Hi,

My scenario is:  (Windows server + nxlog configured for Windows events) => Logstash => Elasticsearch

I am wondering where nxlog stores current informations about sent Windows Events (for every category).
If i need to resend a few Windows events from past, how i can do it?

Is there any way to select last X hours (example: last 48 hours from Security category, from the starting nxlog service moment).
SavePos and ReadFromLast are helpful, but if both are false, event logs are sent from the first one stored on Windows server.

Also, where nxlog save all events in case of temporary lost tcp connection? This is probably SavePos location.

Thanks