mortenya/01-inputs.conf

## 01-inputs.conf
input {
	syslog {
		port => 1514
	}
}

filter {
  #IP Address of Snort
	if [host] =~ /192\.168\.0\.250/ {
		mutate {
			add_tag => [ "snort", "security" ]
		}
	}
	if "security" not in [tags] {
		mutate {
			add_tag => [ "syslog" ]
		}
	}
}

## 10-syslog.conf
filter {
	if "syslog" in [tags] {
		grok {
			match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
			add_field => [ "received_at", "%{@timestamp}" ]
			add_field => [ "received_from", "%{host}" ]
		}
		# Parse the syslog severity and facility
		syslog_pri { }
		date {
			match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
		}
		if !("_grokparsefailure" in [tags]) {
			mutate {
				replace => [ "@source_host", "%{syslog_hostname}" ]
				replace => [ "@message", "%{syslog_message}" ]
			}
		}
		mutate {
			remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
		}
	} # End syslog filter
}

## 11-snort.conf
filter {
	if "snort" in [tags] {
		grok {
			add_tag => [ "IDS" ]
			match => { "message" => "%{SYSLOG5424SD} %{DATA:event} %{SYSLOG5424SD} From %{NOTSPACE} at %{DAY} %{SYSLOGTIMESTAMP:event_timestamp} %{YEAR} %{TZ} %{SYSLOG5424SD:event_classification} %{SYSLOG5424SD} %{NOTSPACE:protocol} %{IP:src_host}:%{POSINT:src_port}->%{IP:dst_host}:%{POSINT:dst_port}" }
		}
		date {
			locale => "en"
			match => [ "event_timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
		}
		mutate {
			replace => [ "@source_host", "%{src_host}" ]
			replace => [ "@message", "%{event}" ]
			remove_field => [ "severity", "severity_label", "syslog_facility", "syslog_facility_code", "syslog_program", "syslog_severity", "syslog_severity_code" ]
		}

		#Geolocate config copied from "http://www.networkassassin.com/elk-for-network-operations/"
		#Geolocate logs that have SourceAddress and if that SourceAddress is a non-RFC1918 address or APIPA address
		if [src_host] and [src_host] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
			geoip {
				database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
				source => "src_host"
				target => "SourceGeo"			}
			#Delete 0,0 in SourceGeo.location if equal to 0,0
			if ([SourceGeo.location] and [SourceGeo.location] =~ "0,0") {
				mutate {
					replace => [ "SourceGeo.location", "" ]
				}
			}
		}

		#Geolocate logs that have DestinationAddress and if that DestinationAddress is a non-RFC1918 address or APIPA address
		if [dst_host] and [dst_host] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
			geoip {
				database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
				source => "dst_host"
				target => "DestinationGeo"
			}
			#Delete 0,0 in DestinationGeo.location if equal to 0,0
			if ([DestinationGeo.location] and [DestinationGeo.location] =~ "0,0") {
				mutate {
					replace => [ "DestinationGeo.location", "" ]
				}
			}
		}
	} # End snort filter
}

## install-nxlog.bat
@echo off
echo installing nxlog
msiexec /passive /i "\\path\to\nxlog-ce-x.x.xxxx.msi"
echo copying configuration

if exist "%ProgramFiles(x86)%\nxlog\conf" goto :64-bit
if exist "%ProgramFiles%\nxlog\conf" goto :32-bit

:64-bit
move "%ProgramFiles(x86)%\nxlog\conf\nxlog.conf" "%ProgramFiles(x86)%\nxlog\conf\nxlog.conf.default"
copy "\\shareserver\sharename\path\to\nxlog\nxlog.conf" "%ProgramFiles(x86)%\nxlog\conf\nxlog.conf"
goto :start

:32-bit
move "%ProgramFiles%\nxlog\conf\nxlog.conf" "%ProgramFiles%\nxlog\conf\nxlog.conf.default"
copy "\\shareserver\sharename\path\to\nxlog\nxlog.conf" "%ProgramFiles%\nxlog\conf\nxlog.conf"
goto :start

:start
echo starting service
net start nxlog
echo done

## krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc	= FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 24h
    forwardable	= yes

[realms]
    DOMAIN.NET = {
        kdc = dc1.domain.net
        kdc = dc2.domain.net
        admin_server = dc1.domain.net
        default_domain = domain.net
    }

[domain_realm]
    logstash.domain.net = DOMAIN.NET
    .domain.net = DOMAIN.NET
    domain.net = DOMAIN.NET

