bravosierra99

Untitled

Apr 29th, 2015
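  1. ## Please set the ROOT to the folder your nxlog was installed into,
  2. ## otherwise it will not start.
  3.  
  4. #define ROOT C:\Program Files\nxlog
  5. define ROOT C:\Program Files (x86)\nxlog
  6.  
  7. Moduledir %ROOT%\modules
  8. CacheDir %ROOT%\data
  9. Pidfile %ROOT%\data\nxlog.pid
  10. SpoolDir %ROOT%\data
  11. LogFile %ROOT%\data\nxlog.log
  12.  
  13. <Extension json>
  14. Module xm_json
  15. </Extension>
  16.  
  17. # Nxlog internal logs
  18. <Input internal>
  19. Module im_internal
  20. Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
  21. </Input>
  22.  
  23. # Each Select reads exactly one channel (Path); an EventID queried in a channel that never logs it simply never matches.
  24. # Windows Event Log: logon/logoff, group membership and lockout events (Query 0), integrity, install, log-clear and service events (Query 1)
  25. <Input eventlog>
  26. # im_msvistalog is the module for Windows Vista/2008 and later
  27. Module im_msvistalog
  28. Query <QueryList>\
  29. <Query Id="0">\
  30. <Select Path='Security'>*[System[(EventID='4624') ]]</Select> \
  31. <Select Path='Security'>*[System[(EventID='4625') ]]</Select> \
  32. <Select Path='Security'>*[System[(EventID='4648') ]]</Select> \
  33. <Select Path='Security'>*[System[(EventID='4728') ]]</Select> \
  34. <Select Path='Security'>*[System[(EventID='4732') ]]</Select> \
  35. <Select Path='Security'>*[System[(EventID='4634') ]]</Select> \
  36. <Select Path='Security'>*[System[(EventID='4735') ]]</Select> \
  37. <Select Path='Security'>*[System[(EventID='4740') ]]</Select> \
  38. <Select Path='Security'>*[System[(EventID='4756') ]]</Select> \
  39. </Query>\
  40. <Query Id="1"> \
  41. <Select Path='Application'>*[System[(EventID='1022') ]]</Select> \
  42. <Select Path='Security'>*[System[(EventID='4633') ]]</Select> \
  43. <Select Path='Security'>*[System[(EventID='5038') ]]</Select> \
  44. <Select Path='Security'>*[System[(EventID='6281') ]]</Select> \
  45. <Select Path='System'>*[System[(EventID='219') ]]</Select> \
  46. <Select Path='System'>*[System[(EventID='104') ]]</Select> \
  47. <Select Path='Security'>*[System[(EventID='1102') ]]</Select> \
  48. <Select Path='System'>*[System[(EventID='7045') ]]</Select> \
  49. </Query> \
  50. <Query Id="2">\
  51. <Select Path='Security'>*[System[(EventID='43') ]]</Select> \
  52. <Select Path='Security'>*[System[(EventID='400') ]]</Select> \
  53. <Select Path='Security'>*[System[(EventID='410') ]]</Select> \
  54. </Query>\
  55. </QueryList>
  56. # Query 1: 1022 (MsiInstaller) is read from Application and 219/104/7045 from System, where Windows logs them; 1102 (audit log cleared) stays in Security.
  57. # NOTE(review): 43/400/410 in Query 2 are still selected from Security and are unlikely to match there - confirm which channel logs them on your hosts and set Path accordingly.
  58. # NOTE(review): after any Path change, generate a test event per ID and confirm it arrives at the collector; a wrong Path is a silent gap.
  59. # Uncomment im_mseventlog for Windows XP/2000/2003
  60. # Module im_mseventlog
  61.  
  62. Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
  63. </Input>
  64. # NOTE(review): om_tcp sends these security events unencrypted and without verifying the receiver; if the collector supports TLS, prefer om_ssl with a CAFile.
  65. <Output out>
  66. Module om_tcp
  67. Host 120.40.80.131
  68. Port 5516
  69. </Output>
  70.  
  71. <Route 1>
  72. Path internal, eventlog => out
  73. </Route>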