How to forward windows log using Nxlog to rsyslog server(linux)?

Question

Im using nxlog version 3.0 on WinServ2012 R2 Standard, i can forward the event logs under Eventviewer --> windows logs --> application, system, security. But Im not able to forward other log that is on different log directory/levels for example(screenshot)

below is my nxlog configuration file nxlog.conf , im trying to grab the usb drive/pen drives insert/eject logs from Microsoft-Windows-DriverDriverFrameworks-UserMode/Operational event log. Logs are populated but im not able to receive them at the syslog server.

Panic Soft
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE '%LOGDIR%/nxlog.log'
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogLevel INFO

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
    Module      xm_exec
</Extension>
<Extension _fileop>
    Module      xm_fileop
    <Schedule>
        Every   1 hour
        Exec    if (file_exists(%LOGFILE%) and (file_size(%LOGFILE%) >= 5M)) file_cycle(%LOGFILE%, 8);
    </Schedule>
</Extension>
<Input eventlog>
    Module       im_msvistalog
    ReadFromLast TRUE
    <QueryXML>
       <QueryList>
         <Query Id='1'>
            <Select Path='Application'>*</Select>
            <Select Path='Security'>*</Select>
            <Select Path='System'>*</Select>
            <Sekect Path='Microsoft-Windows-DriverDriverFrameworks-UserMode/Operational'>*</Select>
         </Query>
       </QueryList>
   </QueryXML>
</Input>

<Input agentlogging>
    Module      im_internal
</Input>

<Output logcontents>
    Module       om_tcp
    Host         10.10.10.100
    Port         514
    Exec         to_syslog_snare();
</Output>

<Output agentlog>
    Module       om_tcp
    Host         10.10.10.100
    Port         514
    Exec         to_syslog_snare();
</Output>
<Route 1>
    Path        eventlog => logcontents
</Route>

<Route 2>
    Path        agentlogging => agentlog
</Route>

Answer 1

To send syslog from NXLog to a syslog server you'd need to use the xm_syslog extension module and invoke one of the formatters (to_syslog_bsd(), to_syslog_ietf(), to_syslog_snare()) depending on the desired format that your syslog server supports. For more details see the Syslog section in the User Guide.

While some USB events stored in the Windows Eventlog, there are other data sources for USB events:

• Windows Event Tracing (ETW). NXLog EE has a module called im_etw that can collect ETW logs directly. See this post for the list of related ETW providers.
• Windows registry. USB devices are enumerated under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB and by monitoring this registry hive it is possible to detect changes to the USB configuration. The im_regmon input module supports registry monitoring in the NXLog EE.

Answer 2

Finally got it working, but the steps are trial/error thing:-

1. In the nxlog.conf file , change the param inside <Input eventlog> ReadFromLast TRUE to ReadFromLast FALSE and comment the lines(put hash# infront)

   # # #

2. Restart nxlog service from task manager

3. Uncomment the previously commented lines again

4. restart the nxlog service

5. Insert the USB pendrive into windows2012 machine and check logs

and I got the logs starting to showup,Im still not sure what triggred this thing.. since i want to read logs from last ,I changed the ReadFromLast FALSE to ReadFromLast TRUE and logs still are showing up