Use-Fluentd

1.1.0.0

Set-FluentdConfig.psm1

                                <#

    .SYNOPSIS

        This downlaods, installs and configures a fluentd windows agent via td-agent to forward logs to a centeralized server.

    .PARAMETER Server

        The IP or FQDN of the fluentd server to forward the packets to.

    .PARAMETER Servername

        The hostname of the fluentd server to forward the packets to.

    .PARAMETER Port

        The port number of the server to specify (defaults to 443)

    .EXAMPLE

        Set-FluentdCconfig -Server logs.example.com -port 7777

#>

function Set-FluentdConfig {

[CmdletBinding()]

param(

[Parameter()]

[string]$Server,

[string]$Servername,

[string]$Tag='winevt.raw',

[int]$Port=443

)

$ConfigFileBasline = "

#==============================================================================

# FluentD (aka td-agent) - Azusa Pacific University

#==============================================================================

#--------------------------------------

# INPUT PLUGINS

#--------------------------------------

<source>

    @type windows_eventlog2

    @id windows_eventlog2

    channels application,system,security

    read_existing_events false

    parse_description true

    read_interval 2

    tag $Tag

    rate_limit 300

    <storage>

        persistent true

        path C:\opt\td-agent\winevt.pos

    </storage>

    <subscribe>

        channels application,system,security

        read_existing_events false

    </subscribe>

</source>

#--------------------------------------

# FILTER PLUGIN

#--------------------------------------

# This is used to ensure compatibility with elasticsearch and graylog.

<filter **>

   @type record_transformer

   <record>

        message `${record[`"DescriptionTitle`"]}

   </record>

</filter>

#--------------------------------------

# OUTPUT PLUGINS

#--------------------------------------

## Forward to central fluent aggregator

<match **>

    @type copy

    <store>

        @type stdout

    </store>

    <store>

        @type forward

        send_timeout 5s

        recover_wait 10s

        heartbeat_interval 1s

        phi_threshold 16

        hard_timeout 60s

        <server>

            name $(if ($ServerName){$ServerName}else{$Server})

            host $Server

            port $Port

        </server>

        <secondary>

            @type file

            path C:/opt/td-agent/forward-failed

        </secondary>

        <buffer>

            @type file

            path C:/opt/td-agent/fluent.general

            flush_interval 10s

        </buffer>

    </store>

</match>

"

Out-File -Encoding utf8 -Force -FilePath "C:\opt\td-agent\etc\td-agent\td-agent.conf" -InputObject $ConfigFileBasline

}