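# Splunk inputs.conf stanza: Windows Application event log.
# One setting per line; the collapsed single-line form is not parseable as
# separate settings.
[WinEventLog://Application]
# false = input is enabled
disabled = false
# destination index; events routed to an index that does not exist on the
# indexer are discarded, so create it before enabling this input
index = wineventlog
sourcetype = wineventlog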

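# Splunk inputs.conf stanza: Windows Security event log.
# One setting per line; the collapsed single-line form is not parseable as
# separate settings.
[WinEventLog://Security]
# false = input is enabled. Reading the Security log typically requires the
# forwarder service account to have read access to that channel.
disabled = false
# No whitelist/blacklist is set, so every Security event is forwarded; on busy
# hosts this is the highest-volume channel in this file.
index = wineventlog
sourcetype = wineventlog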

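# Splunk inputs.conf stanza: Windows System event log.
# One setting per line; the collapsed single-line form is not parseable as
# separate settings.
[WinEventLog://System]
# false = input is enabled
disabled = false
# same index as the Application and Security stanzas above
index = wineventlog
sourcetype = wineventlog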

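# Splunk inputs.conf stanza: Sysmon operational channel, collected as XML.
# One setting per line; the collapsed single-line form is not parseable as
# separate settings.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
# false = input is enabled
disabled = false
# true = forward the raw event XML rather than the rendered text message
renderXml = true
# separate index from the classic Windows logs so retention and access can
# differ; must exist on the indexer
index = sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
# NOTE(review): the source value follows the XmlWinEventLog convention but the
# sourcetype is still the text-format wineventlog. The Splunk Add-on for
# Microsoft Windows keys its XML field extractions on sourcetype
# XmlWinEventLog, so with renderXml = true this mismatch is likely to leave
# Sysmon events unparsed. Confirm existing searches/props before changing.
sourcetype = wineventlog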