From 9b588bf83b96cce61785476f7e31f1e9db62160a Mon Sep 17 00:00:00 2001 From: Sebastien Blot Date: Wed, 27 Nov 2024 14:05:08 +0100 Subject: [PATCH] add replay doc for windows evt log --- .../docs/data_sources/introduction.md | 2 +- .../docs/data_sources/windows_event_log.md | 49 ++++++++++++++++++- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/crowdsec-docs/docs/data_sources/introduction.md b/crowdsec-docs/docs/data_sources/introduction.md index 2541a21a8..591ab2c6d 100644 --- a/crowdsec-docs/docs/data_sources/introduction.md +++ b/crowdsec-docs/docs/data_sources/introduction.md @@ -24,7 +24,7 @@ Name | Type | Stream | One-shot [Kubernetes Audit](/data_sources/kubernetes_audit.md) | expose a webhook to receive audit logs from a Kubernetes cluster | yes | no [Loki](/data_sources/loki.md) | read logs from loki | yes | yes [syslog service](/data_sources/syslog_service.md) | read logs received via syslog protocol | yes | no -[Windows Event](/data_sources/windows_event_log.md)| read logs from windows event log | yes | no +[Windows Event](/data_sources/windows_event_log.md)| read logs from windows event log | yes | yes ## Common configuration parameters diff --git a/crowdsec-docs/docs/data_sources/windows_event_log.md b/crowdsec-docs/docs/data_sources/windows_event_log.md index a6665fc0d..34d98c9d1 100644 --- a/crowdsec-docs/docs/data_sources/windows_event_log.md +++ b/crowdsec-docs/docs/data_sources/windows_event_log.md 
@@ -65,4 +65,51 @@ You can refer to the Windows documentation for more informations: https://docs.m Pretty name to use for the datasource in the metrics (`cscli metrics`). -This parameter is optional, but strongly recommanded, as by default the full xpath query will be displayed in the metrics, which can be hard to read. \ No newline at end of file +This parameter is optional, but strongly recommanded, as by default the full xpath query will be displayed in the metrics, which can be hard to read. + +## DSN and command-line + +This module supports acquisition directly from the command line, to replay content from event files. + +A single wineventlog URI is accepted with the `-dsn` parameter: + +```bash +crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx +``` + +### Supported parameters + +#### `log_level` + +Change the log level for the acquisition: + +```bash +crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx?log_level=debug +``` + +#### `event_id` + +Only process events with this ID. + +This parameter can be specified multiple times to filter on multiple IDs. + +```bash +crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx?event_id=1&event_id=2 +``` + +#### `event_level` + +Only process events with this level. + +Must be a number between 0 and 5. + +The mapping between the number and the textual representation of the level is: + + Text | Number +------|----------- + INFORMATION | 0 + CRITICAL | 1 + ERROR | 2 + WARNING | 3 + INFORMATION | 4 + VERBOSE | 5 \ No newline at end of file
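Review bot: the introduction.md hunk only flips the One-shot column to `yes`, but the Stream/Type description on the same row still reads "read logs from windows event log", which no longer tells the reader that replay of `.evtx` files from the command line is what makes it one-shot; consider widening the description to "read logs from windows event log, or replay .evtx files" so the table is consistent with the new "DSN and command-line" section in windows_event_log.md.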
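Review bot: the `event_level` mapping table at the end of the windows_event_log.md hunk lists INFORMATION twice (for 0 and for 4); in the Windows event level enumeration, 0 is LogAlways (an event written regardless of the configured level) and 4 is Informational, so the row ` INFORMATION | 0` should read ` LOG_ALWAYS | 0` (or whatever the acquisition code actually matches for level 0) to avoid a reader filtering on the wrong value. Two smaller points in the same hunk: the `event_id` example `crowdsec -type sysmon -dsn wineventlog://C:\\path\\to\\file.evtx?event_id=1&event_id=2` will be split at the unquoted `&` by cmd.exe (command separator) and rejected by PowerShell (reserved operator), so the DSN should be wrapped in double quotes in the example; and the touched line keeps the existing typo "recommanded" (should be "recommended"), while the file still ends without a trailing newline ("\ No newline at end of file" appears on both sides of the hunk).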