Commit 5daa5176 authored by NXLog CI User's avatar NXLog CI User

New Config Samples

parent 2d781d06
<Exec>
log_info("first");
log_info("second");
</Exec>
\ No newline at end of file
Exec if $Message =~ /something interesting/ \
log_info("found something interesting"); \
else \
log_debug("found nothing interesting");
\ No newline at end of file
<Input etw>
Module im_etw
Provider Windows Kernel Trace
Provider Microsoft-Windows-DNSServer
</Input>
\ No newline at end of file
<Input audit>
Module im_linuxaudit
FlowControl FALSE
Module im_linuxaudit
<Rules>
# Watch /etc/passwd for modifications and tag with 'passwd'
-w /etc/passwd -p wa -k passwd
......
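Review bot: `Module im_linuxaudit` appears twice inside the same `<Input audit>` block (lines 23 and 25); if both lines are on the new side the block carries a duplicate directive and will not load, so one of them should go — it may only be the old and new print of a changed line, which this rendering does not make clear. The rest of the `<Rules>` block is collapsed, so only the `/etc/passwd` watch is visible here; a rule set meant as a sample usually watches `/etc/shadow`, `/etc/group` and `/etc/sudoers` with the same `-p wa -k` scheme, and a comment saying which files are covered and why would help readers extend it. The enclosing block continues past the collapsed marker.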
<Input audit>
Module im_linuxaudit
FlowControl FALSE
LoadRule 'im_linuxaudit_*.rules'
</Input>
\ No newline at end of file
SuppressRepeatingLogs FALSE
<Extension json>
Module xm_json
</Extension>
<Input wseventin>
Module im_wseventing
Address http://LINUX.DOMAIN.COM:80/wsman
ListenAddr 0.0.0.0
Port 80
SubscriptionName test
Exec log_info(to_json());
<QueryXML>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*</Select>
<Select Path="Security">*</Select>
<Select Path="Setup">*</Select>
<Select Path="System">*</Select>
<Select Path="ForwardedEvents">*</Select>
<Select Path="Windows PowerShell">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
\ No newline at end of file
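Review bot: The subscription endpoint `Address http://LINUX.DOMAIN.COM:80/wsman` together with `ListenAddr 0.0.0.0` and `Port 80` receives forwarded Windows events — including the Security channel selected in the QueryXML — over cleartext HTTP on every interface, with nothing on the page authenticating the sending hosts. For anything beyond a lab the sample should show the HTTPS form of the listener with a certificate, or at least state that this is the unencrypted variant, e.g. `# Plain HTTP on 0.0.0.0: use the module's HTTPS/certificate directives outside a lab`. `Exec log_info(to_json());` also copies every forwarded event into nxlog's own log at info level, which presumably is for demonstration only and is worth saying in a comment.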
Define EVENT_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
(?<Time>\d+(?:\:\d+){2}\s\w+)\s \
(?<ThreadId>\w+)\s+ \
(?<Context>\w+)\s+ \
(?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ \
(?<Protocol>\w+)\s+ \
(?<SendReceiveIndicator>\w+)\s \
(?<RemoteIP>[[:xdigit:].:]+)\s+ \
(?<Xid>[[:xdigit:]]+)\s \
(?<QueryType>\s|R)\s \
(?<Opcode>[A-Z]|\?)\s \
(?<QFlags>\[(.*?)\])\s+ \
(?<QuestionType>\w+)\s+ \
(?<QuestionName>.*)\s+ \
(?<LogInfo>.+)\s+.+=\s \
(?<Socket>\d+)\s+ Remote\s+ addr\s \
(?<RemoteAddr>.+),\sport\s \
(?<PortNum>\d+)\s+Time\sQuery= \
(?<TimeQuery>\d+),\sQueued= \
(?<Queued>\d+),\sExpire= \
(?<Expire>\d+)\s+.+\( \
(?<BufLen>\d+)\)\s+.+\( \
(?<MsgLen>\d+)\)\s+Message:\s+ \
(?<Message>(?s).*)/
Define HEADER_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
(?<Time>\d+(?:\:\d+){2}\s\w+)\s \
(?<ThreadId>\w+)\s+ \
(?<Context>\w+)\s+ \
(?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ \
(?<Protocol>\w+)\s+ \
(?<SendReceiveIndicator>\w+)\s \
(?<RemoteIP>[[:xdigit:].:]+)\s+ \
(?<Xid>[[:xdigit:]]+)\s \
(?<QueryType>\s|R)\s \
(?<Opcode>[A-Z]|\?)\s \
(?<QFlags>\[(.*?)\])\s+ \
(?<QuestionType>\w+)\s+ \
(?<QuestionName>.*)/
<Extension multiline>
Module xm_multiline
HeaderLine %HEADER_REGEX%
</Extension>
<Input filein>
Module im_file
File 'C:\Server\dns.log'
InputType multiline
<Exec>
if $raw_event =~ %EVENT_REGEX%
{
$EventTime = parsedate($Date + " " + $Time);
delete($Date);
delete($Time);
}
</Exec>
</Input>
\ No newline at end of file
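Review bot: The `<Exec>` block at lines 107–114 handles only the matching case; an event whose `$raw_event` does not match `%EVENT_REGEX%` (a truncated or malformed multiline record) passes through with no parsed fields and no `$EventTime`, silently. Mirroring the if/else sample earlier in the commit, e.g. `else log_debug("dns.log record did not match EVENT_REGEX");`, would make unparsed records visible. `%HEADER_REGEX%` is also a verbatim copy of the first thirteen groups of `%EVENT_REGEX%`; a comment such as `# HEADER_REGEX must stay identical to the leading groups of EVENT_REGEX` would keep a future edit to one from breaking header detection in the other.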
<Input etw>
Module im_etw
Provider Microsoft-Windows-Firewall
</Input>
<Input etw2>
Module im_etw
Provider Microsoft-Windows-Windows Firewall With Advanced Security
</Input>
\ No newline at end of file
define EMPTY_EVENT_REGEX /(^$|^\s+$)/
<Extension w3c_parser>
Module xm_w3c
</Extension>
<Input pfirewall>
Module im_file
File 'C:\Windows\system32\LogFiles\Firewall\pfirewall.log'
InputType w3c_parser
Exec if $raw_event =~ %EMPTY_EVENT_REGEX% drop();
</Input>
\ No newline at end of file
<ACL conf>
Directory /var/run/nxlog/configs
AllowRead TRUE
AllowWrite TRUE
</ACL>
\ No newline at end of file
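Review bot: `AllowWrite TRUE` on `/var/run/nxlog/configs` lets the remote management side replace the agent's configuration, and a configuration can load modules that run external programs (om_exec, xm_exec), so write access here amounts to code execution under the nxlog account; the identical block appears again at the end of the commit (lines 188–192). That is presumably the intent for centrally managed agents, but the sample should say so rather than leave it implicit, e.g. `# Write access lets the manager push any config, incl. modules that execute commands — only enable over an authenticated TLS management channel`.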
......@@ -21,7 +21,7 @@
Module om_udp
Host 192.168.1.1
Port 12201
OutputType GELF
OutputType GELF_UDP
</Output>
<Route eventlog_to_udp>
......
......@@ -19,7 +19,7 @@
Module om_udp
Host 192.168.1.1
Port 12201
OutputType GELF
OutputType GELF_UDP
</Output>
<Route csv_to_gelf>
......
......@@ -38,7 +38,7 @@
Module om_udp
Host 192.168.1.1
Port 12201
OutputType GELF
OutputType GELF_UDP
</Output>
<Route file_to_gelf>
......
<Extension gelf>
Module xm_gelf
</Extension>
<Input tcpin>
Module im_tcp
Host 0.0.0.0
Port 12001
InputType GELF_TCP
</Input>
\ No newline at end of file
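Review bot: `Host 0.0.0.0` with `InputType GELF_TCP` on port 12001 accepts GELF records from any source with no authentication and no transport encryption, so anyone who can reach the port can inject log entries into the pipeline. As a sample this is acceptable, but a one-line comment would keep it from being copied as-is, e.g. `# Unauthenticated cleartext listener on all interfaces; use im_ssl (or restrict Host) outside a trusted network`.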
......@@ -9,7 +9,7 @@
<Extension python>
Module xm_python
PythonCode modules/extension/python/processlogs2.py
PythonCode modules/extension/python/py/processlogs2.py
</Extension>
<Output out>
......
<ACL conf>
Directory /var/run/nxlog/configs
AllowRead TRUE
AllowWrite TRUE
</ACL>
\ No newline at end of file