@blakeblackshear
Last active June 1, 2020 11:26
# Global nxlog settings for a Windows host. %ROOT% is the install directory and
# is expanded in every directive below.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
# CacheDir holds nxlog's persisted state (presumably including saved read
# positions for the im_file input below — confirm against the nxlog docs).
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# nxlog's own log; entries also flow through the "internal" input below.
LogFile %ROOT%\data\nxlog.log
# JSON extension; provides the to_json() used by the om_http outputs.
<Extension json>
Module xm_json
</Extension>
# CSV parser for IIS W3C access log lines; provides w3c->parse_csv() used by
# the "iis" input. Field order here must match the field order IIS is
# configured to write (the fields are positional) — NOTE(review): confirm this
# list against the "#Fields:" header of the actual log files, otherwise values
# land in the wrong field names silently.
<Extension w3c>
#map iis log fields to Field Types
Module xm_csv
Fields $date, $time, $serverip, $verb, $url, $querystring, $port, $username, $clientip, $useragent, $status, $substatus, $win32status, $timetaken
FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
Delimiter ' '
</Extension>
# nxlog's own internal messages (errors, warnings), routed to nxlog_out so
# shipper failures are visible at the collector.
<Input internal>
Module im_internal
</Input>
# Windows Event Log input: Application, System and Security channels, all
# events (the "*" selectors).
<Input eventlog>
Module im_msvistalog
# this kinda works for me, put * to get everything
# XPath-style subscription query; line continuations keep it on one directive.
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
# Drops Security audit-success events 4688/4689 (process creation/exit) where
# the image is cmd.exe and the account is the machine account PROD-WEB-01$ —
# presumably noise from scheduled jobs running as the host itself.
# NOTE(review): this is a deliberate blind spot: any cmd.exe activity under the
# machine account never reaches the collector, so it cannot be alerted on or
# reviewed later. If the filter is kept, document the expected source of the
# noise and revisit the rule when that changes.
Exec if $raw_event =~ /AUDIT_SUCCESS\s+468(8|9)/ and $raw_event =~ /C:\\Windows\\System32\\cmd\.exe/ and $raw_event =~ /Account Name:\s+PROD-WEB-01\$/ drop();
</Input>
# IIS access logs for site W3SVC1, parsed with the "w3c" extension above.
<Input iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
# Start at the end of the file when there is no saved position, so existing
# history is not replayed on first start — confirm against the nxlog docs.
ReadFromLast TRUE
# Skip the W3C header/comment lines ("#Software:", "#Fields:", ...).
Exec if $raw_event =~ /^#/ drop();
# Drops crawler and uptime-monitor traffic by User-Agent substring.
# NOTE(review): User-Agent is client-supplied, so any request that merely
# claims one of these strings is also excluded and never reaches the
# collector; if those requests matter for review, filter at the collector
# instead of at the source.
Exec if $raw_event =~ /(NewRelicPinger|YandexBot|mon\.itor\.us|SemrushBot|bingbot|Googlebot|AdsBot|TweetmemeBot|Sogou\+web\+spider)/ drop();
# Parse the remaining lines into the fields declared in <Extension w3c> and
# build $EventTime from the W3C date/time columns.
# NOTE(review): IIS W3C logs usually write UTC timestamps — confirm parsedate()
# interprets them with the intended zone, otherwise events shift by the offset.
Exec if not dropped() \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
}
</Input>
# Ships IIS records as JSON over HTTPS to the collector's /iis endpoint.
<Output iis_out>
Module om_http
Url https://ec2-23-20-203-57.compute-1.amazonaws.com/iis
# NOTE(review): HTTPSAllowUntrusted TRUE disables verification of the
# collector's TLS certificate, so the log stream can be intercepted or
# redirected by anything able to answer for this hostname. Prefer pinning the
# collector's CA with HTTPSCAFile and setting this to FALSE.
HTTPSAllowUntrusted TRUE
Exec to_json();
</Output>
# Ships Windows Event Log records (including the Security channel) as JSON
# over HTTPS to the collector's /eventlog endpoint.
<Output eventlog_out>
Module om_http
Url https://ec2-23-20-203-57.compute-1.amazonaws.com/eventlog
# NOTE(review): HTTPSAllowUntrusted TRUE disables verification of the
# collector's TLS certificate; Security-log content is then sent to whichever
# server answers for this hostname. Prefer pinning the collector's CA with
# HTTPSCAFile and setting this to FALSE.
HTTPSAllowUntrusted TRUE
Exec to_json();
</Output>
# Ships nxlog's internal messages as JSON over HTTPS to the collector's
# /nxlog endpoint.
<Output nxlog_out>
Module om_http
Url https://ec2-23-20-203-57.compute-1.amazonaws.com/nxlog
# NOTE(review): HTTPSAllowUntrusted TRUE disables verification of the
# collector's TLS certificate. Prefer pinning the collector's CA with
# HTTPSCAFile and setting this to FALSE, as for the other outputs.
HTTPSAllowUntrusted TRUE
Exec to_json();
</Output>
# Event Log input -> /eventlog endpoint.
<Route 1>
Path eventlog => eventlog_out
</Route>
# nxlog internal messages -> /nxlog endpoint.
<Route 2>
Path internal => nxlog_out
</Route>
# IIS access log input -> /iis endpoint.
<Route 3>
Path iis => iis_out
</Route>