# Global agent settings. ROOT is a macro expanded wherever %ROOT% appears below,
# so the whole install (modules, cache, pidfile, spool, log) lives under one tree.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
# Agent's own diagnostic log (distinct from the im_internal input, which ships
# the same class of messages to the collector).
LogFile   %ROOT%\data\nxlog.log
# Provides to_json(), used by every <Output> block to serialise the event fields.
<Extension json>
    Module xm_json
</Extension>
# Parser for IIS W3C access-log lines (space-delimited) into named, typed fields.
# Invoked as w3c->parse_csv() from the iis input.
<Extension w3c>
    # map iis log fields to Field Types
    Module     xm_csv
    # NOTE(review): assumes the site logs the default IIS W3C columns in exactly this
    # order (14 fields). Confirm against the "#Fields:" header of a current log file —
    # the iis input drops those header lines, so a mismatch would not be visible
    # downstream except as misnamed/mistyped fields.
    Fields     $date, $time, $serverip, $verb, $url, $querystring, $port, $username, $clientip, $useragent, $status, $substatus, $win32status, $timetaken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
    Delimiter  ' '
</Extension>
# nxlog's own internal messages (errors, warnings, status), routed to nxlog_out so
# a stalled or misconfigured agent is visible on the collector side.
<Input internal>
    Module im_internal
</Input>
# Windows Event Log collection (Vista+ API) for the Application, System and
# Security channels.
<Input eventlog>
    Module im_msvistalog
    # this kinda works for me, put * to get everything
    # The <Select> XPath is "*" on all three channels, i.e. every event is read;
    # narrow the XPath per channel if volume becomes a problem.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>
    # Drop successful audit events 4688/4689 (process created / process exited)
    # for cmd.exe when the subject is the host's own machine account
    # (PROD-WEB-01$). This is a host-specific noise filter: the hostname is
    # hard-coded, so on any other machine it matches nothing. Be aware it also
    # hides cmd.exe starts under that account from the collector — confirm the
    # source of that activity is understood before relying on this filter.
    Exec if $raw_event =~ /AUDIT_SUCCESS\s+468(8|9)/ and $raw_event =~ /C:\\Windows\\System32\\cmd\.exe/ and $raw_event =~ /Account Name:\s+PROD-WEB-01\$/ drop();
</Input>
# Tails the IIS W3C logs for site W3SVC1, parses each record with the w3c
# extension and derives $EventTime from the log's date/time columns.
<Input iis>
    Module       im_file
    # Glob matches the rotated u_ex*.log files; new files are picked up as IIS
    # creates them.
    File         "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    # Start at the end of existing files on first run — history before the agent
    # was installed is not shipped.
    ReadFromLast TRUE
    # W3C header/comment lines (#Software, #Version, #Date, #Fields) are not records.
    Exec if $raw_event =~ /^#/ drop();
    # Crawler/monitor noise filter keyed on the User-Agent substring (IIS encodes
    # spaces in the UA as "+", hence Sogou\+web\+spider). This is a volume
    # reduction only: the match is on a client-supplied header, so any request
    # presenting one of these strings is excluded from the shipped logs. Keep
    # the local IIS log as the complete record.
    Exec if $raw_event =~ /(NewRelicPinger|YandexBot|mon\.itor\.us|SemrushBot|bingbot|Googlebot|AdsBot|TweetmemeBot|Sogou\+web\+spider)/ drop();
    # Only parse records that survived the filters above.
    # NOTE(review): IIS writes W3C date/time in UTC by default; confirm that
    # parsedate() on the concatenated string yields the intended timezone on the
    # collector.
    Exec if not dropped() \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time); \
         }
</Input>
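# Ships parsed IIS records as JSON over HTTPS to the collector's /iis endpoint.
<Output iis_out>
    Module              om_http
    Url                 https://ec2-23-20-203-57.compute-1.amazonaws.com/iis
    # Verify the collector's TLS certificate. With HTTPSAllowUntrusted TRUE any
    # certificate is accepted, so an on-path party could impersonate the
    # collector and read or alter the shipped records.
    HTTPSAllowUntrusted FALSE
    # PLACEHOLDER path: PEM file holding the CA (or the collector's own
    # self-signed) certificate that signs the collector's TLS certificate.
    # Install it on the agent host and point this directive at it.
    HTTPSCAFile         %ROOT%\cert\collector-ca.pem
    Exec                to_json();
</Output>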
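# Ships Windows Event Log records (including the Security channel) as JSON over
# HTTPS to the collector's /eventlog endpoint.
<Output eventlog_out>
    Module              om_http
    Url                 https://ec2-23-20-203-57.compute-1.amazonaws.com/eventlog
    # Verify the collector's TLS certificate. With HTTPSAllowUntrusted TRUE any
    # certificate is accepted, so an on-path party could impersonate the
    # collector and read or alter the shipped audit records.
    HTTPSAllowUntrusted FALSE
    # PLACEHOLDER path: PEM file holding the CA (or the collector's own
    # self-signed) certificate that signs the collector's TLS certificate.
    # Install it on the agent host and point this directive at it.
    HTTPSCAFile         %ROOT%\cert\collector-ca.pem
    Exec                to_json();
</Output>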
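# Ships the agent's internal messages as JSON over HTTPS to the collector's
# /nxlog endpoint.
<Output nxlog_out>
    Module              om_http
    Url                 https://ec2-23-20-203-57.compute-1.amazonaws.com/nxlog
    # Verify the collector's TLS certificate. With HTTPSAllowUntrusted TRUE any
    # certificate is accepted, so an on-path party could impersonate the
    # collector and read or alter the shipped records.
    HTTPSAllowUntrusted FALSE
    # PLACEHOLDER path: PEM file holding the CA (or the collector's own
    # self-signed) certificate that signs the collector's TLS certificate.
    # Install it on the agent host and point this directive at it.
    HTTPSCAFile         %ROOT%\cert\collector-ca.pem
    Exec                to_json();
</Output>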
# Event Log records -> /eventlog endpoint.
<Route 1>
    Path eventlog => eventlog_out
</Route>
# Agent-internal messages -> /nxlog endpoint.
<Route 2>
    Path internal => nxlog_out
</Route>
# Parsed IIS access records -> /iis endpoint.
<Route 3>
    Path iis => iis_out
</Route>