Hello Everyone,
I am trying to forward Windows Server logs to Azure VM. We have a config for on premises forwarding. I have tried to make changes in config according to what i found in documentation.

New Config: (WIth Changes)
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension resolver>
Module xm_resolver
</Extension>

########################INPUTS##########################
<Input eventlog>
Module im_msvistalog
# ReadFromLast and SavePos control when we read data.

# False is good for troubleshooting, but not likely what you want in Prod
#ReadFromLast False
#SavePos False
TolerateQueryErrors True
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational"></Select>
<Select Path="Security"></Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
# This if is just so I only see 4662 events
#if $EventID != 4662 drop();
# These fields are set, but you will need to add the values to your output at some point.

# This is done automatically in Syslog IETF and JSON, but not Snare
$TypeR = ad_guid_to_name($ObjectType);
$NameR = ad_guid_to_name($ObjectName);
# These lines just log the values to the internal log file. Not needed for production, only troubleshooting.
log_info($raw_event);
log_info("TypeR: " + $TypeR);
log_info("NameR: " + $NameR);
</Exec>
</Input>
########################OUTPUTS##########################
<Output out>
Module om_udp
Host 52.165.172.76
Port 518
Exec to_syslog_bsd();
########################PUTS EVENT IN IETF FORMAT########
Exec to_syslog_snare();
</Output>
<Route 1>
Path eventlog => syslogout
</Route>

On-premises config
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _resolver>
Module xm_resolver
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension resolver>
Module xm_resolver
</Extension>

########################INPUTS##########################
<Input eventlog>
Module im_msvistalog
# ReadFromLast and SavePos control when we read data.

# False is good for troubleshooting, but not likely what you want in Prod
#ReadFromLast False
#SavePos False
TolerateQueryErrors True
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational"></Select>
<Select Path="Security"></Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
# This if is just so I only see 4662 events
#if $EventID != 4662 drop();
# These fields are set, but you will need to add the values to your output at some point.

# This is done automatically in Syslog IETF and JSON, but not Snare
$TypeR = ad_guid_to_name($ObjectType);
$NameR = ad_guid_to_name($ObjectName);
# These lines just log the values to the internal log file. Not needed for production, only troubleshooting.
log_info($raw_event);
log_info("TypeR: " + $TypeR);
log_info("NameR: " + $NameR);
</Exec>
</Input>
########################OUTPUTS##########################
<Output syslogout>
Module om_udp
#Module om_tcp
Host 10.0.0.129
Port 515
########################PUTS EVENT IN IETF FORMAT########
Exec to_syslog_snare();
</Output>
<Route 1>
Path eventlog => syslogout
</Route>
</Output>

If anyone can provide help it will be helpfull


Thank you.