## This is a basic configuration file for Windows Server 2008 and 2012
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
## Only one ROOT define may be active: the 32-bit install path is live
## below and the 64-bit one is kept commented out as the alternative.
define ROOT C:\Program Files (x86)\nxlog
# define ROOT C:\Program Files\nxlog
# Every runtime path is derived from ROOT, so a single edit relocates the install.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Enable conversion to UTF-8.
# xm_charconv is loaded here, but no Exec statement visible in this file calls
# convert()/convert_fields(); AutodetectCharsets only takes effect where it is used — verify.
<Extension charconv>
Module xm_charconv
AutodetectCharsets utf-8, utf-16, utf-32, iso8859-15
</Extension>
# Syslog helper functions (to_syslog_bsd(), to_syslog_ietf(), parse_syslog()).
# Loaded but not referenced by any Exec statement visible in this file.
<Extension _syslog>
Module xm_syslog
</Extension>
# Extension JSON: provides to_json(), which the eventlog input below relies on.
<Extension json>
Module xm_json
</Extension>
# Unfiltered event collection: no Query is given, so the module's default channel
# set applies, and $raw_event is rewritten as JSON.
# NOTE(review): no <Route> in this file references "eventlog", so whatever it
# collects is never delivered; confirm whether this input should be routed or removed.
<Input eventlog>
Module im_msvistalog
# Tag each record with its origin before serialisation.
Exec $From = "EventLog";
# Replaces $raw_event with a JSON rendering of all fields (needs the json extension).
Exec to_json();
</Input>
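# Filtered event collection; this is the only input the route below delivers.
# Security and Windows PowerShell are collected in full; System, Application and
# Setup are restricted by event level (see the level table below).
<Input pr_mseventlog>
Module im_msvistalog
# Start from the newest record on first run instead of replaying the whole log.
ReadFromLast True
# http://msdn.microsoft.com/en-us/library/aa385231.aspx
# http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
# Level 1 (ID=30 Critical) severity level events
# Level 2 (ID=40 Error) severity level events
# Level 3 (ID=50 Warning) severity level events
# Level 4 (ID=80 Information) severity level events
# Level 5 (ID=100 Verbose) severity level events
# All channels are included by default which are listed in the registry under these:
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
#
# <Select Path='Key Management Service'>*</Select></Query>\
# <Select Path='Internet Explorer'>*</Select></Query>\
# <Select Path='HardwareEvents'>*</Select></Query>\
#
# The Level element always lives under the event's <System> element regardless of
# the channel, so every predicate uses System/Level. The former
# *[Application/Level=2] matched no element and silently selected nothing from the
# Application channel.
# NOTE(review): System/Level=4 keeps only Information events from the System channel
# and discards Critical/Error/Warning; if that is unintended use *[System/Level<=4].
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
<Select Path="System">*[System/Level=4]</Select>\
<Select Path="Application">*[System/Level=2]</Select>\
<Select Path="Setup">*[System/Level=3]</Select>\
<Select Path='Windows PowerShell'>*</Select>\
</Query>\
</QueryList>
# REGEX EXAMPLES:
# "\s" equals one white space character, "." equals any one char and ".*" any run of chars
# Line Contains both "bubble" and "gum"
# Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
# Line does Not Contain "boy"
# Search pattern: ^(?!.*boy).*
# Line Contains "bubble" but Neither "gum" Nor "bath"
# Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*
# Uncomment next line to view all logs, we can view output to help
# create the regex, next line shows my $raw_event data to parse:
# 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
# Exec log_info($raw_event) ;
# Drop the noisy informational event 62464 before it reaches the output.
Exec if ($raw_event =~ /INFO\s+62464/) drop();
</Input>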
# Destination for routed events. om_udp sends $raw_event as plain UDP datagrams:
# no encryption and no acknowledgement, so Security-channel records can be lost
# silently or read on the wire; om_tcp or om_ssl would add delivery and
# confidentiality if the collector supports them.
# NOTE(review): 12201 is the port Graylog conventionally uses for GELF inputs; if
# the receiver expects GELF, this output also needs xm_gelf and "OutputType GELF".
<Output out>
Module om_udp
# Placeholder address as pasted; replace with the collector's real IP.
Host 10.247.x.x
Port 12201
</Output>
# Single route: only pr_mseventlog feeds the UDP output; the "eventlog" input
# defined above is not on any route.
<Route 1>
Path pr_mseventlog => out
</Route>