Request trial
Request Trial

NXlog agent do not send events from Windows Security log

Tags: windows 2012
#1 Barns2

Well...

NXlog (last vrsion from this site) installed on windows server 2012R2

Configured to get win-logs:

SavePos TRUE

    Module      im_msvistalog
    Query     <QueryList>                        \
              <Query Id="0" Path="Security">            \
                <Select Path="Application">*</Select>    \
                    <Select Path="Security">*</Select>    \
                    <Select Path="System">*</Select>    \
                    <Suppress Path="Security">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>    \
                    <Suppress Path="System">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>    \
                  </Query>                \
        </QueryList>

As a result I see events only from System and Application... Nothing from Security

Any Idea why it can happen?

Logs are captured by windows - I can see it with eventvwr.msc, but nothing with Nxlog

 

NXlog have no information, looks like everything is ok:

...INFO nxlog-ce-2.8.1248 started... - no errors, no warnings... nothing else

Permalink
#2 Barns2
#1 Barns2
Well... NXlog (last vrsion from this site) installed on windows server 2012R2 Configured to get win-logs: SavePos TRUE     Module      im_msvistalog     Query     <QueryList>                        \               <Query Id="0" Path="Security">            \                 <Select Path="Application">*</Select>    \                     <Select Path="Security">*</Select>    \                     <Select Path="System">*</Select>    \                     <Suppress Path="Security">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>    \                     <Suppress Path="System">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>    \                   </Query>                \         </QueryList> As a result I see events only from System and Application... Nothing from Security Any Idea why it can happen? Logs are captured by windows - I can see it with eventvwr.msc, but nothing with Nxlog   NXlog have no information, looks like everything is ok: ...INFO nxlog-ce-2.8.1248 started... - no errors, no warnings... nothing else

Little update:
nxlog collect events with id 4662, 5136 and some else
But nothing about 4624, etc
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS