Posted to commits@spot.apache.org by na...@apache.org on 2018/01/24 20:15:25 UTC

[1/4] incubator-spot git commit: Simple data generator

Repository: incubator-spot
Updated Branches:
  refs/heads/SPOT-181_ODM d20c5bf2a -> b7a015c96


Simple data generator


Project: http://git-wip-us.apache.org/repos/asf/incubator-spot/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-spot/commit/a7bdbc42
Tree: http://git-wip-us.apache.org/repos/asf/incubator-spot/tree/a7bdbc42
Diff: http://git-wip-us.apache.org/repos/asf/incubator-spot/diff/a7bdbc42

Branch: refs/heads/SPOT-181_ODM
Commit: a7bdbc42cbc3db4a9e2d9686c8e8e554797fea2c
Parents: 5f25155
Author: Vladimir <Vl...@sstech.us>
Authored: Wed Jun 28 14:00:08 2017 +0300
Committer: Vladimir <Vl...@sstech.us>
Committed: Wed Jun 28 14:00:08 2017 +0300

----------------------------------------------------------------------
 spot-gen/README.txt                             |   5 +
 spot-gen/conf/asa.yaml                          |  33 +++
 spot-gen/conf/asa/asa.sample                    |  13 ++
 .../conf/asa/not-supported-by-parser.sample     |  40 ++++
 spot-gen/conf/common/files.txt                  |   2 +
 spot-gen/conf/common/hosts.txt                  |   5 +
 spot-gen/conf/common/subjects.txt               |  14 ++
 spot-gen/conf/common/users.txt                  |   5 +
 spot-gen/conf/common/users_info.txt             |   5 +
 spot-gen/conf/common/utils.py                   |  19 ++
 spot-gen/conf/example.yaml                      |  35 ++++
 .../example/__pycache__/utils.cpython-35.pyc    | Bin 0 -> 269 bytes
 spot-gen/conf/example/domains.txt               |   2 +
 spot-gen/conf/example/events1.txt               |   2 +
 spot-gen/conf/example/utils.py                  |   2 +
 spot-gen/conf/unix.yaml                         |  14 ++
 spot-gen/conf/unix/unix_events.sample           |   4 +
 spot-gen/conf/windows_nxlog.yaml                |  42 ++++
 .../conf/windows_nxlog/windows_nxlog.sample     |  25 +++
 spot-gen/datagen.py                             | 210 +++++++++++++++++++
 20 files changed, 477 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/README.txt
----------------------------------------------------------------------
diff --git a/spot-gen/README.txt b/spot-gen/README.txt
new file mode 100644
index 0000000..c8abe3b
--- /dev/null
+++ b/spot-gen/README.txt
@@ -0,0 +1,5 @@
+Simple data generation
+=======================
+Usage: `python3 datagen.py --help`
+Example of config `conf/example.yaml`
+

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/asa.yaml
----------------------------------------------------------------------
diff --git a/spot-gen/conf/asa.yaml b/spot-gen/conf/asa.yaml
new file mode 100644
index 0000000..101e9a8
--- /dev/null
+++ b/spot-gen/conf/asa.yaml
@@ -0,0 +1,33 @@
+---
+timeformat: "%b %d %Y %H:%M:%S"
+linebreak: "\n"
+templates:
+  - { type: 'file', samples: 'asa/asa.sample', period: 60, min: 1, max: 5 }
+replaces:
+  - [ '%FLAGS%', ['ACK', 'RST ACK', 'SYN ACK', 'RST'] ]
+  - [ '%INTERF%', ['Inside-Trunk', 'Outside', 'Outside_VPN'] ]
+  - [ '%USERNAME%', 'common/users.txt' ]
+  - [ '%RUSERNAME%', 'common/users.txt' ]
+  - [ '%PROTO%', ['TCP', 'UDP']]
+  - [ '%proto%', ['tcp', 'udp']]
+  -
+    - '%SEC%'
+    - !!python/name:random.randint
+    - [0, 59]
+  -
+    - '%INT%'
+    - !!python/name:random.randint
+    - [2, 5000]
+  -
+    - '%CONN_NUM%'
+    - !!python/name:random.randint
+    - [200000000, 500000000]
+  -
+    - '%_IP%'
+    - !!python/name:common.utils.get_random_ip
+    - ['10.0.0.0/8']
+  -
+    - '%_PORT%'
+    - !!python/name:random.randint
+    - [1, 65534]
+...

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/asa/asa.sample
----------------------------------------------------------------------
diff --git a/spot-gen/conf/asa/asa.sample b/spot-gen/conf/asa/asa.sample
new file mode 100644
index 0000000..52d58d2
--- /dev/null
+++ b/spot-gen/conf/asa/asa.sample
@@ -0,0 +1,13 @@
+<162>%TS%: %ASA-2-106001: Inbound TCP connection denied from %_IP%/%_PORT% to %_IP%/%_PORT% flags SYN  on interface Inside
+<163>%TS%: %ASA-3-106014: Deny inbound icmp src Inside:%_IP% dst Inside:%_IP% (type 8, code 0)
+<163>%TS%: %ASA-3-313001: Denied ICMP type=3, code=3 from %_IP% on interface Outside
+<164>%TS%: %ASA-4-106023: Deny %proto% src Inside:%_IP%/%_PORT% dst Outside:%_IP%/%_PORT% by access-group "Inside_access_in" [0x962df600, 0x0]
+<164>%TS%: %ASA-4-313005: No matching connection for ICMP error message: icmp src Outside:%_IP% dst identity:%_IP% (type 3, code 3) on Outside interface.  Original IP payload: udp src %_IP%/%_PORT% dst %_IP%/%_PORT%.
+<142>%TS%: %ASA-6-106015: Deny TCP (no connection) from %_IP%/%_PORT% to %_IP%/%_PORT% flags %FLAGS%  on interface %INTERF%
+<166>%TS%: %ASA-6-110002: Failed to locate egress interface for UDP from Inside:%_IP%/%_PORT% to %_IP%/%_PORT%
+<166>%TS%: %ASA-6-302021: Teardown ICMP connection for faddr %_IP%/%_PORT%(LOCAL\user.name) gaddr %_IP%/%_PORT% laddr %_IP%/0
+<166>%TS%: %ASA-6-305011: Built dynamic TCP translation from inside:%_IP%/%_PORT% to outside:%_IP%/%_PORT%
+<166>%TS%: %ASA-6-305012: Teardown dynamic %PROTO% translation from inside:%_IP%/%_PORT% to outside:%_IP%/%_PORT% duration 0:00:%SEC%
+<167>%TS%: %ASA-7-609001: Built local-host inside:%_IP%
+<167>%TS%: %ASA-7-609002: Teardown local-host inside:%_IP% duration 0:00:00
+<167>%TS%: %ASA-7-710005: UDP request discarded from %_IP%/%_PORT% to outside:%_IP%/%_PORT%
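Review bot: Every `%_IP%` here, including the ones labelled `Outside:`/`outside:`, is filled from the single `10.0.0.0/8` pool defined in asa.yaml, so the generated "Internet-facing" endpoints are all RFC 1918 addresses and inside/outside traffic cannot be told apart by address, which defeats any detection or enrichment keyed on public vs. private space. A second placeholder for external endpoints, e.g. `%_EXT_IP%` bound to `!!python/name:common.utils.get_random_ip` with `['203.0.113.0/24']` (RFC 5737 documentation range, safe to publish in synthetic data), used on the `Outside` side of these templates would make the samples usable for that. This is a template file with no comment syntax, so the note belongs in asa.yaml rather than here.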

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/asa/not-supported-by-parser.sample
----------------------------------------------------------------------
diff --git a/spot-gen/conf/asa/not-supported-by-parser.sample b/spot-gen/conf/asa/not-supported-by-parser.sample
new file mode 100644
index 0000000..5193bb8
--- /dev/null
+++ b/spot-gen/conf/asa/not-supported-by-parser.sample
@@ -0,0 +1,40 @@
+<163>%TS%: %ASA-3-106010: Deny inbound protocol 47 src Outside:%_IP% dst Outside:%_IP%
+<163>%TS%: %ASA-3-713227: IP = %_IP%, Rejecting new IPSec SA negotiation for peer %_IP%. A negotiation was already in progress for local Proxy %_IP%/%_IP%, remote Proxy %_IP%/%_IP%
+<163>%TS%: %ASA-3-713902: Group = %_IP%, IP = %_IP%, Removing peer from correlator table failed, no match!
+<163>%TS%: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= demap.  Map Sequence Number = 1.
+<164>%TS%: %ASA-4-113019: Group = %_IP%, Username = %_IP%, IP = %_IP%, Session disconnected. Session Type: LAN-to-LAN, Duration: 12d 9h:11m:22s, Bytes xmt: %INT%, Bytes rcv: %INT%, Reason: Lost Service
+<164>%TS%: %ASA-4-313004: Denied ICMP type=0, from laddr %_IP% on interface Outside to %_IP%: no matching session
+<164>%TS%: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 500 from %_IP%:%_PORT%
+<164>%TS%: %ASA-4-752010: IKEv2 Doesn't have a proposal specified
+<164>%TS%: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = demap.  Map Sequence Number = 1.
+<165>%TS%: %ASA-5-111010: User 'admin', running 'N/A' from IP %_IP%, executed 'service-object object TCP44720-44722'
+<165>%TS%: %ASA-5-500003: Bad TCP hdr length (hdrlen=4, pktlen=74) from %_IP%/%_PORT% to %_IP%/0, flags: INVALID, on interface Outside
+<165>%TS%: %ASA-5-713050: Group = %_IP%, IP = %_IP%, Connection terminated for peer %_IP%.  Reason: IPSec SA Idle Timeout  Remote Proxy %_IP%, Local Proxy %_IP%
+<165>%TS%: %ASA-5-713202: IP = %_IP%, Duplicate first packet detected.  Ignoring packet.
+<165>%TS%: %ASA-5-713259: Group = %_IP%, IP = %_IP%, Session is being torn down. Reason: Lost Service
+<165>%TS%: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = demap.  Map Sequence Number = 1.
+<165>%TS%: %ASA-5-713904: IP = %_IP%, Received encrypted packet with no matching SA, dropping
+<166>%TS%: %ASA-6-113009: AAA retrieved default group policy (DefaultPolicyCA) for user = %_IP%
+<166>%TS%: %ASA-6-302013: Built inbound TCP connection %CONN_NUM% for outside:%_IP%/%_PORT% (%_IP%/%_PORT%)(LOCAL\user.name) to inside:%_IP%/%_PORT% (%_IP%/%_PORT%) (user.name)
+<174>%TS%: %ASA-6-302013: Built inbound TCP connection %CONN_NUM% for outside:%_IP%/%_PORT% (%_IP%/%_PORT%) to inside:%_IP%/%_PORT% (%_IP%/%_PORT%) (user.name)
+<166>%TS%: %ASA-6-302013: Built outbound TCP connection %CONN_NUM% for outside:%_IP%/%_PORT% (%_IP%/%_PORT%) to inside:%_IP%/%_PORT% (%_IP%/%_PORT%)
+<166>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for outside:%_IP%/%_PORT% to inside:%_IP%/%_PORT% duration 0:00:%SEC bytes %INT% TCP FINs
+<166>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for outside:%_IP%/%_PORT%(LOCAL\user.name) to inside:%_IP%/%_PORT% duration 0:00:%SEC% bytes %INT% TCP FINs (user.name)
+<166>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for outside:%_IP%/%_PORT%(LOCAL\user.name) to inside:%_IP%/%_PORT% duration 0:00:00 bytes 0 TCP FINs (user.name)
+<166>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for outside:%_IP%/%_PORT%(LOCAL\user.name) to inside:%_IP%/%_PORT% duration 0:00:%SEC% bytes %INT% TCP Reset-I (user.name)
+<142>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for DMZ-Inside:%_IP%/%_PORT% to Inside-Trunk:%_IP%/%_PORT% duration 0:%SEC%:%SEC% bytes %INT% TCP Reset-O
+<142>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for Outside_VPN:%_IP%/%_PORT% to DMZ-Inside:%_IP%/%_PORT% duration 0:%SEC%:%SEC% bytes %INT% TCP Reset-O
+<142>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for Outside_VPN:%_IP%/%_PORT% to Inside-Trunk:%_IP%/%_PORT% duration 0:%SEC%:%SEC% bytes %INT% TCP Reset-O
+<142>%TS%: %ASA-6-302014: Teardown TCP connection %CONN_NUM% for Outside_VPN:%_IP%/%_PORT% to Inside-Trunk:%_IP%/%_PORT% duration 0:%SEC%:%SEC% bytes %INT% TCP FINs
+<166>%TS%: %ASA-6-302015: Built inbound UDP connection %CONN_NUM% for outside:%_IP%/%_PORT% (%_IP%/%_PORT%)(LOCAL\user.name) to inside:%_IP%/%_PORT% (%_IP%/%_PORT%) (user.name)
+<174>%TS%: %ASA-6-302015: Built inbound UDP connection %CONN_NUM% for outside:%_IP%/%_PORT% (%_IP%/%_PORT%) to inside:%_IP%/%_PORT% (%_IP%/%_PORT%) (user.name)
+<166>%TS%: %ASA-6-302016: Teardown UDP connection %CONN_NUM% for outside:%_IP%/%_PORT% to inside:%_IP%/%_PORT% duration 0:%SEC%:%SEC% bytes %INT%
+<166>%TS%: %ASA-6-302016: Teardown UDP connection %CONN_NUM% for outside:%_IP%/%_PORT%(LOCAL\user.name) to inside:%_IP%/%_PORT% duration 0:%SEC%:%SEC% bytes %INT% (user.name)
+<182>%TS%: %ASA-6-302020: Built inbound ICMP connection for faddr %_IP%/%_PORT% gaddr %_IP%/%_PORT% laddr %_IP%/%_PORT%
+<166>%TS%: %ASA-6-302020: Built inbound ICMP connection for faddr %_IP%/%_PORT%(LOCAL\user.name) gaddr %_IP%/%_PORT% laddr %_IP%/%_PORT% (user.name)
+<174>%TS%: %ASA-6-302020: Built inbound ICMP connection for faddr %_IP%/%_PORT% gaddr %_IP%/%_PORT% laddr %_IP%/%_PORT% (user.name)
+<166>%TS%: %ASA-6-302020: Built inbound ICMP connection for faddr %_IP%/%_PORT% gaddr %_IP%/%_PORT% laddr %_IP%/%_PORT%
+<174>%TS%: %ASA-6-302020: Built outbound ICMP connection for faddr %_IP%/%_PORT% gaddr %_IP%/%_PORT% laddr %_IP%/0
+<166>%TS%: %ASA-6-713219: IP = %_IP%, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
+<166>%TS%: %ASA-6-713220: Group = %_IP%, IP = %_IP%, De-queuing KEY-ACQUIRE messages that were left pending.
+<166>%TS%: %ASA-6-713905: INFO: IKE Transform #8 next payload is 3 (should be 0).
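Review bot: The first `%ASA-6-302014` entry (`... duration 0:00:%SEC bytes %INT% TCP FINs`) is missing the closing `%` on `%SEC`, so that placeholder is never substituted and the generated line carries the literal text `%SEC bytes`; it should read `duration 0:00:%SEC% bytes %INT% TCP FINs` like the entries that follow it. Since these lines are meant to exercise what the parser does not support, an unreplaced placeholder would be mistaken for one more unsupported format rather than a typo in the generator, so it is worth fixing before the file is used as a negative test set.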

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/common/files.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/files.txt b/spot-gen/conf/common/files.txt
new file mode 100644
index 0000000..80334ea
--- /dev/null
+++ b/spot-gen/conf/common/files.txt
@@ -0,0 +1,2 @@
+C:\\Windows\\System32\\taskhost.exe
+C:\\Windows\\System32\\notepad.exe

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/common/hosts.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/hosts.txt b/spot-gen/conf/common/hosts.txt
new file mode 100644
index 0000000..348699f
--- /dev/null
+++ b/spot-gen/conf/common/hosts.txt
@@ -0,0 +1,5 @@
+PC-0001
+PC-0002
+PC-0003
+PC-0004
+PC-0005

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/common/subjects.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/subjects.txt b/spot-gen/conf/common/subjects.txt
new file mode 100644
index 0000000..aaa4e5f
--- /dev/null
+++ b/spot-gen/conf/common/subjects.txt
@@ -0,0 +1,14 @@
+Test
+Cars
+Subject 1
+Subject 2
+Subject 3
+Subject 4
+Subject 5
+Subject 6
+Subject 7
+Subject 8
+Subject 9
+Subject 10
+RE: TEST mail
+FWD: News

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/common/users.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/users.txt b/spot-gen/conf/common/users.txt
new file mode 100644
index 0000000..387b3b3
--- /dev/null
+++ b/spot-gen/conf/common/users.txt
@@ -0,0 +1,5 @@
+U001
+U002
+U003
+U004
+U005

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/common/users_info.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/users_info.txt b/spot-gen/conf/common/users_info.txt
new file mode 100644
index 0000000..dc4e74b
--- /dev/null
+++ b/spot-gen/conf/common/users_info.txt
@@ -0,0 +1,5 @@
+U001,PC-0001,Ahmed@example.com
+U002,PC-0002,Arsenio@example.com
+U003,PC-0003,Adrienne@example.com
+U004,PC-0004,Ashely@example.com
+U005,PC-0005,Anastasia@example.com

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/common/utils.py
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/utils.py b/spot-gen/conf/common/utils.py
new file mode 100644
index 0000000..3788238
--- /dev/null
+++ b/spot-gen/conf/common/utils.py
@@ -0,0 +1,19 @@
+def get_random_ip(cidr):
+    import ipaddress
+    import random
+    net = ipaddress.IPv4Network(cidr)
+    return net[ random.randint(0, net.num_addresses-1) ]
+
+def get_email():
+    import random
+    fn = ['noah','emma','mason','ethan','james','madison','daniel','ray','camille','clark','bruce','diana','flash']
+    ln = ['smith','gold','hunt','knight','fisher','cook','clark','kent','wayne','prince','gordon']
+    dom = ['example.com','outlook.com','skype.com','hotmail.com','yahoo.com','gmail.com','secure.com','cnn.com','nbc.com','news.com']
+    email = fn[random.randrange(0, len(fn))] + '.' + ln[random.randrange(0, len(ln))] + '@' + dom[random.randrange(0, len(dom))]
+    return email
+
+def get_rcpt(min_=1, max_=3):
+    import random
+    cnt = random.randint(min_, max_)
+    rcpt = [ get_email() for x in range(0, cnt) ]
+    return [ ','.join(rcpt), cnt ]
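Review bot: `get_random_ip` calls `ipaddress.IPv4Network(cidr)` with the default `strict=True`, so a config value with host bits set such as `10.0.0.1/8` raises `ValueError` at generation time instead of being treated as its network; `net = ipaddress.IPv4Network(cidr, strict=False)` accepts both spellings. Its index range also covers the network and broadcast addresses (`10.0.0.0` and `10.255.255.255` for the configured pool), which never appear as endpoints in real ASA or Windows logs, and it returns an `IPv4Address` rather than `str`, so correct output depends on the replacer in datagen.py (not in this page) calling `str()` on it. In `get_email`, the domain list mixes real third-party domains (outlook.com, gmail.com, cnn.com, ...) into synthetic data that will be shared and demoed; the RFC 2606/6761 reserved names (`example.com`, `example.net`, `example.org`, `*.test`) avoid attributing generated mail to real organisations. `fn[random.randrange(0, len(fn))]` is the hand-rolled form of `random.choice(fn)`, which reads better in all three places it is used.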

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/example.yaml
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example.yaml b/spot-gen/conf/example.yaml
new file mode 100644
index 0000000..6bbf508
--- /dev/null
+++ b/spot-gen/conf/example.yaml
@@ -0,0 +1,35 @@
+# This is example of configuration file for data generator
+---
+timeformat: "%Y-%m-%d %H:%M:%S"
+linebreak: "\n"
+
+# Templates - sample of events with placeholders that must be replaced
+# Parameters:
+#  - samples: source for log samples
+#  - period: for N seconds event can be generated from 'min' to 'max' times
+
+templates:
+  # It can be loaded from file or ...
+  - { type: 'file', samples: 'example/events1.txt', period: 60, min: 1, max: 3 }
+  # ... specified inline
+  - { type: 'list', samples: [ '%TS% - Domain is: %DOMAIN%', '%TS% - Random int is: %_INT% random again: %_INT%' ], period: 120, min: 2, max: 4 }
+
+# Replaces
+replaces:
+  # Can be loaded from file (one item per line) or ...
+  - [ '%DOMAIN%', 'example/domains.txt' ]
+  # ... specified inline or ...
+  - [ '%CHAR%', ['a', 'b', 'c'] ]
+  # ... call some python function from module or ...
+  #     note on "_" prefix. It means that every occurence in one line
+  #     of this parameter will be replaced by another value
+  -
+    - '%_INT%'
+    - !!python/name:random.randint
+    - [ 1, 10 ]
+  # ... call your own function from some module
+  -
+    - '%IP%'
+    - !!python/name:example.utils.get_ip
+    - []
+...

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc b/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc
new file mode 100644
index 0000000..93103f7
Binary files /dev/null and b/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc differ

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/example/domains.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example/domains.txt b/spot-gen/conf/example/domains.txt
new file mode 100644
index 0000000..4d40246
--- /dev/null
+++ b/spot-gen/conf/example/domains.txt
@@ -0,0 +1,2 @@
+domain1.example.com
+domain2.example.com

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/example/events1.txt
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example/events1.txt b/spot-gen/conf/example/events1.txt
new file mode 100644
index 0000000..dfafa26
--- /dev/null
+++ b/spot-gen/conf/example/events1.txt
@@ -0,0 +1,2 @@
+%TS% - This is IP: %IP%
+%TS% - This is random char: %CHAR%

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/example/utils.py
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example/utils.py b/spot-gen/conf/example/utils.py
new file mode 100644
index 0000000..a5d263b
--- /dev/null
+++ b/spot-gen/conf/example/utils.py
@@ -0,0 +1,2 @@
+def get_ip():
+    return '127.0.0.1'
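Review bot: `get_ip` has no docstring, and since it is the reference implementation for "call your own function from some module" in example.yaml, people will copy it; a one-liner stating the contract a replacement callable must meet helps them: `"""Return a fixed loopback address; minimal example of a user-supplied replacement callable (no args, returns str)."""`. The no-args/returns-str part is the piece the YAML side cannot express, so it is worth spelling out here.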

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/unix.yaml
----------------------------------------------------------------------
diff --git a/spot-gen/conf/unix.yaml b/spot-gen/conf/unix.yaml
new file mode 100644
index 0000000..80cf4d9
--- /dev/null
+++ b/spot-gen/conf/unix.yaml
@@ -0,0 +1,14 @@
+---
+timeformat: "%b %-d %H:%M:%S"
+linebreak: "\n"
+templates:
+  - { type: 'file', samples: 'unix/unix_events.sample', period: 60, min: 1, max: 5 }
+replaces:
+  - [ '%HOST%', 'common/hosts.txt' ]
+  - [ '%USERNAME%', 'common/users.txt' ]
+  - [ '%RUSERNAME%', 'common/users.txt' ]
+  - [ '%TTY%', ['pts/0', 'pts/1', 'pts/2', 'pts/3', 'pts/4', 'pts/5'] ]
+  - [ '%UID%', [0, 99, 600, 1000, 1001, 30432] ]
+  - [ '%PWD%', ['/home/crux', '/', '/var/lib'] ]
+  - [ '%COMMAND%', ['/bin/cat /etc/shadow', '/bin/bash sploit.sh', '/bin/rm -rf /', '/bin/vi /etc/passwd'] ]
+...

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/unix/unix_events.sample
----------------------------------------------------------------------
diff --git a/spot-gen/conf/unix/unix_events.sample b/spot-gen/conf/unix/unix_events.sample
new file mode 100644
index 0000000..90f261f
--- /dev/null
+++ b/spot-gen/conf/unix/unix_events.sample
@@ -0,0 +1,4 @@
+<86>%TS% %HOST% su: pam_unix(su:session): session opened for user %USERNAME% by (uid=%UID%)
+<86>%TS% %HOST% su: pam_unix(su:session): session closed for user %USERNAME%
+<85>%TS% %HOST% sudo:   %RUSERNAME% : user NOT in sudoers ; TTY=%TTY% ; PWD=%PWD% ; USER=%USERNAME% ; COMMAND=%COMMAND%
+<85>%TS% %HOST% sudo:   %RUSERNAME% : TTY=%TTY% ; PWD=%PWD% ; USER=%USERNAME% ; COMMAND=%COMMAND%

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/windows_nxlog.yaml
----------------------------------------------------------------------
diff --git a/spot-gen/conf/windows_nxlog.yaml b/spot-gen/conf/windows_nxlog.yaml
new file mode 100644
index 0000000..b46cb9b
--- /dev/null
+++ b/spot-gen/conf/windows_nxlog.yaml
@@ -0,0 +1,42 @@
+---
+timeformat: "%Y-%m-%d %H:%M:%S"
+linebreak: "\n"
+templates:
+  - { type: 'file', samples: 'windows_nxlog/windows_nxlog.sample', period: 60, min: 1, max: 5 }
+replaces:
+  - [ '%SUBJECT_ACCOUNT%', 'common/users.txt' ]
+  - [ '%SUBJECT_DOMAIN%', 'common/hosts.txt' ]
+  - [ '%TARGET_ACCOUNT%', 'common/users.txt' ]
+  - [ '%OLD_TARGET_ACCOUNT%', 'common/users.txt' ]
+  - [ '%NEW_TARGET_ACCOUNT%', 'common/users.txt' ]
+  - [ '%TARGET_DOMAIN%', 'common/hosts.txt' ]
+  - [ '%WORKSTATION%', 'common/hosts.txt' ]
+  - [ '%LOGON_TYPE%', ['1', '2', '3', '4'] ]
+  - [ '%OBJECT_SERVER%', ['test1', 'test2']]
+  - [ '%OBJECT_NAME%', ['test1', 'test2']]
+  - [ '%PROCESS_NAME%', 'common/files.txt' ]
+  -
+    - '%SUBJECT_LOGONID%'
+    - !!python/name:random.randint
+    - [1000, 10000]
+  -
+    - '%TARGET_LOGONID%'
+    - !!python/name:random.randint
+    - [1000, 10000]
+  -
+    - '%HANDLEID%'
+    - !!python/name:random.randint
+    - [2, 5000]
+  -
+    - '%PROCESS_ID%'
+    - !!python/name:random.randint
+    - [2, 5000]
+  -
+    - '%IP%'
+    - !!python/name:common.utils.get_random_ip
+    - ['10.0.0.0/8']
+  -
+    - '%PORT%'
+    - !!python/name:random.randint
+    - [1, 65534]
+...

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/conf/windows_nxlog/windows_nxlog.sample
----------------------------------------------------------------------
diff --git a/spot-gen/conf/windows_nxlog/windows_nxlog.sample b/spot-gen/conf/windows_nxlog/windows_nxlog.sample
new file mode 100644
index 0000000..bad42a8
--- /dev/null
+++ b/spot-gen/conf/windows_nxlog/windows_nxlog.sample
@@ -0,0 +1,25 @@
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%TARGET_DOMAIN%\r\n\tAccount Domain:\t\tSSTECH\r\n\tLogon ID:\t\t0x1da1cdb6\r\n\tLogon GUID:\t\t{FEB50683-C36D-826D-AE56-6D351339049B}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t::1\r\n\tSource Port:\t\t59714\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tKerberos\r\n\tAuthentication Package:\tKerberos\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was acc
 essed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used am
 ong the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-0-0","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x%SUBJECT_LOGONID%","TargetUserSid":"S-1-5-18","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetLogonId":"0x%TARGET_LOGONID%","LogonType":"%LOGON_TYPE%","LogonProcessName":"Kerberos","AuthenticationPackageName":"Kerberos","WorkstationName'/><Data Name='LogonGuid":"{FEB50683-C36D-826D-AE56-6D351339049B}","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessName":"-","IpAddress":"%IP%","IpPort":"%PORT%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3524\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x1c1124df\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3524\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3524","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-3524","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","EventReceivedTime":"%TS%","SourceModul
 eName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t4\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tThe user has not been granted the requested logon type at this machine.\r\n\tStatus:\t\t\t0xc000015b\r\n\tSub Status:\t\t0x0\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x91c\r\n\tCaller Process Name:\tC:\\Program Files\\Symantec\\Backup Exec\\RAWS\\beremote.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSSTECHGCDC01\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi  \r
 \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request
 .\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","TargetUserSid":"S-1-0-0","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","Status":"0xc000015b","FailureReason":"%%2308","SubStatus":"0x0","LogonType":"%LOGON_TYPE%","LogonProcessName":"Advapi  ","AuthenticationPackageName":"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0","WorkstationName":"%WORKSTATION%","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessName":"%PROCESS_NAME%","IpAddress":"-","IpPort":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleT
 ype":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\tLogon ID:\t\t0x%TARGET_LOGONID%\r\n\r\nLogon Type:\t\t\t0x%TARGET_LOGONID%\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"%TARGET_AC
 COUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetLogonId":"0x%TARGET_LOGONID%","LogonType":"%LOGON_TYPE%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4647,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"User initiated logoff:\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\tLogon ID:\t\t0x%TARGET_LOGONID%\r\n\r\nThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainNam
 e":"%TARGET_DOMAIN%","TargetLogonId":"0x%TARGET_LOGONID%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4648,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A logon was attempted using explicit credentials.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x%SUBJECT_LOGONID%\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nAccount Whose Credentials Were Used:\r\n\tAccount Name:\t\%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\tLogon GUID:\t\t{9B3C56B9-DE3E-959D-5FD6-A495C610221D}\r\n\r\nTarget Server:\r\n\tTarget Server Name:\t%TARGET_DOMAIN%\r\n\tAdditio
 nal Information:\t-TargetServerName\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t%PROCESS_ID%\r\n\tProcess Name:\t\t%PROCESS_NAME%\r\n\r\nNetwork Information:\r\n\tNetwork Address:\t-\r\n\tPort:\t\t\t-\r\n\r\nThis event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetLogonGuid":"{9B3C56B9-DE3E-959D-5FD6-A495C610221D}","TargetServerName":"-TargetServerName","TargetInfo":"-TARGET_INFO","ProcessName":"%PROCESS_NAME%","IpAddress":"-","IpPort":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","Sou
 rceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4662,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-2807\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x%SUBJECT_LOGONID%\r\n\r\nObject:\r\n\tObject Server:\t\t%OBJECT_SERVER%\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%OBJECT_NAME%\r\n\tHandle ID:\t\t%HANDLEID%\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\t
 Access Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t","Category":"Directory Service Access","Opcode":"Info","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-2807","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","ObjectServer":"%OBJECT_SERVER%","ObjectType":"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","ObjectName":"%OBJECT_NAME%","OperationType":"Object Access","HandleId":"%HANDLEID%","AccessList":"%%7688\r\n\t\t\t\t","AccessMask":"0x100","Properties":"%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n","AdditionalInfo":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-2807\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x17bcd9476\r\n\r\nPrivileges:\t\tSeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeEnableDelegationPrivilege
 ","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-2807","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"SeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeEnableDelegationPrivilege","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x614\r\n\tNew Process Name:\tC:\\Windows\\System32\\dllhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x2d8\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with 
 User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","Category":"Process Cre
 ation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","NewProcessId":"%PROCESS_ID%","NewProcessName":"%PROCESS_NAME%","TokenElevationType":"%%1936","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4689,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xf64\r\n\tProcess Name:\tC:\\Windows\\System32\\taskhost.exe\r\n\tExit Status:\t0x0","Category":"Process Termination","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","Status":"0x0","ProcessName":"%PR
 OCESS_NAME%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4720,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x1cbb84b9\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3525\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\r\nAttributes:\r\n\tSAM Account Name:\tBrandy.Zickefoose\r\n\tDisplay Name:\t\tBrandy Zickefoose\r\n\tUser Principal Name:\tBrandy.Zickefo
 ose@sstech.internal\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3525","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","SamAccountName":"-
 SamAccountName","DisplayName":"-DisplayName","UserPrincipalName":"-UserPrincipalName","HomeDirectory":"-","HomePath":"-","ScriptPath":"-","ProfilePath":"-","UserWorkstations":"-","PasswordLastSet":"%%1794","AccountExpires":"%%1794","PrimaryGroupId":"513","AllowedToDelegateTo":"-","OldUacValue":"0x0","NewUacValue":"0x15","UserAccountControl":"\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084","UserParameters":"-","SidHistory":"-","LogonHours":"%%1793","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4722,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was enabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x1cbb84b9\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3525\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":
 "S-1-5-21-1086840289-4070117063-4100749663-3525","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4724,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"An attempt was made to reset an account's password.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x1cc1ce42\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3525\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARG
 ET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3525","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4725,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was disabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x122d25cdb\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-6141\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid
 ":"S-1-5-21-1086840289-4070117063-4100749663-6141","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4726,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0xbbd91f7\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3513\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\r\nAdditional Information:\r\n\tPrivileges\t-","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%",
 "TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3513","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4728,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A member was added to a security-enabled global group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x1cbb84b9\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3229\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3237\r\n\tGroup Name:\t\tSSLVPN-Users\r\n\tGroup Domain:\t\t%TARGET_DOMAIN%\r\n\r\n
 Additional Information:\r\n\tPrivileges:\t\t-","Category":"Security Group Management","Opcode":"Info","MemberName":"-MemberName","MemberSid":"S-1-5-21-1086840289-4070117063-4100749663-3229","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3237","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4729,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A member was removed from a security-enabled global group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3256\r\n\tAccount Name:\t\%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x2baa0eb6\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3529\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3237\r\n\tGroup Name:\t\tSSLVPN-Users\r\n\tGroup Domain:\t\t%TARGET_DOMAIN%\r\n\
 r\nAdditional Information:\r\n\tPrivileges:\t\t-","Category":"Security Group Management","Opcode":"Info","MemberName":"-MemberName","MemberSid":"S-1-5-21-1086840289-4070117063-4100749663-3529","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3237","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-3256","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4737,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A security-enabled global group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-5716\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x1cbb84b9\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3237\r\n\tGroup Name:\t\tSSLVPN-Users\r\n\tGroup Domain:\t\t%TARGET_DOMAIN%\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-","Category
 ":"Security Group Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3237","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-5716","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","SamAccountName":"-","SidHistory":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4738,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x3e6\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3525\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tP
 rofile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t2/1/2017 9:23:20 AM\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-","Category":"User Account Management","Opcode":"Info","Dummy":"-","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-3525","SubjectUserSid":"S-1-5-7","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","SamAccountName":"-","DisplayName":"-","UserPrincipalName":"-","HomeDirectory":"-","HomePath":"-","ScriptPath":"-","ProfilePath":"-","UserWorkstations":"-","PasswordLastSet":"2/1/2017 9:23:20 AM","AccountExpires":"-","PrimaryGroupId":"-","AllowedToDelegateTo
 ":"-","OldUacValue":"-","NewUacValue":"-","UserAccountControl":"-","UserParameters":"-","SidHistory":"-","LogonHours":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4740,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x3e7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3353\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\tSSTECHVEMSVR","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","Target
 Sid":"S-1-5-21-1086840289-4070117063-4100749663-3353","SubjectUserSid":"S-1-5-18","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4767,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"A user account was unlocked.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-1416\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x18fe1406\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3338\r\n\tAccount Name:\t\t%TARGET_ACCOUNT%\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%","Category":"User Account Management","Opcode":"Info","TargetUserName":"%TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid"
 :"S-1-5-21-1086840289-4070117063-4100749663-3338","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-1416","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4781,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"The name of an account was changed:\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-3454\r\n\tAccount Name:\t\t%SUBJECT_ACCOUNT%\r\n\tAccount Domain:\t\t%SUBJECT_DOMAIN%\r\n\tLogon ID:\t\t0x%SUBJECT_LOGONID%\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1086840289-4070117063-4100749663-4661\r\n\tAccount Domain:\t\t%TARGET_DOMAIN%\r\n\tOld Account Name:\t%OLD_TARGET_ACCOUNT%\r\n\tNew Account Name:\t%NEW_TARGET_ACCOUNT%\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-","Category":"User 
 Account Management","Opcode":"Info","OldTargetUserName":"%OLD_TARGET_ACCOUNT%","NewTargetUserName":"%NEW_TARGET_ACCOUNT%","TargetDomainName":"%TARGET_DOMAIN%","TargetSid":"S-1-5-21-1086840289-4070117063-4100749663-4661","SubjectUserSid":"S-1-5-21-1086840289-4070117063-4100749663-3454","SubjectUserName":"%SUBJECT_ACCOUNT%","SubjectDomainName":"%SUBJECT_DOMAIN%","SubjectLogonId":"0x%SUBJECT_LOGONID%","PrivilegeList":"-","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5024,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"The Windows Firewall service started successfully.","Category":"Other System Events","Opcode":"Info","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5033,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"The Windows Firewall Driver started successfully.","Category":"Other System Events","Opcode":"Info","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
+Feb  1 00:00:01 host.internal Microsoft-Windows-Security-Auditing[580]: {"EventTime":"%TS%","Hostname":"host.internal","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5478,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":24274711,"ProcessID":580,"ThreadID":1452,"Channel":"Security","Message":"The IPsec Policy Agent service was started.","Category":"IPsec Driver","Opcode":"Info","EventReceivedTime":"%TS%","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/a7bdbc42/spot-gen/datagen.py
----------------------------------------------------------------------
diff --git a/spot-gen/datagen.py b/spot-gen/datagen.py
new file mode 100755
index 0000000..222f3bd
--- /dev/null
+++ b/spot-gen/datagen.py
@@ -0,0 +1,210 @@
+#!/usr/bin/python3
+
+import argparse
+import os
+import sys
+import re
+import yaml
+from datetime import timedelta, datetime
+import time
+import random
+
+
+class Generator:
+    def __init__(self, config):
+        self.set_default_values()
+        self.config = config
+        self.cache = {}
+        self.load_config()
+
+    def set_default_values(self):
+        self.timeformat = "%Y-%m-%d %H:%M:%S"
+        self.linebreak = "\n"
+        self.model = {}
+        self.templates = []
+        self.replaces = {}
+
+    def load_config(self):
+        if 'timeformat' in self.config:
+            self.timeformat = self.config['timeformat']
+        if 'linebreak' in self.config:
+            self.linebreak = self.config['linebreak']
+
+        if 'model' in self.config:
+            self.model['users'] = self.load_yaml_from_file(self.config['model']['users'])
+            self.model['events'] = self.load_yaml_from_file(self.config['model']['events'])
+            self.model['scenarios'] = self.load_yaml_from_file(self.config['model']['scenarios'])
+            self.model['activity'] = self.load_yaml_from_file(self.config['model']['activity'])
+            return
+        for tmpl in self.config['templates']:
+            if tmpl['type'] == 'file':
+                tmpl['samples'] = self.load_samples_from_file(tmpl['samples'])
+            self.templates.append(tmpl)
+        for rplc in self.config['replaces']:
+            if type(rplc[1]) is str:
+                rplc[1] = self.load_samples_from_file(rplc[1])
+            self.replaces[rplc[0]] = rplc[1:]
+
+    def load_samples_from_file(self, fname):
+        if not os.path.isabs(fname):
+            fname = os.path.join(self.config['conf_abs_path'], fname)
+        with open(fname, 'r') as f:
+            return f.read().splitlines()
+
+    def load_yaml_from_file(self, fname):
+        if not os.path.isabs(fname):
+            fname = os.path.join(self.config['conf_abs_path'], fname)
+        with open(fname, 'r') as f:
+            return yaml.load(f.read())
+
+    def do_replace(self, line, replaces):
+        regexp = '(' + '|'.join(replaces.keys()) + ')'
+        actual_keys = re.findall(regexp, line)
+        already_replaced = []
+        for key_to_replace in actual_keys:
+            replace_to = ''
+            if key_to_replace in already_replaced:
+                continue
+            if key_to_replace in replaces:
+                values = replaces[key_to_replace][0]
+                if callable(values):
+                    replace_to = values(*replaces[key_to_replace][1])
+                else:
+                    replace_to = values[random.randint(0, len(values)-1)]
+            else:
+                replace_to = 'DEFINE_ME_IN_CONFIG'
+            if key_to_replace.startswith('%_'):
+                line = line.replace(key_to_replace, str(replace_to), 1)
+            else:
+                line = line.replace(key_to_replace, str(replace_to))
+                already_replaced.append(key_to_replace)
+
+        return line
+
+    def generate(self, odf, beg_date, end_date):
+        if self.model:
+            self.generate_model(odf, beg_date, end_date)
+        days = (end_date - beg_date).days
+        if days > 0:
+            for day in range(days, 0, -1):
+                base_day = end_date - timedelta(days=day)
+                end_of_period = base_day + timedelta(days=1) - timedelta(seconds=1)
+                self._generate_for_period(odf, base_day, end_of_period)
+        elif days == 0:
+            self._generate_for_period(odf, beg_date, end_date)
+
+    def generate_model(self, odf, beg_date, end_date):
+        days = (end_date - beg_date).days
+        if days > 0:
+            for day in range(days, 0, -1):
+                base_day = end_date - timedelta(days=day)
+                end_of_period = base_day + timedelta(days=1) - timedelta(seconds=1)
+                for user in self.model['activity']:
+                    scenario = self.model['scenarios'][self.model['activity'][user]]
+                    for event in scenario:
+                        self._generate_event(base_day, self.model['users'][user], event, self.model['events'])
+                self.cache = {}
+
+        elif days == 0:
+            self._generate_for_period(odf, beg_date, end_date)
+
+    def _generate_event(self, dt, user, event, template):
+        weekday = dt.weekday()
+        weekday = '{:%a}'.format(dt)
+        if weekday not in event['weekdays'].split(','):
+            return
+        mintime, maxtime = event['timerange'].split('-')
+        mintime_h, mintime_m = mintime.split(':')
+        maxtime_h, maxtime_m = maxtime.split(':')
+        mintime_h = int(mintime_h)
+        maxtime_h = int(maxtime_h)
+        hours = maxtime_h - mintime_h
+        minutes = 60 * hours
+        start = 0
+        stop = 1
+        if 'frequency' in event:
+            (start, stop) = event['frequency']
+
+        def repl(matchobj):
+            for m in matchobj.groups():
+                (typ, key) = m.split(':')
+                if typ == 'U':
+                    return user[key]
+                elif typ == 'M':
+                    print(key)
+                    login = user['Login']
+                    if login not in self.cache:
+                        self.cache[login] = {}
+                    if key in self.cache[login]:
+                        return self.cache[login][key]
+                    else:
+                        self.cache[login][key] = str(random.randrange(1000, 9000))
+                        return self.cache[login][key]
+                else:
+                    return 'DEFINE_ME'
+
+        for i in range(start, stop):
+            event_time = dt + timedelta(hours=mintime_h, minutes=random.randrange(0, minutes), seconds=random.randrange(0, 60))
+            ts = event_time.strftime(self.timeformat) + ' ' + user['Timezone']
+            s = re.sub(r'<<([^>]+)>>', repl, template[event['tmpl']])
+            s = s.replace('%TS%', ts)
+            print(s)
+
+    def _generate_for_period(self, odf, beg_of_period, end_of_period):
+        ready_events = []
+        for tmpl in self.templates:
+            beg = beg_of_period
+            end = beg + timedelta(seconds=tmpl['period'])
+            while end < end_of_period:
+                for sample in tmpl['samples']:
+                    msg_cnt = random.randint(tmpl['min'], tmpl['max'])
+                    for i in range(0, msg_cnt):
+                        ts = random.randint(time.mktime(beg.timetuple()), time.mktime(end.timetuple()))
+                        result = self.do_replace(sample, self.replaces)
+                        ready_events.append([ts, result])
+                beg = end
+                end = beg + timedelta(seconds=tmpl['period'])
+        if self.config['sort']:
+            ready_events.sort()
+        for line in ready_events:
+            res = line[1].replace('%TS%', time.strftime(self.timeformat, time.localtime(line[0])))
+            odf.write(res + self.linebreak)
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Generate sample data')
+    parser.add_argument('config', type=argparse.FileType('r'), help='Config file')
+    parser.add_argument('--write', type=argparse.FileType('w'), default='-', help='Write to file')
+    parser.add_argument('--period', default='1h', help='Generate data for N last days [suffix d] or last N hours [suffix h] or last N minutes [suffix m]')
+    parser.add_argument('--sort', action='store_true', default=False, help='Use timestamp to sort events (slow)')
+    args = parser.parse_args()
+
+    config = {}
+    if args.config:
+        conf_abs_path = os.path.dirname(os.path.abspath(args.config.name))
+        sys.path.append(conf_abs_path)
+        config = yaml.load(args.config)
+        config['conf_abs_path'] = conf_abs_path
+        config['sort'] = args.sort
+
+    matches = re.match('(\d+)([dhm])', args.period)
+    if not matches:
+        parser.print_help()
+
+    period = int(matches.group(1))
+    period_type = matches.group(2)
+    end_date = datetime.now()
+    if period_type == 'h':
+        beg_date = end_date - timedelta(hours=period)
+    elif period_type == 'm':
+        beg_date = end_date - timedelta(minutes=period)
+    if period_type == 'd':
+        end_date = end_date.replace(hour=0, minute=0, second=0, microsecond=0)
+        beg_date = end_date - timedelta(days=period)
+
+    g = Generator(config)
+    g.generate(args.write, beg_date, end_date)
+
+
+if __name__ == '__main__':
+    main()
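Review bot: Both `yaml.load` calls in this hunk — in `load_yaml_from_file` and in `main()` — use the default unrestricted loader, which together with `sys.path.append(conf_abs_path)` a line earlier means any config file passed to `datagen.py` can name and invoke arbitrary Python callables; that is intentional for the `replaces` entries (the README's `!!python/name:` tags), but it should be explicit and confined to where it is needed. Keep the full loader only for the main config, `config = yaml.load(args.config, Loader=yaml.Loader)` with a comment such as `# config is trusted code: !!python/name tags resolve callables from conf_abs_path`, and, if the model files (users/events/scenarios/activity) are plain data as their use here suggests, change `load_yaml_from_file` to `return yaml.safe_load(f)` (an explicit `Loader=` also avoids the PyYAML 5.1+ deprecation warning). Separately, when `--period` does not match, `parser.print_help()` returns without exiting and the next line calls `matches.group(1)` on `None`; use `parser.error('--period must be N followed by d, h or m')` instead, and anchor the pattern as `r'^(\d+)([dhm])$'` so a value like `1hour` is rejected and the non-raw `\d` escape stops warning. The debug `print(key)` in `repl` and `print(s)` in `_generate_event` also write to stdout rather than `odf`, so model-generated events bypass `--write`.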


[2/4] incubator-spot git commit: Removed .pyc file

Posted by na...@apache.org.
Removed .pyc file


Project: http://git-wip-us.apache.org/repos/asf/incubator-spot/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-spot/commit/5a3cadd7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-spot/tree/5a3cadd7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-spot/diff/5a3cadd7

Branch: refs/heads/SPOT-181_ODM
Commit: 5a3cadd774fadaa173256d6d3854808b262e1a94
Parents: a7bdbc4
Author: Vladimir <Vl...@sstech.us>
Authored: Tue Jul 4 03:19:24 2017 +0300
Committer: Vladimir <Vl...@sstech.us>
Committed: Tue Jul 4 03:19:24 2017 +0300

----------------------------------------------------------------------
 .../conf/example/__pycache__/utils.cpython-35.pyc    | Bin 269 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/5a3cadd7/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc b/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc
deleted file mode 100644
index 93103f7..0000000
Binary files a/spot-gen/conf/example/__pycache__/utils.cpython-35.pyc and /dev/null differ


[4/4] incubator-spot git commit: Merge branch 'pr/68' into SPOT-181_ODM

Posted by na...@apache.org.
Merge branch 'pr/68' into SPOT-181_ODM


Project: http://git-wip-us.apache.org/repos/asf/incubator-spot/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-spot/commit/b7a015c9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-spot/tree/b7a015c9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-spot/diff/b7a015c9

Branch: refs/heads/SPOT-181_ODM
Commit: b7a015c96cdc9721d4fd37a01749d0745550f9cd
Parents: d20c5bf e6e234b
Author: natedogs911 <na...@gmail.com>
Authored: Tue Jan 23 17:20:39 2018 -0800
Committer: natedogs911 <na...@gmail.com>
Committed: Tue Jan 23 17:20:39 2018 -0800

----------------------------------------------------------------------
 spot-gen/README.md                              |  66 ++++++
 spot-gen/conf/asa.yaml                          |  33 +++
 spot-gen/conf/asa/asa.sample                    |  13 ++
 .../conf/asa/not-supported-by-parser.sample     |  40 ++++
 spot-gen/conf/common/files.txt                  |   2 +
 spot-gen/conf/common/hosts.txt                  |   5 +
 spot-gen/conf/common/subjects.txt               |  14 ++
 spot-gen/conf/common/users.txt                  |   5 +
 spot-gen/conf/common/users_info.txt             |   5 +
 spot-gen/conf/common/utils.py                   |  36 +++
 spot-gen/conf/example.yaml                      |  35 +++
 spot-gen/conf/example/domains.txt               |   2 +
 spot-gen/conf/example/events1.txt               |   2 +
 spot-gen/conf/example/utils.py                  |  19 ++
 spot-gen/conf/unix.yaml                         |  14 ++
 spot-gen/conf/unix/unix_events.sample           |   4 +
 spot-gen/conf/windows_nxlog.yaml                |  42 ++++
 .../conf/windows_nxlog/windows_nxlog.sample     |  25 ++
 spot-gen/datagen.py                             | 227 +++++++++++++++++++
 19 files changed, 589 insertions(+)
----------------------------------------------------------------------



[3/4] incubator-spot git commit: Added Apache License. Updated README

Posted by na...@apache.org.
Added Apache License. Updated README


Project: http://git-wip-us.apache.org/repos/asf/incubator-spot/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-spot/commit/e6e234ba
Tree: http://git-wip-us.apache.org/repos/asf/incubator-spot/tree/e6e234ba
Diff: http://git-wip-us.apache.org/repos/asf/incubator-spot/diff/e6e234ba

Branch: refs/heads/SPOT-181_ODM
Commit: e6e234ba250b6c6188f6fd6bc251c7f4c80e1e8f
Parents: 5a3cadd
Author: Vladimir <Vl...@sstech.us>
Authored: Tue Jul 11 11:14:07 2017 +0300
Committer: Vladimir <Vl...@sstech.us>
Committed: Tue Jul 11 11:14:07 2017 +0300

----------------------------------------------------------------------
 spot-gen/README.md             | 66 +++++++++++++++++++++++++++++++++++++
 spot-gen/README.txt            |  5 ---
 spot-gen/conf/common/utils.py  | 17 ++++++++++
 spot-gen/conf/example/utils.py | 17 ++++++++++
 spot-gen/datagen.py            | 17 ++++++++++
 5 files changed, 117 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/e6e234ba/spot-gen/README.md
----------------------------------------------------------------------
diff --git a/spot-gen/README.md b/spot-gen/README.md
new file mode 100644
index 0000000..40802c9
--- /dev/null
+++ b/spot-gen/README.md
@@ -0,0 +1,66 @@
+Simple data generator
+======================
+
+This tool produces random logs for any preconfigured source.
+It allows to simulate real source and can be used for testing or demonstrating purposes.
+For example, after adding to cron (run every hour and generate logs for last hour) and copying result log files to collector's directory data will be always actual and reports will be non-empty.
+Currently generator works only in batch mode (generate log files for some period).
+
+Included configuration files for generating cisco asa, su/sudo and windows (nxlog format) events.
+
+Usage:
+```
+# datagen.py --help
+usage: datagen.py [-h] [--write WRITE] [--period PERIOD] [--sort] config
+
+Generate sample data
+
+positional arguments:
+  config           Config file
+
+optional arguments:
+  -h, --help       show this help message and exit
+  --write WRITE    Write to file
+  --period PERIOD  Generate data for N last days [suffix d] or last N hours
+                   [suffix h] or last N minutes [suffix m]
+  --sort           Use timestamp to sort events (slow)
+```
+
+Example of configuration file `conf/example.yaml`
+
+```
+---
+timeformat: "%Y-%m-%d %H:%M:%S"
+linebreak: "\n"
+
+# Templates - sample of events with placeholders that must be replaced
+# Parameters:
+#  - samples: source for log samples
+#  - period: for N seconds event can be generated from 'min' to 'max' times
+
+templates:
+  # It can be loaded from file or ...
+  - { type: 'file', samples: 'example/events1.txt', period: 60, min: 1, max: 3 }
+  # ... specified inline
+  - { type: 'list', samples: [ '%TS% - Domain is: %DOMAIN%', '%TS% - Random int is: %_INT% random again: %_INT%' ], period: 120, min: 2, max: 4 }
+
+# Replaces
+replaces:
+  # Can be loaded from file (one item per line) or ...
+  - [ '%DOMAIN%', 'example/domains.txt' ]
+  # ... specified inline or ...
+  - [ '%CHAR%', ['a', 'b', 'c'] ]
+  # ... call some python function from module or ...
+  #     note on "_" prefix. It means that every occurence in one line
+  #     of this parameter will be replaced by another value
+  -
+    - '%_INT%'
+    - !!python/name:random.randint
+    - [ 1, 10 ]
+  # ... call your own function from some module
+  -
+    - '%IP%'
+    - !!python/name:example.utils.get_ip
+    - []
+...
+```

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/e6e234ba/spot-gen/README.txt
----------------------------------------------------------------------
diff --git a/spot-gen/README.txt b/spot-gen/README.txt
deleted file mode 100644
index c8abe3b..0000000
--- a/spot-gen/README.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Simple data generation
-=======================
-Usage: `python3 datagen.py --help`
-Example of config `conf/example.yaml`
-

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/e6e234ba/spot-gen/conf/common/utils.py
----------------------------------------------------------------------
diff --git a/spot-gen/conf/common/utils.py b/spot-gen/conf/common/utils.py
index 3788238..5413623 100644
--- a/spot-gen/conf/common/utils.py
+++ b/spot-gen/conf/common/utils.py
@@ -1,3 +1,20 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 def get_random_ip(cidr):
     import ipaddress
     import random

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/e6e234ba/spot-gen/conf/example/utils.py
----------------------------------------------------------------------
diff --git a/spot-gen/conf/example/utils.py b/spot-gen/conf/example/utils.py
index a5d263b..05a829c 100644
--- a/spot-gen/conf/example/utils.py
+++ b/spot-gen/conf/example/utils.py
@@ -1,2 +1,19 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 def get_ip():
     return '127.0.0.1'

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/e6e234ba/spot-gen/datagen.py
----------------------------------------------------------------------
diff --git a/spot-gen/datagen.py b/spot-gen/datagen.py
index 222f3bd..55d2207 100755
--- a/spot-gen/datagen.py
+++ b/spot-gen/datagen.py
@@ -1,5 +1,22 @@
 #!/usr/bin/python3
 
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 import argparse
 import os
 import sys