I'm using NXLog to ship Windows event logs to an ELK stack. I need to preserve the datetime when the event happened <TimeCreated SystemTime=> that is stored in the event log.


However, the NXLog that is shipped doesn't preserve <TimeCreated SystemTime>, which I assume is because it's invalid JSON. How can I preserve this in my nxlog.conf? Otherwise, I'm stuck with EventTime, which appears to be the datetime of when NXLog processes the event, not when the event happened.


How do I handle this?

Asked May 6, 2016 - 5:36pm

Answer (1)

The value of TimeCreated is stored in EventTime.

Comments (2)

  • cybergoof

    I don't believe that is correct. "EventTime" created by windows event system is the time in which the event occurred. I think that TimeCreated is the time in which the NXLog file is created/shipped.  Do I have that right?
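The thread above turns on which NXLog field carries which timestamp. As an added example (mine, not configuration from the NXLog project or from any poster), here is an nxlog.conf fragment that forwards Windows event log entries as JSON while copying the event's own timestamp and NXLog's receive time into explicitly named fields, so the two can be compared side by side in Kibana. It assumes NXLog's $EventTime (set by im_msvistalog from TimeCreated/SystemTime), NXLog's core $EventReceivedTime field, and a placeholder Logstash host and port.

```apacheconf
# Added example nxlog.conf fragment (not from the original thread).
# Host and Port below are placeholders; point them at your Logstash TCP input.

<Extension json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Pull only the Security channel here; widen the query as needed.
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    # $EventTime is populated from TimeCreated/SystemTime in the event XML.
    # $EventReceivedTime is when NXLog itself read the record (core field).
    # Copy both into clearly named fields so their meaning survives in Kibana.
    Exec        $OriginalEventTime = $EventTime; \
                $NxlogIngestTime   = $EventReceivedTime;
</Input>

<Output logstash>
    Module      om_tcp
    # placeholder values
    Host        logstash.example.internal
    Port        5140
    # Serialise every field, including both timestamps, into $raw_event.
    Exec        to_json();
</Output>

<Route eventlog_to_elk>
    Path        eventlog => logstash
</Route>
```

On the Logstash side, map OriginalEventTime (not NxlogIngestTime) to @timestamp with a date filter; a large gap between the two fields is also a useful signal that a host's log forwarding is lagging.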