From d44ba39d7fdf0cb24389d23839b972f4be448644 Mon Sep 17 00:00:00 2001
From: lahoucine BENLAHMR <lbenlahmr@wallix.com>
Date: Fri, 22 Feb 2013 15:08:52 +0100
Subject: [PATCH] IssueID #4444 - Adds eventID (French version)  4720, 4726,
 4738,  4741, 4742, 4743

---
 ...entlog_security_audit_windows2008_en_2.xml |  66 ++
 ...entlog_security_audit_windows2008_fr_2.xml | 872 ++++++++++++++++++
 2 files changed, 938 insertions(+)
 create mode 100644 normalizers/eventlog_security_audit_windows2008_fr_2.xml

diff --git a/normalizers/eventlog_security_audit_windows2008_en_2.xml b/normalizers/eventlog_security_audit_windows2008_en_2.xml
index e7cc09c..ecde474 100644
--- a/normalizers/eventlog_security_audit_windows2008_en_2.xml
+++ b/normalizers/eventlog_security_audit_windows2008_en_2.xml
@@ -807,6 +807,72 @@ Additional Information:
         				<expectedTag name="additional_info">-</expectedTag>
 					</expectedTags>
             	</example>
+            	<example>
+            		<text>A computer account was changed.
+Subject:
+   Security ID:  ACME-FR\administrator
+   Account Name:  administrator
+   Account Domain:  ACME-FR
+   Logon ID:  0x20f9d
+Computer Account That Was Changed:
+   Security ID:  ACME-FR\John.Locke
+   Account Name:  John.Locke
+   Account Domain:  ACME-FR
+Changed Attributes:
+   SAM Account Name: -
+   Display Name:  -
+   User Principal Name: -
+   Home Directory:  -
+   Home Drive:  -
+   Script Path:  -
+   Profile Path:  -
+   User Workstations: -
+   Password Last Set: -
+   Account Expires:  -
+   Primary Group ID: -
+   AllowedToDelegateTo: -
+   Old UAC Value:  0x10
+   New UAC Value:  0x4010
+   User Account Control: 
+   'Not Delegated' - Enabled
+   User Parameters: -
+   SID History:  -
+   Logon Hours:  -
+   DNS Host Name:  -
+   Service Principal Names: -
+   
+Additional Information:
+   Privileges:  -</text>
+					<expectedTags>
+						<expectedTag name="security_id">ACME-FR\administrator</expectedTag>
+						<expectedTag name="user">administrator</expectedTag>
+						<expectedTag name="domain">ACME-FR</expectedTag>
+						<expectedTag name="logon_id">0x20f9d</expectedTag>
+						<expectedTag name="target_security_id">ACME-FR\John.Locke</expectedTag>
+						<expectedTag name="target_user">John.Locke</expectedTag>
+						<expectedTag name="target_domain">ACME-FR</expectedTag>
+						<expectedTag name="sam_account_name">-</expectedTag>
+						<expectedTag name="display_name">-</expectedTag>
+						<expectedTag name="principal_name">-</expectedTag>
+						<expectedTag name="home_directory">-</expectedTag>
+						<expectedTag name="home_drive">-</expectedTag>
+						<expectedTag name="script_path">-</expectedTag>
+						<expectedTag name="profile_path">-</expectedTag>
+						<expectedTag name="workstations">-</expectedTag>
+						<expectedTag name="password_last_set">-</expectedTag>
+						<expectedTag name="expiry_date">-</expectedTag>
+						<expectedTag name="primary_gid">-</expectedTag>
+						<expectedTag name="old_uac">0x10</expectedTag>
+						<expectedTag name="new_uac">0x4010</expectedTag>
+						<expectedTag name="uac">'Not Delegated' - Enabled</expectedTag>
+        				<expectedTag name="user_parameters">-</expectedTag>
+        				<expectedTag name="sid_history">-</expectedTag>
+        				<expectedTag name="logon_hours">-</expectedTag>
+        				<expectedTag name="dns_host_name">-</expectedTag>
+        				<expectedTag name="service_names">-</expectedTag>
+        				<expectedTag name="additional_info">-</expectedTag>
+					</expectedTags>
+            	</example>
     		</examples>
     	</pattern>
     </patterns>
diff --git a/normalizers/eventlog_security_audit_windows2008_fr_2.xml b/normalizers/eventlog_security_audit_windows2008_fr_2.xml
new file mode 100644
index 0000000..3237327
--- /dev/null
+++ b/normalizers/eventlog_security_audit_windows2008_fr_2.xml
@@ -0,0 +1,872 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
+<!--                                                            -->
+<!-- pylogparser - Logs parsers python library                  -->
+<!-- Copyright (C) 2012 Wallix Inc.                             -->
+<!--                                                            -->
+<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
+<!--                                                            -->
+<!-- This package is free software; you can redistribute        -->
+<!-- it and/or modify it under the terms of the GNU Lesser      -->
+<!-- General Public License as published by the Free Software   -->
+<!-- Foundation; either version 2.1 of the License, or (at      -->
+<!-- your option) any later version.                            -->
+<!--                                                            -->
+<!-- This package is distributed in the hope that it will be    -->
+<!-- useful, but WITHOUT ANY WARRANTY; without even the implied -->
+<!-- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR    -->
+<!-- PURPOSE.  See the GNU Lesser General Public License for    -->
+<!-- more details.                                              -->
+<!--                                                            -->
+<!-- You should have received a copy of the GNU Lesser General  -->
+<!-- Public License along with this package; if not, write      -->
+<!-- to the Free Software Foundation, Inc., 59 Temple Place,    -->
+<!-- Suite 330, Boston, MA  02111-1307  USA                     -->
+<!--                                                            -->
+<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
+<!DOCTYPE normalizer SYSTEM "normalizer.dtd">
+<normalizer name="EventLog-Security-Windows2008[FR]_2"
+            version="0.99"
+            unicode="yes"
+            ignorecase="yes"
+            matchtype="search"
+            appliedTo="eventlog_description"
+            taxonomy="access control"
+            expandWhitespaces="yes">
+    <description>
+        <localized_desc language="en">This normalizer parses common security audit logs from the Windows 2008 Event Log, localized in English.
