Commit 92b54acc authored by NXLog CI User's avatar NXLog CI User

New Config Samples

parent 736c86f3
<Extension _json>
Module xm_json
</Extension>
<Input perl>
Module im_perl
PerlCode perl-input.pl
</Input>
<Output out>
Module om_file
File "/tmp/out.json"
Exec to_json();
</Output>
\ No newline at end of file
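Review bot: `File "/tmp/out.json"` writes the collector output to a fixed name in a world-writable directory, so any local user who pre-creates or symlinks that path can redirect or read what om_file writes. For a sample this is tolerable, but the nessus sample in this same commit already uses a service-owned location (`File "/opt/nxlog/tmp/nessus_report.json"`), and it would be consistent to do the same here. A comment such as `# Use a directory owned by the nxlog service account rather than a shared /tmp path` would also stop copy-paste users from shipping this path unchanged.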
<Extension _json>
Module xm_json
Module xm_json
</Extension>
<Input in>
......@@ -8,14 +8,18 @@
Command "C:\Program Files (x86)\VMware\VMware vSphere CLI\Perl\bin\perl.exe"
# For Linux and regular Perl users this would be sufficient:
#Command perl
Arg "C:\scripts\getlogs.pl"
Arg "C:\scripts\vcenter.pl"
Arg -u
Arg <username>
Arg -p
Arg <password>
Arg -s
Arg <server_ip_addr>
<Exec>
# Parse JSON into fields for later processing if required
parse_json();
# Parse JSON into fields for later processing if required
Exec parse_json();
# Parse EventTime field as timestamp
$EventTime = parsedate($EventTime);
</Exec>
</Input>
\ No newline at end of file
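Review bot: The vCenter credentials are handed to perl.exe as plain `Arg -p` / `Arg <password>` command-line arguments, which leaves them readable in the host's process list and stored in clear text in this config file. The commit swaps the script name but keeps that pattern. If the script can read credentials from a file or the environment, a comment next to the Arg lines such as `# <password> passed as an Arg is visible in the process list; prefer a credentials file readable only by the service account` would steer users away from it. The enclosing `<Input in>` block starts outside the hunk.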
......@@ -7,6 +7,7 @@
<Input perl>
Module im_perl
PerlCode modules/input/perl/perl-input.pl
Call read_data1
</Input>
<Input perl2>
......
......@@ -4,7 +4,7 @@
<Extension multiline>
Module xm_multiline
HeaderLine /^\[{|},{/
HeaderLine /^\[{|^},{/
</Extension>
<Input in>
......@@ -15,8 +15,8 @@
Arg --type=log
InputType multiline
<Exec>
$raw_event =~ s/^\[{|},{/{/;
$raw_event =~ s/}\]|}$//;
$raw_event =~ s/^\[{|^},{/{/;
$raw_event =~ s/\}]$//;
$raw_event = $raw_event + "\n}";
parse_json();
</Exec>
......
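Review bot: The two substitutions in the `<Exec>` block escape braces inconsistently: the new `s/\}]$//` escapes `}` while `s/^\[{|^},{/{/` on the line above leaves `{` and `}` bare, relying on PCRE treating an unquantified brace as a literal. Both forms work, but a reader has to stop and check; `$raw_event =~ s/^\[\{|^\},\{/{/;` and `$raw_event =~ s/\}\]$//;` make the intent explicit. The `HeaderLine` in the multiline extension above was changed to the same anchored alternation, so the two should be kept in step if either changes again.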
<Extension multiline_parser>
Module xm_multiline
HeaderLine /^<ReportItem/
EndLine /^</ReportItem>/
</Extension>
<Extension _xml>
Module xm_xml
ParseAttributes TRUE
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "nessus_report.xml"
InputType multiline_parser
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<ReportItem/ drop();
# Parse the xml event
parse_xml();
# Convert to JSON
to_json();
</Exec>
</Input>
<Output out>
Module om_file
File "nessus_report.json"
</Output>
\ No newline at end of file
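Review bot: `EndLine /^</ReportItem>/` contains an unescaped `/` inside a `/.../` regex literal; the EVENT_REGEX definition elsewhere in this commit escapes slashes as `\/`, so if the config parser ends the literal at the first unescaped slash this pattern is truncated to `^<` and the multiline end marker will not behave as intended. Writing `EndLine /^<\/ReportItem>/` avoids the question. The same line appears in the second nessus_report sample in this commit and should get the same fix.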
<Extension multiline_parser>
Module xm_multiline
HeaderLine /^<ReportItem/
EndLine /^</ReportItem>/
</Extension>
<Extension _xml>
Module xm_xml
ParseAttributes TRUE
</Extension>
<Extension _json>
Module xm_json
Module xm_json
</Extension>
<Input perl>
Module im_perl
PerlCode /opt/nxlog/bin/perl-input.pl
<Input in>
Module im_file
File "nessus_report.xml"
InputType multiline_parser
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<ReportItem/ drop();
# Parse the xml event
parse_xml();
# Convert to JSON
to_json();
</Exec>
</Input>
<Output out>
Module om_file
File "/opt/nxlog/tmp/nessus_report.json"
Exec to_json();
Module om_file
File "nessus_report.json"
</Output>
\ No newline at end of file
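Review bot: The `<Input perl>` block (`Module im_perl`, `PerlCode /opt/nxlog/bin/perl-input.pl`) is opened but never closed before `<Input in>` begins, and `<Output out>` carries two `Module om_file` and two `File` directives; the rendered view has lost the +/- markers, so this may be old and new text shown together, but if any of it is on the new side the file will not load. If the perl input is meant to stay it needs its own `</Input>`. Calling `to_json()` in the input `<Exec>` and again as `Exec to_json();` on the output also looks redundant; one call should be enough.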
<Output out>
Module om_perl
PerlCode modules/output/perl/perl-output.pl
Call write_data1
</Output>
\ No newline at end of file
Define EVENT_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
define EVENT_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
(?<Time>\d+(?:\:\d+){2}\s\w+)\s \
(?<ThreadId>\w+)\s+ \
(?<Context>\w+)\s+ \
......@@ -23,7 +23,7 @@ Define EVENT_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
(?<MsgLen>\d+)\)\s+Message:\s+ \
(?<Message>(?s).*)/
Define HEADER_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
define HEADER_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
(?<Time>\d+(?:\:\d+){2}\s\w+)\s \
(?<ThreadId>\w+)\s+ \
(?<Context>\w+)\s+ \
......
<Input in>
Module im_file
File 'C:\WINDOWS\system32\wbem\Logs\wmiprov.log'
File 'C:\WINDOWS\system32\wbem\Logs\ntevt.log'
File 'C:\WINDOWS\system32\wbem\Logs\dsprovider.log'
<Exec>
file_name() =~ /(?<Filename>[^\\]+)$/;
if $raw_event =~ /^\((?<EventTime>.+)\.\d{7}\) : (?<Message>.+)$/
$EventTime = strptime($EventTime, "%a %b %d %H:%M:%S %Y");
</Exec>
</Input>
\ No newline at end of file
<Extension _xml>
Module xm_xml
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-WMI-Activity/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
Exec if $UserData parse_xml($UserData);
</Input>
\ No newline at end of file
<Input etw_in>
Module im_etw
Provider Microsoft-Windows-WMI-Activity
</Input>
\ No newline at end of file
......@@ -19,6 +19,6 @@ envvar systemroot
parse_json();
# Convert $EventTime field to datetime
$event_time = parsedate($event_time);
$EventTime = parsedate($event_time);
</Exec>
</Input>
\ No newline at end of file
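Review bot: After the change the parsed datetime lands in `$EventTime` while the original string stays in `$event_time`, so every event now carries both fields, and the comment above still says it converts `$EventTime`. If the string copy is not wanted downstream, `delete($event_time);` after the assignment drops it; otherwise the comment should say the value is copied into a new field rather than converted in place. The enclosing `<Exec>` block starts outside the hunk.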
......@@ -4,7 +4,7 @@
<Extension pattern>
Module xm_pattern
PatternFile modules/extension/pattern/patterndb2,3.xml
PatternFile modules/extension/pattern/patterndb2-3.xml
</Extension>
<Input in>
......
......@@ -4,7 +4,7 @@
<Extension pattern>
Module xm_pattern
PatternFile modules/extension/pattern/patterndb2,3.xml
PatternFile modules/extension/pattern/patterndb2-3.xml
</Extension>
<Input in>
......
</Input>
<Extension _json>
Module xm_json
DateFormat YYYY-MM-DD hh:mm:ss
......