Important eventIDs seem to be missed

taxter

I am trying to collect Windows Defender event logs on our Windows clients and forward them to our central log server (Graylog).

I have included the Windows Defender log in the config file's search query like this: `<Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>`

This seems to work, basically, as there are messages coming through to the log server (mostly with EventID 1150/1151), but the important ones (1116, 1117, ...) don't show up. I already tried to select 1116 and 1117 specifically in the query and provoked some entries of that type, but to no avail. The events are in the event log, but they don't make it out of the client system.

Searching the web didn't get me anywhere either, so I'm trying my luck with the nxlog community.

Any help would be very much appreciated! Thanks
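As an added example (not part of the original post or of NXLog), the following PowerShell runs the same channel and EventID filter locally with Get-WinEvent, so the query can be verified on the client before the forwarding side is examined. The channel and IDs are the ones named above; everything else is an assumption.

```powershell
# Added example, not from the original post: check whether the Defender
# channel exists on this client and whether an XPath filter for the
# EventIDs named in the post actually matches records locally.
$Channel  = 'Microsoft-Windows-Windows Defender/Operational'
$EventIds = 1116, 1117   # IDs from the post; extend as needed

# 1. Confirm the channel is present and enabled and see how many records it holds.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
"{0}: enabled={1} records={2} maxsize={3}" -f $log.LogName, $log.IsEnabled,
    $log.RecordCount, $log.MaximumSizeInBytes

# 2. Build the same kind of query a collector would use: the channel Path
#    plus an EventID filter in the System element.
$idClause  = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$filterXml = [xml]@"
<QueryList>
  <Query Id="0" Path="$Channel">
    <Select Path="$Channel">*[System[($idClause)]]</Select>
  </Query>
</QueryList>
"@

# 3. Run the query. No matches while the events are visible in Event Viewer
#    points at the filter; matches here point at the agent or forwarding path.
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events matched ($idClause) in '$Channel'."
} else {
    $events |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Run it in an elevated session on the client that produced the events; the script only reads the local log and changes nothing.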