Appendix C. filter.txt used in Chapter 10
appevent.log,Application Event,logip,loghost,loguser,logdate,logtime,line
sysevent.log,System Event,logip,loghost,loguser,logdate,logtime,line
secevent.log,Security Event,logip,loghost,loguser,logdate,logtime,line
alert.ids,Snort,line
snortlite.log,SnortLite,logip,loghost,loguser,logdate,logtime,label,classification,date,time,priority,source,destination,protocol,reference
services.log,Running Services,logip,loghost,loguser,logdate,logtime,message,display,name,state,account,servfilename,startup
shares.log,Open Shares,logip,loghost,loguser,logdate,logtime,message,share,usergroup,rights,path,remark
startup.log,Startup config,logip,loghost,loguser,logdate,logtime,message,location,item
adsscan.log,ADS Scanner,logip,loghost,loguser,logdate,logtime,ads,size
integrity.log,Integrity checker,logip,loghost,loguser,logdate,logtime,message
user.log,Rogue Users,logip,loghost,loguser,logdate,logtime,message,username,script,fullname
processes.log,Running Processes,logip,loghost,loguser,logdate,logtime,message,exename,exepath,username
task.log,Scheduled Tasks,logip,loghost,loguser,logdate,logtime,message,jobid,schdays,schtime,command,flags
*.clg,ComLog,logip,loghost,loguser,logdate,logtime,line
ZAlog.txt,ZoneAlarm,logip,loghost,loguser,logdate,logtime,type,date,time,source,dest,transport
antivirus.log,Antivirus,logip,loghost,loguser,logdate,logtime,date,time,message,username,infectedfile,virusname
* Note that filters for appevent.log, sysevent.log and secevent.log are valid only for LogIDS Pro. Also note that snortlite.log is obtained from LogAgent 5.0 Pro monitoring Snort's alert.ids file.
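The listing above is the whole of filter.txt: each line names a log file (or a glob such as *.clg), a display name, and then the field names LogIDS assigns to that file's records. The following loader is an added example written for this appendix, not code from LogIDS or the book; it embeds the lines above, resolves a filename to its filter, and maps one record onto the named fields. Its assumptions, beyond what the listing shows, are that records are comma-delimited in the listed order and that a trailing free-text field (such as `line`) keeps any commas it contains.

```python
"""Load a LogIDS-style filter.txt and map log records onto its field names.
Added example for Appendix C; not the LogIDS code. Assumes comma-delimited
records in the listed field order (constructed sample records below)."""
from fnmatch import fnmatch

# The filter definitions exactly as printed in Appendix C, embedded so the
# example runs offline.
FILTER_TXT = """\
appevent.log,Application Event,logip,loghost,loguser,logdate,logtime,line
sysevent.log,System Event,logip,loghost,loguser,logdate,logtime,line
secevent.log,Security Event,logip,loghost,loguser,logdate,logtime,line
alert.ids,Snort,line
snortlite.log,SnortLite,logip,loghost,loguser,logdate,logtime,label,classification,date,time,priority,source,destination,protocol,reference
services.log,Running Services,logip,loghost,loguser,logdate,logtime,message,display,name,state,account,servfilename,startup
shares.log,Open Shares,logip,loghost,loguser,logdate,logtime,message,share,usergroup,rights,path,remark
startup.log,Startup config,logip,loghost,loguser,logdate,logtime,message,location,item
adsscan.log,ADS Scanner,logip,loghost,loguser,logdate,logtime,ads,size
integrity.log,Integrity checker,logip,loghost,loguser,logdate,logtime,message
user.log,Rogue Users,logip,loghost,loguser,logdate,logtime,message,username,script,fullname
processes.log,Running Processes,logip,loghost,loguser,logdate,logtime,message,exename,exepath,username
task.log,Scheduled Tasks,logip,loghost,loguser,logdate,logtime,message,jobid,schdays,schtime,command,flags
*.clg,ComLog,logip,loghost,loguser,logdate,logtime,line
ZAlog.txt,ZoneAlarm,logip,loghost,loguser,logdate,logtime,type,date,time,source,dest,transport
antivirus.log,Antivirus,logip,loghost,loguser,logdate,logtime,date,time,message,username,infectedfile,virusname
* Note that filters for appevent.log, sysevent.log and secevent.log are valid only for LogIDS Pro.
"""

# Constructed sample records (not real log data).
SAMPLE_SERVICES = ("10.0.0.5,WS01,alice,2004-03-01,08:15:00,Service found,"
                   "Telnet,TlntSvr,Running,LocalSystem,tlntsvr.exe,Auto")
SAMPLE_SNORT = "[**] constructed alert text, with commas, kept whole [**]"


def parse_filters(text):
    """Return a list of (pattern, description, field_names) tuples.

    Layout taken from the listing: column 1 is a filename (glob allowed),
    column 2 a display name, every further column a field name.
    Lines starting with '* ' are footnotes, not filters ('*.clg' is kept)."""
    filters = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("* "):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3:
            raise ValueError(f"malformed filter line: {raw!r}")
        filters.append((parts[0], parts[1], parts[2:]))
    return filters


def find_filter(filters, filename):
    """First filter whose pattern matches filename, case-insensitively.
    Returns None when no filter applies, so callers can drop or flag
    unexpected files instead of guessing a layout."""
    for pattern, desc, fields in filters:
        if fnmatch(filename.lower(), pattern.lower()):
            return pattern, desc, fields
    return None


def parse_record(filters, filename, record, sep=","):
    """Map one record onto the field names of the matching filter.

    Assumption: records are sep-delimited in field order. The split is
    limited to len(fields) - 1 so the last field absorbs any remaining
    separators (a single 'line' field therefore keeps the whole record).
    Missing trailing fields become None rather than raising."""
    match = find_filter(filters, filename)
    if match is None:
        raise KeyError(f"no filter defined for {filename}")
    _, _, fields = match
    values = record.rstrip("\r\n").split(sep, len(fields) - 1)
    values += [None] * (len(fields) - len(values))
    return dict(zip(fields, values))


if __name__ == "__main__":
    filters = parse_filters(FILTER_TXT)
    print(parse_record(filters, "services.log", SAMPLE_SERVICES))
    print(parse_record(filters, "alert.ids", SAMPLE_SNORT))
```

Because `find_filter` returns None for files the table does not cover, a collector can treat an unlisted file as a configuration error rather than silently parsing it with the wrong field names; the limited split is what lets the single-field `line` filters (the event logs, alert.ids, *.clg) carry free text containing commas.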