+The following event IDs are covered: 
+* 4720, 4726, 4738, 4741, 4742, 4743 (Account Management  events),
+</localized_desc>
+        <localized_desc language="fr">Ce normaliseur traite les logs d'audit de sécurité communs du Journal d'Événéments de Windows 2008, en version anglaise.
+Les codes d'événements suivants sont normalisés :
+* 4720, 4726, 4738, 4741, 4742, 4743 (événements de gestion de compte),
+</localized_desc>
+    </description>
+    <authors>
+        <author>lbenlahmr@wallix.com</author>
+    </authors>
+    <callbacks>
+    	<callback name="strip_values">
+for t in log:
+	if isinstance(log[t], basestring):
+		try:
+			log[t] = log[t].strip()
+		except:
+			pass
+    	</callback>
+    	<callback name="decode_logon_type">
+decoder = { '2' : 'Interactive', '3' : 'Network', '4' : 'Batch', '5' : 'Service', '6' : 'Proxy', '7' : 'UnlockWorkstationLogon', '8' : 'NetworkCleartext', '9' : 'NewCredentials', '10' : 'RemoteInteractive', '11' : 'CachedInteractive' }
+log['method'] = decoder.get(value, 'UNKNOWN')
+        </callback>
+         <callback name="decode_password_last_set">
+try:
+	a = long(value)
+	log['password_last_set'] = extras.winUTC2UnixTimestamp(a)
+except:
+	log['password_last_set'] = value
+		</callback>
+		<callback name="decode_expiry_date">
+try:
+	a = long(value)
+	log['expiry_date'] = extras.winUTC2UnixTimestamp(a)
+except:
+	log['expiry_date'] = value
+		</callback>
+    </callbacks>
+    <patterns>
+    	<pattern name="eventID-4720-4741">
+    		<text>Un compte (?:d’utilisateur|d'ordinateur) a été créé. Sujet : ID de sécurité : _SID_ Nom du compte : _ACCOUNTNAME_ Domaine du compte : _ACCOUNTDOMAIN_ ID d’ouverture de session : _LID_ Nouveau compte : ID de sécurité : _NEWSID_ Nom du compte : _NEWUSER_ Domaine du compte : _NEWDOMAIN_ Attributs : Nom du compte SAM : _SAMACCT_ Nom complet : _DISPLAYNAME_ Nom principal de l’utilisateur : _DN_ Répertoire de base : _HOMEDIR_ Lecteur de base : _HOMEDRIVE_ Chemin d’accès au script : _SCRIPTPATH_ Chemin d’accès au profil : _PROFILEPATH_ Stations de travail des utilisateurs : _WORKSTATIONS_ Dernière modification du mot de passe le : _PWDLASTSET_ Le compte expire le : (?:_EXPIRYDATE_ )?ID de groupe principal : _PGID_ Délégué autorisé : _DELEGATETO_ Ancienne valeur UAC : _OLDUAC_ Nouvelle valeur UAC : _NEWUAC_ Contrôle du compte d’utilisateur \(UAC\) : (?:_ACCTCONTROL_ )?Paramètres d’utilisateur : _USERPARAMS_ Historique SID : _SIDHISTORY_ Horaire d’accès : (?:_LOGONHOURS_ )?(?:Nom de l’hôte DNS : _DNS_ Noms principaux des services : _SPN_ )?Informations supplémentaires : Privilèges _ADDINFO_</text>
+    		<tags>
+    			<tag name="security_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The security ID</localized_desc>
+                        <localized_desc language="fr">L'identifiant de sécurité</localized_desc>
+                    </description>
+                    <substitute>_SID_</substitute>
+            	</tag>
+            	<tag name="user" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the account that requested the logon</localized_desc>
+                        <localized_desc language="fr">Identifie le nom du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_ACCOUNTNAME_</substitute>
+            	</tag>
+            	<tag name="domain" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the domaine of the account that requested the logon</localized_desc>
+                        <localized_desc language="fr">Identifie le domaine du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_ACCOUNTDOMAIN_</substitute>
+            	</tag>
+            	<tag name="logon_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The account ID that requested the logon</localized_desc>
+                        <localized_desc language="fr">L'identifiant de connexion du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_LID_</substitute>
+            	</tag>
+            	<tag name="target_security_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The target user name</localized_desc>
+                        <localized_desc language="fr">Le nom d'utilisateur cible</localized_desc>
+                    </description>
+                    <substitute>_NEWSID_</substitute>
+            	</tag>
+            	<tag name="target_user" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The target user name</localized_desc>
+                        <localized_desc language="fr">Le nom d'utilisateur cible</localized_desc>
+                    </description>
+                    <substitute>_NEWUSER_</substitute>
+            	</tag>
+            	<tag name="target_domain" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The domain of the target user</localized_desc>
+                        <localized_desc language="fr">Le domaine de l'utilisateur cible</localized_desc>
+                    </description>
+                    <substitute>_NEWDOMAIN_</substitute>
+            	</tag>
+            	<tag name="sam_account_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the legacy logon name</localized_desc>
+                        <localized_desc language="fr">le nom de compte utilisé par les clients de version antérieure à windows 2003</localized_desc>
+                    </description>
+                    <substitute>_SAMACCT_</substitute>
+            	</tag>
+            	<tag name="display_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the display name</localized_desc>
+                        <localized_desc language="fr">le nom affiché</localized_desc>
+                    </description>
+                    <substitute>_DISPLAYNAME_</substitute>
+            	</tag>
+            	<tag name="principal_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the full user name, in an email format, with either the domain address or the domain's distinguished name</localized_desc>
+                        <localized_desc language="fr">le nom d'utilisateur complet, au format email, accompagné soit de l'adresse de domaine, soit du nom distingué du domaine</localized_desc>
+                    </description>
+                    <substitute>_DN_</substitute>
+            	</tag>
+            	<tag name="home_directory" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the home directory</localized_desc>
+                        <localized_desc language="fr">le répertoire d'accueil</localized_desc>
+                    </description>
+                    <substitute>_HOMEDIR_</substitute>
+            	</tag>
+            	<tag name="home_drive" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the home drive</localized_desc>
