Logon vs. Logoff Events to SIEM
All,
I'm struggling with NXLog forwarding events to our SIEM. I'm able to see Logoff (4647) events, but not Logon (4624) events. Under the Windows Event Log, we see both events occurring as expected, but our SIEM is only getting Logoffs...
Our config file is standard, but here it is below...
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
    Module xm_syslog
</Extension>
<Input internal>
    Module im_internal
</Input>
<Input eventlog>
    Module im_msvistalog
</Input>
<Output out>
    Module om_udp
    Host xx.yy.zz.xyz
    Port 514
    Exec to_syslog_snare();
</Output>
<Route 1>
    Path eventlog, internal => out
</Route>
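A receiver-side check, added here and not taken from the post or from NXLog, for the case above: it parses Snare-format lines in the shape to_syslog_snare() sends over UDP and tallies, per host, which Event IDs actually arrive and how large the biggest message for each ID is, so you can tell whether 4624 is missing on the wire or only in the SIEM. The sample lines, host names and the tab-field positions (EventID as the sixth field) are assumptions to confirm against a capture of the live feed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape to_syslog_snare() emits: syslog header,
# then tab-separated Snare fields. Hosts, times and text are made up; the field
# order (Criticality, Channel, Counter, EventTime, EventID, ...) is an assumption.
SAMPLE_LINES = [
    "<13>Jun 26 14:40:34 WS01 MSWinEventLog\t1\tSecurity\t101\tThu Jun 26 14:40:34 2014"
    "\t4647\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWS01\tLogoff"
    "\t\tUser initiated logoff.\t101",
    "<13>Jun 26 14:41:02 WS01 MSWinEventLog\t1\tSecurity\t102\tThu Jun 26 14:41:02 2014"
    "\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWS01\tLogon"
    "\t\tAn account was successfully logged on. " + "Detail " * 220 + "\t102",
    "<13>Jun 26 14:42:10 WS02 MSWinEventLog\t1\tSecurity\t7\tThu Jun 26 14:42:10 2014"
    "\t4647\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWS02\tLogoff"
    "\t\tUser initiated logoff.\t7",
    "not a Snare line at all",
]

# Syslog PRI, timestamp and hostname, followed by the Snare marker.
SNARE_RE = re.compile(r"^<\d{1,3}>\S+ +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) MSWinEventLog\t")
# Largest UDP payload that fits one Ethernet frame without IP fragmentation.
UDP_SAFE_BYTES = 1472


def parse_snare(line):
    """Return host, channel, event ID and wire size for one line, or None."""
    m = SNARE_RE.match(line)
    fields = line.split("\t")
    if not m or len(fields) < 6:
        return None
    return {"host": m.group("host"), "channel": fields[2],
            "event_id": fields[5], "bytes": len(line.encode("utf-8"))}


def summarize(lines):
    """Per (host, event_id): how many arrived and the largest message seen."""
    stats = defaultdict(lambda: {"count": 0, "max_bytes": 0})
    for rec in filter(None, map(parse_snare, lines)):
        key = (rec["host"], rec["event_id"])
        stats[key]["count"] += 1
        stats[key]["max_bytes"] = max(stats[key]["max_bytes"], rec["bytes"])
    return dict(stats)


def missing_event_ids(stats, expected=("4624", "4647")):
    """For each host seen, the expected IDs that never reached the collector."""
    return {h: [e for e in expected if (h, e) not in stats] for h in {h for h, _ in stats}}


def oversized(stats, limit=UDP_SAFE_BYTES):
    """Keys whose largest message would not fit a single unfragmented datagram."""
    return sorted(k for k, v in stats.items() if v["max_bytes"] > limit)
```

Feed it the raw lines captured at the SIEM's UDP listener; a host that shows 4647 but no 4624, or a 4624 message size far above the 4647 one, narrows down where to look next.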