olafhartong/sysmon-logman.xml

## sysmon-logman.xml
<DataCollectorSet><Status>0</Status><Duration>0</Duration><Description/><DescriptionUnresolved/><DisplayName/><DisplayNameUnresolved/><SchedulesEnabled>-1</SchedulesEnabled><LatestOutputLocation>C:\temp\</LatestOutputLocation><Name>sysmon</Name><OutputLocation>D:\temp\</OutputLocation><RootPath>D:\temp</RootPath><Segment>0</Segment><SegmentMaxDuration>0</SegmentMaxDuration><SegmentMaxSize>0</SegmentMaxSize><SerialNumber>7</SerialNumber><Server/><Subdirectory/><SubdirectoryFormat>1</SubdirectoryFormat><SubdirectoryFormatPattern/><Task/><TaskRunAsSelf>0</TaskRunAsSelf><TaskArguments/><TaskUserTextArguments/><UserAccount>SYSTEM</UserAccount><Security>O:BAG:DUD:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LU)(A;;0x1301ff;;;S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200ab;;;LU)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)</Security><StopOnCompletion>0</StopOnCompletion><PerformanceCounterDataCollector><DataCollectorType>0</DataCollectorType><Name>System Monitor Log</Name><FileName>System Monitor Log</FileName><FileNameFormat>3</FileNameFormat><FileNameFormatPattern>\-dd\-MM\-yy\-HHMM</FileNameFormatPattern><LogAppend>-1</LogAppend><LogCircular>0</LogCircular><LogOverwrite>0</LogOverwrite><LatestOutputLocation>D:\temp\NL010VN0574_Sysmon Event Trace-06-08-18-1008.etl</LatestOutputLocation><DataSourceName/><SampleInterval>1</SampleInterval><SegmentMaxRecords>0</SegmentMaxRecords><LogFileFormat>3</LogFileFormat><Counter>\Process(Sysmon)\% Processor Time</Counter><Counter>\Process(Sysmon)\IO Data Operations/sec</Counter><Counter>\Process(Sysmon)\Private Bytes</Counter><Counter>\Process(Sysmon)\Virtual Bytes</Counter><CounterDisplayName>\Process(Sysmon)\% Processor Time</CounterDisplayName><CounterDisplayName>\Process(Sysmon)\IO Data Operations/sec</CounterDisplayName><CounterDisplayName>\Process(Sysmon)\Private Bytes</CounterDisplayName><CounterDisplayName>\Process(Sysmon)\Virtual Bytes</CounterDisplayName></PerformanceCounterDataCollector>
	<TraceDataCollector><DataCollectorType>1</DataCollectorType><Name>Sysmon Event Trace</Name><FileName>Sysmon Event Trace</FileName><FileNameFormat>3</FileNameFormat><FileNameFormatPattern>\-dd\-MM\-yy\-HHMM</FileNameFormatPattern><LogAppend>-1</LogAppend><LogCircular>0</LogCircular><LogOverwrite>0</LogOverwrite><LatestOutputLocation>c:\temp\xxx_System Monitor Log-06-08-18-1008.blg</LatestOutputLocation><Guid>{00000000-0000-0000-0000-000000000000}</Guid><BufferSize>64</BufferSize><BuffersLost>0</BuffersLost><BuffersWritten>0</BuffersWritten><ClockType>1</ClockType><EventsLost>0</EventsLost><ExtendedModes>0</ExtendedModes><FlushTimer>1</FlushTimer><FreeBuffers>0</FreeBuffers><MaximumBuffers>26</MaximumBuffers><MinimumBuffers>4</MinimumBuffers><NumberOfBuffers>0</NumberOfBuffers><PreallocateFile>0</PreallocateFile><ProcessMode>0</ProcessMode><RealTimeBuffersLost>0</RealTimeBuffersLost><SessionName>Sysmon Event Trace</SessionName><SessionThreadId>0</SessionThreadId><StreamMode>1</StreamMode><TraceDataProvider><DisplayName>Microsoft-Windows-Sysmon</DisplayName><FilterEnabled>0</FilterEnabled><FilterType>0</FilterType><Level><Description>Events up to this level are