Important eventIDs seem to be missed

#1 taxter

I am trying to collect Windows Defender Eventlogs on our win clients and forward them to our central log server (graylog).

I have included the Windows Defender Log in the config file's search query like this: <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>

This seems to work basically, as there are messages coming through to the log server (mostly of EventID 1150/1151), but the important ones (1116, 1117, ...) don't show up. I already tried to select 1116 and 1117 specifically in the query and provoked some entries of that type, but to no avail. The events are in the event log, but they don't make it out of the client system.

Searching the web didn't get me anywhere either, so I'm trying my luck with the nxlog community.

Any help would be very much appreciated! Thanks

#2 Zhengshi Nxlog ✓

I would create a new route with im_msvistalog to om_file and set ReadFromLast and SavePos to false, then check for their inclusion in the text file.
It is possible that 1116 and 1117 (MALWAREPROTECTION_STATE_MALWARE_DETECTED and MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN) haven't occurred since you started NXLog. It is also possible that your central syslog server is rejecting them for some reason.
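A concrete version of the debug route Zhengshi describes, written here as an added example (it is not from the original post or from NXLog's own documentation); the instance names and the output file path are assumptions. With ReadFromLast and SavePos both False, NXLog re-reads the whole Defender channel from its first record on every start, so detections that happened before the agent was (re)started also land in the file, and the query only admits 1116/1117 so nothing else clutters it:

```apache
# Added example: debug route that dumps Defender detection events to a local file.
# Names (defender_debug_in/out) and the output path are assumptions for this example.

<Extension json>
    Module      xm_json
</Extension>

<Input defender_debug_in>
    Module      im_msvistalog
    # Re-read the channel from the beginning and do not persist a position,
    # so events that occurred before NXLog started are included.
    ReadFromLast    False
    SavePos         False
    # Restrict to the two detection/action events the central server never sees.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Windows Defender/Operational">
                    *[System[(EventID=1116 or EventID=1117)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Serialize all parsed fields so the file shows exactly what would be forwarded.
    Exec        to_json();
</Input>

<Output defender_debug_out>
    Module      om_file
    File        "C:\\ProgramData\\nxlog\\defender_debug.json"   # assumed path
</Output>

<Route defender_debug>
    Path        defender_debug_in => defender_debug_out
</Route>
```

If 1116/1117 records appear in the file, the client side is reading them and the problem lies in the forwarding output or on the Graylog side; if the file stays empty after provoking a detection, the query or the channel read itself is at fault.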