Our setup: we have Windows Server 2019 servers that are forwarding some "Security" events to a single Windows Server 2019 event collector. On that single Windows Server 2019 event collector, we have installed NXLog, which is forwarding to Graylog.
Summary: servers --> event collector server (where NXLog is installed) --> Graylog server
All selected events are getting to the event collector, but only some are getting to Graylog. So the problem is somewhere on or after the event collector server.
Here is the complete NXLog config:
define ROOT C:\Program Files (x86)\nxlog
Path in => out
Is anything obvious missing?