ini SCCM日志记录的NXLog配置




# Installation root; every path below is written relative to it via %ROOT%.
Define ROOT C:\Program Files (x86)\nxlog
 
# Module binaries, the cache directory, PID file, spool directory and NXLog's
# own log file all live under the install directory.
# NOTE(review): CacheDir is presumably where the SavePos read offsets of the
# im_file inputs below are persisted — confirm against the NXLog reference.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# GELF encoder; required by the "OutputType GELF" directives of both om_udp
# outputs below.
<Extension gelf>
    Module xm_gelf
</Extension>

# Include fileop while debugging, also enable in the output module below
# <Extension fileop>
# Module xm_fileop
# </Extension>
 
# Provides to_json(), used by the SCEP input and the out_e output below.
<Extension json>
    Module xm_json
</Extension>
 
# Syslog parser/formatter. Nothing in this file calls it (no parse_syslog() or
# to_syslog*() anywhere), so it is loaded but unused; drop it if syslog output
# is not planned.
<Extension syslog>
    Module xm_syslog
</Extension>

# Column layout of the SCEP detection export read by the SCEP input below.
# Every column is typed as string; the Timestamp/ObserverDetectionTime columns
# are therefore NOT converted to datetime here — that has to be done with
# parsedate() in the input's Exec.
# UndefValue "-" is what parse_csv() yields for an empty column.
<Extension SCEP_CSV>
    Module xm_csv
    Fields $Type,$RowID,$Name,$Description,$Timestamp,$SchemaVersion,$ObserverHost,$ObserverUser,$ObserverProductName,$ObserverProductversion,$ObserverProtectionType,$ObserverProtectionVersion,$ObserverProtectionSignatureVersion,$ObserverDetection,$ObserverDetectionTime,$ActorHost,$ActorUser,$ActorProcess,$ActorResource,$ActionType,$TargetHost,$TargetUser,$TargetProcess,$TargetResource,$ClassificationID,$ClassificationType,$ClassificationSeverity,$ClassificationCategory,$RemediationType,$RemediationResult,$RemediationErrorCode,$RemediationPendingAction,$IsActiveMalware
    FieldTypes string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
    Delimiter       ','
    QuoteChar       '"'
    # Control characters in a field are passed through unescaped.
    EscapeControl   FALSE
    UndefValue      -
</Extension>

# Intended splitter for SCCM client log lines, using '>' as the column
# delimiter and a single quote as the quote character.
# NOTE(review): no input in this file calls SCCM_CSV->parse_csv() — the SCCM
# input forwards $raw_event untouched — so this extension is currently unused.
<Extension SCCM_CSV>
    Module xm_csv
    Fields $Message,$Component,$Date,$Thread
    FieldTypes string,string,string,string
    Delimiter       '>'
    QuoteChar       '''
    EscapeControl   FALSE
    UndefValue      -
</Extension>

# Windows Event Log reader restricted to the SCCM-related providers.
# Only events in the Application channel whose Provider Name is one of the four
# "SMS ..." names listed in the Select are collected; anything SCCM writes to
# other channels or under other provider names is not picked up by this query.
<Input EVENTLOG>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog

    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[Provider[@Name='SMS Client' or @Name='SMS Performance Data Provider' or @Name='SMS Provider' or @Name='SMS Server']]]</Select>\
        </Query>\
    </QueryList>
</Input>
 
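# Reads the SCEP detection CSV export and turns each data row into a JSON
# message carrying the SCEP_CSV fields.
# Fixes versus the original: $EventTime was derived from $date and $time, two
# fields that SCEP_CSV never defines, so parsedate() got an undefined value and
# the event time silently stayed at the receive time; and $SourceName was set
# to "IIS" (left over from an IIS template), mislabelling every SCEP detection
# downstream.
<Input SCEP>
    Module im_file
    # Location of the SCEPDetectionLog.csv — CSV_File_Location is a placeholder
    # to replace with the real directory.
    File "CSV_File_Location\\Get-SCEPDetectionLogs.csv"
    # Persist the read offset so rows are not re-sent after a restart.
    SavePos TRUE
    # Lines starting with '#' are comment/header lines and are dropped; every
    # other line is split with the SCEP_CSV field list defined above.
    # $Timestamp is the CSV's own time column; it is only used when present.
    # NOTE(review): parsedate() must understand the format of the Timestamp
    # column as exported — confirm against a sample row.
    Exec if $raw_event =~ /^#/ drop();                                  \
        else {                                                          \
            SCEP_CSV->parse_csv();                                      \
            if defined($Timestamp) $EventTime = parsedate($Timestamp);  \
            $SourceName = "SCEP";                                       \
            $Message = to_json();                                       \
        }
</Input>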

# Tails the SCCM log files and forwards each line verbatim.
<Input SCCM>
    Module im_file
    # SCCM Log Location
    # NOTE(review): the pattern is written as "\\\*.log" — "\\" is a literal
    # backslash, but how the parser treats the following "\*" should be
    # confirmed; "D:\\CM\\Logs\\*.log" is the usual spelling of the wildcard.
    File "D:\\CM\\Logs\\\*.log"  
    # Persist the read offset so lines are not re-sent after a restart.
    SavePos TRUE
    # Copies the raw line into $event and nothing else: the SCCM_CSV extension
    # defined above is never invoked, so Component/Date/Thread are not
    # extracted and $raw_event leaves this input unchanged.
    Exec    $event = $raw_event;
</Input>

# GELF over plain UDP to the collector; used by routes 1 and 3 (SCCM, SCEP).
# Plain UDP gives neither confidentiality nor integrity for the log content and
# no acknowledgement of delivery, so loss is silent; prefer a TCP/TLS output
# module when the collector supports it. The Host value is a placeholder.
<Output out>
    Module      om_udp
    Host        your_host_ip_or_fqdn
    Port        12202
    OutputType  GELF
</Output>

# GELF over plain UDP to the same collector and port as "out"; used by route 2
# for the EVENTLOG input. Same caveats as "out": no transport protection and no
# delivery acknowledgement, Host is a placeholder.
# The only difference from "out" is the to_json() call, which rewrites
# $raw_event as the JSON of all event fields before GELF encoding.
# NOTE(review): confirm this is intended — GELF already carries the fields, so
# the JSON may end up duplicated inside the message body.
<Output out_e>
    Module      om_udp
    Host        your_host_ip_or_fqdn
    Port        12202
    Exec        to_json();
    OutputType  GELF
</Output>
  
# Raw SCCM log lines go to the plain GELF output.
<Route 1>
    Path        SCCM => out
</Route>

# Event Log records go to the output that JSON-encodes them first.
<Route 2>
    Path        EVENTLOG => out_e
</Route>

# SCEP detections (already JSON in $Message from the input's Exec) share the
# plain GELF output with route 1.
<Route 3>
    Path        SCEP => out
</Route>
