Splitting logs by filter and sending them to two different Graylogs


#1 reesthil (Last updated )

Hello everyone,

I'm trying to solve a problem that seems simple.

I would like to log Windows events on two different log servers. I would like to send all relevant logs to a Graylog but without the MSSQL logs. These are filtered and sent to another Graylog.

Filtering by “MSSQL-ONLY” works fine, but dropping MSSQL events does not work. I get all logs, including MSSQL, on the "logs" output.

Any idea?


Windows Server 2022, 

nxlog-ce-3.2.2329.msi


define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application"></Select>\
                    <Select Path="System"></Select>\
                    <Select Path="Security"></Select>\
                    <Select Path="Microsoft-Windows-Windows Defender/Operational"></Select>\
                </Query>\
            </QueryList>
    <Exec>
        if ($SourceName = "SQLSERVER") drop();
    </Exec>
</Input>

<Input sqllog>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*[System[Provider[@Name='MSSQLSERVER']]]</Select>\
                </Query>\
            </QueryList>
</Input>

<Output logs>
    Module      om_tcp
    Host        graylog01.something.com
    Port        12202
    OutputType  GELF_TCP
    Exec        $Hostname = 'XYZ.somthing.com';
</Output>

<Output sqllogs>
    Module      om_tcp
    Host        graylog02.something.com
    Port        12202
    OutputType  GELF_TCP
    Exec        $Hostname = 'XYZ.somthing.com';
</Output>

<Route eventlog_to_udp>
    Path  eventlog => logs
</Route>

<Route sqllog_to_udp>
    Path  sqllog => sqllogs
</Route>
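The two-route split the post describes, simulated in Python over constructed event records so it can be checked without a Windows host. This is an added example, not the poster's configuration and not NXLog code. The channel list, the drop() condition and the `MSSQLSERVER` provider in the XPath are taken from the configuration above; the sample events are constructed, and it is an assumption that NXLog's `=` in `if ($SourceName = "...")` is an exact, case-sensitive string comparison. The report it produces, how many records reach each Graylog, how many land on both and how many on neither, is the check to run before trusting that two routes partition a stream.

```python
"""Simulate the eventlog => logs and sqllog => sqllogs routes.

Added example, not the poster's configuration and not NXLog code. Constructed
Windows event records stand in for im_msvistalog output. Assumption: NXLog's
`=` in the drop() condition is an exact, case-sensitive string comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for an im_msvistalog record."""
    channel: str       # event log channel, the <Select Path="..."> value
    source_name: str   # $SourceName, the Provider Name of the event
    event_id: int


# Constructed sample records (not captured from a real host).
SAMPLE_EVENTS = (
    Event("Application", "MSSQLSERVER", 17137),
    Event("Application", "MSSQLSERVER", 18456),
    Event("Application", "Microsoft-Windows-Security-SPP", 16384),
    Event("System", "Service Control Manager", 7036),
    Event("Security", "Microsoft-Windows-Security-Auditing", 4624),
    Event("Microsoft-Windows-Windows Defender/Operational",
          "Microsoft-Windows-Windows Defender", 1001),
)

# Channels selected by the <Input eventlog> QueryList.
EVENTLOG_CHANNELS = frozenset({
    "Application",
    "System",
    "Security",
    "Microsoft-Windows-Windows Defender/Operational",
})

# Provider selected by the <Input sqllog> XPath:
# *[System[Provider[@Name='MSSQLSERVER']]]
SQLLOG_PROVIDER = "MSSQLSERVER"


def route_eventlog(events, drop_source_name):
    """Route eventlog => logs: selected channels minus the drop() match."""
    return [e for e in events
            if e.channel in EVENTLOG_CHANNELS
            and e.source_name != drop_source_name]


def route_sqllog(events):
    """Route sqllog => sqllogs: Application records from the MSSQLSERVER provider."""
    return [e for e in events
            if e.channel == "Application" and e.source_name == SQLLOG_PROVIDER]


def split_report(events, drop_source_name):
    """Run both routes and report whether the outputs partition the input.

    A correct split delivers every record to exactly one Graylog: nothing
    on both outputs (duplicated) and nothing on neither (lost).
    """
    logs = route_eventlog(events, drop_source_name)
    sqllogs = route_sqllog(events)
    logs_set, sql_set = set(logs), set(sqllogs)
    return {
        "logs": len(logs),
        "sqllogs": len(sqllogs),
        "duplicated": len(logs_set & sql_set),
        "lost": len(set(events) - logs_set - sql_set),
    }


if __name__ == "__main__":
    # Compare the name tested in the posted drop() condition with the
    # provider name the sqllog XPath selects on.
    for name in ("SQLSERVER", "MSSQLSERVER"):
        print(f'drop() tests $SourceName = "{name}": '
              f'{split_report(SAMPLE_EVENTS, name)}')
```

With the constructed records, the drop condition only removes events whose SourceName is byte-for-byte the tested string, so the "duplicated" count is the figure to watch: it is non-zero whenever the name in drop() differs from the provider name the sqllog query selects on.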