
nxlog querylist doesn't work as expected


The above link is to a copy of my nxlog.conf. I couldn't find any documentation about how to use multiple blocks within a querylist block, but based on the name I assumed that I would be able to do this. My ELK server is receiving ALL events right now, not any of the filtered ones. I wanted to just use one query block but it is limited to 10 select entries. I can't find any examples of people using more than like 3 select entries. Has anyone had any luck with more advanced nxlog.conf files? Any help would be appreciated.


  • Actually, there is no issue with the XML. I was viewing old results in my database from when I was testing nxlog.conf with no queries. My bad!