{
|
|
"TimberWinR": {
|
|
"Inputs": {
|
|
"WindowsEvents": [
|
|
{
|
|
"source": "System,Application",
|
|
"binaryFormat": "PRINT",
|
|
"resolveSIDS": true
|
|
}
|
|
],
|
|
"Tcp": [
|
|
{
|
|
"port": "5140"
|
|
}
|
|
],
|
|
"Logs": [
|
|
{
|
|
"name": "Syslogs1",
|
|
"location": "C:\\Logs1\\*.log"
|
|
}
|
|
],
|
|
"IISW3CLogs": [
|
|
{
|
|
"name": "Default site",
|
|
"location": "c:\\inetpub\\logs\\LogFiles\\W3SVC1\\*"
|
|
}
|
|
]
|
|
},
|
|
"Outputs": {
|
|
"Redis": [
|
|
{
|
|
"host": [
|
|
"logaggregator.vistaprint.svc"
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"Filters": [
|
|
{
|
|
"grok": {
|
|
"condition": "[type] == \"Win32-Eventlog\"",
|
|
"match": [
|
|
"Message",
|
|
""
|
|
],
|
|
"remove_field": [
|
|
"ComputerName"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"grok": {
|
|
"match": [
|
|
"message",
|
|
"%{SYSLOGLINE}"
|
|
],
|
|
"add_tag": [
|
|
"rn_%{Index}",
|
|
"bar"
|
|
],
|
|
"add_field": [
|
|
"foo_%{logsource}",
|
|
"Hello dude from %{ComputerName}"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"grok": {
|
|
"match": [
|
|
"Text",
|
|
"%{SYSLOGLINE}"
|
|
],
|
|
"add_tag": [
|
|
"rn_%{RecordNumber}",
|
|
"bar"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"date": {
|
|
"match": [
|
|
"timestamp",
|
|
"MMM d HH:mm:sss",
|
|
"MMM dd HH:mm:ss"
|
|
],
|
|
"target": "UtcTimestamp",
|
|
"convertToUTC": true
|
|
}
|
|
},
|
|
{
|
|
"mutate": {
|
|
"_comment": "Orion rules: normalise field names to the capitalised form the downstream consumer expects (host->Host, message->Message, type->Type) and relabel SID as Username. NOTE(review): this rename only changes the field name; the value is an account name rather than a raw SID only because resolveSIDS is enabled on the WindowsEvents input above - confirm that is intended before anything downstream treats Username as authoritative.",
|
|
"rename": [
|
|
"host", "Host",
|
|
"message","Message",
|
|
"type","Type",
|
|
"SID", "Username"
|
|
]
|
|
}
|
|
},
|
|
|
|
]
|
|
}
|
|
}
|