Hi guys,
I set up a graylog instance on debian in order to collect our windows clients' event logs.
I set up nxlog on my clients using a very basic config (no query at first). Input on graylog is very basic GELF UDP.
While everything seemed to work fine with the default candidates (eventlogs seen in eventviewer on the windows client were probably popping up on the graylog instance) I stumbled upon a curious case involving the windows defender eventlogs.
I am only seeing certain types of messages/EventIDs appear on graylog while other messages (of course the ones about more important EventIDs) from the same source/client don't seem to make it into the logserver.
I started searching on the windows setup and got so far as to see the UDP packets with the messages on the network - so that seems ok really.
I already tried to use TCP instead, but that doesn’t change the behavior either.
How can I figure out if/what of these is received on the graylog server and/or why these are not recorded/received?
Any help would be appreciated.
thanks in advance
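Added example, not from the original post and not Graylog's or nxlog's own code: a small stand-alone GELF UDP decoder you can bind to the input port on the Debian box (stop the Graylog input first, or bind a spare port and point one nxlog client at it) to see exactly what each datagram contains. It handles the three GELF payload forms (uncompressed JSON, gzip, zlib) and reassembles chunked messages (magic bytes `1e 0f`, an 8-byte message id, a sequence number and a chunk count), and it reports which of the GELF-required fields (`version`, `host`, `short_message`) are missing. The sample event, its EventID and host name are constructed for the demo; `listen()` is the part you would run against real traffic. One thing worth watching in its output: a message larger than one datagram is sent as several chunks, and a message that is still listed as pending never completed, so one of its chunks never arrived.

```python
"""Decode GELF UDP datagrams to see what a GELF input actually receives."""
import gzip
import json
import socket
import zlib
from collections import defaultdict

CHUNK_MAGIC = b"\x1e\x0f"   # GELF chunk header magic bytes
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_FIRST_BYTE = b"\x78"
CHUNK_HEADER_LEN = 12       # 2 magic + 8 message id + 1 sequence number + 1 chunk count
MAX_CHUNKS = 128            # GELF allows at most 128 chunks per message
REQUIRED_FIELDS = ("version", "host", "short_message")

# Constructed sample event (not a real Defender record); the long full_message
# makes the JSON larger than one chunk so chunking/reassembly can be exercised.
SAMPLE_EVENT = {
    "version": "1.1",
    "host": "win-client-01",
    "short_message": "constructed Windows Defender event",
    "_EventID": 1116,
    "full_message": "constructed event text " * 150,
}


def decompress_payload(payload: bytes) -> bytes:
    """GELF payloads may be gzip, zlib or plain JSON; pick by leading bytes."""
    if payload[:2] == GZIP_MAGIC:
        return gzip.decompress(payload)
    if payload[:1] == ZLIB_FIRST_BYTE:
        return zlib.decompress(payload)
    return payload


def missing_required_fields(message: dict) -> list:
    """Fields the GELF spec requires; a message without them is not valid GELF."""
    return [field for field in REQUIRED_FIELDS if field not in message]


def encode_gelf(message: dict, compression: str = "none") -> bytes:
    """Build a GELF payload the way a sender would (used here for the demo)."""
    raw = json.dumps(message).encode("utf-8")
    if compression == "gzip":
        return gzip.compress(raw)
    if compression == "zlib":
        return zlib.compress(raw)
    return raw


def chunk_message(payload: bytes, msg_id: bytes, chunk_size: int) -> list:
    """Split a payload into GELF chunk datagrams: magic + id + seq + count + data."""
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message needs more than 128 chunks")
    return [CHUNK_MAGIC + msg_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


class GelfReassembler:
    """Collects GELF UDP datagrams and reassembles chunked messages by message id."""

    def __init__(self):
        self._chunks = defaultdict(dict)  # message id -> {sequence number: data}

    def feed(self, datagram: bytes):
        """Return the decoded message when `datagram` completes one, else None."""
        if datagram[:2] != CHUNK_MAGIC:
            return self._decode(datagram)          # unchunked message
        if len(datagram) < CHUNK_HEADER_LEN:
            raise ValueError("truncated GELF chunk header")
        msg_id = datagram[2:10]
        seq, count = datagram[10], datagram[11]
        if not 0 < count <= MAX_CHUNKS or seq >= count:
            raise ValueError(f"invalid chunk numbering seq={seq} count={count}")
        parts = self._chunks[msg_id]
        parts[seq] = datagram[CHUNK_HEADER_LEN:]
        if len(parts) < count:
            return None                            # still waiting for chunks
        payload = b"".join(parts[i] for i in range(count))
        del self._chunks[msg_id]
        return self._decode(payload)

    def pending_messages(self) -> int:
        """Chunked messages started but never completed, i.e. a chunk was lost."""
        return len(self._chunks)

    @staticmethod
    def _decode(payload: bytes) -> dict:
        return json.loads(decompress_payload(payload).decode("utf-8"))


def listen(port: int = 12201):
    """Bind the GELF UDP port and print one line per decoded message or decode error."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    reassembler = GelfReassembler()
    while True:
        datagram, (src, _) = sock.recvfrom(65535)
        try:
            msg = reassembler.feed(datagram)
        except (ValueError, zlib.error, OSError) as exc:
            print(f"{src}: undecodable datagram ({exc})")
            continue
        if msg is None:
            print(f"{src}: chunk received, {reassembler.pending_messages()} message(s) pending")
            continue
        print(f"{src}: {msg.get('short_message', '')[:60]!r} "
              f"missing={missing_required_fields(msg)}")


if __name__ == "__main__":
    listen()
```

Compare the decoder's output for an event that shows up in Graylog with one that does not: if the missing ones are the chunked ones and some stay pending, chunks are being lost in transit; if they decode fine and have all required fields, the drop is happening inside Graylog and its input/journal metrics are the next place to look.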