+                        <localized_desc language="fr">le disque d'accueil</localized_desc>
+                    </description>
+                    <substitute>_HOMEDRIVE_</substitute>
+            	</tag>
+            	<tag name="script_path" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the path to the user's logon script</localized_desc>
+                        <localized_desc language="fr">le chemin vers le script de démarrage de l'utilisateur</localized_desc>
+                    </description>
+                    <substitute>_SCRIPTPATH_</substitute>
+            	</tag>
+            	<tag name="profile_path" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the path to the user's profile</localized_desc>
+                        <localized_desc language="fr">le chemin vers le profil de l'utilisateur</localized_desc>
+                    </description>
+                    <substitute>_PROFILEPATH_</substitute>
+            	</tag>
+            	<tag name="workstations" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the workstations from which the user can log on</localized_desc>
+                        <localized_desc language="fr">les postes de travail depuis lesquels l'utilisateur peut se connecter</localized_desc>
+                    </description>
+                    <substitute>_WORKSTATIONS_</substitute>
+            	</tag>
+            	<tag name="__password_last_set" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the date at which the password was last set</localized_desc>
+                        <localized_desc language="fr">la date de dernier changement du mot de passe</localized_desc>
+                    </description>
+                    <substitute>_PWDLASTSET_</substitute>
+                    <callbacks>
+                    	<callback>decode_password_last_set</callback>
+                    </callbacks>
+            	</tag>
+            	<tag name="__expiry_date" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the expiry date of the account</localized_desc>
+                        <localized_desc language="fr">la date d'expiration du compte</localized_desc>
+                    </description>
+                    <substitute>_EXPIRYDATE_</substitute>
+                    <callbacks>
+                    	<callback>decode_expiry_date</callback>
+                    </callbacks>
+            	</tag>
+            	<tag name="primary_gid" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the primary group ID</localized_desc>
+                        <localized_desc language="fr">l'identifiant de groupe primaire</localized_desc>
+                    </description>
+                    <substitute>_PGID_</substitute>
+            	</tag>
+            	<tag name="allowed_to_delegate_to" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the list of Service Principal Names to which the user can forward credentials</localized_desc>
+                        <localized_desc language="fr">la liste des Noms Principaux de Services auxquels l'utilisateur peut transférer ses crédences</localized_desc>
+                    </description>
+                    <substitute>_DELEGATETO_</substitute>
+            	</tag>
+            	<tag name="old_uac" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the bitwise value of User Account Control options (old)</localized_desc>
+                        <localized_desc language="fr">l'ancienne valeur en bits des options d'UAC (User Account Control)</localized_desc>
+                    </description>
+                    <substitute>_OLDUAC_</substitute>
+            	</tag>
+            	<tag name="new_uac" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the bitwise value of User Account Control options (new)</localized_desc>
+                        <localized_desc language="fr">la nouvelle valeur en bits des options d'UAC (User Account Control)</localized_desc>
+                    </description>
+                    <substitute>_NEWUAC_</substitute>
+            	</tag>
+            	<tag name="uac" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the User Account Control options</localized_desc>
+                        <localized_desc language="fr">les options d'UAC (User Account Control)</localized_desc>
+                    </description>
+                    <substitute>_ACCTCONTROL_</substitute>
+                </tag>
+                <tag name="user_parameters" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the optional, specific user parameters</localized_desc>
+                        <localized_desc language="fr">les paramètres utilisateurs spécifiques et optionnels</localized_desc>
+                    </description>
+                    <substitute>_USERPARAMS_</substitute>
+            	</tag>
+            	<tag name="sid_history" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the previous SID of the user, in case it was moved from a domain</localized_desc>
+                        <localized_desc language="fr">les précédents SID de l'utilisateur, si celui-ci provient d'un autre domaine</localized_desc>
+                    </description>
+                    <substitute>_SIDHISTORY_</substitute>
+            	</tag>
+            	<tag name="logon_hours" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the allowed logon hours</localized_desc>
+                        <localized_desc language="fr">les heures de connexion autorisées</localized_desc>
+                    </description>
+                    <substitute>_LOGONHOURS_</substitute>
+            	</tag>
+            	<tag name="additional_info" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Additionnal information</localized_desc>
+                        <localized_desc language="fr">Information additionnelle</localized_desc>
+                    </description>
+                    <substitute>_ADDINFO_</substitute>
+            	</tag>
+            	<tag name="dns_host_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">DNS host name</localized_desc>
+                        <localized_desc language="fr">Nom de l'hote DNS</localized_desc>
+                    </description>
+                    <substitute>_DNS_</substitute>
+            	</tag>
+            	<tag name="service_names" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Service principal names</localized_desc>
+                        <localized_desc language="fr">Noms des services</localized_desc>
+                    </description>
+                    <substitute>_SPN_</substitute>
+            	</tag>
+    		</tags>
+    		<examples>
+            	<example>
+            		<text>Un compte d’utilisateur a été créé.
+Sujet :
+	ID de sécurité : ACME-FR\administrator
+	Nom du compte : administrator
+	Domaine du compte : ACME-FR
+	ID d’ouverture de session : 0x20f9d
+	
+Nouveau compte :
+	ID de sécurité : ACME-FR\John.Locke
+	Nom du compte : Naruto
+	Domaine du compte : KONOHA
+
+Attributs :
+	Nom du compte SAM : Naruto
+	Nom complet : Naruto Uzumaki
+	Nom principal de l’utilisateur : Naruto@dc=konoha,dc=shinobi
+	Répertoire de base : -
+	Lecteur de base : -
+	Chemin d’accès au script : -
+	Chemin d’accès au profil : -
+	Stations de travail des utilisateurs : -
+	Dernière modification du mot de passe le : &lt;never&gt;
+	Le compte expire le : &lt;never&gt;
+	ID de groupe principal : 513
+	Délégué autorisé : -
+	Ancienne valeur UAC : 0x0
+	Nouvelle valeur UAC : 0x15
+	Contrôle du compte d’utilisateur (UAC) : Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled
+	Paramètres d’utilisateur : -
+	Historique SID : -
+	Horaire d’accès : &lt;value not set&gt;
+Informations supplémentaires :
+	Privilèges -</text>
+					<expectedTags>
+						<expectedTag name="security_id">ACME-FR\administrator</expectedTag>
+						<expectedTag name="user">administrator</expectedTag>
+						<expectedTag name="domain">ACME-FR</expectedTag>
+						<expectedTag name="logon_id">0x20f9d</expectedTag>
+						<expectedTag name="target_security_id">ACME-FR\John.Locke</expectedTag>
+						<expectedTag name="target_user">Naruto</expectedTag>
+						<expectedTag name="target_domain">KONOHA</expectedTag>
+						<expectedTag name="sam_account_name">Naruto</expectedTag>
+						<expectedTag name="display_name">Naruto Uzumaki</expectedTag>
+						<expectedTag name="principal_name">Naruto@dc=konoha,dc=shinobi</expectedTag>
+						<expectedTag name="home_directory">-</expectedTag>
+						<expectedTag name="home_drive">-</expectedTag>
+						<expectedTag name="script_path">-</expectedTag>
+						<expectedTag name="profile_path">-</expectedTag>
+						<expectedTag name="workstations">-</expectedTag>
+						<expectedTag name="password_last_set">&lt;never&gt;</expectedTag>
+						<expectedTag name="expiry_date">&lt;never&gt;</expectedTag>
+						<expectedTag name="primary_gid">513</expectedTag>
+						<expectedTag name="old_uac">0x0</expectedTag>
+						<expectedTag name="new_uac">0x15</expectedTag>
+						<expectedTag name="uac">Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled</expectedTag>
+        				<expectedTag name="user_parameters">-</expectedTag>
+        				<expectedTag name="sid_history">-</expectedTag>
+        				<expectedTag name="logon_hours">&lt;value not set&gt;</expectedTag>
+        				<expectedTag name="additional_info">-</expectedTag>
+					</expectedTags>
+            	</example>
+            	<example>
+            		<text>Un compte d’utilisateur a été créé.
+Sujet :
+	ID de sécurité : ACME-FR\administrator
+	Nom du compte : administrator
+	Domaine du compte : ACME-FR
+	ID d’ouverture de session : 0x20f9d
+	
+Nouveau compte :
+	ID de sécurité : ACME-FR\John.Locke
+	Nom du compte : Naruto
+	Domaine du compte : KONOHA
+
+Attributs :
+	Nom du compte SAM : Naruto
+	Nom complet : Naruto Uzumaki
+	Nom principal de l’utilisateur : Naruto@dc=konoha,dc=shinobi
+	Répertoire de base : -
+	Lecteur de base : -
+	Chemin d’accès au script : -
+	Chemin d’accès au profil : -
+	Stations de travail des utilisateurs : -
+	Dernière modification du mot de passe le : &lt;never&gt;
+	Le compte expire le : &lt;never&gt;
+	ID de groupe principal : 513
+	Délégué autorisé : -
+	Ancienne valeur UAC : 0x0
+	Nouvelle valeur UAC : 0x15
+	Contrôle du compte d’utilisateur (UAC) : Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled
+	Paramètres d’utilisateur : -
+	Historique SID : -
+	Horaire d’accès : &lt;value not set&gt;
+	Nom de l’hôte DNS : -
+	Noms principaux des services : -
+Informations supplémentaires :
+	Privilèges -</text>
+					<expectedTags>
+						<expectedTag name="security_id">ACME-FR\administrator</expectedTag>
+						<expectedTag name="user">administrator</expectedTag>
+						<expectedTag name="domain">ACME-FR</expectedTag>
+						<expectedTag name="logon_id">0x20f9d</expectedTag>
+						<expectedTag name="target_security_id">ACME-FR\John.Locke</expectedTag>
+						<expectedTag name="target_user">Naruto</expectedTag>
+						<expectedTag name="target_domain">KONOHA</expectedTag>
+						<expectedTag name="sam_account_name">Naruto</expectedTag>
+						<expectedTag name="display_name">Naruto Uzumaki</expectedTag>
+						<expectedTag name="principal_name">Naruto@dc=konoha,dc=shinobi</expectedTag>
+						<expectedTag name="home_directory">-</expectedTag>
+						<expectedTag name="home_drive">-</expectedTag>
+						<expectedTag name="script_path">-</expectedTag>
+						<expectedTag name="profile_path">-</expectedTag>
+						<expectedTag name="workstations">-</expectedTag>
+						<expectedTag name="password_last_set">&lt;never&gt;</expectedTag>
+						<expectedTag name="expiry_date">&lt;never&gt;</expectedTag>
+						<expectedTag name="primary_gid">513</expectedTag>
