Nxlog syntax for capturing Windows Event Viewer logs

Neeraj79

Hello, I am using NXLOG to capture Windows Event Viewer logs. I have the below requirements:
(1) Forward Event ID 4624 events
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes.

Both of the above events are from the "Security" category of Event Viewer. If I use the below syntax, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my QUERY block?

Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID=4624)]]</Select>\
            <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName']='']]</Select>\
        </Query>\
    </QueryList>

Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?

Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID=4624)]]</Select>\
        </Query>\
        <Query Id="1">\
            <Select Path="Security">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName']='C:\Windows\System32\notepad.exe']]</Select>\
        </Query>\
    </QueryList>
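Added example, not part of the original post or of NXLog: it builds the QueryList for the two filters above with ElementTree so the XML cannot end up unbalanced, rejects XPath with unmatched brackets (the kind of slip in a hand-typed Select), and renders the result in the backslash-continued form the Query directive expects. Both Select elements sit in a single Query Id="0"; the process path is a constructed sample value.

```python
import xml.etree.ElementTree as ET

# Constructed (channel, XPath) pairs for the two filters in the post.
SELECTS = [
    ("Security", "*[System[(EventID=4624)]]"),
    ("Security",
     "*[System[(EventID=4689)] and "
     "EventData[Data[@Name='ProcessName']='C:\\Windows\\System32\\notepad.exe']]"),
]

def balanced(xpath):
    """True if ( ) and [ ] pair up outside single-quoted literals.
    A typo such as *[System[(EventID=4624]] returns False."""
    pairs, stack, in_quote = {")": "(", "]": "["}, [], False
    for ch in xpath:
        if ch == "'":
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch in "([":
            stack.append(ch)
        elif ch in ")]" and (not stack or stack.pop() != pairs[ch]):
            return False
    return not stack and not in_quote

def build_querylist(selects, query_id="0"):
    """One <Query> holding one <Select> per (path, xpath) pair."""
    root = ET.Element("QueryList")
    query = ET.SubElement(root, "Query", Id=query_id)
    for path, xpath in selects:
        if not balanced(xpath):
            raise ValueError(f"unbalanced brackets in XPath: {xpath}")
        ET.SubElement(query, "Select", Path=path).text = xpath
    return root

def render_nxlog_query(root, indent="    "):
    """Emit 'Query <QueryList>\\ ...' with nxlog's trailing-backslash continuation;
    ET.tostring handles XML escaping of the Select text."""
    lines = ["<QueryList>"]
    for q in root:
        lines.append(f'{indent}<Query Id="{q.get("Id")}">')
        lines += [indent * 2 + ET.tostring(s, encoding="unicode") for s in q]
        lines.append(f"{indent}</Query>")
    lines.append("</QueryList>")
    return "Query " + " \\\n".join(lines)

def select_count(directive):
    """Strip the continuations, parse the body back as XML, count Selects."""
    body = directive[len("Query "):].replace(" \\\n", "")
    return len(ET.fromstring(body).findall("./Query/Select"))
```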