@tianchao-haohan
Forked from slarti5191/logstash.conf
Created November 5, 2018 08:53
ELK Exchange logging
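# Logstash pipeline for three feeds shipped by the nxlog agent configured below,
# one TCP listener per feed: Windows event log (3515), Exchange message-tracking
# CSV rows (3516) and Exchange IIS access-log rows (3517).
input {
  # nxlog serialises every event-log record as one JSON document per line
  # (its to_json() call), so the "line" codec keeps records whole.
  tcp {
    port  => 3515
    host  => "192.168.168.168"
    type  => "WindowsEventLog"
    codec => "line"
  }
  # Exchange message-tracking log rows, one CSV row per event
  tcp {
    port => 3516
    host => "192.168.168.168"
    type => "Exchange"
  }
  # Exchange IIS W3C access-log rows, space separated
  tcp {
    port => 3517
    host => "192.168.168.168"
    type => "EXIIS"
  }
  # NOTE(review): all three listeners are plain TCP, so agent traffic is neither
  # encrypted nor authenticated on the wire; the tcp input offers ssl_enable /
  # ssl_cert / ssl_key when the path from the Exchange host is not trusted.
}
filter {
  if [type] == "WindowsEventLog" {
    # Expand the JSON line into top-level fields (Message, EventTime, Hostname, ...).
    json {
      source => "message"
    }
    # Keep the human-readable event text as "message" rather than the raw JSON.
    # If a record has no Message field, the literal "%{Message}" is kept as-is.
    mutate {
      replace => [ "message", "%{Message}" ]
    }
    mutate {
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
      rename => [ "Hostname", "logsource" ]
    }
    # EventTime carries no zone offset and no timezone is given, so it is parsed
    # in the Logstash host's local zone -- assumes the agent and Logstash hosts
    # share a timezone; TODO confirm.
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    # AccountName is derived from SubjectUserName, then overwritten by
    # TargetUserName when that is present (the second replace wins).
    # "." simply tests that the field exists and is non-empty.
    if [SubjectUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{SubjectUserName}" ]
      }
    }
    if [TargetUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{TargetUserName}" ]
      }
    }
    if [FileName] =~ "." {
      mutate {
        replace => [ "eventlog_channel", "%{FileName}" ]
      }
    }
    mutate {
      lowercase => [ "AccountName", "eventlog_channel" ]
    }
    # Drop nxlog bookkeeping fields. "remove_field" is the supported option; the
    # original "remove" was a deprecated alias that current mutate versions reject.
    mutate {
      remove_field => [ "SourceModuleType", "EventTimeWritten", "EventReceivedTime", "EventType" ]
    }
  }
  # For Exchange Message Tracking
  if [type] == "Exchange" {
    csv {
      add_tag => [ 'exh_msg_trk' ]
      columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ]
      # The event time is re-extracted from "message" by the grok below.
      remove_field => [ "date-time" ]
    }
    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}" ]
    }
    # One option block each instead of repeated "convert =>" / "split =>" keys,
    # which only worked because Logstash merges duplicated attributes.
    mutate {
      convert => {
        "total-bytes"     => "integer"
        "recipient-count" => "integer"
      }
      split => {
        "recipient-address" => ";"
        "source-context"    => ";"
        "custom-data"       => ";"
      }
    }
    # The timezone option only applies to timestamps that carry no offset of
    # their own; Exchange tracking timestamps appear to end in a UTC "Z", in
    # which case "America/Los_Angeles" is never used -- confirm against a sample row.
    date {
      match => [ "timestamp", "ISO8601" ]
      timezone => "America/Los_Angeles"
      remove_field => [ "timestamp" ]
    }
    # Rows without an ISO-8601 timestamp are not tracking events; discard them.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
  # For Exchange IIS
  if [type] == "EXIIS" {
    # W3C header lines (#Software, #Version, #Date, #Fields) are not access-log
    # rows; dropping them here keeps the csv filter from mapping them onto columns.
    if [message] =~ "^#" {
      drop { }
    }
    csv {
      separator => " "
      add_tag => [ 'exh_iis' ]
      # Column order assumes the default W3C field set in this order -- verify
      # against the #Fields header of the actual log files.
      columns => [ 'date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 's-port', 'cs-username', 'c-ip', 'csUser-Agent', 'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken' ]
    }
  }
}
output {
  rabbitmq {
    host => "192.168.168.168"   # was "host =", which the config parser rejects
    exchange_type => "direct"
    key => "logstash"
    durable => true
    persistent => true
    exchange => "logstash"
    # NOTE(review): broker credentials are stored in plaintext in this file;
    # Logstash 5+ can substitute "${VAR}" from the environment (6.2+ from the
    # keystore) so they need not live in the config.
    user => "billy"
    password => "badass"
  }
}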
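# nxlog agent configuration for the Exchange/IIS host. Feeds the three Logstash
# tcp inputs above: event log -> 3515, message tracking -> 3516, IIS -> 3517.
define ROOT c:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# xm_json provides to_json() for the event-log input.
<Extension json>
    Module xm_json
</Extension>
# xm_syslog is loaded but no directive in this file uses it.
<Extension syslog>
    Module xm_syslog
</Extension>

define IISDIR C:\inetpub\logs\LogFiles\W3SVC1
<Input IIS_IN>
    Module im_file
    # NOTE(review): single-quoted strings do not interpret escapes, so "\\" may
    # reach the filesystem as a doubled separator -- confirm via nxlog.log.
    File '%IISDIR%\\*.log'
    SavePos TRUE
    # W3C header lines (#Software, #Version, #Date, #Fields) are not access-log
    # rows; drop them here, as in_exchange already does, instead of letting the
    # Logstash csv filter parse them as data.
    Exec if $raw_event =~ /^#/ drop();
</Input>

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking
<Input in>
    Module im_msvistalog
    # No Query directive: every Windows event-log channel is collected.
    # integer() on the datetime presumably yields microseconds since the epoch;
    # dividing gives seconds. The record is then emitted as one JSON line, which
    # the Logstash side expands with its json filter.
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Input in_exchange>
    Module im_file
    File '%BASEDIR%\\*.LOG' # Exports all logs in Directory
    SavePos TRUE
    # Skip rows for the journaling mailbox. "tld.com" is a placeholder; the
    # unescaped "." also matches any single character there.
    Exec if $raw_event =~ /journaling\@tld.com/ drop();
    # Drop the "#..." header lines Exchange writes at the top of each tracking log.
    Exec if $raw_event =~ /^#/ drop();
</Input>

# NOTE(review): om_tcp sends in clear text; om_ssl is the TLS counterpart when
# the path to 192.168.168.168 is not trusted.
<Output out>
    Module om_tcp
    Host 192.168.168.168
    Port 3515
</Output>
<Route 1>
    Path in => out
</Route>

<Output out_exchange>
    Module om_tcp
    Host 192.168.168.168
    Port 3516
</Output>
<Output out_iis>
    Module om_tcp
    Host 192.168.168.168
    Port 3517
</Output>
<Route exchange>
    Path in_exchange => out_exchange
</Route>
<Route iis>
    Path IIS_IN => out_iis
</Route>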