I'm using NXLog to ship Windows event logs to an ELK stack. I need to preserve the datetime when the event happened <TimeCreated SystemTime=> that is stored in the event log.
However, the NXLog that is shipped doesn't preserve <TimeCreated SystemTime>, which I assume is because it's invalid JSON. How can I preserve this in my nxlog.conf? Otherwise, I'm stuck with EventTime, which appears to be the datetime of when NXLog processes the event, not when the event happened.
How do I handle this?