...
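## Please set ROOT to the folder nxlog was installed into,
## otherwise it will not start.
## Exactly one `define ROOT` must be active: comment out the 64-bit line
## and uncomment the (x86) line on a 32-bit installation.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

## Every runtime path is derived from ROOT. The data directory holds the
## saved file positions (SavePos), the pid file, the spool and nxlog's own
## log; it should be writable only by the account the nxlog service runs as.
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log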
## JSON serialiser; provides to_json() for the event-log output (<Output out>).
<Extension _json>
Module xm_json
</Extension>
## Syslog formatter; provides to_syslog_bsd() and the $SyslogFacilityValue /
## $SourceName fields used by the file-based outputs below. Declare this
## instance name once only.
<Extension syslog>
Module xm_syslog
</Extension>
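## Allowlist of Windows Event IDs forwarded by <Input in>: any record whose
## EventID is not in this list is dropped before it leaves the host, so an ID
## missing here is never seen by the collector. The list mixes legacy
## (pre-Vista 5xx/6xx) IDs with their 4xxx successors; order is irrelevant to
## the IN test (632 is simply out of sequence). Review it whenever the audit
## policy changes — commonly forwarded IDs such as 4648, 4672, 4698 and 4719
## are not present; confirm that is intentional.
define aisiem \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18, 19, 20, 21, 104, 258, 259, 260, \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, \
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644, \
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689, \
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004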
## Windows Event Log collector. Reads every record from the four channels in
## the Query and keeps only EventIDs on the %aisiem% allowlist.
## NOTE(review): reading the Security channel requires the nxlog service
## account to have read access to that log (e.g. Event Log Readers) — confirm
## on the host, otherwise Security events are silently absent.
<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">* </Select>\
<Select Path="Application">* </Select>\
<Select Path="Setup">* </Select>\
<Select Path="System">* </Select>\
</Query>\
</QueryList>
# Allowlist filter: anything whose EventID is not in %aisiem% is dropped here.
<Exec>
if ($EventID NOT IN (%aisiem%)) drop();
</Exec>
</Input>
## Forwards the filtered event-log records as JSON over UDP to the collector.
## NOTE(review): om_udp is unencrypted, unauthenticated and gives no delivery
## guarantee, so Security-log content can be lost or read in transit; if the
## collector supports it, om_tcp or om_ssl on this port is the safer choice.
<Output out>
Module om_udp
Host 10.11.23.234
Port 5154
Exec to_json();
</Output>
## Event log -> JSON/UDP collector.
<Route 1>
Path in => out
</Route>
## DNS Logs
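## Windows DNS Server debug log. The File pattern must match the log path set
## in the DNS diagnostic-logging settings on the host.
<Input DNS_In>
    Module    im_file
    # Single quotes: no backslash-escape processing, so the Windows path is
    # taken literally (double quotes would interpret sequences such as \t).
    File      'C:\DNS LOG\dns*'
    SavePos   TRUE
    InputType LineBased
    # Header/comment lines start with '#'; drop them before tagging the event.
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>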
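## Ships DNS log lines as BSD syslog over UDP 514 to the collector.
<Output DNS_Out>
    Module om_udp
    # Host takes the bare collector address only; any annotation such as
    # "<CCE IP Address>" belongs in a comment, not on the directive line.
    # Change the address here if this collector differs from the other outputs.
    Host   10.11.23.234
    Port   514
    # Facility 2 (mail) plus a fixed tag; the collector presumably keys its
    # parser on $SourceName, so keep the value in sync with it.
    Exec   $SyslogFacilityValue = 2;
    Exec   $SourceName = 'windows_dns_logs';
    Exec   to_syslog_bsd();
</Output>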
## DNS debug log -> syslog/UDP collector.
<Route DNS>
Path DNS_In => DNS_Out
</Route>
## DHCP Logs
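## Windows DHCP Server audit log (DhcpSrvLog-<Day>.log files).
<Input DHCP_In>
    Module    im_file
    # Single quotes keep the Windows path literal (no escape processing).
    File      'C:\Windows\system32\dhcp\DhcpSrvLog*'
    SavePos   TRUE
    # LineBased is im_file's default; stated explicitly to match the other
    # file inputs in this configuration.
    InputType LineBased
    # Header/comment lines start with '#'; drop them before tagging the event.
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>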
## Ships DHCP log lines as BSD syslog over UDP 514; facility 2 (mail) and the
## $SourceName tag are what the collector presumably keys on.
<Output DHCP_Out>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dhcp_logs';
Exec to_syslog_bsd();
</Output>
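## DHCP audit log -> syslog/UDP collector.
<Route DHCP>
    Path DHCP_In => DHCP_Out
</Route>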
## IIS Logs
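## IIS W3C access logs for every site (W3SVC<id> directories).
<Input in_iis>
    Module       im_file
    # Single quotes keep the Windows path literal; equivalent to the
    # double-quoted, double-backslash form.
    File         'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*'
    SavePos      TRUE
    # With no saved position (first start), begin at the end of the file
    # instead of replaying historical log lines.
    ReadFromLast TRUE
    # W3C header lines (#Software, #Fields, ...) start with '#'; drop them.
    Exec         if $raw_event =~ /^#/ drop();
    Exec         $Message = $raw_event;
</Input>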
## Ships IIS access-log lines as BSD syslog over UDP 514; facility 2 (mail)
## and the $SourceName tag are what the collector presumably keys on.
<Output out_iis>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_iis_logs';
Exec to_syslog_bsd();
</Output>
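## IIS access log -> syslog/UDP collector.
## Route named after its source, like the DNS/DHCP/FTP routes; route names
## appear only in nxlog's own log and statistics.
<Route IIS>
    Path in_iis => out_iis
</Route>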
## Exchange Logs
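## The xm_syslog extension instance `syslog` is already declared near the top
## of this file and is shared by every syslog output. A second
## <Extension syslog> block here would declare a duplicate module instance
## name, which nxlog rejects when loading the configuration, so it is omitted.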
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
## Exchange message-tracking logs. Lines mentioning HealthMailbox come from
## Exchange's own monitoring (health) mailboxes and are dropped as noise; the
## '#' lines are the CSV header block at the top of each file.
<Input in_exchange>
Module im_file
File '%BASEDIR%\MSGTRK*-*.LOG'
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>
## Ships message-tracking lines as BSD syslog over UDP 514; facility 2 (mail)
## and the $SourceName tag are what the collector presumably keys on.
<Output out_exchange>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'exchange_msgtrk_log';
Exec to_syslog_bsd();
</Output>
## Exchange message tracking -> syslog/UDP collector.
<Route exchange>
Path in_exchange => out_exchange
</Route>
## SQL Logs
## SQL Server audit events taken from the Windows Event Log.
## NOTE(review): there is no Query here, so this instance reads im_msvistalog's
## default channel set and forwards every record it sees as mssql_logs,
## overlapping with <Input in>; only SQL Server audit records populate the
## fields extracted below. A Query limited to the SQL Server provider would
## cut that noise — confirm the provider/channel name on the host first.
<Input in_mssql>
Module im_msvistalog
# Position is never saved, so every start reads only events that arrive
# after startup (ReadFromLast); nothing is replayed.
SavePos FALSE
ReadFromLast TRUE
Exec $Message = $raw_event;
# Finding some values:
# These field names must match the Fields list of the mssql_csv extension
# used by out_mssql — including the spelling $SV_Instace.
Exec if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
Exec if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
Exec if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
Exec if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
# Any record without AUDIT_SUCCESS in its text is labelled Failure.
Exec if $raw_event =~ /AUDIT_SUCCESS/\
{\
$Result = 'Success';\
}\
else\
$Result = 'Failure';
# Replace white spaces
# Flatten tabs and line breaks so the message fits on one CSV/syslog line.
Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>
## Sends each SQL audit event as "<fqdn> mssql_logs: <csv>" over UDP 514.
## This is not to_syslog_bsd() output, so the collector must parse this
## custom prefix rather than an RFC 3164 header.
## NOTE(review): `mssql_csv` is not declared anywhere in this file — an
## <Extension mssql_csv> (xm_csv) with the matching Fields list has to be
## provided elsewhere, otherwise the to_csv() reference cannot be resolved.
<Output out_mssql>
Module om_udp
Host 10.11.23.234
Port 514
# Ensure we send in the proper format:
Exec $Hostname = hostname_fqdn();
Exec mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>
## SQL Server audit events -> CSV/UDP collector.
<Route mssql>
Path in_mssql => out_mssql
</Route>
## FTP Logs
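## Ipswitch WS_FTP Server logs (Logging Server output directory).
<Input FTP_In>
    Module    im_file
    # Single quotes keep the Windows path literal (no escape processing).
    File      'C:\Program Files (x86)\Ipswitch\WS_FTP Server\Logging Server\Logs*'
    SavePos   TRUE
    InputType LineBased
    # Header/comment lines start with '#'; drop them before tagging the event.
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>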
## Ships WS_FTP log lines as BSD syslog over UDP 514; facility 2 (mail) and
## the $SourceName tag are what the collector presumably keys on.
<Output FTP_Out>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_ftp_logs';
Exec to_syslog_bsd();
</Output>
## WS_FTP log -> syslog/UDP collector.
<Route FTP>
Path FTP_In => FTP_Out
</Route>
## Apache Logs
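## Tomcat 9 access logs (labelled "Apache" here, but this is the Tomcat
## localhost_access_log, not httpd's access_log).
<Input Apache_In>
    Module    im_file
    # Single quotes keep the Windows path literal (no escape processing).
    File      'C:\Program Files\Apache Software Foundation\Tomcat 9.0_Tomcat9.0\localhost_access_log.*'
    SavePos   TRUE
    InputType LineBased
    # Header/comment lines start with '#'; drop them before tagging the event.
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>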
## Ships Tomcat access-log lines as BSD syslog over UDP 514; facility 2 (mail)
## and the 'apache' $SourceName tag are what the collector presumably keys on.
<Output Apache_Out>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'apache';
Exec to_syslog_bsd();
</Output>
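## Tomcat access log -> syslog/UDP collector.
## Route named after its source like the other routes, instead of reusing the
## output instance name; the stray table delimiter that followed </Route> is
## not part of the configuration.
<Route Apache>
    Path Apache_In => Apache_Out
</Route>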
...
For IIS: Enable Logging on Windows IIS server
For MSSQL: Windows-Enabling MSSQL Logs
For DNS: To enable DNS diagnostic logging
...