crowdsec/config/acquis_win.yaml

##RDP
source: wineventlog
event_channel: Security
event_ids:
 - 4625
 - 4623
event_level: information
labels:
 type: eventlog
---
##Firewall
filenames:
  - C:\Windows\System32\LogFiles\Firewall\*.log
labels:
  type: windows-firewall
---
##SQL Server
source: wineventlog
event_channel: Application
event_ids:
 - 18456
event_level: information
labels:
 type: eventlog
---
##IIS
use_time_machine: true
filenames:
  - C:\inetpub\logs\LogFiles\*\*.log
labels:
  type: iis
update default windows acquisition configuration (#2195) 2023-05-12 11:47:01 +00:00			`##RDP`
Windows Support (#1159) 2022-05-17 10:14:59 +00:00			`source: wineventlog`
			`event_channel: Security`
			`event_ids:`
			`- 4625`
			`- 4623`
			`event_level: information`
			`labels:`
update default windows acquisition configuration (#2195) 2023-05-12 11:47:01 +00:00			`type: eventlog`
			`---`
			`##Firewall`
			`filenames:`
Used asterisk for Defender Firewall log name (#2671) Log name is configurable. MD Docs recommend a log file per profile: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune 2023-12-20 09:28:40 +00:00			`- C:\Windows\System32\LogFiles\Firewall\*.log`
update default windows acquisition configuration (#2195) 2023-05-12 11:47:01 +00:00			`labels:`
			`type: windows-firewall`
			`---`
			`##SQL Server`
			`source: wineventlog`
			`event_channel: Application`
			`event_ids:`
			`- 18456`
			`event_level: information`
			`labels:`
			`type: eventlog`
			`---`
			`##IIS`
			`use_time_machine: true`
			`filenames:`
			`- C:\inetpub\logs\LogFiles\\.log`
			`labels:`
Used asterisk for Defender Firewall log name (#2671) Log name is configurable. MD Docs recommend a log file per profile: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune 2023-12-20 09:28:40 +00:00			`type: iis`