Multiple Outputs


#1 gavin.lacey@telegraph.co.uk

I have the following config forwarding all events to siem

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT 10518
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_security_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False
    SavePos  False
</Input>

<Output out_siem_windevents>
    Module      om_udp
    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port        %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_security_eventlog => out_siem_windevents
</Route>

I need to push sysmon events to a separate feed within SIEM. Would the below be an acceptable config to use? Not sure if the route statements need route r3 or if they can all exist within route r2.

define ROOT     C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT 10518
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

define WINDNS_OUTPUT_DESTINATION_ADDRESS2 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT2 10519

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module      xm_json
</Extension>

<Input windows_security_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  False
    SavePos  False
</Input>

<Output out_siem_windevents>
    Module      om_udp
    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port        %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Output out_siem_windevents2>
    Module      om_udp
    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS2%
    Port        %WINDNS_OUTPUT_DESTINATION_PORT2%
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_security_eventlog => out_siem_windevents
    Path    windows_security_eventlog => out_siem_windevents2
</Route>

#2 KlevinDeactivated Nxlog ✓

Hello Gavin,

The correct syntax to configure one input to multiple outputs would be the following:

<Route r2>
    Path    windows_security_eventlog => out_siem_windevents, out_siem_windevents2
</Route>

or you need to add another route in case you want to have things separated:

<Route r2>
    Path    windows_security_eventlog => out_siem_windevents2
</Route>

<Route r3>
    Path    windows_security_eventlog => out_siem_windevents
</Route>

More can be found in our online doc if needed.

Sincerely
Klevin
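Gavin's question was about sending Sysmon events to a separate SIEM feed, but the input in the thread selects only the Application, System, Security and ForwardedEvents channels, and Sysmon writes to its own event channel. The fragment below is an added example, not part of either post, showing a dedicated Sysmon input with its own route to the second output while the original input keeps the first; it assumes Sysmon is installed with its default channel name and reuses the output names from the thread.

```nxlog
# Added example: a separate input for the Sysmon channel so that
# Sysmon events can be routed independently of the other Windows logs.
# Assumes the default Sysmon channel name; adjust if it was renamed.
<Input sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# One route per feed: each input goes to exactly one output,
# so the SIEM receives Windows logs on port 10518 and Sysmon on 10519.
<Route windows_events>
    Path    windows_security_eventlog => out_siem_windevents
</Route>

<Route sysmon_events>
    Path    sysmon_eventlog => out_siem_windevents2
</Route>
```

Because each Route carries its own input, the two feeds stay separate; the comma form in Klevin's first snippet instead delivers a copy of every event from the one input to both outputs.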