add replay doc for windows evt log (#686)

blotus · web-flow · commit babf9a0b7940 · 2024-11-27T14:14:08.000+01:00
diff --git a/crowdsec-docs/docs/data_sources/introduction.md b/crowdsec-docs/docs/data_sources/introduction.md
@@ -24,7 +24,7 @@ Name | Type | Stream | One-shot
 [Kubernetes Audit](/data_sources/kubernetes_audit.md) | expose a webhook to receive audit logs from a Kubernetes cluster  | yes | no
 [Loki](/data_sources/loki.md) | read logs from loki | yes | yes
 [syslog service](/data_sources/syslog_service.md) | read logs received via syslog protocol | yes | no
-[Windows Event](/data_sources/windows_event_log.md)| read logs from windows event log | yes | no
+[Windows Event](/data_sources/windows_event_log.md)| read logs from windows event log | yes | yes
 
 ## Common configuration parameters
 
diff --git a/crowdsec-docs/docs/data_sources/windows_event_log.md b/crowdsec-docs/docs/data_sources/windows_event_log.md
@@ -65,4 +65,51 @@ You can refer to the Windows documentation for more informations: https://docs.m
 
 Pretty name to use for the datasource in the metrics (`cscli metrics`).
 
-This parameter is optional, but strongly recommanded, as by default the full xpath query will be displayed in the metrics, which can be hard to read.
+This parameter is optional, but strongly recommanded, as by default the full xpath query will be displayed in the metrics, which can be hard to read.
+
+## DSN and command-line
+
+This module supports acquisition directly from the command line, to replay content from event files.
+
+A single wineventlog URI is accepted with the `-dsn` parameter:
+
+```bash
+crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx
+```
+
+### Supported parameters
+
+#### `log_level`
+
+Change the log level for the acquisition:
+
+```bash
+crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx?log_level=debug
+```
+
+#### `event_id`
+
+Only process events with this ID.
+
+This parameter can be specified multiple times to filter on multiple IDs.
+
+```bash
+crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx?event_id=1&event_id=2
+```
+
+#### `event_level`
+
+Only process events with this level.
+
+Must be a number between 0 and 5.
+
+The mapping between the number and the textual representation of the level is:
+
+ Text | Number 
+------|-----------
+ INFORMATION | 0 
+ CRITICAL | 1 
+ ERROR | 2 
+ WARNING | 3 
+ INFORMATION | 4 
+ VERBOSE | 5 
