Multiple Outputs
I have the following config forwarding all events to the SIEM:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT 10518
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Input windows_security_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos False
</Input>

<Output out_siem_windevents>
    Module om_udp
    Host %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path windows_security_eventlog => out_siem_windevents
</Route>
I need to push sysmon events to a separate feed within the SIEM. Would the below be an acceptable config to use? Not sure if the route statements need a route r3 or if they can all exist within route r2.
define ROOT C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT 10518
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define WINDNS_OUTPUT_DESTINATION_ADDRESS2 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT2 10519
define LOGFILE %LOGDIR%\nxlog.log

LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Input windows_security_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos False
</Input>

<Output out_siem_windevents>
    Module om_udp
    Host %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Output out_siem_windevents2>
    Module om_udp
    Host %WINDNS_OUTPUT_DESTINATION_ADDRESS2%
    Port %WINDNS_OUTPUT_DESTINATION_PORT2%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path windows_security_eventlog => out_siem_windevents
    Path windows_security_eventlog => out_siem_windevents2
</Route>
Hello Gavin,
The correct syntax to configure one input with multiple outputs would be the following:
<Route r2>
    Path windows_security_eventlog => out_siem_windevents, out_siem_windevents2
</Route>
or you need to add another route in case you want to have things separated:
<Route r2>
    Path windows_security_eventlog => out_siem_windevents2
</Route>
<Route r3>
    Path windows_security_eventlog => out_siem_windevents
</Route>
More can be found in our online doc if needed.
Sincerely
Klevin
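The question asks for Sysmon on its own feed, but both configs above read the same four channels and neither selects the Sysmon channel, so the two routes would only duplicate the same events to two ports. The following is an added example (not from the original thread or from NXLog) that applies the per-route syntax from the answer to that goal: a second im_msvistalog input that reads only the Sysmon channel, routed to its own output. It assumes Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational; the define lines, the xm_json extension and the two $EventTime/$EventReceivedTime Exec lines from the question are unchanged and omitted here.

```apacheconf
# Input 1: the channels the question already collects.
<Input windows_security_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Input 2: Sysmon only, as its own input so it can be routed on its own.
# Channel name assumes Sysmon is installed with its default channel.
<Input sysmon_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Two UDP outputs on different ports so the SIEM can tell the feeds apart
# (defines are the ones from the question).
<Output out_siem_windevents>
    Module om_udp
    Host %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec to_json();
</Output>

<Output out_siem_sysmon>
    Module om_udp
    Host %WINDNS_OUTPUT_DESTINATION_ADDRESS2%
    Port %WINDNS_OUTPUT_DESTINATION_PORT2%
    Exec to_json();
</Output>

# One route per feed: each input reaches only its own output, so no event
# is sent twice and the Sysmon feed arrives on its own port.
<Route r2>
    Path windows_security_eventlog => out_siem_windevents
</Route>

<Route r3>
    Path sysmon_eventlog => out_siem_sysmon
</Route>
```

Two things to keep in mind when reusing the question's settings: ReadFromLast False together with SavePos False makes im_msvistalog re-read the whole log on every restart, so the SIEM receives the history again each time, and om_udp gives neither delivery confirmation nor encryption, so a dropped datagram is simply lost (NXLog's om_ssl is the TLS counterpart if the SIEM accepts it).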