Initiated a 30-day trial today to test what I had thought would be a fairly straightforward use case.
The following config works fine to forward Windows events from the local machine via syslog, but when I add the File directive for im_msvistalog to the Input module section, the events in the file are not forwarded over syslog. The file is correctly formatted and can be read via the event viewer. I also tested writing the contents of the file to a local JSON file as per examples in the documentation; that worked fine as well.
The file is publicly available at: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_sysmon-3-rdp-tun.evtx
Here are the contents of the config file:
define LOGHOST 192.168.xxx.xxx
File C:\Program Files\nxlog\logs\test_log.evtx
Exec $Hostname = hostname();
Path event_in => tcp_out