## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\\Program Files\\nxlog
#define ROOT_STRING C:\\Program Files\\nxlog
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
# Include fileop while debugging, also enable in the output module below
#
# Module xm_fileop
#
Module xm_json
Module xm_syslog
Module im_internal
Exec $Message = to_json();
# Windows Event Log
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
Query \
\
\
\
\
\
\
\
*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]] \
*[System[(EventID=501 or EventID=400 or EventID=600)]] \
\
Exec $Message = to_json();
###########################
#
# Filter out by Application
#
###########################
Exec if ($Application =~ /appdata\\roaming\\dropbox\\bin\\dropbox.exe/) drop();
Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
Exec if ($Application =~ /icamsource\\icamsource.exe/) drop();
Exec if ($Application =~ /program files\\bonjour\\mdnsresponder.exe/) drop();
Exec if ($Application =~ /common files\\apple\\mobile device support\\applemobiledevicehelper.exe/) drop();
Exec if ($Application =~ /common files\\apple\\mobile device support\\applemobiledeviceservice.exe/) drop();
Exec if ($Application =~ /microsoft office\\office12\\outlook.exe/) drop();
Exec if ($Application =~ /windows\\system32\\spoolsv.exe/) drop();
Exec if ($Application =~ /quicken\\qw.exe/) drop();
###########################
#
# Filter out by Source and Destination IP
#
###########################
Exec if ($SourceAddress =~ /224.0.0.252/) drop();
Exec if ($SourceAddress =~ /192.168.1.255/) drop();
Exec if ($SourceAddress =~ /224.0.0.1/) drop();
Exec if ($SourceAddress =~ /239.255.255.250/) drop();
Exec if ($DestAddress =~ /8.8.8.8/) drop();
Exec if ($DestAddress =~ /224.0.0.22/) drop();
###########################
#
# Filter out by Command Line
#
###########################
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
Exec if ($CommandLine =~ /\{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E\}/) drop();
Exec if ($CommandLine =~ /Processid:\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5\}/) drop();
Exec if ($CommandLine =~ /consent.exe 1116 310 000000000467BC60/) drop();
Exec if ($CommandLine =~ /C:\\Windows\\system32\\AUDIODG.EXE 0xfdc/) drop();
Exec if ($CommandLine =~ /"C:\\Windows\\system32\\SearchFilterHost.exe" 0 532 536 544 65536 540/) drop();
Exec if ($CommandLine =~ /"C:\\Windows\\system32\\SearchProtocolHost.exe" Global\\UsGthrFltPipeMssGthrPipe37/) drop();
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\Google\\Chrome\\Application\\chrome.exe" --type=renderer --enable-deferred-image-dec/) drop();
Exec if ($CommandLine =~ /Find \/i/) drop();
Exec if ($CommandLine =~ /"conhost.exe 0xffffffff"/) drop();
# Exec if ($CommandLine =~ //) drop();
# Exec if ($CommandLine =~ //) drop();
# Exec if ($CommandLine =~ //) drop();
# Exec if ($CommandLine =~ //) drop();
# Exec if ($CommandLine =~ //) drop();
# Exec if ($CommandLine =~ //) drop();
# Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
Path internal, eventlog => out