diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index fea0d7d09ef..9dd6da9bec0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -133,6 +133,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Adjust Winlogbeat fields to map to ECS. {pull}10333[10333] + *Functionbeat* - Correctly normalize Cloudformation resource name. {issue}10087[10087] diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index 5f7f578c7a5..75c83602ee1 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml @@ -2032,3 +2032,118 @@ to: event.created alias: true beat: journalbeat + +## Winlogbeat + +# Alias to ECS fields + +- from: xml + to: event.original + alias: true + beat: winlogbeat + +- from: level + to: log.level + alias: true + beat: winlogbeat + +# Move fields to winlog.* section, to reduce chances of top level field name conflicts. + +# renames to match Windows Event Log naming + +- from: type + to: winlog.api + alias: true + beat: winlogbeat + +- from: log_name + to: winlog.channel + alias: true + beat: winlogbeat + +- from: record_number + to: winlog.record_id + alias: true + beat: winlogbeat + +- from: process_id + to: winlog.process.pid + alias: true + beat: winlogbeat + +- from: source_name + to: winlog.provider_name + alias: true + beat: winlogbeat + +- from: thread_id + to: winlog.process.thread.id + alias: true + beat: winlogbeat + +# Fields moved without adjusting the name + +- from: activity_id + to: winlog.activity_id + alias: true + beat: winlogbeat + +- from: computer_name + to: winlog.computer_name + alias: true + beat: winlogbeat + +- from: event_id + to: winlog.event_id + alias: true + beat: winlogbeat + +- from: keywords + to: winlog.keywords + alias: true + beat: winlogbeat + +- from: message_error + to: error.message + alias: true + beat: winlogbeat + +- from: related_activity_id + to: winlog.related_activity_id + alias: true + beat: winlogbeat + +- from: opcode + to: winlog.opcode + alias: true + beat: winlogbeat + +- from: provider_guid + to: winlog.provider_guid + alias: true + beat: winlogbeat + +- from: task + to: winlog.task + alias: true + beat: winlogbeat + +- from: user.identifier + to: winlog.user.identifier + alias: true + beat: winlogbeat + +- from: user.domain + to: winlog.user.domain + alias: true + beat: winlogbeat + +- from: user.type + to: winlog.user.type + alias: true + beat: winlogbeat + +- from: version + to: winlog.version + alias: true + beat: winlogbeat diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml index 46eae698f26..f5d129a8ac0 100644 --- a/winlogbeat/_meta/fields.common.yml +++ b/winlogbeat/_meta/fields.common.yml @@ -1,198 +1,292 @@ -- key: common - title: "Common Winlogbeat" +- key: winlog + title: "Windows Event Log fields emitted by Winlogbeat" description: > - Contains common fields available in all event types. + Fields from the Windows Event Log. fields: - - name: type - required: true + # Candidate to add to ECS + - name: event.code + type: keyword + required: false description: > - The event log API type used to read the record. The possible values are - "wineventlog" for the Windows Event Log API or "eventlogging" for the - Event Logging API. + The code for this log message (Windows event ID). + + - name: event.original + overwrite: true + description: > + The raw XML representation of the event obtained from Windows. This + field is only available on operating systems supporting the Windows + Event Log API (Microsoft Windows Vista and newer). This field is not + included by default and must be enabled by setting `include_xml: true` + as a configuration option for an individual event log. + + The XML representation of the event is useful for troubleshooting + purposes. The data in the fields reported by Winlogbeat can be compared + to the data in the XML to diagnose problems. + + - name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + fields: + + - name: type + required: true + description: > + The event log API type used to read the record. The possible values are + "wineventlog" for the Windows Event Log API or "eventlogging" for the + Event Logging API. + + The Event Logging API was designed for Windows Server 2003 + or Windows 2000 operating systems. In Windows Vista, the event logging + infrastructure was redesigned. On Windows Vista or later operating + systems, the Windows Event Log API is used. Winlogbeat automatically + detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The + events that are published with this identifier are part of the same + activity. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows + event forwarding, this name can differ from `agent.hostname`. + + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with + `user_data`. If you are capturing event data on versions prior + to Windows Vista, the parameters in `event_data` are named `param1`, + `param2`, and so on, because event log parameters are unnamed in + earlier versions of Windows. + + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is + one of the names from the `event_logs` collection in the configuration. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written + to an event log is record number 1, and other records are numbered + sequentially. If the record number reaches the maximum value (2^32^ + for the Event Logging API and 2^64^ for the Windows Event Log API), + the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which + control was transferred to. The related events would then have this + identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to + identify the location in the application from where the event was + logged. - The Event Logging API was designed for Windows Server 2003 - or Windows 2000 operating systems. In Windows Vista, the event logging - infrastructure was redesigned. On Windows Vista or later operating - systems, the Windows Event Log API is used. Winlogbeat automatically - detects which API to use for reading event logs. + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged + the event. + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that + logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to + identify the location in the application from where the event was + logged. The category used by the Event Logging API (on pre Windows Vista + operating systems) is written to this field. + + - name: process.thread.id + type: long + required: false + + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with + `event_data`. + + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with + this event. + + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, + `user.domain`, and `user.type` fields will be omitted from the event. + If you discover Winlogbeat not resolving SIDs, review the log for + clues as to what the problem may be. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. + +# Aliases for the old fields - key: eventlog title: Event log record description: > Contains data from a Windows event log record. fields: + - name: type + type: alias + path: winlog.api + migration: true + - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The - events that are published with this identifier are part of the same - activity. + type: alias + path: winlog.activity_id + migration: true - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows - event forwarding, this name can differ from the `beat.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with - `user_data`. If you are capturing event data on versions prior - to Windows Vista, the parameters in `event_data` are named `param1`, - `param2`, and so on, because event log parameters are unnamed in - earlier versions of Windows. + type: alias + path: winlog.computer_name + migration: true - name: event_id - type: long - required: true - description: > - The event identifier. The value is specific to the source of the event. + type: alias + path: winlog.event_id + migration: true - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. + type: alias + path: winlog.keywords + migration: true - name: log_name - type: keyword - required: true - description: > - The name of the event log from which this record was read. This value is - one of the names from the `event_logs` collection in the configuration. - - - name: level - type: keyword - required: false - description: > - The level of the event. There are five levels of events that can be - logged: Success, Information, Warning, Error, Audit Success, and Audit - Failure. + type: alias + path: winlog.channel + migration: true - name: message_error - type: keyword - required: false - description: > - The error that occurred while reading and formatting the message from - the log. + type: alias + path: error.message + migration: true - name: record_number - type: keyword - required: true - description: > - The record number of the event log record. The first record written - to an event log is record number 1, and other records are numbered - sequentially. If the record number reaches the maximum value (2^32^ - for the Event Logging API and 2^64^ for the Windows Event Log API), - the next record number will be 0. + type: alias + path: winlog.record_id + migration: true - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which - control was transferred to. The related events would then have this - identifier as their `activity_id` identifier. + type: alias + path: winlog.related_activity_id + migration: true - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to - identify the location in the application from where the event was - logged. + type: alias + path: winlog.opcode + migration: true - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged - the event. + type: alias + path: winlog.provider_guid + migration: true - name: process_id - type: long - required: false - description: > - The process_id identifies the process that generated the event. + type: alias + path: winlog.process.pid + migration: true - name: source_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that - logged the record). + type: alias + path: winlog.provider_name + migration: true - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to - identify the location in the application from where the event was - logged. The category used by the Event Logging API (on pre Windows Vista - operating systems) is written to this field. + type: alias + path: winlog.task + migration: true - name: thread_id - type: long - required: false - description: > - The thread_id identifies the thread that generated the event. - - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with - `event_data`. + type: alias + path: winlog.process.thread.id + migration: true - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with - this event. - - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, - `user.domain`, and `user.type` fields will be omitted from the event. - If you discover Winlogbeat not resolving SIDs, review the log for - clues as to what the problem may be. + type: alias + path: winlog.user.identifier + migration: true - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. + type: alias + path: winlog.user.domain + migration: true - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. + type: alias + path: winlog.user.type + migration: true - name: version - type: long - required: false - description: The version number of the event's definition. + type: alias + path: winlog.version + migration: true - name: xml - type: text - required: false - description: > - The raw XML representation of the event obtained from Windows. This - field is only available on operating systems supporting the Windows - Event Log API (Microsoft Windows Vista and newer). This field is not - included by default and must be enabled by setting `include_xml: true` - as a configuration option for an individual event log. - - - The XML representation of the event is useful for troubleshooting - purposes. The data in the fields reported by Winlogbeat can be compared - to the data in the XML to diagnose problems. + type: alias + path: event.original + migration: true diff --git a/winlogbeat/_meta/kibana/7/dashboard/Winlogbeat-overview.json b/winlogbeat/_meta/kibana/7/dashboard/Winlogbeat-overview.json index 21f3e80cc86..ac6f17f6246 100644 --- a/winlogbeat/_meta/kibana/7/dashboard/Winlogbeat-overview.json +++ b/winlogbeat/_meta/kibana/7/dashboard/Winlogbeat-overview.json @@ -1,366 +1,183 @@ { - "objects": [ + "objects": [ + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.0.0-SNAPSHOT\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.0.0-SNAPSHOT\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"4\",\"version\":\"7.0.0-SNAPSHOT\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"5\",\"version\":\"7.0.0-SNAPSHOT\",\"panelRefName\":\"panel_3\"},{\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"6\",\"version\":\"7.0.0-SNAPSHOT\",\"panelRefName\":\"panel_4\"}]", + "timeRestore": false, + "title": "Winlogbeat Dashboard", + "version": 1 + }, + "id": "Winlogbeat-Dashboard", + "migrationVersion": { + "dashboard": "7.0.0" + }, + "references": [ { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "winlogbeat-*", - "query": { - "query_string": { - "analyze_wildcard": true, - "query": "*" - } - } - } - }, - "title": "Number of Events Over Time By Event Log", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "id": "2", - "params": { - "customInterval": "2h", - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1 - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "id": "3", - "params": { - "field": "log_name", - "order": "desc", - "orderBy": "1", - "size": 6 - }, - "schema": "group", - "type": "terms" - } - ], - "listeners": {}, - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "defaultYExtents": false, - "mode": "stacked", - "scale": "linear", - "setYExtents": false, - "shareYAxis": true, - "times": [], - "yAxis": {} - }, - "type": "histogram" - } - }, - "id": "Number-of-Events-Over-Time-By-Event-Log", - "type": "visualization", - "version": 1 - }, + "id": "Number-of-Events-Over-Time-By-Event-Log", + "name": "panel_0", + "type": "visualization" + }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "winlogbeat-*", - "query": { - "query_string": { - "analyze_wildcard": true, - "query": "*" - } - } - } - }, - "title": "Number of Events", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - } - ], - "listeners": {}, - "params": { - "fontSize": 60 - }, - "type": "metric" - } - }, - "id": "Number-of-Events", - "type": "visualization", - "version": 1 - }, + "id": "Number-of-Events", + "name": "panel_1", + "type": "visualization" + }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "winlogbeat-*", - "query": { - "query_string": { - "analyze_wildcard": true, - "query": "*" - } - } - } - }, - "title": "Top Event IDs", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "id": "2", - "params": { - "field": "event_id", - "order": "desc", - "orderBy": "1", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "listeners": {}, - "params": { - "perPage": 10, - "showMeticsAtAllLevels": false, - "showPartialRows": false - }, - "type": "table" - } - }, - "id": "Top-Event-IDs", - "type": "visualization", - "version": 1 - }, + "id": "Top-Event-IDs", + "name": "panel_2", + "type": "visualization" + }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "winlogbeat-*", - "query": { - "query_string": { - "analyze_wildcard": true, - "query": "*" - } - } - } - }, - "title": "Event Levels", - "uiStateJSON": { - "vis": { - "params": { - "sort": { - "columnIndex": null, - "direction": null - } - } - } - }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "level", - "order": "desc", - "orderBy": "1", - "size": 5 - }, - "schema": "bucket", - "type": "terms" - } - ], - "listeners": {}, - "params": { - "perPage": 10, - "showMeticsAtAllLevels": false, - "showPartialRows": false, - "showTotal": false, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "title": "Event Levels", - "type": "table" - } - }, - "id": "Event-Levels", - "type": "visualization", - "version": 1 - }, + "id": "Event-Levels", + "name": "panel_3", + "type": "visualization" + }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "winlogbeat-*", - "query": { - "query_string": { - "analyze_wildcard": true, - "query": "*" - } - } - } - }, - "title": "Sources", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "source_name", - "order": "desc", - "orderBy": "1", - "size": 7 - }, - "schema": "segment", - "type": "terms" - } - ], - "listeners": {}, - "params": { - "addLegend": true, - "addTooltip": true, - "isDonut": false, - "legendPosition": "right", - "shareYAxis": true - }, - "title": "Sources", - "type": "pie" - } - }, - "id": "Sources", - "type": "visualization", - "version": 1 - }, + "id": "Sources", + "name": "panel_4", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-02-05T04:31:28.874Z", + "version": 5 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "title": "Number of Events Over Time By Channel", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Number of Events Over Time By Channel\",\"type\":\"histogram\",\"params\":{\"scale\":\"linear\",\"yAxis\":{},\"addTimeMarker\":false,\"addLegend\":true,\"shareYAxis\":true,\"mode\":\"stacked\",\"defaultYExtents\":false,\"setYExtents\":false,\"addTooltip\":true,\"times\":[],\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"setYExtents\":false,\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\"}],\"legendPosition\":\"right\",\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"date\":true,\"interval\":43200000,\"format\":\"YYYY-MM-DD HH:mm\",\"bounds\":{\"min\":\"2019-01-21T04:30:25.961Z\",\"max\":\"2019-02-05T04:30:25.961Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15d\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"time_zone\":\"America/Montreal\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"winlog.channel\",\"size\":6,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Channel\"}}]}" + }, + "id": "Number-of-Events-Over-Time-By-Event-Log", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-05T04:30:57.063Z", + "version": 9 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "title": "Number of Events", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"type\": \"metric\", \"listeners\": {}, \"params\": {\"fontSize\": 60}, \"aggs\": [{\"type\": \"count\", \"params\": {}, \"id\": \"1\", \"schema\": \"metric\"}]}" + }, + "id": "Number-of-Events", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-05T03:54:42.903Z", + "version": 4 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "title": "Top Event IDs", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"title\":\"Top Event IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"winlog.event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Event IDs\"}}]}" + }, + "id": "Top-Event-IDs", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-05T04:29:29.657Z", + "version": 7 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "title": "Event Levels", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"title\":\"Event Levels\",\"type\":\"table\",\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null},\"perPage\":10,\"showPartialRows\":false,\"totalFunc\":\"sum\",\"showTotal\":false,\"showMetricsAtAllLevels\":false,\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"log.level\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Levels\"}}]}" + }, + "id": "Event-Levels", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-05T04:29:58.730Z", + "version": 7 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + }, + "title": "Sources (Provider Names)", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Sources (Provider Names)\",\"type\":\"pie\",\"params\":{\"legendPosition\":\"right\",\"isDonut\":false,\"addTooltip\":true,\"shareYAxis\":true,\"addLegend\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"winlog.provider_name\",\"size\":7,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}" + }, + "id": "Sources", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "query": { - "query_string": { - "analyze_wildcard": true, - "query": "*" - } - } - } - ] - } - }, - "optionsJSON": { - "darkTheme": false - }, - "panelsJSON": [ - { - "col": 4, - "id": "Number-of-Events-Over-Time-By-Event-Log", - "panelIndex": 1, - "row": 1, - "size_x": 9, - "size_y": 4, - "type": "visualization" - }, - { - "col": 1, - "id": "Number-of-Events", - "panelIndex": 3, - "row": 1, - "size_x": 3, - "size_y": 4, - "type": "visualization" - }, - { - "col": 5, - "id": "Top-Event-IDs", - "panelIndex": 4, - "row": 5, - "size_x": 4, - "size_y": 4, - "type": "visualization" - }, - { - "col": 9, - "id": "Event-Levels", - "panelIndex": 5, - "row": 5, - "size_x": 4, - "size_y": 4, - "type": "visualization" - }, - { - "col": 1, - "id": "Sources", - "panelIndex": 6, - "row": 5, - "size_x": 4, - "size_y": 4, - "type": "visualization" - } - ], - "timeRestore": false, - "title": "Winlogbeat Dashboard", - "uiStateJSON": {}, - "version": 1 - }, - "id": "Winlogbeat-Dashboard", - "type": "dashboard", - "version": 