Maybe I can help you with this problem.
For a better understanding, we have 100+ Hyper-V servers running Windows Server 2019 and they all have Nxlog configured.
Our standard configuration is shown below.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log
# Check the log file size every hour and rotate if larger than 5 MB
Every 1 hour
if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
# Rotate log file every week on Sunday at midnight
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Exec $Hostname = hostname_fqdn();
Exec $FullMessage = $raw_event;
Path in => out
What we noticed with the configuration above is that it does pick up a lot of default events generated from Hyper-V servers, BUT we had to enable the proper audit logging on the domain controllers, and what I mean by that is some events did not come through.
Here is an example below, just to give you a better understanding of what we had to go through.
To make this happen as shown below.
We had to configure this on our domain controller as follows.
Step 1: Go to your Group Policy Management Console → Domain policy → Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy/Advanced audit policy configuration.
Step 2: Select the events you want to audit.
Step 3: Now to view the AD event logs for these, go to Administrative tools → Event Viewer.
Step 4: Select the type of AD audit logs that you wish to view (ex: Application, System, etc.).
So, the moral of the story is that if you need something unique or verbose logging, you may have to enable certain audit logging configurations on your domain controller and/or Hyper-V server.
Hope this helps.
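
Added example, not part of the original post: after the Group Policy change in steps 1-2, this PowerShell sketch checks on a Hyper-V host or domain controller which audit subcategories are still set to "No Auditing", since those events are never written and NXLog has nothing to forward. The function name `Get-AuditGap`, the subcategories passed to `-Wanted`, and the sample report are assumptions made for illustration.

```powershell
# Added example: list Advanced Audit Policy subcategories that are not audited.
# Parses the CSV report from: auditpol /get /category:* /r  (run elevated).
# Assumes an English-language OS; the setting text is localized on other builds.

function Get-AuditGap {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,  # raw lines of the /r report
        [string[]] $Wanted = @()                      # subcategories you expect; empty = all
    )
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $inScope = ($Wanted.Count -eq 0) -or ($Wanted -contains $row.Subcategory)
        if ($inScope -and $row.'Inclusion Setting' -eq 'No Auditing') {
            [pscustomobject]@{
                Host        = $row.'Machine Name'
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
            }
        }
    }
}

# Constructed sample report (host name and GUIDs are placeholders, not real data).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'HV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'HV01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,'
    'HV01,System,Directory Service Changes,{00000000-0000-0000-0000-000000000003},No Auditing,'
)

# Use the live policy when auditpol is available and returns data, else the sample.
$live = if (Get-Command auditpol.exe -ErrorAction SilentlyContinue) {
    auditpol.exe /get /category:* /r 2>$null
}
$lines = if ($live) { $live } else { $sample }

# Illustrative choice of subcategories; replace with the ones you selected in step 2.
Get-AuditGap -CsvLines $lines -Wanted 'Logon', 'Process Creation' |
    Format-Table -AutoSize
```

Run it after `gpupdate /force` on the target machine; any row it prints is a subcategory the policy has not yet enabled there.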