I want to include nxlog to send all Windows logs to syslog, plus Microsoft-Windows-Windows Defender/Operational. However, as "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" doesn't seem to include "Microsoft-Windows-Windows Defender", it doesn't read that config in at start and doesn't send those Windows Defender logs.
How can I get nxlog to send everything it does now, plus the Microsoft-Windows-Windows Defender logs, without having to define everything? The only way I can see to do this is with two im_msvistalog definitions, i.e.
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
<Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
Exec $Hostname = hostname();
[removed, but it's to Papertrail]
Path eventlog => eventlog_transformer => syslogout
Path eventlog_defender => eventlog_transformer => syslogout
That seems to work, except there are three problems compared to when I only have the Microsoft-Windows-Windows Defender input going and the other blocks deleted:
1. The Windows Defender logging is a little inconsistent: when testing with an EICAR test virus, the event doesn't always appear, probably a 50% chance it appears in the syslog (all events appear in the Windows log).
2. The severity and source are copied from the previous log line (usually info rather than warn severity, and not Microsoft-Windows-Windows Defender), maybe a threading issue?
3. Each row of text is on its own line rather than all in a single message, which is what happens when it's the only logging being sent.
Is there a better way to do 'everything' plus Microsoft-Windows-Windows Defender?
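For reference, an added example (not the poster's config and not taken from the nxlog project) of the single-input alternative: one im_msvistalog block whose QueryXML lists the standard channels together with the Defender operational channel, so everything flows through one Path. The channel names other than the Defender one, the global directives, the Papertrail host and port, and the choice of om_udp with BSD syslog format are assumptions; substitute your own endpoint and output module.

```nxlog
## Added example config, not from the original question.
## Global directives are the stock nxlog layout and are assumed.
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    # One query covering the classic channels plus the Defender channel.
    # im_msvistalog subscribes to channels by name through the Windows
    # Event Log API, so the channel does not have to be listed under
    # HKLM\SYSTEM\CurrentControlSet\Services\EventLog; Defender's channel
    # is a newer-style channel registered elsewhere, which is why it is
    # missing from that key.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $Hostname = hostname();
</Input>

<Output syslogout>
    # Assumed placeholder destination; replace with your Papertrail
    # host and port (or om_ssl with %CERTDIR% for an encrypted feed).
    Module om_udp
    Host   logs.papertrailapp.com
    Port   514
    # Serialise the whole event as one BSD syslog line so the message
    # text, severity and source stay attached to the event they came from.
    Exec   to_syslog_bsd();
</Output>

<Route eventlog_to_syslog>
    Path eventlog => syslogout
</Route>
```

Because there is only one input and one route here, nothing is interleaved from a second im_msvistalog reader, and the severity and source fields come from the same record as the message they are sent with. Before trusting the feed, confirm the channel name is spelled exactly as the Event Log API reports it (including the space in "Windows Defender"), since a misspelled Path in a QueryXML silently matches nothing.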