NXlog configuration
NXlog documentation:
http://nxlog.org/docs/nxlog-ce/nxlog-reference-manual.html
https://nxlog.org/documentation/nxlog-community-edition-reference-manual-v20928
Install NXlog on the Windows server, then configure it to forward the server's Windows event log to a Linux syslog server (192.168.200.29:514).
<Extension _syslog>
    Module xm_syslog
</Extension>

# Input: collect the event log; by default every event log channel is collected
<Input in>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
</Input>

# Output: send over TCP to the remote syslog server
<Output out>
    Module om_tcp
    # Remote syslog server IP and port
    Host 192.168.200.29
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    # Map the source input to the output
    Path in => out
</Route>
Once this is configured, nxlog may report the following error: ERROR Couldn't read next event, corrupted eventlog?; The data is invalid.
The cause is that Windows 8.1 has too many event log channels. Restrict collection to the channels you actually need, as follows:
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    ReadFromLast FALSE
    SavePos FALSE
    # Send only the Security log
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_tcp
    Host 192.168.200.29
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>
Configuration for collecting several event log channels at once:
<Input in>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    ReadFromLast FALSE
    SavePos FALSE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>
The logs collected on Linux look like this:
Each Windows event log record corresponds to one log message.

If a directory on Linux contains too many files for a single rm to handle, delete them in batches as follows: ls | xargs -n 10 rm -fr
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Output format is JSON
<Extension _syslog>
    Module xm_json
</Extension>

# First input: collect the Security log
<Input in>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    ReadFromLast FALSE
    SavePos FALSE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

# Second input, named systemin: collect the System log
<Input systemin>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    ReadFromLast FALSE
    SavePos FALSE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="System">*</Select>\
        </Query>\
    </QueryList>
</Input>

# First output, fed by input in: write to seclog.json
<Output out>
    Module om_file
    File 'E:\logtest\seclog.json'
    Exec to_json();
</Output>

# Second output, fed by input systemin
<Output systemout>
    Module om_file
    File 'E:\logtest\syslog.json'
    Exec to_json();
</Output>

# Map input in to output out
<Route 1>
    Path in => out
</Route>

# Map input systemin to output systemout
<Route 2>
    Path systemin => systemout
</Route>
Result:

Sending both inputs to the same output:
<Route 1>
    Path in, systemin => out
</Route>
Rotating the output file by time (untested):
define DIR C:\\logdir
<Output out>
    Module om_file
    File "%DIR%\\test.log"
    <Schedule>
        Every 1 sec
        Exec out->rotate_to("%DIR%\\test."+ strftime(now(), "%Y%m%d%H%M%S"));
    </Schedule>
</Output>
Rotating the output file by size:
<Extension _syslog>
    Module xm_json
</Extension>

<Input secin>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    ReadFromLast FALSE
    SavePos FALSE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Input systemin>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    ReadFromLast FALSE
    SavePos FALSE
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="System">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output secout>
    Module om_file
    CreateDir TRUE
    sync FALSE
    File "e:\logtest\sec_" + $Hostname + "_" + month(now()) + ".json"
    Exec if secout->file_size() > 20M \
         { \
             $newfile = "e:\logtest\sec_" + $Hostname + "_" + strftime(now(), "%Y%m%d%H%M%S") + ".json"; \
             secout->rotate_to($newfile); \
         };
    Exec to_json();
</Output>

<Output systemout>
    Module om_file
    File 'E:\logtest\syslog.json'
    Exec to_json();
</Output>

<Route 1>
    Path secin => secout
</Route>

<Route 2>
    Path systemin => systemout
</Route>
The output can also be written as follows, with the same effect:
<Output secout>
    Module om_file
    CreateDir TRUE
    sync FALSE
    # This is the file currently being written
    File "e:\logtest\sec_" + $Hostname + "_" + month(now()) + ".json"
    <Exec>
        if secout->file_size() > 20M
        {
            $newfile = "e:\logtest\sec_" + $Hostname + "_" + strftime(now(), "%Y%m%d%H%M%S") + ".json";
            secout->rotate_to($newfile);
        }
    </Exec>
    Exec to_json();
</Output>
The output looks like this:

Collecting IIS logs:
IIS logs kept in their original format
# One Input per site
<Input IIS01>
    Module im_file
    File "d:\\iislog\\W3SVC2\\u_ex*.log"
    SavePos TRUE
</Input>

<Output IIS01>
    # same as the other outputs
</Output>
IIS logs converted to JSON
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input iis01in>
    Module im_file
    File 'E:\IISLog\W3SVC1\u_ex*'
    SavePos TRUE
    # Drop the W3C header/comment lines, parse everything else into fields and re-emit as JSON
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time); \
             $SourceName = "IIS"; \
             $raw_event = to_json(); \
         }
</Input>

<Output iis01out>
    Module om_file
    CreateDir TRUE
    sync FALSE
    Exec $Hostname = 'server01';
    File "e:\logtest\iis_" + $Hostname + "_" + month(now()) + ".json"
    <Exec>
        if iis01out->file_size() > 200M
        {
            $newfile = "e:\logtest\iis_" + $Hostname + "_" + strftime(now(), "%Y%m%d%H%M%S") + ".json";
            iis01out->rotate_to($newfile);
        }
    </Exec>
    # $raw_event is already JSON from the input's Exec, so no to_json() here
    # Exec to_json();
</Output>

<Route iis01>
    Path iis01in => iis01out
</Route>
Using the Query directive
The im_msvistalog module has a Query directive that takes an XML query, which is passed to the Windows EventLog API so that only the selected events are read. The Windows Event Viewer can help construct such XML queries. The following example collects only process creation event records from the Sysmon source.
    Query <QueryList> \
        <Query Id="0">\
            <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID='1')]]</Select>\
        </Query>\
    </QueryList>
Event records filtered out by the Query directive never reach NXLog, so this can be slightly more efficient than the native NXLog filtering method described next.
Filtering with NXLog's log processing language
The NXLog log processing language is available to all modules and may be easier to write than the XML query syntax of the Windows EventLog API that im_msvistalog exposes. The following NXLog-style filter statement achieves the same result as the XML query above (the channel name must match the Path used in the query).
    Exec if not ($Channel == 'Microsoft-Windows-Sysmon/Operational' and $EventID == 1) drop();
The following filtering rule removes event records that are HTTP network connections to a specific server:
    Exec if $SourceName == 'Microsoft-Windows-Sysmon' and $DestinationPort == 80 and $DestinationIp == 10.0.0.1 drop();
nxlog-ce-2.9.1504 produces the error below when parsing IIS logs; switching to version "nxlog-ce-2.9.1347" resolves it.
Error: ERROR if-else failed at line 61, character 312 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 61, character 98 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 15, got 11 in input 'Exchange.asmx &CorrelationID=<empty>;&cafeReqId=bdbb53c3-5227-4601-8dbe-a5a7fb72c7b9; 80 xx\tuliqi 106.3.4.150 AppleExchangeWebServices/806.1+ExchangeSync/121 - 200 0 0 9'
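As an added illustration, not code from this page or from NXLog, the following Python reproduces what the w3c extension and the input's Exec block above do to IIS W3C lines, and shows how the "expected 15, got 11" field-count mismatch in the error just quoted arises when a line reaches the parser as a fragment. The sample log lines and the names parse_w3c and to_json_lines are constructed for this example; it reads the column layout from the IIS #Fields header instead of a fixed Fields list.

```python
import json

# Constructed IIS W3C sample (not taken from the page): a header block, one
# complete 15-field record, and one fragment that starts mid-record, which is
# the "expected 15, got 11" condition behind the page's parse_csv error.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-03-31 22:09:42 10.0.0.5 POST /ews/Exchange.asmx &CorrelationID=<empty>; 443 DOMAIN\\user1 192.0.2.10 AppleExchangeWebServices/806.1+ExchangeSync/121 - 200 0 0 15
Exchange.asmx - 443 - 192.0.2.11 Mozilla/5.0 - 200 0 0 9
"""

# The same columns the page's FieldTypes directive declares as integer
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c(text):
    """Return (records, rejected). Like the page's Exec block: '#' lines are
    dropped, other lines are split on the space delimiter, and a line whose
    field count differs from the #Fields header is reported and skipped."""
    fields, records, rejected = None, [], []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):      # learn the column layout from IIS itself
                fields = line.split()[1:]
            continue
        if not line.strip() or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):           # the case parse_csv() raises as an error
            rejected.append({"expected": len(fields), "got": len(values), "line": line})
            continue
        rec = {}
        for name, val in zip(fields, values):
            if val == "-":                       # UndefValue '-' in the xm_csv block
                rec[name] = None
            else:
                rec[name] = int(val) if name in INT_FIELDS else val
        rec["EventTime"] = rec["date"] + " " + rec["time"]   # parsedate($date + " " + $time)
        rec["SourceName"] = "IIS"
        records.append(rec)
    return records, rejected


def to_json_lines(records):
    """One JSON document per record, the shape to_json() writes to the .json file."""
    return [json.dumps(r, separators=(",", ":")) for r in records]
```

Running parse_w3c(SAMPLE_LOG) yields one parsed record and one rejected fragment reporting expected 15, got 11, which is the same count the quoted NXLog error shows.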