+						<expectedTag name="old_uac">0x0</expectedTag>
+						<expectedTag name="new_uac">0x15</expectedTag>
+						<expectedTag name="uac">Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled</expectedTag>
+        				<expectedTag name="user_parameters">-</expectedTag>
+        				<expectedTag name="sid_history">-</expectedTag>
+        				<expectedTag name="logon_hours">&lt;value not set&gt;</expectedTag>
+        				<expectedTag name="dns_host_name">-</expectedTag>
+        				<expectedTag name="service_names">-</expectedTag>
+        				<expectedTag name="additional_info">-</expectedTag>
+					</expectedTags>
+            	</example>
+    		</examples>
+    	</pattern>
+    	<pattern name="eventID-4726-4743">    		
+    		<text>Un compte (?:d’utilisateur|d’ordinateur) a été supprimé. Sujet : ID de sécurité : _SID_ Nom du compte : _ACCOUNTNAME_ Domaine du compte : _ACCOUNTDOMAIN_ ID d’ouverture de session : _LID_ (?:Compte|Ordinateur) cible :  ID de sécurité : _TSID_ Nom du compte : _TACCOUNTNAME_ Domaine du compte : _TACCOUNTDOMAIN_ Informations supplémentaires : Privilèges _ADDINFO_</text>
+    		<tags>
+    			<tag name="security_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The security ID</localized_desc>
+                        <localized_desc language="fr">L'identifiant de sécurité</localized_desc>
+                    </description>
+                    <substitute>_SID_</substitute>
+            	</tag>
+            	<tag name="user" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the account that requested the logon</localized_desc>
+                        <localized_desc language="fr">Identifie le nom du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_ACCOUNTNAME_</substitute>
+            	</tag>
+            	<tag name="domain" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the domaine of the account that requested the logon</localized_desc>
+                        <localized_desc language="fr">Identifie le domaine du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_ACCOUNTDOMAIN_</substitute>
+            	</tag>
+            	<tag name="logon_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The account ID that requested the logon</localized_desc>
+                        <localized_desc language="fr">L'identifiant de connexion du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_LID_</substitute>
+            	</tag>
+            	<tag name="target_security_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The security ID</localized_desc>
+                        <localized_desc language="fr">L'identifiant de sécurité</localized_desc>
+                    </description>
+                    <substitute>_TSID_</substitute>
+            	</tag>
+            	<tag name="target_user" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the targeted account</localized_desc>
+                        <localized_desc language="fr">Identifie le nom du compte cible</localized_desc>
+                    </description>
+                    <substitute>_TACCOUNTNAME_</substitute>
+            	</tag>
+            	<tag name="target_domain" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the domaine of the targeted account</localized_desc>
+                        <localized_desc language="fr">Identifie le domaine du compte cible</localized_desc>
+                    </description>
+                    <substitute>_TACCOUNTDOMAIN_</substitute>
+            	</tag>
+            	<tag name="additional_info" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Additional information</localized_desc>
+                        <localized_desc language="fr">Information aditionnelle</localized_desc>
+                    </description>
+                    <substitute>_ADDINFO_</substitute>
+            	</tag>
+    		</tags>
+    		<examples>
+    			<example>
+    				<text>Un compte d’utilisateur a été supprimé.
+Sujet :
+	ID de sécurité : WIN-R9H529RIO4Y\Administrator
+	Nom du compte : Administrator
+	Domaine du compte : WIN-R9H529RIO4Y
+	ID d’ouverture de session : 0x1fd23
+Compte cible :
+	ID de sécurité : WIN-R9H529RIO4Y\bob
+	Nom du compte : bob
+	Domaine du compte : WIN-R9H529RIO4Y
+Informations supplémentaires :
+	Privilèges -</text>
+    				<expectedTags>
+    					<expectedTag name="security_id">WIN-R9H529RIO4Y\Administrator</expectedTag>
+    					<expectedTag name="user">Administrator</expectedTag>
+    					<expectedTag name="domain">WIN-R9H529RIO4Y</expectedTag>
+    					<expectedTag name="logon_id">0x1fd23</expectedTag>
+    					<expectedTag name="target_security_id">WIN-R9H529RIO4Y\bob</expectedTag>
+    					<expectedTag name="target_user">bob</expectedTag>
+    					<expectedTag name="target_domain">WIN-R9H529RIO4Y</expectedTag>
+    					<expectedTag name="additional_info">-</expectedTag>
+    				</expectedTags>
+    			</example>
+    			<example>
+    				<text>Un compte d’ordinateur a été supprimé.
