Windows Application and Security logs are not sending to RSA Netwitness
Hi Team,
We are using NXLog to send logs to RSA (SIEM), but a few of the security logs are not being sent to RSA. Below are the event IDs we are not receiving: event IDs starting with 4860-4890. Below is the configuration which we are using in RSA.
Can you please check the configuration below and let me know if anything needs to be changed to receive the Windows Security and Application logs?
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nslog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Read the Application and Security channels from the Windows Event Log.
# An empty <Select> element is not a valid query; "*" selects every event in the channel.
<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward to the SIEM in Snare syslog format over TCP, replacing tabs with commas.
<Output out>
    Module om_tcp
    Host   hostname(hidden)
    Port   514
    Exec   to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

<Route 1>
    Path in => out
</Route>
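An added diagnostic example, not part of the original post and not NXLog's or RSA's own code: before changing the SIEM side, it helps to confirm whether event IDs 4860-4890 actually leave the collector. The script below parses Snare-formatted syslog lines (the layout `to_syslog_snare()` produces before the tab-to-comma replace), counts Security event IDs, reports which IDs in a range never appeared, and flags lines where replacing tabs with commas makes the field boundaries ambiguous because the event message itself contains commas. The exact Snare field order and the sample lines are constructed assumptions for the example; capture real output (for instance with a temporary `om_file` output in NXLog) and compare.

```python
"""Check which Windows event IDs are present in Snare-formatted NXLog output.

Added example; the Snare field layout below is an assumption for illustration
and should be verified against the collector's actual output.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional

# Syslog header followed by the literal MSWinEventLog token, then tab-separated fields.
SNARE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+MSWinEventLog\t(?P<rest>.*)$"
)

# Assumed field positions after the MSWinEventLog token:
# 0 criticality, 1 channel, 2 counter, 3 event time, 4 event ID, 5 source name,
# 6 user, 7 SID type, 8 event type, 9 computer, 10 category, 11 data, 12 message, 13 record id
CHANNEL, EVENT_ID, MESSAGE = 1, 4, 12

# Constructed sample lines (not real captures); message text is approximate.
SAMPLE_LINES = [
    "<13>Jan 10 10:00:01 dc01 MSWinEventLog\t1\tSecurity\t101\tJan 10 10:00:01 2024\t4624\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc01\tLogon\t\t"
    "An account was successfully logged on.\t5001",
    "<13>Jan 10 10:00:02 dc01 MSWinEventLog\t1\tSecurity\t102\tJan 10 10:00:02 2024\t4886\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc01\tCertification Services\t\t"
    "Certificate Services received a certificate request.\t5002",
    "<13>Jan 10 10:00:03 dc01 MSWinEventLog\t1\tSecurity\t103\tJan 10 10:00:03 2024\t4887\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc01\tCertification Services\t\t"
    "Certificate Services approved a certificate request, and issued a certificate.\t5003",
    "<13>Jan 10 10:00:04 dc01 MSWinEventLog\t1\tApplication\t104\tJan 10 10:00:04 2024\t1000\t"
    "Application Error\tN/A\tN/A\tError\tdc01\t\t\tFaulting application, version 1.0\t5004",
    "this line is not in Snare format and must be skipped",
]


def parse_snare_line(line: str) -> Optional[dict]:
    """Return host, channel, event_id and message for one Snare line, or None if it does not parse."""
    m = SNARE_RE.match(line)
    if not m:
        return None
    fields = m.group("rest").split("\t")
    if len(fields) <= EVENT_ID:
        return None
    try:
        event_id = int(fields[EVENT_ID])
    except ValueError:
        return None
    return {
        "host": m.group("host"),
        "channel": fields[CHANNEL],
        "event_id": event_id,
        "message": fields[MESSAGE] if len(fields) > MESSAGE else "",
    }


def count_event_ids(lines: Iterable[str], channel: Optional[str] = "Security") -> Counter:
    """Count event IDs per line, optionally restricted to one channel; unparseable lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_snare_line(line)
        if rec is None:
            continue
        if channel is not None and rec["channel"] != channel:
            continue
        counts[rec["event_id"]] += 1
    return counts


def missing_in_range(counts: Counter, lo: int, hi: int) -> List[int]:
    """Event IDs in [lo, hi] that never appeared in the capture (gap is at the source, not the SIEM)."""
    return [eid for eid in range(lo, hi + 1) if counts[eid] == 0]


def comma_split_is_ambiguous(line: str) -> bool:
    """True when the config's tab->comma replace yields more fields than the tab layout had,
    i.e. a downstream parser splitting on commas would misalign the fields."""
    tab_fields = line.split("\t")
    comma_fields = line.replace("\t", ",").split(",")
    return len(comma_fields) != len(tab_fields)


if __name__ == "__main__":
    counts = count_event_ids(SAMPLE_LINES)
    print("Security event IDs seen:", dict(counts))
    print("IDs in 4860-4890 never seen:", missing_in_range(counts, 4860, 4890))
    for line in SAMPLE_LINES:
        if comma_split_is_ambiguous(line):
            rec = parse_snare_line(line)
            print("comma replace breaks field alignment for event", rec["event_id"])
```

If an ID from the range never shows up in the captured output, the event is not being produced or selected on the Windows side (audit policy or the query), and no change to the RSA parser will surface it; if it does show up, the receiving side is where to look. The ambiguity check matters for this config specifically: Windows event messages routinely contain commas, so turning tabs into commas leaves the SIEM parser no reliable field delimiter.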