cdenneen · August 29, 2015 14:06
diff --git a/nxlog.conf b/nxlog.conf
 ## Please set the ROOT to the folder your nxlog was installed into,
 ## otherwise it will not start.
  
 #define ROOT C:\Program Files\nxlog
 define ROOT C:\Program Files (x86)\nxlog
 define ROOT_STRING C:\Program Files (x86)\\nxlog
  
 Moduledir %ROOT%\modules
 CacheDir %ROOT%\data
 Pidfile %ROOT%\data\nxlog.pid
 SpoolDir %ROOT%\data
 LogFile %ROOT%\data\nxlog.log
  
 # Enable json extension
 <Extension json>
    Module      xm_json
 </Extension>

 <Extension syslog>
    Module      xm_syslog
 </Extension>

 <Processor buffer1>
    Module  pm_buffer
    MaxSize 1024
    Type    Mem
    WarnLimit   512
 </Processor>

 <Processor buffer2>
    Module  pm_buffer
    MaxSize 1024
    Type    Mem
    WarnLimit   512
 </Processor>
  
 # Nxlog internal logs
 <Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
 </Input>
  
 # Windows Event Log
 <Input eventlog>
 # Uncomment im_msvistalog for Windows Vista/2008 and later
   Module im_msvistalog
  
 # Uncomment im_mseventlog for Windows XP/2000/2003
 #   Module im_mseventlog
 
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
 </Input>

 # Select the input folder where logs will be scanned
 # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
 # Uncomment Extension w3c for IIS logging
 #<Extension w3c>
 #    Module xm_csv
 #    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referrer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
 #    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
 #    Delimiter ' '
 #</Extension>

 # Convert the IIS logs to JSON and use the original event time
 # Uncomment IIS_IN section if logging for IIS logging
 #<Input IIS_IN>
 #    Module    im_file
 #    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*"
 #    SavePos  TRUE
 
 #    Exec if $raw_event =~ /^#/ drop();				\
 #       else							\
 #       {							\
 #            w3c->parse_csv();					\
 #            $EventTime = parsedate($date + " " + $time);	\
 #            $SourceName = "IIS";				\
 #            $Message = to_json();				\
 #       }
 #</Input>

 # Uncomment vCenter_vpxd section for Windows vCenter logging 
 #<Input vCenter_vpxd>
 #	Module	im_file
 #	File	"C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-*.log"
 #	Exec	$Message = $raw_event;
 #	SavePos	TRUE
 #	Recursive	TRUE
 #</Input>

 # Uncomment vCenter_vpxd_alert section for Windows vCenter logging
 #<Input vCenter_vpxd_alert>
 #	Module	im_file
 #	File	"C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-alert-*.log"
 #	Exec	$Message = $raw_event;
 #	SavePos	TRUE
 #	Recursive	TRUE
 #</Input>

 <Processor t>
   	Module pm_transformer
 	OutputFormat syslog_rfc3164
 </Processor>

 # Change Host below to match your naming
 <Output out>
 	Module 		om_tcp
 	Host 		logstash
 	Port 		3515
 </Output>
 
 # Change Host below to match your naming
 # Uncomment IIS_Out section if using IIS logging
 #<Output IIS_Out>
 #	Module om_tcp
 #	Host logstash
 #	Port 3525
 #</Output>

 # Change Host below to match your naming
 # Uncomment vCenter_out section for vCenter logging
 #<Output vCenter_out>
 #	Module om_tcp
 #	Host logstash
 #	Port 1515
 #</Output>

 # Output routing
 <Route 1>
   Path internal, eventlog => buffer1 => out
 </Route>

 # Uncomment Route 2 if using IIS logging
 #<Route 2>
 #	Path IIS_In => IIS_Out
 #</Route>

 # Uncomment Route 3 for vCenter logging
 #<Route 3>
 #	Path vCenter_vpxd, vCenter_vpxd_alert => t => vCenter_out
 #</Route>
	## Please set the ROOT to the folder your nxlog was installed into,
	## otherwise it will not start.

	#define ROOT C:\Program Files\nxlog
	define ROOT C:\Program Files (x86)\nxlog
	define ROOT_STRING C:\Program Files (x86)\\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	# Enable json extension
	<Extension json>
	Module xm_json
	</Extension>

	<Extension syslog>
	Module xm_syslog
	</Extension>

	<Processor buffer1>
	Module pm_buffer
	MaxSize 1024
	Type Mem
	WarnLimit 512
	</Processor>

	<Processor buffer2>
	Module pm_buffer
	MaxSize 1024
	Type Mem
	WarnLimit 512
	</Processor>

	# Nxlog internal logs
	<Input internal>
	Module im_internal
	Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
	</Input>

	# Windows Event Log
	<Input eventlog>
	# Uncomment im_msvistalog for Windows Vista/2008 and later
	Module im_msvistalog

	# Uncomment im_mseventlog for Windows XP/2000/2003
	# Module im_mseventlog

	Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
	</Input>

	# Select the input folder where logs will be scanned
	# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
	# Uncomment Extension w3c for IIS logging
	#<Extension w3c>
	# Module xm_csv
	# Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referrer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
	# FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
	# Delimiter ' '
	#</Extension>

	# Convert the IIS logs to JSON and use the original event time
	# Uncomment IIS_IN section if logging for IIS logging
	#<Input IIS_IN>
	# Module im_file
	# File "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*"
	# SavePos TRUE

	# Exec if $raw_event =~ /^#/ drop(); \
	# else \
	# { \
	# w3c->parse_csv(); \
	# $EventTime = parsedate($date + " " + $time); \
	# $SourceName = "IIS"; \
	# $Message = to_json(); \
	# }
	#</Input>

	# Uncomment vCenter_vpxd section for Windows vCenter logging
	#<Input vCenter_vpxd>
	# Module im_file
	# File "C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-*.log"
	# Exec $Message = $raw_event;
	# SavePos TRUE
	# Recursive TRUE
	#</Input>

	# Uncomment vCenter_vpxd_alert section for Windows vCenter logging
	#<Input vCenter_vpxd_alert>
	# Module im_file
	# File "C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-alert-*.log"
	# Exec $Message = $raw_event;
	# SavePos TRUE
	# Recursive TRUE
	#</Input>

	<Processor t>
	Module pm_transformer
	OutputFormat syslog_rfc3164
	</Processor>

	# Change Host below to match your naming
	<Output out>
	Module om_tcp
	Host logstash
	Port 3515
	</Output>

	# Change Host below to match your naming
	# Uncomment IIS_Out section if using IIS logging
	#<Output IIS_Out>
	# Module om_tcp
	# Host logstash
	# Port 3525
	#</Output>

	# Change Host below to match your naming
	# Uncomment vCenter_out section for vCenter logging
	#<Output vCenter_out>
	# Module om_tcp
	# Host logstash
	# Port 1515
	#</Output>

	# Output routing
	<Route 1>
	Path internal, eventlog => buffer1 => out
	</Route>

	# Uncomment Route 2 if using IIS logging
	#<Route 2>
	# Path IIS_In => IIS_Out
	#</Route>

	# Uncomment Route 3 for vCenter logging
	#<Route 3>
	# Path vCenter_vpxd, vCenter_vpxd_alert => t => vCenter_out
	#</Route>