[appdefaults]
	pam = {
	    ticket_lifetime	= 36000
	    renew_lifetime = 36000
	    forwardable	= true
		krb4_convert = false
	    proxiable = false
	    retain_after_close = false
	    minimum_uid	= 0
	    debug = false
    }

## nxlog.conf
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir		%ROOT%\modules
CacheDir		%ROOT%\data
Pidfile			%ROOT%\data\nxlog.pid
SpoolDir		%ROOT%\data
LogFile			%ROOT%\data\nxlog.log

<Extension json>
	Module		xm_json
</Extension>

<Extension fileop>
    Module      xm_fileop
</Extension>

# Nxlog internal logs
<Input internal>
	Module 		im_internal
	Exec 		$EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

# Windows Event Log, use im_msvistalog for Windows Vista/2008 and later
<Input eventlog>
	Module			im_msvistalog
	ReadFromLast	TRUE
	Query   		<QueryList>								\
					<Query Id="0">							\
					<Select Path="Application">*</Select>	\
					<Select Path="System">*</Select>		\
					</Query>								\
					</QueryList>
	Exec 			$EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Processor buffer>
    Module  	pm_buffer
    MaxSize 	1024
    Type 		Mem
    WarnLimit 	512
</Processor>

<Processor norepeat>
    Module		pm_norepeat
    CheckFields	Message, Hostname, SourceName
</Processor>

<Output out>
    Module      om_tcp
    Host        logstash.domain.lab
    Port        3515
	#Exec  		file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log",  $raw_event);
</Output>

<Route 1>
    Path        internal, eventlog => norepeat => out
</Route>

## smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
	workgroup = LOGSTASH
	server string = Samba Server Version %v

	netbios name = LOGSTASH

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;	hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

;	security = user
;	passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


	security = ads
	passdb backend = tdbsam
	realm = domain.net

	password server = dc1.domain.net

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam

	domain master = no
	domain logons = no

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
;	logon path =

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
	local master = no
	os level = 0
	preferred master = no

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one	WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

;	load printers = yes
;	cups options = raw

;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes

# --------------------------- Winbind Options ------------------------------

	template homedir = /home/%D/%U
	template shell = /bin/bash
;
;	winbind enum groups = yes
;	winbind enum users = yes
;	winbind use default domain = yes
;	winbind nested groups = Yes
;   winbind separator = +
    winbind refresh tickets = yes

;	idmap config *:backend = tdb
;	idmap config *:range = 11000-20000
;	idmap config DOMAIN:backend = rid
;	idmap config DOMAIN:range=10000000-19000000

;	inherit acls = Yes
;   map acl inherit = Yes
;   acl group control = yes

#============================ Share Definitions ==============================

[homes]
;	comment = Home Directories
;	browseable = no
;	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
;	comment = All Printers
;	path = /var/spool/samba
;	browseable = no
;	guest ok = no
;	writable = no
;	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
Enter file contents here
	input {
	syslog {
	port => 1514
	}
	}

	filter {
	#IP Address of Snort
	if [host] =~ /192\.168\.0\.250/ {
	mutate {
	add_tag => [ "snort", "security" ]
	}
	}
	if "security" not in [tags] {
	mutate {
	add_tag => [ "syslog" ]
	}
	}
	}
	filter {
	if "syslog" in [tags] {
	grok {
	match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{host}" ]
	}
	# Parse the syslog severity and facility
	syslog_pri { }
	date {
	match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
	}
	if !("_grokparsefailure" in [tags]) {
	mutate {
	replace => [ "@source_host", "%{syslog_hostname}" ]
	replace => [ "@message", "%{syslog_message}" ]
	}
	}
	mutate {
	remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
	}
	} # End syslog filter
	}
	filter {
	if "snort" in [tags] {
	grok {
	add_tag => [ "IDS" ]
	match => { "message" => "%{SYSLOG5424SD} %{DATA:event} %{SYSLOG5424SD} From %{NOTSPACE} at %{DAY} %{SYSLOGTIMESTAMP:event_timestamp} %{YEAR} %{TZ} %{SYSLOG5424SD:event_classification} %{SYSLOG5424SD} %{NOTSPACE:protocol} %{IP:src_host}:%{POSINT:src_port}->%{IP:dst_host}:%{POSINT:dst_port}" }
	}
	date {
	locale => "en"
	match => [ "event_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
	}
	mutate {
	replace => [ "@source_host", "%{src_host}" ]
	replace => [ "@message", "%{event}" ]
	remove_field => [ "severity", "severity_label", "syslog_facility", "syslog_facility_code", "syslog_program", "syslog_severity", "syslog_severity_code" ]
	}

