Commit e076fb88 authored by NXLog CI User's avatar NXLog CI User

New Config Samples

parent 5daa5176
define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102
define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
6280, 24586, 24592, 24593, 24594
define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
4891, 4893, 4894, 4895, 4898, 5136, 5137
<Input events>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Directory Service">
<Select Path="Directory Service">*[System[Provider[
@Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if $EventID NOT IN (%HighEventIds%) and
$EventID NOT IN (%MediumEventIds%) and
$EventID NOT IN (%LowEventIds%) drop();
</Exec>
</Input>
\ No newline at end of file
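Review bot: The second continuation line of MediumEventIds lists `4764, 4764` twice; drop the duplicate so it reads `4727, 4735, 4737, 4739, 4754, 4755, 4764, 4780, 4816, \`. The IDs in all three defines look like Security-log audit IDs (4624/4625 logons, 5136/5137 directory-service-change audits), while the query selects the Directory Service channel with the ActiveDirectory_DomainService provider, whose events presumably use a different ID range; if that is so, the drop() in Exec discards every event the input collects, so confirm the channel/list pairing against a live domain controller. A short comment above the defines stating where the three severity lists come from would let the next maintainer re-validate them.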
<Input SecurityAuditEvents>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows
-Security-Auditing'] and (Level=1 or Level=2 or Level=3) and
((EventID=4928 and EventID=4931) or (EventID=4932 and EventID=4937)
or EventID=4662 or (EventID=5136 and EventID = 5141))]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
\ No newline at end of file
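Review bot: The XPath terms `(EventID=4928 and EventID=4931)`, `(EventID=4932 and EventID=4937)` and `(EventID=5136 and EventID = 5141)` can never be true, because one event has a single EventID, so this Select only ever matches EventID=4662 and the rest of the intended audit coverage is silently lost. If ranges were meant, write `((EventID>=4928 and EventID<=4931) or (EventID>=4932 and EventID<=4937) or EventID=4662 or (EventID>=5136 and EventID<=5141))`. As far as I know, Security-Auditing events are recorded at Level 0 with Audit Success/Failure keywords rather than Levels 1–3, so the `Level` clause may also exclude everything; verify against real events before shipping the sample. The provider name is also split across two lines inside the quoted `@Name` value; if that newline is in the file rather than a rendering artifact, the provider comparison fails too.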
<Input ad>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Active Directory Web Services">*</Select>
<Select Path="Microsoft-Windows-DirectoryServices-Deployment/Operational">
*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
\ No newline at end of file
......@@ -20,6 +20,6 @@
# Additional rules can be added here
# ...
# Optionally, update the $raw_event field
#raw_event = $EventTime + ' ' + $Message;
#$raw_event = $EventTime + ' ' + $Message;
</Exec>
</Input>
\ No newline at end of file
envvar systemroot
<Input dcpromo>
Module im_file
File "%systemroot%\debug\DCPROMO.log"
......