box.win_kinesis
Introduction
The tags beginning with box.win_kinesis identify events generated by the Windows Kinesis Agent.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as box.win_kinesis. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Windows Kinesis Agent | box.win_kinesis.application | box.win_kinesis.application |
 | box.win_kinesis.invalid | box.win_kinesis.invalid |
 | box.win_kinesis.security | box.win_kinesis.security |
 | box.win_kinesis.system | box.win_kinesis.system |
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
box.win_kinesis
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
hostIp | | | |
type | | vtype | |
EventId | | | |
Description | | | |
LevelDisplayName | | | |
LogName | | | |
MachineName | | | |
ProviderName | | | |
TimeCreated | | | |
Index | | | |
UserName | | | |
Keywords | | | |
subject__security_id | | | |
subject__account_name | | | |
subject__account_domain | | | |
subject__logon_id | | | |
account_information__security_id | | | |
account_information__account_name | | | |
account_information__account_domain | | | |
network_information__workstation_name | | | |
network_information__source_address | | | |
network_information__source_port | | | |
network_information__destination_address | | | |
network_information__destination_port | | | |
failure_reason__failure_reason | | | |
failure_reason__status | | | |
failure_reason__sub_status | | | |
process_information__process_id | | | |
process_information__process_name | | | |
service_information__service_id | | | |
service_information__service_name | | | |
service_information__service_file_name | | | |
service_information__service_type | | | |
service_information__service_start_type | | | |
service_information__service_account | | | |
access_request_information__access_mask | | | |
access_request_information__accesses | | | |
access_request_information__access_reasons | | | |
access_request_information__properties | | | |
logon_type | | | |
object_server | | | |
object_name | | | |
object_type | | | |
object_value_name | | | |
object_handle_id | | | |
operation_type | | | |
share_information__share_name | | | |
share_information__share_path | | | |
share_information__relative_target_name | | | |
task_information__task_name | | | |
task_information__task_content | | | |
attribute__sam_account_name | | | |
attribute__ldap_display_name | | | |
attribute__value | | | |
additional_information__ticket_options | | | |
additional_information__ticket_encryption_type | | | |
additional_information__privileges | | | |
audit_policy__changes | | | |
change_information__new_value | | | |
filter_information__layer_runtime_id | | | |
detailed_authentication_information__authentication_package | | | |
detailed_authentication_information__key_length | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | |
box.win_kinesis.application
Field | Type | Extra fields |
---|---|---|
eventdate | | |
EventId | | |
Description | | |
LevelDisplayName | | |
LogName | | |
MachineName | | |
ProviderName | | |
TimeCreated | | |
Index | | |
UserName | | |
Keywords | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |
box.win_kinesis.invalid
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
host | | split(hostchain, "=", 0) | hostchain | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
box.win_kinesis.security
Field | Type | Extra fields |
---|---|---|
eventdate | | |
EventId | | |
Description | | |
LevelDisplayName | | |
LogName | | |
MachineName | | |
ProviderName | | |
TimeCreated | | |
Index | | |
UserName | | |
Keywords | | |
account_information__security_id | | |
account_information__account_name | | |
account_information__account_domain | | |
account_information__logon_guid | | |
service_information__service_name | | |
service_information__service_id | | |
service_information__service_file_name | | |
service_information__service_type | | |
service_information__service_start_type | | |
service_information__service_account | | |
application_information__process_id | | |
application_information__application_name | | |
subject__security_id | | |
subject__account_name | | |
subject__account_domain | | |
subject__logon_id | | |
logon_type | | |
new_logon__security_id | | |
new_logon__account_name | | |
new_logon__account_domain | | |
new_logon__logon_id | | |
new_logon__logon_guid | | |
failure_reason__failure_reason | | |
failure_reason__status | | |
failure_reason__sub_status | | |
process_information__process_id | | |
process_information__process_name | | |
network_information__direction | | |
network_information__workstation_name | | |
network_information__source_network_address | | |
network_information__source_address | | |
network_information__source_port | | |
network_information__client_address | | |
network_information__client_port | | |
network_information__destination_address | | |
network_information__destination_port | | |
network_information__protocol | | |
network_information__object_type | | |
share_information__share_name | | |
share_information__share_path | | |
share_information__relative_target_name | | |
task_information__task_name | | |
task_information__task_content | | |
access_request_information__access_mask | | |
access_request_information__accesses | | |
access_request_information__properties | | |
access_request_information__access_reasons | | |
access_check_results | | |
filter_information__filter_runtime_id | | |
filter_information__layer_name | | |
filter_information__layer_runtime_id | | |
detailed_authentication_information__logon_process | | |
detailed_authentication_information__authentication_package | | |
detailed_authentication_information__transited_services | | |
detailed_authentication_information__package_name | | |
detailed_authentication_information__key_length | | |
additional_information__ticket_options | | |
additional_information__ticket_encryption_type | | |
additional_information__failure_code | | |
additional_information__result_code | | |
additional_information__transited_services | | |
additional_information__pre_authentication_type | | |
object_server | | |
object_name | | |
object_type | | |
object_value_name | | |
object_handle_id | | |
operation_type | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |
box.win_kinesis.system
Field | Type | Extra fields |
---|---|---|
eventdate | | |
EventId | | |
Description | | |
LevelDisplayName | | |
LogName | | |
MachineName | | |
ProviderName | | |
TimeCreated | | |
Index | | |
UserName | | |
Keywords | | |
service_information__service_name | | |
service_information__service_file_name | | |
service_information__service_type | | |
service_information__service_start_type | | |
service_information__service_account | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | |