Issue selecting specific levels of windows application logs in NXLog


#1 pcort42

I'm trying to pass only Warning / Error / Critical level Application Logs through NXLog to my ELK stack. When I have this configuration

<Input EventLog_In>
    Module  im_msvistalog
    # The XML query is one multi-line directive value: each trailing
    # backslash continues it onto the next line of nxlog.conf.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                </Query>\
            </QueryList>
    # to_json() is provided by the xm_json extension, which must be loaded
    # elsewhere in the config: <Extension json> Module xm_json </Extension>
    Exec    to_json();
</Input>

everything works fine, and I'm collecting all levels of Application logs. I tried putting in a parameter on the <Select Path> line like this

<Select Path="Application">*[Application/Level=1]</Select>\

And it craps itself and I get nothing. NXLog isn't reporting any issue, and I'm not seeing anything on the logstash side of things.

I got the information about Event Viewer querying from this thread and adapted it to my use case: https://serverfault.com/questions/543494/query-specific-logs-from-event-log-using-nxlog

#2 pcort42

Figured it out. Apparently the reference for the error level isn't Application; it's System. My query now looks like this and works flawlessly:

<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\

I'm using Windows Server 2008 R2, fwiw.
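The Select above keys on the Level attribute of the event's System element; in Windows event logs Level 1 is Critical, 2 is Error, 3 is Warning, 4 is Information and 5 is Verbose, so 1, 2 and 3 is exactly the Warning/Error/Critical set the question asked for. Since NXLog stays silent when a Query matches nothing, it pays to check the XPath on the Windows host before putting it in nxlog.conf. The script below is an added example, not code from the poster or from NXLog; it assumes a Windows machine with an Application log and PowerShell 2.0 or later, runs the same query through Get-WinEvent -FilterXml, and fails if any event outside Level 1-3 comes back.

```powershell
# Added example (not from the original thread): validate the Event Log XPath
# query outside NXLog before deploying it. Assumes a Windows host with an
# Application log and PowerShell 2.0+ (Get-WinEvent -FilterXml).

# The same Select used in the working NXLog Query directive.
# Level 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# Pull up to 200 matching events. Get-WinEvent raises a non-terminating
# "No events were found" error when nothing matches; treat that as empty.
$events = @(Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 200 `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'Query is valid but matched no events in the Application log.'
} else {
    # Show how many events of each level the filter let through.
    $events |
        Group-Object -Property Level |
        Sort-Object -Property Name |
        ForEach-Object {
            $name = ($_.Group | Select-Object -First 1).LevelDisplayName
            '{0,-12} Level={1} count={2}' -f $name, $_.Name, $_.Count
        }

    # Fail loudly if anything outside Level 1-3 came back (it should not).
    $allowed    = @(1, 2, 3)
    $unexpected = @($events | Where-Object { $allowed -notcontains $_.Level })
    if ($unexpected.Count -gt 0) {
        throw ('Filter leaked {0} event(s) outside Level 1-3' -f $unexpected.Count)
    }
    Write-Output 'Filter returned only Critical/Error/Warning events.'
}

# Equivalent check without PowerShell (works on a bare Server 2008 R2 box):
# wevtutil qe Application /q:"*[System[(Level=1 or Level=2 or Level=3)]]" /c:5 /f:text
```

If Get-WinEvent reports an XPath error the same query will be rejected by im_msvistalog, and if it returns events of the wrong level the Select is matching the wrong element, which is what happened with the first attempt, where Level was looked up under a non-existent Application element instead of System. Once the query behaves here, paste it unchanged into the Query directive, keeping the trailing backslashes for NXLog's line continuation.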