I hereby claim:
- I am deruke on github.
- I am derekbanks (https://keybase.io/derekbanks) on keybase.
- I have a public key ASAOau90RIe9f3aw2svuIabRL7emSd9uVmtko-F05pmmWQo
To claim this, I am signing this object:
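*filter
# Loopback: accept everything that arrives on lo, and REJECT anything addressed
# to 127/8 that arrives on any other interface (REJECT answers with an error
# rather than silently dropping the packet).
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept replies to connections this host initiated, plus related traffic
# (e.g. ICMP errors for them).
# NOTE(review): these ACCEPT rules only restrict anything if the INPUT chain
# policy (not shown in this excerpt) is DROP or REJECT - confirm.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
# (fragment: the OUTPUT rule this comment refers to, and the COMMIT line, lie
# beyond this excerpt)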
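# define ROOT dir
# %ROOT% is the NXLog install directory; every path below is built from it,
# so a non-default install location only needs this one line changed.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# The _syslog extension block is commented out in this fragment; the rest of
# the file (input/output modules) lies beyond this excerpt.
#<Extension _syslog>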
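@echo off
REM Install NXLog from SYSVOL unless its service is already running, then
REM continue with the Sysmon step. The install_sysmon label is defined
REM beyond this excerpt.
:install_nxlog
REM find sets ERRORLEVEL 0 when "RUNNING" appears in the sc output and 1
REM when it does not (including when the service does not exist at all).
sc query "nxlog" | Find "RUNNING" >NUL
If NOT "%ERRORLEVEL%" EQU "1" (
goto install_sysmon
)
echo Installing NXLOG
REM Call msiexec explicitly instead of relying on the .msi shell association
REM to forward /quiet.
REM NOTE(review): the package is taken straight from SYSVOL with no signature
REM or hash check; its integrity rests on that share's ACLs.
msiexec /i "\\domain.local\SYSVOL\software\nxlog-ce-2.9.1716.msi" /quiet
REM Straight double quotes on both arguments (a curly opening quote breaks
REM argument parsing for copy).
copy /z /y "\\domain.local\SYSVOL\software\nxlog.conf" "C:\Program Files (x86)\nxlog\conf"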
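# capture windows events over JSON
# expects to be sent by the NXLOG package
# author: Joff Thyer, 2017
input {
  # Plain TCP listener on 3515; the json codec parses each delivered message
  # as one event.
  # NOTE(review): no host or TLS options are set here, so this presumably
  # binds all interfaces and accepts unauthenticated cleartext from any sender
  # that can reach the port - confirm it is restricted at the host firewall
  # or moved behind TLS.
  tcp {
    port => 3515
    codec => json
  }
}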
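REM Stage the Sysmon config from SYSVOL if it is not on the host yet.
if not exist "C:\windows\sysmon_config.xml" (
copy /z /y "\\lab.local\SYSVOL\lab.local\scripts\sysmon\sysmon_config.xml" "C:\windows\"
)
REM find sets ERRORLEVEL 0 when "RUNNING" appears in the sc output and 1
REM otherwise; output is suppressed so only the exit code matters.
sc query "Sysmon" | Find "RUNNING" >NUL
If "%ERRORLEVEL%" EQU "1" (
goto startsysmon
)
REM NOTE(review): both outcomes of the check end up at :startsysmon, so
REM "net start" also runs when the service is already running (net start then
REM reports an error). If the intent was to skip the start in that case, a
REM jump past the label belongs here.
:startsysmon
net start Sysmon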
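# define ROOT dir
# %ROOT% is the NXLog install directory; every path below is built from it,
# so a non-default install location only needs this one line changed.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# The _syslog extension block is commented out in this fragment; the rest of
# the file (input/output modules) lies beyond this excerpt.
#<Extension _syslog>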
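input {
  # Plain TCP listener on 3515; the json codec parses each delivered message
  # as one event.
  # NOTE(review): no host or TLS options are set here, so this presumably
  # binds all interfaces and accepts unauthenticated cleartext from any sender
  # that can reach the port - confirm it is restricted at the host firewall
  # or moved behind TLS.
  tcp {
    port => 3515
    codec => json
  }
}
# Tag every event from this pipeline so downstream filters/outputs can tell
# forwarded Windows events apart from other sources.
# (fragment: the filter block continues beyond this excerpt)
filter {
  mutate {
    add_tag => "forwardedevtx"
  }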
I hereby claim:
To claim this, I am signing this object: