## This is a sample configuration file. See the nxlog reference manual for the
## configuration options. It is installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
## Only the second define is active; it points at the "Program Files (x86)"
## install path. Keep exactly one ROOT define uncommented.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
## Every runtime directory is derived from ROOT.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# NOTE(review): the enclosing block tags (Extension / Input / Output / Route)
# are not present in this excerpt -- presumably lost during extraction.
# Confirm against the deployed file before relying on the structure below.
Module xm_json
# Input: nxlog's own internal log messages.
# NOTE(review): EventReceivedTime is divided by 1000000 here (seconds),
# whereas the eventlog input below divides by 1000 (milliseconds). Both
# inputs emit the same field name in different units; confirm which unit the
# downstream index expects and align the two.
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
# Input: Windows event log.
# NOTE(review): the Query value (normally an XML QueryList selecting the
# channels to collect) is empty in this excerpt -- only the line
# continuations survive. Confirm the deployed file carries the intended
# channel list; the set of channels collected is what determines visibility.
Module im_msvistalog
Query \
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
\
# note by tak (3/17/2015)
# $EventTime maps to the Windows event log's Event/System/TimeCreated field, in datetime type (refer to nxlog's manual).
# The time granularity on Windows is microseconds; dividing by 1000 yields a millisecond epoch.
# We use an epoch because (1) it is a format Elasticsearch can easily parse,
# and (2) the strftime function in nxlog (which comes from libc) cannot handle milliseconds.
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
Exec $EventTime = integer($EventTime) / 1000; to_json();
# Earlier variants of the Exec directives above, kept for reference only.
# Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; to_json();
# Exec to_json();
# Exec $Message = to_json();
# Exec to_json();
#Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
# Route both inputs to out3.
# NOTE(review): out3 is not defined in this excerpt; confirm its module and,
# if it forwards events off-host, that the transport is authenticated and
# encrypted so the log stream cannot be read or altered in transit.
Path internal, eventlog => out3