NXLog error with "Extended configuration example of security-focused event IDs to monitor" NXLog configuration for Windows events


sejoneshull
Hi, I am trying to test/deploy the "Extended configuration example of security-focused event IDs to monitor" NXLog configuration for Windows events, as per the article/NXLog conf file example here: https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html (Example 543). I am using NXLog CE (latest version) on Windows 2012 R2.

Here's the nxlog.conf I have, using the above conf example with the usual NXLog conf needs added:

    # NXLog.conf
    define ROOT C:\Program Files (x86)\nxlog
    define OUTPUT_DESTINATION_ADDRESS
    define OUTPUT_DESTINATION_PORT 514

    # define Account Usage Events
    define AccountUsage 4740, 4648, 4781, 4733, 1518, 4776, 5376, 5377, \
                        4625, 300, 4634, 4672, 4720, 4722, 4782, 4793, \
                        4731, 4735, 4766, 4765, 4624, 1511, 4726, 4725, \
                        4767, 4728, 4732, 4756, 4704
    # define Application Crash Events
    define AppCrashes 1000, 1002, 1001
    # define Application Whitelisting Events
    define AppWhitelisting 8023, 8020, 8002, 8003, 8004, 8006, 8007, 4688, \
                           4689, 8005, 865, 866, 867, 868, 882
    # define Boot Events
    define BootEvents 13, 12
    # define Certificate Services Events
    define CertServices 95, 4886, 4890, 4874, 4873, 4870, 4887, 4885, \
                        4899, 4896, 1006, 1004, 1007, 1003, 1001, 1002
    # define Clearing Event Logs Events
    define ClearingLogs 1100, 104, 1102
    # define DNS and Directory Services Events
    define DNSDirectoryServ 5137, 5141, 5136, 5139, 5138, 3008, 3020
    # define External Media Detection events
    define ExtMedia 400, 410
    # define Group Policy Error Events
    define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129
    # define Kernel Driver Signing Events
    define KernelDriver 3001, 3002, 3003, 3004, 3010, 3023, 5038, \
                        6281, 219
    # define Microsoft Cryptography API Events
    define MSFTCryptoAPI 11, 70, 90
    # define Mobile Device Activities
    define MobileDeviceEvents 10000, 10001
    # define Network Host Activities
    define NetworkHost 4714, 4713, 4769, 6273, 6275, 6274, 6272, \
                       6278, 6277, 6279, 6276, 6280, 5140, 5145, \
                       5142, 5144, 4706, 1024, 4897, 4719, 4716, \
                       4779, 4778, 5632
    # define PassTheHash Detection Events
    define PassTheHash 4624, 4625
    # define PowerShell Activities
    define PowerShell 800, 169, 4103, 4104, 4105, 4106
    # define Printing Services Events
    define PrintingServices 307
    # define Logon Events
    define LogonEvents 4624, 4634
    # define Software Service Installation Events
    define Installation 903, 904, 6, 1022, 1033, 7045, 907, 908, 7000, \
                        800, 2, 905, 906, 19
    # define System Integrity Events
    define SystemIntegrity 4657, 1, 4616
    # define System or Service Failure Events
    define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034
    # define Task Scheduler Activities
    define TaskScheduler 106, 141, 142, 200
    # define Windows Defender Activities
    define WinDefender 1008, 1006, 1116, 1010, 2003, 2001, 1009, 1118, \
                       1119, 1007, 1117, 3002, 2004, 1005, 5008
    # define Windows Firewall Events
    define WinFirewall 2009, 2004, 2005, 2006, 2033
    # define Windows Update Error Events
    define WinUpdateError 1009, 20, 24, 25, 31, 34, 35

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension _json>
        Module xm_json
    </Extension>

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input internal>
        Module im_internal
    </Input>

    <Input extendedeventlog>
        Module im_msvistalog
        TolerateQueryErrors TRUE
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    [the <Select Path="..."> channel entries did not survive in this post:
                     all but one were a bare *, the remaining one carried the filter
                     *[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']]]]
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if ($EventID NOT IN (%AccountUsage%)) and
               ($EventID NOT IN (%AppCrashes%)) and
               ($EventID NOT IN (%AppWhitelisting%)) and
               ($EventID NOT IN (%BootEvents%)) and
               ($EventID NOT IN (%CertServices%)) and
               ($EventID NOT IN (%ClearingLogs%)) and
               ($EventID NOT IN (%DNSDirectoryServ%)) and
               ($EventID NOT IN (%ExtMedia%)) and
               ($EventID NOT IN (%GroupPolicyError%)) and
               ($EventID NOT IN (%KernelDriver%)) and
               ($EventID NOT IN (%MSFTCryptoAPI%)) and
               ($EventID NOT IN (%MobileDeviceEvents%)) and
               ($EventID NOT IN (%NetworkHost%)) and
               ($EventID NOT IN (%PassTheHash%)) and
               ($EventID NOT IN (%PowerShell%)) and
               ($EventID NOT IN (%PrintingServices%)) and
               ($EventID NOT IN (%LogonEvents%)) and
               ($EventID NOT IN (%Installation%)) and
               ($EventID NOT IN (%SystemIntegrity%)) and
               ($EventID NOT IN (%SystemServiceFail%)) and
               ($EventID NOT IN (%TaskScheduler%)) and
               ($EventID NOT IN (%WinDefender%)) and
               ($EventID NOT IN (%WinFirewall%)) and
               ($EventID NOT IN (%WinUpdateError%))
               drop();
        </Exec>
    </Input>

    # Output MS Event Log
    <Output out_mseventlog_nxlog>
        Module om_udp
        Host   %OUTPUT_DESTINATION_ADDRESS%
        Port   %OUTPUT_DESTINATION_PORT%
        Exec   $EventTime = integer($EventTime) / 1000000;
        Exec   $Message = to_json(); to_syslog_bsd();
    </Output>

    # Route for MS eventlog logs:
    <Route route_msevent_nxlog>
        Path extendedeventlog => out_mseventlog_nxlog
    </Route>

But this results in the following errors in the log:

> 2021-04-12 16:26:55 ERROR invalid keyword: TolerateQueryErrors at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116
> 2021-04-12 16:26:55 ERROR module 'extendedeventlog' has configuration errors, not adding to route 'route_msevent_nxlog' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201
> 2021-04-12 16:26:55 ERROR route route_msevent_nxlog is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201
> 2021-04-12 16:26:55 WARNING no routes defined!
> 2021-04-12 16:26:55 WARNING not starting unused module internal
> 2021-04-12 16:26:55 WARNING not starting unused module extendedeventlog
> 2021-04-12 16:26:55 WARNING not starting unused module out_mseventlog_nxlog

If I remove 'TolerateQueryErrors', I get:

> 2021-04-12 17:42:04 INFO nxlog-ce-2.10.2150 started
> 2021-04-12 17:42:04 ERROR failed to subscribe to msvistalog events, the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.

Any obvious things for me to start checking/debugging this? Thanks in advance!
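A check worth running before anything else, added here as an example; it is not part of the original post or of NXLog's own documentation. NXLog CE 2.10 rejects the TolerateQueryErrors directive (the "invalid keyword" error above), so once that line is removed im_msvistalog must be able to subscribe to every channel named in a `<Select Path="...">` entry of the QueryXML block, and a single channel that does not exist on the host fails the whole subscription with error 15007 ("the channel was not found"). The script below pulls the Path attribute of every Select element out of an nxlog.conf and tests each one against the local event log service with `Get-WinEvent -ListLog`, then lists the ones to remove. The conf path and the embedded sample QueryXML (used only when the file is not found) are assumptions, and the sample's channel names are illustrative rather than copied from the article.

```powershell
# Added example, not from the original post: report every channel named in the
# im_msvistalog <QueryXML> block that is not registered on this host.
# $ConfPath is an assumption; point it at the nxlog.conf under test.
param(
    [string]$ConfPath = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
)

# Constructed sample, used only when $ConfPath does not exist. The channel
# names are illustrative; the last two only exist once the corresponding
# feature (PowerShell logging, Windows Defender) is present on the server.
$sample = @'
<QueryXML>
  <QueryList>
    <Query Id="0">
      <Select Path="Security">*</Select>
      <Select Path="System">*</Select>
      <Select Path="Application">*</Select>
      <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
      <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
    </Query>
  </QueryList>
</QueryXML>
'@

$text = if (Test-Path -LiteralPath $ConfPath) {
    Get-Content -LiteralPath $ConfPath -Raw
} else {
    Write-Host "Conf file not found at '$ConfPath'; using the constructed sample QueryXML."
    $sample
}

# Only the Path attribute matters here; the XPath filter inside the element
# (e.g. *[System[Provider[@Name='...']]]) does not affect channel lookup.
$channels = [regex]::Matches($text, '<Select\s+Path="([^"]+)"') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique

if (-not $channels) {
    Write-Host 'No <Select Path="..."> entries found; nothing to check.'
    exit 0
}

# -Force also lists analytic/debug channels, so they are not reported as missing.
# -ErrorAction Stop turns the "no event log matches" error into a catchable one.
$missing = foreach ($ch in $channels) {
    try {
        $null = Get-WinEvent -ListLog $ch -Force -ErrorAction Stop
        Write-Host ("OK       {0}" -f $ch)
    } catch {
        Write-Host ("MISSING  {0}" -f $ch)
        $ch
    }
}

if ($missing) {
    Write-Host ''
    Write-Host 'Remove or comment out the <Select> lines for these channels, or install'
    Write-Host 'the role/feature that registers them, then restart nxlog:'
    $missing | ForEach-Object { Write-Host "  $_" }
    exit 1
}

Write-Host ''
Write-Host 'All channels are registered; the im_msvistalog subscription should succeed.'
exit 0
```

Run it from an elevated PowerShell prompt on the server where nxlog runs, since channel registration is per host and a channel present on a test box may be absent on 2012 R2. `wevtutil el` lists every registered channel name if one of the reported entries is simply spelled differently in the article than on your system.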