diff --git a/docs/_coverpage.md b/docs/_coverpage.md index 0ce7e9821..ea203143c 100755 --- a/docs/_coverpage.md +++ b/docs/_coverpage.md @@ -4,7 +4,7 @@ -# fibratus 1.4.2 +# fibratus 1.5.0 > A modern tool for the Windows kernel exploration and observability diff --git a/docs/_sidebar.md b/docs/_sidebar.md index 47e4a736d..034e1a6a5 100755 --- a/docs/_sidebar.md +++ b/docs/_sidebar.md @@ -37,6 +37,8 @@ * [Null](outputs/null.md) * [RabbitMQ](outputs/rabbitmq.md) * [Elasticsearch](outputs/elasticsearch.md) + * [HTTP](outputs/http.md) + * [Eventlog](outputs/eventlog.md) * Transformers * [Parsing, Enriching, Transforming](transformers/introduction.md) * [Remove](transformers/remove.md) diff --git a/docs/filters/fields.md b/docs/filters/fields.md index b0eeba3ba..9e1ee9d15 100755 --- a/docs/filters/fields.md +++ b/docs/filters/fields.md 
@@ -47,7 +47,12 @@ The following tables summarize available field names that can be used in filter | ps.args | Process command line arguments | `ps.args in ('/cdir', '/-C')` | | ps.cwd | Process current working directory | `ps.cwd = 'C:\\Users\\Default'` | | ps.sid | Security identifier under which this process is run | `ps.sid contains 'SYSTEM'` | +| ps.domain | Process domain name | `ps.domain = 'NT AUTHORITY'` | +| ps.username | Process user name | `ps.username = 'SYSTEM'` | | ps.sessionid | Unique identifier for the current session | `ps.sessionid = 1` | +| ps.access.mask | Process access rights | `ps.access.mask = '0x1000'` | +| ps.access.mask.names | Process access human-readable rights | `ps.access.mask.names in ('TERMINATE', 'QUERY_INFORMATION')` | +| ps.access.status | Process access status | `ps.access.status = 'success'` | | ps.envs | Process environment variables | `ps.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')` | | ps.envs[] | Accesses a specific environment variable. Prefix matches are supported | `ps.envs['MOZ_CRASHREPORTER'] = 'C:\\Program Files\\Firefox'` | | ps.dtb | Process directory table base address | `ps.dtb = '7ffe0000'` | 
@@ -56,16 +61,27 @@ The following tables summarize available field names that can be used in filter | ps.modules | Modules loaded by the process | `ps.modules in ('crypt32.dll', 'xul.dll')` | | ps.modules[] | Accesses a specific process module. Prefix matches are supported | `ps.modules['crypt'].size > 1024` | | ps.parent.name | Parent process name | `ps.parent.name = 'powershell.exe'` | +| ps.parent.pid | Parent process identifier | `ps.parent.pid = 2340` | | ps.parent.comm | Parent process command line | `ps.parent.comm contains 'attrib'` | | ps.parent.exe | Full name of the parent process executable | `ps.parent.exe = 'C:\\Windows\\system32\\cmd.exe'` | | ps.parent.cwd | Parent process current working directory | `ps.parent.cwd = 'C:\\Users\\Default'` | | ps.parent.sid | Security identifier under which the parent process is run | `ps.parent.sid contains 'SYSTEM'` | +| ps.parent.domain | Parent process domain name | `ps.parent.domain = 'NT AUTHORITY'` | +| ps.parent.username | Parent process user name | `ps.parent.username = 'SYSTEM'` | | ps.parent.sessionid | Unique identifier for the current session of the parent process | `ps.parent.session = 1` | | ps.parent.dtb | Parent process directory table base address | `ps.parent.dtb = 'powershell.exe'` | | ps.parent.envs | Parent process environment variables | `ps.parent.envs in ('PROCESSOR_LEVEL')'` | | ps.parent.handles | Allocated parent process handles | `ps.parent.handles in ('\\...\\Cor_SxSPublic_IPCBlock')` | | ps.parent.handle.types | Allocated parent process handles types | `ps.parent.handle.types in ('Key', 'Mutant', 'Section')` | | ps.ancestor[] | Process ancestry traversing | `ps.ancestor[2].name in ('winword.exe', 'powershell.exe')` | +| ps.sibling.name | Sibling process name | `ps.sibling.name = 'cmd.exe'` | +| ps.sibling.pid | Sibling process identifier | `ps.sibling.id = 6050` | +| ps.sibling.comm | Sibling process command line | `ps.sibling.name contains '/k /v'` | +| ps.sibling.exe | Sibling process 
executable full path | `ps.sibling.exe = 'C:\\Windows\\system32\\cmd.exe'` | +| ps.sibling.sid | Sibling process security identifier | `ps.sibling.sid contains 'SYSTEM'` | +| ps.sibling.sessionid | Sibling process session identifier | `ps.sibling.sessionid = 1` | +| ps.sibling.domain | Sibling process domain name | `ps.sibling.domain = 'NT AUTHORITY'` | +| ps.sibling.username | Sibling process user name | `ps.sibling.username = 'SYSTEM'` | ### Thread | Field Name | Description | Example | @@ -78,6 +94,10 @@ The following tables summarize available field names that can be used in filter | thread.ustack.base | Base address of the thread's user space stack | `thread.ustack.base = '7ffe0000'` | | thread.ustack.limit | Limit of the thread's user space stack | `thread.ustack.limit = '8ffe0000'` | | thread.entrypoint | Starting address of the function to be executed by the thread | `thread.entrypoint = '7efe0000'` | +| thread.access.mask | Thread access rights | `thread.access.mask = '0x1800'` | +| thread.access.mask.names | Thread access human-readable rights | `thread.access.mask.names in ('QUERY_LIMITED_INFORMATION')` | +| thread.access.status | Thread access status | `thread.access.status = 'success'` | + ### Image | Field Name | Description | Example | diff --git a/docs/filters/functions.md b/docs/filters/functions.md index fd2495c24..0aeba1170 100644 --- a/docs/filters/functions.md +++ b/docs/filters/functions.md 
@@ -1,6 +1,8 @@ # Functions -Functions expand the scope of the filtering language by bringing a plethora of capabilities. The function can return a primitive value, including integers, strings, and booleans. Additionally, some functions may return a collection of values. Function names are case insensitive. +Functions expand the scope of the filtering language by bringing a plethora of capabilities. The function can return a primitive value, including integers, strings, and booleans. Function calls can be nested where the result of one function is used as an input in another function. For example, `lower(ltrim(file.name, 'C:'))`, removes the `C` drive letter from the file path and converts it to a lower case string. + +Additionally, some functions may return a collection of values. Function names are case insensitive. ### Network functions @@ -18,7 +20,7 @@ Functions expand the scope of the filtering language by bringing a plethora of c - **Examples** - Assuming the `net.sip` contains the `192.168.1.20` IP address, the following filter + Assuming the `net.sip` field contains the `192.168.1.20` IP address, the following filter would match on this event. ``` 
@@ -40,8 +42,249 @@ Functions expand the scope of the filtering language by bringing a plethora of c - **Examples** - Assuming the `registry.key.name` contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, the following would filter events for the matching md5 hash. + Assuming the `registry.key.name` field contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, the following would filter events for the matching md5 hash. ``` fibratus run kevt.category = 'net' and md5(registry.key.name) = 'eab870b2a516206575d2ffa2b98d8af5' - ``` \ No newline at end of file + ``` + +### String functions + +#### concat + +`concat` concatenates string/integer input arguments. + +- **Specification** + ``` + concat(args: ...) :: + ``` + - `args`: Strings or integers to be concatenated. This function requires at least 2 input arguments + - `return` a concatenated string of all input arguments + +- **Examples** + + Assuming the `ps.domain` field contains `NT_AUTHORITY` and `ps.username` field contains `admin`, the following would filter events for the matching concatenated string. + + ``` + fibratus run concat(ps.domain, '-', ps.username) = 'NT_AUTHORITY-admin' + ``` + +#### ltrim + +`ltrim` trims the specified prefix from a string. + +- **Specification** + ``` + ltrim(string: , prefix: ) :: + ``` + - `string`: Input string + - `prefix`: Prefix that is removed from the original input string + - `return` a string with the specified prefix removed + +- **Examples** + + Assuming the `registry.key.name` field contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, the following filter expression would match on all events where the resulting string is equal to `SYSTEM\Setup\Pid` + + ``` + fibratus run ltrim(registry.key.name, 'HKEY_LOCAL_MACHINE\\') = 'SYSTEM\\Setup\\Pid' + ``` + +#### rtrim + +`rtrim` trims the specified suffix from a string. 
+ +- **Specification** + ``` + rtrim(string: , suffix: ) :: + ``` + - `string`: Input string + - `prefix`: Suffix that is removed from the original string + - `return` a string with the specified suffix removed + +- **Examples** + + Assuming the `registry.key.name` field contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, the following filter expression would match on all events where the resulting string is equal to `HKEY_LOCAL_MACHINE\SYSTEM\Setup` + + ``` + fibratus run rtrim(registry.key.name, '\\Pid') = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Setup' + ``` + +#### lower + +`lower` converts the string with all Unicode letters mapped to their lower case. + +- **Specification** + ``` + lower(string: ) :: + ``` + - `string`: Input string + - `return` a string converted to lower case + +- **Examples** + + Assuming the `registry.key.name` field contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup`, the following filter expression would match on all events where the resulting string is equal to `hkey_local_machine\system\setup` + + ``` + fibratus run lower(registry.key.name) = 'hkey_local_machine\\system\\setup' + ``` + +#### upper + +`upper` converts the string with all Unicode letters mapped to their upper case. + +- **Specification** + ``` + upper(string: ) :: + ``` + - `string`: Input string + - `return` a string converted to upper case + +- **Examples** + + Assuming the `registry.key.name` field contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup`, the following filter expression would match on all events where the resulting string is equal to `HKEY_LOCAL_MACHINE\SYSTEM\SETUP` + + ``` + fibratus run upper(registry.key.name) = 'HKEY_LOCAL_MACHINE\\SYSTEM\\SETUP' + ``` + +#### replace + +`replace` replaces all occurrences in the string as given by arbitrary old/new replacement pairs. 
+ +- **Specification** + ``` + replace(string: , old: , new: , ..., old-n: , new-n: ) :: + ``` + - `string`: Input string + - `old`: substring in the original string that is replaced with the `new` string + - `new`: the replacement string + - `return` a string with all occurrences replaced by old/new pairs + +- **Examples** + + Assuming the `registry.key.name` field contains `HKEY_LOCAL_MACHINE\SYSTEM\Setup`, the following filter expression would match on all events where the resulting string is equal to `HKLM\SYS\Setup` + + ``` + fibratus run replace(registry.key.name, 'HKEY_LOCAL_MACHINE', 'HKLM', 'SYSTEM', 'SYS') = 'HKLM\\SYS\\Setup' + ``` + +#### split + +`split` produces a slice of substrings separated by the given delimiter. + +- **Specification** + ``` + split(string: , sep: ) :: <[]string> + ``` + - `string`: Input string + - `prefix`: The separator that is used to split the string + - `return` a slice of substrings + +- **Examples** + + Assuming the `file.name` field contains `C:\Windows\System32\kernel32.dll`, the following filter expression would match on all events where the `kernel32.dll` or `System32` strings are present in the resulting slice. + + ``` + fibratus run split(file.name, '\\') in ('kernel32.dll', 'System32') + ``` + +#### length + +`length` returns the number of characters for string arguments and the size of the slice for slice arguments. + +- **Specification** + ``` + length(string: ) :: + ``` + - `string`: Input string or slice + - `return` the number of characters or array length + +- **Examples** + + Assuming the `ps.domain` field contains `"こんにちは"`, the following would filter events with 5 symbols in the process domain. + + ``` + fibratus run length(ps.domain) = 5 + ``` + +#### indexof + +`indexof` returns the index of the instance of substring in a given string depending on the provided search order. 
+ +- **Specification** + ``` + indexof(string: , substring: , order: ) :: + ``` + - `string`: Input string + - `prefix`: Substring for which the search is performed + - `order`: Specifies the string index search order. It can be `first`, `any`, `last`, `lastany`. This is an optional argument. + - `return` the index of the substring + +- **Examples** + + Assuming the `ps.domain` field contains `NT_AUTHORITY`, the following would filter events for the matching substring index. + + ``` + fibratus run indexof(ps.domain, 'NT') = 0 + ``` + +#### substr + +`substr` creates a substring of a given string. + +- **Specification** + ``` + substr(string: , start: , end: ) :: + ``` + - `string`: Input string + - `start`: Substring start index + - `end`: Substring end index + - `return` a substring contained within start and end indices + +- **Examples** + + Assuming the `file.name` field contains `\Device\HarddiskVolume2\Windows\system32\user32.dll`, the following filter expression would match on all events where the substring is equal to `\Device` + + ``` + fibratus run substr(file.name, indexof(file.name, '\\'), indexof(file.name, '\\Hard')) = '\\Device' + ``` + +#### entropy + +`entropy` measures the string entropy. + +- **Specification** + ``` + entropy(string: , algo: ) :: + ``` + - `string`: Input string + - `algo`: The algorithm used to calculate the string entropy. `shannon` is the default entropy type. This argument is optional + - `return` the string entropy + +- **Examples** + + Assuming the `file.name` field contains `\Device\HarddiskVolume2\Windows\system32\user32.dll`, the following filter expression would match on all events where file name entropy is greater than 255. + + ``` + fibratus run entropy(file.name) > 255 + ``` + +#### regex + +`regex` applies single/multiple regular expressions on the provided string argument. + +- **Specification** + ``` + regex(string: , patterns: ...) 
:: + ``` + - `string`: Input string + - `patterns`: Regular expression patterns + - `return` `true` if at least one regular expression matches or `false` otherwise + +- **Examples** + + Assuming the `ps.name` field contains `powershell.exe`, the following would filter events matching the regular expressions. + + ``` + fibratus run regex(ps.name, 'power.*(shell|hell).dll', '.*hell.exe') + ``` diff --git a/docs/kevents/process.md b/docs/kevents/process.md index 7b9a0f9d6..ae8bdb75f 100755 --- a/docs/kevents/process.md +++ b/docs/kevents/process.md @@ -1,5 +1,7 @@ # Process events +#### CreateProcess and TerminateProcess + Process events are fired up as a stimulus to the process' life-cycle changes. When the kernel puts into motion a process or terminates it, the `CreateProcess` and `TerminateProcess` events are emitted respectively. The following list summarizes all the distinct event parameters that are associated with process events. - `pid` is the process' identifier. This value is valid from the time a process is created until it is terminated. 
@@ -15,6 +17,17 @@ Process events are fired up as a stimulus to the process' life-cycle changes. Wh - `status` is the exit status of the stopped process. - `start_time` designates the instant when the process was started. +#### OpenProcess + +`OpenProcess` event is triggered when a process tries to acquire an existing local process object. This event contains the following parameters: + +- `desired_access` is the hexadecimal value that represents the desired access to the process object. +- `desired_access_names` is the list of human-readable desired access strings (e.g. `TERMINATE,QUERY_INFORMATION`). For a full list and detailed explanation of available access rights, head to the official [docs](https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights). +- `name` is the name of the local process that was opened. +- `exe` is the full path of the local process object that was open. +- `pid` is the identifier of the local process that was opened. +- `status` contains the result of the process object open operation. (e.g. `success`) + ### Process state {docsify-ignore} Fibratus keeps a snapshot of all running processes including their state such as basic process attributes, allocated file handles, dynamically-linked libraries, PE (Portable Executable) metadata and other resources. The snapshot is updated dynamically as processes get spawn or die. Each time a kernel event is triggered, its process' state is fetched from the snapshot and attached to the event. This state machine semantically enriches each individual event with the aim on providing a powerful context for [filtering](/filters/introduction.md) and [scripting](/filaments/introduction.md). diff --git a/docs/kevents/thread.md b/docs/kevents/thread.md index 7a926f620..1c6fcafcb 100755 --- a/docs/kevents/thread.md +++ b/docs/kevents/thread.md 
@@ -1,5 +1,7 @@ # Thread events +#### CreateThread and TerminateThread + Thread events notify the creation (`CreateThread`) or termination (`TerminateThread`) of threads within the process' address space. In situations where a process spawns a remote thread that runs in other process' address space, the `CreateThread` event is also triggered. Thread events are comprised of the following parameters: @@ -13,3 +15,16 @@ Thread events are comprised of the following parameters: - `kstack_base` is the base address of the thread's kernel space stack. - `kstack_limit` is the limit of the thread's kernel space stack. - `entrypoint` is the starting address of the function to be executed by the thread. + +#### OpenThread + +`OpenProcess` event is triggered when a process opens an existing local thread object. This event contains the following parameters: + +- `desired_access` is the hexadecimal value that represents the desired access to the thread object. +- `desired_access_names` is the list of human-readable desired access strings (e.g. `QUERY_LIMITED_INFORMATION`). For a full list and detailed explanation of available access rights, head to the official [docs](https://docs.microsoft.com/en-us/windows/win32/procthread/thread-security-and-access-rights). +- `name` is the name of the local process whose thread object was open. +- `exe` is the full path of the local process image whose thread object was open. +- `pid` is the identifier of the local process whose thread object was opened. +- `tid` is the identifier of the local thread that was opened. +- `status` contains the result of the thread object open operation. (e.g. `success`) + diff --git a/docs/outputs/eventlog.md b/docs/outputs/eventlog.md new file mode 100644 index 000000000..e1dbc7b4a --- /dev/null +++ b/docs/outputs/eventlog.md 
@@ -0,0 +1,139 @@ +# Eventlog + +Exports events via [Windows Event Log](https://docs.microsoft.com/en-us/windows/win32/wes/windows-event-log) API that can be explored with the [Event Viewer](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766042(v=ws.11)) management tool. The screenshots below illustrate event logs produced by Fibratus. The `General` tab reveals the event type that was generated. Each log event pertains to the specific `Task Category` that directly maps to the internal event category. Similar to [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon), Fibratus classifies each event with a custom `Event ID`. + +

+ +

+ +The `Details` tab shows extended event data including event parameters, process, and thread information. It is possible to customize the rendering template to influence the constructed event data. This is achieved by changing the [`eventlog.template`](outputs/eventlog?id=template) configuration property. + +

+ +

+ +### Configuration {docsify-ignore} + +The Eventlog output configuration is located in the `outputs.eventlog` section. + +#### enabled + +Indicates whether the Eventlog output is enabled. + +**default**: `false` + + +#### level + +Specifies the eventlog level associated with the event logs produced by Fibratus. You can specify one of the following values: + +- `info`, `INFO` +- `warn`, `warning`, `WARN`, `WARNING` +- `erro`, `ERRO`, `error`, `ERROR` + +**default**: `info` + +#### remote-host + +Address of the remote eventlog intake. + +#### template + +Go [template](https://pkg.go.dev/text/template) for rendering the eventlog message. + +**default**: + +``` +Name: {{ .Kevt.Name }} +Sequence: {{ .Kevt.Seq }} +Process ID: {{ .Kevt.PID }} +Thread ID: {{ .Kevt.Tid }} +Cpu: {{ .Kevt.CPU }} +Params: {{ .Kevt.Kparams }} +Category: {{ .Kevt.Category }} + +{{- if .Kevt.PS }} + +Process: {{ .Kevt.PS.Name }} +Exe: {{ .Kevt.PS.Exe }} +Pid: {{ .Kevt.PS.PID }} +Ppid: {{ .Kevt.PS.Ppid }} +Cmdline: {{ .Kevt.PS.Comm }} +Cwd: {{ .Kevt.PS.Cwd }} +SID: {{ .Kevt.PS.SID }} +Session ID: {{ .Kevt.PS.SessionID }} +{{ if and (.SerializeEnvs) (.Kevt.PS.Envs) }} +Env: + {{- with .Kevt.PS.Envs }} + {{- range $k, $v := . }} + {{ $k }}: {{ $v }} + {{- end }} + {{- end }} +{{ end }} +{{ if .SerializeThreads }} +Threads: + {{- with .Kevt.PS.Threads }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} +{{ end }} +{{ if .SerializeImages }} +Modules: + {{- with .Kevt.PS.Modules }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} +{{ end }} +{{ if and (.SerializeHandles) (.Kevt.PS.Handles) }} +Handles: + {{- with .Kevt.PS.Handles }} + {{- range . }} + {{ . 
}} + {{- end }} + {{- end }} +{{ end }} + +{{ if and (.SerializePE) (.Kevt.PS.PE) }} +Entrypoint: {{ .Kevt.PS.PE.EntryPoint }} +Image base: {{ .Kevt.PS.PE.ImageBase }} +Build date: {{ .Kevt.PS.PE.LinkTime }} + +Number of symbols: {{ .Kevt.PS.PE.NumberOfSymbols }} +Number of sections: {{ .Kevt.PS.PE.NumberOfSections }} + +Sections: + {{- with .Kevt.PS.PE.Sections }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} +{{ if .Kevt.PS.PE.Symbols }} +Symbols: + {{- with .Kevt.PS.PE.Symbols }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} +{{ end }} +{{ if .Kevt.PS.PE.Imports }} +Imports: + {{- with .Kevt.PS.PE.Imports }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} +{{ end }} +{{ if .Kevt.PS.PE.VersionResources }} +Resources: + {{- with .Kevt.PS.PE.VersionResources }} + {{- range $k, $v := . }} + {{ $k }}: {{ $v }} + {{- end }} + {{- end }} + {{ end }} +{{ end }} +{{- end }} + +``` diff --git a/docs/outputs/http.md b/docs/outputs/http.md new file mode 100644 index 000000000..4c8fdb276 --- /dev/null +++ b/docs/outputs/http.md 
@@ -0,0 +1,83 @@ +# HTTP + +Sends events to local/remote endpoints via HTTP protocol. Requests are serialized to the data format specified by the `serializer` property, which by default encodes events as `JSON` payloads. HTTP requests are randomly load-balanced across endpoints defined in the `endpoints` config property. + +### Configuration {docsify-ignore} + +The HTTP output configuration is located in the `outputs.http` section. + +#### enabled + +Indicates whether the HTTP output is enabled. + +**default**: `false` + +#### endpoints + +Specifies a list of endpoints to which the events are forwarded. Each of the endpoints must contain the HTTP protocol scheme, that can be `http` or `https`. + +#### timeout + +Represents the timeout for the HTTP requests. + +**default**: `5s` + +#### proxy-url + +Specifies the HTTP proxy URL. It overrides the HTTP proxy URL as indicated by the environment variables. + +#### proxy-username + +The username for HTTP proxy authentication. + +#### proxy-password + +The password for HTTP proxy authentication. + +#### method + +Determines the HTTP verb to use in requests. + +**default**: `POST` + +#### serializer + +Specifies the event serializer type. + +**default**: `json` + +#### username + +Username for the basic HTTP authentication. + +#### password + +Password for the basic HTTP authentication. + +#### enable-gzip + +If enabled, the HTTP body is compressed with the `gzip` compression. + +**default**: `false` + +#### headers + +Represents a list of arbitrary headers to include in HTTP requests. + +#### tls-key + +Path to the public/private key file. + +#### tls-cert + +Path to the certificate file. + +#### tls-ca + +Represents the path of the certificate file that is associated with the Certification Authority (CA). + +#### tls-insecure-skip-verify + +Indicates if the chain and host verification stage is skipped. + +**default**: `false` 
diff --git a/docs/outputs/images/eventlog-details.png b/docs/outputs/images/eventlog-details.png new file mode 100644 index 000000000..c97b7bcc4 Binary files /dev/null and b/docs/outputs/images/eventlog-details.png differ diff --git a/docs/outputs/images/eventlog-general.png b/docs/outputs/images/eventlog-general.png new file mode 100644 index 000000000..3b04497c8 Binary files /dev/null and b/docs/outputs/images/eventlog-general.png differ diff --git a/docs/setup/installation.md b/docs/setup/installation.md index dc91c8c9d..81d592ece 100755 --- a/docs/setup/installation.md +++ b/docs/setup/installation.md @@ -69,7 +69,7 @@ To build Fibratus directly from source code you have satisfy the following requi 1. Download the `msys2` installer and follow the instructions [here](https://www.msys2.org/). - open the `msys2` shell (by default located in `C:\msys2\msys2.exe`). You can also access it from the `MSYS2 64-bit` Start Menu item. - install the `MinGW` compiler toolchain along with other dependencies: - - `pacman -S base-devel mingw-w64-x86_64-openssl mingw-w64-x86_64-gcc` + - `pacman -S base-devel mingw-w64-x86_64-openssl mingw-w64-x86_64-gcc mingw-w64-x86_64-pkg-config automake libtool autoconf` 2. [Download](https://www.python.org/ftp/python/3.7.9/python-3.7.9-amd64.exe) and install the `Python 3.7`. Assuming the Python distribution was installed in `C:\Python37`, set the `PKG_CONFIG_PATH` environment variable to the location of the `pkg-config` directory within the `fibratus` directory. - `set PKG_CONFIG_PATH=` 3. Build `libyara` diff --git a/docs/yara/alerts.md b/docs/yara/alerts.md index 18b5f29e0..29a9a7622 100644 --- a/docs/yara/alerts.md +++ b/docs/yara/alerts.md 
@@ -113,30 +113,30 @@ The `yara.matches` tag contains the JSON array payload where each object represe ```json [ { - "Rule": "AnglerEKredirector ", - "Namespace": "EK", - "Tags": null, - "Metas": [ + "rule": "AnglerEKredirector ", + "namespace": "EK", + "tags": null, + "metas": [ { - "Identifier": "description", - "Value": "Angler Exploit Kit Redirector" + "identifier": "description", + "value": "Angler Exploit Kit Redirector" } ], - "Strings": "..." + "strings": "..." }, { - "Rule": "angler_flash_uncompressed ", - "Namespace": "EK", - "Tags": [ + "rule": "angler_flash_uncompressed ", + "namespace": "EK", + "tags": [ "exploitkit" ], - "Metas": [ + "metas": [ { - "Identifier": "description", - "Value": "Angler Exploit Kit Detection" + "identifier": "description", + "value": "Angler Exploit Kit Detection" } ], - "Strings": "..." + "strings": "..." } ] ```
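Review bot: in the `@@ -47,7 +47,12 @@` hunk of docs/filters/fields.md the descriptions of `ps.access.mask`, `ps.access.mask.names` and `ps.access.status` ("Process access rights", "Process access status") do not say which event populates them; from the process.md hunk they mirror the `desired_access`, `desired_access_names` and `status` parameters of the `OpenProcess` event, so the descriptions should say so (e.g. "Desired access rights of the `OpenProcess` event"). The `ps.domain` example uses `'NT AUTHORITY'` with a space while the `concat` example in functions.md assumes `NT_AUTHORITY`; use the form the field actually yields in both places.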
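Review bot: in the `@@ -56,16 +61,27 @@` hunk of docs/filters/fields.md two of the new sibling rows reference a different field than the one they document: `ps.sibling.pid` shows `ps.sibling.id = 6050` and `ps.sibling.comm` shows `ps.sibling.name contains '/k /v'`; they should read `ps.sibling.pid = 6050` and `ps.sibling.comm contains '/k /v'`. The table also does not say how a single `ps.sibling.*` value is chosen when a process has several siblings; a sentence on that would help. The unchanged `ps.parent.sessionid` and `ps.parent.dtb` rows next to the new ones have the same kind of mismatch (`ps.parent.session = 1`, `ps.parent.dtb = 'powershell.exe'`) and could be fixed in the same pass.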
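Review bot: in the `@@ -78,6 +94,10 @@` hunk of docs/filters/fields.md the `thread.access.*` descriptions have the same gap as the process ones: state that they carry the `desired_access`, `desired_access_names` and `status` parameters of the `OpenThread` event. The added empty `+` line before `### Image` leaves two blank lines where the rest of the file uses one.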
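Review bot: in the `@@ -1,6 +1,8 @@` hunk of docs/filters/functions.md the nested-call example says `lower(ltrim(file.name, 'C:'))` "removes the `C` drive letter", but the prefix passed to `ltrim` is `C:`, so it strips the drive letter and the colon and leaves a path starting with `\`; say `C:` and drop the comma after the closing backtick, since "For example, `...`, removes" reads as a fragment.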
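Review bot: in the `@@ -40,8 +42,249 @@` hunk of docs/filters/functions.md several specifications list a parameter under the wrong name: `rtrim` documents `prefix` where the signature says `suffix`, `split` documents `prefix` for `sep`, and `indexof` documents `prefix` for `substring`. The `entropy` example `entropy(file.name) > 255` cannot match if `shannon` entropy is returned as bits per symbol, which is bounded by log2 of the number of distinct characters (at most 8 for single-byte characters); either document the unit of the return value or use a reachable threshold such as `> 4`. In the `regex` example the first pattern `'power.*(shell|hell).dll'` ends in `.dll` although the text says `ps.name` is `powershell.exe`, so only the second pattern matches, and the unescaped `.` before the extension matches any character; `'power.*(shell|hell)\.exe'` would show the intended match.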
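Review bot: in the `@@ -1,5 +1,7 @@` hunk of docs/kevents/process.md the new `#### CreateProcess and TerminateProcess` heading is a level-4 heading placed directly under the level-1 title, while the existing `### Process state` section later in the file is level 3, so the heading hierarchy skips a level; use `###` for the event sub-sections (the same applies to the matching hunk in thread.md).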
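Review bot: in the `@@ -15,6 +17,17 @@` hunk of docs/kevents/process.md the `OpenProcess` list uses `name`, `exe` and `pid` for the target process, while the process state attached to every event (described under `Process state`) refers to the calling process; a sentence saying that the `ps.*` fields describe the opener and these parameters the opened process would avoid confusion. Also "the local process object that was open" should read "was opened", matching the neighbouring bullets.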
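Review bot: in the `@@ -13,3 +15,16 @@` hunk of docs/kevents/thread.md the sentence under `#### OpenThread` says "`OpenProcess` event is triggered when a process opens an existing local thread object"; this is a copy-paste slip and should name `OpenThread`. The `name` and `exe` bullets say "was open" (use "was opened", as the `pid` and `tid` bullets do), and the hunk adds a trailing empty line at the end of the file.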
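Review bot: in the `@@ -0,0 +1,139 @@` hunk adding docs/outputs/eventlog.md, `remote-host` is documented only as "Address of the remote eventlog intake": say what form the address takes and what happens when it is left empty, since the other properties all state a default. In the default template the `{{ end }}` closing the `VersionResources` block is indented two spaces unlike the other `{{ end }}` lines, and the `Cpu:` label differs in case from the `CPU` field it renders. The template also branches on `.SerializeEnvs`, `.SerializeThreads`, `.SerializeImages`, `.SerializeHandles` and `.SerializePE`, but the page does not say which configuration properties control those switches.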
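Review bot: in the `@@ -0,0 +1,83 @@` hunk adding docs/outputs/http.md, `tls-key` is described as "Path to the public/private key file"; a TLS client key file holds the private key (the public key travels in `tls-cert`), so say "private key file". `tls-insecure-skip-verify` should state the consequence of `true`: the server certificate chain and host name are not validated, so the output will deliver events to any endpoint presenting a certificate, and the setting belongs in test setups only. Likewise `username`/`password` and `proxy-username`/`proxy-password` are sent with every request, so the text should point out that they stay confidential only when the endpoint uses the `https` scheme. `serializer` names `json` as the default without listing the other accepted values; add them or state that `json` is the only one.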
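Review bot: in the `@@ -113,30 +113,30 @@` hunk of docs/yara/alerts.md the `yara.matches` keys change from `Rule`/`Namespace`/`Tags`/`Metas`/`Identifier`/`Value`/`Strings` to their lower-case forms; this is a breaking change for anything parsing the alert payload, and the 1.5.0 bump in `_coverpage.md` does not flag it, so a changelog or migration line is warranted. The `rule` values keep a trailing space (`"AnglerEKredirector "`, `"angler_flash_uncompressed "`); if the real payload does not carry it, trim it here so nobody matches on it verbatim.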