Hello guys, I have a special use case: I want to monitor object handling on a Windows server.
I created an auditing job that works very well. A good guide is "How to Audit File or Folder Deletion in Windows Server?".
I can now see the incoming events in the Windows Event Log.
I tried to forward the messages to Graylog, but it sends everything except the security logs. I need some help, please.
My two ideas to configure NXLog are:
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_udp
    Host xxx.xxx.xxx.xxx
    Port xxx
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>

And

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    <Query>
    <QueryList>\
    <Query Id="0">\
    <Select Path="Application">*</Select>\
    <Select Path="System">*</Select>\
    <Select Path="Security">*</Select>\
    </Query>\
    </QueryList>
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_udp
    Host xxx.xxx.xxx.xxx
    Port xxx
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>

This results in only system logs being sent.
Thanks
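
For reference, an added example that is not part of the original post and is not a confirmed fix for it: an im_msvistalog input limited to file-audit events from the Security channel, written with the `Query` directive as one logical line joined by backslash continuations, which is the form the NXLog documentation uses. The host 192.0.2.10, port 12201 and the choice of event IDs 4656, 4660 and 4663 are assumptions for illustration.

```conf
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
    # Query is a single directive: the keyword, then the XML on one logical
    # line. Every line except the last ends with a backslash, and no comment
    # may appear between the continued lines.
    # Assumed event IDs: 4656 (handle requested), 4660 (object deleted),
    # 4663 (object access attempt).
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4656 or EventID=4660 or EventID=4663)]]</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_udp
    # Placeholder address and port (assumed); use the Graylog GELF UDP input.
    Host        192.0.2.10
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>
```

After restarting the service, %ROOT%\data\nxlog.log shows whether the query was accepted or rejected when the input module started.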