Commit b7e82477 authored by NXLog CI User

New Config Samples

parent 92b54acc
import json, base64, zlib, ssl, http.client
print('Loading function')
def lambda_handler(event, context):
compressed_logdata = base64.b64decode(event['awslogs']['data'])
logdata = zlib.decompress(compressed_logdata, 16+ zlib.MAX_WBITS)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_verify_locations("ca.pem")
# For more details regarding the SSLContext.load_cert_chain()
# function, please refer to Python's ssl module documentation at
# <https://docs.python.org/3/library/ssl.html#ssl.SSLContext>
context.load_cert_chain("client.pem")
conn = http.client.HTTPSConnection("<HOST>:<PORT>", context=context)
conn.set_debuglevel(3)
headers = {"Content-type": "application/json"}
conn.request('POST', "", logdata, headers)
conn.close()
\ No newline at end of file
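Review bot: The SSLContext built on L11 never verifies the server certificate: a context constructed directly with `ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)` starts with `verify_mode = CERT_NONE` and `check_hostname = False`, so the `load_verify_locations("ca.pem")` on L12 loads a CA that is never consulted and the handler accepts any certificate presented by `<HOST>`. Replace L11-L12 with `context = ssl.create_default_context(cafile="ca.pem")`, which enables `CERT_REQUIRED` plus hostname checking, and keep the `load_cert_chain` call on L16 for the client certificate. `conn.set_debuglevel(3)` on L18 prints every request, including the decompressed log body, to stdout, which in Lambda ends up in CloudWatch; drop it or guard it behind an environment flag before this sample is used as-is. The response is never read, so a rejected POST goes unnoticed; `resp = conn.getresponse()` followed by a status check before `conn.close()` would surface it. Reusing the name `context` for the SSL context also shadows the Lambda `context` argument.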
<Extension _json>
Module xm_json
</Extension>
<Input perl>
Module im_perl
PerlCode perl-input.pl
</Input>
<Output out>
Module om_file
File "/tmp/out.json"
Exec to_json();
</Output>
\ No newline at end of file
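Review bot: The om_file output on L32 writes to a fixed path under the shared `/tmp` directory, and the dns_out output on L59 in the next sample does the same; on a multi-user host any local user can pre-create that path or point a symlink at it, so a sample should show a directory owned by the service, e.g. `File "/var/log/nxlog/out.json"`. `PerlCode perl-input.pl` on L28 is a bare relative name, presumably resolved against the directory nxlog is started from, which is easy to get wrong under a service manager; an absolute path, or one built from a `define` as the ROOT/CONFDIR pattern elsewhere in this commit does, is more robust. There is no `<Route>` block, so the sample relies on nxlog's default routing; a one-line comment saying so would help a reader who copies only part of it.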
<Extension _json>
Module xm_json
</Extension>
define REGEX_BIND_QUERIES /(?x)(?<Date>\d+\-\w+\-\d+)\s+ \
(?<Time>\d+\:\d+\:\d+\.\d+)\s+ \
(?<Severity>\w+)\:\s+ \
\w+\s+ \
(?<RemoteIP>(?:[0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4}| \
(?:[0-9]{1,3}\.){3}[0-9]{1,3})\#+\d+\s+ \
\((?<QName>[^)]*)\)\:\s+ \
query:\s+\S+\s+\w+\s+ \
(?<QType>\w+)\s+ \
(?<RFlags>\+\w*)/
<Input dns_queries>
Module im_file
File "/var/log/named/queries.log"
<Exec>
if $raw_event =~ %REGEX_BIND_QUERIES%
$EventTime = parsedate($1 + " " + $2);
</Exec>
</Input>
<Output dns_out>
Module om_file
File "/tmp/nxlog-dns.json"
Exec to_json();
</Output>
\ No newline at end of file
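Review bot: The Exec on L54 builds `$EventTime` from the positional captures `$1` and `$2` although the regex on L39-L40 names those groups `Date` and `Time`; since a successful match with named groups sets fields of the same name, `$EventTime = parsedate($Date + " " + $Time);` says what is meant and does not break if a group is inserted in front. The define carries no comment describing the BIND query-log line it expects, which a reader needs before adapting the RemoteIP or RFlags alternatives; a short comment above L39 giving the field order (date, time, severity, client address#port, query name, type, flags) would do. The pattern is not anchored, so a match may start part-way through a longer event; a leading `^` inside the (?x) body would tighten it if the log format guarantees the date comes first.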
<Input kernel>
Module im_kernel
</Input>
\ No newline at end of file
import nxlog, requests
def request_metadata(item):
"""Gets value of metadata attribute 'item', returns text string"""
# Set metadata URL
metaurl = 'http://169.254.169.254/latest/meta-data/{0}'.format(item)
# Send HTTP GET request
r = requests.get(metaurl)
# If present, get text payload from the response
if r.status_code != 404:
value = r.text
else:
value = None
# Return text value
return value
def get_attribute(event):
"""Reads metadata and stores as an event field"""
# Get nxlog module object
module = event.module
# Set an attribute to retrieve; in this case: AWS EC2 instance-id
attribute = 'instance-id'
# Request for metadata only if not already present in the module
if 'metadata' not in module:
module['metadata'] = request_metadata(attribute)
# Save metadata as an event field
event.set_field(attribute, module['metadata'])
\ No newline at end of file
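Review bot: `requests.get(metaurl)` on L73 has no timeout, and the same holds for L101 and L130 in the Azure and GCE samples; when the code runs anywhere the link-local metadata address is not answered, the call blocks indefinitely and stalls the nxlog worker, so pass one, e.g. `r = requests.get(metaurl, timeout=2)`. The check on L75 treats every status other than 404 as success, so an error body would be stored and cached as the instance id; `if r.ok:` (or `r.raise_for_status()`) is the intended condition. Because L88 tests only key presence, a failed lookup that stored `None` is never retried for the lifetime of the module; caching only a non-None value keeps the fetch-once intent without freezing a transient failure. Note also that AWS IMDSv2 requires a session-token header on these requests; where IMDSv1 is disabled this sample receives a 401 rather than the value.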
import json, nxlog, requests
def request_metadata():
"""Gets all metadata values for compute instance, returns dict"""
# Set metadata URL
metaurl = 'http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01'
# Set header required to retrieve metadata
metaheader = {'Metadata':'true'}
# Send HTTP GET request
r = requests.get(metaurl, headers=metaheader)
# If present, get text payload from the response
if r.status_code != 404:
value = r.text
else:
value = None
# Load JSON data into Python dictionary and return
return json.loads(value)
def get_attribute(event):
"""Reads metadata and stores as event fields"""
# Get nxlog module object
module = event.module
# Request for metadata only if not already present in the module
if 'metadata' not in module:
module['metadata'] = request_metadata()
# Get metadata stored in module object
metadata = module['metadata']
# Save attributes and their values as event fields
for attribute in metadata:
event.set_field(attribute, metadata[attribute])
\ No newline at end of file
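Review bot: `request_metadata` returns `json.loads(value)` on L108 after L105-L106 may have set `value = None`, so a 404 from the metadata service raises `TypeError` inside the nxlog call instead of producing the intended empty result; returning `{}` in that branch, or simply `return r.json() if r.ok else {}`, keeps the loop on L119 in `get_attribute` working. `requests` already provides `r.json()`, so the `json` import and the manual `json.loads(r.text)` round-trip are not needed. As with the other metadata samples, the request on L101 has no `timeout=`, which can block the worker indefinitely off-cloud, and the 404-only check stores any other error body as if it were metadata.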
import nxlog, requests
def request_metadata(item):
"""Gets value of metadata attribute 'item', returns text string"""
# Set metadata URL
metaurl = 'http://metadata.google.internal/computeMetadata/v1/instance/{0}'.format(item)
# Set header require to retrieve metadata
metaheader = {'Metadata-Flavor':'Google'}
# Send HTTP GET request
r = requests.get(metaurl, headers=metaheader)
# If present, get text payload from the response
if r.status_code != 404:
value = r.text
else:
value = None
# Return text value
return value
def get_attribute(event):
"""Reads metadata and stores as an event field"""
# Get nxlog module object
module = event.module
# Set an attribute to retrieve; in this case: GCE instance id
attribute = 'id'
# Request for metadata only if not already present in the module
if 'metadata' not in module:
module['metadata'] = request_metadata('id')
# Save metadata as an event field
event.set_field(attribute, module['metadata'])
\ No newline at end of file
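Review bot: L146 calls `request_metadata('id')` with a literal although `attribute = 'id'` was defined on L143 for exactly this purpose, and the AWS counterpart passes `attribute` on its L89; use `module['metadata'] = request_metadata(attribute)` so the two stay in step and changing the attribute is a one-line edit. The comment on L127 reads `# Set header require to retrieve metadata` and should say `required`. The request on L130 also has no `timeout=`, and the check on L132 accepts any non-404 status as a valid id.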
@( Set "_= (
REM " ) <#
)
@Echo Off
SetLocal EnableExtensions DisableDelayedExpansion
powershell.exe -ExecutionPolicy Bypass -NoProfile ^
-Command "iex ((gc '%~f0') -join [char]10)"
EndLocal & Exit /B %ErrorLevel%
#>
$AuditLog = Get-DhcpServerAuditLog
if ($AuditLog.Enable) {
Write-Output "File '$($AuditLog.Path)\Dhcp*SrvLog-*.log'"
}
else {
[Console]::Error.WriteLine(@"
DHCP audit logging is disabled. To enable, run in PowerShell:
> Set-DhcpServerAuditLog -Enable $True
"@)
exit 1
}
\ No newline at end of file
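Review bot: If `Get-DhcpServerAuditLog` on L159 fails (DhcpServer module or role missing, insufficient rights), `$AuditLog` is presumably `$null`, so `$AuditLog.Enable` evaluates false and the else branch on L163 reports that audit logging is disabled, which misdirects the operator; `$AuditLog = Get-DhcpServerAuditLog -ErrorAction Stop` lets the real error terminate the script with its original message instead. The value of `$AuditLog.Path` is interpolated into a single-quoted nxlog `File` directive on L161 with no escaping; that is fine for the usual DHCP log directory but worth a comment, since a path containing `'` would yield an unparsable directive. The generated directive goes to stdout and the diagnostic to stderr, which is the contract that lets nxlog consume the output; a header comment after L158 stating that, and that the batch prologue on L150-L157 only relaunches this file under PowerShell, would help the reader.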
define ROOT C:\Program Files (x86)\nxlog
define CONFDIR %ROOT%\conf
include %CONFDIR%\eventlog.conf
\ No newline at end of file
<Extension _json>
Module xm_json
</Extension>
<Input etw_in>
Module im_etw
Provider Microsoft-Windows-DNSServer
</Input>
<Output etw_out>
Module om_file
File 'C:\etw_dns.json'
Exec to_json();
</Output>
<Route r>
Path etw_in => etw_out
</Route>
\ No newline at end of file
import datetime
import json
import requests
import adal
import nxlog
class LogReader:
def __init__(self, time_interval):
# Details of workspace. Fill in details for your workspace.
resource_group = '<YOUR_RESOURCE_GROUP>'
workspace = '<YOUR_WORKSPACE>'
# Details of query. Modify these to your requirements.
query = "Type=*"
end_time = datetime.datetime.utcnow()
start_time = end_time - datetime.timedelta(seconds=time_interval)
num_results = 100000 # If not provided, a default of 10 results will be used.
# IDs for authentication. Fill in values for your service principal.
subscription_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
tenant_id = 'xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx'
application_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
application_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
# URLs for authentication
authentication_endpoint = 'https://login.microsoftonline.com/'
resource = 'https://management.core.windows.net/'
# Get access token
context = adal.AuthenticationContext('https://login.microsoftonline.com/' + tenant_id)
token_response = context.acquire_token_with_client_credentials('https://management.core.windows.net/', application_id, application_key)
access_token = token_response.get('accessToken')
# Add token to header
headers = {
"Authorization": 'Bearer ' + access_token,
"Content-Type":'application/json'
}
# URLs for retrieving data
uri_base = 'https://management.azure.com'
uri_api = 'api-version=2015-11-01-preview'
uri_subscription = 'https://management.azure.com/subscriptions/' + subscription_id
uri_resourcegroup = uri_subscription + '/resourcegroups/'+ resource_group
uri_workspace = uri_resourcegroup + '/providers/Microsoft.OperationalInsights/workspaces/' + workspace
uri_search = uri_workspace + '/search'
#store log data for NXLog here
self.lines = ""
# Build search parameters from query details
search_params = {
"query": query,
"top": num_results,
"start": start_time.strftime('%Y-%m-%dT%H:%M:%S'),
"end": end_time.strftime('%Y-%m-%dT%H:%M:%S')
}
# Build URL and send post request
uri = uri_search + '?' + uri_api
response = requests.post(uri,json=search_params,headers=headers)
# Response of 200 if successful
if response.status_code == 200:
# Parse the response to get the ID and status
data = response.json()
search_id = data["id"].split("/")
id = search_id[len(search_id)-1]
status = data["__metadata"]["Status"]
# If status is pending, then keep checking until complete
while status == "Pending":
# Build URL to get search from ID and send request
uri_search = uri_search + '/' + id
uri = uri_search + '?' + uri_api
response = requests.get(uri,headers=headers)
# Parse the response to get the status
data = response.json()
status = data["__metadata"]["Status"]
else:
# Request failed
print (response.status_code)
response.raise_for_status()