Commit 2d781d06 authored by NXLog CI User's avatar NXLog CI User

New Config Samples

parent c30d6202
<Input in>
Module im_file
File "/var/log/tomcat6/catalina.out"
<Exec>
if $raw_event =~ /(?x)^(\d{4}\-\d{2}\-\d{2}\ \d{2}\:\d{2}\:\d{2}),\d{3}
\ (\S+)\ \[(\S+)\]\ \-\ (.*)/
{
$log4j.time = parsedate($1);
$log4j.loglevel = $2;
$log4j.class = $3;
$log4j.msg = $4;
}
</Exec>
define REGEX /(?x)^(?<EventTime>\d{4}\-\d{2}\-\d{2}\ \d{2}\:\d{2}\:\d{2}),\d{3}\ \
(?<Severity>\S+)\ \[(?<Class>\S+)\]\ \-\ (?<Message>[\s\S]+)/
<Extension multiline>
Module xm_multiline
HeaderLine %REGEX%
</Extension>
<Input log4j>
Module im_file
File "/var/log/tomcat6/catalina.out"
InputType multiline
Exec if $raw_event =~ %REGEX% $EventTime = parsedate($EventTime);
</Input>
\ No newline at end of file
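Review bot: The `<Input in>` opened at the top of this section is never closed before `define REGEX`, so as rendered the first sample is not a loadable configuration; if this is two samples concatenated on the page without a separator, nothing to do, otherwise add `</Input>` after the `</Exec>` line. The two regexes also differ in the message capture, `(.*)` in the first and `[\s\S]+` in the second; because the second feeds multi-line events through xm_multiline that difference appears intentional, but a comment such as `# [\s\S]+ also matches the continuation lines joined by xm_multiline` would make it so. In the log4j input, `Exec if $raw_event =~ %REGEX% $EventTime = parsedate($EventTime);` relies on the named capture groups populating `$EventTime`, `$Severity`, `$Class` and `$Message`, which a reader may not expect from a single-line Exec; a comment naming that behaviour would help.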
<Input udp>
Module im_udp
Host 0.0.0.0
Port 514
</Input>
<Processor buffer>
Module pm_buffer
# 1 MB buffer
MaxSize 1024
Type Mem
# warn at 512k
WarnLimit 512
</Processor>
<Output tcp>
Module om_tcp
Host 192.168.1.1
Port 1514
</Output>
<Route udp_to_tcp>
Path udp => buffer => tcp
</Route>
\ No newline at end of file
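Review bot: `Host 0.0.0.0` on the im_udp input accepts syslog from every interface with no sender authentication, and the om_tcp output to 192.168.1.1:1514 forwards it in cleartext; for a sample that will be copied verbatim, both deserve a comment, e.g. `# Listens on all interfaces; restrict Host to the collector address where possible` on the input and `# Plain TCP; use om_ssl where the link needs confidentiality` on the output. The same cleartext transport recurs in the later om_tcp, om_http and om_elasticsearch samples, so one note here covers them. The `# 1 MB buffer` comment on `MaxSize 1024` depends on pm_buffer's MaxSize being in kilobytes; stating the unit (`# MaxSize and WarnLimit are in KB`) would remove the 1024-vs-1000 ambiguity between this sample and the acct sample's `MaxSize 1000`.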
envvar systemroot
<Input dcpromo>
Module im_file
File "%systemroot%\debug\DCPROMO.log"
File "%systemroot%\debug\DCPROMO.*.log"
<Exec>
if $raw_event =~ /^(\S+ \S+) \[(\S+)\] (.+)$/
{
$EventTime = parsedate($1);
$Severity = $2;
$Message = $3;
}
</Exec>
</Input>
\ No newline at end of file
<Input acct>
Module im_acct
# Flow control enabled (default)
FlowControl TRUE
</Input>
<Processor buffer>
Module pm_buffer
WarnLimit 800
MaxSize 1000
Type Mem
MaxSize 1000
WarnLimit 800
Exec if buffer_size() >= 80k drop();
</Processor>
<Input udp>
Module im_udp
Host 0.0.0.0
Port 1514
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1
Port 1515
</Output>
<Output file>
Module om_file
File 'out.txt'
File '/tmp/out.log'
</Output>
<Route udp_to_tcp>
Path udp => buffer => tcp
Path acct => buffer => tcp
</Route>
<Route udp_to_file>
Path udp => file
Path acct => file
</Route>
\ No newline at end of file
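Review bot: The pm_buffer block carries `MaxSize 1000` and `WarnLimit 800` twice (once before `Type Mem`, once after), and the om_file block has two `File` directives (`'out.txt'` and `'/tmp/out.log'`); this looks like two samples merged rather than intended configuration, and an output file instance takes a single File, so keep one copy of each directive unless the page is rendering two files without a separator. Each Route also has two `Path` lines, which a reader will copy; if a Route accepts only one Path, split them into separate routes or drop the second line. `Exec if buffer_size() >= 80k drop();` is a deliberate loss-tolerance choice and should say so, e.g. `# Discard rather than block the inputs once the buffer exceeds roughly 80 KB`.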
<Input udp>
Module im_udp
# Never pause this instance
FlowControl FALSE
</Input>
<Output http>
Module om_http
URL http://10.0.0.3:8080/
# Increase the log queue size
LogqueueSize 2000
</Output>
<Output file>
Module om_file
File '/tmp/out.log'
</Output>
<Route udp_to_tcp>
Path udp => http, file
</Route>
\ No newline at end of file
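Review bot: Route `udp_to_tcp` carries `Path udp => http, file` and this sample has no tcp output, so the name misleads anyone searching for it; `<Route udp_to_http_file>` would match the path. The input sets `FlowControl FALSE` with no buffer in front of `http`, so once om_http's `LogqueueSize 2000` fills, further UDP events are discarded rather than the input paused (as I read the flow-control semantics); the existing `# Never pause this instance` comment could continue `# events arriving while the http queue is full are dropped` so the trade-off is explicit to whoever copies it.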
<Extension _json>
Module xm_json
</Extension>
<Input in>
<Input ad>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
<Select Path="Active Directory Web Services">*</Select>
<Select Path="Microsoft-Windows-DirectoryServices-Deployment/Operational">
*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_file
File 'C:\test\sysmon.json'
Exec to_json();
</Output>
<Route r>
Path in => out
</Route>
\ No newline at end of file
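Review bot: `<Input in>` is opened and immediately followed by `<Input ad>` without ever being closed, yet `Route r` references `in`, so the only fully defined input (`ad`) is not routed and `in` has no Module; the lone `</Input>` in the short section that follows this one looks like the orphaned close tag. The fix is to delete the stray `<Input in>` line and change the route to `Path ad => out`, then drop the orphan `</Input>` section, or else rename `<Input ad>` back to `in`. A comment on the QueryXML such as `# Sysmon, AD Web Services and DS Deployment channels, all events` would also help, since the three Select paths are the whole point of the sample.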
</Input>
\ No newline at end of file
<Input audit>
Module im_linuxaudit
<Rules>
-D
-w /etc/passwd -p wa -k passwd
</Rules>
# Disable flow control to prevent Audit backlog
FlowControl FALSE
</Input>
<Output http>
Module om_http
URL http://192.168.2.1:8080/
</Output>
<Route r>
Path audit => http
</Route>
\ No newline at end of file
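Review bot: `-D` in the Rules block deletes every audit rule already loaded in the kernel before the `/etc/passwd` watch is added, which silently discards rules installed by auditd or a hardening baseline on the same host; the sample should say so, e.g. `# -D clears ALL existing kernel audit rules first; omit it if audit rules are managed elsewhere on this host`. With `FlowControl FALSE` and no buffer in front of om_http, events that arrive while the output queue is full are dropped rather than back-pressured, which is the intent of the `# Disable flow control` comment but worth stating in it so the loss mode is visible.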
<Input eventlog>
Module im_msvistalog
# Flow control enabled (default)
FlowControl TRUE
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1
</Output>
<Route r>
Path eventlog => tcp
</Route>
\ No newline at end of file
<Input file>
Module im_file
File '/tmp/in.log'
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1
# Keep up to 2000 events in the log queue
LogqueueSize 2000
</Output>
<Route r>
Path file => tcp
</Route>
\ No newline at end of file
<Input file>
Module im_file
File '/tmp/in.log'
# Enable flow control (default)
FlowControl TRUE
# Save file position on exit (default)
SavePos TRUE
</Input>
<Output tcp>
Module om_tcp
Host 10.8.0.2
</Output>
<Route r>
Path file => tcp
</Route>
\ No newline at end of file
<Input acct>
Module im_acct
</Input>
<Output elasticsearch>
Module om_elasticsearch
URL http://192.168.2.2:9200/_bulk
# Set log queue size, in events (default)
LogqueueSize 100
# Use persistent and synced log queue
PersistLogqueue TRUE
SyncLogqueue TRUE
</Output>
<Route r>
Path acct => elasticsearch
</Route>
\ No newline at end of file
<Input eventlog>
Module im_msvistalog
</Input>
<Output batch>
Module om_batchcompress
Host 192.168.2.1
# Set log queue size, in events (default)
LogqueueSize 100
</Output>
<Route r>
Path eventlog => batch
</Route>
\ No newline at end of file
<Input file>
Module im_file
File '/tmp/in.log'
# Set read buffer size, in bytes (default)
BufferSize 65000
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1
# Set write buffer size, in bytes (default)
BufferSize 65000
</Output>
<Route r>
Path file => tcp
</Route>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Input dev_log>
Module im_uds
UDS /dev/log
Exec parse_syslog();
# This module instance must never be suspended
FlowControl FALSE
</Input>
<Output elasticsearch>
Module om_elasticsearch
URL http://192.168.2.1:9022/_bulk
# Keep up to 5000 events in the log queue
LogqueueSize 5000
</Output>
<Route syslog_to_elasticsearch>
Path dev_log => elasticsearch
# Process events in this route first
Priority 1
</Route>
\ No newline at end of file
<Input udp>
Module im_udp
# Raise socket buffer size
SockBufSize 150000000
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1
# Keep up to 5000 events in the log queue
LogqueueSize 5000
</Output>
<Route udp_to_tcp>
Path udp => tcp
# Process events in this route first
Priority 1
</Route>
\ No newline at end of file
<Input udp>
Module im_udp
# Raise socket buffer size
SockBufSize 150000000
</Input>
<Processor buffer>
Module pm_buffer
Type Mem
# 5 MiB buffer
MaxSize 5120
# Warn at 2 MiB
WarnLimit 2048
</Processor>
<Output http>
Module om_http
URL http://10.8.1.1:8080/
</Output>
<Route udp_to_http>
Path udp => buffer => http
# Process events in this route first
Priority 1
</Route>
\ No newline at end of file
<Input eventlog>
Module im_msvistalog
</Input>
<Processor schedule>
Module pm_blocker
<Schedule>
# Start blocking at 7:00
When 0 7 * * *
Exec schedule->block(TRUE);
</Schedule>
<Schedule>
# Stop blocking at 19:00
When 0 19 * * *
Exec schedule->block(FALSE);
</Schedule>
</Processor>
<Output batch>
Module om_batchcompress
Host 10.3.0.211
</Output>
<Route scheduled_batches>
Path eventlog => schedule => batch
</Route>
\ No newline at end of file
<Input udp>
Module im_udp
Host 0.0.0.0
</Input>
<Processor buffer>
Module pm_buffer
# 500 MiB disk buffer
Type Disk
MaxSize 512000
WarnLimit 409600
</Processor>
<Processor schedule>
Module pm_blocker
<Schedule>
# Start blocking Monday morning
When 0 0 * * 1
Exec schedule->block(TRUE);
</Schedule>
<Schedule>
# Stop blocking Saturday morning
When 0 0 * * 6
Exec schedule->block(FALSE);
</Schedule>
</Processor>
<Output batch>
Module om_batchcompress
Host 10.3.0.211
</Output>
<Route scheduled_batches>
Path udp => buffer => schedule => batch
</Route>
\ No newline at end of file
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
\ No newline at end of file
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if ($EventID in (1, 5) and
$Image == "C:\\Windows\\System32\\conhost.exe") or
($EventID == 3 and
$DestinationPort == 80 and
$DestinationIp == 10.0.0.1)
drop();
</Exec>
</Input>
\ No newline at end of file
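Review bot: The drop filter compares `$DestinationPort == 80` and `$DestinationIp == 10.0.0.1` against Sysmon fields that arrive as strings, so whether these match depends on the language's type coercion for string-to-integer and string-to-IP comparisons; if that is not guaranteed, the literals should be quoted as strings or the fields converted explicitly. Independently of correctness, a suppression like this is a detection blind spot and should be documented in the Exec block, e.g. `# Suppress conhost.exe process create/terminate (1, 5) and HTTP connections to 10.0.0.1 (3); review before reuse`. The `$Image` comparison is exact and case-sensitive, which is fine for Sysmon's normalised paths but worth noting if the sample is adapted to other sources.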
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">
*[System[(EventID='1')]]
</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
\ No newline at end of file
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">
*[System[(EventID='1')]]
</Select>
</Query>
</QueryList>
</QueryXML>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Output out>
Module om_tcp
Host 10.0.0.1
Port 1514
Exec to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>
\ No newline at end of file
<Input udp>
Module im_udp
</Input>
<Processor buffer>
Module pm_buffer
Type Disk
# 40 MiB buffer
MaxSize 40960
# Generate warning message at 20 MiB
WarnLimit 20480
</Processor>
<Output ssl>
Module om_ssl
Host 10.8.0.2
CAFile %CERTDIR%/ca.pem
CertFile %CERTDIR%/client-cert.pem
CertKeyFile %CERTDIR%/client-key.pem
</Output>
<Route r>
Path udp => buffer => ssl
</Route>
\ No newline at end of file
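Review bot: `%CERTDIR%` in the three om_ssl paths is never declared in this sample, so it does not load as written; add `define CERTDIR /path/to/certs` (placeholder path) at the top, or an `envvar CERTDIR` line in the style of the dcpromo sample's `envvar systemroot`. The output otherwise verifies the server against `CAFile` and presents a client certificate, which is the right shape for this transport; a comment such as `# Server is verified against CAFile; client cert/key enable mutual TLS` would make that intent visible to someone copying only this block.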