+Sujet :
+	ID de sécurité : WIN-R9H529RIO4Y\Administrator
+	Nom du compte : Administrator
+	Domaine du compte : WIN-R9H529RIO4Y
+	ID d’ouverture de session : 0x1fd23
+Ordinateur cible :
+	ID de sécurité : WIN-R9H529RIO4Y\bob
+	Nom du compte : bob
+	Domaine du compte : WIN-R9H529RIO4Y
+Informations supplémentaires :
+	Privilèges -</text>
+    				<expectedTags>
+    					<expectedTag name="security_id">WIN-R9H529RIO4Y\Administrator</expectedTag>
+    					<expectedTag name="user">Administrator</expectedTag>
+    					<expectedTag name="domain">WIN-R9H529RIO4Y</expectedTag>
+    					<expectedTag name="logon_id">0x1fd23</expectedTag>
+    					<expectedTag name="target_security_id">WIN-R9H529RIO4Y\bob</expectedTag>
+    					<expectedTag name="target_user">bob</expectedTag>
+    					<expectedTag name="target_domain">WIN-R9H529RIO4Y</expectedTag>
+    					<expectedTag name="additional_info">-</expectedTag>
+    				</expectedTags>
+    			</example>
+    		</examples>
+    	</pattern>
+    	<pattern name="eventID-4738-4742">
+    		<text>Un compte (?:d’utilisateur|d’ordinateur) a été modifié. Sujet : ID de sécurité : _SID_ Nom du compte : _ACCOUNTNAME_ Domaine du compte : _ACCOUNTDOMAIN_ ID d’ouverture de session : _LID_ Compte (?:cible|d’ordinateur modifié) : ID de sécurité : _TSID_ Nom du compte : _TACCOUNTNAME_ Domaine du compte : _TACCOUNTDOMAIN_ Attributs modifiés : Nom du compte SAM : _SAMACCT_ Nom complet : _DISPLAYNAME_ Nom principal de l’utilisateur : _DN_ Répertoire de base : _HOMEDIR_ Lecteur de base : _HOMEDRIVE_ Chemin d’accès au script : _SCRIPTPATH_ Chemin d’accès au profil : _PROFILEPATH_ Stations de travail utilisateurs : _WORKSTATIONS_ Dernière modification du mot de passe le : _PWDLASTSET_ Le compte expire le : _EXPIRYDATE_ ID de groupe principal : _PGID_ Délégué autorisé : _DELEGATETO_ Ancienne valeur UAC : _OLDUAC_ Nouvelle valeur UAC : _NEWUAC_ Contrôle du compte d’utilisateur : _ACCTCONTROL_ Paramètres utilisateur : _USERPARAMS_ Historique SID : _SIDHISTORY_ Horaire d’accès : (?:_LOGONHOURS_ )?(?:Nom de l’hôte DNS : _DNS_ Noms principaux des services : _SPN_ )?Informations supplémentaires : Privilèges: _ADDINFO_</text>
+    		<tags>
+    			<tag name="security_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The security ID</localized_desc>
+                        <localized_desc language="fr">L'identifiant de sécurité</localized_desc>
+                    </description>
+                    <substitute>_SID_</substitute>
+            	</tag>
+            	<tag name="user" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the account that requested the logon</localized_desc>
+                        <localized_desc language="fr">Identifie le nom du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_ACCOUNTNAME_</substitute>
+            	</tag>
+            	<tag name="domain" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the domaine of the account that requested the logon</localized_desc>
+                        <localized_desc language="fr">Identifie le domaine du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_ACCOUNTDOMAIN_</substitute>
+            	</tag>
+            	<tag name="logon_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The account ID that requested the logon</localized_desc>
+                        <localized_desc language="fr">L'identifiant de connexion du compte qui a fait la requête de connexion</localized_desc>
+                    </description>
+                    <substitute>_LID_</substitute>
+            	</tag>
+            	<tag name="target_security_id" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">The security ID</localized_desc>
+                        <localized_desc language="fr">L'identifiant de sécurité</localized_desc>
+                    </description>
+                    <substitute>_TSID_</substitute>
+            	</tag>
+            	<tag name="target_user" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the targeted account</localized_desc>
+                        <localized_desc language="fr">Identifie le nom du compte cible</localized_desc>
+                    </description>
+                    <substitute>_TACCOUNTNAME_</substitute>
+            	</tag>
+            	<tag name="target_domain" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Identifies the domaine of the targeted account</localized_desc>
+                        <localized_desc language="fr">Identifie le domaine du compte cible</localized_desc>
+                    </description>
+                    <substitute>_TACCOUNTDOMAIN_</substitute>
+            	</tag>
+            	<tag name="sam_account_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the legacy logon name</localized_desc>
+                        <localized_desc language="fr">le nom de compte utilisé par les clients de version antérieure à windows 2003</localized_desc>
+                    </description>
+                    <substitute>_SAMACCT_</substitute>
+            	</tag>
+            	<tag name="display_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the display name</localized_desc>
+                        <localized_desc language="fr">le nom affiché</localized_desc>
+                    </description>
+                    <substitute>_DISPLAYNAME_</substitute>
+            	</tag>
+            	<tag name="principal_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the full user name, in an email format, with either the domain address or the domain's distinguished name</localized_desc>
+                        <localized_desc language="fr">le nom d'utilisateur complet, au format email, accompagné soit de l'adresse de domaine, soit du nom distingué du domaine</localized_desc>
+                    </description>
+                    <substitute>_DN_</substitute>
+            	</tag>
+            	<tag name="home_directory" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the home directory</localized_desc>
+                        <localized_desc language="fr">le répertoire d'accueil</localized_desc>
+                    </description>
+                    <substitute>_HOMEDIR_</substitute>
+            	</tag>
+            	<tag name="home_drive" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the home drive</localized_desc>
+                        <localized_desc language="fr">le disque d'accueil</localized_desc>
+                    </description>
+                    <substitute>_HOMEDRIVE_</substitute>
+            	</tag>
