ProcessID is always 4

achung21

Hi, I recently started using Nxlog with Windows event log.

I'm able to get events off of the Security log and onto my server; however, I've noticed something peculiar.

The value of the 'ProcessID' field is always 4, no matter what process is generating the event.

My nxlog.conf has the following sections:

<Extension json>
    Module      xm_json
</Extension>

<Input security_log>
    Module      im_msvistalog
    SavePos     TRUE
    ReadFromLast    TRUE
    Channel     Security
    Query       *
</Input>

<Output out>
    Module      om_tcp
    Host        10.1.11.50
    Port        9000
    Exec        to_json();
</Output>

<Route 1>
    Path        security_log => out
</Route>

And the resulting output looks like:

{
  "EventTime":"2016-01-18 10:32:13",
  "Hostname":"dev-collector.dev.local",
  "Keywords":-9214364837600034816,
  "EventType":"AUDIT_SUCCESS",
  "SeverityValue":2,
  "Severity":"INFO",
  "EventID":4689,
  "SourceName":"Microsoft-Windows-Security-Auditing",
  "ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version":0,
  "Task":13313,
  "OpcodeValue":0,
  "RecordNumber":355,
  "ProcessID":4,
  "ThreadID":48,
  "Channel":"Security",
  "Message":"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3503561835-834928460-339998367-1000\r\n\tAccount Name:\t\tachung\r\n\tAccount Domain:\t\tDEV-COLLECTOR\r\n\tLogon ID:\t\t0x727518c\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xb64\r\n\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n\tExit Status:\t0x0",
  "Category":"Process Termination",
  "Opcode":"Info",
  "SubjectUserSid":"S-1-5-21-3503561835-834928460-339998367-1000",
  "SubjectUserName":"achung",
  "SubjectDomainName":"DEV-COLLECTOR",
  "SubjectLogonId":"0x727518c",
  "Status":"0x0",
  "ProcessName":"C:\\Windows\\System32\\calc.exe",
  "EventReceivedTime":"2016-01-18 10:32:14",
  "SourceModuleName":"security_log",
  "SourceModuleType":"im_msvistalog"
}

The value of the "ProcessID" field is 4, when it should be 2916 (0xb64), as shown in the "Message" field. Is this a configuration issue or possibly a bug with one of the modules?

Thanks,

Allen
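The "ProcessID" field in the record above comes from the event's System header, which identifies the process that wrote the event (the System process, PID 4), not the process the audit is about. The following is an added example, not code from the original post or from NXLog: it takes one JSON record as emitted by the configuration above, pulls the audited PID and image path out of the Message text, converts the hex PID to decimal and flags the mismatch, so downstream detection rules can key on the audited process. The sample record is constructed from the post's 4689 event, trimmed to the fields used here.

```python
import json
import re

# Constructed sample: the 4689 event from the post, trimmed to the fields used here.
SAMPLE_EVENT = json.dumps({
    "EventID": 4689,
    "ProcessID": 4,
    "Message": ("A process has exited.\r\n\r\nSubject:\r\n\tAccount Name:\t\tachung\r\n\r\n"
                "Process Information:\r\n\tProcess ID:\t0xb64\r\n"
                "\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n\tExit Status:\t0x0"),
})

# The audit message carries the PID of the process the event is about as a hex string.
_PID_RE = re.compile(r"Process ID:\s*(0x[0-9a-fA-F]+)")
_NAME_RE = re.compile(r"Process Name:\s*([^\r\n]+)")


def normalize_event(raw: str) -> dict:
    """Parse one NXLog JSON record and add fields derived from the Message text.

    Adds to the record:
      AuditedProcessID   - PID from the message body as a decimal integer (None if absent)
      AuditedProcessName - image path from the message body (None if absent)
      ProcessIDMismatch  - True when the header ProcessID differs from the audited PID
    """
    event = json.loads(raw)
    msg = event.get("Message", "")
    pid_match = _PID_RE.search(msg)
    name_match = _NAME_RE.search(msg)
    audited_pid = int(pid_match.group(1), 16) if pid_match else None
    event["AuditedProcessID"] = audited_pid
    event["AuditedProcessName"] = name_match.group(1).strip() if name_match else None
    # Keep the header ProcessID (4 here) untouched and record the discrepancy explicitly,
    # so nothing downstream silently treats the logging process as the audited one.
    event["ProcessIDMismatch"] = (audited_pid is not None
                                  and event.get("ProcessID") != audited_pid)
    return event


if __name__ == "__main__":
    out = normalize_event(SAMPLE_EVENT)
    print(out["AuditedProcessID"], out["AuditedProcessName"], out["ProcessIDMismatch"])
```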