NXLog seems to forward some older events but not new ones
Our setup: we have Windows Server 2019 servers that are forwarding some "Security" events to a single Windows Server 2019 event collector. On that single Windows Server 2019 event collector, we have installed NXLog, which is forwarding to Graylog.
Summary: servers --> event collector server (where NXLog is installed) --> Graylog server
All selected events are getting to the event collector, but only some are getting to Graylog. So the problem is somewhere on or after the event collector server.
Here is the complete NXLog config:
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension _gelf>
        Module  xm_gelf
        ShortMessageLength  500
    </Extension>

    <Input in>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='ForwardedEvents'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Output out>
        Module      om_tcp
        Host        graylog.local
        Port        12201
        OutputType  GELF_TCP
    </Output>

    <Route 1>
        Path  in => out
    </Route>
Is anything obvious missing?
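One way to narrow down where the events are being lost, as an added diagnostic variant of the config above and not part of the original post: raise the log level so nxlog.log records what im_msvistalog reads and what om_tcp sends, and tee the same input to a local file so the set of events NXLog actually read can be compared against what Graylog received. The output name `local_copy`, the `_json` extension and the file path are assumptions; everything else is the poster's own config.

```nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Temporary: DEBUG makes nxlog.log show each event read from the
# ForwardedEvents channel and each connect/send/retry on the TCP output.
LogLevel  DEBUG

<Extension _gelf>
    Module  xm_gelf
    ShortMessageLength  500
</Extension>

# Assumed extension, only needed to serialise the local copy.
<Extension _json>
    Module  xm_json
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='ForwardedEvents'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_tcp
    Host        graylog.local
    Port        12201
    OutputType  GELF_TCP
</Output>

# Assumed: one JSON line per event NXLog read, written next to nxlog.log.
# If an event is here but not in Graylog, the loss is on the TCP/GELF hop;
# if it is in ForwardedEvents but not here, im_msvistalog never read it.
<Output local_copy>
    Module  om_file
    File    "%ROOT%\data\forwarded_copy.json"
    Exec    to_json();
</Output>

<Route 1>
    Path  in => out, local_copy
</Route>
```

Remove the `local_copy` output and drop `LogLevel` back to the default once the comparison is done, since the file grows with every forwarded event.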