-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathnxlog.conf
127 lines (108 loc) · 7.1 KB
/
nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0" Path="System">\
<Select Path="System">*[System[(Level=4 or Level=0) and (EventID=4740 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4735 or EventID=4628)]]</Select>\
<Select Path="Microsoft-Windows-Security-Audit-Configuration-Client/Operational">*[System[(Level=4 or Level=0) and (EventID=4740 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4735 or EventID=4628)]]</Select>\
<Select Path="System">*[System[Provider[@Name='LsaSrv'] and (EventID=40960)]]</Select>\
</Query>\
<Query Id="1" Path="Application">\
<Select Path="Application">*[System[(Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1000 or EventID=1002 or EventID=1001 or EventID=1 or EventID=2)]]</Select>\
<Select Path="System">*[System[(Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1000 or EventID=1002 or EventID=1001 or EventID=1 or EventID=2)]]</Select>\
<Select Path="Application">*[System[Provider[@Name='.NET Runtime'] and (EventID=1026)]]</Select>\
</Query>\
<Query Id="2" Path="Microsoft-Windows-AppLocker/EXE and DLL">\
<Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(EventID=8004 or EventID=8003 or EventID=8006 or EventID=8007)]]</Select>\
<Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[(EventID=8004 or EventID=8003 or EventID=8006 or EventID=8007)]]</Select>\
</Query>\
<Query Id="3" Path="Security">\
<Select Path="Security">*[System[(Level=4 or Level=0) and (EventID=104 or EventID=1102)]]</Select>\
<Select Path="System">*[System[(Level=4 or Level=0) and (EventID=104 or EventID=1102)]]</Select>\
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (Level=4 or Level=0) and (EventID=6005)]]</Select>\
<Select Path="Setup">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (Level=4 or Level=0) and (EventID=6005)]]</Select>\
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (Level=4 or Level=0) and (EventID=6005)]]</Select>\
</Query>\
<Query Id="4" Path="System">\
<Select Path="System">*[System[(EventID=43 or EventID=400)]]</Select>\
</Query>\
<Query Id="5" Path="System">\
<Select Path="System">*[System[(Level=2 or Level=3 or Level=4 or Level=0) and (EventID=5038 or EventID=6281 or EventID=3001 or EventID=3002 or EventID=3003 or EventID=3004 or EventID=3010 or EventID=3023 or EventID=219)]]</Select>\
<Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[(Level=2 or Level=3 or Level=4 or Level=0) and (EventID=5038 or EventID=6281 or EventID=3001 or EventID=3002 or EventID=3003 or EventID=3004 or EventID=3010 or EventID=3023 or EventID=219)]]</Select>\
</Query>\
<Query Id="6" Path="Security">\
<Select Path="Security">*[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4625)]]</Select>\
<Select Path="Microsoft-Windows-NTLM/Operational">*[System[(Level=4 or Level=0) and (EventID=4624 or EventID=4625)]]</Select>\
</Query>\
<Query Id="7" Path="Application">\
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=64004 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4657 or EventID=7035 or EventID=7036 or EventID=7040)]]</Select>\
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=64004 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4657 or EventID=7035 or EventID=7036 or EventID=7040)]]</Select>\
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=64004 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4657 or EventID=7035 or EventID=7036 or EventID=7040)]]</Select>\
</Query>\
<Query Id="8" Path="Application">\
<Select Path="Application">*[System[(Level=4 or Level=0) and (EventID=6 or EventID=7045 or EventID=1022 or EventID=1033 or EventID=903 or EventID=904 or EventID=905 or EventID=906 or EventID=907 or EventID=908)]]</Select>\
<Select Path="System">*[System[(Level=4 or Level=0) and (EventID=6 or EventID=7045 or EventID=1022 or EventID=1033 or EventID=903 or EventID=904 or EventID=905 or EventID=906 or EventID=907 or EventID=908)]]</Select>\
<Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*[System[(Level=4 or Level=0) and (EventID=6 or EventID=7045 or EventID=1022 or EventID=1033 or EventID=903 or EventID=904 or EventID=905 or EventID=906 or EventID=907 or EventID=908)]]</Select>\
</Query>\
<Query Id="9">\
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
</Query>\
<Query Id="10" Path="System">\
<Select Path="System">*[System[(Level=2) and (EventID=7000 or EventID=7011 or EventID=7022 or EventID=7023 or EventID=7024 or EventID=7026 or EventID=7030 or EventID=7031 or EventID=7032 or EventID=7034 or EventID=7043)]]</Select>\
</Query>\
</QueryList>
# note by tak (3/17/2015)
# $EventTime maps to Windows event log's Event/System/TimeCreated in datetime type (refer to nxlog's manual).
# The time granularity on Windows is microseconds, we divide it by 1000 to get a millisecond epoch.
# The reason we use epoch is because (1) it's a format elasticsearch can easily parse,
# and (2) strftime function in nxlog (which is from libc) can't handle milliseconds.
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
Exec $EventTime = integer($EventTime) / 1000; to_json();
# Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; to_json();
# Exec to_json();
# Exec $Message = to_json();
# Exec to_json();
#Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>
<Output out2>
Module om_file
File 'C:/logmsg.txt'
</Output>
<Output out>
Module om_tcp
Host 192.168.1.181
Port 3515
</Output>
<Output out3>
Module om_tcp
Host 50.19.98.204
Port 5140
</Output>
<Output out4>
Module om_ssl
Host 192.168.1.181
Port 5141
CAFile %CERTDIR%/loggly_full.crt
AllowUntrusted FALSE
</Output>
<Route 1>
Path internal, eventlog => out3
</Route>