Last active
November 16, 2016 22:06
-
-
Save LVLAaron/8085923 to your computer and use it in GitHub Desktop.
Config files used to send Windows Eventlog data with NXLOG to Logstash
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "_index": "logstash-2013.12.23", | |
| "_type": "logs", | |
| "_id": "eMsyB2q4TA6sH0bW3kCBZA", | |
| "_score": null, | |
| "_source": { | |
| "EventTime": "2013-12-22 22:45:27", | |
| "Hostname": "aapc", | |
| "Keywords": -9187343239835812000, | |
| "EventType": "INFO", | |
| "SeverityValue": 2, | |
| "Severity": "INFO", | |
| "EventID": 7036, | |
| "SourceName": "Service Control Manager", | |
| "ProviderGuid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}", | |
| "Version": 0, | |
| "Task": 0, | |
| "OpcodeValue": 0, | |
| "RecordNumber": 57035, | |
| "ProcessID": 632, | |
| "ThreadID": 5772, | |
| "Channel": "System", | |
| "Message": "The nxlog service entered the stopped state.", | |
| "param1": "nxlog", | |
| "param2": "stopped", | |
| "EventReceivedTime": "2013-12-22 22:45:29", | |
| "SourceModuleName": "in", | |
| "SourceModuleType": "im_msvistalog", | |
| "@timestamp": "2013-12-23T03:45:40.544Z", | |
| "@version": "1", | |
| "type": "WindowsEventLog", | |
| "host": "10.10.1.2", | |
| "tags": [ | |
| "_grokparsefailure" | |
| ], | |
| "priority": 13, | |
| "severity": 5, | |
| "facility": 1, | |
| "facility_label": "user-level", | |
| "severity_label": "Notice" | |
| }, | |
| "sort": [ | |
| 1387770340544 | |
| ] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| define ROOT C:\Program Files (x86)\nxlog | |
| Moduledir %ROOT%\modules | |
| CacheDir %ROOT%\data | |
| Pidfile %ROOT%\data\nxlog.pid | |
| SpoolDir %ROOT%\data | |
| LogFile %ROOT%\data\nxlog.log | |
| <Extension syslog> | |
| Module xm_syslog | |
| </Extension> | |
| <Extension json> | |
| Module xm_json | |
| </Extension> | |
| <Input in> | |
| Module im_msvistalog | |
| Exec $raw_event = to_json(); | |
| </Input> | |
| <Processor buffer> | |
| Module pm_buffer | |
| MaxSize 1024 | |
| Type Mem | |
| WarnLimit 512 | |
| </Processor> | |
| <Output out> | |
| Module om_tcp | |
| Host 10.1.150.59 | |
| Port 1514 | |
| </Output> | |
| <Route r> | |
| Path in => buffer => out | |
| </Route> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| syslog { | |
| type => "WindowsEventLog" | |
| port => 1514 | |
| codec => json { | |
| charset => [ "CP1252" ] | |
| } | |
| } | |
| } | |
| filter { | |
| if [type] == "WindowsEventLog" { | |
| mutate { remove_field => [ "Keywords","SourceModuleType","facility","facility_label","host","priority","severity","severity_label","SourceModuleName","RecordNumber","ProviderGuid","Task","ThreadID","ProcessID","Severity","SeverityValue","OpcodeValue","Opcode","ThreadID" ] } | |
| } | |
| } | |
| output { | |
| elasticsearch { | |
| cluster => "Mint16ES" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It would be better to do the field remove in the NXlog side, to avoid to transfer everything all over the network only to drop it on the logstash side. It is what I am looking for right now.