Forwarding events in EVTX file via syslog
Initiated a 30-day trial today to test what I had thought would be a fairly straightforward use case.
The following config works fine to forward Windows events from the local machine via syslog, but when I add the File directive for im_msvistalog to the Input module section, the events in the file are not forwarded over syslog. The file is correctly formatted and can be read via the Event Viewer. I also tested writing the contents of the file to a local JSON file as per the examples in the documentation, and that worked fine as well.
The file is publicly available at: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_sysmon-3-rdp-tun.evtx
Here are the contents of the config file:
    NoCache True
    define LOGHOST 192.168.xxx.xxx

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input event_in>
        Module im_msvistalog
        File 'C:\Program Files\nxlog\logs\test_log.evtx'
        Exec $Hostname = hostname();
    </Input>

    <Output tcp_out>
        Module om_tcp
        Host %LOGHOST%:514
        Exec to_syslog_snare();
    </Output>

    <Route 1>
        Path event_in => tcp_out
    </Route>