98 lines
2.9 KiB
JSON
98 lines
2.9 KiB
JSON
{
|
|
"TimberWinR": {
|
|
"Inputs": {
|
|
"WindowsEvents": [
|
|
{
|
|
"source": "System,Application",
|
|
"binaryFormat": "PRINT",
|
|
"resolveSIDS": true
|
|
}
|
|
],
|
|
"Tcp": [
|
|
{
|
|
"_comment": "Output from NLog",
|
|
"port": 5140
|
|
}
|
|
]
|
|
},
|
|
"Outputs": {
|
|
"Redis": [
|
|
{
|
|
"threads": 1,
|
|
"interval": 5000,
|
|
"batch_count": 500,
|
|
"host": [
|
|
"tstlexiceapp006.vistaprint.svc"
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"Filters": [
|
|
{
|
|
"grok": {
|
|
"condition": "[type] == \"Win32-Eventlog\"",
|
|
"match": [
|
|
"Message",
|
|
""
|
|
],
|
|
"remove_field": [
|
|
"ComputerName"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"grok": {
|
|
"match": [
|
|
"message",
|
|
"%{SYSLOGLINE}"
|
|
],
|
|
"add_tag": [
|
|
"rn_%{Index}",
|
|
"bar"
|
|
],
|
|
"add_field": [
|
|
"foo_%{logsource}",
|
|
"Hello dude from %{ComputerName}"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"grok": {
|
|
"match": [
|
|
"Text",
|
|
"%{SYSLOGLINE}"
|
|
],
|
|
"add_tag": [
|
|
"rn_%{RecordNumber}",
|
|
"bar"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"date": {
|
|
"condition": "[type] == \"Win32-FileLog\"",
|
|
"match": [
|
|
"timestamp",
|
|
"MMM d HH:mm:sss",
|
|
"MMM dd HH:mm:ss"
|
|
],
|
|
"target": "UtcTimestamp",
|
|
"convertToUTC": true
|
|
}
|
|
},
|
|
{
|
|
"mutate": {
|
|
"_comment": "Orion Rules",
|
|
"rename": [
|
|
"ComputerName", "Host",
|
|
"host", "Host",
|
|
"message","Message",
|
|
"type","Type",
|
|
"SID", "Username"
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|