nxlog.conf

# Blumira : Windows NXLog to Blumira Sensor or SIEM
#
# Version: 2.0
#
# NXLog configuration for converting and sending Windows logs to Blumira.
# Both Community (CE) and Enterprise (EE) Editions of NXLog are supported.  
# If you intend to collect WEF logs, you must use Enterprise Edition which 
# you will need to license internally due to limitations with CE.  


#####################################################
#################    Directions    ##################
#####################################################
# 1) Install NXLog Community Edition
# 2) Copy this config to the proper location. 
#    Most likely at C:\Program Files (x86)\nxlog\conf
# 3) Below, update `define SIEM A.B.C.D` to the IP address of your sensor
# 4) If troubleshooting, set `Loglevel` to DEBUG. (INFO is default when not specified)
# 5) Review each section you intend to use!
#    There are actions required for some to allow data collection to start.
# 6) Restart your nxlog service after every change that could add new data
#    net stop nxlog && net start nxlog 
# 7) Verify the connection has been made by viewing the nxlog.log file in C:\Program Files(x86)\data
#####################################################


#####################################################
#################       Notes      ##################
#####################################################

# Issues: Report Issues at https://github.com/Blumira/Flowmira/issues
# Changelog at https://github.com/Blumira/Flowmira/commits/master/nxlog.conf
# License: MIT

#####################################################
#################    Definitions   ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Update `define SIEM A.B.C.D` to the IP address of your sensor
# 2) If troubleshooting, set `Loglevel` to DEBUG. (INFO is default when not specified)
# 3) If 64bit is used, comment out (#) x86 and uncomment C:\Program Files\nxlog lines
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#Define logging level (aka "Unleash the Kraken?")
#LogLevel DEBUG

# Please set SIEM to the IP address of your Blumira sensor or SIEM
define SIEM A.B.C.D
define PORT 514

# Please set ROOT to the folder your nxlog was installed into
#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog

# Define certs if used during Sensor Logger creation
define CERTDIR %ROOT%\cert
define CONFDIR  %ROOT%\\conf

# Define internal log details for NXLog
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log 
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
#LogFile %ROOT%\data\nxlog.log
LogFile %LOGFILE%

<Extension _fileop>
    Module xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>
 
<Extension json>
    Module xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>

<Extension File operations>
    Module xm_fileop 
</Extension>
#####################################################
#################    Definitions   ##################
#################        END       ##################
#####################################################


#####################################################
##############    Internal NXLog Logs   #############
#################       START      ##################
#################      0 tasks     ##################
#####################################################
<Input blu_internal>
    Module im_internal
    # Drop if a log file is not found, likely IIS or FW are not configured
    Exec if ($Message =~ /does not exist/) drop();
    # Drop if IIS or old Windows logs are not found
    # If you're using Win 2k3 or lower, please reach out to support@blumira.com
    Exec if ($Message =~ /failed to subscribe to msvistalog/) drop();
    Exec  $Message = to_json(); 
</Input>
<Output blu_out_internal>
    Module om_tcp
    Host %SIEM%
    Port %PORT%
    Exec to_syslog_bsd();
</Output>
<Route route_internal>
    Path blu_internal => blu_out_internal
</Route>
#####################################################
##############    Internal NXLog Logs   #############
#################        END       ##################
#####################################################


#####################################################
############    Windows Core Event Logs   ###########
#################       START      ##################
#################      0 tasks     ##################
#####################################################
<Input blu_eventlog>
    Module im_msvistalog
    # Prevent endless loop due to 5156 logging nxlog.exe connections
    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
    # Define Queries
    Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="Application">*</Select>\
                            <Select Path="System">*</Select>\
                            <Select Path="Security">*</Select>\
                            <Select Path="Setup">*</Select>\
                            <Select Path="Windows PowerShell">*</Select>\
                            <Suppress Path="Security">*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress> \
                            <Suppress Path="Windows PowerShell">*[System[(EventID=501 or EventID=400 or EventID=600)]]</Suppress> \
                        </Query>\
                    </QueryList> 
    
    # Filter out by Application
    Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
    # Filter out by Source and Destination IP   
    Exec if ($SourceAddress =~ /224.0.0.252/) drop();
    Exec if ($SourceAddress =~ /192.168.1.255/) drop();
    Exec if ($SourceAddress =~ /224.0.0.1/) drop();
    Exec if ($SourceAddress =~ /239.255.255.250/) drop();
    Exec if ($DestAddress =~ /224.0.0.22/) drop();
    # Filter out by Command Line    
    Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
    # Dropping non-security but often-loud logs for DFS and failed ISATAP issues
    Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
    
