Hello, I am testing nxlog to see if it works for sending security logs to our SIEM. I only want to send the Security events from our servers, and have our config file as shown:
define ROOT C:\Program Files (x86)\nxlog
# Uncomment the following to collect specific event logs only
# <Select Path="Application">*</Select>\
# <Select Path="System">*</Select>\
Path eventlog, internal => out
I get some security logs, but many are missing, like logon/logoff events (4624, 4634).
1. Why are these events missing, and
2. Eventually, I would like to only send certain Event IDs to our SIEM, and hope to get help with an example of what the query would look like with the specific Event IDs needed.
I will want to just send PCI Event IDs to our SIEM for retention.
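An added example (not from the original post) of what a selective im_msvistalog query looks like, restricted to the Security channel and the two Event IDs mentioned above; the SIEM host, port, output module and route name are placeholders.

```nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # XPath query: only the Security channel, only the listed Event IDs.
    # Add further IDs (for example your PCI list) as extra "or EventID=NNNN" terms.
    # The trailing backslashes continue the Query value onto the next line.
    Query   <QueryList>                                              \
                <Query Id="0">                                       \
                    <Select Path="Security">                         \
                        *[System[(EventID=4624 or EventID=4634)]]    \
                    </Select>                                        \
                </Query>                                             \
            </QueryList>
</Input>

<Output siem>
    # Placeholder destination: replace with your SIEM collector and the
    # output module it expects (om_tcp, om_ssl, om_udp, ...).
    Module  om_tcp
    Host    siem.example.com
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path    eventlog => siem
</Route>

# Check on the host itself that the query returns events before deploying;
# the query can only forward what the local audit policy actually writes:
#   wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4634)]]" /c:5 /f:text
```

If the wevtutil command returns nothing, the gap is in the audit policy or the account's right to read the Security log, not in the nxlog query.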