Untitled

a guest
Aug 21st, 2018
  ## This is a basic configuration file for Windows Server 2008 * 2012
  ## See the nxlog reference manual about the configuration options.
  ## It should be installed locally and is also available
  ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

  ## Please set the ROOT to the folder your nxlog was installed into,
  ## otherwise it will not start.

  define ROOT C:\Program Files (x86)\nxlog
  # define ROOT C:\Program Files\nxlog

  # Core paths, all relative to ROOT: module directory, on-disk cache and
  # spool, the pid file, and nxlog's own log file.
  Moduledir %ROOT%\modules
  CacheDir %ROOT%\data
  Pidfile %ROOT%\data\nxlog.pid
  SpoolDir %ROOT%\data
  LogFile %ROOT%\data\nxlog.log



  # Enable conversion to UTF-8
  <Extension charconv>
  Module xm_charconv
  AutodetectCharsets utf-8, utf-16, utf-32, iso8859-15
  </Extension>

  # Syslog helper extension; no Exec in this file calls its functions.
  <Extension _syslog>
  Module xm_syslog
  </Extension>

  # Extension JSON: provides to_json(), used by the eventlog input below
  <Extension json>
  Module xm_json
  </Extension>


  # Event Log input with no Query directive, so the module's default channel
  # set applies (see the channel note in pr_mseventlog). Tags each event with
  # $From and serializes its fields to JSON.
  # NOTE(review): this input is not named in any <Route> in this file, so as
  # written its events are not delivered anywhere — confirm that is intended.
  <Input eventlog>
  Module im_msvistalog
  Exec $From = "EventLog";
  Exec to_json();
  </Input>


  <Input pr_mseventlog>
  Module im_msvistalog
  # Start at the newest entries rather than replaying log history on first start
  ReadFromLast True
  # http://msdn.microsoft.com/en-us/library/aa385231.aspx
  # http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
  # Level 1 (ID=30 Critical) severity level events
  # Level 2 (ID=40 Error) severity level events
  # Level 3 (ID=50 Warning) severity level events
  # Level 4 (ID=80 Information) severity level events
  # Level 5 (ID=100 Verbose) severity level events
  # All channels are included by default which are listed in the registry under these:
  # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
  # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
  #
  # <Select Path='Key Management Service'>*</Select></Query>\
  # <Select Path='Internet Explorer'>*</Select></Query>\
  # <Select Path='HardwareEvents'>*</Select></Query>\
  #
  # Channel filter. The trailing backslashes continue the Query value across
  # lines. Security is collected unfiltered; the other channels use a Level
  # predicate.
  # NOTE(review): a predicate such as [System/Level=4] matches only events
  # whose Level is exactly 4 (Information), so Critical/Error/Warning events in
  # System are NOT selected here (likewise Application keeps only Level 2 and
  # Setup only Level 3). If "that level and more severe" was intended, the
  # predicate needs a range or or-list rather than equality — verify against
  # the reference manual before relying on this for alerting.
  Query <QueryList>\
  <Query Id="0">\
  <Select Path="Security">*</Select>\
  <Select Path="System">*[System/Level=4]</Select>\
  <Select Path="Application">*[Application/Level=2]</Select>\
  <Select Path="Setup">*[System/Level=3]</Select>\
  <Select Path='Windows PowerShell'>*</Select>\
  </Query>\
  </QueryList>

  # REGEX EXAMPLES:
  # "\s" equals one white space character, "." equals any one char, and ".*" equals any run of chars (including none)
  # Line Contains both "bubble" and "gum"
  # Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
  # Line does Not Contain "boy"
  # Search pattern: ^(?!.*boy).*
  # Line Contains "bubble" but Neither "gum" Nor "bath"
  # Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*

  # Uncomment next line to view all logs, we can view output to help
  # create the regex, next line shows my $raw_event data to parse:
  # 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
  # Exec log_info($raw_event) ;
  # Noise filter: any event whose raw text matches "INFO", whitespace, "62464"
  # is discarded here and never reaches the output. Dropped events are gone for
  # good, so keep such patterns narrow and re-check them when the channel set
  # or the Query above changes.
  Exec if ($raw_event =~ /INFO\s+62464/) drop();

  </Input>

  # Forward to the collector over plain UDP on port 12201.
  # NOTE(review): om_udp provides neither delivery confirmation nor transport
  # encryption, so the events — including the unfiltered Security channel
  # selected above — cross the network in cleartext and can be silently lost.
  # The reference manual also documents om_tcp and om_ssl (TLS) outputs if
  # integrity or confidentiality of the log stream matters here.
  # Host is a redacted placeholder as published; set the real collector address.
  <Output out>
  Module om_udp
  Host 10.247.x.x
  Port 12201
  </Output>

  # Only pr_mseventlog is routed to the output; the eventlog input is not.
  <Route 1>
  Path pr_mseventlog => out
  </Route>