Add options : delimiter for CSV, stop recursion, file pattern

docs/Advanced.md

@@ -71,6 +71,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
 - `--dbfile <FILE>` allows you to export all the logs in a SQLite 3 database file. You can query the logs with SQL statements to find more things than what the Sigma rules could have found
 - `--keeptmp` allows you to keep the source logs (EVTX/Auditd/Evtxtract/XML...) converted in JSON format
 - `--keepflat` allow you to keep the source logs (EVTX/Auditd/Evtxtract/XML...) converted in a flattened JSON format
+
 ---
 
 ### Filtering
@@ -238,14 +239,14 @@ Zircolite is able to forward all events and not just the detected events to Splu
 
 ### Templating and Formatting
 
-Zircolite provides a templating system based on Jinja 2. It allows you to change the output format to suits your needs (Splunk or ELK integration, Grep-able output...). There are some templates available in the [Templates directory](../templates) of the repository : CSV, Splunk, Mini-GUI. To use the template system, use these arguments :
+Zircolite provides a templating system based on Jinja 2. It allows you to change the output format to suits your needs (Splunk or ELK integration, Grep-able output...). There are some templates available in the [Templates directory](../templates) of the repository : Splunk, Timesketch, ... To use the template system, use these arguments :
 
 - `--template <template_filename>`
 - `--templateOutput <output_filename>`
 
 ```shell
 python3 zircolite.py --evtx sample.evtx  --ruleset rules/rules_windows_sysmon.json \
---template templates/exportCSV.tmpl --templateOutput test.csv
+--template templates/exportForSplunk.tmpl --templateOutput exportForSplunk.json
 ```
 
 It is possible to use multiple templates if you provide for each `--template` argument there is a `--templateOutput` argument associated.
@@ -261,7 +262,7 @@ The Mini-GUI can be used totally offline, it allows the user to display and sear
 
 #### Automatic generation
 
-As of Zircolite 2.1.0, with the non-embedded versions, the easier way to use the Mini-GUI is to generate a package with the `--package` option. A zip file containing all the necessary data will be generated at the root of the repository.  
+As of Zircolite 2.1.0, the easier way to use the Mini-GUI is to generate a package with the `--package` option. A zip file containing all the necessary data will be generated at the root of the repository.  
 
 #### Manual generation
 

docs/Usage.md

@@ -45,11 +45,14 @@ python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json
 
 It also works directly on an unique EVTX file.
 
+:information_source: `--evtx`, `--events` and `-e` are equivalent
+
 By default : 
 
 - `--ruleset` is not mandatory but the default ruleset will be `rules/rules_windows_generic.json`
 - Results are written in the `detected_events.json` in the same directory as Zircolite
 - There is a `zircolite.log`file that will be created in the current working directory
+- `Zircolite` will automatically choose a file extension, you can change it with `--fileext`. This option can be used with wildcards or [Python Glob syntax](https://docs.python.org/3/library/glob.html) but with `*.` added before the given parameter value : `*.<FILEEXT PARAMETER VALUE>`. For example `--fileext log` will search for `*.log` files in the given path and `--fileext log.*` will search for `*.log.*` which can be useful when handling linux log files (auditd.log.1...).
 
 #### XML logs : 
 
@@ -116,13 +119,11 @@ python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysm
 It is possible to use Zircolite directly on JSONL/NDJSON files (NXLog files) with the `--jsononly` or `-j` arguments : 
 
 ```shell
-python3 zircolite.py --events <EVTX_FOLDER> --ruleset <RULESET> --jsononly
+python3 zircolite.py --events <LOGS_FOLDER> --ruleset <RULESET> --jsononly
 ```
 
 A simple use case is when you have already run Zircolite and use the `--keeptmp` option. Since it keeps all the converted EVTX in a temp directory, if you need to re-execute Zircolite, you can do it directly using this directory as the EVTX source (with `--evtx <EVTX_IN_JSON_DIRECTORY>` and `--jsononly`) and avoid to convert the EVTX again.
 
-:information_source: You can change the file extension with `--fileext`.
-
 #### SQLite database files
 
 Since everything in Zircolite is stored in a in-memory SQlite database, you can choose to save the database on disk for later use. It is possible with the option `--dbfile <db_filename>`.