Skip to content

Instantly share code, notes, and snippets.

@mrlesmithjr
Last active November 7, 2019 16:59
Show Gist options
  • Save mrlesmithjr/cf212836b9ce162373ed to your computer and use it in GitHub Desktop.
Save mrlesmithjr/cf212836b9ce162373ed to your computer and use it in GitHub Desktop.
Windows nxlog.conf for Logstash
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Enable json extension
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Processor buffer1>
Module pm_buffer
MaxSize 1024
Type Mem
WarnLimit 512
</Processor>
<Processor buffer2>
Module pm_buffer
MaxSize 1024
Type Mem
WarnLimit 512
</Processor>
# Nxlog internal logs
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Select the input folder where logs will be scanned
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
# Uncomment Extension w3c for IIS logging
#<Extension w3c>
# Module xm_csv
# Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referrer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
# FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
# Delimiter ' '
#</Extension>
# Convert the IIS logs to JSON and use the original event time
# Uncomment IIS_IN section if logging for IIS logging
#<Input IIS_IN>
# Module im_file
# File "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*"
# SavePos TRUE
# Exec if $raw_event =~ /^#/ drop(); \
# else \
# { \
# w3c->parse_csv(); \
# $EventTime = parsedate($date + " " + $time); \
# $SourceName = "IIS"; \
# $Message = to_json(); \
# }
#</Input>
# Uncomment vCenter_vpxd section for Windows vCenter logging
#<Input vCenter_vpxd>
# Module im_file
# File "C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-*.log"
# Exec $Message = $raw_event;
# SavePos TRUE
# Recursive TRUE
#</Input>
# Uncomment vCenter_vpxd_alert section for Windows vCenter logging
#<Input vCenter_vpxd_alert>
# Module im_file
# File "C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-alert-*.log"
# Exec $Message = $raw_event;
# SavePos TRUE
# Recursive TRUE
#</Input>
<Processor t>
Module pm_transformer
OutputFormat syslog_rfc3164
</Processor>
# Change Host below to match your naming
<Output out>
Module om_tcp
Host logstash
Port 3515
</Output>
# Change Host below to match your naming
# Uncomment IIS_Out section if using IIS logging
#<Output IIS_Out>
# Module om_tcp
# Host logstash
# Port 3525
#</Output>
# Change Host below to match your naming
# Uncomment vCenter_out section for vCenter logging
#<Output vCenter_out>
# Module om_tcp
# Host logstash
# Port 1515
#</Output>
# Output routing
<Route 1>
Path internal, eventlog => buffer1 => out
</Route>
# Uncomment Route 2 if using IIS logging
#<Route 2>
# Path IIS_In => IIS_Out
#</Route>
# Uncomment Route 3 for vCenter logging
#<Route 3>
# Path vCenter_vpxd, vCenter_vpxd_alert => t => vCenter_out
#</Route>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment