I'm trying to pass only Warning / Error / Critical level Application Logs through NXLog to my ELK stack. When I have this configuration
<Input EventLog_In>
    Module im_msvistalog
    # this kinda works for me, put * to get everything
    # (the trailing backslashes continue the Query value over several lines)
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Application">*</Select>\
              </Query>\
          </QueryList>
    # serialize each event's fields as a JSON object for Logstash
    Exec to_json();
</Input>
everything works fine, and I'm collecting all levels of Application logs. I tried putting in a parameter on the <Select Path> line like this
<Select Path="Application">*[Application/Level=1]</Select>\
And it craps itself and I get nothing. NXLog isn't reporting any issue, and I'm not seeing anything on the logstash side of things.
I got the information about Event Viewer querying from this thread and adapted it to my use case: https://serverfault.com/questions/543494/query-specific-logs-from-event-log-using-nxlog
Figured it out. Apparently the reference for error level isn't Application, it's System. My query now looks like this and works flawlessly:
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
I'm using Windows Server 2008 R2, fwiw.
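As an added example that is not part of the original question or answer: before pasting an XPath filter into the NXLog Query directive, it is worth running the same expression through Get-WinEvent on the collecting host, which uses the same Event Log XPath subset as im_msvistalog and surfaces a filter that matches nothing as an error instead of silently forwarding nothing. The Level mapping (1 = Critical, 2 = Error, 3 = Warning) is the Windows Event Log convention; the log name and variable names are my own choices.

```powershell
# Added example, not from the original post: validate the XPath filter used in
# the NXLog <Select> element against the live Application log before deploying.
# Get-WinEvent ships with PowerShell 2.0, so this also works on Server 2008 R2.

# The filter from the accepted fix. The Level element lives under the <System>
# node of the event XML, which is why "Application/Level" matched nothing.
$xpath = '*[System[(Level=1 or Level=2 or Level=3)]]'

# Dry run: pull the most recent matching events. With -ErrorAction Stop, a
# filter that is rejected or matches no events raises an exception here rather
# than the empty pipeline NXLog produced in the question.
try {
    $events = Get-WinEvent -LogName Application -FilterXPath $xpath `
                           -MaxEvents 20 -ErrorAction Stop
} catch {
    Write-Error "Filter returned nothing or was rejected: $($_.Exception.Message)"
    return
}

# Show that only Critical/Error/Warning came back.
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize

# Same check with the complete QueryList, exactly as it appears in the NXLog
# Query directive (minus the line-continuation backslashes), so the XML
# structure is verified too, not just the XPath inside it.
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Application">$xpath</Select>
  </Query>
</QueryList>
"@
$viaXml = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 20 -ErrorAction Stop
"QueryList form returned $($viaXml.Count) events"
```

Running the original `*[Application/Level=1]` through the first call is a quick way to reproduce the failure: the call errors out instead of returning events, which is the signal NXLog did not give.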