ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.


shahpasandi

Got this error while trying to forward Windows 11 event logs to a SIEM:

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

My nxlog config is here:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
<Extension json>
   Module      xm_json
</Extension>
<Extension fileop>
  Module xm_fileop
</Extension>
# Nxlog internal logs
<Input internal>
  Module im_internal
  Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
 
# Win Event Log - Security
<Input inSecurityEvent>
  Module im_msvistalog
  # Query Id is a numeric identifier (0 for the first query in the list)
  Query <QueryList> <Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
  Exec $Message = to_json();
</Input>
<Output outSecurityEvent>
  Module om_tcp
  Host X.X.X.X
  Port 5060
  # Normalize the timestamp, then serialize the record once; a second to_json()
  # would JSON-encode the already encoded $raw_event
  Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); \
       to_json();
  Exec file_write("C:\\Program Files\\nxlog\\data\\SecurityEvents_output.log", $raw_event);
</Output>
<Route 1>
  Path inSecurityEvent => outSecurityEvent
</Route>

This works fine on other versions of Windows; the problem is Windows 11.
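A diagnostic to run on the Windows 11 host before touching the NXLog config, added here as an example and not part of the post above or of NXLog itself: it asks the Event Log service whether each channel named in an im_msvistalog QueryList actually exists, then submits the same QueryList (with a numeric Query Id) directly through Get-WinEvent to confirm the query parses independently of NXLog. The channel list is constructed for this example; only the Security channel comes from the post.

```powershell
# Added diagnostic, not from the original post. Run in an elevated PowerShell on
# the host where nxlog.exe runs, since reading the Security log requires admin.
# Channel list constructed for this example; Security is the channel from the config.
$Channels = @('Security', 'System', 'Application')

foreach ($name in $Channels) {
    # Get-WinEvent -ListLog throws for an unknown channel; catch it to report cleanly
    try {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        '{0,-30} found   enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
    } catch {
        '{0,-30} NOT FOUND: {1}' -f $name, $_.Exception.Message
    }
}

# The QueryList in the same form im_msvistalog uses, with a numeric Query Id,
# handed straight to the Event Log service so a parse error shows up here
# rather than only as an NXLog subscribe failure.
[xml]$query = @'
<QueryList>
  <Query Id="0">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
'@

try {
    $evt = Get-WinEvent -FilterXml $query -MaxEvents 1 -ErrorAction Stop
    'Query accepted; newest Security event id {0} at {1}' -f $evt.Id, $evt.TimeCreated
} catch {
    'Query rejected or channel unreadable: {0}' -f $_.Exception.Message
}
```

If the first loop reports the channel as found but the second step fails, the problem is in the query XML (or in the account NXLog runs as) rather than a missing channel; if the loop itself reports NOT FOUND, compare the channel name against `wevtutil el` output on that host, since the name NXLog passes must match exactly.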