    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec $EventTime = integer($EventTime);
    # JSON is required because some Windows logs contain new-line characters.
    Exec $Message = to_json();
</Input>
<Output blu_out_eventlog>
    Module om_tcp
    Host %SIEM%
    Port %PORT%
    Exec to_syslog_bsd();
</Output>
<Route route_eventlog>
    Path blu_eventlog => blu_out_eventlog
</Route>
#####################################################
############    Windows Core Event Logs   ###########
#################         END      ##################
#####################################################


#####################################################
####  Windows Priority 1 Supplemental Event Logs ####
#################       START      ##################
#################      0 tasks     ##################
#####################################################
<Input blu_eventlog_sup>
    Module im_msvistalog
    # Prevent endless loop due to 5156 logging nxlog.exe connections
    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
    # Define Queries
    Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>\
                            <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>\
                            <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>\
                            <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>\
                            <Select Path="Microsoft-Windows-LSA/Operational">*</Select>\
                            <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>\
                            <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>\
                            <Select Path="Microsoft-Windows-Powershell/Operational">*</Select>\
                            <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>\
                            <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>\
                            <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>\
                        </Query>\
                    </QueryList> 
    
    # Filter out by Application
    Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
    # Filter out by Source and Destination IP   
    Exec if ($SourceAddress =~ /224.0.0.252/) drop();
    Exec if ($SourceAddress =~ /192.168.1.255/) drop();
    Exec if ($SourceAddress =~ /224.0.0.1/) drop();
    Exec if ($SourceAddress =~ /239.255.255.250/) drop();
    Exec if ($DestAddress =~ /224.0.0.22/) drop();
    # Filter out by Command Line    
    Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
    # Dropping non-security but often-loud logs for DFS and failed ISATAP issues
    Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
    
    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec $EventTime = integer($EventTime);
    # JSON is required because some Windows logs contain new-line characters.
    Exec $Message = to_json();
</Input>
<Output blu_out_eventlog_sup>
    Module om_tcp
    Host %SIEM%
    Port %PORT%
    Exec to_syslog_bsd();
</Output>
<Route route_eventlog_sup>
    Path blu_eventlog_sup => blu_out_eventlog_sup
</Route>
#####################################################
####  Windows Priority 1 Supplemental Event Logs ####
#################        END       ##################
#####################################################


#####################################################
####  Windows Priority 2 Supplemental Event Logs ####
#################       START      ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Many of these event channels can cause issues with the CE version of nxlog when not present
#    Ensure all event channels are present on the host prior to uncommenting this section for logflow to continue working
#
# 2) If you want to utilize extra windows event channel logging 
# remove all # at the beginning of lines from 
# <Input blu_eventlog_sup2> to </Route> after route_eventlog_sup2 in this section
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#<Input blu_eventlog_sup2>
#    Module im_msvistalog
#    # Prevent endless loop due to 5156 logging nxlog.exe connections
#    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
#    # Define Queries
#    Query       <QueryList>\
#                        <Query Id="0">\
#                            <Select Path="Directory Service">*</Select>\
#                            <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select>\
#                            <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select>\
#                            <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select>\
#                            <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>\
#                            <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select>\
#                            <Select Path="Microsoft-Windows-Bits-Client/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']]]</Select>\
#                            <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select>\
#                            <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select>\
#                            <Select Path="Microsoft-Windows-WinRM/Operational">*</Select>\
#                            <Select Path="Network Isolation Operational">*</Select>\
#                        </Query>\
#                    </QueryList> 
#    
#    # Filter out by Application
#    Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
#    # Filter out by Source and Destination IP   
#    Exec if ($SourceAddress =~ /224.0.0.252/) drop();
#    Exec if ($SourceAddress =~ /192.168.1.255/) drop();
#    Exec if ($SourceAddress =~ /224.0.0.1/) drop();
#    Exec if ($SourceAddress =~ /239.255.255.250/) drop();
#    Exec if ($DestAddress =~ /224.0.0.22/) drop();
#    # Filter out by Command Line    
#    Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
#    # Dropping non-security but often-loud logs for DFS and failed ISATAP issues
#    Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
#    
#    # Workaround for local time so as to standardize to absolute microseconds since epoch
#    Exec $EventTime = integer($EventTime);
#    # JSON is required because some Windows logs contain new-line characters.
#    Exec $Message = to_json();
#</Input>
#<Output blu_out_eventlog_sup2>
#    Module om_tcp
#    Host %SIEM%
#    Port %PORT%
#    Exec to_syslog_bsd();
#</Output>
#<Route route_eventlog_sup2>
#    Path blu_eventlog_sup2 => blu_out_eventlog_sup2
#</Route>
#####################################################
####  Windows Priority 2 Supplemental Event Logs ####
#################        END       ##################
#####################################################


#####################################################
###########  Windows Defender Event Logs ############
#################       START      ##################
#################      0 tasks     ##################
#####################################################
<Input blu_eventlog_def>
    Module im_msvistalog
    # Prevent endless loop due to 5156 logging nxlog.exe connections
    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
    # Define Queries
    Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
                            <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>\
                            <Suppress Path="Security">*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress> \
                            <Suppress Path="Windows PowerShell">*[System[(EventID=501 or EventID=400 or EventID=600)]]</Suppress> \
                        </Query>\
                    </QueryList> 
    
    # Filter out by Application
    Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
    # Filter out by Source and Destination IP   
    Exec if ($SourceAddress =~ /224.0.0.252/) drop();
    Exec if ($SourceAddress =~ /192.168.1.255/) drop();
    Exec if ($SourceAddress =~ /224.0.0.1/) drop();
    Exec if ($SourceAddress =~ /239.255.255.250/) drop();
    Exec if ($DestAddress =~ /224.0.0.22/) drop();
    # Filter out by Command Line    
    Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
    # Dropping non-security but often-loud logs for DFS and failed ISATAP issues
    Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
    
    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec $EventTime = integer($EventTime);
    # JSON is required because some Windows logs contain new-line characters.
    Exec $Message = to_json();
</Input>
<Output blu_out_eventlog_def>
    Module om_tcp
    Host %SIEM%
    Port %PORT%
    Exec to_syslog_bsd();
</Output>
<Route route_eventlog_def>
    Path blu_eventlog_def => blu_out_eventlog_def
</Route>
#####################################################
###########  Windows Defender Event Logs ############
#################        END       ##################
#####################################################


#####################################################
#################  SYSMON Event Logs ################
#################       START      ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Install Sysmon on your endpoints if you intend to use this feature
#
# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
# https://www.blumira.com/enable-sysmon/
#
# 2) If you want to utilize Sysmon Logging 
# remove all # at the beginning of lines from 
# <Input blu_eventlog_sysmon> to </Route> after route_eventlog_sysmon in this section
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
<Input blu_eventlog_sysmon>
    Module im_msvistalog
    Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                        </Query>\
                    </QueryList> 
           
    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec $EventTime = integer($EventTime);
    # JSON is required because some Windows logs contain new-line characters.
    Exec $Message = to_json();
</Input>
<Output blu_out_eventlog_sysmon>
    Module om_tcp
    Host %SIEM%
    Port %PORT%
    Exec to_syslog_bsd();
</Output>
<Route route_eventlog_sysmon>
    Path blu_eventlog_sysmon => blu_out_eventlog_sysmon
</Route>
#####################################################
#################  SYSMON Event Logs ################
#################        END       ##################
#####################################################


#####################################################
##############  Windows IIS Event Logs ##############
#################  VIA Event Viewer #################
#################       START      ##################
#################      3 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files, 
# remove all # at the beginning of lines from 
# <Input blu_eventlog_iis> to </Route> after route_eventlog_iis in this section
#
# 2) Run the following commands on the host(s) you want to collect
#    logs from via Event Viewer, this will enable the logs. Running this
#    command in your deployment script is OK. You will get errors on hosts
#    that do not have IIS, they can be ignored.
#
# From an administrative command shell prompt
# - wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
# - wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
# - wevtutil sl Microsoft-IIS-Logging/Logs /e:true
# 
# 3) Go to your IIS Manager, Server Configuration, select Logging and select "Both log file and ETW event" 
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#<Input blu_eventlog_iis>
#    Module im_msvistalog
#    Query       <QueryList>\
#                        <Query Id="0">\
#                            <Select Path="Microsoft-IIS-Configuration/Administrative">*</Select>\
#                            <Select Path="Microsoft-IIS-Configuration/Operational">*</Select>\
#                            <Select Path="Microsoft-IIS-Logging/Logs">*</Select>\
#                        </Query>\
#                    </QueryList> 
#        
#    # Filter noise from IIS schema issues
#    Exec if ($Message =~ /Unable to find schema/) drop();
#    
#    # Workaround for local time so as to standardize to absolute microseconds since epoch
#    Exec $EventTime = integer($EventTime);
#    # JSON is required because some Windows logs contain new-line characters.
#    Exec $Message = to_json();
#</Input>
#<Output blu_out_eventlog_iis>
#    Module om_tcp
#    Host %SIEM%
#    Port %PORT%
#    Exec to_syslog_bsd();
#</Output>
#<Route route_eventlog_iis>
#    Path blu_eventlog_iis => blu_out_eventlog_iis
#</Route>
#####################################################
##############  Windows IIS Event Logs ##############
#################  VIA Event Viewer #################
#################        END       ##################
#####################################################


#####################################################
##############  Windows IIS Event Logs ##############
##################  VIA Log Files ###################
#################       START      ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# NOTE: This is the non-Event Viewer method, only use this method if you have a reason to not use Event Viewer
# ------------
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files, remove all # at the beginning of lines from 
# <Extension w3c> to </Route> after route_iis in this section
# 2) You will need to ensure that logging is enabled per site for IIS in this configuration section
# Task note: If you are storing logs in a different location than default, change File below to the appropriate path.
#            If you're unsure what to change it to, or, if you have more than one and are unsure
#            what the final output should be, please reach out to support@blumira.com with your configuration details.
#
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#<Extension w3c>
#    Module xm_csv
#
#    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $csReferer $sc-status, $sc-substatus, $sc-win32-status, $time-taken
#    FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
#    Delimiter ' '
#    UndefValue -
#</Extension>
#<Input blu_iis_logs>
#    Module   im_file
#    File     "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
#    SavePos  TRUE
#    
#    Exec $Hostname = hostname_fqdn();
#    Exec if $raw_event =~ /^#/ drop();              \
#      else                          \
#          {                             \
#             w3c->parse_csv();              \
#             $EventTime = parsedate($date + " " + $time);   \
#             $raw_event = to_json();              \
#          }
#</Input>
#<Output blu_out_iis>
#    Module      om_udp
#    Host        %SIEM%
#    Port        514
#    Exec        $raw_event = 'BLU_IIS: ' + $raw_event;
#    
#    Exec to_syslog_bsd();
#</Output>
#<Route route_iis>
#    Path blu_iis_logs => blu_out_iis
#</Route>
#####################################################
##############  Windows IIS Event Logs ##############
##################  VIA Log Files ###################
#################        END       ##################
#####################################################


#####################################################
###########  Windows Firewall Event Logs ############
#################       START      ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize this section, remove all # at the beginning of lines from 
#     <Extension csv_windows_fw> to </Route> after route_windows_fw in this section
#
# 2) You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only.
#     Adding successful packets will most likely be unnecessarily verbose unless you require visibility 
#     due to lack of segmentation.
#      
#     Recommended Powershell Command - Requires FW to be configured to at least generally functional state
#     - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
#       
#     If SIGNIFICANT verbosity is required, use this command which will log Allowed connections as well:
#     - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
#       
#       --- Manual Setup ---
#       https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#<Extension csv_windows_fw>
#    Module          xm_csv
#    Fields          date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
#    FieldTypes      string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
#    Delimiter       ' '
#</Extension>
#<Input blu_windows_fw>
#    Module      im_file
#    File        "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
#    Exec if $raw_event =~ /^#/ drop();\
#    {\
#               csv_windows_fw->parse_csv();\
#               $EventTime = parsedate($date + " " + $time);\
#               $raw_event = to_json();\
#    }
#</Input>
#<Output out_windows_firewall>
#    Module      om_tcp
#    Host        %SIEM%
#    Port        514
#    Exec        $raw_event = 'BLU_WIN_FW: ' + $raw_event;
#    
#    Exec to_syslog_bsd();
#</Output>
#<Route route_windows_fw>
#    Path        blu_windows_fw => out_windows_firewall
#</Route>
#####################################################
###########  Windows Firewall Event Logs ############
#################        END       ##################
#####################################################


#####################################################
#####  Azure AD Password Protection Event Logs ######
#################       START      ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files, 
# remove all # at the beginning of lines from 
# <Input blu_eventlog_azuread_pwpro> to </Route> after route_eventlog_azuread_pwpro in this section
# 2) Enable Azure PP and deploy agent
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#<Input blu_eventlog_azuread_pwpro>
#    Module im_msvistalog
#    Query       <QueryList>\
#                        <Query Id="0">\
#                            <Select Path="Microsoft-AzureADPasswordProtection-DCAgent/Admin">*</Select>\
#                            <Select Path="Microsoft-AzureADPasswordProtection-DCAgent/Operational">*</Select>\
#                            <Select Path="Microsoft-AzureADPasswordProtection-DCAgent/Trace">*</Select>\
#                            <Select Path="Microsoft-AzureADPasswordProtection-ProxyService/Admin">*</Select>\
#                            <Select Path="Microsoft-AzureADPasswordProtection-ProxyService/Operational">*</Select>\
#                            <Select Path="Microsoft-AzureADPasswordProtection-ProxyService/Trace">*</Select>\
#                        </Query>\
#                    </QueryList> 
#    
#    # Workaround for local time so as to standardize to absolute microseconds since epoch
#    Exec $EventTime = integer($EventTime);
#    # JSON is required because some Windows logs contain new-line characters.
#    Exec $Message = to_json();
#</Input>
#<Output blu_out_azuread_pwpro>
#    Module om_tcp
#    Host %SIEM%
#    Port %PORT%
#    Exec to_syslog_bsd();
#</Output>
#<Route route_eventlog_azuread_pwpro>
#    Path blu_eventlog_azuread_pwpro => blu_out_azuread_pwpro
#</Route>
#####################################################
#####  Azure AD Password Protection Event Logs ######
#################        END       ##################
#####################################################