Error reading .evtx file
Hello community.
I'm having trouble reading an EVTX file. Basically, I'm trying to send events that are saved in a remote location, which I want to access as a local drive (H:\audit_NARE_MICR_cifs_last.evtx). This file is constantly being written by the application, and when it reaches a certain size it is renamed with the date and time appended (audit_NARE_MICR_cifs_D2025-10-27-T16-15-42_0000000000.evtx), but the events I want to send are the ones in the file that says "LAST".
For this, I've tried several possible configurations, including:
<Input netapp>
    Module          im_msvistalog
    File            "H:\audit_NARE_MICR_cifs_last.evtx"
    CaptureEventXML TRUE
    Exec            rewrite->process();
</Input>
With the following error "2025-10-23 17:34:15 WARNING [im_msvistalog|netapp] im_msvistalog There is no file to query"
I have also tried the following configuration:
<Input netapp>
    Module          im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="2" Path="file://H:\audit_NARE_MICR_cifs_last.evtx">
                <Select Path="file://H:\audit_NARE_MICR_cifs_last.evtx">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    CaptureEventXML TRUE
    Exec            rewrite->process();
</Input>
With the following error:
2025-10-23 17:50:54 WARNING [im_msvistalog|netapp] failed to subscribe to msvistalog events,the channel path is invalid [error code: 15000]: The specified channel path is invalid.
2025-10-23 17:50:54 WARNING [im_msvistalog|netapp] Invalid channel: 'file://H:\audit_NARE_MICR_cifs_last.evtx': The specified channel path is invalid.
2025-10-23 17:50:54 ERROR [im_msvistalog|netapp] 1 invalid channel(s) found in query
I need your help to solve this problem.
Thank you so much
You may want to change your quotes to single quotes, as double quotes can treat certain strings as special characters. I think this is actually OK in your case, but better to be safe. For example, "C:\text" would show up as "C: ext".
I have added some suggestions to your configuration block that can help you identify and resolve the issue.
`LogLevel` for troubleshooting can illuminate a lot of potential issues. This will get noisy, be prepared to swap this back.
`ReadFromLast` will force files to read from the end, which is useful if you already have a saved position.
`Exec log_info(...` will print events to the nxlog.log file. If combined with `LogLevel`, this can make it difficult to see the events.
I would start with the quote change and `log_info` + `ReadFromLast` changes. If you do not see your events, enable DEBUG logging.
I hope this helps!
<Input netapp>
    Module          im_msvistalog
    File            'H:\audit_NARE_MICR_cifs_last.evtx'
    CaptureEventXML TRUE
    Exec            rewrite->process();
    #LogLevel       DEBUG
    #ReadFromLast   FALSE
    #Exec           log_info($raw_event);
</Input>
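Before turning on DEBUG logging, two things are worth checking from the NXLog host itself: whether the account the service runs as can see the path at all (drive letters mapped in an interactive session are per logon session, so a service running as another account such as LocalSystem does not see a user's H:), and whether the Windows Event Log API can open the file as an EVTX. The PowerShell below is an added diagnostic, not part of the original thread or of NXLog. It uses the path from the question, assumes the NXLog Windows service is registered under the name 'nxlog', and takes the share's UNC root from the existing drive mapping rather than guessing it.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the
# NXLog host. The path is the one from the question; the service name 'nxlog'
# is an assumption about how the NXLog Windows service is registered.
$EvtxPath    = 'H:\audit_NARE_MICR_cifs_last.evtx'
$ServiceName = 'nxlog'

# 1. Does the path resolve in *this* interactive session?
if (Test-Path -LiteralPath $EvtxPath) {
    Write-Host "Visible from this session: $EvtxPath"
} else {
    Write-Warning "Not visible from this session: $EvtxPath"
}

# 2. Is the drive letter a network mapping? Mappings made with "net use" or
#    New-PSDrive belong to the logon session that created them, so a service
#    running under a different account will not see them. Report the UNC
#    equivalent so the File directive can point at the share directly.
$letter = $EvtxPath.Substring(0, 1)
$drive  = Get-PSDrive -Name $letter -ErrorAction SilentlyContinue
if ($drive -and $drive.DisplayRoot) {
    $unc = Join-Path -Path $drive.DisplayRoot -ChildPath $EvtxPath.Substring(3)
    Write-Host "${letter}: is mapped to $($drive.DisplayRoot); from a service use the UNC path:"
    Write-Host "    File '$unc'"
} elseif ($drive) {
    Write-Host "${letter}: is a local drive ($($drive.Root))"
} else {
    Write-Warning "Drive ${letter}: is not defined in this session"
}

# 3. Which account runs NXLog? That account (not your user) needs read access
#    to the share, and it has its own view of mapped drive letters.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Host "Service '$ServiceName' runs as: $($svc.StartName) (state: $($svc.State))"
} else {
    Write-Warning "No service named '$ServiceName' found; adjust `$ServiceName"
}

# 4. Can the Windows Event Log API open the file as an EVTX at all?
#    im_msvistalog reads through the same API, so a failure here will also
#    fail inside NXLog regardless of the config syntax used.
try {
    $recent = Get-WinEvent -Path $EvtxPath -MaxEvents 3 -ErrorAction Stop
    Write-Host "Event Log API opened the file; most recent events:"
    $recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} catch {
    Write-Warning "Event Log API could not read the file: $($_.Exception.Message)"
}
```

If step 1 succeeds but the service account in step 3 is not the user who mapped H:, that alone explains "There is no file to query": point the File directive at the UNC path printed in step 2 (or create the mapping under the service account) and retry before enabling DEBUG logging.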