I’ve configured a Windows EventLog collection server and set up a handful of custom eventlog channels per the following article.
My custom event log channels are receiving the correct logs, and everything is working as expected as far as event collection goes.
I'm now trying to configure nxlog to pick up the event logs from my custom channels and forward them to a syslog server, but it doesn’t seem to be working.
nxlog does forward if I query the built-in "Security" channel, but not from my custom channels (or even "forwarded events").
Here is a copy of my NXlog configuration file:
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
# Module im_msvistalog
# SavePos TRUE
# #Query <QueryList><Query Id="0"><Select Path="_ApplicationServers">*</Select></Query></QueryList>
# #Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
# Exec $Message = to_json();
Path internal, eventlog => out
Check nxlog.log if you see any errors there and also make sure that the query also works in Event Viewer.
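One way to carry out the query check suggested above without going through the Event Viewer GUI, as an added example that is not part of the original answer. It assumes the channel name "_ApplicationServers" from the question's Query line; the function name Test-EventQuery is hypothetical.

```powershell
# Added example: validate an im_msvistalog QueryList outside nxlog.
# "_ApplicationServers" is the channel named in the question's config;
# replace $QueryXml with the exact XML used in the nxlog Query directive.
$QueryXml = @'
<QueryList><Query Id="0"><Select Path="_ApplicationServers">*</Select></Query></QueryList>
'@

function Test-EventQuery {
    param([Parameter(Mandatory)][string]$Xml)

    # A malformed QueryList fails here, before any channel lookup.
    try { $doc = [xml]$Xml } catch {
        Write-Warning "Query is not well-formed XML: $($_.Exception.Message)"
        return
    }

    # Check that every channel referenced by a <Select Path="..."> exists.
    $paths = $doc.SelectNodes('//Select/@Path') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($p in $paths) {
        try {
            $log = Get-WinEvent -ListLog $p -ErrorAction Stop
            [pscustomobject]@{ Channel = $p; Exists = $true
                               Enabled = $log.IsEnabled; Records = $log.RecordCount }
        } catch {
            # Wrong channel name (display name vs. real name) ends up here.
            [pscustomobject]@{ Channel = $p; Exists = $false
                               Enabled = $null; Records = $null }
        }
    }

    # Run the query itself, the same XML filter Event Viewer would accept.
    try {
        $ev = Get-WinEvent -FilterXml $doc -MaxEvents 1 -ErrorAction Stop
        Write-Host "Query OK, newest match: $($ev.TimeCreated) id=$($ev.Id)"
    } catch {
        Write-Warning "Query failed or matched nothing: $($_.Exception.Message)"
    }
}

Test-EventQuery -Xml $QueryXml
```

Run it in an elevated session, since reading some channels (Security, for example) requires administrative rights. A channel reported with Exists = False usually means the Path value does not match the channel's real name as listed by `Get-WinEvent -ListLog *`.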