Hello,
Maybe I can help you with this problem.
For a better understanding, we have 100+ Hyper-V servers running Windows Server 2019 and they all have NXLog configured.
Our standard configuration is shown below.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _fileop>
    Module xm_fileop

    # Check the log file size every hour and rotate if larger than 5 MB
    <Schedule>
        Every 1 hour
        <Exec>
            if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
                file_cycle('%LOGFILE%', 8);
        </Exec>
    </Schedule>

    # Rotate log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    # Optional XPath query; with no Query directive the module collects the default channels.
    #Query <QueryList>\
    #    <Query Id="0">\
    #        <Select Path="Application">*</Select>\
    #        <Select Path="System">*</Select>\
    #        <Select Path="Security">*</Select>\
    #    </Query>\
    #</QueryList>

    # For Windows 2003 and earlier use the following:
    # Module im_mseventlog
</Input>

<Output out>
    Module om_ssl
    Host graylog.domain.com
    Port 51412
    OutputType GELF_TCP
    CertFile %CERTDIR%/graylog3-certificate.pem
    CertKeyFile %CERTDIR%/graylog3-key.pem
    CAFile %CERTDIR%/cert3.pem
    KeyPass secret
    # AllowUntrusted true disables verification of the Graylog server certificate against CAFile
    AllowUntrusted true
    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;
    #Exec to_syslog_snare();
</Output>

<Route>
    Path in => out
</Route>
What we noticed with this configuration above is that it does pick up a lot of default events generated from Hyper-V servers, BUT we had to enable the proper audit logging in the domain controllers, and what I mean by that is some events did not come through.
Here is an example below just to give you a better understanding of what we had to go through.
We had to configure this in our domain controller as follows.
Step 1: Go to your Group Policy Management Console → Domain policy → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy / Advanced Audit Policy Configuration.
Step 2: Select the events you want to audit.
Step 3: Now to view the AD event logs for these, go to Administrative tools → Event Viewer.
Step 4: Select the type of AD audit logs that you wish to view (ex: Application, System, etc.).
So, the moral of the story is that if you need something unique or more verbose logging, you may have to enable certain audit logging configurations in your domain controller and/or Hyper-V server.
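As an added example (not part of the original post or of NXLog's own documentation), the following PowerShell run on a Hyper-V host or domain controller checks whether the audit policy from Step 1 is actually in effect and whether the Security log is receiving events, before troubleshooting the NXLog side. It uses only built-in tools (auditpol, Get-WinEvent, Get-Service); the nxlog.log path is the one from the configuration above, and the one-hour window is an arbitrary choice.

```powershell
# Added example, not from the original post: confirm the audit policy applied
# via GPO is effective on this host and that Security events are being written.

# 1. Dump the effective advanced audit policy (the settings the GPO in Step 1 pushes)
#    and flag every subcategory that is still not audited at all.
$auditText = auditpol /get /category:* 2>&1
$auditText | Select-String -Pattern 'No Auditing' | ForEach-Object {
    Write-Warning ("Subcategory not audited: " + $_.Line.Trim())
}

# 2. Count Security events from the last hour by Event ID. An empty result here
#    means the events never reached the log, so NXLog cannot forward them.
$since  = (Get-Date).AddHours(-1)   # assumed window; adjust as needed
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
          -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Security events in the last hour; check the audit policy / GPO refresh (gpupdate /force)."
} else {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}

# 3. Confirm the NXLog service is running and look at the tail of its own log
#    (path taken from the configuration in the post) for SSL or connection errors.
Get-Service nxlog
Get-Content 'C:\Program Files (x86)\nxlog\data\nxlog.log' -Tail 20
```

If step 1 reports "No Auditing" for a subcategory you expect (for example Logon/Logoff or Account Management), the missing events are a GPO problem, not an NXLog problem; if step 2 shows events but Graylog receives none, the om_ssl output (certificates, host, port) is the place to look.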