	#Geolocate config copied from "http://www.networkassassin.com/elk-for-network-operations/"
	#Geolocate logs that have SourceAddress and if that SourceAddress is a non-RFC1918 address or APIPA address
	if [src_host] and [src_host] !~ "(^127\.0\.0\.1)\|(^10\.)\|(^172\.1[6-9]\.)\|(^172\.2[0-9]\.)\|(^172\.3[0-1]\.)\|(^192\.168\.)\|(^169\.254\.)" {
	geoip {
	database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
	source => "src_host"
	target => "SourceGeo" }
	#Delete 0,0 in SourceGeo.location if equal to 0,0
	if ([SourceGeo.location] and [SourceGeo.location] =~ "0,0") {
	mutate {
	replace => [ "SourceGeo.location", "" ]
	}
	}
	}

	#Geolocate logs that have DestinationAddress and if that DestinationAddress is a non-RFC1918 address or APIPA address
	if [dst_host] and [dst_host] !~ "(^127\.0\.0\.1)\|(^10\.)\|(^172\.1[6-9]\.)\|(^172\.2[0-9]\.)\|(^172\.3[0-1]\.)\|(^192\.168\.)\|(^169\.254\.)" {
	geoip {
	database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
	source => "dst_host"
	target => "DestinationGeo"
	}
	#Delete 0,0 in DestinationGeo.location if equal to 0,0
	if ([DestinationGeo.location] and [DestinationGeo.location] =~ "0,0") {
	mutate {
	replace => [ "DestinationGeo.location", "" ]
	}
	}
	}
	} # End snort filter
	}
	@echo off
	echo installing nxlog
	msiexec /passive /i "\\path\to\nxlog-ce-x.x.xxxx.msi"
	echo copying configuration

	if exist "%ProgramFiles(x86)%\nxlog\conf" goto :64-bit
	if exist "%ProgramFiles%\nxlog\conf" goto :32-bit

	:64-bit
	move "%ProgramFiles(x86)%\nxlog\conf\nxlog.conf" "%ProgramFiles(x86)%\nxlog\conf\nxlog.conf.default"
	copy "\\shareserver\sharename\path\to\nxlog\nxlog.conf" "%ProgramFiles(x86)%\nxlog\conf\nxlog.conf"
	goto :start

	:32-bit
	move "%ProgramFiles%\nxlog\conf\nxlog.conf" "%ProgramFiles%\nxlog\conf\nxlog.conf.default"
	copy "\\shareserver\sharename\path\to\nxlog\nxlog.conf" "%ProgramFiles%\nxlog\conf\nxlog.conf"
	goto :start

	:start
	echo starting service
	net start nxlog
	echo done
	[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

	[libdefaults]
	default_realm = DOMAIN.NET
	dns_lookup_realm = true
	dns_lookup_kdc = true
	ticket_lifetime = 24h
	renew_lifetime = 24h
	forwardable = yes

	[realms]
	DOMAIN.NET = {
	kdc = dc1.domain.net
	kdc = dc2.domain.net
	admin_server = dc1.domain.net
	default_domain = domain.net
	}

	[domain_realm]
	logstash.domain.net = DOMAIN.NET
	.domain.net = DOMAIN.NET
	domain.net = DOMAIN.NET

	[appdefaults]
	pam = {
	ticket_lifetime = 36000
	renew_lifetime = 36000
	forwardable = true
	krb4_convert = false
	proxiable = false
	retain_after_close = false
	minimum_uid = 0
	debug = false
	}
	## This is a sample configuration file. See the nxlog reference manual about the
	## configuration options. It should be installed locally and is also available
	## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

	## Please set the ROOT to the folder your nxlog was installed into,
	## otherwise it will not start.

	#define ROOT C:\Program Files\nxlog
	define ROOT C:\Program Files (x86)\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	<Extension json>
	Module xm_json
	</Extension>

	<Extension fileop>
	Module xm_fileop
	</Extension>

	# Nxlog internal logs
	<Input internal>
	Module im_internal
	Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
	</Input>

	# Windows Event Log, use im_msvistalog for Windows Vista/2008 and later
	<Input eventlog>
	Module im_msvistalog
	ReadFromLast TRUE
	Query <QueryList> \
	<Query Id="0"> \
	<Select Path="Application">*</Select> \
	<Select Path="System">*</Select> \
	</Query> \
	</QueryList>
	Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
	</Input>

	<Processor buffer>
	Module pm_buffer
	MaxSize 1024
	Type Mem
	WarnLimit 512
	</Processor>

