nxlog.conf

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList> \
           <Query Id="0"> \
            <Select Path="Security">*</Select> \
            <Select Path="System">*</Select> \
            <Select Path="Application">*</Select> \
            <Select Path="OAlerts">*</Select> \
            <Select Path="Windows PowerShell">*</Select> \
            <Select Path="Microsoft-Windows-OfflineFiles/Operational">*</Select> \
            <Select Path="Microsoft-Windows-ReadyBoost/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Application-Experience/Problem-Steps-Recorder">*</Select> \
            <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> \
            <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select> \
            <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select> \
            <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select> \
            <Select Path="Microsoft-Windows-Applocker/EXE and DLL">*</Select> \
            <Select Path="Microsoft-Windows-Applocker/MSI and Script">*</Select> \
            <Select Path="Microsoft-Windows-Bits-Client/Operational">*</Select> \
            <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select> \
            <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*</Select> \
            <Select Path="Microsoft-Windows-CorruptedFileRecovery-Client/Operational">*</Select> \
            <Select Path="Microsoft-Windows-CorruptedFileRecovery-Server/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*</Select> \
            <Select Path="Microsoft-Windows-International-RegionalOptionsControlPanel/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*</Select> \
            <Select Path="Microsoft-Windows-Kernel-Power/Thermal-Operational">*</Select> \
            <Select Path="Microsoft-Windows-Kernel-StoreMgr/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Kernel-WDI/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Kernel-WHEA/Errors">*</Select> \
            <Select Path="Microsoft-Windows-Kernel-WHEA/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Known Folders API Service/Operational">*</Select> \
            <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> \
            <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> \
            <Select Path="Microsoft-Windows-UAC/Operational">*</Select> \
            <Select Path="Microsoft-Windows-UAC-FileVirtualization/Operational">*</Select> \
            <Select Path="Microsoft-Windows-UAC/Operational">*</Select> \
            <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select> \
            <Select Path="Microsoft-Windows-WER-Diag/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> \
            <Select Path="Microsoft-Windows-Windows-WinRM/Operational">*</Select> \
           </Query> \
          </QueryList>   
</Input>
<Output out>
    Module      om_udp
    Host        $IP
    Port        8531
    Exec        $submission_id = file_read("C:\id.txt");
    Exec        to_json(); $message = $raw_event;
</Output>

<Route 1>
    Path        in => out
</Route>