# Global nxlog settings for a default Windows (x86 program files) install.
# Every other path below is derived from ROOT, so changing it once is enough.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
# Persistent state (e.g. per-input read positions saved by SavePos) goes under data\.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# nxlog's own diagnostic log; check here first when an input or output fails to load.
LogFile %ROOT%\data\nxlog.log
# GELF serialiser; required by the "OutputType GELF" setting on both outputs below.
<Extension gelf>
Module xm_gelf
</Extension>
# xm_fileop is only needed for debugging (e.g. writing events to a local file from an
# Exec with file_write()). Uncomment this extension AND add the matching Exec to an
# output module if you want that — none of the outputs below use it as written.
#<Extension fileop>
# Module xm_fileop
#</Extension>
# Provides to_json(); used by the SCEP input and the out_e output.
<Extension json>
Module xm_json
</Extension>
# Syslog helpers. Nothing in this file references them (no to_syslog_*/parse_syslog
# calls), so this extension is currently unused and can be dropped if not needed.
<Extension syslog>
Module xm_syslog
</Extension>
# Column layout of the SCEP (Endpoint Protection) CSV export, consumed by
# scep_csv->parse_csv() in the SCEP input. The column order here must match
# the file exactly; a mismatch silently shifts every field by one.
<Extension scep_csv>
Module xm_csv
Fields $Type,$RowID,$Name,$Description,$Timestamp,$SchemaVersion,$ObserverHost,$ObserverUser,$ObserverProductName,$ObserverProductversion,$ObserverProtectionType,$ObserverProtectionVersion,$ObserverProtectionSignatureVersion,$ObserverDetection,$ObserverDetectionTime,$ActorHost,$ActorUser,$ActorProcess,$ActorResource,$ActionType,$TargetHost,$TargetUser,$TargetProcess,$TargetResource,$ClassificationID,$ClassificationType,$ClassificationSeverity,$ClassificationCategory,$RemediationType,$RemediationResult,$RemediationErrorCode,$RemediationPendingAction,$IsActiveMalware
# All columns are kept as strings; no integer/datetime conversion happens at parse time.
FieldTypes string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
Delimiter ','
QuoteChar '"'
# Control characters in field values are passed through unescaped.
EscapeControl FALSE
# Missing/empty columns are emitted as "-".
UndefValue -
</Extension>
# '>'-delimited field layout intended for SCCM component logs.
# NOTE(review): nothing in this file calls sccm_csv->parse_csv() — the SCCM input
# below forwards $raw_event untouched — so this definition is currently dead config.
<Extension sccm_csv>
Module xm_csv
Fields $Message,$Component,$Date,$Thread
FieldTypes string,string,string,string
Delimiter '>'
# A single quote as the quote character, written as '''.
QuoteChar '''
EscapeControl FALSE
UndefValue -
</Extension>
# Windows Event Log reader limited to the SMS (ConfigMgr) providers in the
# Application log. Everything else in that log is excluded by the XPath below.
<Input EVENTLOG>
Module im_msvistalog
# For windows 2003 and earlier use the following:
#Module im_mseventlog
# The trailing backslashes continue the Query value across lines; do not put
# comments inside the continued block.
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Provider[@Name='SMS Client' or @Name='SMS Performance Data Provider' or @Name='SMS Provider' or @Name='SMS Server']]]</Select>\
</Query>\
</QueryList>
</Input>
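# Tails the SCEP (Endpoint Protection) CSV export and parses each row with the
# scep_csv field list declared above.
<Input SCEP>
Module im_file
# Placeholder: replace with the real path of the exported CSV.
File "your_chosen_location\\scep.csv"
# Remember the read offset across restarts so rows are not re-sent.
SavePos TRUE
# Lines starting with '#' are dropped as comments/header. NOTE(review): if the
# export's header row starts with a column name ("Type,...") rather than '#',
# it will be parsed as a data record — confirm against a real file.
# The original Exec set $EventTime from $date/$time (copied from nxlog's IIS
# example) — neither field is ever populated here, so $EventTime was always
# undefined — and tagged the source as "IIS". It now uses the $Timestamp column
# declared in scep_csv and tags the source as SCEP. parsedate() returns undef
# if the column's format is not one it recognises; verify with real data.
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
scep_csv->parse_csv(); \
$EventTime = parsedate($Timestamp); \
$SourceName = "SCEP"; \
$Message = to_json(); \
}
</Input>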
# Tails every *.log under the SCCM log directory and forwards each line as-is
# (no parsing; the sccm_csv extension above is not applied here).
<Input SCCM>
Module im_file
# Replace the path below with the location of the SCCM logs.
# NOTE(review): the triple backslash before '*' looks like a stray escape (possibly
# from markdown). nxlog's usual double-quoted form is "D:\\CM\\Logs\\*.log" —
# confirm the wildcard actually matches files before relying on this input.
File "D:\\CM\\Logs\\\*.log"
# Remember the read offset per file across restarts.
SavePos TRUE
# Copy the raw line into a field named $event so it appears as its own GELF field.
Exec $event = $raw_event;
</Input>
# GELF over plain UDP to the collector (used by the SCCM and SCEP routes).
# Security/reliability caveat: UDP gives no encryption, no integrity and no
# delivery guarantee — events can be read or spoofed on the network path, and
# bursts are silently dropped. Outside a lab, prefer om_tcp with
# "OutputType GELF_TCP", or om_ssl with a CA-verified collector certificate,
# and restrict the collector port to known agent sources.
<Output out>
Module om_udp
# Placeholder: set to the Graylog/GELF collector address.
Host your_host_ip_or_fqdn
Port 12202
OutputType GELF
</Output>
# Same collector and transport as "out" (plain UDP — see the caveat there), used
# only by the EVENTLOG route. The only difference is the Exec below.
<Output out_e>
Module om_udp
# Placeholder: set to the Graylog/GELF collector address.
Host your_host_ip_or_fqdn
Port 12202
# NOTE(review): the procedure form of to_json() rewrites $raw_event as JSON, but
# OutputType GELF builds the message from the event's fields itself, so this is
# presumably redundant (it may just duplicate the fields inside the GELF message).
# Confirm on the collector side; if it adds nothing, the two outputs can be merged.
Exec to_json();
OutputType GELF
</Output>
# Routing: SCCM file logs and SCEP CSV rows go to "out"; Windows Event Log
# events go to "out_e". Both outputs target the same host and port, differing
# only in the to_json() Exec on out_e.
<Route 1>
Path SCCM => out
</Route>
<Route 2>
Path EVENTLOG => out_e
</Route>
<Route 3>
Path SCEP => out
</Route>