Error reading .evtx file

santiagonahuel.sarchetti@bbva.com

Hello community.

I'm having trouble reading an EVTX file. Basically, I'm trying to send events that are saved in a remote location, but I want them to be accessed as a local drive (H:\audit_NARE_MICR_cifs_last.evtx). This file is constantly being written by the application, and when it reaches a certain size, it changes its name, adding the date and time (audit_NARE_MICR_cifs_D2025-10-27-T16-15-42_0000000000.evtx), but the events I want to send are the ones in the file that says "LAST".

For this, I've tried several possible configurations, including:

<Input netapp>
Module im_msvistalog
File "H:\audit_NARE_MICR_cifs_last.evtx"
CaptureEventXML TRUE
Exec rewrite->process();
</Input>

With the following error: "2025-10-23 17:34:15 WARNING [im_msvistalog|netapp] im_msvistalog There is no file to query"

Or I have also tried the following configuration:

<Input netapp>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="2" Path="file://H:\audit_NARE_MICR_cifs_last.evtx">
<Select Path="file://H:\audit_NARE_MICR_cifs_last.evtx">*</Select>
</Query>
</QueryList>
</QueryXML>
CaptureEventXML TRUE
Exec rewrite->process();
</Input>

With the following error:

2025-10-23 17:50:54 WARNING [im_msvistalog|netapp] failed to subscribe to msvistalog events,the channel path is invalid [error code: 15000]: The specified channel path is invalid.

2025-10-23 17:50:54 WARNING [im_msvistalog|netapp] Invalid channel: 'file://H:\audit_NARE_MICR_cifs_last.evtx': The specified channel path is invalid.

2025-10-23 17:50:54 ERROR [im_msvistalog|netapp] 1 invalid channel(s) found in query

I need your help to solve this problem.

Thank you so much
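Added example, not part of the post above and not NXLog code: before blaming the collector, it is worth checking what is actually at the path being queried. The script below parses the 128-byte EVTX file header (signature, version, chunk count, file flags, header CRC32, following the publicly documented EVTX layout) and classifies a filename as the active "last" file or a rotated dated copy using the naming pattern from the question. A file that is open for writing normally carries the "dirty" flag in its header, which is a useful fact to note when a reader behaves differently on the live file than on rotated copies. The sample header bytes are constructed inline for demonstration; run it with a real path as the first argument to inspect an actual file.

```python
import re
import struct
import sys
import zlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

EVTX_SIGNATURE = b"ElfFile\x00"
HEADER_CHECKSUM_LEN = 120      # the header CRC32 covers the first 120 bytes
FLAG_DIRTY = 0x1               # file is open / has unflushed chunks
FLAG_FULL = 0x2                # file has reached its maximum size

# Rotated-file naming pattern from the question:
# audit_NARE_MICR_cifs_D2025-10-27-T16-15-42_0000000000.evtx
ROTATED_RE = re.compile(r"_D\d{4}-\d{2}-\d{2}-T\d{2}-\d{2}-\d{2}_\d+\.evtx$", re.IGNORECASE)


@dataclass
class EvtxHeader:
    first_chunk: int
    last_chunk: int
    next_record_id: int
    header_size: int
    minor_version: int
    major_version: int
    chunk_count: int
    flags: int
    checksum_ok: bool

    @property
    def dirty(self) -> bool:
        return bool(self.flags & FLAG_DIRTY)


def parse_evtx_header(data: bytes) -> EvtxHeader:
    """Parse the EVTX file header (first 128 bytes of the 4096-byte header block)."""
    if len(data) < 128:
        raise ValueError("need at least 128 bytes for the EVTX file header")
    if data[:8] != EVTX_SIGNATURE:
        raise ValueError("not an EVTX file: bad signature %r" % data[:8])
    first_chunk, last_chunk, next_record_id = struct.unpack_from("<QQQ", data, 8)
    header_size, minor, major, _block_size, chunk_count = struct.unpack_from("<IHHHH", data, 32)
    flags, stored_crc = struct.unpack_from("<II", data, 120)
    computed_crc = zlib.crc32(data[:HEADER_CHECKSUM_LEN]) & 0xFFFFFFFF
    return EvtxHeader(first_chunk, last_chunk, next_record_id, header_size,
                      minor, major, chunk_count, flags, computed_crc == stored_crc)


def classify_filename(path: str) -> str:
    """'active' for the *_last.evtx file, 'rotated' for dated copies, else 'unknown'."""
    name = PureWindowsPath(path).name
    if name.lower().endswith("_last.evtx"):
        return "active"
    if ROTATED_RE.search(name):
        return "rotated"
    return "unknown"


def inspect_file(path: str, header_bytes: bytes) -> dict:
    """Summarise what a collector would see at this path."""
    h = parse_evtx_header(header_bytes)
    return {
        "role": classify_filename(path),
        "version": "%d.%d" % (h.major_version, h.minor_version),
        "chunks": h.chunk_count,
        "dirty": h.dirty,
        "checksum_ok": h.checksum_ok,
    }


def build_sample_header(chunk_count: int = 3, flags: int = FLAG_DIRTY) -> bytes:
    """Constructed sample header (not a real capture): version 3.1, valid CRC."""
    body = bytearray(128)
    body[0:8] = EVTX_SIGNATURE
    struct.pack_into("<QQQ", body, 8, 0, chunk_count - 1, 1001)
    struct.pack_into("<IHHHH", body, 32, 128, 1, 3, 4096, chunk_count)
    struct.pack_into("<I", body, 120, flags)
    struct.pack_into("<I", body, 124, zlib.crc32(bytes(body[:120])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    # Usage: python evtx_header_check.py H:\audit_NARE_MICR_cifs_last.evtx
    target = sys.argv[1] if len(sys.argv) > 1 else r"H:\audit_NARE_MICR_cifs_last.evtx"
    if len(sys.argv) > 1:
        with open(target, "rb") as f:
            print(inspect_file(target, f.read(128)))
    else:
        print(inspect_file(target, build_sample_header()))
```

If the signature check fails on the real file, the path is not pointing at an EVTX file at all (for example a share that serves a different file than expected); if the header parses but the checksum is wrong or the dirty flag is set, the file is mid-write, which is the normal state of the "last" file in the setup described above.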