enabled</Description><ValueMapType>1</ValueMapType><Value>0</Value><ValueMapItem><Key>win:Error</Key><Description>Error</Description><Enabled>0</Enabled><Value>0x2</Value></ValueMapItem><ValueMapItem><Key>win:Informational</Key><Description>Information</Description><Enabled>0</Enabled><Value>0x4</Value></ValueMapItem><ValueMapItem><Key/><Description/><Enabled>-1</Enabled><Value>0x0</Value></ValueMapItem></Level><KeywordsAny><Description>Events with any of these keywords are enabled</Description><ValueMapType>2</ValueMapType><Value>0x0</Value><ValueMapItem><Key>Microsoft-Windows-Sysmon/Operational</Key><Description/><Enabled>0</Enabled><Value>0x8000000000000000</Value></ValueMapItem></KeywordsAny><KeywordsAll><Description>Events with all of these keywords are enabled</Description><ValueMapType>2</ValueMapType><Value>0x0</Value><ValueMapItem><Key>Microsoft-Windows-Sysmon/Operational</Key><Description/><Enabled>0</Enabled><Value>0x8000000000000000</Value></ValueMapItem></KeywordsAll><Properties><Description>These additional data fields will be collected with each event</Description><ValueMapType>2</ValueMapType><Value>0</Value><ValueMapItem><Key>sid</Key><Description>Security Identifier</Description><Enabled>0</Enabled><Value>0x1</Value></ValueMapItem><ValueMapItem><Key>sessionid</Key><Description>Session Identifier</Description><Enabled>0</Enabled><Value>0x2</Value></ValueMapItem></Properties><Guid>{5770385F-C22A-43E0-BF4C-06F5698FFBD9}</Guid></TraceDataProvider></TraceDataCollector>
	<DataManager><Enabled>0</Enabled><CheckBeforeRunning>0</CheckBeforeRunning><MinFreeDisk>0</MinFreeDisk><MaxSize>0</MaxSize><MaxFolderCount>0</MaxFolderCount><ResourcePolicy>0</ResourcePolicy><ReportFileName>report.html</ReportFileName><RuleTargetFileName>report.xml</RuleTargetFileName><EventsFileName/></DataManager></DataCollectorSet>
ml
	<DataCollectorSet><Status>0</Status><Duration>0</Duration><Description/><DescriptionUnresolved/><DisplayName/><DisplayNameUnresolved/><SchedulesEnabled>-1</SchedulesEnabled><LatestOutputLocation>C:\temp\</LatestOutputLocation><Name>sysmon</Name><OutputLocation>D:\temp\</OutputLocation><RootPath>D:\temp</RootPath><Segment>0</Segment><SegmentMaxDuration>0</SegmentMaxDuration><SegmentMaxSize>0</SegmentMaxSize><SerialNumber>7</SerialNumber><Server/><Subdirectory/><SubdirectoryFormat>1</SubdirectoryFormat><SubdirectoryFormatPattern/><Task/><TaskRunAsSelf>0</TaskRunAsSelf><TaskArguments/><TaskUserTextArguments/><UserAccount>SYSTEM</UserAccount><Security>O:BAG:DUD:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LU)(A;;0x1301ff;;;S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200ab;;;LU)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)</Security><StopOnCompletion>0</StopOnCompletion><PerformanceCounterDataCollector><DataCollectorType>0</DataCollectorType><Name>System Monitor Log</Name><FileName>System Monitor Log</FileName><FileNameFormat>3</FileNameFormat><FileNameFormatPattern>\-dd\-MM\-yy\-HHMM</FileNameFormatPattern><LogAppend>-1</LogAppend><LogCircular>0</LogCircular><LogOverwrite>0</LogOverwrite><LatestOutputLocation>D:\temp\NL010VN0574_Sysmon Event Trace-06-08-18-1008.etl</LatestOutputLocation><DataSourceName/><SampleInterval>1</SampleInterval><SegmentMaxRecords>0</SegmentMaxRecords><LogFileFormat>3</LogFileFormat><Counter>\Process(Sysmon)\% Processor Time</Counter><Counter>\Process(Sysmon)\IO Data Operations/sec</Counter><Counter>\Process(Sysmon)\Private Bytes</Counter><Counter>\Process(Sysmon)\Virtual Bytes</Counter><CounterDisplayName>\Process(Sysmon)\% Processor Time</CounterDisplayName><CounterDisplayName>\Process(Sysmon)\IO Data Operations/sec</CounterDisplayName><CounterDisplayName>\Process(Sysmon)\Private Bytes</CounterDisplayName><CounterDisplayName>\Process(Sysmon)\Virtual Bytes</CounterDisplayName></PerformanceCounterDataCollector>
