NXLog configuration for SCCM Logging
# NXLog agent configuration: forwards SCCM log files, a SCEP detection CSV and
# SMS-provider events from the Windows Application log as GELF over UDP.
# Paths assume the 32-bit NXLog install location.
Define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
# Position cache (used by the SavePos inputs below) and spool live under data\.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# NXLog's own diagnostic log (not the forwarded data).
LogFile %ROOT%\data\nxlog.log
# GELF serialisation; required by the two outputs that set OutputType GELF.
<Extension gelf>
    Module xm_gelf
</Extension>
# Debugging aid: uncomment xm_fileop to get file_write() and call it from an
# output's Exec to dump events locally. No output below currently calls it.
# <Extension fileop>
#     Module xm_fileop
# </Extension>
# Provides to_json(); used by the SCEP input ($Message) and the out_e output.
<Extension json>
    Module xm_json
</Extension>
# NOTE(review): loaded but unused -- no input or output in this file calls
# parse_syslog()/to_syslog(). Harmless, but can be dropped to shrink the
# loaded module set.
<Extension syslog>
    Module xm_syslog
</Extension>
# Column layout of Get-SCEPDetectionLogs.csv. Mapping is positional: the CSV's
# own header row is not consulted, so a change in column order in the exporting
# script silently mislabels every field from that point on.
<Extension SCEP_CSV>
    Module xm_csv
    # $ObserverProductversion keeps its lower-case 'v': the field name is what the
    # GELF collector receives, so renaming it here is a schema change downstream.
    Fields $Type,$RowID,$Name,$Description,$Timestamp,$SchemaVersion,$ObserverHost,$ObserverUser,$ObserverProductName,$ObserverProductversion,$ObserverProtectionType,$ObserverProtectionVersion,$ObserverProtectionSignatureVersion,$ObserverDetection,$ObserverDetectionTime,$ActorHost,$ActorUser,$ActorProcess,$ActorResource,$ActionType,$TargetHost,$TargetUser,$TargetProcess,$TargetResource,$ClassificationID,$ClassificationType,$ClassificationSeverity,$ClassificationCategory,$RemediationType,$RemediationResult,$RemediationErrorCode,$RemediationPendingAction,$IsActiveMalware
    # Every column is kept as a plain string; no datetime/integer coercion here.
    FieldTypes string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
    Delimiter ','
    QuoteChar '"'
    # EscapeControl only affects to_csv(), which nothing here calls.
    EscapeControl FALSE
    # A column containing a bare "-" is treated as undefined rather than as text.
    UndefValue -
</Extension>
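# Parser intended for SCCM log lines.
# NOTE(review): nothing in this file calls SCCM_CSV->parse_csv(); the SCCM input
# forwards $raw_event unparsed, so this extension is currently dead config.
# NOTE(review): if the logs are CMTrace-style lines (<![LOG[...]LOG]!><time=...>),
# splitting on '>' will not yield these four columns -- confirm against a sample
# line before wiring it in.
<Extension SCCM_CSV>
    Module xm_csv
    Fields $Message,$Component,$Date,$Thread
    FieldTypes string,string,string,string
    Delimiter '>'
    # Was: QuoteChar '''  -- a single-quoted NXLog string cannot contain a single
    # quote, so that value does not express the intended apostrophe. Double quotes
    # state it unambiguously.
    QuoteChar "'"
    EscapeControl FALSE
    UndefValue -
</Extension>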
# Windows Event Log input restricted to the SMS (SCCM) providers.
<Input EVENTLOG>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    # XPath filter: Application log only, and only the four SMS provider names
    # listed; all other Application-log events are never read by this agent.
    # The value spans several lines, hence the trailing backslashes.
    # NOTE(review): ReadFromLast/SavePos are not set, so module defaults decide
    # whether the existing backlog is read on first start -- confirm that is wanted.
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[Provider[@Name='SMS Client' or @Name='SMS Performance Data Provider' or @Name='SMS Provider' or @Name='SMS Server']]]</Select>\
        </Query>\
    </QueryList>
</Input>
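# SCEP detection records exported to CSV by the Get-SCEPDetectionLogs script.
<Input SCEP>
    Module im_file
    # Placeholder path to the CSV. Backslashes are doubled because '\' is an
    # escape character inside NXLog double-quoted strings.
    File "CSV_File_Location\\Get-SCEPDetectionLogs.csv"
    # Remember the read position across restarts (stored in CacheDir).
    SavePos TRUE
    # Drop comment lines (e.g. a "#TYPE ..." line from Export-Csv) and the column
    # header row; the header would otherwise be forwarded as a detection record
    # whose field values are the column names.
    # Fixes: the original computed parsedate($date + " " + $time), but neither
    # $date nor $time is a column of SCEP_CSV, so $EventTime was always undefined.
    # $Timestamp is the column SCEP_CSV actually defines.
    # TODO(review): confirm the Timestamp column is in a format parsedate()
    # accepts; if not, use strptime($Timestamp, "<format>") instead.
    # SourceName was "IIS" (copied from an IIS example); it is emitted as a GELF
    # field, so it now labels the events by their real origin.
    <Exec>
        if $raw_event =~ /^#/ or $raw_event =~ /^"?Type"?,/ drop();
        else
        {
            SCEP_CSV->parse_csv();
            $EventTime = parsedate($Timestamp);
            $SourceName = "SCEP";
            $Message = to_json();
        }
    </Exec>
</Input>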
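# SCCM log files, forwarded line by line without parsing.
<Input SCCM>
    Module im_file
    # SCCM log directory, all *.log files. Backslashes are doubled because '\'
    # escapes inside NXLog double-quoted strings. The original had "\\\*.log"
    # (a third backslash in front of the wildcard), which at best is ambiguous
    # and may have been read as a literal "\*" rather than a glob.
    # TODO(review): confirm the pattern now matches the expected files.
    File "D:\\CM\\Logs\\*.log"
    # Remember the read position across restarts (stored in CacheDir).
    SavePos TRUE
    # Copy the raw line into a custom 'event' field; nothing parses the line
    # (the SCCM_CSV extension above is not referenced), so the GELF message
    # carries the unparsed text.
    Exec $event = $raw_event;
</Input>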
# GELF/UDP sink for the SCCM and SCEP file inputs.
<Output out>
    Module om_udp
    # Placeholder: address of the GELF collector (e.g. a Graylog GELF UDP input).
    Host your_host_ip_or_fqdn
    Port 12202
    # NOTE(review): om_udp sends in the clear with no authentication and no
    # delivery guarantee. The SCEP records carry host, user and process names,
    # so on anything but a trusted segment prefer om_ssl (CAFile set,
    # AllowUntrusted FALSE) against a GELF TCP/TLS input, or at minimum restrict
    # the collector port to these senders at the firewall.
    OutputType GELF
</Output>
# GELF/UDP sink for the Event Log input. Same destination as 'out'; the only
# difference is the Exec below.
<Output out_e>
    Module om_udp
    # Placeholder: address of the GELF collector (same host/port as 'out').
    Host your_host_ip_or_fqdn
    Port 12202
    # Procedure form of to_json(): rewrites $raw_event as the JSON of all event
    # fields before GELF serialisation, so the GELF short_message holds the full
    # record rather than the bare event-log message.
    # NOTE(review): 'out' and 'out_e' could be one output with this Exec guarded
    # by `if $SourceModuleName == "EVENTLOG"`; kept separate to match the routes.
    # Same transport caveat as 'out': plain UDP, no TLS, no authentication.
    Exec to_json();
    OutputType GELF
</Output>
# Both file inputs share the same sink, so they are listed in one route; the
# Event Log input goes to the output that JSON-encodes the record first.
<Route 1>
    Path SCCM, SCEP => out
</Route>
<Route 2>
    Path EVENTLOG => out_e
</Route>