title: Logstash Windows common log sources
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
logsources:
  windows:
    product: windows
    index: logstash-windows-*
  windows-application:
    product: windows
    service: application
    conditions:
      Channel: Application
  windows-security:
    product: windows
    service: security
    conditions:
      Channel: Security
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      Channel: Microsoft-Windows-Sysmon
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      Channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      Channel: 'Microsoft-Windows-DHCP-Server/Operational'
  windows-defender:
    product: windows
    service: windefend
    conditions:
      Channel: 'Microsoft-Windows-Windows Defender/Operational'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      Channel: 'Microsoft-Windows-NTLM/Operational'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      Channel:
        - 'Microsoft-Windows-AppLocker/MSI and Script'
        - 'Microsoft-Windows-AppLocker/EXE and DLL'
        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      Channel: 'MSExchange Management'
defaultindex: logstash-*