
Predefined pipelines reference


Imply Lumi offers predefined pipelines for the log formats described in this topic. A predefined pipeline extracts fields from the raw event message and creates user attributes you can search. Predefined pipelines are enabled by default.

The following diagram shows a raw log event and how its fields appear in Lumi after processing by the predefined pipeline:

Diagram: VPC flow log pipeline

Like other pipelines, the predefined pipeline only operates on incoming events that satisfy the pipeline conditions. If you want to change the conditions or processors, you can use the predefined pipeline as a template for your own custom pipeline.

To learn how to use and manage predefined pipelines, see Work with predefined pipelines.

AWS CloudTrail logs

Pipeline condition: sourcetype=aws:cloudtrail

AWS CloudTrail events record actions taken in AWS accounts, including management, data, network activity, and insights events. See the AWS documentation for example events.

This predefined pipeline provides parity with the Splunk Add-on for Amazon Web Services (AWS).

Example of extracted user attributes
{
"app": "AwsCloudTrailInsight",
"awsRegion": "us-east-1",
"errorCode": "success",
"eventCategory": "Insight",
"eventID": "258de2fb-e2a9-4fb5-aeb2-EXAMPLE449a4",
"eventTime": "2026-04-29T00:22:00Z",
"eventType": "AwsCloudTrailInsight",
"eventVersion": "1.08",
"filename": "s3://example-backfill/260427_cloudtrail-predefined/cloudtrail2_260429.json",
"index": "main",
"insightDetails": "{state=End, eventSource=ssm.amazonaws.com, eventName=UpdateInstanceInformation, insightType=ApiCallRateInsight, insightContext={statistics={baseline={average=74.156423842}, insight={average=657}, insightDuration=1}}}",
"insightDetails.eventName": "UpdateInstanceInformation",
"insightDetails.eventSource": "ssm.amazonaws.com",
"insightDetails.insightContext.statistics.baseline.average": "74.156423842",
"insightDetails.insightContext.statistics.insight.average": "657",
"insightDetails.insightContext.statistics.insightDuration": "1",
"insightDetails.insightType": "ApiCallRateInsight",
"insightDetails.state": "End",
"msg": "success",
"product": "CloudTrail",
"recipientAccountId": "123456789012",
"region": "us-east-1",
"sharedEventID": "8b74a7bc-d5d3-4d19-9d60-EXAMPLE08b51",
"sourcetype": "aws:cloudtrail",
"start_time": "2026-04-29T00:22:00Z",
"vendor": "Amazon Web Services",
"vendor_account": "123456789012",
"vendor_product": "AWS CloudTrail",
"vendor_region": "us-east-1"
}

AWS VPC flow logs

Pipeline condition: sourcetype=aws:cloudwatchlogs:vpcflow

Amazon VPC flow logs are a feature of AWS Virtual Private Cloud (VPC) that capture metadata about the IP traffic going to and from network interfaces in your VPC. Extracted user attributes in Lumi include source and destination IP addresses, ports, protocol, and action. See the AWS documentation for example events.

This predefined pipeline provides parity with the Splunk Add-on for Amazon Web Services (AWS).

Example of extracted user attributes
{
"message": "2 422682147474 eni-0635052fdd001dbfa 198.51.100.205 192.0.2.105 57752 9997 17 20 3303 1756736406 1756736427 REJECT OK",
"account_id": "422682147474",
"action": "blocked",
"app": "AWS VPC Flow Logs",
"aws_account_id": "422682147474",
"bytes": 3303,
"dst": "192.0.2.105",
"dst_ip": "192.0.2.105",
"dst_port": 9997,
"duration": 21,
"dvc": "eni-0635052fdd001dbfa",
"end_time": 1756736427,
"eventtype": "vpcflow ( cloud communicate network )",
"host": "web-01",
"index": "main",
"interface_id": "eni-0635052fdd001dbfa",
"log_status": "OK",
"packets": 20,
"protocol": "ip",
"protocol_code": 17,
"protocol_full_name": "User Datagram",
"protocol_version": "IPV4",
"source": "vpc-example.log",
"sourcetype": "aws:cloudwatchlogs:vpcflow",
"src": "198.51.100.205",
"src_ip": "198.51.100.205",
"src_port": 57752,
"start_time": 1756736406,
"transport": "udp",
"user_id": "422682147474",
"vendor_account": "422682147474",
"vendor_product": "AWS VPC Flow Logs",
"version": 2,
"vpcflow_action": "REJECT",
"eventId": "e_h5cc5116a-1757079660000-11-952-709-2",
"receiver": "splunk.s3",
"team": "Unassigned",
"env": "Unknown",
"iamKeyId": "75700224-47b0-498a-b76e-4f0aab3a73e7",
"processor": "ec 20250905.1661.0",
"collector": "ec 20250905.1661.0"
}
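
The following Python is an added example, not Lumi's pipeline code: it parses one version 2 VPC flow log record into attributes named like the ones above. The protocol table and the ACCEPT/REJECT to allowed/blocked mapping are assumptions inferred from the example, and the parser also handles NODATA/SKIPDATA records, which carry dashes instead of addresses and counters.

```python
import ipaddress

# Field order of a version 2 VPC flow log record (the AWS default format).
V2_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# IANA protocol number -> (transport, full name); constructed subset.
PROTOCOLS = {
    1: ("icmp", "Internet Control Message"),
    6: ("tcp", "Transmission Control"),
    17: ("udp", "User Datagram"),
}

# Flow log action -> normalized action (assumed mapping, matching the example).
ACTIONS = {"ACCEPT": "allowed", "REJECT": "blocked"}


def parse_vpc_flow_v2(line: str) -> dict:
    """Return Lumi-style attributes for one space-separated v2 record."""
    fields = line.split()
    if len(fields) != len(V2_FIELDS):
        raise ValueError(f"expected {len(V2_FIELDS)} fields, got {len(fields)}")
    raw = dict(zip(V2_FIELDS, fields))
    if raw["version"] != "2":
        raise ValueError(f"unsupported flow log version {raw['version']}")

    # NODATA and SKIPDATA records carry '-' placeholders instead of addresses,
    # ports and counters: keep the real fields and do not coerce the dashes.
    if raw["log_status"] != "OK":
        return {
            "message": line,
            "log_status": raw["log_status"],
            "account_id": raw["account_id"],
            "interface_id": raw["interface_id"],
            "vpcflow_action": raw["action"],
            "sourcetype": "aws:cloudwatchlogs:vpcflow",
        }

    proto = int(raw["protocol"])
    transport, full_name = PROTOCOLS.get(proto, ("unknown", "unknown"))
    start, end = int(raw["start"]), int(raw["end"])
    return {
        "message": line,
        "version": 2,
        "account_id": raw["account_id"],
        "interface_id": raw["interface_id"],
        "src_ip": raw["srcaddr"],
        "src_port": int(raw["srcport"]),
        "dst_ip": raw["dstaddr"],
        "dst_port": int(raw["dstport"]),
        "protocol": "ip",
        "protocol_version": f"IPV{ipaddress.ip_address(raw['srcaddr']).version}",
        "protocol_code": proto,
        "transport": transport,
        "protocol_full_name": full_name,
        "packets": int(raw["packets"]),
        "bytes": int(raw["bytes"]),
        "start_time": start,
        "end_time": end,
        "duration": end - start,  # seconds between first and last packet
        "vpcflow_action": raw["action"],
        "action": ACTIONS.get(raw["action"], "unknown"),
        "log_status": raw["log_status"],
        "sourcetype": "aws:cloudwatchlogs:vpcflow",
        "vendor_product": "AWS VPC Flow Logs",
    }


# Constructed sample: the record shown in the example above.
SAMPLE = ("2 422682147474 eni-0635052fdd001dbfa 198.51.100.205 192.0.2.105 "
          "57752 9997 17 20 3303 1756736406 1756736427 REJECT OK")

if __name__ == "__main__":
    for key, value in parse_vpc_flow_v2(SAMPLE).items():
        print(f"{key}: {value}")
```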

FortiGate event logs

Pipeline condition: sourcetype="fgt_event"

FortiGate event logs record system and administrative events, such as admin logins, reboots, and VPN status changes. See the FortiGate documentation for example events.

This predefined pipeline provides parity with the Fortinet FortiGate Add-On for Splunk.

Example of extracted user attributes
{
"action": "success",
"body": "Administrator admin logged in successfully from ssh(203.0.113.254)",
"change_type": "auth",
"date": "2026-02-17",
"dest": "203.0.113.2",
"dest_ip": "203.0.113.2",
"dstip": "203.0.113.2",
"eventtime": "1557771654587081441",
"eventtype": "ftnt_fortigate",
"id": "0100032001",
"index": "docs-fortigate",
"level": "information",
"log_action": "login",
"logdesc": "Admin login successful",
"logid": "0100032001",
"method": "ssh",
"msg": "Administrator admin logged in successfully from ssh(203.0.113.254)",
"product": "Firewall",
"product_version": "50",
"profile": "super_admin",
"reason": "none",
"result": "Admin login successful",
"severity": "informational",
"severity_id": "6",
"sn": "1557771654",
"source": "http:docs-fortigate",
"sourcetype": "fortigate_event",
"src": "203.0.113.254",
"src_ip": "203.0.113.254",
"src_ip_from_ui": "203.0.113.254",
"src_user": "admin",
"src_user_name": "admin",
"src_user_type": "Admin",
"srcip": "203.0.113.254",
"status": "success",
"subtype": "system",
"time": "11:20:54",
"type": "event",
"ui": "ssh(203.0.113.254)",
"user": "admin",
"user_name": "admin",
"user_type": "Admin",
"vd": "vdom1",
"vendor": "Fortinet",
"vendor_action": "login",
"vendor_product": "Fortinet Firewall",
"vendor_status": "success"
}

FortiGate traffic logs

Pipeline condition: sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic"

FortiGate traffic logs record flow information for the traffic that passes through the FortiGate into your network. See the FortiGate documentation for example events.

This predefined pipeline provides parity with the Fortinet FortiGate Add-On for Splunk.

Example of extracted user attributes
{
"action": "allowed",
"app": "HTTP.BROWSER_Firefox",
"appcat": "Web.Client",
"appid": "34050",
"applist": "g-default",
"apprisk": "elevated",
"bytes": "2412",
"bytes_in": "1224",
"bytes_out": "1188",
"countapp": "1",
"date": "2026-02-18",
"dest": "192.0.2.35",
"dest_interface": "port11",
"dest_ip": "192.0.2.35",
"dest_port": "80",
"dest_zone": "undefined",
"dstcountry": "Canada",
"dstintf": "port11",
"dstintfrole": "undefined",
"dstip": "192.0.2.35",
"dstport": "80",
"dstuuid": "ae28f494-5735-51e9-f247-d1d2ce663f4b",
"duration": "116",
"eventtime": "1557513467369913239",
"eventtype": "ftnt_fortigate",
"ftnt_action": "allow",
"index": "docs-fortigate",
"level": "notice",
"logid": "0000000013",
"mastersrcmac": "a2:e9:00:ec:40:01",
"osname": "Ubuntu",
"packets": "33",
"packets_in": "16",
"packets_out": "17",
"policyid": "1",
"policytype": "policy",
"poluuid": "ccb269e0-5735-51e9-a218-a397dd08b7eb",
"product": "Firewall",
"product_version": "50",
"proto": "6",
"protocol": "ip",
"protocol_version": "ipv4",
"rcvdbyte": "1224",
"rcvdpkt": "16",
"rule": "ccb269e0-5735-51e9-a218-a397dd08b7eb",
"rule_id": "1",
"sentbyte": "1188",
"sentpkt": "17",
"service": "HTTP",
"session_id": "105048",
"sessionid": "105048",
"source": "http:docs-fortigate",
"sourcetype": "fortigate_traffic",
"src": "198.51.100.11",
"src_interface": "port12",
"src_ip": "198.51.100.11",
"src_mac": "a2:e9:00:ec:40:01",
"src_port": "58012",
"src_translated_ip": "203.0.113.2",
"src_translated_port": "58012",
"src_zone": "undefined",
"srccountry": "Reserved",
"srcintf": "port12",
"srcintfrole": "undefined",
"srcip": "198.51.100.11",
"srcmac": "a2:e9:00:ec:40:01",
"srcport": "58012",
"srcserver": "0",
"srcuuid": "ae28f494-5735-51e9-f247-d1d2ce663f4b",
"subtype": "forward",
"time": "11:37:47",
"trandisp": "snat",
"transip": "203.0.113.2",
"transport": "tcp",
"type": "traffic",
"utmaction": "allow",
"utmref": "65500-742",
"vd": "vdom1",
"vendor": "Fortinet",
"vendor_action": "close",
"vendor_product": "Fortinet Firewall",
"vendor_transport": "58012"
}

FortiGate UTM logs

Pipeline condition: sourcetype="fgt_utm" OR sourcetype="fortigate_utm"

FortiGate UTM logs record security information from Unified Threat Management (UTM) events. See the FortiGate documentation for example events.

This predefined pipeline provides parity with the Fortinet FortiGate Add-On for Splunk.

Example of extracted user attributes
{
"action": "blocked",
"agent": "curl/7.47.0",
"analyticscksum": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"analyticssubmit": "false",
"app": "HTTP",
"category": "EICAR_TEST_FILE",
"craction": "2",
"crlevel": "critical",
"crscore": "50",
"date": "2026-02-18",
"dest": "203.0.113.55",
"dest_interface": "port11",
"dest_ip": "203.0.113.55",
"dest_port": "80",
"dest_zone": "undefined",
"direction": "incoming",
"dstintf": "port11",
"dstintfrole": "undefined",
"dstip": "203.0.113.55",
"dstport": "80",
"dtype": "Virus",
"eventtime": "1557773103767393505",
"eventtype": "infected",
"file_hash": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"file_name": "eicar.com",
"file_path": "http://203.0.113.55/virus/eicar.com",
"filename": "eicar.com",
"ftnt_action": "blocked",
"http_user_agent": "curl/7.47.0",
"ids_type": "network",
"index": "docs-fortigate",
"level": "warning",
"logid": "0211008192",
"msg": "File is infected.",
"policyid": "4",
"product": "Firewall",
"product_version": "50",
"profile": "g-default",
"proto": "6",
"protocol": "ip",
"protocol_version": "ipv4",
"quarskip": "File-was-not-quarantined.",
"ref": "http://www.fortinet.com/ve?vn=EICAR_TEST_FILE",
"rule_id": "4",
"service": "HTTP",
"session_id": "359260",
"sessionid": "359260",
"severity": "critical",
"signature": "EICAR_TEST_FILE",
"source": "http:docs-fortigate",
"sourcetype": "fortigate_utm",
"src": "192.0.2.11",
"src_interface": "port12",
"src_ip": "192.0.2.11",
"src_port": "60446",
"src_zone": "undefined",
"srcintf": "port12",
"srcintfrole": "undefined",
"srcip": "192.0.2.11",
"srcport": "60446",
"subtype": "virus",
"time": "11:45:03",
"transport": "tcp",
"type": "utm",
"url": "http://203.0.113.55/virus/eicar.com",
"vd": "vdom1",
"vendor": "Fortinet",
"vendor_action": "blocked",
"vendor_eventtype": "infected",
"vendor_product": "Fortinet Firewall",
"vendor_url": "http://203.0.113.55/virus/eicar.com",
"virus": "EICAR_TEST_FILE",
"virusid": "2172"
}

PAN firewall logs

Pipeline condition: PAN-specific sourcetype values, listed as follows:

PAN predefined pipeline conditions
sourcetype IN ("pan:config", "pan:config:cloud", "pan:correlation", "pan:data:security", "pan:decryption", "pan:decryption:cloud", "pan:firewall", "pan:firewall:cloud", "pan:globalprotect", "pan:globalprotect:cloud", "pan:hipmatch", "pan:iot_alert", "pan:iot_device", "pan:iot_vulnerability", "pan:log", "pan:system", "pan:system:cloud", "pan:threat", "pan:threat:cloud", "pan:traffic", "pan:traffic:cloud", "pan:userid", "pan_config", "pan_decryption", "pan_globalprotect", "pan_log", "pan_system", "pan_threat", "pan_traffic")

Palo Alto Networks (PAN) Next-Generation Firewall logs store details about system events on the firewall and network traffic events that the firewall monitors. There are multiple formats of PAN firewall logs, each representing a specific event type, such as traffic, threat, or system events. See the PAN documentation to learn about log types and field descriptions.

This predefined pipeline provides parity with the Splunk Add-on for Palo Alto Networks.

Example event

Incoming log:

1,2026/06/03 14:22:35,015351000012345,TRAFFIC,end,2816,2026/06/03 14:22:35,192.168.10.45,203.0.113.46,203.0.113.10,203.0.113.46,Allow-Outbound-Web,corp\jsmith,,ssl,vsys1,trust,untrust,ethernet1/1,ethernet1/2,default-log-profile,,987654,1,54321,443,54321,443,0x400000,tcp,allow,125430,48200,77230,312,2026/06/03 14:22:10,25,computer-and-internet-security,,8472819203,0x8000000000000000,United States,United States,,198,114,tcp-fin,0,0,0,0,vsys1,PA-5250,from-policy,,,,0,,2026/06/03 14:22:10,N/A,0,0,0,0,e3c1f2a4-91d7-4b2e-b3f5-1a2c3d4e5f67,0,0,,,,,,,,,,,,,,,,,,,,,,Windows,corp-workstation,192.168.10.45,aa:bb:cc:11:22:33,,,,web-server,,,,,,0,,,browsing,general-internet,browser-based,3,has-known-vulnerability capable-of-circumventing-policy,web-browsing,0,no,yes,no,0,N/A,,,,,,,,,,,,0,0,0,0,0,0,,

Lumi user attributes:

{
"action": "allowed",
"src_zone": "trust",
"src_translated_port": "54321",
"client_ip": "192.168.10.45",
"is_saas_of_app": "no",
"src_ip": "192.168.10.45",
"dvc_name": "PA-5250",
"signature": "Allow-Outbound-Web",
"protocol_version": "ipv4",
"cluster_name": "N/A",
"category_of_app": "general-internet",
"dest_port": "443",
"tunnel_id": "",
"dest_ip": "203.0.113.46",
"src_category": "",
"app:used_by_malware": "yes",
"sdwan_cluster_type": "",
"tunnel_start_time": "2026/06/03 14:22:10",
"app": "ssl",
"vendor_action": "allow",
"tunnel_session_id": "",
"tunnel_monitor_tag": "0",
"sdwan_device_type": "",
"app:risk": "4",
"tunnel_type": "N/A",
"app:pervasive_use": "yes",
"duration": "25",
"dst_dag": "",
"log_type": "TRAFFIC",
"app:able_to_transfer_file": "yes",
"chunks_sent": "0",
"dst_profile": "",
"packets": "312",
"app:is_saas": "no",
"src_interface": "ethernet1/1",
"policy_id": "",
"src_profile": "",
"subcategory_of_app": "browsing",
"http2_connection": "0",
"nssai_sst": "",
"src_dag": "",
"dst_host": "docs-workstation",
"sdwan_cluster": "",
"serialnumber": "",
"dst_osfamily": "",
"dest_zone": "untrust",
"src_vendor": "",
"src": "192.168.10.45",
"tunneled_app": "0",
"session_flags": "0x400000",
"src_user": "corp\\jsmith",
"dynusergroup_name": "",
"vendor_product": "Palo Alto Networks Firewall",
"transport": "tcp",
"chunks_received": "0",
"rule": "Allow-Outbound-Web",
"flow_type": "0",
"action_source": "from-policy",
"dst_mac": "192.168.10.45",
"virtual_system": "vsys1",
"vendor": "Palo Alto Networks",
"dest_location": "United States",
"src_osversion": "",
"src_mac": "",
"start_time": "2026/06/03 14:22:10",
"session_owner": "",
"dest_translated_ip": "203.0.113.46",
"app:tunnels_other_application": "yes",
"version": "2816",
"session_id": "987654",
"xff_ip": "",
"app:default_ports": "tcp/443",
"risk_of_app": "3",
"src_location": "United States",
"user": "corp\\jsmith",
"src_host": "",
"dst_edl": "web-server",
"dest_user": "",
"bytes_in": "77230",
"dvc": "PA-5250",
"client_location": "United States",
"dst_category": "",
"src_edl": "",
"dest_interface": "ethernet1/2",
"dst_osversion": "Windows",
"app:has_known_vulnerability": "yes",
"app:technology": "browser-based",
"app:prone_to_misuse": "no",
"src_translated_ip": "203.0.113.10",
"http_category": "computer-and-internet-security",
"vsys": "vsys1",
"session_end_reason": "tcp-fin",
"src_vm": "",
"link_switches": "",
"sanctioned_state_of_app": "yes",
"container_id": "aa:bb:cc:11:22:33",
"sourcetype": "pan:traffic",
"serial_number": "015351000012345",
"dest_vm": "",
"server_location": "United States",
"technology_of_app": "browser-based",
"assoc_id": "0",
"rule_uuid": "e3c1f2a4-91d7-4b2e-b3f5-1a2c3d4e5f67",
"app:is_sanctioned_saas": "no",
"dest": "203.0.113.46",
"dst_model": "",
"_indextime": "1780679067",
"bytes_out": "48200",
"app:evasive": "no",
"src_port": "54321",
"dest_translated_port": "443",
"offloaded": "no",
"sdwan_site": "",
"nssai_sd": "",
"receive_time": "2026/06/03 14:22:35",
"src_osfamily": "",
"hostid": "",
"src_model": "",
"dest_class": "unknown",
"app:category": "networking",
"protocol": "ip",
"app:subcategory": "encrypted-tunnel",
"product": "Firewall",
"flags": "nat",
"sequence_number": "8472819203",
"bytes": "125430",
"log_subtype": "end",
"high_res_timestamp": "0",
"packets_out": "198",
"dst_vendor": "",
"action_flags": "0x8000000000000000",
"pod_name": "",
"chunks": "0",
"generated_time": "2026/06/03 14:22:35",
"packets_in": "114",
"characteristic_of_app": "has-known-vulnerability capable-of-circumventing-policy",
"app:excessive_bandwidth": "no",
"link_change_count": "0",
"repeat_count": "1",
"vsys_name": "vsys1",
"container_of_app": "web-browsing",
"src_class": "private",
"server_ip": "203.0.113.46",
"log_forwarding_profile": "default-log-profile",
"pod_namespace": ""
}

PAN Traps logs

Pipeline conditions: sourcetype IN ("pan:analytics_traps", "pan:config_traps", "pan:system_traps", "pan:threat_traps", "pan:traps")

Palo Alto Networks (PAN) Traps logs originate from the Traps endpoint detection and response agent, now part of Cortex XDR. Traps logs come in several formats (analytics, config, system, and threat) and track information including agent configuration and malware prevention events. See the Cortex XDR documentation to learn about log types and field descriptions.

This predefined pipeline provides parity with the Palo Alto Networks Add-on for Splunk.

Example event

Incoming log:

analytics,agent_log,,hash_execution,agentFlow,2026-06-03T14:15:42Z,2026-06-03T14:15:55Z,2026-06-03T14:15:42Z,-420,,TrapsAgent,a1b2c3d4-1234-5678-abcd-ef0123456789,ext-tenant-99871,xdr-us-prod-01.paloaltonetworks.com,3.7.2.14102,10,1,9f8e7d6c-abcd-4321-ef12-0a1b2c3d4e5f,1,0,10.0.19045.3803,1,192.168.1.112,CORP-WKSTN-042,corp.example.com,5,7.2.4.44320,120-45678,0,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,1,d9f8e7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8,2026-06-03T12:00:00Z,updater,C:\Users\jsmith\AppData\Local\Temp\updater,245760,{"contentVersion":"120-45678","laModuleVersion":"3.7.0","verdict":"benign","fileSigner":"Microsoft Corporation","trustedSignerResult":1},1,0,3

Lumi user attributes:

{
"is_64bit": "1",
"file_path": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\updater",
"dest_name": "CORP-WKSTN-042",
"ids_type": "host",
"tzoffset": "-420",
"severity": "unknown",
"category": "agentFlow",
"_indextime": "1780679179",
"dest_nt_domain": "corp.example.com",
"sourcetype": "pan:analytics_traps",
"reported": "laModuleVersion\":\"3.7.0",
"is_vdi": "0",
"server_time": "2026-06-03T14:15:55Z",
"agent_id": "9f8e7d6c-abcd-4321-ef12-0a1b2c3d4e5f",
"class": "agent_log",
"region_id": "10",
"os_version": "10.0.19045.3803",
"file_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"vendor_product": "Palo Alto Networks Traps",
"traps_id": "ext-tenant-99871",
"src": "ext-tenant-99871",
"agent_version": "7.2.4.44320",
"os_type": "windows",
"is_endpoint": "1",
"log_subtype": "hash_execution",
"facility": "TrapsAgent",
"blocked": "verdict\":\"benign",
"file_size": "245760",
"last_seen": "2026-06-03T12:00:00Z",
"log_severity": "unknown",
"content_version": "120-45678",
"generated_time": "2026-06-03T14:15:42Z",
"server_host": "docs-us-prod-01.paloaltonetworks.com",
"execution_count": "fileSigner\":\"Microsoft Corporation",
"file_type": "1",
"product": "Traps",
"dest_ip": "192.168.1.112",
"file_name": "updater",
"record_type": "analytics",
"server_component_version": "3.7.2.14102",
"vendor": "Palo Alto Networks",
"src_host": "docs-tenant-12345",
"local_analysis_result": "{\"contentVersion\":\"120-45678\"",
"customer_id": "a1b2c3d4-1234-5678-abcd-ef0123456789",
"parent_hash": "d9f8e7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8",
"protection_status": "0",
"agent_time": "2026-06-03T14:15:42Z"
}

Unix and Linux logs

Pipeline conditions: sourcetype IN ("bash_history", "linux_secure")

Unix and Linux logs store information about events that occur on the operating system, such as system activity, kernel errors, and cron jobs. Logging is decentralized on Unix and Linux systems, although core system events typically follow the syslog protocol. For details and examples of the syslog format, see RFC 5424 as well as the older RFC 3164.

This predefined pipeline provides parity with the Splunk Add-on for Unix and Linux.

Example event

Incoming log:

Aug 13 22:10:03 stor sudo: pam_unix(sudo:session): session closed for user root Aug 13 22:10:11 stor sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl --scan

Lumi user attributes:

{
"bash_command": "Aug 13 22:10:03 stor sudo: pam_unix(sudo:session): session closed for user root Aug 13 22:10:11 stor sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/smartctl --scan",
"USER": "root",
"_indextime": "1780679883",
"PWD": "/",
"sourcetype": "bash_history",
"COMMAND": "/usr/sbin/smartctl"
}
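
The following Python is an added example, not Lumi's pipeline code. It splits a stream of RFC 3164-style records that arrived concatenated on one line (as in the incoming log above) at each timestamp, then extracts USER, PWD and COMMAND from sudo command lines and the user from pam_unix session lines; the optional TTY field and the second constructed sample are assumptions about the usual sudo log form, not taken from this page.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# One RFC 3164-style record: "Aug 13 22:10:03 host prog[pid]: message".
RECORD_RE = re.compile(
    rf"(?P<ts>(?:{MONTHS}) {{1,2}}\d{{1,2}} \d\d:\d\d:\d\d) (?P<host>\S+) "
    rf"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)")
# Zero-width boundary in front of each "timestamp host", used to split
# records that arrived concatenated on one line.
BOUNDARY_RE = re.compile(
    rf"(?=(?:{MONTHS}) {{1,2}}\d{{1,2}} \d\d:\d\d:\d\d \S+ )")
# sudo command line; TTY is optional because the example above omits it.
SUDO_CMD_RE = re.compile(
    r"^\s*(?P<invoker>\S+) : (?:TTY=(?P<tty>\S+) ; )?PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<user>\S+) ; COMMAND=(?P<cmd>.+)$")
PAM_RE = re.compile(
    r"^pam_unix\(sudo:session\): session (?P<state>opened|closed) "
    r"for user (?P<user>\S+)")


def split_records(text: str) -> list:
    """Split concatenated syslog records; drops the empty leading piece."""
    return [r.strip() for r in BOUNDARY_RE.split(text) if r.strip()]


def parse_record(rec: str):
    """Return a dict of attributes for one record, or None if unparseable."""
    m = RECORD_RE.match(rec)
    if not m:
        return None
    ev = {"timestamp": m["ts"], "host": m["host"], "process": m["prog"],
          "message": m["msg"]}
    if m["prog"] != "sudo":
        return ev
    cmd = SUDO_CMD_RE.match(m["msg"])
    if cmd:
        ev.update({"action": "command", "src_user": cmd["invoker"],
                   "USER": cmd["user"], "PWD": cmd["pwd"],
                   "COMMAND": cmd["cmd"].split()[0],  # binary only, as above
                   "command_line": cmd["cmd"]})
        if cmd["tty"]:
            ev["TTY"] = cmd["tty"]
        return ev
    pam = PAM_RE.match(m["msg"])
    if pam:
        ev.update({"action": f"session_{pam['state']}", "USER": pam["user"]})
    return ev


def parse_sudo_events(text: str) -> list:
    """Parse every record in a (possibly concatenated) chunk of syslog text."""
    return [e for e in map(parse_record, split_records(text)) if e]


# Constructed samples: the concatenated pair from the example above, and one
# line in the usual sudo form that includes a TTY.
SAMPLE = ("Aug 13 22:10:03 stor sudo: pam_unix(sudo:session): session closed "
          "for user root Aug 13 22:10:11 stor sudo: root : PWD=/ ; USER=root ; "
          "COMMAND=/usr/sbin/smartctl --scan")
TTY_SAMPLE = ("Aug 13 22:11:02 stor sudo:    alice : TTY=pts/0 ; "
              "PWD=/home/alice ; USER=root ; "
              "COMMAND=/usr/bin/systemctl restart nginx")
```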

Windows event logs

Pipeline condition: Windows-specific sourcetype and source values, listed as follows:

Windows predefined pipeline conditions
sourcetype = "ActiveDirectory" OR
sourcetype = "DhcpSrvLog" OR
sourcetype = "WinEventLog" OR
sourcetype = "WinEventLog:*" OR
sourcetype = "XmlWinEventLog" OR
sourcetype = "XmlWinEventLog:*" OR
sourcetype = "WindowsUpdateLog" OR
sourcetype = "WinRegistry" OR
sourcetype = "WinHostMon" OR
sourcetype = "wmi" OR
sourcetype = "WMI:*" OR
sourcetype = "Perfmon:*" OR
sourcetype = "PerfmonMk:*" OR
sourcetype = "MSAD:*" OR
sourcetype = "Script:*" OR
source = "*WindowsUpdate.Log" OR
source = "WMI*" OR
source = "WinEventLog*" OR
source = "XmlWinEventLog*" OR
host = "WinEventLogForwardHost"

Windows event logs capture events for the Microsoft Windows operating system and applications that run on it. Extracted user attributes in Lumi include computer name, error code, and event code.

The predefined pipeline operates on a general set of Windows event logs that can have different attributes depending on their origin and purpose. This is the same set of logs processed by the Splunk® Add-on for Microsoft Windows. For example:

  • Core logs (sourcetype=WinEventLog)
  • XML-formatted logs (sourcetype=XmlWinEventLog)
  • Performance metrics (sourcetype=Perfmon:*)

For an end-to-end example of using Windows event logs with Lumi, see How to send Windows event logs with S3 routing.

This predefined pipeline provides parity with the Splunk Add-on for Microsoft Windows.

Example event

Incoming log:

10/01/2025 04:47:46 PM LogName=System EventCode=7036 EventType=4 ComputerName=EC2AMAZ-EXAMPLE SourceName=Microsoft-Windows-Service Control Manager Type=Information RecordNumber=145454 Keywords=Classic TaskCategory=None OpCode=The operation completed successfully. Message=The Microsoft Account Sign-in Assistant service entered the stopped state.

Lumi user attributes:

{
"message": "10/01/2025 04:47:46 PM LogName=System EventCode=7036 EventType=4 ComputerName=EC2AMAZ-EXAMPLE SourceName=Microsoft-Windows-Service Control Manager Type=Information RecordNumber=145454 Keywords=Classic TaskCategory=None OpCode=The operation completed successfully. Message=The Microsoft Account Sign-in Assistant service entered the stopped state.",
"ComputerName": "EC2AMAZ-EXAMPLE",
"Error_Code": null,
"EventCode": 7036,
"EventType": 4,
"Keywords": "Classic",
"LogName": "System",
"Message": "The Microsoft Account Sign-in Assistant service entered the stopped state.",
"OpCode": "The operation completed successfully.",
"RecordNumber": 145454,
"Service_Name": "Microsoft Account Sign-in Assistant",
"SourceName": "Microsoft-Windows-Service Control Manager",
"TaskCategory": "None",
"Type": "Information",
"_cooked": "_cooked",
"_path": "C:\\Program Files\\MyApplication\\bin\\myapp.exe",
"_pre_msg": "10/01/2025 04:47:46 PM LogName=System EventCode=7036 EventType=4 ComputerName=EC2AMAZ-EXAMPLE SourceName=Microsoft-Windows-Service Control Manager Type=Information RecordNumber=145454 Keywords=Classic TaskCategory=None OpCode=The operation completed successfully.",
"_savedHost": "host::198.0.2.144",
"_savedPort": 9998,
"_sourcetype": "WinEventLog:System",
"body": "The Microsoft Account Sign-in Assistant service entered the stopped state.",
"category": "None",
"dest": "EC2AMAZ-EXAMPLE",
"dvc": "EC2AMAZ-EXAMPLE",
"dvc_nt_host": "EC2AMAZ-EXAMPLE",
"event_id": 145454,
"hf_proxy": "meta_test",
"host": "EC2AMAZ-EXAMPLE",
"id": 145454,
"index": "wineventlog",
"package": 7036,
"product": "Windows",
"remoteport": 51391,
"service": "Microsoft Account Sign-in Assistant",
"service_name": "Microsoft Account Sign-in Assistant",
"severity_id": 4,
"signature_id": 7036,
"source": "WinEventLog:System",
"sourcetype": "WinEventLog",
"status": "stopped",
"vendor": "Microsoft",
"vendor_product": "Microsoft Windows"
}

Zscaler NSS logs

Pipeline conditions: sourcetype IN ("zscalernss-fw", "zscalernss-web")

Zscaler Nanolog Streaming Service (NSS) collects and forwards event logs from a Nanolog. The predefined pipeline in Lumi processes Web and Firewall logs from Zscaler NSS. Incoming events must be in key-value pair format using the equality (=) separator. For example, log_subtype=nss_web.

This predefined pipeline provides parity with the Zscaler Technical Add-On for Splunk.

Example event

Incoming log:

Jun 19 08:00:04 10.100.30.13 datetime=Fri Jun 19 07:59:00 2026 log_subtype=nss_fw user=012345678 locationname=Remote cdport=443 csport=8000 sdport=1234 ssport=12345 csip=192.0.2.0 cdip=192.0.2.0 ssip=192.0.2.0 sdip=192.0.2.0 tsip=0.0.0.0 tunsport=0 tuntype=ZscalerClientConnector action=Drop dnat=No stateful=Yes aggregate=No nwsvc=TCP_ANY nwapp=google proto=TCP ipcat=Web Search destcountry=United States avgduration=113 rulelabel=Default Firewall Filtering Rule inbytes=7890 outbytes=3456 duration=0 durationms=113 numsessions=1 vendor=Zscaler product=fw department=Admin

Lumi user attributes:

{
"rulelabel": "Default Firewall Filtering Rule",
"tunsport": "0",
"src_zone": "Remote",
"src_ip": "192.0.2.0",
"stateful": "Yes",
"csip": "192.0.2.0",
"dest_translated_ip": "192.0.2.0",
"cdip": "192.0.2.0",
"tuntype": "ZscalerClientConnector",
"dest": "192.0.2.0",
"outbytes": "3456",
"app": "Zscaler",
"duration": "0",
"department": "Admin",
"durationms": "113",
"protocol": "TCP",
"dest_ip": "192.0.2.0",
"action": "Drop",
"bytes": 11346,
"vendor_product": "Zscaler_ZIA_Firewall",
"bytes_in": "7890",
"product": "fw",
"avgduration": "113",
"dnat": "No",
"proto": "TCP",
"destcountry": "United States",
"csport": "8000",
"nwsvc": "TCP_ANY",
"bytes_out": "3456",
"cdport": "443",
"vendor": "Zscaler",
"aggregate": "No",
"numsessions": "1",
"inbytes": "7890",
"nwapp": "google",
"locationname": "Remote",
"user": "012345678",
"_indextime": "1780679673",
"dest_translated_port": "1234",
"transport": "TCP",
"ssport": "12345",
"sdip": "192.0.2.0",
"dest_port": "443",
"ssip": "192.0.2.0",
"ipcat": "Web Search",
"tsip": "0.0.0.0",
"src_translated_ip": "0.0.0.0",
"sdport": "1234",
"log_subtype": "nss_fw",
"src": "192.0.2.0",
"sourcetype": "zscalernss-fw",
"src_port": "8000",
"src_translated_port": "8000"
}
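
Both the Windows event example above and this Zscaler NSS example are key=value text in which values can contain spaces (rulelabel=Default Firewall Filtering Rule, SourceName=Microsoft-Windows-Service Control Manager). The following Python is an added example, not Lumi's pipeline code: a space-tolerant key=value parser plus the field mappings that the two extracted-attribute listings on this page show; the Service_Name and status extraction from the 7036 message text is an assumption about how such values are derived.

```python
import re

# A token starts a new pair only if it looks like key=...; the format has no
# quoting, so a value such as "rulelabel=Default Firewall Filtering Rule" is
# reassembled from the tokens that follow until the next key=... token.
# A bare x=y token inside free text is therefore ambiguous and starts a key.
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_kv(line: str) -> dict:
    """Parse 'k1=v1 k2=v2 with spaces ...'; tokens before the first key
    (a syslog header or timestamp) are kept under _pre_msg."""
    out, key, parts = {}, "_pre_msg", []
    for tok in line.split():
        m = KEY_RE.match(tok)
        if m:
            if key != "_pre_msg" or parts:
                out[key] = " ".join(parts)
            key = m.group(1)
            parts = [m.group(2)] if m.group(2) else []
        else:
            parts.append(tok)
    out[key] = " ".join(parts)
    return out


def normalize_zscaler_fw(line: str) -> dict:
    """Map NSS firewall keys to the normalized names the example shows."""
    kv = parse_kv(line)
    attrs = dict(kv)
    attrs.update({
        "src_ip": kv.get("csip"), "src_port": kv.get("csport"),
        "dest_ip": kv.get("cdip"), "dest_port": kv.get("cdport"),
        "dest_translated_ip": kv.get("sdip"),
        "dest_translated_port": kv.get("sdport"),
        "src_translated_ip": kv.get("tsip"),
        "transport": kv.get("proto"),
        "bytes_in": kv.get("inbytes"), "bytes_out": kv.get("outbytes"),
    })
    if kv.get("inbytes", "").isdigit() and kv.get("outbytes", "").isdigit():
        attrs["bytes"] = int(kv["inbytes"]) + int(kv["outbytes"])  # 11346
    return attrs


SCM_STATE_RE = re.compile(r"^The (.+) service entered the (\w+) state\.$")


def normalize_windows(line: str) -> dict:
    """Parse the key=value rendering of a Windows event; for a Service
    Control Manager 7036 message also pull out the service name and state."""
    kv = parse_kv(line)
    attrs = dict(kv)
    for field in ("EventCode", "EventType", "RecordNumber"):
        if kv.get(field, "").isdigit():
            attrs[field] = int(kv[field])
    m = SCM_STATE_RE.match(kv.get("Message", ""))
    if m:
        attrs["Service_Name"], attrs["status"] = m.group(1), m.group(2)
    return attrs


# Constructed samples: the two incoming events shown on this page.
ZSCALER_SAMPLE = (
    "Jun 19 08:00:04 10.100.30.13 datetime=Fri Jun 19 07:59:00 2026 "
    "log_subtype=nss_fw user=012345678 locationname=Remote cdport=443 "
    "csport=8000 sdport=1234 ssport=12345 csip=192.0.2.0 cdip=192.0.2.0 "
    "ssip=192.0.2.0 sdip=192.0.2.0 tsip=0.0.0.0 tunsport=0 "
    "tuntype=ZscalerClientConnector action=Drop dnat=No stateful=Yes "
    "aggregate=No nwsvc=TCP_ANY nwapp=google proto=TCP ipcat=Web Search "
    "destcountry=United States avgduration=113 "
    "rulelabel=Default Firewall Filtering Rule inbytes=7890 outbytes=3456 "
    "duration=0 durationms=113 numsessions=1 vendor=Zscaler product=fw "
    "department=Admin")
WIN_SAMPLE = (
    "10/01/2025 04:47:46 PM LogName=System EventCode=7036 EventType=4 "
    "ComputerName=EC2AMAZ-EXAMPLE SourceName=Microsoft-Windows-Service "
    "Control Manager Type=Information RecordNumber=145454 Keywords=Classic "
    "TaskCategory=None OpCode=The operation completed successfully. "
    "Message=The Microsoft Account Sign-in Assistant service entered the "
    "stopped state.")
```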

Learn more

See the following topics for more information: