date: 2016-03-31

Just a quick post detailing the conf file I found to work best with sysmon.

###### start of config file ############
##   See the nxlog reference manual at
##   http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.pdf

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

    Module      xm\_json

    Module      im_msvistalog
   
    # ref https://msdn.microsoft.com/en-us/library/aa385231.aspx
    # had to add tag into query tag and change “ for ‘
    Query   \\                 \\                     \*\\                 \\            
#    Exec if ($TargetUserName == ’SYSTEM’) OR ($EventType == ’VERBOSE’) drop(); #incase you want to filter at later date
    Exec $raw_event = to_json(); #keeps event on one line
</Input>

    Module      om\_tcp     Host        10.10.10.10     Port        5514

#useful for testing     Module      om\_file     file "nxlog\_output"

<Route 1>
    Path        in => out
</Route>
###### end of config file ############