tianweiliu/cinder.conf

## cinder.conf
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
	Module      	xm_syslog
</Extension>

<Extension json>
	Module		xm_json
</Extension>

<Input eventlog>
	Module		im_msvistalog
	# For windows 2003 and earlier use the following:
	# Module      	im_mseventlog
	Query <QueryList> \
		<Query Id="0"> \
			<Select Path="Application">*</Select> \
			<Select Path="System">*</Select> \
			<Select Path="Security">*</Select> \
		</Query> \
	</QueryList>
	Exec		to_syslog_bsd();
</Input>

<Input nxlog>
	Module		im_internal
	Exec		to_syslog_bsd();
</Input>

<Input cinder>
	Module		im_file
	# Put the path to you cinder log here
	File		""
	# Change SavePos to TRUE if the log is continuous
	SavePos		FALSE
	Exec		if ( $raw_event=~ /\|(.+)\|[\s,\t](\d\d\d\d-\d\d-\d\d\.\d\d\:\d\d:\d\d)[\s,\t](.+\])[\s,\t](.+)/ ) \
	{ \
		$Level 		= $1; \
		$Timestamp	= $2; \
		$Metadata 	= $3; \
		$Message	= $4; \
		to_json(); \
	} \
	else 		log_warning("Invalid cinder log: " + to_json());
</Input>

<Output syslog_out>
  # TCP Port 601: (Reliable Syslog Service) for Windows Event Log and nxlog internal log
	Module      	om_tcp
	Host        	192.168.2.1
	Port        	601
</Output>

<Output cinder_out>
  # TCP Port 514: (Syslog Service on UDP) for parsed cinder log as json
	Module		om_tcp
	Host		192.168.2.1
	Port		514
</Output>

<Route cinder>
	Path		cinder => cinder_out
</Route>
<Route 1>
	Path		eventlog, nxlog => syslog_out
</Route>
	## This is a sample configuration file. See the nxlog reference manual about the
	## configuration options. It should be installed locally and is also available
	## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

	## Please set the ROOT to the folder your nxlog was installed into,
	## otherwise it will not start.

	#define ROOT C:\Program Files\nxlog
	define ROOT C:\Program Files (x86)\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	<Extension _syslog>
	Module xm_syslog
	</Extension>

	<Extension json>
	Module xm_json
	</Extension>

	<Input eventlog>
	Module im_msvistalog
	# For windows 2003 and earlier use the following:
	# Module im_mseventlog
	Query <QueryList> \
	<Query Id="0"> \
	<Select Path="Application">*</Select> \
	<Select Path="System">*</Select> \
	<Select Path="Security">*</Select> \
	</Query> \
	</QueryList>
	Exec to_syslog_bsd();
	</Input>

	<Input nxlog>
	Module im_internal
	Exec to_syslog_bsd();
	</Input>

	<Input cinder>
	Module im_file
	# Put the path to you cinder log here
	File ""
	# Change SavePos to TRUE if the log is continuous
	SavePos FALSE
	Exec if ( $raw_event=~ /\\|(.+)\\|[\s,\t](\d\d\d\d-\d\d-\d\d\.\d\d\:\d\d:\d\d)[\s,\t](.+\])[\s,\t](.+)/ ) \
	{ \
	$Level = $1; \
	$Timestamp = $2; \
	$Metadata = $3; \
	$Message = $4; \
	to_json(); \
	} \
	else log_warning("Invalid cinder log: " + to_json());
	</Input>

	<Output syslog_out>
	# TCP Port 601: (Reliable Syslog Service) for Windows Event Log and nxlog internal log
	Module om_tcp
	Host 192.168.2.1
	Port 601
	</Output>

	<Output cinder_out>
	# TCP Port 514: (Syslog Service on UDP) for parsed cinder log as json
	Module om_tcp
	Host 192.168.2.1
	Port 514
	</Output>

	<Route cinder>
	Path cinder => cinder_out
	</Route>
	<Route 1>
	Path eventlog, nxlog => syslog_out
	</Route>