oerd/logstash.conf

## logstash.conf
input {

}

filter {

}

output {

}

## nxlog.example.conf
# put your here, probably C:\Program Files\nxlog
define ROOT C:\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module       xm_json
</Extension>

<Input in>
    Module      im_msvistalog
# this kinda works for me, put * to get everything
    Query	<QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    Exec        $Message = to_json(); to_syslog_bsd();
</Input>

<Output out>
    Module      om_tcp
# obviously put your rsyslog ip here
    Host        192.168.x.xxx
    Port        514
</Output>

<Route 1>
    Path        in => out
</Route>

## rsyslog.example.conf
#this should(!) be big enough
$MaxMessageSize 64k

#### MODULES ####

# where we're getting logs from
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# set some access rights to written log files
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# do NOT escape control chars
$EscapeControlCharactersOnReceive off

# templates
$template TraditionalRFC3164,"<%PRI%>%timereported% %timegenerated% %HOSTNAME% %syslogtag:1:32% %msg:::drop-last-lf%\n"
$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME:::lower%/messages.log"

# json template for logstash
# generic template (cisco, firewall, etc)
$template generic_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%app-name:::jsonf%,%procid:::jsonf%}}"
# windows hosts template (nxlog json)
$template win_nxlog_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":%msg%,\"@fields\":{%app-name:::jsonf%,%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%procid:::jsonf%}}\n"

# NB: I'm sending to UDP locally, use @@localhost:55514 if need TCP
# generic hosts to logstash:
if ($fromhost-ip == '...' or $fromhost-ip == '...' or $fromhost-ip == '...' ) then @localhost:55514;generic_json
# windows hosts to logstash:
if ($fromhost-ip == '...' or $fromhost-ip == '...' or $fromhost-ip == '...' ) then @localhost:55514;win_nxlog_json

# Everything from remote hosts to files goes to disk in folders named by host
if ($fromhost-ip != '127.0.0.1') then -?DailyPerHostLogs;TraditionalRFC3164
& ~

# NOTE: use your system's rules for local messages:
# Standard log files.  Log by facility.
*.*  -/var/log/messages
	# put your here, probably C:\Program Files\nxlog
	define ROOT C:\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	<Extension syslog>
	Module xm_syslog
	</Extension>

	<Extension json>
	Module xm_json
	</Extension>

	<Input in>
	Module im_msvistalog
	# this kinda works for me, put * to get everything
	Query <QueryList>\
	<Query Id="0">\
	<Select Path="Application">*</Select>\
	<Select Path="System">*</Select>\
	<Select Path="Security">*</Select>\
	</Query>\
	</QueryList>
	Exec $Message = to_json(); to_syslog_bsd();
	</Input>

	<Output out>
	Module om_tcp
	# obviously put your rsyslog ip here
	Host 192.168.x.xxx
	Port 514
	</Output>

	<Route 1>
	Path in => out
	</Route>
	#this should(!) be big enough
	$MaxMessageSize 64k

	#### MODULES ####

	# where we're getting logs from
	$ModLoad imuxsock
	$ModLoad imklog
	$ModLoad imudp
	$UDPServerRun 514
	$ModLoad imtcp
	$InputTCPServerRun 514

	# set some access rights to written log files
	$FileOwner root
	$FileGroup adm
	$FileCreateMode 0640
	$DirCreateMode 0755
	$Umask 0022

	# do NOT escape control chars
	$EscapeControlCharactersOnReceive off

	# templates
	$template TraditionalRFC3164,"<%PRI%>%timereported% %timegenerated% %HOSTNAME% %syslogtag:1:32% %msg:::drop-last-lf%\n"
	$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME:::lower%/messages.log"

	# json template for logstash
	# generic template (cisco, firewall, etc)
	$template generic_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%app-name:::jsonf%,%procid:::jsonf%}}"
	# windows hosts template (nxlog json)
	$template win_nxlog_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":%msg%,\"@fields\":{%app-name:::jsonf%,%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%procid:::jsonf%}}\n"

	# NB: I'm sending to UDP locally, use @@localhost:55514 if need TCP
	# generic hosts to logstash:
	if ($fromhost-ip == '...' or $fromhost-ip == '...' or $fromhost-ip == '...' ) then @localhost:55514;generic_json
	# windows hosts to logstash:
	if ($fromhost-ip == '...' or $fromhost-ip == '...' or $fromhost-ip == '...' ) then @localhost:55514;win_nxlog_json

	# Everything from remote hosts to files goes to disk in folders named by host
	if ($fromhost-ip != '127.0.0.1') then -?DailyPerHostLogs;TraditionalRFC3164
	& ~

	# NOTE: use your system's rules for local messages:
	# Standard log files. Log by facility.
	. -/var/log/messages