@Ioan-Popovici
Last active December 1, 2021 09:17
NXLog configuration for SCCM Logging
Define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

# Include fileop while debugging, also enable in the output module below
# <Extension fileop>
#     Module xm_fileop
# </Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension SCEP_CSV>
    Module xm_csv
    Fields $Type,$RowID,$Name,$Description,$Timestamp,$SchemaVersion,$ObserverHost,$ObserverUser,$ObserverProductName,$ObserverProductversion,$ObserverProtectionType,$ObserverProtectionVersion,$ObserverProtectionSignatureVersion,$ObserverDetection,$ObserverDetectionTime,$ActorHost,$ActorUser,$ActorProcess,$ActorResource,$ActionType,$TargetHost,$TargetUser,$TargetProcess,$TargetResource,$ClassificationID,$ClassificationType,$ClassificationSeverity,$ClassificationCategory,$RemediationType,$RemediationResult,$RemediationErrorCode,$RemediationPendingAction,$IsActiveMalware
    FieldTypes string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
    Delimiter ','
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Extension SCCM_CSV>
    Module xm_csv
    Fields $Message,$Component,$Date,$Thread
    FieldTypes string,string,string,string
    Delimiter '>'
    # A single quote used as the quote character has to be written inside double quotes
    QuoteChar "'"
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input EVENTLOG>
    Module im_msvistalog
    # For Windows 2003 and earlier use the following:
    # Module im_mseventlog
    # Only collect Application log events written by the ConfigMgr client, provider and server sources
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[Provider[@Name='SMS Client' or @Name='SMS Performance Data Provider' or @Name='SMS Provider' or @Name='SMS Server']]]</Select>\
        </Query>\
    </QueryList>
</Input>

<Input SCEP>
    Module im_file
    # Location of the SCEPDetectionLog.csv
    File "CSV_File_Location\\Get-SCEPDetectionLogs.csv"
    SavePos TRUE
    # Drop comment/header lines; otherwise parse the row into the SCEP_CSV fields,
    # take the event time from the $Timestamp column and serialise the fields as JSON
    Exec if $raw_event =~ /^#/ drop(); \
         else { \
             SCEP_CSV->parse_csv(); \
             $EventTime = parsedate($Timestamp); \
             $SourceName = "SCEP"; \
             $Message = to_json(); \
         }
</Input>

<Input SCCM>
    Module im_file
    # SCCM Log Location
    File "D:\\CM\\Logs\\*.log"
    SavePos TRUE
    # Log lines are forwarded as-is; the SCCM_CSV parser above is defined but not applied here
    Exec $event = $raw_event;
</Input>

<Output out>
    Module om_udp
    Host your_host_ip_or_fqdn
    Port 12202
    OutputType GELF
</Output>

<Output out_e>
    Module om_udp
    Host your_host_ip_or_fqdn
    Port 12202
    # Serialise the event log fields to JSON before GELF encoding
    Exec to_json();
    OutputType GELF
</Output>

<Route 1>
    Path SCCM => out
</Route>

<Route 2>
    Path EVENTLOG => out_e
</Route>

<Route 3>
    Path SCEP => out
</Route>
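The SCCM route above forwards each raw .log line over UDP in GELF, leaving the receiver to make sense of the CMTrace record format that ConfigMgr writes (`<![LOG[message]LOG]!><time="..." date="..." component="..." ...>`). The following Python is an added example, not part of the gist or of NXLog, showing what a downstream parser has to do with such a line: split out the message and its attributes, convert the CMTrace date and time into an epoch timestamp, and wrap the result in a GELF 1.1 payload like the one xm_gelf emits. SAMPLE_LINE is a constructed record; the hostname is a placeholder; the CMTrace time suffix is treated as the local UTC offset in minutes, which is this example's assumption about the format.

```python
"""Parse CMTrace-format ConfigMgr log lines and wrap them in GELF 1.1 messages."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample record in the CMTrace format written to ConfigMgr .log files
# (not taken from the gist). The trailing "+60" is read as the local UTC offset in minutes.
SAMPLE_LINE = (
    '<![LOG[Raising event: instance of CCM_PolicyAgent_PolicyDownloadFailed]LOG]!>'
    '<time="14:05:27.123+60" date="11-30-2021" component="PolicyAgent" '
    'context="" type="2" thread="4520" file="policyagent.cpp:1234">'
)

# One record: the message body between <![LOG[ ... ]LOG]!>, then key="value" attributes.
RECORD_RE = re.compile(r'^<!\[LOG\[(?P<message>.*?)\]LOG\]!><(?P<attrs>[^>]*)>$', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
TIME_RE = re.compile(r'^(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,3}))?([+-]\d+)$')

# CMTrace "type" 1/2/3 = info/warning/error, mapped onto the syslog levels GELF uses.
TYPE_TO_LEVEL = {"1": 6, "2": 4, "3": 3}


def parse_cmtrace(line):
    """Return the fields of one CMTrace record as a dict, or raise ValueError."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError("not a CMTrace record")
    fields = dict(ATTR_RE.findall(m.group("attrs")))
    fields["message"] = m.group("message")
    return fields


def cmtrace_epoch(date_str, time_str):
    """Convert a CMTrace date (MM-DD-YYYY) and time (HH:MM:SS.mmm<+/-offsetMinutes>)
    to a UTC epoch float. Assumes the signed suffix is the local UTC offset in minutes."""
    m = TIME_RE.match(time_str)
    if m is None:
        raise ValueError("bad CMTrace time: %r" % time_str)
    hh, mm, ss, frac, offset = m.groups()
    millis = int((frac or "0").ljust(3, "0"))
    month, day, year = (int(p) for p in date_str.split("-"))
    tz = timezone(timedelta(minutes=int(offset)))
    local = datetime(year, month, day, int(hh), int(mm), int(ss), millis * 1000, tzinfo=tz)
    return local.timestamp()


def to_gelf(line, host):
    """Build a GELF 1.1 message (the shape xm_gelf produces) from one CMTrace line."""
    f = parse_cmtrace(line)
    gelf = {
        "version": "1.1",
        "host": host,
        "short_message": f["message"],
        "timestamp": cmtrace_epoch(f["date"], f["time"]),
        "level": TYPE_TO_LEVEL.get(f.get("type", ""), 6),
        # GELF additional fields must carry a leading underscore.
        "_component": f.get("component", ""),
        "_thread": f.get("thread", ""),
        "_file": f.get("file", ""),
    }
    return json.dumps(gelf, sort_keys=True)


if __name__ == "__main__":
    # "sccm01.example.internal" is a placeholder host name.
    print(to_gelf(SAMPLE_LINE, "sccm01.example.internal"))
```

Running the module prints a single-line GELF document for the constructed record; feeding it real lines from the D:\CM\Logs directory referenced in the config is a quick way to confirm that the receiving side extracts the component, thread and severity you expect before relying on them in detections.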