Hi,

Why don't you create inputs and outputs per channel? For me this is logical 
as you can only select one channel per input.
One for Security, one for Application, one for System and so on...
We even have a different one for Network Policy Servers.

In the collector configuration you can have several input/output pairs for 
the same collector config and each can have its own config.
We have 6 inputs and 6 outputs in the collector for Domain controllers.
Security/Application/System - twice, as they are sending the logs to 2 
different Graylog Clusters (2 different outputs, 1 for the production cluster, 
1 for development).

Example Input config: AD query for security events.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]</Select>
  </Query>
</QueryList>

Example Output Verbatim Config to tag and drop messages:
# this configuration deletes the computer account logins (where TargetUserName ends with $)
Exec if ($EventID == 4624 or $EventID == 4634 or $EventID == 4678) and ($EventType == "AUDIT_SUCCESS") \
     { \
         if $TargetUserName =~ /.\$/ { \
             $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress + "\n"; \
             file_write("C:\\Program Files (x86)\\nxlog\\data\\security_drop.log", $raw_event); \
             drop(); \
         } \
     }
Exec $tag = 'PCI-DSS';
Exec if $EventID == 1102 {$action = 'Log Clear';}
Exec if $EventID == 4608 {$action = 'Windows Start';}
Exec if $EventID == 4609 {$action = 'Windows Shutdown';}
Exec if $EventID == 4610 {$action = 'An authentication package was loaded by the Local Security Authority.';}
Exec if $EventID == 4611 {$action = 'A trusted logon process has registered with the Local Security Authority.';}
Exec if $EventID == 4612 {$action = 'Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.';}
Exec if $EventID == 4614 {$action = 'A notification package was loaded by the Security Accounts Manager';}
Exec if $EventID == 4616 {$action = 'Server time out of synchronization with Domain Controller';}
Exec if $EventID == 4624 {$action = 'Successful Logon (on DC)';}
Exec if $EventID == 4625 {$action = 'Failed Logon attempts – All users';}
Exec if $EventID == 4634 {$action = 'logoff';}
Exec if $EventID == 4647 {$action = 'logoff initiated';}
and another 90 lines to go....

Adding configurations to outputs is pretty simple since the Verbatim 
configuration is possible. Just be careful to have a line feed at the end 
(empty line), otherwise Graylog writes the </Output> at the end of the 
last line and nxlog does not load that output.

You can make Snippets with special configuration too.
We use it to set special paths and add logfile rotation to the files left 
on the Nxlog endpoints:
{{if .Windows}}
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension fileop>
    Module      xm_fileop
</Extension>

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
        Exec    file_cycle('%ROOT%\data\security_drop.log', 7);
    </Schedule>
</Extension>
<Route route-13>
  Path 57c587964158fb082fa0a4a8 => 58872007e8ad88038eb4ec3b
</Route>
<Route route-14>
  Path 57c587d44158fb082fa0a4ea => 58872063e8ad88038eb4ec9d
</Route>
{{end}}


I presume these samples will give you some ideas on how you can set up your 
system.
More info in this 
post: https://groups.google.com/forum/#!msg/graylog2/ppPiVCA1hMg/-JPyvjo_AgAJ

Peter Dudas
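The drop-and-tag logic of the output config above, reimplemented as an added Python example (this is not code from the original post and not NXLog's own code) so the filter can be checked against sample events before it is pushed to endpoints. The events are constructed, the action table is a subset of the one posted, and the computer-account check is anchored to the end of the user name (the posted pattern /.\$/ has no end anchor). The channel drop mirrors the "$Channel == ... drop()" idea from the question.

```python
import re

# Constructed sample events (not real logs). Keys mirror the NXLog
# im_msvistalog fields used in the posted Exec block ($EventID, $EventType, ...).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "EventType": "AUDIT_SUCCESS",
     "EventTime": "2017-02-07 16:16:48", "LogonType": 3, "TargetDomainName": "EXAMPLE",
     "TargetUserName": "DC01$", "IPAddress": "10.0.0.5"},
    {"Channel": "Security", "EventID": 4624, "EventType": "AUDIT_SUCCESS",
     "EventTime": "2017-02-07 16:17:02", "LogonType": 2, "TargetDomainName": "EXAMPLE",
     "TargetUserName": "alice", "IPAddress": "10.0.0.7"},
    # A failed logon by a computer account is kept: the filter requires AUDIT_SUCCESS
    # and only covers the logon/logoff IDs listed in the posted condition.
    {"Channel": "Security", "EventID": 4625, "EventType": "AUDIT_FAILURE",
     "EventTime": "2017-02-07 16:17:30", "LogonType": 3, "TargetDomainName": "EXAMPLE",
     "TargetUserName": "WS42$", "IPAddress": "10.0.0.9"},
    # Audit log cleared: no TargetUserName at all, the filter must not crash on it.
    {"Channel": "Security", "EventID": 1102, "EventType": "AUDIT_SUCCESS",
     "EventTime": "2017-02-07 16:18:00"},
    # Dropped on channel alone (hypothetical noisy channel).
    {"Channel": "Microsoft-Windows-WMI-Activity/Operational", "EventID": 5858,
     "EventType": "ERROR", "EventTime": "2017-02-07 16:18:10"},
]

# Subset of the EventID -> action table from the posted config.
ACTIONS = {
    1102: "Log Clear",
    4608: "Windows Start",
    4609: "Windows Shutdown",
    4624: "Successful Logon (on DC)",
    4625: "Failed Logon attempts - All users",
    4634: "logoff",
    4647: "logoff initiated",
}

DROP_CHANNELS = {"Microsoft-Windows-WMI-Activity/Operational"}  # assumption, not from the post
LOGON_EVENT_IDS = {4624, 4634, 4678}  # same IDs as the posted Exec condition
# Posted pattern is /.\$/ (any char followed by '$', unanchored). Anchoring to the
# end of the string keeps names like "SVC$ACCT" from being treated as computer accounts.
COMPUTER_ACCOUNT = re.compile(r".\$$")


def drop_log_line(ev):
    """Same layout as the $raw_event the config writes to security_drop.log."""
    return ("Time:{EventTime}, EventID:{EventID}, LogonType:{LogonType}, "
            "User:{TargetDomainName}\\{TargetUserName}, IPAddr:{IPAddress}").format(**ev)


def is_computer_account_logon(ev):
    """True for the successful logon/logoff events of accounts ending in '$'."""
    return (ev["EventID"] in LOGON_EVENT_IDS
            and ev.get("EventType") == "AUDIT_SUCCESS"
            and COMPUTER_ACCOUNT.search(ev.get("TargetUserName", "")) is not None)


def process(events):
    """Return (events to forward to Graylog, lines for the local drop log)."""
    forwarded, drop_log = [], []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's records
        if ev["Channel"] in DROP_CHANNELS:
            continue
        if is_computer_account_logon(ev):
            drop_log.append(drop_log_line(ev))
            continue
        ev["tag"] = "PCI-DSS"
        if ev["EventID"] in ACTIONS:
            ev["action"] = ACTIONS[ev["EventID"]]
        forwarded.append(ev)
    return forwarded, drop_log


def write_drop_log(lines, path):
    """Append the dropped-event lines to a local file, like file_write() does."""
    with open(path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")


if __name__ == "__main__":
    kept, dropped = process(SAMPLE_EVENTS)
    for ev in kept:
        print("forward:", ev["EventID"], ev.get("action", ""), ev["tag"])
    for line in dropped:
        print("dropped:", line)
```

Keeping the dropped lines in a local file, as the config does, gives you a way to confirm that only machine-account noise was suppressed; run the script over exported events from a DC before enabling drop() in the real output.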
On Tuesday, 7 February 2017 16:16:48 UTC+1, Ľubo wrote:
>
> Hi all,
> I have questions about queries for nxlog collectors with sidecar for Windows.
>
> In Configure NXLog inputs there are Channel and Query fields.
>
>
> Could you give more specific examples for querylist?
>
> <QueryList>
>   <Query Id="0">
>     <Select Path="Security">*</Select>
>     <Select Path="System">*[System/Level=4]</Select>
>     <Select Path="Application">*[Application/Level=2]</Select>
>     <Select Path="Setup">*[System/Level=3]</Select>
>     <Select Path="Windows PowerShell">*</Select>
>     <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
>   </Query>
> </QueryList>
>
>
> We need logs from all channels, but we do not need logs for example Level=3, 
> or we do not need logs from a specific source. Do you have some experience 
> and could you share these querylists?
>
>
> Below there is "define nxlog snippets", too.
>
>
> I would like to see some more specific use cases of nxlog snippets.
>
> Is it possible to use
>
> "Exec if ($Channel == "Microsoft-Windows-WMI-Activity/Operational") drop();
> Exec if ($Channel == "Security") drop();"
>
>
> Thanks for your help.
>
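The question above asks how to collect a channel but leave out, say, Level=3 or one provider. As an added example (not code from either post, not from NXLog), here is a small Python checker for a per-channel QueryList that uses the standard Windows event XPath `<Suppress>` element for exclusions, and evaluates it against constructed events so the effect of each Select/Suppress pair can be verified. The evaluator understands only the subset of XPath used in such queries (the bare `*`, `Level=`, `EventID=`, `Provider[@Name='...']`), treating repeated values for one field as alternatives and different fields as conjunctions; the query and the events are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed QueryList (not from the original posts): one <Query> per channel,
# <Select> for what to collect, <Suppress> for what to exclude from that selection.
QUERY_XML = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">*[System[(Level=3)]]</Suppress>
  </Query>
  <Query Id="2" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    <Suppress Path="Application">*[System[Provider[@Name='NoisyApp']]]</Suppress>
  </Query>
</QueryList>"""

# Constructed sample events (provider names and IDs are illustrative).
SAMPLE_EVENTS = [
    {"Channel": "Security", "Level": 0, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624},
    {"Channel": "System", "Level": 4, "Provider": "Service Control Manager", "EventID": 7036},
    {"Channel": "System", "Level": 3, "Provider": "Microsoft-Windows-DNS-Client", "EventID": 1014},
    {"Channel": "Application", "Level": 2, "Provider": "NoisyApp", "EventID": 1000},
    {"Channel": "Application", "Level": 2, "Provider": "Application Error", "EventID": 1000},
    {"Channel": "Application", "Level": 4, "Provider": "Application Error", "EventID": 1001},
]

LEVEL_RE = re.compile(r"Level=(\d+)")
EVENTID_RE = re.compile(r"EventID=(\d+)")
PROVIDER_RE = re.compile(r"Provider\[@Name='([^']+)'\]")


def parse_clause(elem):
    """Reduce one <Select>/<Suppress> to the field sets this evaluator understands."""
    xpath = (elem.text or "").strip()
    return {
        "path": elem.get("Path"),
        "levels": {int(x) for x in LEVEL_RE.findall(xpath)},
        "event_ids": {int(x) for x in EVENTID_RE.findall(xpath)},
        "providers": set(PROVIDER_RE.findall(xpath)),
    }


def clause_matches(clause, ev):
    """An empty set means 'no condition on that field' (the bare '*' query)."""
    if clause["path"] != ev["Channel"]:
        return False
    if clause["levels"] and ev["Level"] not in clause["levels"]:
        return False
    if clause["event_ids"] and ev["EventID"] not in clause["event_ids"]:
        return False
    if clause["providers"] and ev["Provider"] not in clause["providers"]:
        return False
    return True


def parse_query_list(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "QueryList":
        raise ValueError("root element must be <QueryList>")
    return [
        {
            "id": q.get("Id"),
            "selects": [parse_clause(s) for s in q.findall("Select")],
            "suppresses": [parse_clause(s) for s in q.findall("Suppress")],
        }
        for q in root.findall("Query")
    ]


def is_collected(queries, ev):
    """Collected if some <Select> matches and no <Suppress> of the same <Query> does."""
    for q in queries:
        if (any(clause_matches(s, ev) for s in q["selects"])
                and not any(clause_matches(s, ev) for s in q["suppresses"])):
            return True
    return False


def filter_events(xml_text, events):
    queries = parse_query_list(xml_text)
    return [ev for ev in events if is_collected(queries, ev)]


if __name__ == "__main__":
    for ev in filter_events(QUERY_XML, SAMPLE_EVENTS):
        print("collected:", ev["Channel"], ev["EventID"], ev["Provider"])
```

With the constructed input the System Level=3 event and the NoisyApp event are suppressed, and the Application Level=4 event never matches the Select; the same XML can be pasted into the sidecar input's query field once it does what you expect.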
