Last active
February 1, 2018 23:26
-
-
Save neu5ron/681f467bafc9c29eacd89867c7c7298c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define ROOT C:\Program Files\nxlog | |
| define ROOT C:\Program Files (x86)\nxlog | |
| Moduledir %ROOT%\modules | |
| CacheDir %ROOT%\data | |
| Pidfile %ROOT%\data\nxlog.pid | |
| SpoolDir %ROOT%\data | |
| LogFile %ROOT%\data\nxlog.log | |
| <Extension _json> | |
| Module xm_json | |
| </Extension> | |
| <Extension fileop> | |
| Module xm_fileop | |
| </Extension> | |
| <Input in> | |
| Module im_msvistalog | |
| Query <QueryList> \ | |
| <Query Id="0"> \ | |
| <Select Path="Security">*</Select> \ | |
| <Select Path="System">*</Select> \ | |
| <Select Path="Application">*</Select> \ | |
| <Select Path="Microsoft-Windows-Application-Experience/Problem-Steps-Recorder">*</Select> \ | |
| <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> \ | |
| <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select> \ | |
| <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select> \ | |
| <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select> \ | |
| <Select Path="Microsoft-Windows-Applocker/EXE and DLL">*</Select> \ | |
| <Select Path="Microsoft-Windows-Applocker/MSI and Script">*</Select> \ | |
| <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-Power/Thermal-Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-StoreMgr/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-WDI/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-WHEA/Errors">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-WHEA/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Kernel-StoreMgr/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select> \ | |
| <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*</Select> \ | |
| <Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-UAC/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-UAC-FileVirtualization/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select> \ | |
| <Select Path="Microsoft-Windows-WER-Diag/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> \ | |
| <Select Path="Microsoft-Windows-Windows-WinRM/Operational">*</Select> \ | |
| <Select Path="Microsoft-Windows-WMI-Activity/Operational">*</Select> \ | |
| <Select Path="Windows PowerShell">*</Select> \ | |
| </Query> \ | |
| </QueryList> | |
| </Input> | |
| <Output out> | |
| Module om_udp | |
| Host $LogstashHost #TODO:Change | |
| Port $LogstashPort #TODO:Change | |
| Exec $submission_id = file_read($WindowsFileContaingAnalysisID);#TODO:Change | |
| Exec to_json(); $message = $raw_event; | |
| </Output> | |
| <Route 1> | |
| Path in => out | |
| </Route> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment