Sending Event Logs To Different Destinations
Hello,
I am new to using NXLog as it was suggested by my company's current SIEM vendor to be utilized when sending logs to our collectors. I am using NXLog on our Windows Event Forwarding Server to send logs to the SIEM. I can get it working where I send all logs coming into the Forwarded Events log section to the collectors. However, I am not able to get it set up where I send logs from a specific server to a specific destination. Ideally I would like to have each source sending logs to the WEF server going to a different port on the collector so I can manage them within the SIEM individually vs. all as one. Below is what I am using for my input and output config. I am not sure if I need two input sections since it is coming from the same location? Currently this is just sending all logs from server1 and 2 to both ports on the collector. Any help would be appreciated.
<Input server1_in>
    Module  im_msvistalog
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="ForwardedEvents">*</Select> \
                </Query> \
            </QueryList>
</Input>

<Input server2_in>
    Module  im_msvistalog
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="ForwardedEvents">*</Select> \
                </Query> \
            </QueryList>
</Input>

<Output server1_out>
    Module  om_udp
    Host    Collector IP
    Port    1111
    Exec    if ($MessageSourceAddress == "Server1 IP") to_syslog_snare();
</Output>

<Output server2_out>
    Module  om_udp
    Host    Collector IP
    Port    2222
    Exec    if ($MessageSourceAddress == "Server2 IP") to_syslog_snare();
</Output>

<Route 1>
    Path    server1_in => server1_out
</Route>

<Route 2>
    Path    server2_in => server2_out
</Route>