Filtering Messages From nxlog.conf
Hello -
I've been trying to figure this out for a few days, and it just isn't working. I want to allow certain messages by EventID, disallow all other INFO, DEBUG, but also allow all other ERRORs.
What I would like to end up with is: the cherry-picked EventIDs (a collection of INFO, ERROR, WARNING), and all error messages. Every time I add a filter by SEVERITY it seems to change the dynamic of the filter.
Any tips? Below is what my config currently looks like; I'm just getting the EventIDs which I want, but I'm not getting all ERROR messages.
----------------------------
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
Exec if ($EventID == 624 or $EventID == 630 or $EventID == 631 or $EventID == 634 or \
        $EventID == 635 or $EventID == 638 or $EventID == 658 or $EventID == 662 or \
        $EventID == 4624 or $EventID == 4625 or $EventID == 4720 or $EventID == 4726 or \
        $EventID == 4727 or $EventID == 4728 or $EventID == 4729 or $EventID == 4730 or \
        $EventID == 4731 or $EventID == 4732 or $EventID == 4733 or $EventID == 4734 or \
        $EventID == 4735 or $EventID == 4737 or $EventID == 4740 or $EventID == 4741 or \
        $EventID == 4742 or $EventID == 4743 or $EventID == 4754 or $EventID == 4755 or \
        $EventID == 4756 or $EventID == 4757 or $EventID == 4758 or $EventID == 4764 or \
        $EventID == 4767);\
     else drop();
</Input>
<Output out>
Module om_udp
Host log.myserver.org
Port 5414
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
I believe the following should do what you want:
Exec if not ($Severity == 'ERROR' or $EventID IN (624, 630, ...)) drop();
Note that EventID is unique per eventlog source, so you probably want to add $SourceName == 'Security' to the condition.
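As an added illustration (not part of the original thread), the Python below models the two filter conditions over a handful of constructed events, so you can see why the poster's EventID-only Exec loses non-allowlisted ERROR events and how the "keep if ERROR or allowlisted" condition, optionally scoped to the Security log, behaves. The event field names follow the thread ($EventID, $Severity, $SourceName); the sample values and the shortened allowlist are assumptions.

```python
# Added example: models the NXLog Exec filter logic discussed in this thread.
# Events are constructed records using the im_msvistalog field names from the
# thread (EventID, Severity, SourceName); the values are made up for the demo.

# Shortened allowlist taken from the poster's config; the full Exec list can be
# substituted here unchanged.
ALLOWED_EVENT_IDS = {624, 630, 631, 634, 635, 638, 658, 662,
                     4624, 4625, 4720, 4726, 4740}

def original_filter(event):
    """Poster's condition: keep only allowlisted EventIDs, drop everything else.
    An ERROR with any other EventID is dropped, which is the reported problem."""
    return event["EventID"] in ALLOWED_EVENT_IDS

def suggested_filter(event, source=None):
    """Answer's condition: keep if Severity is ERROR OR the EventID is
    allowlisted; drop only when neither holds. `source` (assumed: 'Security')
    scopes the EventID match to one eventlog, since EventID numbers are only
    unique within a source."""
    id_match = event["EventID"] in ALLOWED_EVENT_IDS
    if source is not None:
        id_match = id_match and event["SourceName"] == source
    return event["Severity"] == "ERROR" or id_match

def apply_filter(events, predicate):
    """Return the EventIDs that survive the filter (drop() removes the rest)."""
    return [e["EventID"] for e in events if predicate(e)]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Severity": "INFO",  "SourceName": "Security"},
    {"EventID": 4625, "Severity": "INFO",  "SourceName": "Security"},
    {"EventID": 7034, "Severity": "ERROR", "SourceName": "System"},       # ERROR, not allowlisted
    {"EventID": 1000, "Severity": "INFO",  "SourceName": "Application"},  # neither
    {"EventID": 4624, "Severity": "INFO",  "SourceName": "Application"},  # same number, other log
]

if __name__ == "__main__":
    print("original :", apply_filter(SAMPLE_EVENTS, original_filter))
    print("suggested:", apply_filter(SAMPLE_EVENTS, suggested_filter))
    print("scoped   :", apply_filter(SAMPLE_EVENTS,
                                     lambda e: suggested_filter(e, "Security")))
```

Running it shows the original condition keeping only the allowlisted IDs and losing the ERROR from the System log, while the suggested condition keeps that ERROR, and the Security-scoped variant additionally drops the Application-log event that merely shares the number 4624.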