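# NXLog agent configuration: forwards Windows event logs (domain controller,
# SQL Server audit), DNS, DHCP, IIS and Exchange message-tracking logs to the
# collector (CCE). Layout: global settings, extensions, event-ID allow-list,
# inputs, outputs, routes.

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir   %ROOT%\modules
CacheDir    %ROOT%\data
Pidfile     %ROOT%\data\nxlog.pid
SpoolDir    %ROOT%\data
# The agent's own log: the first place to look when nothing arrives at the
# collector (a config error here means every feed below is silent).
LogFile     %ROOT%\data\nxlog.log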

# xm_json provides to_json(), used by the AD output (<Output out>).
<Extension _json>
    Module      xm_json
</Extension>

# xm_syslog provides to_syslog_bsd(), used by the DNS/DHCP/IIS/Exchange outputs.
<Extension syslog>
    Module      xm_syslog
</Extension>

# CSV formatter for SQL Server audit events (called as mssql_csv->to_csv() in
# out_mssql). The field order is the wire format the collector parses, so keep
# it in step with the fields in_mssql populates. $SV_Instace is spelled this
# way everywhere in the file; renaming it in one place only would break the
# record layout.
<Extension mssql_csv>
    Module          xm_csv
    Fields          $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
    FieldTypes      string, string, string, string, string, string, string, string
    Delimiter       ;
</Extension>

# Event-ID allow-list used by <Input in>: any Security/Application/Setup/System
# event whose EventID is not listed here is dropped on the host, so a gap in
# this list is telemetry the collector never sees. It mixes legacy (pre-2008)
# IDs such as 528/529/540 with their current equivalents (4624/4625/4634 ...)
# so one file serves old and new servers.
define aisiem                                                                        \
    1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18, 19, 20, 21, 104, 258, 259, 260, \
    261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, \
    540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644, \
    645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689, \
    690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100,   \
    7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
    4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
    4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
    4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
    4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
    4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
    4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
    5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

# Domain-controller event logs. The Query pulls every event from the four
# channels; the allow-list is applied afterwards in Exec, which means an
# EventID missing from %aisiem% is discarded on the host and cannot be
# recovered downstream.
<Input in>
    Module      im_msvistalog
    Query       <QueryList>                                     \
                    <Query Id="0">                              \
                        <Select Path="Security">* </Select>     \
                        <Select Path="Application">* </Select>  \
                        <Select Path="Setup">* </Select>        \
                        <Select Path="System">* </Select>       \
                    </Query>                                    \
                </QueryList>
    <Exec>
        if ($EventID NOT IN (%aisiem%)) drop();
    </Exec>
</Input>


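# DNS Server debug log. The path is single-quoted so backslashes are literal;
# the original mixed "\\" and "\" inside one double-quoted string, where a
# backslash is an escape character.
# NOTE(review): "Sysnative" is the alias of the 64-bit System32 that only a
# 32-bit process sees; a 64-bit nxlog build should use C:\Windows\System32\dns.
<Input DNS_In>
    Module      im_file
    File        'C:\Windows\Sysnative\dns\dns*'
    SavePos     TRUE
    InputType   LineBased
    # Lines starting with '#' are file headers, not events.
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>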


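# DHCP Server audit log. Single-quoted path: the original used single
# backslashes inside a double-quoted string, where "\W", "\S", "\d" and "\D"
# would be read as escape sequences rather than path separators.
# NOTE(review): "Sysnative" is only visible to 32-bit processes; a 64-bit
# nxlog build should use C:\Windows\System32\dhcp.
<Input DHCP_In>
    Module      im_file
    File        'C:\Windows\Sysnative\dhcp\DhcpSrvLog*'
    SavePos     TRUE
    # Lines starting with '#' are file headers, not events.
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>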


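# IIS W3C access logs, one directory per site (W3SVC*). Single-quoted path:
# the original had "\\" everywhere except the final "\u_ex*", where "\u" would
# be taken as an escape inside a double-quoted string.
# ReadFromLast TRUE with SavePos TRUE: the first start skips history already
# on disk, later restarts resume where they stopped.
<Input in_iis>
    Module          im_file
    File            'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*'
    SavePos         TRUE
    ReadFromLast    TRUE
    # Lines starting with '#' are the W3C header directives, not requests.
    Exec            if $raw_event =~ /^#/ drop();
    Exec            $Message = $raw_event;
</Input>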

# SQL Server audit events read from the Windows event log and split into the
# fields that mssql_csv serialises.
# NOTE(review): no Query directive is given, so im_msvistalog reads its
# default channels rather than only the SQL Server provider -- confirm this is
# intended; otherwise add a Query selecting the SQL Server provider on the
# Application channel.
# NOTE(review): SavePos FALSE together with ReadFromLast TRUE means events
# written while the agent was stopped are never collected; SavePos TRUE would
# close that gap in the audit trail.
<Input in_mssql>
    Module          im_msvistalog
    SavePos         FALSE
    ReadFromLast    TRUE
    Exec            $Message = $raw_event;
    # Pull the audit attributes out of the message text.
    Exec            if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec            if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec            if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
    Exec            if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    # Any record without AUDIT_SUCCESS is reported as a failure.
    <Exec>
        if $raw_event =~ /AUDIT_SUCCESS/
        {
            $Result = 'Success';
        }
        else
            $Result = 'Failure';
    </Exec>
    # Flatten the message onto one line so it fits a single CSV record.
    Exec            $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>

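# Exchange message-tracking logs (the original comment said IIS by mistake).
# The original File pointed at the MessageTracking directory itself; im_file
# expects a file path or wildcard, so the tracking-log glob is used here --
# verify it against the Exchange install on the server.
# Entries for HealthMailbox accounts (Exchange's own health-probe mailboxes)
# are dropped as noise; lines starting with '#' are the CSV header.
<Input in_exchange>
    Module      im_file
    File        'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    SavePos     TRUE
    Exec        if $raw_event =~ /HealthMailbox/ drop();
    Exec        if $raw_event =~ /^#/ drop();
</Input>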

# AD events to the collector as JSON over UDP/5154.
# NOTE(review): om_udp is cleartext and has no delivery guarantee -- a dropped
# datagram is a silently lost security event. om_tcp or om_ssl would give
# backpressure and transport encryption if the collector accepts them.
<Output out>
    Module      om_udp
    Host        CCE_IP_ADDRESS
    Port        5154
    Exec        to_json();
</Output>

# DNS events as BSD syslog over UDP/514 (cleartext, no delivery guarantee).
<Output DNS_Out>
    Module      om_udp
    Host        CCE_IP_ADDRESS
    Port        514
    # Facility value and source tag let the collector tell the feeds apart.
    Exec        $SyslogFacilityValue = 2;
    Exec        $SourceName = 'windows_dns_logs';
    Exec        to_syslog_bsd();
</Output>

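# DHCP events as BSD syslog over UDP/514 (cleartext, no delivery guarantee).
# The Host placeholder now matches the other outputs; the original
# "{CCE_IP ADDRESS}" (braces, space) would not have been replaced by the same
# substitution and is not a valid host name either.
<Output DHCP_Out>
    Module      om_udp
    Host        CCE_IP_ADDRESS
    Port        514
    # Facility value and source tag let the collector tell the feeds apart.
    Exec        $SyslogFacilityValue = 2;
    Exec        $SourceName = 'windows_dhcp_logs';
    Exec        to_syslog_bsd();
</Output>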
# IIS access-log lines as BSD syslog over UDP/514 (cleartext, no delivery
# guarantee).
<Output out_iis>
    Module      om_udp
    Host        CCE_IP_ADDRESS
    Port        514
    # Facility value and source tag let the collector tell the feeds apart.
    Exec        $SyslogFacilityValue = 2;
    Exec        $SourceName = 'windows_iis_logs';
    Exec        to_syslog_bsd();
</Output>

# SQL Server audit events as CSV (layout defined by mssql_csv), sent over
# UDP/514 with the sender's FQDN and a 'mssql_logs:' tag in front of the record.
# $SourceName appears in the CSV fields but is never assigned in this file;
# presumably im_msvistalog fills it from the event provider -- verify.
<Output out_mssql>
    Module          om_udp
    Host            CCE_IP_ADDRESS
    Port            514
    # Ensure we send in the proper format:
    Exec            $Hostname = hostname_fqdn();
    Exec            mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>
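# A second <Extension mssql_csv> definition used to be here. It duplicated the
# one declared with the other extensions near the top of this file; module
# instance names are expected to be unique, so the duplicate would stop the
# agent from starting -- and with it every log feed in this file.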

# Exchange message-tracking lines as BSD syslog over UDP/514 (cleartext, no
# delivery guarantee).
<Output out_exchange>
    Module      om_udp
    Host        CCE_IP_ADDRESS
    Port        514
    # Facility value and source tag let the collector tell the feeds apart.
    Exec        $SyslogFacilityValue = 2;
    Exec        $SourceName = 'exchange_msgtrk_log';
    Exec        to_syslog_bsd();
</Output>

# Route: AD event log -> JSON/UDP output.
<Route 1>
    Path        in => out
</Route>

# Route: DNS debug log -> syslog output.
<Route DNS>
    Path        DNS_In => DNS_Out
</Route>

# Route: DHCP audit log -> syslog output.
<Route DHCP>
    Path        DHCP_In => DHCP_Out
</Route>

# Route: IIS access logs -> syslog output.
<Route in-to-out>
    Path        in_iis => out_iis
</Route>

# Route: SQL Server audit events -> CSV output.
<Route mssql>
    Path        in_mssql => out_mssql
</Route>

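# Route: Exchange message-tracking -> syslog output. Named "exchange" because
# the AD route earlier in this file is already called "1"; two routes with the
# same name are a configuration error that keeps the agent from starting.
<Route exchange>
    Path        in_exchange => out_exchange
</Route>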
