\Config\ConsoleAppConfig.conf (SWELF APP CONFIG)
App Config Command | Example | Notes |
---|---|---|
log_collector | log_collector=HostName | |
log_collector1 | log_collector1=127.0.0.1:514 | |
log_collector2 | log_collector2=127.0.0.1:515 | |
log_collector3 | log_collector3=127.0.0.1 | |
log_collector4 | log_collector4=HostName:514 | |
log_collector5 | log_collector5=127.0.0.1 | |
central_search_config | central_search_config=https://ceramicskate0.github.io/SWELF/examples/Config/ConsoleAppConfig.conf | |
central_app_config | central_app_config=https://ceramicskate0.github.io/SWELF/examples/Config/ConsoleAppConfig.conf | |
central_plugin_search_config | central_plugin_search_config=https://ceramicskate0.github.io/SWELF/examples/Config/ConsoleAppConfig.conf | |
central_whitelist_search_config | central_whitelist_search_config=https://ceramicskate0.github.io/SWELF/examples/Config/ConsoleAppConfig.conf | |
output_format | output_format=keyvalue | Choose 1 output option(keyvalue,data,syslogxml,xml,syslog) |
output_ips | output_ips=true | |
output_hashs | output_hashs=true | |
check_service_up | check_service_up=sysmon | Choose up to 10 services by Service Name to check if they are Running |
transport_protocol | transport_protocol=tcp | Options are TCP or UDP |
delete_local_log_files_when_done | delete_local_log_files_when_done=true | |
debug | debug=true | |
logging_level | logging_level=warning | |
parse_sysmon_logs | parse_sysmon_logs=true | Parses Sysmon Logs when sending logs (v0.6.1.0 and later) |
This page provides configuration information and examples for the application.
Log_Collector
IPv4 address (or hostname, as in the table above) of the destination that receives the event logs, over a port of your choosing (default udp/514).
(SWELF in versions after 0.3.4.0 accepts the following format to send logs to any port)
127.0.0.1:515 or 127.0.0.1:{Any port you want over udp}
Log_Collector1-5
Up to five additional destinations, each configured exactly like Log_Collector: IPv4 address or hostname, with an optional port (default udp/514).
(SWELF in versions after 0.3.4.0 accepts the following format to send logs to any port)
127.0.0.1:515 or 127.0.0.1:{Any port you want over udp}
output_format
The values possible for this command are "xml" ,"data" ,"syslog" ,"syslogxml", or "keyvalue"
central_app_config
http://{IP or URL, with or without an uncommon port}/{directory containing the config files, or path to a single config file}
central_plugin_search_config
http://{IP or URL, with or without an uncommon port}/{directory containing the plugin search files, or path to a single search file}
central_search_config
http://{IP or URL, with or without an uncommon port}/{directory containing the search files, or path to a single search file}
central_whitelist_search_config
http://{IP or URL, with or without an uncommon port}/{directory containing the whitelist search files, or path to a single search file}
These four URLs are where SWELF fetches its own configuration and search definitions, so whoever can write to that location, or alter the response on the way over plain http, decides what SWELF searches for and forwards. Serve them over https as in the table examples and restrict who can modify the files.
logging_level
Filters the Windows event log by severity level and returns only the entries at that level.
Values for this command are "verbose", "information", "warning", or "critical"
output_hashs
Including this key on any line of the config file tells the app to write a hashs.txt file to the directory SWELF.exe is running from.
The file contains the hashes taken from Sysmon logs.
Format is output_hashs={Something}. The option is enabled by the presence of the key, whatever the value; to disable it, leave the option out of the config entirely.
output_ips
Including this key on any line of the config file tells the app to write an ips.txt file to the directory SWELF.exe is running from.
The file contains all IPs from all logs searched.
Format is output_ips={Something}. The option is enabled by the presence of the key, whatever the value; to disable it, leave the option out of the config entirely.
transport_protocol
Tells SWELF which protocol to use when sending data to the port you specify (or 514 by default): tcp or udp. If the option is not defined, udp is the default.
(to be released in 0.4.3.0)
UDP delivery is unacknowledged, so dropped events are lost silently; use tcp where the collector supports it.
delete_local_log_files_when_done
If this key is present with any value, SWELF removes every file it has read and forwarded logs from. Only the presence of the key is checked, so delete_local_log_files_when_done=false still deletes; to keep the files, do not include the option in the config at all.
(to be released in 0.4.3.0 and later)(if not defined, nothing is deleted; if defined with any value, files are removed)
check_service_up
Tells SWELF which services must be in the "running" state when SWELF starts, for example Sysmon. SWELF expects the "Service Name" (not the display name) as shown in the Services snap-in for mmc.exe. Up to 10 services can be checked, one check_service_up line per service.
(to be released in 0.4.4.0 and later)
example(Send Data): Log_Collector=10.0.0.3
example(Send Data): Log_Collector1=10.0.0.1
example(Send Data): Log_Collector1=10.0.0.1:515
example(Send Data)(max collector number): Log_Collector5=10.0.0.2
example(Dont Send Data): Log_Collector=
example(Dont Send Data): omit the Log_Collector line from the config entirely
example: output_format=keyvalue
example: central_app_config=http://127.0.0.1/SWELF/Config/
example: central_search_config=http://127.0.0.1/SWELF/Log_Searchs/
example: central_plugin_search_config=http://127.0.0.1:8080/SWELF/Plugins/Plugin_Searchs/
- The port 8080 is optional; it is shown here to make clear that any port SWELF can reach will work.
example: logging_level=information
example: output_hashs=true
example: output_ips=true
example: check_service_up=Sysmon
example: check_service_up=Sysmon64
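The rules above are easy to get wrong in a hand-edited config, in particular the options that are switched on by the mere presence of the key. The linter below is an added example, not code from the SWELF project: it parses a ConsoleAppConfig.conf as key=value lines and reports collector host:port values that cannot work, values outside the documented sets, central_* entries that are not http(s) URLs, presence-triggered options set to "false" (which still enable them), and keys that look like typos of real option names. The function names and the embedded sample config are my own constructions.

```python
"""Lint a SWELF ConsoleAppConfig.conf against the rules documented on this page.

Added example, not part of SWELF. Function names and SAMPLE_CONFIG are
constructed for illustration.
"""
import re
from ipaddress import ip_address

OUTPUT_FORMATS = {"keyvalue", "data", "syslogxml", "xml", "syslog"}
TRANSPORTS = {"tcp", "udp"}
LOG_LEVELS = {"verbose", "information", "warning", "critical"}
# Options the page says are enabled by the presence of the key, whatever its value.
PRESENCE_FLAGS = {"output_hashs", "output_ips", "delete_local_log_files_when_done"}
COLLECTOR_KEYS = {"log_collector"} | {f"log_collector{i}" for i in range(1, 6)}
CENTRAL_KEYS = {"central_app_config", "central_search_config",
                "central_plugin_search_config", "central_whitelist_search_config"}
TYPO_KEYS = {"outputformat": "output_format", "log_level": "logging_level"}
MAX_SERVICES = 10
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_config(text):
    """Return (key, value) pairs; keys lower-cased, whitespace around '=' dropped.

    A line without '=' yields value None, so presence-only keys are still seen.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        pairs.append((key.strip().lower(), value.strip() if sep else None))
    return pairs


def check_collector(value):
    """Validate 'host', 'ip', 'host:port' or 'ip:port' (IPv4 only, as the page states).

    Returns an error string, or None when the value is acceptable.
    """
    if not value:
        return None  # 'log_collector=' means do not send; the page lists this as valid
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = value, None
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        return f"bad port {port!r}"
    try:
        ip_address(host)
    except ValueError:
        if not HOST_RE.match(host):
            return f"bad host {host!r}"
    return None


def lint(text):
    """Return a list of findings; an empty list means the config passed every check."""
    findings = []
    services = 0
    for key, value in parse_config(text):
        if key in PRESENCE_FLAGS:
            # Presence alone turns these on, so a "false" value is a trap.
            if value is not None and value.lower() in {"false", "0", "no", "off"}:
                findings.append(f"{key}={value} still ENABLES the option; delete the line to disable it")
        elif key in COLLECTOR_KEYS:
            err = check_collector(value)
            if err:
                findings.append(f"{key}: {err}")
        elif key in CENTRAL_KEYS:
            if not re.match(r"^https?://", value or ""):
                findings.append(f"{key}: expected an http:// or https:// URL")
            elif value.startswith("http://"):
                findings.append(f"{key}: plain http URL; config and searches can be altered in transit, prefer https")
        elif key == "output_format" and value not in OUTPUT_FORMATS:
            findings.append(f"output_format: {value!r} not in {sorted(OUTPUT_FORMATS)}")
        elif key == "transport_protocol" and (value or "").lower() not in TRANSPORTS:
            findings.append(f"transport_protocol: {value!r} must be tcp or udp")
        elif key == "logging_level" and value not in LOG_LEVELS:
            findings.append(f"logging_level: {value!r} not in {sorted(LOG_LEVELS)}")
        elif key == "check_service_up":
            services += 1
            if services > MAX_SERVICES:
                findings.append(f"check_service_up: more than {MAX_SERVICES} services listed")
        elif key in TYPO_KEYS:
            findings.append(f"{key}: unknown key, did you mean {TYPO_KEYS[key]}?")
    return findings


# Constructed sample config; the faulty lines are deliberate.
SAMPLE_CONFIG = """\
log_collector=10.0.0.3
log_collector1=10.0.0.1:515
log_collector2=
log_collector3=siem.example.internal:65536
output_format=keyvalue
transport_protocol=tcp
logging_level=information
delete_local_log_files_when_done=false
output_hashs=true
check_service_up=Sysmon64
central_search_config=http://127.0.0.1/SWELF/Log_Searchs/
outputformat=xml
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: the out-of-range port on log_collector3, the delete_local_log_files_when_done=false trap, the plain-http central_search_config URL, and the misspelled outputformat key. Keys the page does not document are ignored rather than rejected, so the linter stays usable with newer SWELF versions that add options.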