box.win
Deprecated parser
Note that the box.win parser is deprecated and no longer supported by Devo. We recommend using the corresponding box.win_* parser for your specific technology. Learn more about these parsers here.
Introduction
The system logs from a Windows machine are assigned the box.win tag.
Windows events must be converted to syslog format before being sent to the Devo Cloud. One tool useful for this is the Snare Agent for Windows from InterSect Alliance, which can read the Windows event logs in their native format and forward them to a remote syslog server, in this case to a Devo Relay or ProxyServerContainer, where the box.win tag is applied to the events.
Devo Relay - This is the recommended option for environments with a high volume of Windows events, for example when collecting logs simultaneously from more than ten Windows machines. In this case, configure the Snare Agent to send the logs to UDP/TCP port 13002 on the Devo Relay. This port is preconfigured to receive Windows system events, tag them as box.win, and forward them to the Devo Cloud. Since UDP gives no delivery guarantee, choose TCP on the Snare side for audit data so that bursts of events are not silently dropped.
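Before pointing real agents at the relay it is useful to replay one known event through the pipeline and confirm it arrives tagged as box.win. The script below, an added example that is neither Devo's nor Snare's code, frames a constructed Windows logon event in Snare's tab-separated MSWinEventLog layout inside an RFC 3164 syslog line and sends it over TCP. The field order in snare_payload(), the relay address in RELAY_HOST and the sample event are all assumptions: check the field order against the Snare Agent version you deploy, and the relay host against your own environment. loopback_roundtrip() verifies the framing against a throwaway local listener so the script runs offline.

```python
"""Replay a constructed Snare-style Windows event to a syslog receiver over TCP.

Added example; it is neither Devo's nor Snare's code.  Assumptions (all
labelled in comments): the tab-separated MSWinEventLog field order used by
snare_payload(), the hypothetical relay address in RELAY_HOST, and the sample
event, which is constructed here rather than taken from a real host.
"""
import socket
import threading
from datetime import datetime

RELAY_HOST = "relay.example.internal"  # assumption: your Devo Relay's address
RELAY_PORT = 13002                     # the port the page says is preconfigured for box.win

# Constructed sample event (a successful logon, event ID 4624, on a fictitious host).
SAMPLE_EVENT = {
    "criticality": 1,
    "log_name": "Security",
    "counter": 4711,
    "time_created": datetime(2024, 3, 5, 9, 15, 42),
    "event_id": 4624,
    "source": "Microsoft-Windows-Security-Auditing",
    "user": "N/A",
    "sid_type": "N/A",
    "event_type": "Success Audit",
    "computer": "WS01.corp.example",
    "category": "Logon",
    "message": "An account was successfully logged on.",
    "extra": "",
}


def snare_payload(ev):
    """Tab-separated MSWinEventLog record; field order is assumed from Snare's format."""
    fields = [
        "MSWinEventLog",
        str(ev["criticality"]),
        ev["log_name"],
        str(ev["counter"]),
        ev["time_created"].strftime("%a %b %d %H:%M:%S %Y"),
        str(ev["event_id"]),
        ev["source"],
        ev["user"],
        ev["sid_type"],
        ev["event_type"],
        ev["computer"],
        ev["category"],
        ev["message"],
        ev["extra"],
        str(ev["counter"]),
    ]
    # A tab or newline inside a field (e.g. in a message string) would shift every
    # later column, so flatten them before joining.
    return "\t".join(
        f.replace("\t", " ").replace("\r", " ").replace("\n", " ") for f in fields
    )


def syslog_line(ev, facility=1, severity=6):
    """RFC 3164 frame: <PRI>TIMESTAMP HOST payload, newline-terminated for TCP delivery."""
    pri = facility * 8 + severity
    dt = ev["time_created"]
    ts = f"{dt:%b} {dt.day:>2} {dt:%H:%M:%S}"  # day is space-padded in RFC 3164
    return f"<{pri}>{ts} {ev['computer']} {snare_payload(ev)}\n"


def send_tcp(line, host, port, timeout=5):
    """Send one framed event over TCP; returns the number of bytes written."""
    data = line.encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


def loopback_roundtrip(line):
    """Offline framing check: a throwaway listener on 127.0.0.1 returns what send_tcp() sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def accept_one():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            received.append(buf.decode("utf-8"))

    worker = threading.Thread(target=accept_one)
    worker.start()
    try:
        send_tcp(line, "127.0.0.1", port)
        worker.join(5)
    finally:
        srv.close()
    return received[0] if received else ""


if __name__ == "__main__":
    line = syslog_line(SAMPLE_EVENT)
    print(line, end="")
    # Swap the loopback check for send_tcp(line, RELAY_HOST, RELAY_PORT) to hit the relay.
    assert loopback_roundtrip(line) == line
```

After sending to the real relay, query the box.win table for the sample hostname and event ID; if nothing arrives, check the relay's port 13002 rule and any firewall between the agent host and the relay before touching the agent configuration.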
Valid tags and data tables
The full tag must have at least two levels. The first two are fixed as box.win; a third level, when present, identifies the type of events sent.
These are the valid tags and the corresponding data tables that receive the parser's data:
Product / Service | Tags | Data tables |
---|---|---|
Windows events | box.win | box.win |
For more information, see the article on Devo tags.
How is the data sent to Devo?
Learn how to ingest events into the box.win table in this article.
Table structure
These are the fields displayed in this table:
box.win
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
machineIp | | | | |
groupName | | | | |
logSource | | | | |
srceventdate | | nvl(timeCreated, nvl(parsedate(serverdate, serverdate_fmt), serverdate)) | serverdate_fmt, timeCreated, serverdate | |
keywords | | | | |
eventType | | | | |
eventID | | | | |
sourceName | | | | |
username | | | | |
sidType | | | | |
logType | | | | |
srcHost | | | | |
category | | | | |
direction | | | | |
srcIp | | | | |
srcPort | | | | |
dstIp | | | | |
dstPort | | | | |
dstHostname | | | | |
protocol | | | | |
secId | | | | |
account | | | | |
domain | | | | |
subjectSecId | | | | |
subjectUsername | | | | |
subjectDomain | | | | |
subjectLogonId | | | | |
logonType | | | | |
memberSecId | | | | |
memberAcctName | | | | |
groupSecurityId | | | | |
groupGroupName | | | | |
groupGroupDomain | | | | |
impersonationLevel | | | | |
restrictedAdminMode | | | | |
targetOutboundUserName | | | | |
targetOutboundDomainName | | | | |
virtualAccount | | | | |
targetLinkedLogonId | | | | |
elevatedToken | | | | |
reason | | | | |
reasonCode | | | | |
status | | | | |
subStatus | | | | |
logonId | | | | |
logonGuid | | | | |
procId | | | | |
procName | | | | |
procGuid | | | | |
newProcId | | | | |
newProcName | | | | |
commandLine | | | | |
workstation | | | | |
workstationName | | | | |
logonProc | | | | |
logonProcess | | | | |
authPkg | | | | |
keyLength | | | | |
servername | | | | |
targetInfo | | | | |
targetLogonGuid | | | | |
description | | | | |
extraInfo | | | | |
samAccount | | | | |
displayName | | | | |
principalName | | | | |
homeDir | | | | |
homeDrive | | | | |
filePath | | | | |
scriptPath | | | | |
profilePath | | | | |
userWorkstations | | | | |
lastPass | | | | |
accExpire | | | | |
groupId | | | | |
logonHours | | | | |
service | | | | |
serviceSid | | | | |
serviceFileName | | | | |
serviceType | | | | |
serviceStartType | | | | |
serviceAccount | | | | |
imagePath | | | | |
parentImage | | | | |
startType | | | | |
accountName | | | | |
ticketOpts | | | | |
ticketEncType | | | | |
preAuthType | | | | |
preAuthType2 | | | | |
certIssuer | | | | |
certSerial | | | | |
certThumbprint | | | | |
privileges | | | | |
destDra | | | | |
srcDra | | | | |
namingCtx | | | | |
options | | | | |
sessionId | | | | |
startUsn | | | | |
endUsn | | | | |
member | | | | |
memberSid | | | | |
context | | | | |
serverUrl | | | | |
serverId | | | | |
computer | | | | |
ComputerAccountChange | | | | |
SamAccountName | | | | |
DisplayName | | | | |
UserPrincipalName | | | | |
HomeDirectory | | | | |
HomePath | | | | |
ScriptPath | | | | |
ProfilePath | | | | |
UserWorkstations | | | | |
PasswordLastSet | | | | |
AccountExpires | | | | |
PrimaryGroupId | | | | |
AllowedToDelegateTo | | | | |
OldUacValue | | | | |
NewUacValue | | | | |
UserAccountControl | | | | |
UserParameters | | | | |
SidHistory | | | | |
LogonHours | | | | |
DnsHostName | | | | |
ServicePrincipalNames | | | | |
serviceServer | | | | |
discardedMessages | | | | |
objName | | trim(objName2) | objName2 | |
objValueName | | | | |
objType | | trim(objType2) | objType2 | |
objServer | | | objServer2 | |
objHandle | | | objHandle2 | |
objValName | | | objValName2 | |
oldValueType | | | | |
oldValue | | | | |
newValueType | | | | |
newValue | | | | |
resourceAttr | | | | |
tokenElevType | | | | |
mandatoryLabel | | | | |
desiredAccess | | | | |
failCode | | | | |
user | | | | |
logonFail | | | | |
appName | | | | |
filterRuntimeId | | | | |
LayerName | | | | |
LayerRuntimeId | | | | |
AccessMask | | | | |
AccessList | | | | |
accesses | | | | |
grantedAccess | | | | |
DNS_XfrScopeOptionValue | | | | |
DHCP_macAddress | | | | |
DHCP_error | | | | |
shareName | | | | |
shareLocalPath | | | | |
relativeTargetName | | | | |
deviceId | | | | |
deviceName | | | | |
classId | | | | |
className | | | | |
taskName | | | | |
taskContent | | | | |
targetObject | | | | |
targetImage | | | | |
dsName | | | | |
dsType | | | | |
dsDN | | | | |
dsOldDN | | | | |
dsNewDN | | | | |
dsGUID | | | | |
dsClass | | | | |
dsLDAPName | | | | |
dsSyntax | | | | |
dsValue | | | | |
dsCorrelationId | | | | |
dsApplicationCorrelationId | | | | |
operationType | | | | |
treeDelete | | | | |
device | | | | |
pipeName | | | | |
queryName | | | | |
queryStatus | | | | |
queryResults | | | | |
signature | | | | |
initiated | | | | |
properties | | | | |
auditPolicyChanges | | | | |
data | | | | |
message | | | | |
extMessage | | | | |
criticality | | | | |
evtCounter | | | | |
evtCounter2 | | | | |
unkData | | | | |
hostchain | | | | |
tag | | | | ✓ |
rawMessage | | | | |
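The only transformations the table declares are the srceventdate fallback chain and the trim()/rename of the obj* fields. The script below, an added example rather than Devo's parser code, reproduces them in Python so the three branches of the fallback can be seen on concrete records: timeCreated wins when present, otherwise serverdate is parsed with serverdate_fmt, and when that parse fails the raw serverdate string is kept as-is. Assumptions: a parsed event is a dict keyed by the source field names in the table, serverdate_fmt is treated as a Python strptime pattern (Devo's parsedate() has its own pattern syntax), and the sample records are constructed.

```python
"""Apply the box.win table's declared field transformations to parsed records.

Added example, not Devo's parser code.  Assumptions (labelled): a parsed event
is a dict keyed by the source field names listed in the table; serverdate_fmt is
treated as a Python strptime pattern, whereas Devo's parsedate() uses its own
pattern syntax; the sample records are constructed.
"""
from datetime import datetime


def nvl(*values):
    """First argument that is neither None nor empty, mirroring nvl() in the table."""
    for v in values:
        if v is not None and v != "":
            return v
    return None


def parsedate(text, fmt):
    """datetime for text that matches fmt, None when it does not (the case nvl() must cover)."""
    if not text or not fmt:
        return None
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def srceventdate(rec):
    """nvl(timeCreated, nvl(parsedate(serverdate, serverdate_fmt), serverdate))"""
    return nvl(
        rec.get("timeCreated"),
        nvl(parsedate(rec.get("serverdate"), rec.get("serverdate_fmt")), rec.get("serverdate")),
    )


# (target column, source field, transformation) exactly as the table declares them
RENAMES = [
    ("objName", "objName2", str.strip),   # trim(objName2)
    ("objType", "objType2", str.strip),   # trim(objType2)
    ("objServer", "objServer2", None),    # copied without transformation
    ("objHandle", "objHandle2", None),
    ("objValName", "objValName2", None),
]


def transform(rec):
    """Return a copy of rec with srceventdate and the obj* columns filled in."""
    out = dict(rec)
    out["srceventdate"] = srceventdate(rec)
    for dst, src, fn in RENAMES:
        value = rec.get(src)
        if value is not None:
            out[dst] = fn(value) if fn else value
    return out


# Constructed records covering the three branches of the srceventdate fallback.
SAMPLES = [
    {   # timeCreated present: it wins regardless of serverdate
        "timeCreated": datetime(2024, 3, 5, 9, 15, 42),
        "serverdate": "garbage", "serverdate_fmt": "%Y",
        "objName2": "  \\REGISTRY\\MACHINE\\SOFTWARE\\Run ", "objType2": " Key ",
        "objServer2": "Security", "objHandle2": "0x1a4", "objValName2": "Updater",
    },
    {   # no timeCreated: serverdate is parsed with serverdate_fmt
        "timeCreated": None,
        "serverdate": "Tue Mar 05 09:15:42 2024", "serverdate_fmt": "%a %b %d %H:%M:%S %Y",
    },
    {   # serverdate does not match the format: the raw string is kept
        "serverdate": "2024-03-05T09:15:42Z", "serverdate_fmt": "%a %b %d %H:%M:%S %Y",
    },
]


def srceventdate_types():
    """Type of srceventdate per sample: the third branch yields a str, not a datetime."""
    return [type(transform(s)["srceventdate"]).__name__ for s in SAMPLES]


if __name__ == "__main__":
    for s in SAMPLES:
        print(transform(s)["srceventdate"])
    print(srceventdate_types())
```

The third branch is the one to watch in detections: when neither timeCreated nor a parseable serverdate is present, srceventdate carries the unparsed string, so time-window comparisons on that column silently degrade to lexical ones for those rows. Querying for rows whose srceventdate did not parse is a cheap health check on a new Snare deployment.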