+            	<tag name="script_path" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the path to the user's logon script</localized_desc>
+                        <localized_desc language="fr">le chemin vers le script de démarrage de l'utilisateur</localized_desc>
+                    </description>
+                    <substitute>_SCRIPTPATH_</substitute>
+            	</tag>
+            	<tag name="profile_path" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the path to the user's profile</localized_desc>
+                        <localized_desc language="fr">le chemin vers le profil de l'utilisateur</localized_desc>
+                    </description>
+                    <substitute>_PROFILEPATH_</substitute>
+            	</tag>
+            	<tag name="workstations" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the workstations from which the user can log on</localized_desc>
+                        <localized_desc language="fr">les postes de travail depuis lesquels l'utilisateur peut se connecter</localized_desc>
+                    </description>
+                    <substitute>_WORKSTATIONS_</substitute>
+            	</tag>
+            	<tag name="__password_last_set" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the date at which the password was last set</localized_desc>
+                        <localized_desc language="fr">la date de dernier changement du mot de passe</localized_desc>
+                    </description>
+                    <substitute>_PWDLASTSET_</substitute>
+                    <callbacks>
+                    	<callback>decode_password_last_set</callback>
+                    </callbacks>
+            	</tag>
+            	<tag name="__expiry_date" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the expiry date of the account</localized_desc>
+                        <localized_desc language="fr">la date d'expiration du compte</localized_desc>
+                    </description>
+                    <substitute>_EXPIRYDATE_</substitute>
+                    <callbacks>
+                    	<callback>decode_expiry_date</callback>
+                    </callbacks>
+            	</tag>
+            	<tag name="primary_gid" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the primary group ID</localized_desc>
+                        <localized_desc language="fr">l'identifiant de groupe primaire</localized_desc>
+                    </description>
+                    <substitute>_PGID_</substitute>
+            	</tag>
+            	<tag name="allowed_to_delegate_to" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the list of Service Principal Names to which the user can forward credentials</localized_desc>
+                        <localized_desc language="fr">la liste des Noms Principaux de Services auxquels l'utilisateur peut transférer ses crédences</localized_desc>
+                    </description>
+                    <substitute>_DELEGATETO_</substitute>
+            	</tag>
+            	<tag name="old_uac" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the bitwise value of User Account Control options (old)</localized_desc>
+                        <localized_desc language="fr">l'ancienne valeur en bits des options d'UAC (User Account Control)</localized_desc>
+                    </description>
+                    <substitute>_OLDUAC_</substitute>
+            	</tag>
+            	<tag name="new_uac" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the bitwise value of User Account Control options (new)</localized_desc>
+                        <localized_desc language="fr">la nouvelle valeur en bits des options d'UAC (User Account Control)</localized_desc>
+                    </description>
+                    <substitute>_NEWUAC_</substitute>
+            	</tag>
+            	<tag name="uac" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the User Account Control options</localized_desc>
+                        <localized_desc language="fr">les options d'UAC (User Account Control)</localized_desc>
+                    </description>
+                    <substitute>_ACCTCONTROL_</substitute>
+                </tag>
+                <tag name="user_parameters" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the optional, specific user parameters</localized_desc>
+                        <localized_desc language="fr">les paramètres utilisateurs spécifiques et optionnels</localized_desc>
+                    </description>
+                    <substitute>_USERPARAMS_</substitute>
+            	</tag>
+            	<tag name="sid_history" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the previous SID of the user, in case it was moved from a domain</localized_desc>
+                        <localized_desc language="fr">les précédents SID de l'utilisateur, si celui-ci provient d'un autre domaine</localized_desc>
+                    </description>
+                    <substitute>_SIDHISTORY_</substitute>
+            	</tag>
+            	<tag name="logon_hours" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">the allowed logon hours</localized_desc>
+                        <localized_desc language="fr">les heures de connexion autorisées</localized_desc>
+                    </description>
+                    <substitute>_LOGONHOURS_</substitute>
+            	</tag>
+            	<tag name="additional_info" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Additionnal information</localized_desc>
+                        <localized_desc language="fr">Information additionnelle</localized_desc>
+                    </description>
+                    <substitute>_ADDINFO_</substitute>
+            	</tag>
+            	<tag name="dns_host_name" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">DNS host name</localized_desc>
+                        <localized_desc language="fr">Nom de l'hote DNS</localized_desc>
+                    </description>
+                    <substitute>_DNS_</substitute>
+            	</tag>
+            	<tag name="service_names" tagType="Anything">
+                    <description>
+                        <localized_desc language="en">Service principal names</localized_desc>
+                        <localized_desc language="fr">Noms des services</localized_desc>
+                    </description>
+                    <substitute>_SPN_</substitute>
+            	</tag>
+    		</tags>
+    		<examples>
+            	<example>
+            		<text>Un compte d’utilisateur a été modifié.
