# Base install directory; %ROOT% is expanded in every path below.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
# Cache (where the SavePos TRUE inputs keep their read offsets), pid file,
# spool and the agent's own log all live under %ROOT%\data.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# GELF encoder; both om_udp outputs below select it with "OutputType GELF".
<Extension gelf>
    Module xm_gelf
</Extension>
# Include fileop while debugging, also enable in the output module below
# (no output in this file currently references it).
#<Extension fileop>
#    Module xm_fileop
#</Extension>

# JSON helpers: to_json() is called by the SCEP input and the out_e output.
<Extension json>
    Module xm_json
</Extension>
# Syslog helpers; loaded, but no Exec in this file calls any of its functions.
<Extension syslog>
    Module xm_syslog
</Extension>
# CSV parser for the exported SCEP (presumably System Center Endpoint
# Protection) detection rows read by the SCEP input below via
# scep_csv->parse_csv(). Fields and FieldTypes must stay one-to-one; every
# column is kept as a string, so any numeric/time handling happens later.
<Extension scep_csv>
    Module xm_csv
    Fields $Type,$RowID,$Name,$Description,$Timestamp,$SchemaVersion,$ObserverHost,$ObserverUser,$ObserverProductName,$ObserverProductversion,$ObserverProtectionType,$ObserverProtectionVersion,$ObserverProtectionSignatureVersion,$ObserverDetection,$ObserverDetectionTime,$ActorHost,$ActorUser,$ActorProcess,$ActorResource,$ActionType,$TargetHost,$TargetUser,$TargetProcess,$TargetResource,$ClassificationID,$ClassificationType,$ClassificationSeverity,$ClassificationCategory,$RemediationType,$RemediationResult,$RemediationErrorCode,$RemediationPendingAction,$IsActiveMalware
    FieldTypes string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
    Delimiter ','
    QuoteChar '"'
    # Control characters are passed through unescaped; a bare "-" column is
    # treated as an undefined field.
    EscapeControl FALSE
    UndefValue -
</Extension>
# '>'-delimited parser intended for Configuration Manager log lines.
# NOTE(review): nothing in this file calls sccm_csv->parse_csv() — the SCCM
# input below forwards raw lines — so this extension is currently unused.
# NOTE(review): QuoteChar ''' is meant to select the single quote; confirm
# nxlog accepts this spelling rather than a double-quoted "'".
<Extension sccm_csv>
    Module xm_csv
    Fields $Message,$Component,$Date,$Thread
    FieldTypes string,string,string,string
    Delimiter '>'
    QuoteChar '''
    EscapeControl FALSE
    UndefValue -
</Extension>
# Windows event log reader (Vista/2008+ API; see the im_mseventlog note for
# older hosts). Only Application-log events from the SMS* providers
# (presumably the Configuration Manager client/server components) are
# collected; the filter is applied at the source, so nothing else is read.
<Input EVENTLOG>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    #Module im_mseventlog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[Provider[@Name='SMS Client' or @Name='SMS Performance Data Provider' or @Name='SMS Provider' or @Name='SMS Server']]]</Select>\
        </Query>\
    </QueryList>
</Input>
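# Tails the SCEP CSV export and turns each data row into a JSON message.
# Lines starting with '#' (header/comment lines) are dropped. Every other
# line is parsed with the scep_csv field list above, $EventTime is derived
# from the row's own $Timestamp column, $SourceName labels the record for
# the collector, and $Message carries the JSON rendering of all fields.
#
# Fixes versus the earlier revision:
#  - $date and $time are not in the scep_csv field list, so
#    parsedate($date + " " + $time) operated on undefined values; the CSV's
#    $Timestamp column is used instead. parsedate() must understand that
#    column's format — verify against a sample row, otherwise $EventTime
#    stays undefined.
#  - $SourceName was "IIS", a copy-paste leftover that mislabelled Endpoint
#    Protection events on the collector; it is now "SCEP".
<Input SCEP>
    Module im_file
    # Placeholder: path of the exported SCEP CSV file.
    File "your_chosen_location\\scep.csv"
    # Persist the read offset (under CacheDir) so rows are not re-sent after
    # a service restart.
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             scep_csv->parse_csv(); \
             $EventTime = parsedate($Timestamp); \
             $SourceName = "SCEP"; \
             $Message = to_json(); \
         }
</Input>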
# Tails the Configuration Manager log files. Lines are forwarded as-is: the
# sccm_csv parser defined above is never invoked here (no
# sccm_csv->parse_csv()), so $event is simply a copy of the raw line.
<Input SCCM>
    Module im_file
    # Replace the path below with the location of the SCCM logs.
    # NOTE(review): the "\\\*" in the glob looks like a rendering artefact
    # of the gist; the intended pattern is presumably "D:\\CM\\Logs\\*.log" —
    # confirm before use.
    File "D:\\CM\\Logs\\\*.log"
    # Persist the read offset (under CacheDir) across restarts.
    SavePos TRUE
    Exec $event = $raw_event;
</Input>
# GELF over plain UDP to the collector (used by Routes 1 and 3). UDP gives no
# delivery guarantee, integrity or confidentiality: dropped datagrams vanish
# silently (a detection gap that is invisible at the sender) and the stream
# can be read or spoofed on the path. NOTE(review): om_tcp/om_ssl is the
# usual mitigation if the collector accepts those transports.
<Output out>
    Module om_udp
    # Placeholder: collector address; 12202 is its GELF UDP listener port.
    Host your_host_ip_or_fqdn
    Port 12202
    OutputType GELF
</Output>
# Same destination and transport as "out" (see the UDP caveats there); the
# only difference is the to_json() step, which presumably rewrites $raw_event
# as JSON before the GELF encoder runs. Used by Route 2 for the EVENTLOG
# input, whose records are otherwise not JSON-encoded.
<Output out_e>
    Module om_udp
    # Placeholder: collector address; 12202 is its GELF UDP listener port.
    Host your_host_ip_or_fqdn
    Port 12202
    Exec to_json();
    OutputType GELF
</Output>
# Route names are only labels; each Path wires one input to one output.
# SCCM and SCEP records already carry their own formatting and go straight
# to "out"; EVENTLOG records go via "out_e" so to_json() is applied first.
<Route 1>
    Path SCCM => out
</Route>
<Route 2>
    Path EVENTLOG => out_e
</Route>
<Route 3>
    Path SCEP => out
</Route>