blakeblackshear/nxlog.conf

## nxlog.conf
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>

<Extension w3c>
  #map iis log fields to Field Types
    Module      xm_csv
    Fields      $date, $time, $serverip, $verb, $url, $querystring, $port, $username, $clientip, $useragent, $status, $substatus, $win32status, $timetaken
    FieldTypes  string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
    Delimiter   ' '
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    # this kinda works for me, put * to get everything
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    Exec    if $raw_event =~ /AUDIT_SUCCESS\s+468(8|9)/ and $raw_event =~ /C:\\Windows\\System32\\cmd\.exe/ and $raw_event =~ /Account Name:\s+PROD-WEB-01\$/ drop();
</Input>

<Input iis>
    Module       im_file
    File         "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    ReadFromLast TRUE
    Exec         if $raw_event =~ /^#/ drop();
    Exec	 if $raw_event =~ /(NewRelicPinger|YandexBot|mon\.itor\.us|SemrushBot|bingbot|Googlebot|AdsBot|TweetmemeBot|Sogou\+web\+spider)/ drop();
    Exec	 if not dropped()                                 \
                 {                                                \
                    w3c->parse_csv();                             \
                    $EventTime = parsedate($date + " " + $time);  \
                 }
</Input>

<Output iis_out>
    Module      	om_http
    Url			https://ec2-23-20-203-57.compute-1.amazonaws.com/iis
    HTTPSAllowUntrusted	TRUE
    Exec		to_json();
</Output>

<Output eventlog_out>
    Module      	om_http
    Url			https://ec2-23-20-203-57.compute-1.amazonaws.com/eventlog
    HTTPSAllowUntrusted	TRUE
    Exec		to_json();
</Output>

<Output nxlog_out>
    Module      	om_http
    Url			https://ec2-23-20-203-57.compute-1.amazonaws.com/nxlog
    HTTPSAllowUntrusted	TRUE
    Exec		to_json();
</Output>

<Route 1>
    Path        eventlog => eventlog_out
</Route>

<Route 2>
    Path        internal => nxlog_out
</Route>

<Route 3>
    Path        iis => iis_out
</Route>
	define ROOT C:\Program Files (x86)\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	<Extension json>
	Module xm_json
	</Extension>

	<Extension w3c>
	#map iis log fields to Field Types
	Module xm_csv
	Fields $date, $time, $serverip, $verb, $url, $querystring, $port, $username, $clientip, $useragent, $status, $substatus, $win32status, $timetaken
	FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
	Delimiter ' '
	</Extension>

	<Input internal>
	Module im_internal
	</Input>

	<Input eventlog>
	Module im_msvistalog
	# this kinda works for me, put * to get everything
	Query <QueryList>\
	<Query Id="0">\
	<Select Path="Application">*</Select>\
	<Select Path="System">*</Select>\
	<Select Path="Security">*</Select>\
	</Query>\
	</QueryList>
	Exec if $raw_event =~ /AUDIT_SUCCESS\s+468(8\|9)/ and $raw_event =~ /C:\\Windows\\System32\\cmd\.exe/ and $raw_event =~ /Account Name:\s+PROD-WEB-01\$/ drop();
	</Input>

	<Input iis>
	Module im_file
	File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
	ReadFromLast TRUE
	Exec if $raw_event =~ /^#/ drop();
	Exec if $raw_event =~ /(NewRelicPinger\|YandexBot\|mon\.itor\.us\|SemrushBot\|bingbot\|Googlebot\|AdsBot\|TweetmemeBot\|Sogou\+web\+spider)/ drop();
	Exec if not dropped() \
	{ \
	w3c->parse_csv(); \
	$EventTime = parsedate($date + " " + $time); \
	}
	</Input>

	<Output iis_out>
	Module om_http
	Url https://ec2-23-20-203-57.compute-1.amazonaws.com/iis
	HTTPSAllowUntrusted TRUE
	Exec to_json();
	</Output>

	<Output eventlog_out>
	Module om_http
	Url https://ec2-23-20-203-57.compute-1.amazonaws.com/eventlog
	HTTPSAllowUntrusted TRUE
	Exec to_json();
	</Output>

	<Output nxlog_out>
	Module om_http
	Url https://ec2-23-20-203-57.compute-1.amazonaws.com/nxlog
	HTTPSAllowUntrusted TRUE
	Exec to_json();
	</Output>

	<Route 1>
	Path eventlog => eventlog_out
	</Route>

	<Route 2>
	Path internal => nxlog_out
	</Route>

	<Route 3>
	Path iis => iis_out
	</Route>