ATA 記錄檔提供者

Microsoft.AdvancedThreatAnalytics.LogFileProvider (DataSourceModuleType)

此提供者用於讀取 ATA 記錄檔。

Element properties:

Member Modules:

Source Code:

<DataSourceModuleType ID="Microsoft.AdvancedThreatAnalytics.LogFileProvider" Accessibility="Internal" Batching="false">

  <Configuration>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="LogFileDirectory" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="LogFilePattern" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="PublisherName" type="xsd:string"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="ErrorStringContains" type="xsd:string"/>

  </Configuration>

  <ModuleImplementation Isolation="Any">

    <Composite>

      <MemberModules>

        <DataSource ID="LogReader" TypeID="SAL!System.ApplicationLog.GenericLogReader">

          <LogFileDirectory>$Config/LogFileDirectory$</LogFileDirectory>

          <LogFilePattern>$Config/LogFilePattern$</LogFilePattern>

          <LogIsUTF8>true</LogIsUTF8>

        </DataSource>

        <ConditionDetection ID="EventMapper" TypeID="System!System.Event.GenericDataMapper">

          <EventOriginId>$Target/Id$</EventOriginId>

          <PublisherId>$MPElement$</PublisherId>

          <PublisherName>$Config/PublisherName$</PublisherName>

          <Channel>$Config/LogFilePattern$</Channel>

          <LoggingComputer/>

          <EventNumber>0</EventNumber>

          <EventCategory>0</EventCategory>

          <EventLevel>1</EventLevel>

          <UserName/>

          <Description>$Data/Params/Param[1]$</Description>

          <Params>

            <Param>$Data/Params/Param[1]$</Param>

          </Params>

        </ConditionDetection>

        <ConditionDetection ID="Expression" TypeID="System!System.ExpressionFilter">

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">$Data/Params/Param[1]$</XPathQuery>

              </ValueExpression>

              <Operator>ContainsSubstring</Operator>

              <Pattern>$Config/ErrorStringContains$</Pattern>

            </RegExExpression>

          </Expression>

        </ConditionDetection>

      </MemberModules>

      <Composition>

        <Node ID="EventMapper">

          <Node ID="Expression">

            <Node ID="LogReader"/>

          </Node>

        </Node>

      </Composition>

    </Composite>

  </ModuleImplementation>

  <OutputType>System!System.Event.Data</OutputType>

</DataSourceModuleType>