I'm trying to pass only Warning / Error / Critical level Application Logs through NXLog to my ELK stack. When I have this configuration

<Input EventLog_In> Module im_msvistalog

<QueryList>\ <Query Id="0">\

<Select Path="Application">*</Select>\

</Query>\ </QueryList>

Exec to_json(); </Input>

everything works fine, and I'm collecting all levels of Application logs. I tried putting in a parameter on the <Select Path> line like this

<Select Path="Application">*[Application/Level=1]</Select>\

And it craps itself and I get nothing. NXLog isn't reporting any issue, and I'm not seeing anything on the logstash side of things.

I got the information about Event Viewer querying from this thread and adapted it to my use case: https://serverfault.com/questions/543494/query-specific-logs-from-event-log-using-nxlog

AskedOctober 22, 2015 - 5:55pm

Answer (1)

Figured it out.  Apparently the reference for error level isn't Application, it's System. My query now looks like this and works flawlessly

<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\

I'm using Windows Server 2008 R2, fwiw.