	<Processor norepeat>
	Module pm_norepeat
	CheckFields Message, Hostname, SourceName
	</Processor>

	<Output out>
	Module om_tcp
	Host logstash.domain.lab
	Port 3515
	#Exec file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log", $raw_event);
	</Output>

	<Route 1>
	Path internal, eventlog => norepeat => out
	</Route>
	# This is the main Samba configuration file. You should read the
	# smb.conf(5) manual page in order to understand the options listed
	# here. Samba has a huge number of configurable options (perhaps too
	# many!) most of which are not shown in this example
	#
	# For a step to step guide on installing, configuring and using samba,
	# read the Samba-HOWTO-Collection. This may be obtained from:
	# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
	#
	# Many working examples of smb.conf files can be found in the
	# Samba-Guide which is generated daily and can be downloaded from:
	# http://www.samba.org/samba/docs/Samba-Guide.pdf
	#
	# Any line which starts with a ; (semi-colon) or a # (hash)
	# is a comment and is ignored. In this example we will use a #
	# for commentry and a ; for parts of the config file that you
	# may wish to enable
	#
	# NOTE: Whenever you modify this file you should run the command "testparm"
	# to check that you have not made any basic syntactic errors.
	#
	#---------------
	# SELINUX NOTES:
	#
	# If you want to use the useradd/groupadd family of binaries please run:
	# setsebool -P samba_domain_controller on
	#
	# If you want to share home directories via samba please run:
	# setsebool -P samba_enable_home_dirs on
	#
	# If you create a new directory you want to share you should mark it as
	# "samba_share_t" so that selinux will let you write into it.
	# Make sure not to do that on system directories as they may already have
	# been marked with othe SELinux labels.
	#
	# Use ls -ldZ /path to see which context a directory has
	#
	# Set labels only on directories you created!
	# To set a label use the following: chcon -t samba_share_t /path
	#
	# If you need to share a system created directory you can use one of the
	# following (read-only/read-write):
	# setsebool -P samba_export_all_ro on
	# or
	# setsebool -P samba_export_all_rw on
	#
	# If you want to run scripts (preexec/root prexec/print command/...) please
	# put them into the /var/lib/samba/scripts directory so that smbd will be
	# allowed to run them.
	# Make sure you COPY them and not MOVE them so that the right SELinux context
	# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
	#
	#--------------
	#
	#======================= Global Settings =====================================

	[global]

	# ----------------------- Network Related Options -------------------------
	#
	# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
	#
	# server string is the equivalent of the NT Description field
	#
	# netbios name can be used to specify a server name not tied to the hostname
	#
	# Interfaces lets you configure Samba to use multiple interfaces
	# If you have multiple network interfaces then you can list the ones
	# you want to listen on (never omit localhost)
	#
	# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
	# specifiy it as a per share option as well
	#
	workgroup = LOGSTASH
	server string = Samba Server Version %v

	netbios name = LOGSTASH

	; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
	; hosts allow = 127. 192.168.12. 192.168.13.

	# --------------------------- Logging Options -----------------------------
	#
	# Log File let you specify where to put logs and how to split them up.
	#
	# Max Log Size let you specify the max size log files should reach

	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50

	# ----------------------- Standalone Server Options ------------------------
	#
	# Scurity can be set to user, share(deprecated) or server(deprecated)
	#
	# Backend to store user information in. New installations should
	# use either tdbsam or ldapsam. smbpasswd is available for backwards
	# compatibility. tdbsam requires no further configuration.

	; security = user
	; passdb backend = tdbsam


	# ----------------------- Domain Members Options ------------------------
	#
	# Security must be set to domain or ads
	#
	# Use the realm option only with security = ads
	# Specifies the Active Directory realm the host is part of
	#
	# Backend to store user information in. New installations should
	# use either tdbsam or ldapsam. smbpasswd is available for backwards
	# compatibility. tdbsam requires no further configuration.
	#
	# Use password server option only with security = server or if you can't
	# use the DNS to locate Domain Controllers
	# The argument list may include:
	# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
	# or to auto-locate the domain controller/s
	# password server = *


