I'm trying to deploy NXLog Enterprise to a couple of Windows domain controllers, pointed to Graylog to audit security.
As part of this, we need the "ResolveSID" feature so have gone Enterprise edition. Unfortunately only got a 1 year sub approved which doesn't allow enterprise support :(
However with Enterprise edition, the only Security events that NXLog sends to Graylog are "Event log automatic backup" events when the .evtx files get rotated - nothing else from Security (all other sources seem OK).
The interesting thing here is that the Community edition doesn't have this problem - security events are forwarded just fine.
I've also tried the 32bit v4 Enterprise MSI (since the Community edition is 32bit), but it exhibits the same behaviour as above.
The v3 Enterprise edition seems to mostly work, but ignores "ResolveSID TRUE" (it reads the setting ok, I've tested this by changing it to a non-boolean value to test that it read it to complain about it, and it did, but when set to TRUE, it still sends unresolved numeric SIDs through for Event ID 4627 "Group membership information" events)
Does anyone have any further troubleshooting tips for either of these problems? Ideally I'd like to get v4 working.