-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNXLogConfig.txt
104 lines (90 loc) · 2.98 KB
/
NXLogConfig.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
###############################################################################
# NXLOG Configuration for Threat Analytics Platform (TAP) 2017 #
# Windows Server 2012 Default Configuration - Version 3.0 #
# Created by Occams Reiza - 8 Feb 2017 #
#Based on config by Evan Davison #
# Requires NXLOG Community Version 2.9.x or greater #
###############################################################################
## Specify the TAP Sender IP address to send logs to by replacing X.X.X.X
define TAP_CC_IP X.X.X.X
## If instructed, specify alternate TAP Sender Port to send logs to (defaulted to 514)
define TAP_CC_Port 514
########################################
# Global Directives #
########################################
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
########################################
# Global Extensions #
########################################
<Extension _json>
Module xm_json
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
#################
# Security Logs #
#################
## Must add "SecurityLogs" as INPUT to route below.
## DO NOT MODIFY MODULE NAMES AS IT MAY BREAK TAP FUNCTIONALITY
<Input ms_security>
Module im_msvistalog
#Applies filtering to select SECURITY logs ONLY.
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Exec $Hostname = hostname_fqdn();\
to_json();
</Input>
#########################
# Application Logs #
#########################
## Must add "ms_application" as INPUT to route below.
## DO NOT MODIFY MODULE NAMES AS IT MAY BREAK TAP FUNCTIONALITY
<Input ms_application>
Module im_msvistalog
#Applies filtering to select Application logs ONLY.
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
</Query>\
</QueryList>
Exec $Hostname = hostname_fqdn();\
to_json();
</Input>
#####################
# MS DNS Logs #
#####################
## Must add "ms_dns" as INPUT to route below.
## DO NOT MODIFY MODULE NAMES AS IT MAY BREAK TAP FUNCTIONALITY
<Input ms_dns>
Module im_msvistalog
Query <QueryList>\
<Query Id="0" Path="DNS Server">\
<Select Path="DNS Server">*</Select>\
</QueryList>
Exec $Hostname = hostname_fqdn();\
to_json();
</Input>
##############################################
# OUTPUT TAP Senders (UNENCRYPTED) #
##############################################
<Output udp_sender>
Module om_udp
Host %TAP_CC_IP%
Port %TAP_CC_Port%
</Output>
########################################
# Default Route #
########################################
<Route primary>
Path ms_security,ms_application,ms_dns => udp_sender
</Route>