	security = ads
	passdb backend = tdbsam
	realm = domain.net

	password server = dc1.domain.net

	# ----------------------- Domain Controller Options ------------------------
	#
	# Security must be set to user for domain controllers
	#
	# Backend to store user information in. New installations should
	# use either tdbsam or ldapsam. smbpasswd is available for backwards
	# compatibility. tdbsam requires no further configuration.
	#
	# Domain Master specifies Samba to be the Domain Master Browser. This
	# allows Samba to collate browse lists between subnets. Don't use this
	# if you already have a Windows NT domain controller doing this job
	#
	# Domain Logons let Samba be a domain logon server for Windows workstations.
	#
	# Logon Scrpit let yuou specify a script to be run at login time on the client
	# You need to provide it in a share called NETLOGON
	#
	# Logon Path let you specify where user profiles are stored (UNC path)
	#
	# Various scripts can be used on a domain controller or stand-alone
	# machine to add or delete corresponding unix accounts
	#
	; security = user
	; passdb backend = tdbsam

	domain master = no
	domain logons = no

	# the login script name depends on the machine name
	; logon script = %m.bat
	# the login script name depends on the unix user used
	; logon script = %u.bat
	; logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
	; logon path =

	; add user script = /usr/sbin/useradd "%u" -n -g users
	; add group script = /usr/sbin/groupadd "%g"
	; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
	; delete user script = /usr/sbin/userdel "%u"
	; delete user from group script = /usr/sbin/userdel "%u" "%g"
	; delete group script = /usr/sbin/groupdel "%g"


	# ----------------------- Browser Control Options ----------------------------
	#
	# set local master to no if you don't want Samba to become a master
	# browser on your network. Otherwise the normal election rules apply
	#
	# OS Level determines the precedence of this server in master browser
	# elections. The default value should be reasonable
	#
	# Preferred Master causes Samba to force a local browser election on startup
	# and gives it a slightly higher chance of winning the election
	local master = no
	os level = 0
	preferred master = no

	#----------------------------- Name Resolution -------------------------------
	# Windows Internet Name Serving Support Section:
	# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
	#
	# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
	#
	# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
	#
	# - WINS Proxy: Tells Samba to answer name resolution queries on
	# behalf of a non WINS capable client, for this to work there must be
	# at least one WINS Server on the network. The default is NO.
	#
	# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
	# via DNS nslookups.

	; wins support = yes
	; wins server = w.x.y.z
	; wins proxy = yes

	; dns proxy = yes

	# --------------------------- Printing Options -----------------------------
	#
	# Load Printers let you load automatically the list of printers rather
	# than setting them up individually
	#
	# Cups Options let you pass the cups libs custom options, setting it to raw
	# for example will let you use drivers on your Windows clients
	#
	# Printcap Name let you specify an alternative printcap file
	#
	# You can choose a non default printing system using the Printing option

	; load printers = yes
	; cups options = raw

	; printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
	; printcap name = lpstat
	; printing = cups

	# --------------------------- Filesystem Options ---------------------------
	#
	# The following options can be uncommented if the filesystem supports
	# Extended Attributes and they are enabled (usually by the mount option
	# user_xattr). Thess options will let the admin store the DOS attributes
	# in an EA and make samba not mess with the permission bits.
	#
	# Note: these options can also be set just per share, setting them in global
	# makes them the default for all shares

	; map archive = no
	; map hidden = no
	; map read only = no
	; map system = no
	; store dos attributes = yes

	# --------------------------- Winbind Options ------------------------------

	template homedir = /home/%D/%U
	template shell = /bin/bash
	;
	; winbind enum groups = yes
	; winbind enum users = yes
	; winbind use default domain = yes
	; winbind nested groups = Yes
	; winbind separator = +
	winbind refresh tickets = yes

	; idmap config *:backend = tdb
	; idmap config *:range = 11000-20000
	; idmap config DOMAIN:backend = rid
	; idmap config DOMAIN:range=10000000-19000000

	; inherit acls = Yes
	; map acl inherit = Yes
	; acl group control = yes

	#============================ Share Definitions ==============================

	[homes]
	; comment = Home Directories
	; browseable = no
	; writable = yes
	; valid users = %S
	; valid users = MYDOMAIN\%S

	[printers]
	; comment = All Printers
	; path = /var/spool/samba
	; browseable = no
	; guest ok = no
	; writable = no
	; printable = yes

	# Un-comment the following and create the netlogon directory for Domain Logons
	; [netlogon]
	; comment = Network Logon Service
	; path = /var/lib/samba/netlogon
	; guest ok = yes
	; writable = no
	; share modes = no


	# Un-comment the following to provide a specific roving profile share
	# the default is to use the user's home directory
	; [Profiles]
	; path = /var/lib/samba/profiles
	; browseable = no
	; guest ok = yes


	# A publicly accessible directory, but read only, except for people in
	# the "staff" group
	; [public]
	; comment = Public Stuff
	; path = /home/samba
	; public = yes
	Enter file contents here