One Input Multiple Outputs (AlienVault/Nxlog)


#1 seppic

We currently have a central logging server for our Windows servers, collecting and forwarding with NXLog to AlienVault. We have a working config file that I would like to modify so that two of the Windows Event IDs being collected are also sent to our NDR (Vectra). What is the best route to configure multiple sources and/or outputs? Currently we have two working configs, one for Vectra and one for AlienVault, but I'd like to "combine" them in a way that lets us send the relevant data to each destination.

AlienVault uses a patterndb.xml file to define which events it wants to collect; Vectra just needs two specific Event IDs, which it selects in the config with the query below. It then outputs to an IP. This seems like it should be pretty straightforward, but I'd like to have it configured/figured out before I take down my AlienVault feed.

We are also currently using the NXLog Community Edition, if that matters.

# Input used for the Vectra feed: reads the Forwarded Events channel and keeps
# only Kerberos TGT (4768) and service ticket (4769) requests.
<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="ForwardedEvents">
                <Select Path="ForwardedEvents">*[System[(EventID=4768 or EventID=4769)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
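One way to do what the post asks for with a single collector instance, as an added example rather than the poster's config or anything from the NXLog or AlienVault documentation: read the channel once, attach two Output modules, and connect the one Input to both with two Route blocks. NXLog hands each route its own copy of every event, so a `drop()` executed in the Vectra output discards only Vectra's copy and the AlienVault stream is untouched. The hostnames, ports, syslog format and the `*` input query are placeholders; the real input query and the patterndb-driven AlienVault filtering are not shown and would be kept as they are in the existing working config.

```nxlog
# Added example: one im_msvistalog input fanned out to two destinations.
# Host/Port values and the "*" query are placeholders, not from the original post.

<Extension syslog>
    Module      xm_syslog        # provides to_syslog_bsd()
</Extension>

# Collect everything AlienVault currently needs; the Vectra subset is a strict
# subset of this, so one read of the channel serves both consumers.
<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="ForwardedEvents">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Existing AlienVault destination (placeholder address). Whatever filtering the
# current AlienVault config applies would stay on this output unchanged.
<Output alienvault>
    Module      om_udp
    Host        alienvault.example.internal
    Port        514
    Exec        to_syslog_bsd();
</Output>

# Vectra destination: keep only 4768/4769, discard the rest of this route's copy.
<Output vectra>
    Module      om_udp
    Host        vectra.example.internal
    Port        514
    <Exec>
        if not ($EventID == 4768 or $EventID == 4769) drop();
        to_syslog_bsd();
    </Exec>
</Output>

# Two routes from the same input: each route receives its own copy of the event,
# so drop() in the vectra output never affects what alienvault receives.
<Route to_alienvault>
    Path        eventlog => alienvault
</Route>

<Route to_vectra>
    Path        eventlog => vectra
</Route>
```

Before switching the AlienVault feed over, point both outputs at a test listener and confirm that the AlienVault side still receives every Event ID it did before while the Vectra side receives only 4768 and 4769; if the AlienVault config relies on a narrower `QueryXML` than `*`, keep that query in the Input block, since the Vectra filter only needs the two IDs to be present in whatever the input collects.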