Send specific Windows security event to Graylog server
#1 navdeepsingh83

Hi Folks,
I have been playing with the nxlog config for more than 24 hrs, but I am not able to get a specific Windows security event into the Graylog server. I can send non-filtered events without issue.
Here is the nxlog.conf file:
```
## (The angle-bracket block tags and the XML query tags did not survive the
## forum's rendering of this listing; the lines are otherwise as posted.)
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
    Module      xm_syslog
    Module      xm_gelf
    Module      im_msvistalog
    Query       \
                    \
              #          *\
              #          *\
              #          *[System[(EventID=EventID=4625 or EventID=4740)]]\
                         *\
                    \

Module pm_buffer
# 100Mb disk buffer
MaxSize 102400
Type disk
    Module      om_tcp
    Host        SERVER_IP
    Port        5044
    OutputType  GELF_TCP
    Exec $short_message = $raw_event;
    Path        in => out
```
In the log file I get the following error:

```
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid:  [error code: 15001]
```

Sometimes the error changes and the service won't start; this happens when I uncomment the specific-event line and comment the all-security-events line:

```
nxlog failed to start: Expected  but saw  at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31
```

I'd appreciate it if someone can guide me in the right direction.
Thanks,
Navdeep
You seem to be using `#` for comments inside single-line XML, which is incorrect, and that is why you get the _invalid query_ error. Use `QueryXML` without the `\` line-continuation marks, or use XML-style comments `<!-- -->`.
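A corrected input along the lines of the reply, written here as an added example rather than the poster's or NXLog's own file: the filter moves into a `QueryXML` block, disabled selects become XML comments, and the XPath typo `EventID=EventID=4625` is fixed. `SERVER_IP` and port 5044 are the poster's placeholders, `in` and `out` are the names from the poster's route, the extension name `gelf` is assumed, and the unused `xm_syslog` extension and the disk buffer (which the poster's route did not pass through) are left out.

```apacheconf
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input in>
    Module  im_msvistalog
    # QueryXML carries the subscription as real XML: no '#' comment lines and
    # no trailing '\' continuations inside it. 4625 is a failed logon and
    # 4740 an account lockout; both are written to the Security channel.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <!-- Disabled selects stay as XML comments, not '#' lines -->
                <!-- <Select Path="Application">*</Select> -->
                <!-- <Select Path="System">*</Select> -->
                <Select Path="Security">*[System[(EventID=4625 or EventID=4740)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_tcp
    Host        SERVER_IP
    Port        5044
    OutputType  GELF_TCP
    Exec        $short_message = $raw_event;
</Output>

<Route 1>
    Path    in => out
</Route>
```

Before restarting nxlog, the same XPath can be checked against the local log with `wevtutil qe Security /q:"*[System[(EventID=4625 or EventID=4740)]]" /c:5`, which reports a syntax error on its own if the query is malformed.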