
NXLog configuration for SCCM Logging


# Install root referenced by every %ROOT% path below; change it here only.
Define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
# CacheDir is where nxlog keeps persistent state such as the SavePos
# read offsets of the im_file inputs; SpoolDir/LogFile share the same folder.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# GELF encoder; required for the "OutputType GELF" used by both outputs.
<Extension gelf>
    Module xm_gelf
</Extension>

# Uncomment xm_fileop only while debugging (e.g. for an om_file output or
# file_write() calls); none of the outputs below currently use it.
# <Extension fileop>
# Module xm_fileop
# </Extension>
 
# Provides to_json(), used by the SCEP input (to build $Message) and by
# the out_e output.
<Extension json>
    Module xm_json
</Extension>
 
# Loaded but not referenced: no parse_syslog()/to_syslog() call appears in
# this file. Harmless, can be removed if syslog formatting is never needed.
<Extension syslog>
    Module xm_syslog
</Extension>

# Column layout of the SCEP detection CSV consumed by the SCEP input.
# Fields and FieldTypes must stay the same length and in file column order.
# The odd casing of $ObserverProductversion presumably mirrors the CSV
# header produced by the exporting script - do not "fix" it here alone.
<Extension SCEP_CSV>
    Module xm_csv
    Fields $Type,$RowID,$Name,$Description,$Timestamp,$SchemaVersion,$ObserverHost,$ObserverUser,$ObserverProductName,$ObserverProductversion,$ObserverProtectionType,$ObserverProtectionVersion,$ObserverProtectionSignatureVersion,$ObserverDetection,$ObserverDetectionTime,$ActorHost,$ActorUser,$ActorProcess,$ActorResource,$ActionType,$TargetHost,$TargetUser,$TargetProcess,$TargetResource,$ClassificationID,$ClassificationType,$ClassificationSeverity,$ClassificationCategory,$RemediationType,$RemediationResult,$RemediationErrorCode,$RemediationPendingAction,$IsActiveMalware
    FieldTypes string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
    Delimiter       ','
    QuoteChar       '"'
    EscapeControl   FALSE
    # Empty/missing columns become "-" rather than undef
    UndefValue      -
</Extension>

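# Parser for SCCM .log lines (presumably the CMTrace format, given the
# '>' delimiter and the Component/Date/Thread columns).
# NOTE(review): this extension is defined but no Input calls
# SCCM_CSV->parse_csv(); the SCCM input below ships lines unparsed.
<Extension SCCM_CSV>
    Module xm_csv
    Fields $Message,$Component,$Date,$Thread
    FieldTypes string,string,string,string
    Delimiter       '>'
    # A literal single quote cannot be escaped inside a single-quoted nxlog
    # string, so it is written in double quotes (the original ''' relied on
    # undocumented parser behaviour).
    QuoteChar       "'"
    EscapeControl   FALSE
    UndefValue      -
</Extension>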

# Windows Application log entries written by the SCCM ("SMS") providers.
# The XPath selects every level and every event ID from those four
# providers; narrow it with EventID/Level predicates if volume is an issue.
<Input EVENTLOG>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    # NOTE(review): im_mseventlog does not accept this XML Query form; the
    # provider filter would have to be re-expressed for that module.

    # Trailing backslashes continue the Query onto the next line; nothing
    # may follow them on the line.
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[Provider[@Name='SMS Client' or @Name='SMS Performance Data Provider' or @Name='SMS Provider' or @Name='SMS Server']]]</Select>\
        </Query>\
    </QueryList>
</Input>
 
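# SCEP detection records exported to CSV (Get-SCEPDetectionLogs.csv),
# parsed with the SCEP_CSV field list and shipped as JSON in $Message.
<Input SCEP>
    Module im_file
    # Replace CSV_File_Location with the real directory. Inside a
    # double-quoted nxlog string backslashes must be doubled.
    File "CSV_File_Location\\Get-SCEPDetectionLogs.csv"
    # Remember the read offset across restarts (stored under CacheDir)
    SavePos TRUE
    # - lines starting with '#' (e.g. PowerShell's "#TYPE ..." preamble) are
    #   dropped before parsing;
    # - a column-header row, if present, parses with the literal value
    #   "Type" in $Type and is dropped so it is not shipped as an event;
    # - $EventTime comes from the record's own $Timestamp column. The
    #   original used $date/$time, which are not in the SCEP_CSV field list
    #   (left over from an IIS example) and so were always undefined, as
    #   was the "IIS" SourceName.
    # NOTE(review): parsedate() yields undef if the $Timestamp format is not
    # one it recognises - confirm against a real export.
    Exec if $raw_event =~ /^#/ drop();                              \
        else {                                                      \
            SCEP_CSV->parse_csv();                                  \
            if $Type == "Type" drop();                              \
            else {                                                  \
                $EventTime = parsedate($Timestamp);                 \
                $SourceName = "SCEP";                               \
                $Message = to_json();                               \
            }                                                       \
        }
</Input>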

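# Tails every SCCM .log file under D:\CM\Logs and forwards each line as-is.
<Input SCCM>
    Module im_file
    # SCCM log location. A single-quoted nxlog string is used so the
    # backslashes need no escaping; the original "D:\\CM\\Logs\\\*.log"
    # carried a stray third backslash before the wildcard, which is not a
    # documented escape sequence.
    File 'D:\CM\Logs\*.log'
    # Remember read offsets per file across restarts (stored under CacheDir)
    SavePos TRUE
    # Lines are not parsed here: SCCM_CSV is defined above but never
    # applied, so the raw CMTrace-style line is copied to $event and
    # shipped as an extra GELF field alongside $raw_event.
    Exec    $event = $raw_event;
</Input>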

# Ships the SCCM and SCEP routes as GELF datagrams to the collector
# (a Graylog-style GELF UDP input, to judge from the format and port).
# NOTE(review): om_udp is unencrypted and unacknowledged. The SCEP records
# include host names, user names, process/file paths and malware
# classifications (see the SCEP_CSV field list), so this traffic crosses
# the network in clear text and is silently lost on packet drop. Prefer a
# TLS transport (om_ssl with xm_gelf's GELF_TCP framing) or at least
# om_tcp where the collector supports it, or keep this on a trusted
# management network.
<Output out>
    Module      om_udp
    # Replace with the collector's address before deploying
    Host        your_host_ip_or_fqdn
    Port        12202
    OutputType  GELF
</Output>

# Same destination as "out", used for the EVENTLOG route.
# NOTE(review): the to_json() procedure rewrites $raw_event as a JSON
# document before GELF encoding; with OutputType GELF the parsed event
# fields are sent as GELF attributes regardless, so this mostly changes
# what lands in the message text - presumably deliberate, confirm.
# The same clear-text/UDP caveat as for "out" applies here: consider a
# TLS transport for event-log data that names hosts and accounts.
<Output out_e>
    Module      om_udp
    # Replace with the collector's address before deploying
    Host        your_host_ip_or_fqdn
    Port        12202
    Exec        to_json();
    OutputType  GELF
</Output>
  
# Raw SCCM .log lines -> GELF/UDP
<Route 1>
    Path        SCCM => out
</Route>

# Windows Application log (SMS providers) -> GELF/UDP via the to_json() output
<Route 2>
    Path        EVENTLOG => out_e
</Route>

# Parsed SCEP detection CSV records -> GELF/UDP
<Route 3>
    Path        SCEP => out
</Route>