1 + "id": "winlogbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" } - ], - "version": "6.0.0-alpha3-SNAPSHOT" + ], + "type": "visualization", + "updated_at": "2019-02-05T04:28:30.544Z", + "version": 7 + } + ], + "version": "7.0.0-SNAPSHOT" } \ No newline at end of file diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index a76fb2a3c17..b7003f99662 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -14,13 +14,13 @@ grouped in the following categories: * <> * <> -* <> * <> * <> * <> * <> * <> * <> +* <> -- [[exported-fields-beat]] @@ -162,24 +162,6 @@ type: alias alias to: cloud.region --- - -[[exported-fields-common]] -== Common Winlogbeat fields - -Contains common fields available in all event types. - - - -*`type`*:: -+ --- -required: True - -The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. -The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - -- [[exported-fields-docker-processor]] @@ -3282,383 +3264,568 @@ Contains data from a Windows event log record. -*`activity_id`*:: +*`type`*:: + -- -type: keyword +type: alias -required: False +alias to: winlog.api -A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. +-- + +*`activity_id`*:: ++ +-- +type: alias +alias to: winlog.activity_id -- *`computer_name`*:: + -- -type: keyword +type: alias -required: True +alias to: winlog.computer_name -The name of the computer that generated the record. When using Windows event forwarding, this name can differ from the `beat.hostname`. +-- +*`event_id`*:: ++ +-- +type: alias + +alias to: winlog.event_id -- -*`event_data`*:: +*`keywords`*:: + -- -type: object +type: alias -required: False +alias to: winlog.keywords -The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. +-- +*`log_name`*:: ++ +-- +type: alias + +alias to: winlog.channel -- -*`event_id`*:: +*`message_error`*:: + -- -type: long +type: alias -required: True +alias to: error.message -The event identifier. The value is specific to the source of the event. +-- +*`record_number`*:: ++ +-- +type: alias + +alias to: winlog.record_id -- -*`keywords`*:: +*`related_activity_id`*:: + -- -type: keyword +type: alias -required: False +alias to: winlog.related_activity_id -The keywords are used to classify an event. +-- +*`opcode`*:: ++ +-- +type: alias + +alias to: winlog.opcode -- -*`log_name`*:: +*`provider_guid`*:: + -- -type: keyword +type: alias -required: True +alias to: winlog.provider_guid + +-- -The name of the event log from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. +*`process_id`*:: ++ +-- +type: alias +alias to: winlog.process.pid -- -*`level`*:: +*`source_name`*:: + -- -type: keyword +type: alias -required: False +alias to: winlog.provider_name -The level of the event. There are five levels of events that can be logged: Success, Information, Warning, Error, Audit Success, and Audit Failure. +-- +*`task`*:: ++ +-- +type: alias + +alias to: winlog.task -- -*`message_error`*:: +*`thread_id`*:: + -- -type: keyword +type: alias -required: False +alias to: winlog.process.thread.id -The error that occurred while reading and formatting the message from the log. +-- + +*`user.identifier`*:: ++ +-- +type: alias +alias to: winlog.user.identifier -- -*`record_number`*:: +*`user.domain`*:: + -- -type: keyword +type: alias -required: True +alias to: winlog.user.domain -The record number of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. +-- + +*`user.type`*:: ++ +-- +type: alias +alias to: winlog.user.type -- -*`related_activity_id`*:: +*`version`*:: + -- -type: keyword +type: alias -required: False +alias to: winlog.version -A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. +-- + +*`xml`*:: ++ +-- +type: alias +alias to: event.original -- -*`opcode`*:: +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. + + +[[exported-fields-kubernetes-processor]] +== Kubernetes fields + +Kubernetes metadata added by the kubernetes processor + + + + +*`kubernetes.pod.name`*:: + -- type: keyword -required: False +Kubernetes pod name -The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. +-- +*`kubernetes.pod.uid`*:: ++ -- +type: keyword -*`provider_guid`*:: +Kubernetes Pod UID + + +-- + +*`kubernetes.namespace`*:: + -- type: keyword -required: False +Kubernetes namespace -A globally unique identifier that identifies the provider that logged the event. +-- +*`kubernetes.node.name`*:: ++ -- +type: keyword -*`process_id`*:: +Kubernetes node name + + +-- + +*`kubernetes.labels`*:: + -- -type: long +type: object -required: False +Kubernetes labels map -The process_id identifies the process that generated the event. +-- +*`kubernetes.annotations`*:: ++ -- +type: object -*`source_name`*:: +Kubernetes annotations map + + +-- + +*`kubernetes.container.name`*:: + -- type: keyword -required: True +Kubernetes container name -The source of the event log record (the application or service that logged the record). +-- +*`kubernetes.container.image`*:: ++ -- +type: keyword -*`task`*:: +Kubernetes container image + + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-winlog]] +== Windows Event Log fields emitted by Winlogbeat fields + +Fields from the Windows Event Log. + + + +*`event.code`*:: + -- type: keyword required: False -The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. +The code for this log message (Windows event ID). -- -*`thread_id`*:: +*`event.original`*:: + -- -type: long +The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log. +The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems. -required: False -The thread_id identifies the thread that generated the event. +-- + +[float] +== winlog fields +All fields specific to the Windows Event Log are defined here. + + +*`winlog.type`*:: ++ -- +required: True + +The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. +The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + -*`user_data`*:: +-- + +*`winlog.activity_id`*:: + -- -type: object +type: keyword required: False -The event specific data. This field is mutually exclusive with `event_data`. +A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. -- -*`user.identifier`*:: +*`winlog.computer_name`*:: + -- type: keyword -example: S-1-5-21-3541430928-2051711210-1391384369-1001 +required: True -required: False +The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. -The Windows security identifier (SID) of the account associated with this event. -If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. +-- + +*`winlog.event_data`*:: ++ +-- +type: object + +required: False + +The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. -- -*`user.domain`*:: +*`winlog.event_id`*:: + -- type: keyword -required: False +required: True -The domain that the account associated with this event is a member of. +The event identifier. The value is specific to the source of the event. -- -*`user.type`*:: +*`winlog.keywords`*:: + -- type: keyword required: False -The type of account associated with this event. +The keywords are used to classify an event. -- -*`version`*:: +*`winlog.channel`*:: + -- -type: long +type: keyword -required: False +required: True + +The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. -The version number of the event's definition. -- -*`xml`*:: +*`winlog.record_id`*:: + -- -type: text +type: keyword -required: False +required: True -The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log. +The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. -The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems. +-- +*`winlog.related_activity_id`*:: ++ -- +type: keyword -[[exported-fields-host-processor]] -== Host fields +required: False -Info collected for the host machine. +A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. -[[exported-fields-kubernetes-processor]] -== Kubernetes fields +-- -Kubernetes metadata added by the kubernetes processor +*`winlog.opcode`*:: ++ +-- +type: keyword + +required: False +The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. +-- -*`kubernetes.pod.name`*:: +*`winlog.provider_guid`*:: + -- type: keyword -Kubernetes pod name +required: False + +A globally unique identifier that identifies the provider that logged the event. -- -*`kubernetes.pod.uid`*:: +*`winlog.process.pid`*:: + -- -type: keyword +type: long -Kubernetes Pod UID +required: False + +The process_id of the Client Server Runtime Process. -- -*`kubernetes.namespace`*:: +*`winlog.provider_name`*:: + -- type: keyword -Kubernetes namespace +required: True + +The source of the event log record (the application or service that logged the record). -- -*`kubernetes.node.name`*:: +*`winlog.task`*:: + -- type: keyword -Kubernetes node name +required: False + +The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. -- -*`kubernetes.labels`*:: +*`winlog.process.thread.id`*:: + -- -type: object - -Kubernetes labels map +type: long +required: False -- -*`kubernetes.annotations`*:: +*`winlog.user_data`*:: + -- type: object -Kubernetes annotations map +required: False + +The event specific data. This field is mutually exclusive with `event_data`. -- -*`kubernetes.container.name`*:: +*`winlog.user.identifier`*:: + -- type: keyword -Kubernetes container name +example: S-1-5-21-3541430928-2051711210-1391384369-1001 + +required: False + +The Windows security identifier (SID) of the account associated with this event. + +If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. -- -*`kubernetes.container.image`*:: +*`winlog.user.domain`*:: + -- type: keyword -Kubernetes container image +required: False + +The domain that the account associated with this event is a member of. -- -[[exported-fields-process]] -== Process fields +*`winlog.user.type`*:: ++ +-- +type: keyword -Process metadata fields +required: False +The type of account associated with this event. +-- -*`process.exe`*:: +*`winlog.version`*:: + -- -type: alias +type: long -alias to: process.executable +required: False + +The version number of the event's definition. -- diff --git a/winlogbeat/docs/winlogbeat-filtering.asciidoc b/winlogbeat/docs/winlogbeat-filtering.asciidoc index 08248b9e0b1..c6fd80e2250 100644 --- a/winlogbeat/docs/winlogbeat-filtering.asciidoc +++ b/winlogbeat/docs/winlogbeat-filtering.asciidoc @@ -9,7 +9,7 @@ For example, the following filter configuration drops a few fields that are rare ----------------------------------------------------- processors: - drop_fields: - fields: [provider_guid, process_id, thread_id, version, event_data.ErrorSourceTable] + fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable] ----------------------------------------------------- include::{libbeat-dir}/docs/processors-using.asciidoc[] diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go index 1b6dcc475e1..8d3ed476afc 100644 --- a/winlogbeat/eventlog/eventlog.go +++ b/winlogbeat/eventlog/eventlog.go @@ -22,7 +22,9 @@ import ( "fmt" "reflect" "strconv" + "strings" "syscall" + "time" "github.com/elastic/beats/libbeat/beat" "github.com/elastic/beats/libbeat/common" @@ -80,53 +82,66 @@ type Record struct { // ToMapStr returns a new MapStr containing the data from this Record. func (e Record) ToEvent() beat.Event { - m := common.MapStr{ - "type": e.API, - "log_name": e.Channel, - "source_name": e.Provider.Name, - "computer_name": e.Computer, - "record_number": strconv.FormatUint(e.RecordID, 10), + // Windows Log Specific data + win := common.MapStr{ + "channel": e.Channel, "event_id": e.EventIdentifier.ID, + "provider_name": e.Provider.Name, + "record_id": e.RecordID, + "task": e.Task, + "api": e.API, } - - addOptional(m, "xml", e.XML) - addOptional(m, "provider_guid", e.Provider.GUID) - addOptional(m, "version", e.Version) - addOptional(m, "level", e.Level) - addOptional(m, "task", e.Task) - addOptional(m, "opcode", e.Opcode) - addOptional(m, "keywords", e.Keywords) - addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message)) - addOptional(m, "message_error", e.RenderErr) - + addOptional(win, "computer_name", e.Computer) + addOptional(win, "kernel_time", e.Execution.KernelTime) + addOptional(win, "keywords", e.Keywords) + addOptional(win, "opcode", e.Opcode) + addOptional(win, "processor_id", e.Execution.ProcessorID) + addOptional(win, "processor_time", e.Execution.ProcessorTime) + addOptional(win, "provider_guid", e.Provider.GUID) + addOptional(win, "session_id", e.Execution.SessionID) + addOptional(win, "task", e.Task) + addOptional(win, "user_time", e.Execution.UserTime) + addOptional(win, "version", e.Version) // Correlation - addOptional(m, "activity_id", e.Correlation.ActivityID) - addOptional(m, "related_activity_id", e.Correlation.RelatedActivityID) - + addOptional(win, "activity_id", e.Correlation.ActivityID) + addOptional(win, "related_activity_id", e.Correlation.RelatedActivityID) // Execution - addOptional(m, "process_id", e.Execution.ProcessID) - addOptional(m, "thread_id", e.Execution.ThreadID) - addOptional(m, "processor_id", e.Execution.ProcessorID) - addOptional(m, "session_id", e.Execution.SessionID) - addOptional(m, "kernel_time", e.Execution.KernelTime) - addOptional(m, "user_time", e.Execution.UserTime) - addOptional(m, "processor_time", e.Execution.ProcessorTime) + addOptional(win, "process.pid", e.Execution.ProcessID) + addOptional(win, "process.thread.id", e.Execution.ThreadID) if e.User.Identifier != "" { user := common.MapStr{ "identifier": e.User.Identifier, } - m["user"] = user - + win["user"] = user addOptional(user, "name", e.User.Name) addOptional(user, "domain", e.User.Domain) addOptional(user, "type", e.User.Type.String()) } - addPairs(m, "event_data", e.EventData.Pairs) - userData := addPairs(m, "user_data", e.UserData.Pairs) + addPairs(win, "event_data", e.EventData.Pairs) + userData := addPairs(win, "user_data", e.UserData.Pairs) addOptional(userData, "xml_name", e.UserData.Name.Local) + m := common.MapStr{ + "winlog": win, + } + + // ECS data + m.Put("event.kind", "event") + m.Put("event.code", e.EventIdentifier.ID) + addOptional(m, "event.action", e.Task) + + m.Put("event.created", time.Now()) + + addOptional(m, "log.level", strings.ToLower(e.Level)) + addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message)) + // Errors + addOptional(m, "error.code", e.RenderErrorCode) + addOptional(m, "error.message", e.RenderErr) + + addOptional(m, "event.original", e.XML) + return beat.Event{ Timestamp: e.TimeCreated.SystemTime, Fields: m, @@ -139,7 +154,7 @@ func (e Record) ToEvent() beat.Event { // MapStr. func addOptional(m common.MapStr, key string, v interface{}) { if m != nil && !isZero(v) { - m[key] = v + m.Put(key, v) } } diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go index 6a541784912..b43981924cd 100644 --- a/winlogbeat/eventlog/wineventlog.go +++ b/winlogbeat/eventlog/wineventlog.go @@ -243,7 +243,7 @@ func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) (Record, if e.RenderErrorCode != 0 { // Convert the render error code to an error message that can be - // included in the "message_error" field. + // included in the "error.message" field. e.RenderErr = syscall.Errno(e.RenderErrorCode).Error() } else if recoveredErr != nil { e.RenderErr = recoveredErr.Error() diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index 25059ce355c..6a4821f55ac 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvf1zHDdyAPq7/woUXfUsJcvhkqI+zNS9hCfJNuskmRHlcy65HBc7g92FOQOMAQxX6yT/+yt0AxhgZna5/Fidk0dd1VmanWk0gEajv3ufXLHVCWG5/ooQw03JTsjb1xdfEVIwnSteGy7FCfl/vyKE2B/IjLOy0NlXxP3t5Cv4aZ8IWrETsvcvhldMG1rVe/ADIWZVsxNSUMPcg5Jds/KE5FL5J4r92nDFihNiVOMfss+0qi0+e0fjwxf74+f7R88+jV+djJ+fPDvOXj1/9u9+hAFU7Z831LADiw5ZLpggZsEIu2bCEKn4nAtqWJF9Fd7+TipSyjm+oolZcE24hq+KdYCWVJM5E0xZWCNCRRHACWnwbY6vKUbj0T66GeMqkplUhJalGzxL19TQuV67dLi6V2y1lKrordx//HWvVrJocrs2f90bkb/uMXF99Ne9/7xh7d5xbYicecCaNJoVxEiLDGE0XyCqHUxLOmXlTbjK6S8sN11U/4uJ6xPSIjsitK5LnlPEbCbl/pSq/9mM9Z/Y6uCalg0jNeVKR+v9mgoyZWEWtChIxQwlXMykqmAQ+9ytP7lYyKYsYBNzKQzlggimDWv3F2ehM3JalgTG1IQqRrSRdlup9ksXIfHWT3ZSyPyKqYmlGDK5eqUnbuk661kxrel8/bnBBTXsc285935gZSnJz1KVxQ1b3SN85sd1xOlWAH+yb7qfo5mdCSLNgim7wCSnmg3CSfcglyKnhomWMRBS8NmMKXu03JIuFzxfwMIae5hmirFyRTSjKl/QackycjYjVVMaXpctGDeuJuwz12Zkv1354XNZTblgBeHCSCIF60zHrz2dM+GX1THG0+jRXMmmPiFHm9f204IhIMctAzU5tkIJncrGwD+1nJmlnSkThpvViPAZoWJlsaeWDMvSEtyIFMzgX6QicqqZurYTxc2TglCykHbOUhFDr5gmFaO6UaxKX8g8NWrCRV42BSN/ZBQIeg5vVnRFaKklUY2wn7mhlM7gHoBZZf/g56UXln1NGall3ZSWHZIlNwuLLOWltqzEhLVQjRBczC1U+9CiE01GWb6JG+7Y7ILWNbNbZucEZBVmBLzVzlNkbtFnUhohDYu3wU/1xBKqhWBJ1OIEUwbuW8q5HrU4ZpYILP+f8ZJNGTUZnJPT8/cjy9HxYgjw02m57aV1fWAnxHOWRYQQc5xCMo1MZkHFnBE+a0+CJQ6uibbfmIWSzXxBfm1YY0fQK21YpUnJrxj5E51d0RH5yAqORFErmTOtoxcDVN3Y06TJOznXhuoFwTmRC1j4LGErQOF+UeO7Pj4lliC4FOH5EJcia66pDefG/vkzgk5IJ2I5EbN7kY2z8b7Kj/r42f/fBXIfLHmsxcwefBQfKGDgjjAyoDm/ZnDZUOE+xbfdzwtW1rOmjGkByVr5CROzlOQ7R5eEC22oyN310zla2g5uz1cCa9oYywWaigqQSywjJZrVVCFZck0EY4U9cMJx4N5wCUBPrLms7OAzJavOepzNiJDEHypYAjxt/pGcGSZIyWaGsKo2q2xoo2dS9rfY7t4utvjTqr5hi/2RtsCJNnSlCS2X9j9h7e0Fr1GYCFs/XUW80N6GWbpUIrCnsOrt+0uA5YaZsvYV4NV8ZokjAbeeUBIiqWi+4IINL7sD0V97Xuxi5X8S/NeGEV7Ym3DGmcJtsMcJ1uAJn8HFDbe7ftrZlyBlWYaNDB6+XfpdAHbOi8GpvqLHs+fjcdGfKqsXrGKKlpdDk2afDRMFK+438bd+jLvOHdmOFVxVRcty5S4WTWiupLZaiDZUWeHB8oAJkjUvJuEm2rQos69SCSkveU9Eeh0/205GOnWALBco2AxkM4pHiAtuODUSFoESwcxSqisrRAkGWgKyRZR9FJtTVcCtZ28/KfQoehOvxikvuMIHtCSzUi6JYrlVcPB+//T63IFD7tRi1kPHPrCvR8gAl9dMFPj6xV8+kJrmV8w80U8RPgrJtZJG5rLsDYK6pN23znAKVGRmlQsvXvjFMIoKTQGBjFzIigXpwMri9k3DVEX2vNIr1Z69fBSbMZUMLzrT0Si1uJ+dnId7OGVBsIvkVxiWWFTE3O9gCzzGGXVHRywetOVKjW5g+q0UyYVF6ZdG4BKDUOnERGeKIANw2oW00lULzZILbsk+HNxU4bZ/HKwDP4hitWJWCIOrEW9pqz1qVlFheA4SPfts3IXOPuOJG7l7k+twoRtJrrmdH/+NtfK/nR9ToBNobhrqVv5sRlayUQH6jJalxmUEScKwuVSrkX3J3y/a8LIkTFjR2JGibFSOd1DBtLG7b9fQLtCMl6U9Z3WtZK04Naxc3UH8o0WhmNa74odAzqgDOEJyA7pLLLCLasrnjWx0uUKideYZXpYJPC0rBvYpUnJt7H6dnY8IJYWs7AZIRShpBP9MtNXPTUbIX9r1xTs3hWeVfdhLRZceN0/sk8w9mOD69cUHMA610kHRoMED1eNJxuuJRWmSIXoTq/rVTBROvgMCS0DaewGUk2zgpq63vKmTFzfszdl5mLDjhrhFnWk6w4tFTaqgqZOz8+tj++Ds/PpFu6kDeNdSmS0xL6WYb4f7uVRmLdbB+ELzXQg3709f37hwHgXc+F1g4dgcDhCN/DV5z4ziue7hMl0ZNnDQt9kJVHj7IIKAcfjqeDu0/2ghoE5slYz4ijESbyGnyfYJCdj+HWfQYnq0JYXhaHdDdc5iEd5JVt8nDzui1Q3YfM9kMEBRq14otYrNT5TomuV8xnNSSjS5EsVKz4rsvXbdinX4RyqLZ2rOYIpf21vWzheYq+d83eWNLxcydMFENmWHUDL48NYF6Exe1pJ3EN6wPoS8k2LOTVPgbVlSA/9IFbNABN/8F9krpdg7Ifsvn2UvDo9fPRuPyF5Jzd4JOX6ePR8///bwFfmfb4bmY290Lpgwlx3bxE2z6p/vG+YU2yjCqGum9EEqsyCnFVM8p8NoN8Ko1c6Rfo3jwKhrcH1NBS0GkVRszqXYOY4fYZhNKP5rw6YsH1xHbr7AInKzcQXfS2EUo+WmjeZaXuay+CKbfXbxI7Fjrdvw0w2b/SXwdBt+I5r7//p6CNN12z0gJN8ZxZ80U/teHo7eRM3ZM9ERccYk1H7kjMwVFU1JlaUY5yZRDK+FjiQH24WSajDcIXfhCi+TnAnDlNNqZ6WUioimmjIFvgwwYnj9UXdAI4olqRcrze1fvBMk96Sse+h8kGB6s6+XK3QrcUFoY2QFN9ecST/vNTs2ldpIsV/kXcOGbIquXaN9tJ1Z4zu8b6NrFCUA2YAfg4uZotqoJjdN7OxoF8buQ2JQxcc3+DdmToBDk5+ODcJUkLevj9DdYm+5GTP5gmncO7izeTQ8epFanO1Fn7oCE/8V18GEmCIRAKpGOP+TYpU0weRIZGM0L1g01jB2lDh3Sgwy9rjAx476Us8lgm1BgRfJDR87ctwA6cLdrBf7z4OsqeQ1L5jaSi8O1Mjyo/sJ9cmFDzP2iARvX+yqZvnRiMxzNiJSpYyGz7mhpcwZFQPiKb2mvKRTXtqr7DcpBqzvm6bZ6H1Gtdk/zO8329MIDfIb6L7eWwHkCHTebuTARPAG2Qr7dfj1Z7Ud8u5GuS3G3oaf3dMGHdDm+4dHz46fv3j56tsxneYFm423VP8dJuTsjSc5QD/4EdbjPuyTexiLUUArup5uQsz/MuxIusuqmqOsYgVvqi1NAp4TRR6nG3CmOchpD0YHL168ePny5atXr7799tvtkP7UcmvEBVz4ak4F/825EYsQ6+HcGas2wCO9kO1lzyEUgVA0Eu0bJqgwhIlrrqSo+pal9tI7/fkiIMGLEfleynnJ8M4mP378npwVGC2BISrgXUpAtd6WThCIu0ACJ/fSQOfxdhJB+Cq1eDuzdC8cKbKse+W8iw5BO69zTzhzr5zFYMAeqpkfcsHK2orFKJbgjTilOiKWMIb2evzKMiTDW23iFgZi9+WujvtHBE8qKujc3tbAR8MUBr1ZGHv1hX2ZASXCiyHeWNH5bhljLBvAaMEsgGgtqSbThpcGBJ41CBo63xV+7eFw2NGh+2+XK9RigJpzb/AkunGb4ZNIRxKCBi/vcq/BogwGCUaunZRLven9sB2fir7bwu0Xe5ZA10RD64GLD90A9BYOP+Rsbewx+b26qRI/26Ov6nfrq4r26X+bw2oY9S/vtdqMx+5cVzEn+b/gv4pZhvcMAb/7nTqxboPvoyfr0ZPVn9WjJ+vRk7XtIj56sh49WY+erLt6slgQhJLcTrK1LvieGbof34zhejXSAvs7pIwMJoveQFVvX1/4cXH3XFChhJlpYmRGJizXmXtpgrkbKs3StBdq1WiDwdewRd2cTf/nZ6sx/dowtYJgWIy+DsoEFwXPmSb7+878X9GVR8YurC75fGHKVXpoQm5cNBuAATNCFEsrr3Fh2Fy5gFVa/GJRRkkt1QjzBatoWBd3vw5OB4y9jcLMPPc+1+QQEm+mzNAjMmhri17oEKZSsmNUfRs92jq7rrVs5pDM4oJ1ET6oKlSsyBUXRWYZi51hhUHj+IJZRB5KzDOzW1Iy9D/azfOpdRB5jbmN3QQ1bjQrZ6270YqZFn5Yxe1dh18qo2LmculSPNelnt6ETJSCegMmsMsDGaTtpV3sJJsHx7XQPedGc3G6AoE8r3uZDW+v75L8ifQxZO/3kd3DJv9Szgk6BRTPEyrLyCn8mmZLeMXG06CdXJR7CcakBc6YtgmVGXnXJv4CZ/O5oJA3wCtmb1nvobRPLYj265BCKmdxCrEHQn0qIoGsEx+G4EIL2nwO1GrJlGHyhlc2qbf7WcUtVjtHaP0aSAeZMrNkzI7h48VF4eIGmHIDuLQKTCfNS6ntTE79Ut+8rN4yJBWzQgHoGSXAwqh8+GeSdGuRGF7Q4UzWZF1jEmiXtmKVVCti2R3E+ztARScD+LopBVPoJOdtLrB7TedU2IlCPvDtL/KdsqqzN3bbg9058NpbZm1Zzt/H8mHMvvZ8W/jJzTmUkDXn1+Db7B70pT2L3umbVCLw0BJY/noZgVHcAnAnJhLJvIaMV1aMV+swTYBanjSBNyYjMtGGGmb/QkuqqklGfqbKEj0kTs8aCFUKkoecWUlkRJapWFGXFAxDLvbECsSumATNc1YbyDZ1YSh4C3npZUTqklENTDIBCU6AnDZdATgQAOA9cJm4PJmdXCjIF9wIQ9sexIEFny9cvtEwt1+zY2fp/nONTAeSm+x2L6hwe5dhAthk5A36mgntsoBaxYKm5ORQb/EM8in1CWBbbH+6UewBtj+B2GjW2f6h/W+szghOYOClQ/ESZkdp6pAGjLdPTmsD3NVl+K5lCEF3dHl+LU1wkRJA2PT2kC9oakF0FOC3cxJdH3C4gZfv06Kw59pdyPtwIbNikm7fZMZLtp8rZq/HCbqnsJ4K121Oqb8f3Sy5HasChXnwbMLe1FRru6b7mB7X3yDZmFzuzrlrZ+KG2MSuz6Kfol2iwm3xKCJXnUZDttBTI4g9gj49s73X8WW3Q7rJc/C9QTmYGeVlo1jKfBOY6xnxbU5fCnItI97i9Dn8v1xq/kcGEh0K0m41mo5CYf+c4yzotYRYpBAg0hZdssQJJp8hFUgWTbnz6hE4irMp3VhHARO8Y4aRvB1B1MGOhDnwUoWqH4PHtFrpX8sBPx41VLNtPZp3XgU3zJDZQQpLuGj9m7j3JuSJZVWaGXLgJGTNzFO7GumsrQyfGj2aqf3KCta4TMBlk5McL2/I4nXWj45NxlV74qJFAivHgKkoPHJ7bIkVsc66Ju1Ekhk4SZpdM8XNtpLMOs/f3su97fbmwo3Xuao8Gh1B5eeFM8YOh/eFr9y1XzFw3QnLwaKQwKC9hSJSdm++0aSpiZEdrprcO5bjVfSKEdCF3HDcsddcCs21AW0Q7XA9E1e4hDBHvrwztX9NfrLEYxoBGdXO1uhCrznW+tELuRQYg5ebckVWzFgy/W9SSKwaJ9VVAtLKBJZva7JkSZDI1+RMk//n68Oj43/yMYBpurrdpv+GCnRSXVlE4CSB9aG1YyUAMWCT51d6kDr3LlhNDr8l41cnRy9ODscYpvr67XcnY8TjguWN3Wr8V7JndtesZIFimsI3DjP34eF4PPjNUqrKXzCzxoof2si6ZoX/DP+rVf6Hw3Fm/3fYgVBo84ej7DA7yo50bf5wePTsaMtDQMhHugTbVqhkJmdgz1eB9H9yEa4Fq6TQRlGDxhu0wXLT1QwcC8cbyFEEFwX7zNC+XMj8MorRL7i2W18gl6LCvj5lHYhYDo0VWNWDh0pDyjIgFvzYk0u0p0zirYWxT8iMlong3aLhf+sdlgXVi3uJay1VtTHoQ387/ePrN1vv2A9UL8iTmqkFrTVU9YI6VzMu5kzVigvz1G6ioku3B0bapQK5qMNkyFabGi7KRnW9+3cIMRmAwkXdmEv/gqBCapZLUejtluSNg5iwbMtTIkh9KRipG7QEIEv8NxMFUOWVsCwMmBuqB21gWNfJ4Ll7zgJ7BywEkjuOgMHFffGRV2zr/JI7KQXhJLYTiArYJcU+v9EklDZtC7c5e1x6OTm0U2W/VIwWK/KEZfPMqlC0KQ25WGlLVwGwfopXXgJPAvK0xPj1JdddMfe0Fe3D2DgyMJETQi1HkAIsk2dvHA57bxsla3ZwWmnDVEGrvaepNkinU8Wu0VTqP7n4tPcUrK+C/PDDSVW1tzenpX9rf/z8ZDzeezpk3kfdcstDUsS1ITdupdOBEXovTW2wcKt7eUjAbjfaCuVcGy5yZ5T+l+g3V40leuQH7gkrTu+Gy9W9nPnKm4CmxrJuLSV4Jj4sUrnyOh1kkEuVXKAA2pk0xyq0cSm5BOZ0FVUTUwzpGzxGOS0zMmnnOUFnQVzMMvyWbstno2hu/A0UYzjq7FlANkyB+6q56f64gmU5BrrWtRWzJPgQ7AWNNhirD6GTbmBzejyqfWUA39hJYQdouWEX8z5BbqAzX+UN1i7deLv2Yd1H8QxaLoVl4/pqgmWnt2CXtz1gyK5vPF7OumQZxeDi0Nzwa6sQ2PWZcaWNL/45NCl2KxP+badkb6IbJwRDxdMJU0jNn1STkm6ejeL66lJ32N0mJjgrJd3SufqR6ysCsLEOKJc9Zc3xaO3kdKJlCZYd/TQ9Zz9phhWosKzXNzooR+7Kt6dr4/QuhVTVLTbuFvP8AKZI/hsrYLwbpjwK3q4SBPix5ReH4/Gakp0V5QKjcLAMJ9TYsipphQH0VIAL0JU7Q/ue1nze4fotYhoqgwOYJcXyL5oxQp1FFaaBa+r0U1qWvohbxy8944Fnd3zQzkv9XfvCuvU7BShdRydxVpHUDQW+Yk2mVmzz7M75X+1ziIPx3kQwbQDWGaDhS2T7i4xqLXPelgYG1dEX20sqw+GCHThziXd9AuGOiFlIzVyhcDRCw2BnXjQn76XgRsIV8B/fnb3/T19UHExgLsEb6vFBlAdacr25tJ/eQmczhheCfb07BxPVlHf2nq0dqW1Mt2n1qHWHZFi6Tbb4nFqEpEt/L9vD2daRV3NmLh9qvE8ADtAHkUKvqpKLK90bF4AnIV/3GDVmBLCDAXpynOEwh2SYUi4Jo3pl18UwII3pyhGX/zwyeATFtBbz3iLGJu17zANwB98vWDJHpOAKzpVbxqe9ZSxYUvvgHmO/AUhrckfXkg8XcWjOPYY/s4BaS5WPw0GuJMLfHS/potFEYQcPREdWpgRHgNWNfjp78xQ5hbsho6CpJxfwY7tIRC5FVMIr2BGXcY7ufakEoH0Dlm2VpCaGLIuHWZJzxSuqVsizYC2+70y3P3KS/fBgY8fJ+4PjVncnxXC4xy+Ox8PIvLf0Ge8yF0TmhpYd82oPLc1/2xatxP4znGDUpwQL3yID71nG4YyI0gostCi8MjKxY0wITyUS8O5O+oylSjK0N6OdSNcJgu+s3AsRTrBkLqQBROJKFvb8FL2R812MXDFDMYgbXM1FR4SKSdYnJEWPtg/tQ1KNQvsq5qS7NgwV3tFOSFSW6ZXsmopeOG4S2nTPEKyHsY2tjxjFefva4cCkD+qSGkvEXzhlO/YgAlqdvY4q37ut/qF9sm11al+VJZGWXYFhksuqbgyGFbryJhCeDSF1UXeMAeti3B6jlTexGYaIYgTTHhhYyELcHENoZwpr2gYNLqgqllSxEbnmyjS09AVG9Ii8gaoIUfUHVFr+1EyZEsyAubNgd0m+tjMaJoL7u5B/cLDjqildQ4uJqqF7PX/pHZYTj93EbmVlp6yYaRSWqtqiEMuuZvbhxllB/qOzwMF8orlEc/gJcsRRm3T5LE3ZcWP/2tASOLTPLrdQfJStRcRFH7VBP1YWwfggbc9xp34Uy3kRmvegamuk/WYo2XuXUaR4dru2t1MdiNK74FxDBawNMwJ133nhAu+27J2L+axJ8/S5QDvJjYVqTpIsisa7EyfQjgC2LesvzkNnwgNX4LXP5f5yCeQ/uGO0YeRdN/IYOEbfSeXKBPlKaa5ZhLNZJHXiLBjouDMJ9Z0mndYdM3JdjXwRmijFLLDVUWx9j4oSRWaXBGJLdDcQWgh0VPmCGwZVBe+8mK1n9vOrF5cvjrf0vv5YM0VN23coQWYo3CKWT90F3cK4ABjRG7fLFLeH7ceLbt+t4fhb2UE83lXFGnDBnyTQjawv3Zp2Xed2+WqwGaWf7IcGV53Hvf48+8BeL+MOZOQuCedeKkuA7yBjs7fvfmDyBBpO5UwYqUekmTbCNCOy5KKQy67FuS3QRNWSix2mn7bk/Z7mlkj+be8ek8W70ofkW3JygZnZ0BTs5buLKbyXv9Brdv95oKzobTIhN9ClTnUqI0XTohXvCBX3nVjBppyK28zowqHhyA66bhYLakYEYY2gf+BUFzEJDkymn6F6/9kcjrPD4+zwPhvkNwMUEEWXRBuVlomM8l6s1P6whHacHWfj/cPDo32XgHCfuSB+W0zpsZLIwO4+VhJ5rCSS4vpYSeSxkshjJZEOio+VRB6uksjCmI7V/IdPn87dk7tWxLcgQiTNXarLYlO8rGJmIXdmCv/BmNoPRXCogTwVdMagsQui46YsDvAwkpRyyRQEfc2kCsVBMnLB0pOw9y68+JrW3FgIsGN73j26d+ZzH6xI9fb1xR4hGlPgB8P258yMSA1J4XUzkB3p13Eqi1XmPDe7Ws1PzgIJFBWWFUYeQh37mC+lKgeyuz3e0MxQbVlv/075Zgi/TZMDyvXDD+FtZ6dPDg6mpZxn7mmWy+pgaBa6lkKzTBtqGt3l3DfNZPsqko6QcTSCo/WYd5jB8fh4A65/D1JxiN+NVtaWHXpAJhEU/wHkDrPDbcpUhqM4XK5yWypYV7Jy02pLQ8uOi9lJyv6UPrFLD9rAgtGCqdSE0071+NnLG5jMl5/exaaJrSWpV68GZ+IPwe9rk9z5uOcuxQf8d7NNNx39sE+tijxPxZV34cFm8QSdVjRJuZdRdZs7iCmwav1VvL9n452ct1Krj50fymvHCtVJWYCfTz9+mIzI5O3Hj/Y/Zx+++3EyuLRvP37cQabk+pRCEHrBcfd+ZScUm5m2zlZbu3ydCwZDfsEH4MOb7Rr6dD/aDQ6H6yh6IwE3ZTMs1VBygzEBhjSQmhEqa9RU9YqrnaEfV9FQpo1MHHhXjtsRZezxhV7DPlmhTqP+SUwODlJcuaBTuMBNfNSbXMe5hS7nBb1mIZtJW7rC8J7c15ur65KzAj1lTOQSa4ArItgyVfi4YBp6QV2jfJyXjApI9k1RH4rTvm3+JNHSJUZ+00ugtJI4uLa9+R5k+BtzKBN24+KXU5bzIXm4fWSRD4buN0TPZVU1wq01ht7Ka6Y803LRIyoNp3axI66ft/vpTsEpHmzI3+jGQ3ur6B2Y5M7jhOb8mtl7xXn7oPqf9GqTbtV2v0BDzOp7kBZ+5jP+5dzXZ6jz/XhxBoGJJR7kZWx3cIRG3tEVUxnh9fXxyP7/C/v/muUjUvNqRJjJf3d66ya11c5jIGCECnqJNpRd0QshZ6cfTsm569NPPsBo5IlX6pbLZWbRyKSaH2DyB1R6O/Cd/fcRv/6D7PPCVGXH80nIhaGioKqAJfcVW/y3cHC5JrTkc4FFAPC0fWDmu1IuLd/rwNPw3FtaIMcQWUTjUs6G5je4By8GCF1RoW/R5uB2vTSgeoYOpzDabZfeLrRhtC3nwsifEH5sfUtABnxJac8HedIU9YiYvMYzss/zqobDkT393R2PjefD5PVAAEiNnTl2qOue4lIjQ0VfWDSqo1af9aOm3CiqeLlyaVJYtifdoQUXc40iQ8VzJX2aDm45LbVsMz3jl/XVqmYjwvNf09TlGc3ZVMqrETFLbgzGqsVc01tGNTeNE1zaoq7XTBQdDNvUoZCXy3JZWMHCuZpDwigKCAeFvSnOzjF6X6foWWLUEP2z5Mrnav/+bIqbaI/yqk97nmPtRNd5Ga45Pwy6cwj7nIGFaERK4BO/0NxufDj1/vX/XQsMBvfeChdcsZ2VsnvjgXv9wct7RtHZjOedBfzIrDiKqbGtyH3SuYr+gXAxlU3vivoHIhsz/AMXhqlUucQfLPsa/KERUJJioAZ3Res6quLsCstaOXkf+t6Rqk0XdCV5R0EQBlErZSxYOcyfdQvnG03AsW4X7Zqz5VAl8GEs/PJKRWqmeMUMU+ux6nCQCMMuVgk69r8QNxgS2f1QwzKX26we5c2kWlJVsOJyN0GpUY+mkGTtstKin5yyXiv5edgQdPjtUXaYHWZHQ6WlQXkyq8vdpU2cQlkcLLkMuINOGnXMOTvHesDuCqBOnqNhXl0GSlovXqr+ZcF8QYmRstyncyG14TnRTpqMO2+mVFzKZdcK8Y5RJTDHmZrgvphzs2im4LiwWwx16Q/CQu7zYl/XLB/ciW8OTxY//qP+cPzDP77//vn7vxy8Wpypfzv/NT/+93/9bfyHb7axhu+gadONxlW0PML1AV4fWPuptAqx548DBXMmrgcSfO0qOcYdsvxzXz1nRCZexHU/IWlzRXRTDS7osxevBq7c+3SEunEtHPQ7r4b7fmA92l8GViT8eOOaHB2ndphOiK0PKk6fbpn5IwK0frJ8zXJOS89TRyFbFJMmWmHYZe2GRrgFMyw3Iw8ZXsfE+pth7Xt9zt0iUY1BL3N78ZaSvNFGViHlB+FAZ2TI6nDz6mT4SzHjc6hgayRRjbjFPLWcGTtQVOTUpx3NuGJLWpZ6ZG921WhcF4PUc1ArmA8A8Wkq/q6KrkHNhJZKj8iSTZORI/AQcVFKrckQULtep+fv3dydOcxvcWwPo2W5wRzmZCMEC1EcVKxGuJQ4Kx32V/tCBrjHur30Nyxlt6AAee+s0b82rEGQ5O2nd5B7JgWQgr8iXJmhtG2Fo5FQ0wcKIhYMysC72UMjyK3auXT5z5frN9iLnv+C7SIDlfQG/5LZbeux6GmsD4ZDYIE4RNJaegCN+7X22ZRb0uLR8bG3JVIVp+WOLYMBDRzNxXL1kdlZLtMibRMftscX0b2pfDBTLufNskh/p3mLYwttVTOd9d2GCbCJVwnUZEQmng3bv/NCw39q7WqOf17BX2RZ4svIzO3fWoY87H30YB+zhx6zhx6zhx6zh7ad2GP20GP20GP20GP20GP20GP20EMs4mP20GP20GP20F2zh6SaU+Ecou5Dr7H1f9k+UC4G669jJhTPF7h8YLdb13KtqqlY2UsXFyYAjjXpTnxblracXbCyhrKuVCkq5r7Bi3EthaLuMFRgkCKEn7n+kS4kNIwbT+YuUca7DKCLd6krxv89a5HFa5alFNdpfL3GMrA9rd3XGtC3BKy1AgxZAAb1/572P6D734KCBjT+h6WiB9D01+r5D3YMNuv3t5neNrr9Gs3+AdDu6/S3x/1W+vxabf4+k+nr8ZtmcT8d/iFTxTbq7rfZiO2V3J7Wfh+sN+rrt8F/K109CiCDToIOS2Td58nDu7SGX8uwQ4fqbM2XVLS3PLTsgqAb71FLOsVB/HvoeM2Lg4QTuZCfOK0B7xXfkjOreTEhcmaYINrQlfZxY74xNfaYt8p0FJOUy5qjSQFqYJZySsuovaFHORLYbnMfbF2bb/u4gvOwPilXd93v9OLLCjYenZ5pEnOmoPUGseIwgxJxc0UrJ6cronnFSzocRjU4kXpwQR8gsdfPoqZQW5AP9Z2gan6bTL47rSJV86bq9Nazf97TlVVyUDZGcq2VNCw34Nbnhl+zYc9itKT/saf1Ym9E9vZL+/9W0LH/9V3fXuz9Z3/S7DPLG+iMtKupn06hgwbDZBx3Dj0TaIcfnNFBo9XBlIuDQWoB7rfrHYNBBgJj7QzgtxHmeOFBML75DtVhjhiD+5oKDNOOOxalHqyo8CGhZKrkUoMf1afKOWT8Gi7ZlNTQ0cd33rSitRjsqQKNBYvsPqerTXs/Ot7aRwjtlM7ePHwjnvYePhofvtgfP98/evZp/Opk/Pzk2XH26vmzf9/yOv7kWjMlZOna8wygvZTqiov5JcZ2DXZOv4s0cbCQFTugZdy/4Ea0HS4k4OItr+HKTkQHZ11PRYePycNtRYe2KxzDBty+sPeM5rzkxooANb+WQLhUyUYU9ubnDDsoYDthDw586PCb7vZXcZkEmjFo/F1RsbIqUc5COA75FA8aYGLDR/DxoyJcjQjk+IVAbDxE3EkAupYCpHiXNtmKthO3bFnkfT+FnruKGRa3Lm2DYpgeRQmpU0YaUTAFqmgIfFIjFwA7iqNfRyQvOXTk8S9ZccZH/cURxhk5w8Y7blq0LCF01sgWZV5PRiiYUZCUhFsXWBTq0lPOzolR/JrTslyNiJCkosZAxiREQhgYgCponrkK8f3xICc0m2Z5VkzuUp99IDRp7QHaNjzptAz53nZJgHykLw4bJX9HgTG9iMiLO8RDuo8G0lIdhUEd2yiuPZdCuIQCYP4YkabYnKoCQ/o0dF4ZRW9iWsyUh+hSK89iMlsuVaGxa96n1+ehVRD2JfaYITo54/bfbpW44NCe8OIvH1xE6xMd+lpYUO3wCB5r8ob8u+4Yrvh7uepPvpM1IbRv/Q5swIUiEpqbxptYsQMcUxXZC5D2sIvAzMX1+JFFB1ntK3DDz05l8fbggfRdX5U3R8alO8Bj3F1324sENIU264h5GxzJIXD0l0bkrR6Ex9x9NwSmXUIhTQTM0glu0T4a1Hu9ml8j6AOPeNqSA1U2WljeXVFheO7zJ7zb9TO2hRi1rb2tgjdrSvvCNbfT47+xyAosSM4U6I9tsphnTypAn9Gy1KElZE4Nm0u1Qv7kMqy14WVJmIAm1fDamhwBu0AzDjoHrWsla8WhnfQdGJBj2bsSIzFADHv+4XaEOwLT7z2fqKZ83shGlyukWdcekXfCWXTQuSAkDTzeI0J9WXrg6w0UtJeWRjJC/tKuL9ZwT+EZ6XL6FF22SSRI65PMPZh4p3pXBhH2gmjz44sGg3RRg5nYC8iiNMkQvYm96+xtBQUPXIuGBCQ0hbUixZD5fPdRrD56NHntNd7hHa8EOTu/PrYPzs6vX7SbOoD3LRKBb6HQSmXWYv3lQ4/XooAbvwssHMvEAbK/U65Mm1X16ng7tP8IyTPQ+6ZNiHUxpajX4dUwREj3yWRpMd1SeTt3mS13QvUxnOgxnKg/q8dwosdwom0X8TGc6DGc6DGc6K7hRK4UR9+k0T7cPrDD1/Xo6s8m/k0qCO6x92bbeQ1jjGjsjStLiNxYFyg046JwReW8LxGK86DFyt/xkZ0Ph7dfdPKe7tkk8ME6bEVBOb5YYyMEWncA+cEu24XXqrDhVhm6rK6QCv23+HpFr5i2ilMtteapM4dA5bh0NaPEWNw5ERVzHEYr9OjyZkfFIAxHcSZy8E9o3TCN1g0LT7HCTsQ1/QM9PwFoxTgXC+Y7afPCt/4OGZmiaPcfLQJczKHhqGsm+NWQjFs8e8mes+mMjSl7kR9/+/KomLJvZ+PDl8f08MWzl9Ppq6Pjl7OB0k33ylRsnRKspNrwHM2t+242W3okYqHH03ebuObOz5rctZinhY8hm801+IMuvmD4DTWzSrnUwN2WMgHnl7hV8qDRnT9xqiVk3+rS/u6agaUEiFxZJL4vDBp03fImnugEtnlLPj8tsTahQ9WSQsG1UXzaWBC+FBLSh2rA1hvU9IXURhOTTq09Dmif9HY6P2EsMeKmNeD5dhXnoJiNnJG38W7HSw/TcUnnPsYC9aZGm06iGroJv5OK/JFRo/tguLarVbAZbUoDtS7q4PEJ62dJc5LAdR6NGRGSeDihW+FDN5lbcwJu44uLcjdvTf3wsfe5uIIC2I114EpJmKC9t2SHbP3wFuoGbgjAOlnkKaYpgYw6uxVqbiUjTJIFnAx7UM1OUmhfuw6MMEBnL24TDHZrmnmWHWXbttL7sw+1S0klljpuopeW+0EZK3llRUvqIpOZwabRqeDRRvjNCB0iloH1YfWCVUzRcodVdd76MXriRisrkCd8Bjcz+8y16eTmtXJH2wsW3ACa0FxJrYli4BV3FecCCfNiQgoJ3W+H6/y/osez5+PxrCOggmG/I5/Gz7YTT/GTbTw7oX0/dXa0g6QOaxfU9p6c2C/h3Dm3l0C/oBfCeVQevRC/Xy8Elgb63+aF6GL9d/BCrENhh14IPE7/J7wQOBVn2o9LUf1OXRG3wPfRH/Hoj+jP6tEf8eiP2HYRH/0Rj/6IR3/EbfwRib7XqDJV9n76+G6zavfTx3f+hq2VvOYFw/qudckMs79i4iDRuVV9Ry66FirHUrO4gw62vmPPQyXpYh8YVrStdBoFlW19gLNZpGpaZ4M+SOPi4rgYqAA5igueFbCAFeaVUOxcYxctAQgxvhQ0LZpD5Hsp547a7Odcu3yrXxpt2kBCX+QTF7pvRQi9Z0JcePg0gKbgr1hSHRAehd3tSkXrTAvp+sa9J5zxLMvlyfHxswM0ov3zr39IjGpfG1lb8Gt+3kEK6iY1cBb2CHVyXlmVza0fRFI2Gk3OI2QrrcIb0ugTiJNGlZmFORnZjYaIXZNsj2K5FNqoBmxkUhG/SUiK6QlPyHJgM+60/ANWTTjOOzOEAPROc7tRaFGwB5PYGzh2J5iKeDLxLZVqGqm+AHX9qmyvkD7MLN84M8y6WaZb1J3umcCMJktq9pR7PuLCraXTQ1zdVmgggLHo5arN5U6No84uhC4OcJ5A/wtHykllc6DpuQx9vpzNpq/2hCVOZ7Ot5WN9koEwbJ74ZrY0gPTW+fj42XDf0ONnQxq1WeyKHs6hDdY6anDHc29AbYZsj11hZQ8UDOAYUhBkAE/8BXOgu7gnYMI8OuylS9Zwfv8Zzi/7DHWXo4YA8WgQuo5k79vAJYCEtHCAckOp0Gge8Hn4jcKY08aEt1LsTWcR0Dbf9gqratPiBVPAN1IfH0LoOL4STyuZMrNkrmuAWUo83UO1CRSdVztsWWtPTOS3AQFoZlwex+TrSUSYRtaDm/j1IBP2iA/MqdFM7TJH+icHv0Ong3YzrTtwH/ikI/xhTOL16Ejj+pa5TnYjIJag63oZrvkCr6LkCv3N2TWNSMxI0oq+me8zGnopgs8KtNrY8m2fcIaJJu1tAwMtqMY+DWZBBVrzi1GrRQgoR7TykjTwAnAFEjlrcVpsWZnGqOamwjQYJp08isyVyfNeuZqBkjap7+zvHeb0Y8cj0XTDnoJ53u7NwJl4mJAbWk5Zcs9vkgIX9tr2VQpKOW+FpTU4WjG6a2O6R7rvKSBL3kKrtkQOvIHLfKNRS3DFZ2aEXlNeYv58D2lWUb47bdYeNBjBy24DGCyo3plQ48Lr/IFfpGFuMRtCFz68CJXGpFhV0L3KvtK5YH7SbNaUdmUnQApQckS5f0BwUgjkgWYQQOW0TNlep2NTToW9rNzVPOSd6NjuvX+i8/j2Bbox9iVyaQ8o5PCOC56CoC7HnZ0E3lcC7+R7WMOFNlPFJsq4YfZkY1U0XBcftgZJnwe+1FY2jHbP4rhDxGM3A6A6cH+nJczaW5zEz293lyNITy5tHIhVBl11Hl+UwssV9tsV2ogCOL2QS9fVecmmIfoEwqSiwvtYqYAqK602AfFQ9ShexN+J+c4he51GHrUrN6js7b2Xv/GypAfPszF5ws8XUrB/Iq/PfyL4d/LjBTk8ujzEdo2+oNpTclrXJfuZTf/EzcGL8fPsMDt8Tp786YdP79+N8N3vWX4ln/pAqIPDo2xM3sspL9nB4fO3h8evyAWdUcUPXoyhutaWF+9d7jMcaLt1jIm73fdbtMp4mO38c38Xu5gknupsPGDFYSE682HWEUni9