Commit de7006bc authored by NXLog CI User's avatar NXLog CI User

New Config Samples

parent 0addb301
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
Exec parse_syslog();
</Input>
\ No newline at end of file
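Review bot: The im_tcp input binds `Host 0.0.0.0` with no transport protection, so any host that can reach port 1514 can inject or forge syslog records into the pipeline, and a sample that readers copy verbatim should say so. A comment above the Host line would do: `# Cleartext listener on all interfaces: restrict Host to the collection interface (or firewall the port) and use im_ssl when the network is not trusted.` The im_ssl sample further down this page is the encrypted variant to point at.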
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
InputType Syslog_TLS
Exec parse_syslog_ietf();
</Input>
\ No newline at end of file
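Review bot: `InputType Syslog_TLS` on an im_tcp input selects, as I understand NXLog's input types, the RFC 5425 octet-counted framing only; it does not add TLS, so the stream on port 1514 is still cleartext, which the name invites readers to misread. Add a comment above that line, e.g. `# Syslog_TLS here means octet-counted framing (RFC 5425), not encryption; im_tcp is cleartext, use im_ssl for TLS.` The next sample on this page shows the genuinely encrypted im_ssl form.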
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_ssl
Host 0.0.0.0
Port 6514
CAFile %CERTDIR%/ca.pem
CertFile %CERTDIR%/client-cert.pem
CertKeyFile %CERTDIR%/client-key.pem
InputType Syslog_TLS
Exec parse_syslog_ietf();
</Input>
\ No newline at end of file
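Review bot: The im_ssl listener's identity files are named client-cert.pem and client-key.pem although this is the server side of the connection, which reads like a copy from an om_ssl client sample and risks readers installing the wrong certificate; rename them, e.g. `CertFile %CERTDIR%/server-cert.pem` and `CertKeyFile %CERTDIR%/server-key.pem`. CAFile is set but whether peer certificates are required or untrusted ones accepted is left to defaults; if this version supports them, state `RequireCert TRUE` and `AllowUntrusted FALSE` explicitly so the mutual-TLS intent is visible. A comment that the key file must be readable only by the nxlog user would also suit a shipped sample.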
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_udp
Host localhost
Port 514
Exec parse_syslog();
</Input>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Input syslog>
Module im_udp
<Exec>
parse_syslog();
$EventTime = $EventReceivedTime;
</Exec>
</Input>
\ No newline at end of file
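Review bot: The Exec block overwrites $EventTime with $EventReceivedTime right after parse_syslog(), discarding the sender-supplied timestamp without saying why; the choice is defensible (the sender's clock is untrusted and often skewed) but an unexplained overwrite is the kind of line the next reader "fixes". Document it: `# Stamp with the collector's receipt time; the sender timestamp parsed from the message is untrusted and is discarded here — copy it to another field first if it is needed.` This input also omits Host and Port and so depends on im_udp defaults, which a self-contained sample should state.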
<Input in>
Module im_aixaudit
DeviceFile /dev/audit
</Input>
\ No newline at end of file
<Input acct>
Module im_acct
AcctOn TRUE
File "/tmp/nxlog.acct"
</Input>
\ No newline at end of file
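Review bot: `File "/tmp/nxlog.acct"` puts the process-accounting file that `AcctOn TRUE` switches on into a world-writable directory, so any local user can pre-create or symlink that name before nxlog starts and redirect what the kernel then writes with nxlog's (typically root) privileges. The FreeBSD copy of this sample later on the page uses `File "/var/account/acct"`; use a root-owned directory here as well, e.g. `File "/var/account/nxlog.acct"`, with a comment that the directory must not be writable by other users.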
<Input fim>
Module im_fim
File "/etc/*"
File "/srv/*"
Exclude "*.bak"
Digest sha1
ScanInterval 3600
Recursive TRUE
</Input>
\ No newline at end of file
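Review bot: `Digest sha1` for integrity monitoring of /etc and /srv relies on a hash with practical collision attacks; if the build offers it, prefer `Digest sha256` so a crafted replacement cannot keep the recorded digest. `Exclude "*.bak"` also means backup copies under /etc, which often hold the same secrets as the originals, are never checked — either say so in a comment or drop the exclusion. The same two lines appear in the second im_fim sample further down the page.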
<Input in>
Module im_file
File "/opt/test/input.log"
</Input>
\ No newline at end of file
<Input exec>
Module im_exec
Command /usr/bin/tail
Arg -f
Arg /var/adm/ras/errlog
</Input>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_file
File "/var/log/messages"
Exec parse_syslog();
</Input>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in_syslog_udp>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>
<Output file>
Module om_file
File "/var/log/apc.log"
Exec to_json();
</Output>
\ No newline at end of file
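Review bot: The im_udp input on 0.0.0.0:514 accepts datagrams from any source and UDP source addresses are trivially spoofed, so everything that lands in /var/log/apc.log via to_json() is writable by anyone who can reach the port; a comment above Host/Port recommending a firewall rule limited to the APC devices' addresses belongs in this sample. Port 514 also needs nxlog to start privileged or hold CAP_NET_BIND_SERVICE on Linux, which is worth a note for readers who run it unprivileged.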
define PYDIR /opt/nxlog/lib/nxlog/modules/input/python
<Input oms>
Module im_python
PythonCode %PYDIR%/oms-download.py
</Input>
\ No newline at end of file
define PYCODEDIR /opt/nxlog/lib/nxlog/modules/output/python
<Extension _json>
Module xm_json
</Extension>
<Output oms>
Module om_exec
Command %PYCODEDIR%/oms-pipe.py
Exec to_json();
</Output>
\ No newline at end of file
envvar systemroot
<Input azure_sql>
Module im_exec
Command "%systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe"
# Bypass the system execution policy for this session only.
Arg "-ExecutionPolicy"
Arg "Bypass"
# Skip loading the local PowerShell profile.
Arg "-NoProfile"
# This specifies the path to the PowerShell script.
Arg "-File"
Arg "%systemroot%\azure_sql.ps1"
<Exec>
# Parse JSON
parse_json();
# Convert $EventTime field to datetime
$event_time = parsedate($event_time);
</Exec>
</Input>
\ No newline at end of file
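Review bot: The comment `# Convert $EventTime field to datetime` does not match the code beneath it, which converts `$event_time`, and nothing afterwards assigns $EventTime from it; either fix the comment or add `$EventTime = parsedate($event_time);` so the record is actually timestamped from the parsed value. Separately, the script runs from `%systemroot%\azure_sql.ps1` with `-ExecutionPolicy Bypass`, so signing is not checked and the path comes from an environment variable; the comment above the path should say the script must live in an ACL-restricted directory, since whoever can write that file runs code as the nxlog service account.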
<Input sql>
Module im_python
PythonCode azure_sql.py
Exec $EventTime = parsedate($EventTime);
</Input>
\ No newline at end of file
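Review bot: `PythonCode azure_sql.py` is a relative path, unlike the other im_python sample on this page which defines PYDIR and uses an absolute one; where it resolves depends on how nxlog was started, and a writable lookup location would let someone substitute the script. Use an absolute path for the host, e.g. `define PYDIR /opt/nxlog/lib/nxlog/modules/input/python` and `PythonCode %PYDIR%/azure_sql.py`, and note that the file must not be writable by unprivileged users.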
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in_syslog_tcp>
Module im_tcp
Host 0.0.0.0
Port 1514
Exec parse_syslog();
</Input>
<Output out>
Module om_file
File "/var/log/f5.log"
Exec to_json();
</Output>
\ No newline at end of file
<Extension _json>
Module xm_json
</Extension>
<Extension snmp>
Module xm_snmp
MIBDir /usr/share/mibs/bigip
# The following <User> section is required for SNMPv3
#<User snmp_user>
# AuthProto sha1
# AuthPasswd q1w2e3r4
# EncryptPasswd q1w2e3r4
# EncryptProto aes
#</User>
</Extension>
<Input in>
Module im_udp
Host 0.0.0.0
Port 162
InputType snmp
</Input>
<Output out>
Module om_file
File "/var/log/f5.log"
Exec to_json();
</Output>
\ No newline at end of file
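Review bot: The commented-out `<User>` block reuses `q1w2e3r4` for both AuthPasswd and EncryptPasswd, which teaches copying one secret into both roles; use distinct placeholders and add that real values must differ and must not sit in world-readable config. More importantly, with that block commented out the listener on UDP 162 will presumably handle only v1/v2c traps, which carry no authentication and are trivially spoofed, so the comment `# The following <User> section is required for SNMPv3` should add that without it incoming traps are unauthenticated, rather than presenting the sample as complete as shipped.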
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
Exec parse_syslog();
</Input>
<Output out>
Module om_file
File "/var/log/f5.log"
Exec to_json();
</Output>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in_syslog_udp>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>
\ No newline at end of file
<Extension _json>
Module xm_json
</Extension>
define REGEX_BIND_QUERIES /(?x)(?<Date>\d+\-\w+\-\d+)\s+ \
(?<Time>\d+\:\d+\:\d+\.\d+)\s+ \
(?<Severity>\w+)\:\s+ \
\w+\s+ \
(?<RemoteIP>(?:[0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4}| \
(?:[0-9]{1,3}\.){3}[0-9]{1,3})\#+\d+\s+ \
\((?<QName>[^)]*)\)\:\s+ \
query:\s+\S+\s+\w+\s+ \
(?<QType>\w+)\s+ \
(?<RFlags>\+\w*)/
<Input dns_queries>
Module im_file
File "/var/log/named/queries.log"
<Exec>
if $raw_event =~ %REGEX_BIND_QUERIES%
$EventTime = parsedate($1 + " " + $2);
</Exec>
</Input>
<Output dns_out>
Module om_file
File "/tmp/nxlog-dns.json"
Exec to_json();
</Output>
\ No newline at end of file
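Review bot: The `if $raw_event =~ %REGEX_BIND_QUERIES%` has no else branch, so lines that do not match pass through silently with no $EventTime and no warning, whereas the Cisco ACS sample on this page logs `log_warning("Does not match: " + $raw_event)`; add `else log_warning("BIND query line did not match: " + $raw_event);` for consistency. The output writes to `/tmp/nxlog-dns.json`, a world-writable directory where another local user can pre-create or symlink that name before a privileged nxlog opens it — use a path under /var/log and say why. The groups are named Date and Time yet the code reads $1 and $2; if named captures are populated as fields here, `parsedate($Date + " " + $Time)` would make the intent self-describing.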
<Extension csv_parser_dns>
Module xm_csv
Fields ts, uid id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, \
trans_id, rtt query, qclass, qclass_name, qtype, qtype_name, \
rcode, rcode_name, AA, TC, RD, RA, Z, answers, TTLs, rejected
Delimiter \t
</Extension>
<Extension csv_parser_dhcp>
Module xm_csv
Fields ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, mac, \
assigned_ip, lease_time, trans_id
Delimiter \t
</Extension>
# xm_fileop provides the `file_basename()` function
<Extension _fileop>
Module xm_fileop
</Extension>
<Input bro_in>
Module im_file
File '/usr/local/bro/logs/current/*.log'
<Exec>
if file_basename(file_name()) == 'dhcp.log'
{
csv_parser_dhcp->parse_csv();
}
else if file_basename(file_name()) == 'dns.log'
{
csv_parser_dns->parse_csv();
}
else
{
log_warning('Bro log type not supported, check configuration');
}
</Exec>
</Input>
\ No newline at end of file
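Review bot: The csv_parser_dns field list is missing two commas — `ts, uid id.orig_h` and `rtt query` — so the parser is given two names fewer than Bro's dns.log has columns, and `uid id.orig_h` is either rejected or treated as one oddly named field, shifting every later column under the wrong name. Change the two lines to `Fields ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, \` and `trans_id, rtt, query, qclass, qclass_name, qtype, qtype_name, \`. Bro logs also begin with `#fields`/`#types` header lines; unless something not shown here skips them, parse_csv() will treat those as records, which a comment in the Exec block should acknowledge.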
<Extension _json>
Module xm_json
</Extension>
<Extension w3c_parser>
Module xm_w3c
</Extension>
<Input bro_in>
Module im_file
File '/usr/local/bro/logs/current/*.log'
InputType w3c_parser
</Input>
<Output bro_file>
Module om_file
File '/tmp/bro_logs'
Exec to_json();
</Output>
\ No newline at end of file
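Review bot: `File '/tmp/bro_logs'` sends the JSON output to a world-writable directory, where any local user can pre-create or symlink that name before a privileged nxlog opens it; use a directory owned by the nxlog user, e.g. `File '/var/log/nxlog/bro_logs.json'`, and note the ownership requirement in a comment.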
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in_syslog_udp>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>
<Output file>
Module om_file
File "/var/log/brocade.log"
Exec to_json();
</Output>
\ No newline at end of file
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_file
File "/var/log/messages"
Exec parse_syslog();
</Input>
\ No newline at end of file
<Input bsm>
Module im_bsm
DeviceFile /dev/auditpipe
</Input>
\ No newline at end of file
<Input acct>
Module im_acct
AcctOn TRUE
File "/var/account/acct"
</Input>
\ No newline at end of file
<Input fim>
Module im_fim
File "/etc/*"
File "/srv/*"
Exclude "*.bak"
Digest sha1
ScanInterval 3600
Recursive TRUE
</Input>
\ No newline at end of file
<Input in>
Module im_file
File "/opt/test/input.log"
</Input>
\ No newline at end of file
<Input exec>
Module im_exec
Command /usr/bin/tail
Arg -f
Arg /var/log/messages
</Input>
\ No newline at end of file
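Review bot: `tail -f /var/log/messages` follows the open descriptor, so once logrotate renames the file the sample silently stops delivering events (GNU tail's `-F` follows by name and reopens); either use `Arg -F` where the platform's tail supports it or, better, the im_file form already shown on this page for the same file, which tracks rotation without spawning a process. A one-line comment explaining why im_exec is used instead of im_file would otherwise help.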
<Input kernel>
Module im_kernel
</Input>
\ No newline at end of file
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
<Exec>
parse_syslog();
cef_header->parse_csv($Message);
cef_extension->parse_kvp($_Extension);
</Exec>
</Input>
\ No newline at end of file
<Output out>
Module om_tcp
Host 192.168.1.1
Port 574
<Exec>
$_Extension = cef_extension->to_kvp();
$Version = 'CEF:0';
$Device_Vendor = 'NXLog';
$Device_Product = 'NXLog';
$Device_Version = '';
$Signature_ID = '0';
$Name = '-';
$Severity = '';
$Message = cef_header->to_csv();
to_syslog_bsd();
</Exec>
</Output>
\ No newline at end of file
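Review bot: `Port 574` is an unusual port for syslog/CEF delivery (514 is the convention); verify it is not a typo before this ships as a sample. The om_tcp output sends the rebuilt CEF to 192.168.1.1 in cleartext, so a comment recommending om_ssl when the receiver is across an untrusted network belongs here. `cef_extension->to_kvp()` also serializes whatever fields are on the record at that point, which presumably includes $raw_event and the syslog fields, so the extension will carry more than the original CEF extension did; either restrict the fields or document that this is intended.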
<Extension cef_header>
Module xm_csv
Fields $Version, $Device_Vendor, $Device_Product, $Device_Version, \
$Signature_ID, $Name, $Severity, $_Extension
Delimiter |
QuoteMethod None
</Extension>
<Extension cef_extension>
Module xm_kvp
KVDelimiter '='
KVPDelimiter ' '
QuoteMethod None
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
\ No newline at end of file
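Review bot: `KVPDelimiter ' '` in cef_extension splits the CEF extension on every space, but CEF extension values routinely contain spaces (`msg=User login failed`), so the `parse_kvp($_Extension)` call in the input sample will, unless xm_kvp resolves the `key=` boundary in a way not visible here, turn such a value into `msg=User` plus bogus keys `login` and `failed`; a comment stating the limitation or a preprocessing step is needed before this is offered as a CEF parser. With `QuoteMethod None` on cef_header, CEF's own `\|` escape for a literal pipe inside a header field is presumably not honored either, so an escaped pipe would shift the remaining header fields — worth a note beside the Delimiter line.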
<Extension _json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_udp
Host 0.0.0.0
Port 1514
<Exec>
parse_syslog_bsd();
if ( $Message =~ /^CisACS_(\d\d)_(\S+) (\S+) (\d+) (\d+) (.*)$/ )
{
$ACSCategoryNumber = $1;
$ACSCategoryName = $2;
$ACSMessageId = $3;
$ACSTotalSegments = $4;
$ACSSegmentNumber = $5;
$ACSMessage = $6;
if ( $ACSMessage =~ /Message-Type=([^\,]+)/ ) $ACSMessageType = $1;
if ( $ACSMessage =~ /User-Name=([^\,]+)/ ) $AccountName = $1;
if ( $ACSMessage =~ /NAS-IP-Address=([^\,]+)/ ) $ACSNASIPAddress = $1;
if ( $ACSMessage =~ /AAA Server=([^\,]+)/ ) $ACSAAAServer = $1;
}
else log_warning("Does not match: " + $raw_event);
</Exec>
</Input>
<Output out>
Module om_file