
Well...

NXLog (last version from this site) installed on Windows Server 2012R2

Configured to get win-logs:

    SavePos     TRUE
    Module      im_msvistalog
    Query       <QueryList>                                 \
                  <Query Id="0" Path="Security">            \
                    <Select Path="Application">*</Select>   \
                    <Select Path="Security">*</Select>      \
                    <Select Path="System">*</Select>        \
                    <Suppress Path="Security">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>    \
                    <Suppress Path="System">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>    \
                  </Query>                                  \
                </QueryList>

As a result I see events only from System and Application... Nothing from Security

Any idea why this can happen?

Logs are captured by Windows - I can see them with eventvwr.msc, but nothing with NXLog

NXLog has no information, looks like everything is ok:

...INFO nxlog-ce-2.8.1248 started... - no errors, no warnings... nothing else

Asked December 24, 2014 - 8:47am


Answer (1)

If there are events from the Security log then you should check why events with event id 4624 are filtered out. Make sure your Query XML does what you want.

If you want to test your config on existing eventlog data then you should set the following:

ReadFromLast FALSE

SavePos FALSE
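
One way to "make sure your Query XML does what you want" without NXLog in the loop is to let Windows evaluate the same QueryList, one channel at a time. This is an added example, not part of the original thread or of NXLog; it uses the built-in `Get-WinEvent -FilterXml` cmdlet and assumes an elevated PowerShell session, since reading the Security channel requires administrative rights.

```powershell
# Added example, not from the original thread.
# The QueryList from the question, without the nxlog.conf line continuations.
$queryXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="System">*</Select>
    <Suppress Path="Security">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>
    <Suppress Path="System">*[System[(EventID=5156 or EventID=4663 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>
  </Query>
</QueryList>
'@

$doc = [xml]$queryXml
$report = foreach ($select in $doc.SelectNodes('//Select')) {
    $channel = $select.GetAttribute('Path')

    # Keep only this channel's Select and Suppress elements, so each channel
    # is tested on its own and a busy log cannot crowd out the others.
    $parts = $doc.SelectNodes("//*[@Path='$channel'][self::Select or self::Suppress]") |
        ForEach-Object { $_.OuterXml }
    $single = "<QueryList><Query Id='0' Path='$channel'>$($parts -join '')</Query></QueryList>"

    try {
        # The Windows Event Log API evaluates the query; -MaxEvents bounds the sample.
        $sample = @(Get-WinEvent -FilterXml ([xml]$single) -MaxEvents 1000 -ErrorAction Stop)
        $status = 'ok'
    } catch {
        # "No events were found" and access-denied errors both land here.
        $sample = @()
        $status = $_.Exception.Message
    }

    [pscustomobject]@{
        Channel         = $channel
        Returned        = $sample.Count
        Has4624InSample = [bool]($sample | Where-Object Id -eq 4624)
        Status          = $status
    }
}

$report | Format-Table -AutoSize -Wrap
```

If the Security row returns events here, the Query XML itself selects them, and the next thing to test is the `ReadFromLast FALSE` / `SavePos FALSE` setting given in the answer. `Has4624InSample` only reflects the sampled events, so a `False` there does not by itself mean the log holds no 4624 events.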

Comments (3)

  • Palain

    Hello,

    We have the same problem in my company, event id 4624 is missing from nxlog.

    Can you describe the resolution with your policies please?

     

    Pierre-Alain