Windows Event Logs not forwarding
I have a Windows server subscribing to a Windows log event forwarder. I have noticed that some events that appear within the forwarded event log are not ingested by NXLog and forwarded to the SIEM platform, e.g.
event ID 1102 and 22.
Both events are forwarded from the source servers to the Windows forwarder where NXLog is running, so the Windows upload is fine; the problem is just NXLog sending on to the SIEM.
There is a similar issue posted here:
NXLog does not perform any Windows events filtering unless it is instructed to do so… but it seems like some SIEMs do the filtering, or they index the events in a different way, or… there could be many reasons. The best way to troubleshoot this issue is to redirect the logs being collected to a local test file (same Windows machine) and then search for the 1102 events.
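
A minimal NXLog configuration for the local-file test described in the answer above, as an added example that is not part of the original thread or of the poster's configuration. The instance names (`forwarded_in`, `test_file`, `local_test`) and the output path are assumptions; the channel name `ForwardedEvents` is the default destination for a Windows Event Collector subscription.

```apache
# Added troubleshooting example (hypothetical names and path).
# Goal: write everything NXLog collects from the forwarded-events channel
# to a local file, so collection can be checked independently of the SIEM.

<Extension json>
    Module      xm_json
</Extension>

<Input forwarded_in>
    Module      im_msvistalog
    # Re-read events already in the channel and do not persist the read
    # position, so existing 1102 / 22 records are picked up by the test.
    ReadFromLast FALSE
    SavePos      FALSE
    # No EventID filter here: select every record in ForwardedEvents.
    # If the production Input uses its own Query or Exec filters, route
    # that same Input to test_file instead, so the test reflects what
    # production actually collects.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output test_file>
    Module      om_file
    # Assumed path; the directory must already exist and be writable
    # by the NXLog service account.
    File        'C:\nxlog_test\forwarded_events.json'
    # One JSON object per line, which keeps EventID easy to search for.
    Exec        to_json();
</Output>

<Route local_test>
    Path        forwarded_in => test_file
</Route>
```

After restarting the NXLog service, search the file for `"EventID":1102` and `"EventID":22`, for example with PowerShell's `Select-String`. If the events are present in the file, collection works and the loss is downstream (the SIEM output or the SIEM's own filtering or indexing); if they are absent, review the Input's Query and any Exec filters.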