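# Snare-format Windows Event Log receiver (NXLog configuration).
# NOTE(review): the enclosing <Extension>/<Input>/<Route> tags are not
# visible in this listing; the directives below are grouped by module.

# CSV parser for the Snare record: 15 tab-separated fields, 15 types.
# Column order must match what the Snare agent emits; a mismatch shifts
# every later field (and makes $Expanded / $MD5Checksum meaningless).
Module xm_csv
Fields $MSWinEventLog, $Criticality, $EventLogSource, $SnareCounter, \
$SubmitTime, $EventID, $SourceName, $UserName, $SIDType, \
$EventLogType, $ComputerName, $Category, $Data, $Expanded, \
$MD5Checksum
FieldTypes string, integer, string, integer, datetime, integer, string, \
string, string, string, string, string, string, string, string
Delimiter \t

Module xm_json

Module xm_syslog

# Plain UDP listener on every interface. UDP syslog carries no
# authentication or integrity protection and the source address can be
# spoofed, so a datagram reaching this port is only as trustworthy as the
# network path. Restrict the port at the firewall to the Snare hosts, or
# use a TCP/TLS transport if the agents support it.
Module im_udp
Host 0.0.0.0
Port 6161
# Parse the BSD syslog header ($Hostname, facility, ...) first.
parse_syslog_bsd();
# Some Snare agents prefix the record with "<hostname>\t". The class
# [\w.-] accepts hyphens and dots, which Windows hostnames commonly
# contain; a bare \w+ left such records unmatched and therefore unparsed.
if $Message =~ /^(([\w.-]+)\t)?(MSWinEventLog.+)$/
{
# The in-message hostname overrides the one from the syslog header.
# Both come from the (unauthenticated) sender, so neither is a
# verified identity on its own.
if $2 != ''
{
$Hostname = $2;
$Message = $3;
}
# Splits the record into the fields declared for xm_csv above.
snare->parse_csv($Message);
# Keep the human-readable description as $Message; the structured
# fields stay on the event for downstream modules (e.g. xm_json).
$Message = $Expanded;
}
# NOTE(review): the "out" module is not in this listing.
Path in => out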