named capture not working
dlang created
$message =~ /(?<timestamp>\d+\/\d+.\d+ )/s;
$ts = $timestamp;
$ts2 = $1;
$ts2 has the right info, $ts = ""
version nxlog-ce-2.10.2150
dlang created
Administrators related logs
sec created
Hi all,
Is it possible (using the queries) to receive ONLY logs related to all Windows administrators and not those related to all users?
Thanks.
sec created
NxLog ERROR EvtNext failed with error 1717: The interface is unknown.
jvhr created
Hi All,
Every once in a while, nxlog on some Windows servers enters the stopped state after this error:
62501: 2019-10-21 04:32:54 ERROR EvtNext failed with error 1717: The interface is unknown.
Does anybody know what might be causing this? All I could find is that this may have been a bug that was resolved in newer versions though.
We are using v 4.0.3735
Thanks,
Jarka
jvhr created
in imfile, can you filter a multiline comment from the start of the file?
dlang created
I am reading Windows DNS logs, and at the start of each file Windows adds text at the beginning of the file. Note that Windows will do this in the middle of a multiline log message. Ideally what I want is that when the file is opened, im_file will throw away the header and then pass the rest of the file to xm_multiline, so that xm_multiline never knows that this was there. As a work-around I could add a bunch of filters to match each known bad line and throw it out, but that's a pretty inefficient way to do things. This would be something similar to OnEOF but happening at the start of the file instead.
an example is:
DNS Server log file creation at 11/6/2019 6:19:22 PM
Log file wrap at 11/6/2019 6:19:22 PM
Message logging key (for packets - other items use a subset of these fields):
Field # Information Values
------- ----------- ------
1 Date
2 Time
3 Thread ID
4 Context
5 Internal packet identifier
6 UDP/TCP indicator
7 Send/Receive indicator
8 Remote IP
9 Xid (hex)
10 Query/Response R = Response
blank = Query
11 Opcode Q = Standard Query
N = Notify
U = Update
? = Unknown
12 [ Flags (hex)
13 Flags (char codes) A = Authoritative Answer
T = Truncated Response
D = Recursion Desired
R = Recursion Available
14 ResponseCode ]
15 Question Type
16 Question Name
normal log data, potentially starting in the middle of a log
dlang created
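As an added illustration (not the poster's configuration, and written in Python rather than NXLog's Exec language), the following shows the header-stripping behaviour the question describes: drop everything from the "DNS Server log file creation at" line through the "16 Question Name" line, plus any blank lines directly after it, and pass every other line on unchanged, so a record that Windows interrupted with the header comes out whole. The sample lines are constructed and abbreviated; only the header start and end markers are taken from the post.

```python
import re

# Constructed sample (not from the post): a record, a header block that Windows
# inserted in the middle of that record, the record's tail, then a new record.
SAMPLE_LINES = [
    "11/6/2019 6:19:20 PM 0F2C PACKET  UDP Rcv 10.0.0.5 Q A foo.com",
    "UDP question info",
    "DNS Server log file creation at 11/6/2019 6:19:22 PM",
    "Log file wrap at 11/6/2019 6:19:22 PM",
    "Message logging key (for packets - other items use a subset of these fields):",
    "Field #  Information         Values",
    "-------  -----------         ------",
    "   1     Date",
    "  15     ResponseCode ]",
    "  16     Question Name",
    "",
    "  Answer: bar.com",
    "11/6/2019 6:19:23 PM 0F2C PACKET  UDP Snd 10.0.0.5 R A foo.com",
]

# First and last line of the header block as shown in the question.
HEADER_START = re.compile(r"^DNS Server log file creation at ")
HEADER_END = re.compile(r"^\s*16\s+Question Name\s*$")


def strip_dns_header(lines):
    """Yield the input lines with every DNS debug-log header block removed.

    The header is recognised by its first line and dropped up to and including
    its last line, together with blank separator lines that directly follow it.
    Lines belonging to the record the header interrupted are passed through
    unchanged, so a downstream multiline joiner never sees the header at all.
    """
    state = "log"  # one of "log", "header", "after_header"
    for line in lines:
        if state == "header":
            if HEADER_END.match(line):
                state = "after_header"
            continue
        if state == "after_header":
            if line.strip() == "":
                continue  # swallow blank lines that trail the header
            state = "log"
        if HEADER_START.match(line):
            state = "header"
            continue
        yield line


def header_lines_remaining(lines):
    """Self-check: count header marker lines that survived stripping (expect 0)."""
    return sum(
        1 for line in lines
        if HEADER_START.match(line) or line.startswith("Log file wrap at ")
    )


if __name__ == "__main__":
    for line in strip_dns_header(SAMPLE_LINES):
        print(line)
```

The state machine keys on the header's fixed first and last lines rather than on a list of every header line, so adding new header text to match is unnecessary as long as those two markers stay the same.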
SQL om_dbi
Bohdan.Lisovskyi created
Hi. How can I write an SQL statement to a variable?
For example:
define variable $sql_statement = SELECT some_func()
and in module om_dbi use this variable like
Module om_dbi
SQL $sql_statement
Driver pgsql
Bohdan.Lisovskyi created
how can I turn one log event into multiple messages
dlang created
I am parsing DNS logs (windows debug logs) where there may be multiple answers to one query (cname plus IP, or multiple cnames, or multiple IPs) but I want to normalize the output so that each output line contains one and only one answer (with the rest of the output being the same)
so if I start with
source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2
how can I get my output to be:
source 1.1.1.1 query type A query foo.com answer cname bar.com
source 1.1.1.1 query type A query foo.com answer A 2.2.2.2
dlang created
om_udp Module not loading
Fravocado created
Hi There,
Using the CE edition on a Server 2012 R2 collector. I see in the logs the following: ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\Module om_udp.dll, The specified module could not be found.
The config file %ROOT% has the correct path as far as I can see. I've reinstalled and once I start/restart services then this message appears.
NXLog Ver: 2.10.2102
Any help appreciated!
Fravocado created
Multiline input, HeaderLine: Delimit each message at each instance of Username
ajtjavier created
I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log.
This is the desired output:
Message 1 should contain:
Username : <Username1> Index : <Index>
Assigned IP : <IP1> Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:15:34 UTC Fri Nov 1 2019
Message 2 should contain:
Username : <Username2> Index : <Index>
Assigned IP : <IP1> Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:16:12 UTC Fri Nov 1 2019
Instead, this is what happens:
Message 1: Username
Message 2: Index
Message 3: Assigned IP
Message 4: Public IP
So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!
ajtjavier created
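As an added example (not the poster's configuration, and in Python rather than NXLog's xm_multiline settings) the grouping rule the question is after: a new message starts only at a line beginning with "Username :", and every following line is appended to that message until the next such line. The same function run with a regex that matches any "Key :" line shows the one-line-per-message result the poster is seeing. The sample text uses constructed values in place of the question's placeholders.

```python
import re

# Constructed sample in the layout shown in the question.
SAMPLE = """Username : alice Index : 12
Assigned IP : 10.1.1.5 Public IP : 203.0.113.9
Group Policy : GP-Users
Login Time : 15:15:34 UTC Fri Nov 1 2019
Username : bob Index : 13
Assigned IP : 10.1.1.6 Public IP : 203.0.113.10
Group Policy : GP-Users
Login Time : 15:16:12 UTC Fri Nov 1 2019"""

# Only a line that begins a new session block starts a new message.
HEADER_LINE = re.compile(r"^\s*Username\s*:")

# A header regex that matches any "Key :" line; it turns every line into its own message.
ANY_KEY_LINE = re.compile(r"^\s*[A-Za-z ]+\s*:")


def split_messages(text, header=HEADER_LINE):
    """Group lines into messages.

    A message starts at a line matching `header` and absorbs every following
    line until the next header line. Lines before the first header (if any)
    form a message of their own rather than being discarded.
    """
    messages, current = [], []
    for line in text.splitlines():
        if header.match(line) and current:
            messages.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        messages.append("\n".join(current))
    return messages


if __name__ == "__main__":
    for i, msg in enumerate(split_messages(SAMPLE), 1):
        print(f"--- message {i} ---")
        print(msg)
```

The important property of the header regex is that it matches exactly one line per block; anything that also matches the other "Key :" lines splits the block apart.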
failed with network authentication ....
willy70 created
Dear All,
I'm using this product for months and it works fine; every Windows PC (Win 7 and Win 10) sent information to a central Linux syslog server.
Now it doesn't work because I've changed network settings. All of my Windows computers have 802.1x authentication, so the network
comes up only after user login.
Maybe NXLog starts before user login and tries to connect to the syslog server, sending some messages; since it doesn't reach syslog it remains in running status
and doesn't send any other information.
Any ideas ?
Thanks a lot for you help !
Best Regards
Willy
willy70 created
Windows 2012r2 (and possibly others) NXLog parsing issue?
nwalters created
Hello,
We are using NXLog extensively and just recently started seeing some parsing issues, so far specifically on Windows 2012r2 using Windows Event Forwarding, but could be others. It appears to be something with processing self-closed tags at first glance, but I've done a little bit of testing myself and couldn't directly reproduce the problem (so far), so figured I'd come here for guidance. Specific details are included below.
Current Behavior
NXLog appears to be improperly parsing empty, self-closed XML tags.
Expected Behavior
NXLog properly ignores empty, self-closed XML tags.
NXLog Version: nxlog-ce-2.10.2150
NXLog Configuration File:
## NXLog configuration file
define ROOT C:\Program Files (x86)\nxlog
define LOGFILE %ROOT%\data\nxlog.log
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %LOGFILE%
# Rotate agent logs on the local system such that only the last 4 files are kept
<Extension fileop>
Module xm_fileop
# Check the size of our log file every hour and rotate if it is larger than 1M
<Schedule>
Every 1 hour
Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 4);
</Schedule>
# Rotate our log file every week on sunday at midnight
<Schedule>
When @weekly
Exec file_cycle('%LOGFILE%', 4);
</Schedule>
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
# Agent logs
<Input internal>
Module im_internal
</Input>
# OS logs
<Input eventlog>
Module im_msvistalog
# Drop EventID 5156 logs when application name is nxlog.exe
Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing')\
AND ($EventID == 5156)\
AND ($Application =~ /nxlog.exe$/)\
drop();
</Input>
<Input forwardedEvents>
Module im_msvistalog
Query <QueryList> \
<Query Id="0"> \
<Select Path="ForwardedEvents">*</Select>\
</Query> \
</QueryList>
</Input>
# SIEM port 3514 is listening for JSON-encoded IETF style syslog messages
# OutputType Syslog_TLS required to enable the octet-framing described in RFC5425
<Output out>
Module om_tcp
Host XXX.XXX.XXX.XXX
Port 3514
OutputType Syslog_TLS
Exec $Message = to_json();
# Remove param-value pairs from structured data header with names > 32 characters.
Exec if ($SourceName == 'Microsoft-Windows-GroupPolicy') {\
if ($EventID == 5017) OR ($EventID == 6017) OR ($EventID == 7017)\
delete($OperationElaspedTimeInMilliSeconds);\
if ($EventID == 5116) OR ($EventID == 6116) OR ($EventID == 7116)\
delete($GpsvcInitTimeElapsedInMilliseconds);\
if ($EventID == 5126) OR ($EventID == 6126) OR ($EventID == 7126)\
delete($GPODownloadTimeElapsedInMilliseconds);\
if ($EventID == 5257) OR ($EventID == 6257) OR ($EventID == 7257)\
delete($PolicyDownloadTimeElapsedInMilliseconds);\
if ($EventID == 5351) OR ($EventID == 6351) OR ($EventID == 7351)\
delete($WinlogonReturnTimeElapsedInMilliseconds);\
}
Exec to_syslog_ietf();
</Output>
<Route 1>
Path internal, eventlog, forwardedEvents => out
</Route>
Windows Version: Windows 2012r2 (potentially others, but confirmed for sure on this one)
Example Exported XML from EventViewer
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event' xml:lang='en-US'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-10-23T14:01:56.684789600Z'/><EventRecordID>5238702734</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='3948'/><Channel>Security</Channel><Computer>hostname.domain</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>workstation$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x1754</Data><Data Name='NewProcessName'>C:\Windows\System32\wbem\WmiApSrv.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f8</Data><Data Name='CommandLine'/><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data></EventData><RenderingInfo Culture='en-US'><Message>A new process has been created...</Message><Level>Information</Level><Task>Process Creation</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event></Events>
Example Data as Received on the wire:
<14>1 2019-10-21T15:44:36.650065-04:00 hostname.domain Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4688" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="2" Task="13312" OpcodeValue="0" RecordNumber="355111132" ThreadID="5020" Channel="Security" Category="Process Creation" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="workstation$" SubjectDomainName="DOMAIN" SubjectLogonId="0x3e7" NewProcessId="0x13a8" NewProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" TokenElevationType="%%1936" CommandLine\'/><Data_Name=\'TargetUserSid="S-1-0-0" TargetUserName="workstation$" TargetDomainName="DOMAIN" TargetLogonId="0x3e4" EventReceivedTime="2019-10-21 15:45:38" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] {"EventTime":"2019-10-21 15:44:36","Hostname":"hostname.domain","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":2,"Task":13312,"OpcodeValue":0,"RecordNumber":355111132,"ProcessID":4,"ThreadID":5020,"Channel":"Security","Message":"A new process has been created...","Category":"Process Creation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"workstation$","SubjectDomainName":"domain","SubjectLogonId":"0x3e7","NewProcessId":"0x13a8","NewProcessName":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","TokenElevationType":"%%1936","CommandLine'/><Data Name='TargetUserSid":"S-1-0-0","TargetUserName":"workstation$","TargetDomainName":"DOMAIN","TargetLogonId":"0x3e4","EventReceivedTime":"2019-10-21 15:45:38","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
NOTE: I know the above two examples don't reference the exact same event. They are just for illustration and reference purposes
You should see that in the XML exported from EventViewer, there's an empty and self-closed 'CommandLine' tag. However, in the example pulled from the wire, you should see that the 'CommandLine' tag has been mangled and parsed as if it were part of the 'TargetUserSid' tag and there's some XML data there.
Have you seen similar behavior when parsing logs either through the ForwardedEvents (Windows Event Forwarding) or otherwise?
Addendum: We have also seen this behavior with other empty, self-closed XML Fields such as a 'TargetDomainName' field, so it does not seem to be specifically related to the CommandLine tag itself.
nwalters created
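As an added illustration (not the poster's code, and not a statement about how im_msvistalog is implemented) of the failure mode the post describes: a parser that only knows the `<Data Name='x'>text</Data>` shape runs past an empty self-closed element and produces a field name of exactly the form seen on the wire, `CommandLine'/><Data Name='TargetUserSid`, whereas a real XML parser yields an empty CommandLine and a separate TargetUserSid. The last function is a cheap check a receiving side can run on parsed events to flag field names that contain markup characters. The EventData fragment is constructed from the exported event in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed EventData fragment, shaped like the exported event in the post.
EVENT_DATA = (
    "<EventData>"
    "<Data Name='NewProcessName'>C:\\Windows\\System32\\wbem\\WmiApSrv.exe</Data>"
    "<Data Name='CommandLine'/>"
    "<Data Name='TargetUserSid'>S-1-0-0</Data>"
    "<Data Name='TargetUserName'>-</Data>"
    "</EventData>"
)

# A pattern that only knows the <Data Name='x'>text</Data> shape. On the
# self-closed element the lazy name group cannot stop at "'/>" because the
# pattern insists on "'>", so it runs on into the next element.
NAIVE_DATA = re.compile(r"<Data Name='(.*?)'>(.*?)</Data>")


def parse_naive(xml_text):
    """Regex extraction; reproduces the mangled field name seen on the wire."""
    return {name: value for name, value in NAIVE_DATA.findall(xml_text)}


def parse_xml(xml_text):
    """Proper XML parsing; an empty self-closed element becomes an empty string."""
    root = ET.fromstring(xml_text)
    return {el.get("Name"): (el.text or "") for el in root.iter("Data")}


def mangled_fields(fields):
    """Return field names containing markup characters, sorted.

    Useful as a sanity check on parsed events before they are indexed: a
    field name with '<', '>', quotes or '/' in it means the parser ran across
    element boundaries.
    """
    return sorted(name for name in fields if re.search(r"[<>'\"/]", name))


if __name__ == "__main__":
    print("naive:", parse_naive(EVENT_DATA))
    print("xml:  ", parse_xml(EVENT_DATA))
    print("mangled:", mangled_fields(parse_naive(EVENT_DATA)))
```

The naive result also loses the TargetUserSid field entirely, since its value ends up attached to the mangled name, which is why downstream rules keyed on that field would silently stop matching.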
The log files are not providing me enough information to figure out what's wrong!!
mpark916 created
Here are the error messages:
2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started
2019-10-30 11:38:22 WARNING stopping nxlog service
2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...
Conf file:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
ReadFromLast TRUE
# For windows 2003 and earlier use the following:
#   Module im_mseventlog
Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</Input>
<Output Graylog>
Module om_udp
Host secret
Port secret
OutputType GELF_UDP
</Output>
<Route 1>
Path in => Graylog
</Route>
mpark916 created
xm_filelist module configuration
lichtsinnig created
There is no detailed description of the use of the xm_filelist module in the manual.
I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work.
Help me, why the configuration does not work?
<Extension Testlist>
Module xm_filelist
File "c:\logs\List\Testlist.txt"
CheckInterval 600
</Extension>
<Input in_ForwardedEvents>
Module im_msvistalog
ReadFromLast False
SavePos True
ResolveSID False
PollInterval 5
<QueryXML>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Processor proc_list>
Module pm_transformer
<Exec>
if Testlist->contains($TargetUserName,$true) $rule = "rule1";
</Exec>
</Processor>
<Output out_file_raw>
exec to_json();
Module om_file
CreateDir TRUE
File 'c:\logs\test.log'
</Output>
<Route rout_file>
Path in_ForwardedEvents=> proc_list => out_file_raw
</Route>
Give an example configuration using the xm_filelist module.
lichtsinnig created
Some windows devices not reporting while the majority will
sconnary32 created
Good day everyone!
I am starting to use NXLog:CE in my environment and am having a few windows devices not reporting to my Observium server. I have the same .conf deployed across all windows devices. I am attempting to pattern hunt what could be different but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices.
I know this is not much detail but I would appreciate any suggestions of places to look.
Thank you in advance,
Scott
sconnary32 created
Send binary file when created
phg98 created
Hi,
My system creates a binary log file whenever some error happens.
So, I would like to send the binary log file to a server (also running nxlog) when the file is created.
The binary log file is created with a specific extension (for example *.binlog) and I want to send the file to the server with the same filename.
Can I do this with nxlog?
Thanks.
Harry
phg98 created
Tomcat localhost_access
sata11 created
Hi,
I'm trying to configure a regex to send logs from Tomcat's localhost_access.log. I tested it in many online regex testers and get an error when I use it in nxlog.
Sample:
4.3.2.1 - - [21/Oct/2019:06:29:10 +0200] "GET /webapi?Subsystem=Order&Action=GetTradeReports&Exchange=GRATR&TS=1571632145141&trpt.a=0%2C1%2C3%2C4%2C5%2C6%2C8%2C9%2C10%2C11%2C13%2C15%2C17%2C47%2C52%2C53%2C57%2C58%2C59%2C60%2C61%2C62%2C63&Session=A.z27L1EKuJetOW0RD890Q3DXXK1zwo5eJ HTTP/1.1" 200 89
and config:
<Input tomcat_localhost>
InputType multiline
Module im_file
File '/var/log/tomcat/localhost_access.log'
<Exec>
if $raw_event =~ /^(\S+) (\S+) (\S+) [([\w:/]+\s[+-]\d{4})] "(\S+)\s?(\S+)?\s?(\S+)?" (\d{3}|-) (\d+|-)\s?"?([^"])"?\s?"?([^"])?"?$/
{
$IP_address = $1;
$EventTime = parsedate($4);
$HTTPMethod = $5;
$HTTPMethod = $4;
$HTTPURL = $5;
$HTTPResponseStatus = $8;
$HTTPProtocol = $7;
$Message = $6;
}
</Exec>
</Input>
error in log:
2019-10-21 10:01:08 ERROR Couldn't parse Exec block at /var/lib/graylog-sidecar/generated/nxlog.conf:61;couldn't parse statement at line 62, character 47 in /var/lib/graylog-sidecar/generated/nxlog.conf;failed to compile regular expression '^(\S+) (\S+) (\S+) [([\w:', error at position 26: missing terminating ] for character class
Why do they expect "]"?
sata11 created
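Two things stand out in the error text quoted above: the pattern nxlog actually tried to compile stops right before the `/` inside `[\w:/]`, so the unescaped slash inside the `/.../` literal ended the regex early and left the character class open, and the `[` before the timestamp is not escaped, so it opens a class instead of matching a literal bracket. As an added example (not the poster's configuration, and in Python rather than NXLog's Exec language, so the slash itself needs no escaping here) this is the same access-log pattern with the brackets escaped, `[^"]*` instead of `[^"]` for the optional referer and user-agent values, and named groups so that the assignments cannot be mixed up by number. The first sample line is the one from the post; the second is constructed to exercise the optional fields.

```python
import re
from datetime import datetime

# Combined access-log line. Square brackets are escaped so they match literally;
# [^"]* captures the whole quoted value (the original [^"] took one character).
ACCESS_LOG = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[\w:/]+\s[+-]\d{4})\] '
    r'"(?P<method>\S+)\s?(?P<url>\S+)?\s?(?P<proto>\S+)?" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-)'
    r'(?:\s"(?P<referer>[^"]*)")?(?:\s"(?P<agent>[^"]*)")?$'
)

# The line quoted in the question.
SAMPLE = (
    '4.3.2.1 - - [21/Oct/2019:06:29:10 +0200] "GET /webapi?Subsystem=Order'
    '&Action=GetTradeReports&Exchange=GRATR&TS=1571632145141&trpt.a=0%2C1%2C3'
    '&Session=A.z27L1EKuJetOW0RD890Q3DXXK1zwo5eJ HTTP/1.1" 200 89'
)

# Constructed line with referer and user-agent present.
SAMPLE_WITH_AGENT = '10.0.0.1 - - [21/Oct/2019:06:29:10 +0200] "GET / HTTP/1.1" 200 5 "-" "curl/7.64"'


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match.

    The timestamp is converted to an aware datetime; the numeric fields are
    left as strings because '-' is a legal value for both.
    """
    m = ACCESS_LOG.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    return fields


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_WITH_AGENT):
        print(parse_access_line(line))
```

In an NXLog `/.../` regex literal the same pattern additionally needs every `/` written as `\/`, including the one inside the character class and the ones in `HTTP/1.1`-style values if they are matched literally.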
Issues migrating from Redis to Kafka(+Certificates)
JanVerhaag created
We have the following problem.
We are currently migrating from REDIS to KAFKA on our windows server 2012 machines. In order to do this we are changing our nxlog.conf. (see below for entire configuration)
We cannot seem to get our certificates to work. Something to note is that the same certificates work on a linux machine in the same environment (acceptance)
Kafka is configured correctly, so that isn’t the problem. (considering that it works in a similar setup for a linux machine that connects to the same KAFKA topic with the same certificates.)
When we start the nxlog service like this, the service basically is stuck in the starting phase. We need to force-kill the PID to breathe life back into it.
We changed the .jks (java keystore) into a .p12 extension via a keystore manipulator (keystore explorer), since we do not have JAVA running on these windows machines.
When we put Loglevel on DEBUG we get logging up until the kafka_out module but not further. (i.e. No information about handshaking etc.)
In the configuration we tried
o Protocol SSL with CAFILE and either (CertKeyFile and KeyPass) or (Keyfile as a cer file)
o We didn’t try converting it to a PEM.
o I put the Partition parameter on comment, since we use multiple partitions in our Kafka-bus, so it wouldn’t make sense to aim for the first one all the time. (Noting that even if not commented out it also fails)
We use a root and an intermediate certificate for our CA-path.
There are hardly any examples for om_kafka modules, especially when you have more than 1 broker.
We are running with version nxlog-4.5.4503
Information I could find on the WWW
CAFile %CERTDIR%/cert-bundle.pem
CAFile %CERTDIR%/cacert.pem
CertFile %CERTDIR%/client-cert.pem
CertKeyFile %CERTDIR%/client-key.pem
KeyPass yourPasswordOfTheKey
#CAFile: This specifies the path of the certificate authority (CA) certificate, which will be used to check the certificate of the remote brokers. CAFile is required if Protocol is set to ssl or sasl_ssl.
#CertFile: This specifies the path of the certificate file to be used for the SSL handshake.
#CertKeyFile: This specifies the path of the certificate key file to be used for the SSL handshake.
Primary questions:
Can CAFILE be used with a keystore or only with a .PEM / .CRT file?
KeyPass is related to CertKeyFile. If there is a password on either CAFILE or KEYFILE how do I configure this then?
Is there a higher level of debug so we can see what happens after the statements in our logging?
NXLOG.CONF
# --GENERAL SETTINGS-----------------
envvar COMPUTERNAME
define ROOT O:\NXLOG
define ENV PRD
define APPLI MyPortal
# KAFKA environment
define KAFKA_TOPIC mon_myportal_topic
define KAFKA_BROKERLIST_PROD 'kafka-0.intranet:9093,kafka-1.intranet:9093,kafka-2.intranet:9093,kafka-3.intranet:9093,kafka-4.intranet:9093,kafka-5.intranet:9093,kafka-6.intranet:9093,kafka-7.intranet:9093,kafka-8.intranet:9093,kafka-9.intranet:9093,kafka-10.intranet:9093,kafka-11.intranet:9093'
# ----------------------------------------------------------------------
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
SpoolDir %ROOT%\data
CertDir %ROOT%\cert
LogLevel DEBUG
LogFile %ROOT%\log\nxlog.log
#Pidfile %ROOT%\test\nxlog.pid
# ----------------------------------------------------------------------
<Extension json>
Module xm_json
</Extension>
<output kafka_out>
Module om_kafka
BrokerList %KAFKA_BROKERLIST_PROD%
Topic %KAFKA_TOPIC%
Partition 1
Protocol ssl
CAFile %CertDir%\client.truststore.p12
CertFile %CertDir%\intermediairportal-PRD.crt
CertKeyFile %CertDir%\intermediairportal-PRD.p12
KeyPass <password obfuscated>
</Output>
include %ROOT%\conf\check1.conf
include %ROOT%\conf\check2.conf
JanVerhaag created
exec_async calling powershell and passing script parameters
pmeech created
I'm trying to trigger a powershell script to run with passed parameters on pattern matching the contents of $message. The method itself works, I just cannot work out how to pass parameters to the script I'm calling.
<Input internal>
Module im_internal
Exec if ($message =~ /nxlog-ce-2.10.2150 started/)
exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1");
</Input>
My working test configuration is shown above. The script called nxlog_exec_async_test.ps1 is successfully called from an elevated shell, if there is no parameter passed in.
exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test");
I've tried passing the parameter "test" in the following ways, but neither works, i.e.:
exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1", "test");
exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test");
The PowerShell script simply echoes a line out to a file, and the first line is:
$testparm = $args[0]
Which is assigning the first parameter to the variable $testparm
Can anyone help?
Cheers,
Phil
pmeech created
Windows Logs
egas84 created
Hello everyone,
I have a Windows server that receives logs from other Windows hosts (log collector), and from this collector events are sent to a FortiSIEM. The problem is that in the SIEM the IP that appears is always the collector's IP, and all host events are identified by that IP.
Is it possible to keep the original IP of each host?
My out config:
<Output out>
Module om_tcp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = integer($EventTime) / 1000000;
Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
Exec $Message = to_json(); to_syslog_snare();
</Output>
Thanks
egas84 created
Run-away logging involving NXLog
CityofRome created
For about 5 years, I've been using NXLog to forward Windows logs from all of my Windows servers into a Graylog server. Recently, one of the servers developed an issue where there will be event ID 5156 ("The Windows Filtering Platform has permitted a connection") triggered when NXLog sends logs to the Graylog server, which triggers another event ID 5156, which triggers another and another and another and so on. So, logging from that one server goes from an average of 50,000/hr to as much as 10 million/hr. I don't see anything in the Windows event logs that seems to trigger the issue but all I have to do is restart the NXLog service to break the loop and resume normal log forwarding for a couple of days. I've uninstalled/re-installed NXLog and upgraded to 'nxlog-ce-2.10.2150'. The server is essentially just a file server. It has Checkpoint Endpoint installed but so do all of my other Windows servers.
Does anyone have any suggestions as to what causes this and how I can resolve the issue? I don't want to disable the events from the Windows Filtering Platform in total but I wouldn't mind if I never saw one triggered by NXLog making network connections. Below is the same NXLog config I've used for all of the Windows servers, even the server I'm having the issue on. Any help you can give is greatly appreciated.
#define ROOT C:\Program Files (x86)\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
Module im_msvistalog
# Uncomment the following to collect specific event logs only
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>
<Output out>
Module om_udp
Host 172.xx.xx.xxx {<-- redacted for this post}
Port 12201
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
CityofRome created