	<TraceDataCollector><DataCollectorType>1</DataCollectorType><Name>Sysmon Event Trace</Name><FileName>Sysmon Event Trace</FileName><FileNameFormat>3</FileNameFormat><FileNameFormatPattern>\-dd\-MM\-yy\-HHMM</FileNameFormatPattern><LogAppend>-1</LogAppend><LogCircular>0</LogCircular><LogOverwrite>0</LogOverwrite><LatestOutputLocation>c:\temp\xxx_System Monitor Log-06-08-18-1008.blg</LatestOutputLocation><Guid>{00000000-0000-0000-0000-000000000000}</Guid><BufferSize>64</BufferSize><BuffersLost>0</BuffersLost><BuffersWritten>0</BuffersWritten><ClockType>1</ClockType><EventsLost>0</EventsLost><ExtendedModes>0</ExtendedModes><FlushTimer>1</FlushTimer><FreeBuffers>0</FreeBuffers><MaximumBuffers>26</MaximumBuffers><MinimumBuffers>4</MinimumBuffers><NumberOfBuffers>0</NumberOfBuffers><PreallocateFile>0</PreallocateFile><ProcessMode>0</ProcessMode><RealTimeBuffersLost>0</RealTimeBuffersLost><SessionName>Sysmon Event Trace</SessionName><SessionThreadId>0</SessionThreadId><StreamMode>1</StreamMode><TraceDataProvider><DisplayName>Microsoft-Windows-Sysmon</DisplayName><FilterEnabled>0</FilterEnabled><FilterType>0</FilterType><Level><Description>Events up to this level are enabled</Description><ValueMapType>1</ValueMapType><Value>0</Value><ValueMapItem><Key>win:Error</Key><Description>Error</Description><Enabled>0</Enabled><Value>0x2</Value></ValueMapItem><ValueMapItem><Key>win:Informational</Key><Description>Information</Description><Enabled>0</Enabled><Value>0x4</Value></ValueMapItem><ValueMapItem><Key/><Description/><Enabled>-1</Enabled><Value>0x0</Value></ValueMapItem></Level><KeywordsAny><Description>Events with any of these keywords are enabled</Description><ValueMapType>2</ValueMapType><Value>0x0</Value><ValueMapItem><Key>Microsoft-Windows-Sysmon/Operational</Key><Description/><Enabled>0</Enabled><Value>0x8000000000000000</Value></ValueMapItem></KeywordsAny><KeywordsAll><Description>Events with all of these keywords are enabled</Description><ValueMapType>2</ValueMapType><Value>0x0</Value><ValueMapItem><Key>Microsoft-Windows-Sysmon/Operational</Key><Description/><Enabled>0</Enabled><Value>0x8000000000000000</Value></ValueMapItem></KeywordsAll><Properties><Description>These additional data fields will be collected with each event</Description><ValueMapType>2</ValueMapType><Value>0</Value><ValueMapItem><Key>sid</Key><Description>Security Identifier</Description><Enabled>0</Enabled><Value>0x1</Value></ValueMapItem><ValueMapItem><Key>sessionid</Key><Description>Session Identifier</Description><Enabled>0</Enabled><Value>0x2</Value></ValueMapItem></Properties><Guid>{5770385F-C22A-43E0-BF4C-06F5698FFBD9}</Guid></TraceDataProvider></TraceDataCollector>
	<DataManager><Enabled>0</Enabled><CheckBeforeRunning>0</CheckBeforeRunning><MinFreeDisk>0</MinFreeDisk><MaxSize>0</MaxSize><MaxFolderCount>0</MaxFolderCount><ResourcePolicy>0</ResourcePolicy><ReportFileName>report.html</ReportFileName><RuleTargetFileName>report.xml</RuleTargetFileName><EventsFileName/></DataManager></DataCollectorSet>
	ml