Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

How to perform Windows NXLog.conf
Hello, I do admit I am totally lost about NXLog.conf for Windows 2K12 R2 machines. The purpose is to filter some EventIDs from the Security Event Log; for that I tried the nxlog.conf below:

    <Extension _syslog>
        Module      xm_syslog
    </Extension>

    <Input>
        Module      im_msvistalog
    # For windows 2003 and earlier use the following:
    #   Module      im_mseventlog
        Exec if ($EventID == 4634 or $EventID == 4624 or $EventID == 4672 or $EventID == 4801 or $EventID == 64 or $EventID == 7036 or $EventID == 7040) drop();\
            else\
            {\
                parse_syslog_ietf();\
                $Message = $FileName + ": " + $Message;\
                $SyslogFacility = syslog_facility_string(22);\
                $SyslogFacilityValue = syslog_facility_value("local6");\
                if ( $EventType == "INFO" ) $SyslogSeverityValue = 6;\
                if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4;\
                if ( $EventType == "ERROR" ) $SyslogSeverityValue = 3;\
            }
    </Input>

    <Output out>
        Module      om_udp
        Host        10.1.1.39
        Port        1514
        Exec        to_syslog_snare();
    </Output>

    <Route 1>
        Path internal, eventlog => out
    </Route>

Unfortunately, despite the host and port being well set, it doesn't work, and I also have these messages in nxlog.log:

    xxxxxx WARNING no routes defined!
    xxxxxx WARNING not starting unused module out

I would really appreciate any help.

CBush created
Replies: 1
How can I collect Active Directory Domain Service events and DNS events with Nxlog?
My problem is I cannot collect ADDS or DNS events with Nxlog and send them to an ELK server. In the Nxlog config for the DC and DNS server I have the following Query:

    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4769)]]</Suppress>\
            <Select Path="System">*[System/Level=2]</Select>\
            <Select Path="Microsoft-Windows-ActiveDirectory_DomainService">*</Select>\
            <Select Path="Microsoft-Windows-DNS-Server-Service">*</Select>\
        </Query>\
    </QueryList>

The config file works correctly without the Active Directory and DNS paths. The desired Security and System logs go to ELK correctly. I have also tried leaving only the ADDS or DNS paths in the config file, with no luck. I don't think I have the correct paths for ADDS and DNS in the config, and that is my problem. My Google-fu and Bing-fu haven't found any results giving me the Event ID channel for ADDS and DNS events. I've only found the Event ID channels for Application, Security, System, and Setup. Any suggestions? I'm up for any! The DC\DNS server and the ELK server are running on Windows Server 2012. The ELK install is running the latest stable releases of ELK. Thanks!

artvandelay05 created
Replies: 1
Can an nxlog.conf reference other nxlog.conf files? Please assist.
Hi, please advise... Thanks! Is it possible to have an nxlog.conf that references other nxlog.conf files? For example, if I have iis.conf, msevent.conf and log4net.conf, could I have an nxlog.conf that imports them in a componentized or modular format? nxlog.conf would look something like:

    import iis.conf
    import msevent.conf
    import log4net.conf

I am trying to handle many different roles for servers at a big company. Some servers just have log4net logs we want, other servers we just want iis logs from, and others iis logs and msevent logs. There are lots of combinations. I am looking for an easy way to handle all the server roles: web server, app server, DB server etc. Each server type is going to have different sets of logs processed and sent. Nxlog is awesome... keep up the great work. Thanks!

Best Regards,
Daniel

idigwww created
Replies: 1