I'm trying to pass only Warning / Error / Critical level Application Logs through NXLog to my ELK stack. When I have this configuration <Input EventLog_In> Module im_msvistalog <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ </Query>\ </QueryList> Exec to_json(); </Input> everything works fine, and I'm collecting all levels of Application logs. I tried putting in a parameter on the <Select Path> line like this <Select Path="Application">*[Application/Level=1]</Select>\ And it craps itself and I get nothing. NXLog isn't reporting any issue, and I'm not seeing anything on the logstash side of things. I got the information about Event Viewer querying from this thread and adapted it to my use case: https://serverfault.com/questions/543494/query-specific-logs-from-event-log-using-nxlog