+
+Sujet :
+   ID de sécurité : ACME-FR\administrator
+   Nom du compte : administrator
+   Domaine du compte :  ACME-FR
+   ID d’ouverture de session : 0x20f9d
+
+Compte cible :
+   ID de sécurité : ACME-FR\John.Locke
+   Nom du compte : John.Locke
+   Domaine du compte : ACME-FR
+
+Attributs modifiés :
+   Nom du compte SAM : -
+   Nom complet : -
+   Nom principal de l’utilisateur : -
+   Répertoire de base : -
+   Lecteur de base : -
+   Chemin d’accès au script : -
+   Chemin d’accès au profil : -
+   Stations de travail utilisateurs : -
+   Dernière modification du mot de passe le : -
+   Le compte expire le : -
+   ID de groupe principal : -
+   Délégué autorisé : -
+   Ancienne valeur UAC : 0x10
+   Nouvelle valeur UAC : 0x4010
+   Contrôle du compte d’utilisateur : 'Not Delegated' - Enabled
+   Paramètres utilisateur : -
+   Historique SID : -
+   Horaire d’accès : -
+
+Informations supplémentaires :
+   Privilèges: -</text>
+					<expectedTags>
+						<expectedTag name="security_id">ACME-FR\administrator</expectedTag>
+						<expectedTag name="user">administrator</expectedTag>
+						<expectedTag name="domain">ACME-FR</expectedTag>
+						<expectedTag name="logon_id">0x20f9d</expectedTag>
+						<expectedTag name="target_security_id">ACME-FR\John.Locke</expectedTag>
+						<expectedTag name="target_user">John.Locke</expectedTag>
+						<expectedTag name="target_domain">ACME-FR</expectedTag>
+						<expectedTag name="sam_account_name">-</expectedTag>
+						<expectedTag name="display_name">-</expectedTag>
+						<expectedTag name="principal_name">-</expectedTag>
+						<expectedTag name="home_directory">-</expectedTag>
+						<expectedTag name="home_drive">-</expectedTag>
+						<expectedTag name="script_path">-</expectedTag>
+						<expectedTag name="profile_path">-</expectedTag>
+						<expectedTag name="workstations">-</expectedTag>
+						<expectedTag name="password_last_set">-</expectedTag>
+						<expectedTag name="expiry_date">-</expectedTag>
+						<expectedTag name="primary_gid">-</expectedTag>
+						<expectedTag name="old_uac">0x10</expectedTag>
+						<expectedTag name="new_uac">0x4010</expectedTag>
+						<expectedTag name="uac">'Not Delegated' - Enabled</expectedTag>
+        				<expectedTag name="user_parameters">-</expectedTag>
+        				<expectedTag name="sid_history">-</expectedTag>
+        				<expectedTag name="logon_hours">-</expectedTag>
+        				<expectedTag name="additional_info">-</expectedTag>
+					</expectedTags>
+            	</example>
+            	<example>
+            		<text>Un compte d’ordinateur a été modifié.
+
+Sujet :
+   ID de sécurité : ACME-FR\administrator
+   Nom du compte : administrator
+   Domaine du compte :  ACME-FR
+   ID d’ouverture de session : 0x20f9d
+
+Compte d’ordinateur modifié :
+   ID de sécurité : ACME-FR\John.Locke
+   Nom du compte : John.Locke
+   Domaine du compte : ACME-FR
+
+Attributs modifiés :
+   Nom du compte SAM : -
+   Nom complet : -
+   Nom principal de l’utilisateur : -
+   Répertoire de base : -
+   Lecteur de base : -
+   Chemin d’accès au script : -
+   Chemin d’accès au profil : -
+   Stations de travail utilisateurs : -
+   Dernière modification du mot de passe le : -
+   Le compte expire le : -
+   ID de groupe principal : -
+   Délégué autorisé : -
+   Ancienne valeur UAC : 0x10
+   Nouvelle valeur UAC : 0x4010
+   Contrôle du compte d’utilisateur : 'Not Delegated' - Enabled
+   Paramètres utilisateur : -
+   Historique SID : -
+   Horaire d’accès : -
+   Nom de l’hôte DNS : -
+   Noms principaux des services : -
+   
+Informations supplémentaires :
+   Privilèges: -</text>
+					<expectedTags>
+						<expectedTag name="security_id">ACME-FR\administrator</expectedTag>
+						<expectedTag name="user">administrator</expectedTag>
+						<expectedTag name="domain">ACME-FR</expectedTag>
+						<expectedTag name="logon_id">0x20f9d</expectedTag>
+						<expectedTag name="target_security_id">ACME-FR\John.Locke</expectedTag>
+						<expectedTag name="target_user">John.Locke</expectedTag>
+						<expectedTag name="target_domain">ACME-FR</expectedTag>
+						<expectedTag name="sam_account_name">-</expectedTag>
+						<expectedTag name="display_name">-</expectedTag>
+						<expectedTag name="principal_name">-</expectedTag>
+						<expectedTag name="home_directory">-</expectedTag>
+						<expectedTag name="home_drive">-</expectedTag>
+						<expectedTag name="script_path">-</expectedTag>
+						<expectedTag name="profile_path">-</expectedTag>
+						<expectedTag name="workstations">-</expectedTag>
+						<expectedTag name="password_last_set">-</expectedTag>
+						<expectedTag name="expiry_date">-</expectedTag>
+						<expectedTag name="primary_gid">-</expectedTag>
+						<expectedTag name="old_uac">0x10</expectedTag>
+						<expectedTag name="new_uac">0x4010</expectedTag>
+						<expectedTag name="uac">'Not Delegated' - Enabled</expectedTag>
+        				<expectedTag name="user_parameters">-</expectedTag>
+        				<expectedTag name="sid_history">-</expectedTag>
+        				<expectedTag name="logon_hours">-</expectedTag>
+        				<expectedTag name="dns_host_name">-</expectedTag>
+        				<expectedTag name="service_names">-</expectedTag>
+        				<expectedTag name="additional_info">-</expectedTag>
+					</expectedTags>
+            	</example>
+    		</examples>
+    	</pattern>
+    </patterns>
+   	<finalCallbacks>
+    	<callback>strip_values</callback>
+    </finalCallbacks>
+</normalizer>
+    	
\ No newline at end of file