000xx \r\n\r\nX-MS-Client-Application: - \r\nX-MS-Client-User-Agent: - \r\nclient-request-id: - \r\nX-MS-Endpoint-Absolute-Path: /adfs/ls/idpInitiatedxxxxxx.aspx \r\nX-MS-Forwarded-Client-IP: - \r\nX-MS-Proxy: -","Opcode":"Info","EventData":"<Data>00000000-0000-0000-xx00-00800x0000xx</Data><Data>X-MS-Client-Application</Data><Data>-</Data><Data>X-MS-Client-User-Agent</Data><Data>-</Data><Data>client-request-id</Data><Data>-</Data><Data>X-MS-Endpoint-Absolute-Path</Data><Data>/adfs/ls/idpInitiatedxxxxxx.aspx</Data><Data>X-MS-Forwarded-Client-IP</Data><Data>-</Data><Data>X-MS-Proxy</Data><Data>-</Data>","EventReceivedTime":"2019-02-21 09:10:38","SourceModuleName":"wineventlog_in","SourceModuleType":"im_msvistalog"}

Windows DNS

SNARE

<13>Oct 17 10:37:46 XYZ 17-10-2018 10:37:19 1460 PACKET 000000xxxxxxxxxx UDP Rcv xxx.xxx.x.x 7cf7 Q [0001 D NOERROR] A (10)XYZ(2)u1(2)logpoint(2)xx(0)

JSON

<13>Sep 12 15:47:39 xxxxxxxx {"EventTime":"2018-09-12 15:47:39","ThreadId":"0924","Context":"PACKET","InternalPacketIdentifier":"000000xxxxxxxxxx","Protocol":"UDP","SendReceiveIndicator":"Rcv","RemoteIP":"xx.xx.x.xx","Xid":"xxxx","QueryResponseIndicator":"Query","Opcode":"Standard Query","FlagsHex":"0001","RecursionDesired":true,"ResponseCode":"NOERROR","QuestionType":"A","QuestionName":"xxxxxxx.xx.xxx","EventReceivedTime":"2018-09-12 15:47:40","SourceModuleName":"in","SourceModuleType":"im_file"}
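The SNARE line above is the raw Windows DNS debug-log PACKET record (date, time, thread, context, packet id, protocol, direction, remote IP, XID, Q/R column, opcode, flags, question) behind a syslog header; the JSON line is the same record after normalization into named fields. The Python below is an added example, not Logpoint's or NXLog's code: it parses the SNARE form into the JSON field names shown on this page, decodes the length-prefixed question name, and cross-checks the flag characters against the hex flags column so a mangled line is noticed. Two assumptions are built in and labelled in the code: the hex column is the 16-bit DNS header flags word written low byte first (the only reading under which 0001 pairs with flag character D as on this page), and the response, no-RD and mangled lines are constructed, not taken from the page.

```python
import re

# Syslog envelope in front of the SNARE sample: <PRI>Mon dd HH:MM:SS host <DNS debug-log record>
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>.*)$"
)

# Windows DNS debug-log PACKET record, after whitespace is collapsed to single spaces:
#   date time thread context packet-id UDP|TCP Snd|Rcv remote-ip xid [R] opcode [flags-hex flag-chars rcode] qtype qname
# The Q/R column is blank for queries and "R" for responses, so it survives as an optional token,
# and the flag-chars column is empty for a query without RD (hence the optional group).
DNS_PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<thread>\S+) (?P<context>\S+) (?P<pktid>\S+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<remote_ip>\S+) (?P<xid>[0-9A-Fa-f]{4}) "
    r"(?:(?P<qr>R) )?(?P<opcode>[QNU]) "
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})(?: (?P<flags_chars>[ATDR]+))? (?P<rcode>[A-Z]+)\] "
    r"(?P<qtype>\S+) (?P<qname>\S+)$"
)
OPCODES = {"Q": "Standard Query", "N": "Notify", "U": "Update"}
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_qname(encoded):
    """(3)www(8)logpoint(3)com(0) -> www.logpoint.com. Length prefixes are ignored: on the
    page's anonymized sample they no longer match the label text."""
    return ".".join(label for _, label in LABEL_RE.findall(encoded) if label)


def decode_flags_hex(flags_hex):
    """Decode the 4-hex-digit flags column into DNS header bits.
    Assumption (checked only against samples such as the page's, where 0001 pairs with flag
    char D): Windows writes the 16-bit header flags low byte first, so 0001 is RD and 8081 is QR+RD+RA."""
    raw = int(flags_hex, 16)
    wire = ((raw & 0xFF) << 8) | (raw >> 8)  # undo the byte swap to get RFC 1035 bit order
    return {
        "qr": bool(wire & 0x8000), "aa": bool(wire & 0x0400), "tc": bool(wire & 0x0200),
        "rd": bool(wire & 0x0100), "ra": bool(wire & 0x0080), "rcode": wire & 0x000F,
    }


def parse_snare_dns(line):
    """Parse one SNARE-shipped DNS debug-log line into the field names the JSON sample uses."""
    env = SYSLOG_RE.match(line)
    if not env:
        raise ValueError("not a syslog-framed line")
    pkt = DNS_PACKET_RE.match(" ".join(env["payload"].split()))
    if not pkt:
        raise ValueError("not a DNS debug-log PACKET record")
    pri = int(env["pri"])
    chars = pkt["flags_chars"] or ""
    bits = decode_flags_hex(pkt["flags_hex"])
    event = {
        "Facility": pri >> 3, "Severity": pri & 7, "Hostname": env["host"],
        "ThreadId": pkt["thread"], "Context": pkt["context"],
        "InternalPacketIdentifier": pkt["pktid"], "Protocol": pkt["proto"],
        "SendReceiveIndicator": pkt["dir"], "RemoteIP": pkt["remote_ip"], "Xid": pkt["xid"],
        "QueryResponseIndicator": "Response" if pkt["qr"] else "Query",
        "Opcode": OPCODES[pkt["opcode"]], "FlagsHex": pkt["flags_hex"],
        "AuthoritativeAnswer": "A" in chars, "Truncated": "T" in chars,
        "RecursionDesired": "D" in chars, "RecursionAvailable": "R" in chars,
        "ResponseCode": pkt["rcode"], "QuestionType": pkt["qtype"],
        "QuestionName": decode_qname(pkt["qname"]),
    }
    # The char codes and the hex column describe the same header; disagreement means the line was mangled in transit.
    event["FlagsConsistent"] = bits["rd"] == event["RecursionDesired"] and bits["qr"] == (pkt["qr"] == "R")
    return event


SAMPLES = [
    # The page's SNARE sample, verbatim (hostname, packet id and IP anonymized on the page).
    "<13>Oct 17 10:37:46 XYZ 17-10-2018 10:37:19 1460 PACKET 000000xxxxxxxxxx UDP Rcv xxx.xxx.x.x 7cf7 Q [0001 D NOERROR] A (10)XYZ(2)u1(2)logpoint(2)xx(0)",
    # Constructed response: the Q/R column now carries "R" and flags 8081 = QR+RD+RA.
    "<13>Oct 17 10:37:46 XYZ 17-10-2018 10:37:19 1460 PACKET 000000ABCDEF0123 UDP Snd 10.0.0.5 7cf7 R Q [8081 DR NOERROR] A (3)www(8)logpoint(3)com(0)",
    # Constructed iterative query over TCP with no flag characters at all.
    "<13>Oct 17 10:37:47 XYZ 17-10-2018 10:37:20 1460 PACKET 000000ABCDEF0124 TCP Rcv 10.0.0.5 7cf8 Q [0000 NOERROR] AAAA (8)logpoint(3)com(0)",
    # Constructed mangled line: char code says RD but the hex column does not.
    "<13>Oct 17 10:37:48 XYZ 17-10-2018 10:37:21 1460 PACKET 000000ABCDEF0125 UDP Rcv 10.0.0.5 7cf9 Q [0000 D NOERROR] A (3)www(8)logpoint(3)com(0)",
]


def parse_all(lines=SAMPLES):
    return [parse_snare_dns(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev["QueryResponseIndicator"], ev["QuestionType"], ev["QuestionName"], "consistent=%s" % ev["FlagsConsistent"])
```

Feed a raw dns.log straight from the server through the same function only after normalizing its date/time columns: the SNARE agent has already converted them to the single 24-hour `dd-mm-yyyy hh:mm:ss` pair the regex expects.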

Windows DHCP

JSON

<13>May 29 20:24:08 WIN-xxxxxxxxxxxx DHCPEvents: {"EventReceivedTime":"2019-05-29 20:24:08","SourceModuleName":"in_dhcp","SourceModuleType":"im_file","EventID":"31","Date":"05/29/19","Time":"20:24:08","Description":"DNS Update Failed","IPAddress":"xxx.xxx.xx.xx","ReportedHostname":"WIN-xxxxxxxxxxxx.logpoint.local","TransactionID":"0","QResult":"6","DnsRegError":"xxxx","EventTime":"2019-05-29 20:24:08","SourceName":"xxxxxxxxxx"}

Windows NPS

JSON

<14>Jun 11 10:46:07 ABC NPS[0]: {"EventTime":"2019-06-11 10:46:07","Hostname":"ABC","Keywords":"xxxxxxxxxxxxx","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":xxxx,"SourceName":"NPS","TaskValue":0,"RecordNumber":xxxxxxx,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"A LDAP connection with domain controller ABC for domain U1 is established.","EventData":"<Data>ABC</Data><Data>U1</Data>","EventReceivedTime":"2019-06-11 10:46:08","SourceModuleName":"wineventlog_in","SourceModuleType":"im_msvistalog"}

Windows Security Auditing

JSON

<11>Mar 16 09:36:01 logpoint.com Microsoft-Windows-Security-Auditing[4]: {"EventTime":"2018-03-16 09:36:01","Hostname":"logpoint.com","Keywords":-xxxxxxxxxxxxxxxxxxx,"EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":5038,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}","Version":0,"Task":12290,"OpcodeValue":0,"RecordNumber":xxxxxxxxxxxxx,"ProcessID":4,"ThreadID":76,"Channel":"Security","Message":"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\r\n\r\nFile Name:\t\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\nsrbbb.sys\t","Category":"System Integrity","Opcode":"Info","param1":"\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\nsrbbb.sys","EventReceivedTime":"2018-03-16 09:36:02","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}

Windows Sysmon

JSON

<14>May 19 11:50:10 ABC Microsoft-Windows-Sysmon[4920]: {"EventTime":"2020-05-19T11:50:10.151097+00:00","Hostname":"ABC","Keywords":"xxxxxxxxxxxxxxxxx","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":12,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}","Version":2,"TaskValue":12,"OpcodeValue":0,"RecordNumber":xxxxxx,"ExecutionProcessID":2892,"ExecutionThreadID":3860,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"xx xxxxxxxx","AccountName":"xxxxxx","UserID":"x-x-x-xx","AccountType":"User","Message":"Registry object added or deleted:\r\nRuleName: T1122\r\nEventType: DeleteValue\r\nUtcTime: 2020-05-15 07:19:10.126\r\nProcessGuid: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\r\nProcessId: xxxx\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: xxxx\\Software\\Microsoft\\Office\\14.0\\WordResiliency","Category":"Registry object added or deleted (rule: RegistryEvent)","Opcode":"Info","RuleName":"T1122","UtcTime":"2020-05-15 07:19:10.126","ProcessGuid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}","ProcessId":"4920","Image":"C:\\Windows\\system32\\reg.exe","TargetObject":"xxxx\\Software\\Microsoft\\Office\\14.0\\WordResiliency","EventReceivedTime":"2020-05-15T07:25:46.433823+00:00","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}

Windows Service Control Manager

JSON

<11>May 13 05:18:40 SERVER Service_Control_Manager[588]: {"EventTime":"2021-05-13 05:18:40","Hostname":"ABC","Keywords":"xxxxxxxxxxxxxxxxxxxx","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":7000,"SourceName":"Service Control Manager","ProviderGuid":"{xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":61624,"ExecutionProcessID":588,"ExecutionThreadID":1236,"Channel":"System","Message":"The service name service failed to start due to the following error: \r\nThe account name is invalid or does not exist, or the password is invalid for the account name specified.","param1":"service name","param2":"%%1057","EventReceivedTime":"2021-05-13 05:18:41","SourceModuleName":"wineventlog_in","SourceModuleType":"im_msvistalog"}
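Every JSON sample on this page shares one envelope: a syslog priority and timestamp, the host, an optional program[pid] tag (the DNS JSON line has none), and a JSON object whose Message field still carries the Windows "Key: Value" text. The Python below is an added example, not Logpoint's or NXLog's code: it splits that envelope, parses the JSON, breaks Message into fields, and runs a few triage rules over sample lines trimmed from this page's BITS, Security 5038, Service Control Manager 7000 and Sysmon 12 records plus one constructed BITS line whose job was created by powershell.exe. The "svchost.exe is the expected BITS job creator" heuristic and the severity labels are illustrative assumptions, not Logpoint rules; anonymized numeric fields (Keywords, RecordNumber) were dropped from the trimmed samples so they parse as JSON, and the Sysmon syslog timestamp was taken from its EventTime.

```python
import json
import re

# Syslog envelope NXLog puts in front of the JSON payload:  <PRI>Mon dd HH:MM:SS host [program[pid]:] {json}
# The program[pid] part is optional because the DNS JSON sample on this page carries none.
ENVELOPE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \S+) (?P<host>\S+) "
    r"(?:(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?(?P<json>\{.*\})\s*$"
)


def parse_message_fields(message):
    """Split the Windows Message text into its 'Key: Value' lines. Lines with no value after the
    colon, or no colon at all, are the human-readable lead sentence and go under 'Summary'."""
    fields, summary = {}, []
    for raw in re.split(r"\r?\n", message):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
        else:
            summary.append(line.rstrip(":").strip())
    fields["Summary"] = " ".join(summary)
    return fields


def parse_event(line):
    """Return the JSON payload as a dict, with the syslog envelope under '_syslog' and the
    Message key/values under '_message_fields'."""
    m = ENVELOPE_RE.match(line)
    if not m:
        raise ValueError("line is not syslog-framed JSON")
    event = json.loads(m["json"])
    pri = int(m["pri"])
    event["_syslog"] = {"facility": pri >> 3, "severity": pri & 7, "host": m["host"],
                        "program": m["program"], "pid": m["pid"]}
    if isinstance(event.get("Message"), str):
        event["_message_fields"] = parse_message_fields(event["Message"])
    return event


def triage(event):
    """Return (severity, reason) for events a SOC would act on, or None. Rules are keyed on
    SourceName + EventID because EventID alone is reused across providers."""
    source, event_id = event.get("SourceName"), event.get("EventID")
    fields = event.get("_message_fields", {})
    if source == "Microsoft-Windows-Security-Auditing" and event_id == 5038:
        return ("high", "code integrity rejected the image hash of %s" % event.get("param1"))
    if source == "Microsoft-Windows-Bits-Client" and event_id == 3:
        # Assumption for illustration: the service host is the expected job creator; anything else gets a look.
        path = (event.get("processPath") or fields.get("Process Path", "")).lower()
        if not path.endswith("\\svchost.exe"):
            return ("medium", "BITS job '%s' created by %s" % (event.get("jobTitle"), path))
        return None
    if source == "Service Control Manager" and event_id == 7000 and event.get("param2") == "%%1057":
        # %%1057 is the code behind the page's message text: bad account name or password for the service.
        return ("medium", "service '%s' failed to start: account name or password invalid" % event.get("param1"))
    if source == "Microsoft-Windows-Sysmon" and event_id in (12, 13, 14):
        rule = event.get("RuleName") or fields.get("RuleName")
        if rule:
            return ("low", "registry %s by %s tagged %s" % (fields.get("EventType"), event.get("Image"), rule))
    return None


def triage_lines(lines):
    """Parse each line and return (EventID, severity, reason) for the ones worth a ticket."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = triage(event)
        if verdict:
            hits.append((event["EventID"], verdict[0], verdict[1]))
    return hits


SAMPLES = [
    # BITS job created by svchost.exe (trimmed from the page's sample).
    r'<14>Jul  7 11:01:49 ABC.local Microsoft-Windows-Bits-Client[2044]: {"EventTime":"2021-07-07T11:01:49.883794+05:45","Hostname":"ABC.local","EventType":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Bits-Client","Channel":"Microsoft-Windows-Bits-Client/Operational","Message":"The BITS service created a new job.\r\nTransfer job: Font Download\r\nJob ID: {00000000-0000-0000-0000-000000000000}\r\nOwner: NT AUTHORITY\\LOCAL SERVICE\r\nProcess Path: C:\\Windows\\System32\\svchost.exe\r\nProcess ID: 2044","jobTitle":"Font Download","processPath":"C:\\Windows\\System32\\svchost.exe","processId":"2044"}',
    # Constructed (not on the page): same event shape, but the job was created by PowerShell.
    r'<14>Jul  7 11:02:03 ABC.local Microsoft-Windows-Bits-Client[2044]: {"EventTime":"2021-07-07T11:02:03.000000+05:45","Hostname":"ABC.local","EventType":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Bits-Client","Message":"The BITS service created a new job.\r\nTransfer job: update\r\nJob ID: {11111111-1111-1111-1111-111111111111}\r\nOwner: ABC\\user1\r\nProcess Path: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nProcess ID: 5120","jobTitle":"update","processPath":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","processId":"5120"}',
    # Security Auditing 5038 (trimmed from the page's sample).
    r'<11>Mar 16 09:36:01 logpoint.com Microsoft-Windows-Security-Auditing[4]: {"EventTime":"2018-03-16 09:36:01","Hostname":"logpoint.com","EventType":"AUDIT_FAILURE","EventID":5038,"SourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Message":"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\r\n\r\nFile Name:\t\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\nsrbbb.sys\t","param1":"\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\nsrbbb.sys"}',
    # Service Control Manager 7000 (trimmed from the page's sample).
    r'<11>May 13 05:18:40 SERVER Service_Control_Manager[588]: {"EventTime":"2021-05-13 05:18:40","Hostname":"ABC","EventType":"ERROR","EventID":7000,"SourceName":"Service Control Manager","Channel":"System","Message":"The service name service failed to start due to the following error: \r\nThe account name is invalid or does not exist, or the password is invalid for the account name specified.","param1":"service name","param2":"%%1057"}',
    # Sysmon 12 (trimmed from the page's sample; syslog timestamp taken from EventTime).
    r'<14>May 19 11:50:10 ABC Microsoft-Windows-Sysmon[4920]: {"EventTime":"2020-05-19T11:50:10.151097+00:00","Hostname":"ABC","EventID":12,"SourceName":"Microsoft-Windows-Sysmon","Channel":"Microsoft-Windows-Sysmon/Operational","Message":"Registry object added or deleted:\r\nRuleName: T1122\r\nEventType: DeleteValue\r\nUtcTime: 2020-05-15 07:19:10.126\r\nProcessId: 4920\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: xxxx\\Software\\Microsoft\\Office\\14.0\\WordResiliency","RuleName":"T1122","Image":"C:\\Windows\\system32\\reg.exe","TargetObject":"xxxx\\Software\\Microsoft\\Office\\14.0\\WordResiliency"}',
]


if __name__ == "__main__":
    for event_id, severity, reason in triage_lines(SAMPLES):
        print(event_id, severity, reason)
```

Keying rules on SourceName as well as EventID matters in practice: 7000 from Service Control Manager and 7000 from another provider are unrelated events, and a SIEM normalization that drops the provider would silently merge them.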