uvoEBk4FI8tIB5bQESr9tgC4rEFxGMLiLUb9P+7FhBfhxaZVkOJW5x9TT79+ObHk6E+l87MesByfYBZPweHL18lEirepJ3WX0NLsGZO3cZe7mb+at9+fkKmjFq27S60P+K/BkC9dvZb6AsqBXwX1CGvOYNSWLpCKq6x01dpP7cQu8eoyQyv2G/tNY2zoiUPaW41NYsTpyt1Xq74XFHEEOxGCXQcMQErp7+w3N9Q+I/LWyxjmD+IN757IUzahyonGDClQpO0/l24ZpC39qOOFADlc4qCu/pEViaA4GmXMAPjhDjpdZ3zOpkodwmLB9Si/I1kI3uk2d9ES8Hxexv3D4AO0nwf8OAB6UJ31J6Xsilacn9t/+mtmZB2Qgtq6PAJeO9+RZUrTz7VdovaHCxaFJfwwqUH6QvJSRUfiGTO8EFWK2lJs60vGHia+2X/82YaioVZ94mll++lnJcMZxw41qldTExbLIv40ISAY2ZoFhCDqd6wG4Mvb9zraAyfNtamd2weJqQuhvdvPdIWBNYZa1sajkZzmXyX0THcPJj7IIs+2HYsx4x5yc3qcgvmuvmrbUd1lLbtxvWofNtxMK5uqzGSV9fwg0LmV0CljiG88f8eOFz4G6RydfOh3G/2aOuFVOYS74dW3aIiX0jlx9sPzGDN5RjQIhsNN/7Ix9G7lAuwtfa4fbxM0VINfzK4HWuGqui8f7fcOJr9qqvu32LUzpfbDXr34Uo6ZaVuRbkf5JIYSSpaWz6r2T/3cEnEDbJZ5CA3xDPZtSKIQuYp1+nhjm5/wH8NADmz8kJErc5saz/3CcZZRKD2+RB5kv/6Hz/yVTO18jDmTbjx/xQ/G8Ci/T1csumN2QIl8eibT1P70Y0nKkH6dqeqlsUwud1qE6MVqGWBxoHBoZqBs3vXkc5lQX46ezNsr9Q1zR9uUi3E/mCy6B31ew7m1fv+YHhMbj6O2w3kzn1FB8LrwBWFJRofargI5PCYNzDAu65nALtmUW/i9vcfF+E6DtN2Zuh1ZRiA68uLB8YS5NghRtDp+rA1F2Cft71vfMnowXrw6/QSUKrbCe+9Ri37Zy5KObfa0N52avk9NPJI1lTs14YrViQhGRtcXgi9lHNyen6GpQN86BSULXeFcqXCYjWhtoqvIB13e95bcgHwSjnfC/fVz2gCI29hpHduJKnInn93zkX7fqtR+/ftz/abyABlMen9DnHUBdN8Ltx16Yd2VRKPxuNnAUT089F4PO7Z5jXEaPpX/sy1oaMoNN2hHcBxMVMUo4gbxQAVxTwyGfmxAwpCLiiUffHjBlBu/NGG1ePYyz+LqMwnKGDawlftaTYsN9qVI4I9lhBDbdfH7rCdcZiSzr4K5iW/Oy1pvw20ghRxA123GjcN02AdEOsomuaGX1uFpqOVpOyqJfbYObK2MDX2PSlX/egcX3nH/RuDL11HgYALHIAAzpWpDhEDdTMtuV64FnAY3BsNAK/E0dLxJRBG6JgVZFU3hqm+prtuGbY78yJJ4MMxcCJYbxnSM6Nz//OCCdJoSyluH9NVIK4ku8u+4ChSQOgahl+2ru5JYh6adC1vFtqls+OQW9v/bkUOgfnthxxVqMjfTd5oXA1uCJfV/JrB/gYwEBMDKE+yuCpUTmvTqPZwwWGQwluirazMZeuhM3KI1dRU0YoZpiA5ZdIuzwTGsItWkAm8dThpQ2rxydEEE4G0JFKMyJTl1J779gRG0KHQg0B4USQWo6q0xBuQljOP5uDOdQ5rlPF8t2upPT94+cCdE5XuyX2AfFvYoo2gTBF0lKIfiptYdDxMVycDb828pFrz2SpkN3cQKeV8l+e53d6kCp3Lc1GFu5lo4QjdL2l7L4oACxSD6OziJttrYuL1Ui5DylYwrEfZ52HS7Dp4iR5k6UOeYRQx+wnCzbEq+rV7BUg2ZtUYHh5g2WvcDnvRQObXCJRu57gfkZ+pEsDUwIQ+IqdNwU37rj1d8CiA+47yslFdO7vr5HXZdyzcl3+hZd/OS+ZwXRV2x0sWbnaLIk7IeF+rwwb2teU/C4hN6jVLsSRzicmWD0iwjhQRbp9yY3lzxhUk3SHtKm7iIKuohgB82FK5A32Im4SNGlxrCGSd8HvkndTs1wajGMuVT17oAFOM5gsnG1T0M6+ayh2fJ0d/e3b0twDLS759CdUic/S3F8d/2ywdPx0lGyPYZ9PBZcnLkkwZGQ+3t7n8PchPHge7TWl5Gas8KlkCL4L2FzOmsOFX5ugDa0S4g4vpUNC6BULhLTtrBe9IxtIua3gSTX8S3yLpYsk6SvB+kAOJEEMloTiZNSOfqL5CcsS3LB128oyjCn1RpUvWVs9wEGmNxX0gsBf5PHO1g1yxoki7RR7Xb6EIbp7LefN3JJHgv4MfEdGE9IduUKelbyVtbLlvLcgBDLEDWl88HmyiA4LIQ1/wA+JNxCjJky5JSBWVgqOmQwkRa3vaQd9QffWQ58HC+32eBkDP91/B4Zw9u8+1n0hBasVSCb0VmLqGg6f2HnJXFQqoXqHorjZ0hntIOg4Qu2SMP2xLxUGn+YJqGLmfGhbpRgOTyVo+dGvybuN79w/3n+8fHe4/e358ePxs/O3Rq/2j8fPDl4eHR4fj/cNn3x4+e3X87MW3+4fj8eHN0/bkpFneQJ2MiFk+uTh7E3pP0RyKp3TbzEeMkuuwj+Hp2Sy2Drn0C8W0LK/xbFycvQEJykXkwf0Kcn6b5jFK9dy2dpw9uPgIq3c646UXS2RlqT9KLe3kTDhFueA6l9dMxYi2WEJw7tkbPSKKXXO29EKqlZ1aUQKtkBqFDFeFpFZyWrLKFX4Yoock9fxBiNhldxuPw5pNizYLM2Mr5oTgITR7UQf35ceuruzNyHWwSUMV78KoPkVhngOC/zeuWxwf0B4/V6nuaNhnc9cVUHRJ/u39u04/sPRqlVNwbTjy9QYP4EitjO85E9RHbY32Flb3QiC6qWupggbWNaKltt0n73mupJYz0zEZYxPEJVNPu9xRyPaOd6mcRVImWRSkajRkXzFh8YSffVPVifvm8nPlUjnbxGqImExUeyLrNqHM3sEFv+ZFQ8tWMInZkF30mxYczdmzpkS1SMlmWjK9kDKxi9eNqqVmrp2d77oGWc/IfRSzq4xzS1mfnXguq5rGKp+vmRcBsohC0jidC6kDI9HZV/9fAAAA//99N1Er" + return "eJzsvftzHDdyAPy7/woUXfVZSpbDh6iHmbov4UmyzTpJZkT5nEsux8XOYHdhzgBjAMPVOsn//hW6AQwwM/vgY3VOPuqqztLsTKMBNBr97n1yzZanhOX6K0IMNyU7JW9fX35FSMF0rnhtuBSn5P/9ihBifyBTzspCZ18R97fTr+CnfSJoxU7J3r8YXjFtaFXvwQ+EmGXNTklBDXMPSnbDylOSS+WfKPZrwxUrTolRjX/IPtOqtvjsHR8evdg/fL5//OzT4avTw+enz06yV8+f/bsfYQBV++cNNezAokMWcyaImTPCbpgwRCo+44IaVmRfhbe/k4qUcoavaGLmXBOu4atiFaAF1WTGBFMW1ohQUQRwQhp8m+NritF4tI9uxriKZCoVoWXpBs/SNTV0plcuHa7uNVsupCp6K/cff92rlSya3K7NX/dG5K97TNwc/3XvPzes3TuuDZFTD1iTRrOCGGmRIYzmc0S1g2lJJ6zchKuc/MJy00X1v5i4OSUtsiNC67rkOUXMplLuT6j6n/VY/4ktD25o2TBSU650tN6vqSATFmZBi4JUzFDCxVSqCgaxz936k8u5bMoCNjGXwlAuiGDasHZ/cRY6I2dlSWBMTahiRBtpt5Vqv3QREm/9ZMeFzK+ZGluKIePrV3rslq6znhXTms5WnxtcUMM+95Zz7wdWlpL8LFVZbNjqHuEzP64jTrcC+JN90/0czexcEGnmTNkFJjnVbBBOuge5FDk1TLSMgZCCT6dM2aPllnQx5/kcFtbYwzRVjJVLohlV+ZxOSpaR8ympmtLwumzBuHE1YZ+5NiP77dIPn8tqwgUrCBdGEilYZzp+7emMCb+sjjGeRY9mSjb1KTlev7af5gwBOW4ZqMmxFUroRDYG/qnl1CzsTJkw3CxHhE8JFUuLPbVkWJaW4EakYAb/IhWRE83UjZ0obp4UhJK5tHOWihh6zTSpGNWNYlX6QuapURMu8rIpGPkjo0DQM3izoktCSy2JaoT9zA2ldAb3AMwq+wc/Lz237GvCSC3rprTskCy4mVtkKS+1ZSUmrIVqhOBiZqHahxadaDLK8k3ccMdm57Sumd0yOycgqzAj4K12niJziz6V0ghpWLwNfqqnllAtBEuiFieYMnDfUs70qMUxs0Rg+f+Ul2zCqMngnJxdvB9Zjo4XQ4CfTsttL63rAzshnrMsIoSY4xSSaWQycypmjPBpexIscXBNtP3GzJVsZnPya8MaO4JeasMqTUp+zcif6PSajshHVnAkilrJnGkdvRig6saeJk3eyZk2VM8JzolcwsJnCVsBCveLGt/18SmxBMGlCM+HuBRZcU2tOTf2z58RdEI6EcuJmN2L7DA73Ff5cR8/+/+7QO6DJY+VmNmDj+IDBQzcEUYGNOM3DC4bKtyn+Lb7ec7KetqUMS0gWSs/YWIWknzn6JJwoQ0Vubt+OkdL28Ht+UpgTRpjuUBTUQFyiWWkRLOaKiRLrolgrLAHTjgO3BsuAeiJNZeVHXyqZNVZj/MpEZL4QwVLgKfNP5JTwwQp2dQQVtVmmQ1t9FTK/hbb3dvFFn9a1hu22B9pC5xoQ5ea0HJh/xPW3l7wGoWJsPWTZcQL7W2YpUslAnsKq96+vwBYbpgJa18BXs2nljgScKsJJSGSiuZzLtjwsjsQ/bXnxS5W/ifBf20Y4YW9CaecKdwGe5xgDZ7wKVzccLvrp519CVKWZdjI4OHbhd8FYOe8GJzqK3oyfX54WPSnyuo5q5ii5dXQpNlnw0TBivtN/K0f465zR7ZjBVdV0bJcuotFE5orqa0Wog1VVniwPGCMZM2LcbiJ1i3K9KtUQspL3hORXsfPtpORzhwgywUKNgXZjOIR4oIbTo2ERaBEMLOQ6toKUYKBloBsEWUfxWZUFXDr2dtPCj2K3sSrccILrvABLcm0lAuiWG4VHLzfP72+cOCQO7WY9dCxD+zrETLA5TUTBb5++ZcPpKb5NTNP9FOEj0JyraSRuSx7g6AuafetM5wCFZlZ5cKLF34xjKJCU0AgI5eyYkE6sLK4fdMwVZE9r/RKtWcvH8WmTCXDi850NEot7mcn5+EeTlgQ7CL5FYYlFhUx8zvYAo9xRt3REYsHbblSoxuYfitFcmFR+qURuMQgVDox0ZkiyACcdiGtdNVCs+SCW7IPBzdVuO0fB+vAD6JYrZgVwuBqxFvaao+aVVQYnoNEzz4bd6Gzz3jiRu7e5Dpc6EaSG27nx39jrfxv58cU6ASam4a6lT+fkqVsVIA+pWWpcRlBkjBsJtVyZF/y94s2vCwJE1Y0dqQoG5XjHVQwbezu2zW0CzTlZWnPWV0rWStODSuXdxD/aFEopvWu+CGQM+oAjpDcgO4SC+yimvBZIxtdLpFonXmGl2UCT8uKgX2KlFwbu1/nFyNCSSEruwFSEUoawT8TbfVzkxHyl3Z98c5N4VllH/ZS0YXHzRP7OHMPxrh+ffEBjEOtdFA0aPBA9Xic8XpsURpniN7Yqn41E4WT74DAEpD2XgDlJBu4qestb+rkxTV7c34RJuy4IW5RZ5rO8GJRkypo6uT84ubEPji/uHnRbuoA3rVUZkvMSylm2+F+IZVZiXUwvtB8F8LN+7PXGxfOo4AbvwssHJvDAaKRvybvmVE81z1cJkvDBg76NjuBCm8fRBAwjl6dbIf2Hy0E1ImtkhFfMUbiLeQ02T4hAdu/4wxaTI+3pDAc7W6ozlgswjvJ6vvkYUe02oDN90wGAxS16oVSy9j8RImuWc6nPCelRJMrUaz0rMjeazetWId/pLJ4puYMpviNvWXtfIG5es7XXd74ciFDF0xkU3YIJYMPb12AzuRVLXkH4TXrQ8g7KWbcNAXeliU18I9UMQtE8M1/kb1Sir1Tsv/yWfbi6OTVs8MR2Sup2TslJ8+z54fPvz16Rf7nm6H52BudCybMVcc2sWlW/fO9YU6xjSKMumJKH6Qyc3JWMcVzOox2I4xa7hzp1zgOjLoC19dU0GIQScVmXIqd4/gRhlmH4r82bMLywXXk5gssIjdrV/C9FEYxWq7baK7lVS6LL7LZ55c/EjvWqg0/W7PZXwJPt+Eb0dz/19dDmK7a7gEh+c4o/qSZ2vfycPQmas6eiY6IMyah9iOnZKaoaEqqLMU4N4lieC10JDnYLpRUg+EOuQtXeJnkTBimnFY7LaVURDTVhCnwZYARw+uPugMaUSxJPV9qbv/inSC5J2XdQ+eDBNObfb1coluJC0IbIyu4uWZM+nmv2LGJ1EaK/SLvGjZkU3TtGu2j7cwa3+F9G12jKAHIBvwYXEwV1UY1uWliZ0e7MHYfEoMqPt7g35g6AQ5Nfjo2CFNB3r4+RneLveWmzORzpnHv4M7m0fDoRWpxthd96gpM/FdcBxNiikQAqBrh/E+KVdIEkyORjdG8YNFYw9hR4twpMcjY4wIfO+pLPZcItgUFXiQ3fOzIcQOkC7dZL/afB1lTyRteMLWVXhyokeXH9xPqkwsfZuwRCd6+2FXN8uMRmeVsRKRKGQ2fcUNLmTMqBsRTekN5SSe8tFfZb1IMWN/XTbPR+4xqs3+U32+2ZxEa5DfQfb23AsgR6LzdyIGJ4A2yFfar8OvPajvk3Y1yW4y9DT+7pw06oM33j46fnTx/8fLVt4d0khdseril+u8wIedvPMkB+sGPsBr3YZ/cw1iMAlrR9bQJMf/LsCPpLqtqjrOKFbyptjQJeE4UeZw24ExzkNMejA5evHjx8uXLV69effvtt9sh/anl1ogLuPDVjAr+m3MjFiHWw7kzlm2AR3oh28ueQygCoWgk2jdMUGEIEzdcSVH1LUvtpXf282VAghcj8r2Us5LhnU1+/Pg9OS8wWgJDVMC7lIBqvS2dIBB3gQRO7qWBzuPtJILwVWrxdmbpXjhSZFn3ynkXHYJ2XueecOZeOY3BgD1UMz/knJW1FYtRLMEbcUJ1RCxhDO31+KVlSIa32sQtDMTuy10d948InlRU0Jm9rYGPhikMerMw9uoL+zIDSoQXQ7yxorPdMsZYNoDRglkA0VpQTSYNLw0IPCsQNHS2K/zaw+Gwo0P33y5XqMUANefe4El04zbDJ5GOJAQNXt3lXoNFGQwSjFw7KZd60/thOz4VfbeF2y/2LIGuiYbWAxcfugboLRx+yNna2GPye3VTJX62R1/V79ZXFe3T/zaH1TDqX95rtR6P3bmuYk7yf8F/FbMM7xkCfvc7dWLdBt9HT9ajJ6s/q0dP1qMna9tFfPRkPXqyHj1Zd/VksSAIJbmdZGtd8D0zdD++GcP1aqQF9ndIGRlMFt1AVW9fX/pxcfdcUKGEmWliZEbGLNeZe2mMuRsqzdK0F2rVaIPB17BF3ZxN/+dnqzH92jC1hGBYjL4OygQXBc+ZJvv7zvxf0aVHxi6sLvlsbsplemhCblw0G4ABM0IUSyuvcWHYTLmAVVr8YlFGSS3VCPM5q2hYF3e/Dk4HjL2Nwsw89z7X5AgSbybM0GMyaGuLXugQplKyY1R9Gz3aOruutWzmkMzignURPqgqVCzJNRdFZhmLnWGFQeP4gplHHkrMM7NbUjL0P9rN86l1EHmNuY3dBDVuNCunrbvRipkWfljF7V2HXyqjYupy6VI8V6WebkImSkHdgAns8kAGaXtpFzvJ5sFxLXTPudFcnK5AIM+bXmbD25u7JH8ifQzZ+31k97DJv5Qzgk4BxfOEyjJyBr+m2RJesfE0aCcX5V6CMWmOM6ZtQmVG3rWJv8DZfC4o5A3witlb1nso7VMLov06pJDKaZxC7IFQn4pIIOvEhyG40II2nwO1WjJhmLzhlU3q7X5WcYvVzhFavwbSQSbMLBizY/h4cVG4uAGm3AAurQLTSfNSajuTM7/Um5fVW4akYlYoAD2jBFgYlQ//TJJuLRLDCzqcyZqsa0wC7dJWrJJqSSy7g3h/B6joZADfNKVgCp3kvM0Fdq/pnAo7UcgHvv1FvlNWdf7GbnuwOwdee8usLcv5+1g+jNnXnm8LP7k5hxKyZvwGfJvdg76wZ9E7fZNKBB5aAstfLyMwilsA7sREIpnXkPHKivFqHaYJUMuTxvDGeETG2lDD7F9oSVU1zsjPVFmih8TpaQOhSkHykFMriYzIIhUr6pKCYcjFnliB2BWToHnOagPZpi4MBW8hL72MSF0yqoFJJiDBCZDTpisABwIAvAcuE5cns5MLBfmCG2Fo24M4MOezucs3Gub2K3bsPN1/rpHpQHKT3e45FW7vMkwAG4+8QV8zoV0WUKtY0JScHOotnkE+pT4BbIvtTzeKPcD2JxAbzTrbP7T/jdUZwQkMvHQoXsLsKE0d0oDx9slpbYC7ugzflQwh6I4uz6+lCS5SAgib3h7yOU0tiI4C/HaOo+sDDjfw8n1aFPZcuwt5Hy5kVozT7RtPecn2c8Xs9ThG9xTWU+G6zSn196ObJbdjVaAwD55N2Juaam3XdB/T4/obJBuTy905d+1M3BDr2PV59FO0S1S4LR5F5KrTaMgWemoEsUfQp2e29zq+7HZIN3kOvjcoBzOlvGwUS5lvAnM1I77N6UtBrmTEW5w+h/+XS83/yECiQ0HarUbTUSjsnwucBb2REIsUAkTaokuWOMHkM6QCyaIpd149AkdxNqWNdRQwwTtmGMnbEUQd7EiYAy9VqPoxeEyrpf61HPDjUUM129ajeedVcMMMmR2ksISL1r+xe29MnlhWpZkhB05C1sw8tauRztrK8KnRo5nYr6xgjcsEXDY5yfHyhixeZ/3o2GRctScuWiSwcgyYisIjt8eWWBHrrGvSTiSZgZOk2Q1T3Gwryazy/O293Ntuby7deJ2ryqPREVR+njtj7HB4X/jKXfsVA9edsBwsCgkM2lsoImX35htNmpoY2eGqyb1jOV5FrxkBXcgNxx17zaXQXBvQBtEO1zNxhUsIc+TLO1P71+QnSzymEZBR7WyNLvSaY60fPZcLgTF4uSmXZMmMJdP/JoXEqnFSXScgrUxg+bYmC5YEiXxNzjX5f74+Oj75Jx8DmKar2236b6hAJ9W1RQROElgfWjtWAhADNnl+rQepc++S1eToW3L46vT4xenRIYapvn773ekh4nHJ8sZuNf4r2TO7a1ayQDFN4RtHmfvw6PBw8JuFVJW/YKaNFT+0kXXNCv8Z/ler/A9Hh5n931EHQqHNH46zo+w4O9a1+cPR8bPjLQ8BIR/pAmxboZKZnII9XwXS/8lFuBaskkIbRQ0ab9AGy01XM3AsHG8gRxFcFOwzQ/tyIfOrKEa/4NpufYFcigr7+oR1IGI5NFZgVQ8eKg0py4BY8GOPr9CeMo63FsY+JVNaJoJ3i4b/rXdY5lTP7yWutVTVxqAP/e3sj6/fbL1jP1A9J09qpua01lDVC+pcTbmYMVUrLsxTu4mKLtweGGmXCuSiDpMhW21quCgb1fXu3yHEZAAKF3VjrvwLggqpWS5FobdbkjcOYsKyLU+JIPWlYKRu0BKALPHfTBRAldfCsjBgbqgetIFhXSeD5+45C+wdsBBI7jgCBhf3xUdesa3zS+6kFIST2E4gKmCXFPv8RpNQ2rQt3Obscenl5NBOlf1SMVosyROWzTKrQtGmNORyqS1dBcD6KV55CTwJyNMS49cXXHfF3LNWtA9j48jARE4JtRxBCrBMnr9xOOy9bZSs2cFZpQ1TBa32nqbaIJ1MFLtBU6n/5PLT3lOwvgryww+nVdXe3pyW/q39w+enh4d7T4fM+6hbbnlIirg25NqtdDowQu+lqQ0WbnUvDwnY7UZboZxrw0XujNL/Ev3mqrFEj/zAPWHF6d1wubqXM195E9DUWNatpQTPxIdFKldep4MMcqmSCxRAO5PmWIU2LiWXwJwso2piiiF9g8cop2VGxu08x+gsiItZht/SbflsFM2Nv4FiDEedPQvIhilwXzU33R9XsCzHQNe6tmKWBB+CvaDRBmP1IXTSDWxOj0e1rwzgGzsp7AAtN+xi3ifINXTmq7zB2qUbb9c+rPsonkHLpbBsXF9NsOz0FuzytgcM2fXG4+WsS5ZRDC4OzQ2/sQqBXZ8pV9r44p9Dk2K3MuHfdkr2Jto4IRgqnk6YQmr+pJqUdP1sFNfXV7rD7tYxwWkp6ZbO1Y9cXxOAjXVAuewpa45HayenEy1LsOzop+k5+0kzrECFZb2+0UE5cle+PV1rp3clpKpusXG3mOcHMEXy31gB422Y8ih4u0oQ4A8tvzg6PFxRsrOiXGAUDpbhhBpbViWtMICeCnABunJnaN/Tms86XL9FTENlcACzoFj+RTNGqLOowjRwTZ1+SsvSF3Hr+KWnPPDsjg/aeam/a19YtX5nAKXr6CTOKpK6ocBXrMnEim2e3Tn/q30OcTDemwimDcA6AzR8iWx/kVGtZc7b0sCgOvpie0llOFywA2cu8a5PINwRMXOpmSsUjkZoGOzci+bkvRTcSLgC/uO78/f/6YuKgwnMJXhDPT6I8kBLrjeX9tNb6HTK8EKwr3fnYKKa8s7es7UjtY3pNq0eteqQDEu3yRZfUIuQdOnvZXs42zryasbM1UON9wnAAfogUuhlVXJxrXvjAvAk5Oseo8aMAHYwQE+OMxzmkAxTygVhVC/tuhgGpDFZOuLyn0cGj6CY1mLWW8TYpH2PeQDu4PsFS+aIFFzBuXLL+LS3jAVLah/cY+w3AGlF7uhK8uEiDs25x/DnFlBrqfJxOMiVRPi74yVdNJoo7OCB6MjKlOAIsLrRT+dvniKncDdkFDT15BJ+bBeJyIWISngFO+IiztG9L5UAtG/Asq2S1MSQZfEwS3KheEXVEnkWrMX3nen2R06yHx5s7Dh5f3Dc6u6kGA734YuTw2Fk3lv6jHeZCyJzQ8uOebWHlua/bYtWYv8ZTjDqU4KFb5GB9yzjcEZEaQUWWhReGRnbMcaEpxIJeHfHfcZSJRna69FOpOsEwXdW7oUIJ1gyF9IAInElC3t+it7I+S5GrpihGMQNruaiI0LFJOsTkqJH24f2IalGoX0Vc9JdG4YK72gnJCrL9Ep2Q0UvHDcJbbpnCNbD2MZWR4zivH3tcGDSB3VJjSXiL5yyHXsQAa3OXkeV791W/9A+2bY6ta/KkkjLrsAwyWVVNwbDCl15EwjPhpC6qDvGgHUxbo/RypvYDENEMYJpDwwsZCE2xxDamcKatkGDc6qKBVVsRG64Mg0tfYERPSJvoCpCVP0BlZY/NROmBDNg7izYXZKv7YyGieD+LuQfHOy4akrX0GKiauhez194h+XYYze2W1nZKStmGoWlqrYoxLKrmX3YOCvIf3QWOJhPNJdoDj9Bjjhqky6fpSk7buxfG1oCh/bZ5RaKj7K1iLjoozbox8oiGB+k7Tnu1I9iOS9C8x5UbY203wwle+8yihTPbtf2dqYDUXoXnGuogLVhRqDuOy9c4N2WvXMxmzZpnj4XaCfZWKjmNMmiaLw7cQztCGDbsv7iPHQmPHAFXvtc7i+XQP6DO0ZrRt51I4+BY/SdVK5MkK+U5ppFOJtFUifOgoGOO+NQ32ncad0xJTfVyBehiVLMAlsdxdb3qChRZHZJILZEt4HQQqCjyufcMKgqeOfFbD2zn1+9uHpxsqX39ceaKWravkMJMkPhFrF86i7oFsYlwIjeuF2muD1sP152+24Nx9/KDuLxrirWgAv+NIFuZH3l1rTrOrfLV4PNKP1kPzS46jzu9efZB/Z6FXcgI3dJOPdSWQJ8BxmbvX33A5Mn0HAqZ8JIPSLNpBGmGZEFF4VcdC3ObYEmqhZc7DD9tCXv9zS3RPJve/eYLN6VPiTfkpMLzMyGpmAv311M4b38hd6w+88DZUVvkwm5gS51qlMZKZoWrXhHqLjvxAo24VTcZkaXDg1HdtB1s5hTMyIIawT9Aye6iElwYDL9DNX7z+boMDs6yY7us0F+M0ABUXRBtFFpmcgo78VK7Q9LaCfZSXa4f3R0vO8SEO4zF8Rviyk9VhIZ2N3HSiKPlURSXB8riTxWEnmsJNJB8bGSyMNVEpkb07Ga//Dp04V7cteK+BZEiKS5S3VZbIqXVczM5c5M4T8YU/uhCA41kKeCzhg0dkF03ITFAR5GklIumIKgr6lUoThIRi5ZehL23oUXX9OaGwsBdmzPu0f3zn3ugxWp3r6+3CNEYwr8YNj+jJkRqSEpvG4GsiP9Ok5kscyc52ZXq/nJWSCBosKywshDqGMf84VU5UB2t8cbmhmqLevt3ynfDOG3aXJAuX74Ibzt7PTpwcGklLPMPc1yWR0MzULXUmiWaUNNo7uce9NMtq8i6QgZRyM4Wo95hxmcHJ6swfXvQSoO8bvRysqyQw/IJILiP4DcUXa0TZnKcBSHy1VuSwWrSlauW21paNlxMTtJ2Z/SJ3bpQRuYM1owlZpw2qmePHu5gcl8+eldrpvYSpJ69WpwJv4Q/L42yZ2Pe+5SfMB/N9u06eiHfWpV5FkqrrwLD9aLJ+i0oknKvYyq29xBTIFV66/i/T0b7+SslVp97PxQXjtWqE7KAvx89vHDeETGbz9+tP85//Ddj+PBpX378eMOMiVXpxSC0AuOu/dLO6HYzLR1ttrK5etcMBjyCz4AH95s19Cn+9FucDhcR9EbCbgJm2KphpIbjAkwpIHUjFBZo6aqV1ztHP24ioYybWTswLty3I4oY48v9Br2yQp1GvVPYnJwkOLKBZ3CBW7io97kOs4tdDnP6Q0L2Uza0hWG9+S+3lxdl5wV6CljIpdYA1wRwRapwscF09AL6gbl47xkVECyb4r6UJz2bfMniZYuMfKbXgKllcTBte3N9yDDb8yhTNiNi19OWc6H5OH2kUU+GLrfED2XVdUIt9YYeitvmPJMy0WPqDSc2sWOuH7e7qc7Bad4sCF/oxsP7a2id2CSO48TmvEbZu8V5+2D6n/Sq026Vdv9Ag0xq+9BWviZT/mXc1+fo8734+U5BCaWeJAXsd3BERp5R5dMZYTXNycj+/8v7P9rlo9IzasRYSb/3emt69RWO4+BgBEq6BXaUHZFL4Scn304IxeuTz/5AKORJ16pWywWmUUjk2p2gMkfUOntwHf230f8+g+yz3NTlR3PJyGXhoqCqgKW3Fds8d/CweWa0JLPBBYBwNP2gZnvSrmwfK8DT8Nzb2mBHENkEY1LORua3+AevBggdEWFvkWbg9v10oDqGTqcwmi3XXq70IbRtpwLI39C+LH1LQEZ8CWlPR/kSVPUI2LyGs/IPs+rGg5H9vR3dzzWng+T1wMBIDV25tihrnuGS40MFX1h0aiOWn3Wj5pwo6ji5dKlSWHZnnSH5lzMNIoMFc+V9Gk6uOW01LLN9Ixf1tfLmo0Iz39NU5enNGcTKa9HxCy4MRirFnNNbxnV3DROcGmLut4wUXQwbFOHQl4uy2VhBQvnag4JoyggHBT2pji/wOh9naJniVFD9M+CK5+r/fuzKa6jPcqrPu15jrUTXedluOb8MOjOIexzBhaiESmBT/xCc7vx4dT71/93LTAY3HsrXHDFdlbK7o0H7vUHL+8ZRadTnncW8COz4iimxrYi92nnKvoHwsVENr0r6h+IbMzwD1wYplLlEn+w7Gvwh0ZASYqBGtwVreuoirMrLGvl5H3oe0eqNl3QleQdBUEYRK2UsWDlMH/WLZxvNAHHul20G84WQ5XAh7HwyysVqZniFTNMrcaqw0EiDLtYJejY/0LcYEhk90MNy1xus3qUN5VqQVXBiqvdBKVGPZpCkrXLSot+csp6reTnYUPQ0bfH2VF2lB0PlZYG5cksr3aXNnEGZXGw5DLgDjpp1DHn/ALrAbsrgDp5joZ5dRkoab14qfqXBfMFJUbKcp/OhNSG50Q7aTLuvJlScSkXXSvEO0aVwBxnaoL7YsbNvJmA48JuMdSlPwgLuc+LfV2zfHAnvjk6nf/4j/rDyQ//+P775+//cvBqfq7+7eLX/OTf//W3wz98s401fAdNmzYaV9HyCNcHeH1g7SfSKsSePw4UzBm7HkjwtavkGHfI8s999ZwRGXsR1/2EpM0V0U01uKDPXrwauHLv0xFq41o46HdeDff9wHq0vwysSPhx45ocn6R2mE6IrQ8qTp9umfkjArR+snzNck5Lz1NHIVsUkyZaYdhl7YZGuAUzLDcjDxlex8T6zbD2vT7nbpGoxqCXub14S0neaCOrkPKDcKAzMmR1uHl1MvylmPIZVLA1kqhG3GKeWk6NHSgqcurTjqZcsQUtSz2yN7tqNK6LQeo5qBXMB4D4NBV/V0XXoGZCS6VHZMEmycgReIi4KKXWZAioXa+zi/du7s4c5rc4tofRslxjDnOyEYKFKA4qliNcSpyVDvurfSED3GPdXvprlrJbUIC8d9boXxvWIEjy9tM7yD2TAkjBXxGuzFDatsLRSKjpAwURCwZl4N3soRHkVu1cuvzny/Ub7EXPf8F2kYFKeoN/yey21Vj0NNYHwyGwQBwiaS09gMb9Wvusyy1p8ej42NsSqYrTcseWwYAGjuZiufrI7CyXaZ62iQ/b44vobiofzJTLebMs0t9p3uLYQlvWTGd9t2ECbOxVAjUekbFnw/bvvNDwn1q7muOfl/AXWZb4MjJz+7eWIQ97Hz3Yx+yhx+yhx+yhx+yhbSf2mD30mD30mD30mD30mD30mD30EIv4mD30mD30mD101+whqWZUOIeo+9BrbP1ftg+Ui8H665gJxfM5Lh/Y7Va1XKtqKpb20sWFCYBjTboT35alLWfnrKyhrCtVioqZb/BiXEuhqDsMFRikCOFnrn+kCwkN48aTuUuU8S4D6OJd6orxf89aZPGaZSnFdRpfr7AMbE9r97UG9C0BK60AQxaAQf2/p/0P6P63oKABjf9hqegBNP2Vev6DHYP1+v1tpreNbr9Cs38AtPs6/e1xv5U+v1Kbv89k+nr8ulncT4d/yFSxtbr7bTZieyW3p7XfB+u1+vpt8N9KV48CyKCToMMSWfdF8vAureFXMuzQoTpb8SUV7S0PLbsg6MZ71JJOcRD/Hjpe8+Ig4UQu5CdOa8B7xbfkzGpejImcGiaINnSpfdyYb0yNPeatMh3FJOWy5mhSgBqYpZzQMmpv6FGOBLbb3Adb1+bbPq7gIqxPytVd9zs9/7KCjUenZ5rEnClovUGsOMygRNxM0crJ6YpoXvGSDodRDU6kHlzQB0js9bOoKdQW5EN9J6ia3SaT706rSNWsqTq99eyf93RplRyUjZFcayUNyw249bnhN2zYsxgt6X/saT3fG5G9/dL+vxV07H9917cXe//ZnzT7zPIGOiPtaupnE+igwTAZx51DzwTa4QdndNBodTDh4mCQWoD77XrHYJCBwFg7A/hthDleeBCMb75DdZgjxuC+pgLDtOOORakHKyp8SCiZKLnQ4Ef1qXIOGb+GCzYhNXT08Z03rWgtBnuqQGPBIrvP6WrT3o9PtvYRQjul8zcP34invYePD49e7B8+3z9+9unw1enh89NnJ9mr58/+fcvr+JNrzZSQpWvPM4D2QqprLmZXGNs12Dn9LtLEwVxW7ICWcf+CjWg7XEjAxVtew5WdiA7Oup6KDh+Th9uKDm1XOIYNuH1h7ynNecmNFQFqfiOBcKmSjSjszc8ZdlDAdsIeHPjQ4Tfd7a/iMgk0Y9D4u6JiaVWinIVwHPIpHjTAxIaP4ONHRbgaEcjxC4HYeIi4kwB0LQVI8S5tshVtx27Zssj7fgY9dxUzLG5d2gbFMD2KElInjDSiYApU0RD4pEYuAHYUR7+OSF5y6MjjX7LijI/6iyOMM3KOjXfctGhZQuiskS3KvB6PUDCjICkJty6wKNSlp5xfEKP4DadluRwRIUlFjYGMSYiEMDAAVdA8cxni++NBTmk2yfKsGN+lPvtAaNLKA7RteNJZGfK97ZIA+UhfHDZK/o4CY3oRkZd3iId0Hw2kpToKgzq2UVx7LoVwCQXA/DEiTbEZVQWG9GnovDKK3sS0mAkP0aVWnsVktlyqQmPXvE+vL0KrIOxL7DFDdHLG7b/dKnHBoT3h5V8+uIjWJzr0tbCg2uERPNbkDfl33TFc8fdy2Z98J2tCaN/6HdiAC0UkNDeNN7FiBzimKrIXIO1hF4Gpi+vxI4sOstpX4Iafncri7cED6bu+Km+OjEt3gMe4u+62lwloCm3WEfM2OJJD4OgvjchbPQiPuftuCEy7hEKaCJilE9yifTSo93o1v0bQBx7xtCUHqmy0sLy7osLw3OdPeLfrZ2wLMWpbe1sFb9qU9oUbbqfHf2ORFViQnCnQH9tkMc+eVIA+pWWpQ0vInBo2k2qJ/MllWGvDy5IwAU2q4bUVOQJ2gaYcdA5a10rWikM76TswIMeydyVGYoAY9vzD7Qh3BKbfez5RTfiskY0ul0izrj0i74Sz6KBzQUgaeLxHhPqy9MDXGyhoLy2NZIT8pV1frOGewjPS5fQpumiTSJDWx5l7MPZO9a4MIuwF0ebHFw0G6aIGM7YXkEVpnCF6Y3vX2dsKCh64Fg0JSGgKa0WKIfP57qNYffRo8tprvMM7XglyfnFzYh+cX9y8aDd1AO9bJALfQqGVyqzE+suHHq9EATd+F1g4lokDZH+nXJk2q+rVyXZo/xGSZ6D3TZsQ62JKUa/Dq2GIkO6TydJiuqXyduEyW+6E6mM40WM4UX9Wj+FEj+FE2y7iYzjRYzjRYzjRXcOJXCmOvkmjfbh9YIev69HVn038m1QQ3GPvzbbzGsYY0dgbV5YQubEqUGjKReGKynlfIhTnQYuVv+MjOx8Ob7/o5D3ds0ngg3XYioJyfLHGRgi07gDyg122C69VYcOtMnRZXSIV+m/x9YpeM20Vp1pqzVNnDoHKcelqRomxuHMiKuY4jFbo0eXNjopBGI7iTOTgn9C6YRqtGxaeYoWdiGv6B3p+AtCKcS4WzHfS5oVv/R0yMkXR7j9aBLiYQcNR10zwqyEZt3j2kj1nkyk7pOxFfvLty+Niwr6dHh69PKFHL569nExeHZ+8nA6UbrpXpmLrlGAl1YbnaG7dd7PZ0iMRCz2evtvENXd+VuSuxTwtfAzZbK7BH3TxBcNvqJlVyoUG7raQCTi/xK2SB43u/IlTLSH7Vpf2d9cMLCVA5Moi8X1h0KDrljf2RCewzVvy+VmJtQkdqpYUCq6N4pPGgvClkJA+VAO23qCmz6U2mph0au1xQPukt9P5CWOJETetAc+3qzgHxWzklLyNdzteepiOSzr3MRaoNzXadBLV0E34nVTkj4wa3QfDtV2tgk1pUxqodVEHj09YP0ua4wSu82hMiZDEwwndCh+6ydyKE3AbX1yUu3lr6oePvc/FFRTAbqwDV0rCBO29JTtk64e3UNdwQwDWySJPMU0JZNTZrVBzKxlhnCzgeNiDanaSQvvadWCEATp7cZtgsFvTzLPsONu2ld6ffahdSiqx1LGJXlruB2Ws5LUVLamLTGYGm0angkcb4TcldIhYBtaH1XNWMUXLHVbVeevH6IkbraxAnvAp3MzsM9emk5vXyh1tL1hwA2hCcyW1JoqBV9xVnAskzIsxKSR0vx2u8/+KnkyfHx5OOwIqGPY78mn8bDvxFD/ZxrMT2vdTZ0c7SOqwdkFt78mJ/RLOnXN7CfQLeiGcR+XRC/H79UJgaaD/bV6ILtZ/By/EKhR26IXA4/R/wguBU3Gm/bgU1e/UFXELfB/9EY/+iP6sHv0Rj/6IbRfx0R/x6I949Efcxh+R6HuNKlNl76eP79ardj99fOdv2FrJG14wrO9al8ww+ysmDhKdW9V35KJroXIsNfM76GCrO/Y8VJIu9oFhRdtKp1FQ2dYHOJt5qqZ1NuiDNC4ujouBCpCjuOBZAQtYYV4Jxc41dtESgBDjS0HTojlEvpdy5qjNfs61y7f6pdGmDST0RT5xoftWhNB7JsSFh08DaAr+igXVAeFR2N2uVLTKtJCub9x7whnPslyenpw8O0Aj2j//+ofEqPa1kbUFv+LnHaSgrlMDp2GPUCfnlVXZ3PpBJGWj0eQ8QrbSKrwhjT6BOG5UmVmY45HdaIjYNcn2KJZLoY1qwEYmFfGbhKSYnvCELAc2407LP2DVhOO8M0MIQO80txuFFgV7MIm9gWN3iqmIp2PfUqmmkeoLUFevyvYK6cPM8o0zw6yaZbpF3emeC8xosqRmT7nnIy7cWjo9xNVthQYCGIteLttc7tQ46uxC6OIA5wn0v3CknFQ2B5qeydDny9ls+mpPWOJ0NttaPlYnGQjDZolvZksDSG+dT06eDfcNPXk2pFGb+a7o4QLaYK2iBnc89wbUZsj22BVW9kDBAI4hBUEG8MRfMAe6i3sCJsyjw166ZA3n95/h/LLPUHc5aggQjwah60j2vg1cAkhICwcoN5QKjeYBn4ffKIw5aUx4K8XedBYBbfNtr7CqNi1eMAV8I/XxIYSO4yvxtJIJMwvmugaYhcTTPVSbQNFZtcOWtfbERH4bEICmxuVxjL8eR4RpZD24iV8PMmGP+MCcGs3ULnOkf3LwO3Q6aDfTugP3gU86wh/GJF6PjjSub5nrZDcCYgm6rpfhmi/wKkqu0N+c3dCIxIwkreib+T6joZci+KxAq40t3/YJZ5ho0t42MNCcauzTYOZUoDW/GLVahIByREsvSQMvAFcgkdMWp/mWlWmMajYVpsEw6eRRZK5MnvfK1QyUtEl9Z3/vMKcfOx6Jphv2FMzzdm8GzsTDhNzQcsKSe36dFDi317avUlDKWSssrcDRitFdG9M90n3PAFnyFlq1JXLgBi7zjUYtwRWfmRJ6Q3mJ+fM9pFlF+e60WXvQYAQvuw1gMKd6Z0KNC6/zB36ehrnFbAhd+PAiVBqTYllB9yr7SueC+UmzaVPalR0DKUDJEeX+AcFJIZAHmkEAldMyZXudjk05FfayclfzkHeiY7v3/onO49sX6MbYl8ilPaCQwzsueAqCuhx3dhJ4Xwm8k+9hBRdaTxXrKGPD7Mnaqmi4Lj5sDZI+D3yprWwY7Z7FcYeIx24GQHXg/k5LmLW3OImf3+4uR5CeXNo4EKsMuuo8viiFlyvst0u0EQVwei4Xrqvzgk1C9AmESUWF97FSAVVWWm0C4qHqUbyIvxPznUP2Jo08alduUNnbey9/42VJD55nh+QJv5hLwf6JvL74ieDfyY+X5Oj46gjbNfqCak/JWV2X7Gc2+RM3By8On2dH2dFz8uRPP3x6/26E737P8mv51AdCHRwdZ4fkvZzwkh0cPX97dPKKXNIpVfzgxSFU19ry4r3LfYYDbbeOMXG3+36LVhkPs51/7u9iF5PEU50dDlhxWIjOfJh1RJK4/To6RAYOxWMLiMcWENGqPbaAeGwB8dgCYuUG/f+uBcTXoUWm1VDiFmdfk08/vvnxdKjPpTOzHrBcH2DWz8HRy1eJhIo3aaf119ASrJhTt7GXu5m/2refn5IJo5Ztuwvtj/ivAVCvnf0W+oJKAd8FdchrzqAUlq6Qimvs9FXazy3E7jFqMsMr9lt7TeOsaMlDmltNzfzU6Uqdlys+UxQxBLtRAh1HTMDKyS8s9zcU/uPqFssY5g/ije9eCJP2ocoJBkyp0CStfxeuGOSt/agjBUD5nKLgrj6RlQkgeNolzMA4IU56Vee8TibKXcLiAbUofyPZyB5p9jfRUnD83tr9A6CDNN8HPHhAutAdteelbIqW3F/bf3prJqSd0IIaOnwC3rtfUeXKk0+13aI2B4sWxRW8cOVB+kJyUsUHIpkzfJDVSlrSbOsLBp7mftn/vJ6GYmHWfWLp5XspZyXDGQeOdWYXE9MWyyI+NCHgmBmaBcRgqht2Y/DltXsdjeHTxtr0jvXDhNTF8P6tR9qCwDpjbUvD0Wguk+8qOobrB3MfZNEH247lmDEvuVlebcFc13+17aiO0rbduB6VbzsOxtVtNUby6gp+UMj8GqjUMYQ3/t8Dhwt/g1Subj6U+80ebT2Xylzh/dCqW1Tkc6n8ePuBGay4HANaZK3hxh/5OHqXcgG21h63j5cpWqrhTwa3Y8VQFZ3175aNo9mvuur+LUbtfLndoHcfrqQTVupWlPtBLoiRpKK15bOa/XMPl0TcIOtFDrIhnsmuFUEUMk+5Tg93dPsD/msAyLmVFyJqdWZb+7lPMM4iArXPh8iT/Nf/+JGvm4mVhzFvwo3/p/jZABbt7+GSTW/MFiiJR19/mtqPNp6oBOnbnapaFsPkdqtNjFaglgUaBwaHagbO7l1HupAF+en8zbC9Utc0f7hJtRD7g8mid9TvOZhX7/uD4THZfBy3G8id+4oOhNeBKwpLND7UcBHI4TE3MMC7rmcAu2JRN3H7+4+LcB2HaTsz9LoyDMD15cUDYwly7BAj6HR92JoLsM/b3je+ZPRgPfgVcsiCi1LO2gnv/YwmH/IWNOl3chZaTlXcuGoPP8NHVlXaG14ZF/0RXEQ9oF3l/GvymoqCF1DOQUJpUyPJ29eXqWoL6niU1jBEBIr92nDFitTkvMZtBiY7vJ64jntXkCcebzQrnL952tW1AaGO10reMLVQ3LAkrmQNAoouyL+9f9cp8upVKdcofwL06qQ+hxeW/wiwQkwwJL23thELq2NZ0kQ3dS2V8SZMB7E1CITtP7s4J0/e81xJLacmbOWfubZXKVS2XjD1NOuEjQvZciEXn1MktS9EQapGg0udCYsn/Owr5Y/dN1efKxef00bLgRksGEJwreo2SgC6kPEbXjTUG4RKGdv/7JpvWm8O9pZpUyJlKNlMSqbnEsqhB0h1o2qpmStR7CvpQiQbngDF7CJ3T42P8oP2bCoyMvo8yAiQRRQCAelMSA2a9aRkVdfqE87xMHNZVe26LD2mIdXR4dDnA3GS+Zwp1jX99DhXx/bTHswk3GqjeypsIZAilAfx4ZHQmsAVw5YKC1KF+km+Sny3o/vegguAWcrZXpBL+/O1o0lF9vy7My7a9xOI4Rv7iv1uIOKx9w7kTRRM85lw4rFHwVVFPT48fJaAiV45Pjw87B9qiMtODugoImk3hQQkF1NFMXugUQxQUswjlZEfO+Ag1IpCuSc/dgLO4TFas6J4sIosPg4uOQlTlhKABTMsN9qVI4P9l5BDYdfL7r6dfZjeUPgSzQ2/4WZ5tZV0O3x5bCDSM9eSqFz2A+d8USz3b4yLds0+Am5AtwlIV0U+BPTUzaTkeu46NOJNFQ0Cr8TJDF0PYBhpSMSq6sYw1Q2N27xEtzvGIsm7xTFxglgmHbKqo6P885wJ0mi7wd3LKawQcd0UXOIUR20A2CtGTuN1OU4ttUOFeADclbPBpktwW4X6TjQUGN1+YMTQYaObjNW4mvoQ/q75DQOCSEBBnBtMZZzFld5yWptGtQcGbhkpvHfJ6r9cpl53I4fYSU0VrZhhCpLOxu3SjWEcu6AFGcNbR+M0VB6fHo8xyU9LIsWITFhO7ZluGX00AhRxEQizkxzFqCot9YcJyGmQjFbt8C25wF1uqvZc4n0E11BUsStcsW09mzZwuo+3Q6+v6j0g5fkxXMkcvFzzkmrNp8tQ6GCIecypSD2oO2UbOFpaodLlwKnC3V60cIfGr3t6h4oADQwHrY7i6NheI2Nvt7JioS/3FsubAyuBOOyWvtw8z9+ksqo9MbEANOUKMj1xUZRV20T3WPs9hY/bJcTEZHKE5xM7hLieJHi24feOW1yzXxsMoS2XPnOmA1Axms/d7VfRz7xqKrc/T47/9uz4bwk8L5L1RSaL1PHfXpz8bb3Y9rSfnyPYZ9PBacHL0krhh4O7CWU+rn6P0oPHyW5jv+5RLoVRsoTDAL1ZpkxhN7rM0RAWMHESBubqQV8hyNMw886BiaUM7dLax9GyjGN+NxC8VneqEDw478IRgmYSZ2Bn5BPV10jK+Jal4U5yfKesZFSilbVlXxxUWmNVKtA1kQkxV/TKVdmi6epZmXswXNz7Ka9m25ldvwxpBYc0/IjI947SqrsgavHZm1CnetCdN9uNccVDdpTrlON0po+NgEZwF0n3tMGF37G4O3C5R4yaPOmSk1RR/UNqBqgoYqtD/XwN1de7PGcW/u/7lKE1zzUlwmGdk6d/kzyRgtSKpeJtKil0teun9p501ymKcF4yX3MYhpo2bnUkehCDVP93VlDI/RWUSGNYkemZtYzqXjTdRrfvH+0/3z8+2n/2/OTo5Nnht8ev9o8Pnx+9PDo6PjrcP3r27dGzVyfPXny7f3R4eLT9knj60SxvoFpMxGGfXJ6/CR3YaA4lhAjVWuZYN7m3MEBRnr0mv5xPO+ZDIa04o2V5gwfj8vwNiHUuPhUudJBq26SnUV9LbKsp2tOLj7CerbMKehlJOuN/kJZ7WUTEq5oF17m0vDhCuMUWQtbP3+gRUeyGs4VjANDjMZVj0HanUcpx9Xmc8dOVRFlFO73CDA9+EFwtBOPxWrG50YZiHnnFQPKU01Wobxkud3cm7iozb0Z4qyLB97ncP0WB004ijy/Lb1z/Re70LRczxnQQ/aPIMefM8pba1p31tnPvbggxbaPsKEl9P5GOtcK/t0WIFRrpM1r7NJu1wUd93WMT3N4Ha+EPGf42jDD0ydoxOkaXDeA7b6+F3DGLbIDceXst5FLObrMkiQVkQzQZuBWv+hG6A5HH9p3MfbENcGd/wJO0Hepdk8UG+Ks04o2jrPpw7XiJ4rhhiOTdtVCH1K4NwIc+2TSG01G2HqCjN60Fj4rFLSh0SONZO0KkSWwAHb25HiJIwbdeka7wvHaMYbFx1Uh+qOGvNg+UyBgbptP/YDP87W+T7utrYadX+AbI6ctr4X6uyk0MbShUogvz/wsAAP//zv2IoA==" } diff --git a/winlogbeat/tests/system/test_eventlogging.py b/winlogbeat/tests/system/test_eventlogging.py index 2cc635bdc4e..455d154ecc0 100644 --- a/winlogbeat/tests/system/test_eventlogging.py +++ b/winlogbeat/tests/system/test_eventlogging.py @@ -61,7 +61,7 @@ def test_read_unknown_event_id(self): evts = self.read_events() self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], eventID=event_id) - self.assertEqual(evts[0]["message_error"].lower(), + self.assertEqual(evts[0]["error.message"].lower(), ("The system cannot find message text for message " "number 1111 in the message file for " "C:\\Windows\\system32\\EventCreate.exe.").lower()) @@ -88,7 +88,7 @@ def test_fields_under_root(self): self.write_event_log(msg) evts = self.read_events(config={ "tags": ["global"], - "fields": {"global": "field", "env": "prod", "level": "overwrite"}, + "fields": {"global": "field", "env": "prod", "log.level": "overwrite"}, "fields_under_root": True, "event_logs": [ { @@ -126,6 +126,7 @@ def test_fields_not_under_root(self): }) self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ + "log.level": "information", "fields.global": "field", "fields.env": "dev", "fields.level": "overwrite", @@ -151,7 +152,8 @@ def test_ignore_older(self): ] }, expected_events=1) self.assertTrue(len(evts), 1) - self.assertEqual(evts[0]["event_id"], 10) + self.assertEqual(evts[0]["winlog.event_id"], 10) + self.assertEqual(evts[0]["event.code"], 10) def test_unknown_eventlog_config(self): """ diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index fc71c9d1693..df649fd1453 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -30,8 +30,8 @@ def test_read_one_event(self): evts = self.read_events() self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ - "keywords": ["Classic"], - "opcode": "Info", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", }) def test_resume_reading_events(self): @@ -43,8 +43,8 @@ def test_resume_reading_events(self): evts = self.read_events() self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ - "keywords": ["Classic"], - "opcode": "Info", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", }) # remove the output file, otherwise there is a race condition @@ -57,8 +57,8 @@ def test_resume_reading_events(self): evts = self.read_events() self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ - "keywords": ["Classic"], - "opcode": "Info", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", }) def test_read_unknown_event_id(self): @@ -71,11 +71,11 @@ def test_read_unknown_event_id(self): evts = self.read_events() self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], eventID=event_id, extra={ - "keywords": ["Classic"], - "opcode": "Info", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", }) # Oddly, no rendering error is being given. - self.assertTrue("message_error" not in evts[0]) + self.assertTrue("error.message" not in evts[0]) def test_read_unknown_sid(self): """ @@ -90,8 +90,8 @@ def test_read_unknown_sid(self): evts = self.read_events() self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, sid=accountIdentifier, extra={ - "keywords": ["Classic"], - "opcode": "Info", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", }) def test_fields_under_root(self): @@ -102,7 +102,7 @@ def test_fields_under_root(self): self.write_event_log(msg) evts = self.read_events(config={ "tags": ["global"], - "fields": {"global": "field", "env": "prod", "level": "overwrite"}, + "fields": {"global": "field", "env": "prod", "log.level": "overwrite"}, "fields_under_root": True, "event_logs": [ { @@ -116,8 +116,8 @@ def test_fields_under_root(self): }) self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, level="overwrite", extra={ - "keywords": ["Classic"], - "opcode": "Info", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", "global": "field", "env": "dev", "local": "field", @@ -142,8 +142,9 @@ def test_fields_not_under_root(self): }) self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ - "keywords": ["Classic"], - "opcode": "Info", + "log.level": "information", + "winlog.keywords": ["Classic"], + "winlog.opcode": "Info", "fields.global": "field", "fields.env": "dev", "fields.level": "overwrite", @@ -169,9 +170,10 @@ def test_include_xml(self): }) self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg) - self.assertTrue("xml" in evts[0]) - self.assertTrue(evts[0]["xml"].endswith(''), - 'xml value: "{}"'.format(evts[0]["xml"])) + self.assertTrue("event.original" in evts[0]) + original = evts[0]["event.original"] + self.assertTrue(original.endswith(''), + 'xml value should end with : "{}"'.format(original)) def test_query_event_id(self): """ @@ -195,10 +197,10 @@ def test_query_event_id(self): ] }, expected_events=4) self.assertTrue(len(evts), 4) - self.assertEqual(evts[0]["event_id"], 50) - self.assertEqual(evts[1]["event_id"], 100) - self.assertEqual(evts[2]["event_id"], 175) - self.assertEqual(evts[3]["event_id"], 200) + self.assertEqual(evts[0]["winlog.event_id"], 50) + self.assertEqual(evts[1]["winlog.event_id"], 100) + self.assertEqual(evts[2]["winlog.event_id"], 175) + self.assertEqual(evts[3]["winlog.event_id"], 200) def test_query_level_single(self): """ @@ -220,7 +222,7 @@ def test_query_level_single(self): ] }) self.assertTrue(len(evts), 1) - self.assertEqual(evts[0]["level"], "Warning") + self.assertEqual(evts[0]["log.level"], "warning") def test_query_level_multiple(self): """ @@ -244,8 +246,8 @@ def test_query_level_multiple(self): ] }, expected_events=2) self.assertTrue(len(evts), 2) - self.assertEqual(evts[0]["level"], "Error") - self.assertEqual(evts[1]["level"], "Warning") + self.assertEqual(evts[0]["log.level"], "error") + self.assertEqual(evts[1]["log.level"], "warning") def test_query_ignore_older(self): """ @@ -264,11 +266,12 @@ def test_query_ignore_older(self): ] }) self.assertTrue(len(evts), 1) - self.assertEqual(evts[0]["event_id"], 10) + self.assertEqual(evts[0]["winlog.event_id"], 10) + self.assertEqual(evts[0]["event.code"], 10) def test_query_provider(self): """ - wineventlog - Query by provider (event source) + wineventlog - Query by provider name (event source) """ self.write_event_log("selected", source=self.otherAppName) self.write_event_log("filtered") @@ -282,7 +285,7 @@ def test_query_provider(self): ] }) self.assertTrue(len(evts), 1) - self.assertEqual(evts[0]["source_name"], self.otherAppName) + self.assertEqual(evts[0]["winlog.provider_name"], self.otherAppName) def test_query_multi_param(self): """ diff --git a/winlogbeat/tests/system/winlogbeat.py b/winlogbeat/tests/system/winlogbeat.py index 3c278e6399e..abf31a7ec59 100644 --- a/winlogbeat/tests/system/winlogbeat.py +++ b/winlogbeat/tests/system/winlogbeat.py @@ -128,34 +128,35 @@ def read_registry(self, requireBookmark=False): return event_logs def assert_common_fields(self, evt, msg=None, eventID=10, sid=None, - level="Information", extra=None): + level="information", extra=None): - assert host_name(evt["computer_name"]).lower() == host_name(platform.node()).lower() - assert "record_number" in evt + assert host_name(evt["winlog.computer_name"]).lower() == host_name(platform.node()).lower() + assert "winlog.record_id" in evt self.assertDictContainsSubset({ - "event_id": eventID, - "level": level, - "log_name": self.providerName, - "source_name": self.applicationName, - "type": self.api, + "winlog.event_id": eventID, + "event.code": eventID, + "log.level": level.lower(), + "winlog.channel": self.providerName, + "winlog.provider_name": self.applicationName, + "winlog.api": self.api, }, evt) if msg == None: assert "message" not in evt else: self.assertEquals(evt["message"], msg) - self.assertDictContainsSubset({"event_data.param1": msg}, evt) + self.assertDictContainsSubset({"winlog.event_data.param1": msg}, evt) if sid == None: - self.assertEquals(evt["user.identifier"], self.get_sid_string()) - self.assertEquals(evt["user.name"].lower(), + self.assertEquals(evt["winlog.user.identifier"], self.get_sid_string()) + self.assertEquals(evt["winlog.user.name"].lower(), win32api.GetUserName().lower()) - self.assertEquals(evt["user.type"], "User") - assert "user.domain" in evt + self.assertEquals(evt["winlog.user.type"], "User") + assert "winlog.user.domain" in evt else: - self.assertEquals(evt["user.identifier"], sid) - assert "user.name" not in evt - assert "user.type" not in evt + self.assertEquals(evt["winlog.user.identifier"], sid) + assert "winlog.user.name" not in evt + assert "winlog.user.type" not in evt if extra != None: self.assertDictContainsSubset(extra, evt)