My problem is I cannot collect AD DS or DNS events with NXLog and send them to an ELK server. In the NXLog config for the DC and DNS server I have the following query:
<QueryList>\
  <Query Id="0">\
    <Select Path="Security">*</Select>\
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4769)]]</Suppress>\
    <Select Path="System">*[System/Level=2]</Select>\
    <Select Path="Microsoft-Windows-ActiveDirectory_DomainService">*</Select>\
    <Select Path="Microsoft-Windows-DNS-Server-Service">*</Select>\
  </Query>\
</QueryList>
The config file works correctly without the Active Directory and DNS paths. The desired Security and System logs go to ELK correctly. I have also tried leaving only the AD DS or DNS paths in the config file, with no luck. I don't think I have the correct paths for AD DS and DNS in the config, and that is my problem. My Google-fu and Bing-fu haven't found any results giving me the Event ID channel for AD DS and DNS events. I've only found the Event ID channels for Application, Security, System, and Setup. Any suggestions? I'm up for any!
The DC/DNS server and the ELK server are running on Windows Server 2012. The ELK install is running the latest stable releases of ELK.
I found the answer. In Event Viewer on the DC/DNS server, right-click on the Event ID channel, e.g. Directory Service, and choose Filter Current Log. Doing so will bring up the Filter Current Log window. Click on the XML tab to find the QueryList information!
I have verified this works for Directory Service and DNS. I plugged in the Select Path and added a backslash in my NXLog config file.
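As an added example, not part of the question or the answer above, the following PowerShell script checks the procedure the answer describes before the query goes into nxlog.conf: it lists the exact channel names Event Viewer uses, then runs the QueryList through the same Windows Event Log API that NXLog's im_msvistalog module queries. The channel name "Directory Service" is taken from the answer; "DNS Server" is assumed to be the name of the DNS channel under Applications and Services Logs and should be confirmed against step 1 on your own server.

```powershell
# Added example (not from the original post): verify Windows event channel
# names and test an NXLog-style QueryList on the DC/DNS server before
# putting it in nxlog.conf. 'Directory Service' comes from the answer;
# 'DNS Server' is an assumed channel name, confirm it in step 1.

# Step 1: confirm the channels exist and show their exact LogName values.
# These LogName values are what goes into <Select Path="...">.
$channels = 'Security', 'System', 'Directory Service', 'DNS Server'
Get-WinEvent -ListLog $channels -ErrorAction Stop |
    Select-Object LogName, IsEnabled, RecordCount, LogMode

# Step 2: the query from the question, with the Directory Service and
# DNS Server channels in place of the provider-style names. In nxlog.conf
# every line of a multi-line directive value ends with a backslash, as in
# the question; a PowerShell here-string needs none.
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4769)]]</Suppress>
    <Select Path="System">*[System/Level=2]</Select>
    <Select Path="Directory Service">*</Select>
    <Select Path="DNS Server">*</Select>
  </Query>
</QueryList>
"@

# Step 3: run the query through the Windows Event Log API. A wrong Path
# (for example the provider-style name used in the question) fails here
# with a clear error instead of silently delivering no events to ELK.
# Get-WinEvent also throws when the query is valid but matches no events,
# so an empty Directory Service or DNS Server channel shows up here too.
try {
    $events = Get-WinEvent -FilterXml $query -MaxEvents 20 -ErrorAction Stop
    $events | Group-Object LogName | Select-Object Name, Count
} catch {
    Write-Warning "Query failed: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the DC itself. A channel that validates but returns zero events is worth noticing: the domain controller's directory and DNS activity would then be missing from the SIEM even though the NXLog pipeline reports no error.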