@tuklusan
Last active May 19, 2021 16:27
Send Windows System and Event Logs to a Remote Unix-Style Linux Syslog / Rsyslog Server over a Secure Tunnel: See http://supratim-sanyal.blogspot.com/2017/05/forward-windows-10-system-and-event.html
# ---
# Forward Windows 10 System and Event Logs Securely over stunnel to Remote Centralized Unix Syslog Rsyslog Server on Linux
# More information: http://supratim-sanyal.blogspot.com/2017/05/forward-windows-10-system-and-event.html
#
# This file resides in C:\Program Files (x86)\nxlog\conf\ on 64-bit Windows systems, and
# C:\Program Files\nxlog\conf\ on 32-bit Windows systems.
# ---

## Please set the ROOT to your nxlog installation directory
# 32-bit Windows: uncomment the following line
#define ROOT C:\Program Files\nxlog
# 64-bit Windows: uncomment the following line
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Monitor application log files
<Input watchfile>
    Module im_file
    # Put the location of the Windows temporary file directory in the following line
    # I typically delete user-level TMP and TEMP environment variables and change system-level
    # TEMP and TMP to point to the folder C:\TEMP\WINTEMP after creating that folder (I do not
    # like temporary files created in the Operating System directory tree)
    File 'C:\\TEMP\\WINTEMP\\*.log'
    Exec $Message = $raw_event;
    Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;
    SavePos TRUE
    Recursive TRUE
</Input>

# Monitor a single application log file
#<Input watchfile2>
#    Module im_file
#    # File 'C:\\path\\to\\a\\single\\file.log'
#    Exec $Message = $raw_event;
#    Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;
#    SavePos TRUE
#    Recursive TRUE
#</Input>

# Monitor Windows event logs
<Input eventlog>
    # Uncomment for Windows Vista/2008 or later
    Module im_msvistalog
    # Uncomment for Windows 2000 or later
    # Module im_mseventlog
</Input>

<Processor eventlog_transformer>
    Module pm_transformer
    Exec $Hostname = hostname();
    OutputFormat syslog_rfc5424
</Processor>

<Processor filewatcher_transformer>
    Module pm_transformer
    # Uncomment to override the program name
    # Exec $SourceName = 'PROGRAM NAME';
    Exec $Hostname = hostname();
    OutputFormat syslog_rfc5424
</Processor>

<Output syslogout>
    #Module om_udp
    Module om_tcp
    # +++
    # Local stunnel server which forwards logs to remote vps over secure tunnel
    # See http://supratim-sanyal.blogspot.com/2016/10/secure-remote-logging-to-central-log.html
    #
    # Matches stunnel for windows configuration at C:\Program Files (x86)\stunnel\config
    # stunnel for windows is available from https://www.stunnel.org/config_windows.html
    # ---
    Host 127.0.0.1
    Port 65514
</Output>

<Route 1>
    Path eventlog => eventlog_transformer => syslogout
</Route>

<Route 2>
    Path watchfile => filewatcher_transformer => syslogout
</Route>

# Replace route 2 with this implementation if watchfile2 is active
#<Route 2>
#    Path watchfile, watchfile2 => filewatcher_transformer => syslogout
#</Route>
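The Output block above only hands plaintext syslog to a local stunnel listener on 127.0.0.1:65514; the stunnel side is referenced but not shown on this page. The following is an added example of a matching stunnel client configuration for the Windows host, not the gist author's file: it forwards that local port over TLS and, unlike stunnel's default (no peer verification), checks the server certificate chain and host name. The remote name logs.example.invalid, port 6514 and the certificate paths are placeholders.

```ini
; Added example (not from the gist): stunnel client config for the Windows side.
; Accepts plaintext syslog from nxlog on 127.0.0.1:65514 and forwards it over TLS
; to the remote stunnel server in front of rsyslog.
; Placeholders: logs.example.invalid, port 6514, and the .pem/.key paths below.

; Global options
output = C:\Program Files (x86)\stunnel\stunnel.log

[syslog-tls]
client      = yes
accept      = 127.0.0.1:65514
connect     = logs.example.invalid:6514

; Without CAfile + verifyChain stunnel encrypts but does not authenticate the
; server, so anyone able to intercept the connection could present any
; certificate and read the forwarded event logs. checkHost pins the expected name.
CAfile      = C:\Program Files (x86)\stunnel\config\ca-cert.pem
verifyChain = yes
checkHost   = logs.example.invalid

; Optional client certificate, so the server can verify which hosts may submit
; logs (the server-side section then needs CAfile with verifyChain or verifyPeer).
cert        = C:\Program Files (x86)\stunnel\config\win10-client.pem
key         = C:\Program Files (x86)\stunnel\config\win10-client.key
```

On the Linux side the matching stunnel server section accepts on the TLS port and connects to the local rsyslog TCP listener; the nxlog Host/Port values above stay unchanged because nxlog only ever talks to the local listener.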