Skip to content

Instantly share code, notes, and snippets.

@grenade

grenade/bootstrap.ps1

Forked from leonsodhi/nxlog_config_template.conf
Last active January 15, 2020 18:24
Show Gist options
  • Save grenade/3bbb336209a8859af9d1 to your computer and use it in GitHub Desktop.
Save grenade/3bbb336209a8859af9d1 to your computer and use it in GitHub Desktop.
Download ZIP
nxlog eventlog forwarding configuration, broken into GPO friendly chunks
Raw
bootstrap.ps1
Import-Module GroupPolicy
Copy-GPO -SourceDomain releng.ad.mozilla.com -SourceName DC_Security_Logging -TargetDomain releng.ad.mozilla.com -TargetName install_nxlog
New-Item -ItemType Directory -Path \\releng.ad.mozilla.com\SysVol\releng.ad.mozilla.com\files\nxlog
Copy-Item *.conf \\releng.ad.mozilla.com\SysVol\releng.ad.mozilla.com\files\nxlog
Raw
install.ps1
function Write-Log {
param (
[string] $message,
[string] $logPath = [IO.Path]::Combine([IO.Path]::Combine(('{0}\' -f $env:SystemDrive), 'gpo_files'), 'log'),
[string] $logFile = [IO.Path]::Combine($logPath, 'update-nxlog.log'),
[string] $severity = 'INFO'
)
if (!(Test-Path $logPath)){
New-Item -ItemType Directory -Force -Path $logPath
}
Add-Content -Path $logFile ('{0} [{1}] {2}' -f [DateTime]::Now.ToString("yyyy-MM-dd HH:mm:ss"), $severity, $message)
}
function Configuration-Required {
$installDir = Get-InstallDir
$confDir = [IO.Path]::Combine($installDir, 'conf')
$sourceConfigs = Get-SourceConfigFilenames
foreach ($sourceConfig in $sourceConfigs) {
if (($sourceConfig -eq 'nxlog_32.conf') -or ($sourceConfig -eq 'nxlog_64.conf')){
$configFile = [IO.Path]::Combine($confDir, 'nxlog.conf')
} else {
$configFile = [IO.Path]::Combine($confDir, $sourceConfig)
}
if(!(Test-Path $configFile)){
Write-Log ("Missing configuration detected: '{0}'." -f $configFile) -s 'ERROR'
return $true
}
}
if (((Get-Content ([IO.Path]::Combine($confDir, 'nxlog.conf'))) | % { $_ -Match '192.168.1.1' }) -Contains $true) {
Write-Log ("Misconfiguration detected.") -s 'ERROR'
return $true
}
$logFile = [IO.Path]::Combine($installDir, 'data', 'nxlog.log')
if(!(Test-Path $logFile)){
Write-Log ("Missing runtime log detected.") -s 'ERROR'
return $true
}
Write-Log ("Valid configuration assumed.") -s 'INFO'
return $false
}
function Get-Flavour {
if (($env:ComputerName).StartsWith('WDS')) {
return 'wds'
}
return ($env:ComputerName).Split('-')[1].ToLower()
}
function Get-Bitness {
if (${env:ProgramFiles(x86)} -ne $null) {
return '64'
} else {
return '32'
}
}
function Get-InstallDir {
if (${env:ProgramFiles(x86)} -ne $null) {
return [IO.Path]::Combine(${env:ProgramFiles(x86)}, 'nxlog')
} else {
return [IO.Path]::Combine($env:ProgramFiles, 'nxlog')
}
}
function Get-SourceConfigFilenames {
return @(('nxlog_{0}.conf' -f (Get-Bitness)), ('nxlog_{0}_eventlog.conf' -f (Get-Flavour)), 'nxlog_tcpforward.conf')
}
function Configure-Nxlog {
param (
[string] $flavour = (Get-Flavour),
[string] $source = '\\releng.ad.mozilla.com\sysvol\releng.ad.mozilla.com\files\nxlog'#,
)
$confDir = [IO.Path]::Combine((Get-InstallDir), 'conf')
Write-Log ("Removing configuration files from '{0}'." -f $confDir) -s 'WARN'
Remove-Item ([IO.Path]::Combine($confDir, '*.conf')) -Force
$sourceConfigs = (Get-SourceConfigFilenames)
foreach ($sourceConfig in $sourceConfigs) {
$s = [IO.Path]::Combine($source, $sourceConfig)
if (($sourceConfig -eq 'nxlog_32.conf') -or ($sourceConfig -eq 'nxlog_64.conf')){
$t = [IO.Path]::Combine($confDir, 'nxlog.conf')
} else {
$t = [IO.Path]::Combine($confDir, $sourceConfig)
}
Write-Log ("Restoring '{0}' to '{1}'." -f $s, $t) -s 'INFO'
Copy-Item $s $t
}
}
function Install-Nxlog {
param (
[string] $msi = [IO.Path]::Combine([IO.Path]::Combine([IO.Path]::Combine(('{0}\' -f $env:SystemDrive), 'gpo_files'), 'nxlog'), 'nxlog-ce-2.8.1248.msi'),
[string] $logPath = [IO.Path]::Combine([IO.Path]::Combine([IO.Path]::Combine(('{0}\' -f $env:SystemDrive), 'gpo_files'), 'log'), ('install-nxlog-{0}.log' -f [DateTime]::Now.ToString("yyyyMMddHHmmss")))
)
if (Test-Path $msi) {
Write-Log ("Local MSI '{0}' found." -f $msi) -s 'INFO'
if (($env:ComputerName).Split('-')[1].StartsWith('XP')) {
if (${env:ProgramFiles(x86)} -ne $null) {
$installDir = [IO.Path]::Combine(${env:ProgramFiles(x86)}, 'nxlog')
} else {
$installDir = [IO.Path]::Combine($env:ProgramFiles, 'nxlog')
}
if (!(Test-Path $installDir)) {
Write-Log ("Installation folder created '{0}'" -f $installDir) -s 'WARN'
New-Item -ItemType Directory -Force -Path $installDir
}
}
& msiexec.exe /quiet /log $logPath /i $msi
Write-Log ("MSI install log written to '{0}'" -f $logPath) -s 'INFO'
} else {
Write-Log ("Failed to find local msi '{0}'." -f $msi) -s 'ERROR'
}
}
$nxlogService = (Get-Service -Name nxlog -ErrorAction SilentlyContinue)
if (!$nxlogService) {
Write-Log ("Service 'nxlog' not found.") -s 'WARN'
Install-Nxlog
Configure-Nxlog
Write-Log ("Starting service 'nxlog'.") -s 'INFO'
Start-Service -InputObject = (Get-Service -Name nxlog -ErrorAction SilentlyContinue)
} else {
Write-Log ("Service 'nxlog' found. Status: '{0}'" -f $nxlogService.Status) -s 'INFO'
if (Configuration-Required) {
Write-Log ("Stopping service 'nxlog'.") -s 'WARN'
Stop-Service -InputObject $nxlogService
Configure-Nxlog
Write-Log ("Starting service 'nxlog'.") -s 'INFO'
Start-Service -InputObject $nxlogService
}
}
Raw
nxlog.conf
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
include %ROOT%\conf\nxlog_*.conf
Raw
nxlog_2008_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="PreEmptive">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3 or EventID=1074]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
nxlog_dc.conf
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#LogLevel DEBUG
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
<Processor syslog_transform>
Module pm_transformer
Exec $Hostname = hostname_fqdn();
OutputFormat syslog_rfc5424
</Processor>
<Input filtered_eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Active Directory Web Services">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="DFS Replication">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Directory Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="ThinPrint Diagnostics">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
<Input security_eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*[System[EventID!=4624 and EventID!=4634]]</Select>\
</Query>\
</QueryList>
</Input>
<Output scl3_aggregator>
Module om_tcp
Host log-aggregator.srv.releng.scl3.mozilla.com
Port 514
</Output>
<Output mozdef>
Module om_http
URL http://mozdef2.private.scl3.mozilla.com:8080/events/
Exec to_json();
</Output>
<Route filtered_eventlog_scl3_aggregator>
Path filtered_eventlog => syslog_transform => scl3_aggregator
</Route>
<Route security_eventlog_mozdef>
Path security_eventlog => mozdef
</Route>
Raw
nxlog_kms_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3 or EventId=1074]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-IIS-Configuration/Administrative">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="ThinPrint Diagnostics">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
nxlog_tcpforward.conf
<Extension syslog>
Module xm_syslog
</Extension>
<Processor syslog_transform>
Module pm_transformer
Exec $Hostname = hostname_fqdn();
OutputFormat syslog_rfc5424
</Processor>
<Output scl3_aggregator>
Module om_tcp
Host log-aggregator.srv.releng.scl3.mozilla.com
Port 514
</Output>
<Route filtered_eventlog_scl3_aggregator>
Path filtered_eventlog => syslog_transform => scl3_aggregator
</Route>
Raw
nxlog_w732_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Media Center">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-BitLocker-DrivePreparationTool/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-IIS-Configuration/Administrative">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteAssistance/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-WindowsBackup/ActionCenter">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
nxlog_w864_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-All-User-Install-Agent/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-AppHost/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-AppModel-Runtime/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-ATAPort/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-BitLocker-DrivePreparationTool/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DataIntegrityScan/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DataIntegrityScan/CrashRecovery">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DeviceSetupManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-Disk/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-GenericRoaming/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-IIS-Configuration/Administrative">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PowerShell/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintBRM/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PushNotification-Platform/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteAssistance/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="WitnessClientAdmin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-ClassPnP/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-WS-Licensing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-Storport/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-WindowsBackup/ActionCenter">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
nxlog_wds_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3 or EventID=1074]]</Select>\
<Select Path="DFS Replication">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Deployment-Services-Diagnostics/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Remote Lab Exchange Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="ThinPrint Diagnostics">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
nxlog_winadmin_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-All-User-Install-Agent/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-AppHost/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-AppModel-Runtime/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-ATAPort/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DataIntegrityScan/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DataIntegrityScan/CrashRecovery">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DeviceSetupManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-Disk/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-FileServices-ServerManager-EventProvider/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-GenericRoaming/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Management-UI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PowerShell/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PushNotification-Platform/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Rdms-UI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-ServerManager-MultiMachine/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-SMBDirect/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="WitnessClientAdmin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-ClassPnP/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-WS-Licensing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Storage-Storport/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
nxlog_wsus_eventlog.conf
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Security">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="System">*[System[Level=1 or Level=2 or Level=3 or EventId=1074]]</Select>\
<Select Path="HardwareEvents">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Internet Explorer">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Key Management Service">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-DhcpNap/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-IIS-Configuration/Administrative">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-MUI/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[Level=1 or Level=2 or Level=3]]</Select>\
<Select Path="Windows PowerShell">*[System[Level=1 or Level=2 or Level=3]]</Select>\
</Query>\
</QueryList>
</Input>
Raw
start-nxlog.ps1
$searchBase = 'OU=SCL3,OU=2008,OU=windows,OU=machines,DC=releng,DC=ad,DC=mozilla,DC=com'
$nameFilter = 'b-2008-ix-*'
$computers = (Get-ADComputer -SearchBase $searchBase -Filter {Name -like $nameFilter})
foreach ($computer in $computers) {
$nxlogService = (Get-Service -ComputerName $computer.Name -Name nxlog -ErrorAction SilentlyContinue)
if ($nxlogService) {
Write-Host ("{0}: {1}" -f $computer.DNSHostName, $nxlogService.Status) -ForegroundColor Yellow
if($nxlogService.Status -ne 'Running') {
Get-Content ('\\{0}\c$\Program Files (x86)\nxlog\data\nxlog.log' -f $computer.Name)
if (Test-Path ('\\{0}\c$\Program Files (x86)\nxlog\conf\nxlog_new.conf' -f $computer.Name)) {
Write-Host " - removing conf\nxlog_new.conf" -ForegroundColor Red
Remove-Item ('\\{0}\c$\Program Files (x86)\nxlog\conf\nxlog_new.conf' -f $computer.Name)
}
Start-Service -InputObject $nxlogService
Write-Host (" - {0}: {1}" -f $computer.Name, $nxlogService.Status)
}
else {
if($nxlogService.Status -eq 'Running') {
<# check and correct config if required #>
$config = Get-Content ('\\{0}\c$\Program Files (x86)\nxlog\conf\nxlog.conf' -f $computer.Name)
if (($config | % { $_ -Match '192.168.1.1' }) -Contains $true) {
Write-Host " - stopping misconfigured nxlog service" -ForegroundColor Red
Stop-Service -InputObject $nxlogService
if (Test-Path ('\\{0}\c$\Program Files (x86)\nxlog\data\nxlog.log' -f $computer.Name)) {
Write-Host " - removing data\*.log" -ForegroundColor Red
Remove-Item ('\\{0}\c$\Program Files (x86)\nxlog\data\*.log' -f $computer.Name)
}
Write-Host " - removing conf\*.conf" -ForegroundColor Red
Remove-Item ('\\{0}\c$\Program Files (x86)\nxlog\conf\*.conf' -f $computer.Name)
Write-Host " - restoring conf\*.conf" -ForegroundColor Green
Copy-Item '\\releng.ad.mozilla.com\sysvol\releng.ad.mozilla.com\files\nxlog\nxlog_64.conf' ('\\{0}\c$\Program Files (x86)\nxlog\conf' -f $computer.Name)
Copy-Item '\\releng.ad.mozilla.com\sysvol\releng.ad.mozilla.com\files\nxlog\nxlog_2008_eventlog.conf' ('\\{0}\c$\Program Files (x86)\nxlog\conf' -f $computer.Name)
Copy-Item '\\releng.ad.mozilla.com\sysvol\releng.ad.mozilla.com\files\nxlog\nxlog_tcpforward.conf' ('\\{0}\c$\Program Files (x86)\nxlog\conf' -f $computer.Name)
Rename-Item ('\\{0}\c$\Program Files (x86)\nxlog\conf\nxlog_64.conf' -f $computer.Name) ('\\{0}\c$\Program Files (x86)\nxlog\conf\nxlog.conf' -f $computer.Name)
Start-Service -InputObject $nxlogService
if (($nxlogService.Status -eq 'Running') -and (Test-Path ('\\{0}\c$\Program Files (x86)\nxlog\data\nxlog.log' -f $computer.Name))) {
Get-Content ('\\{0}\c$\Program Files (x86)\nxlog\data\nxlog.log' -f $computer.Name)
} else {
Write-Host ("{0}: {1}" -f $computer.DNSHostName, (Get-Service -ComputerName $computer.Name -Name nxlog -ErrorAction SilentlyContinue).Status) -ForegroundColor DarkYellow
}
}
}
}
} else {
Write-Host ("{0}: {1}" -f $computer.DNSHostName, 'Not installed') -ForegroundColor Magenta
}
}
Raw
stop-nxlog.ps1
$searchBase = 'OU=SCL3,OU=2008,OU=windows,OU=machines,DC=releng,DC=ad,DC=mozilla,DC=com'
$nameFilter = 'b-2008-ix-*'
$computers = (Get-ADComputer -SearchBase $searchBase -Filter {Name -like $nameFilter})
foreach ($computer in $computers) {
$nxlogService = (Get-Service -ComputerName $computer.Name -Name nxlog -ErrorAction SilentlyContinue)
if ($nxlogService) {
("{0}: {1}" -f $computer.DNSHostName, $nxlogService.Status)
if($nxlogService.Status -eq 'Running'){
" - Stopping"
Stop-Service -InputObject $nxlogService
}
} else {
("{0}: {1}" -f $computer.DNSHostName, 'Not installed')
}
}
@grenade
Copy link
Author

grenade commented May 11, 2015

See http://get-xablog.fr/?p=678&lang=en for info on creating filters.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment