Sorry for the slow response, finally slept for a decent length.
We are getting everything from the Windows Event logs by default just fine where they should be.
Logall is grabbing everything else into archives.
What I need is the contents of the mentioned text files, especially changes in role or configuration and the user that made them.
What I cannot get a handle on is why they don't show up at all.
I have read the docs and tried to modify local_rules.xml to grab all the content from those, and it fails the config check without enough explanation as to why.
<group name="QlikSense Roles">
<rule id="100001" level="7">
<srcip>192.168.2.10</srcip>
<description>Example of rule that will grab role changes</description>
<description>Role Change from IP 192.168.2.10</description>
</rule>
User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin (from one logfile)
<decoder name="tom_decoder">
  <prematch>^TomTag: </prematch>
</decoder>

<decoder name="tom_decoder-log1">
  <parent>tom_decoder</parent>
  <prematch>updated</prematch>
  <regex offset="after_parent">User '(\S+)' updated by '(\S+)</regex>
  <order>srcuser,dstuser</order>
</decoder>

<decoder name="tom_decoder-log2">
  <parent>tom_decoder</parent>
  <prematch offset="after_parent">^Stream</prematch>
  <regex offset="after_parent">Stream with name '(\S+)' added by user '(\S+)</regex>
  <order>url,user</order>
</decoder>

<group name="tom_group,">
  <rule id="10002" level="0">
    <decoded_as>tom_decoder</decoded_as>
    <description>Tom: messages grouped</description>
  </rule>
  <rule id="10003" level="0">
    <if_sid>10002</if_sid>
    <match>updated</match>
    <description>Tom: Updated event</description>
  </rule>
  <rule id="10004" level="0">
    <if_sid>10002</if_sid>
    <match>added</match>
    <description>Tom: Added event</description>
  </rule>
</group>
TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin
**Phase 1: Completed pre-decoding.
full event: 'TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'
hostname: 'LinMV'
program_name: '(null)'
log: 'TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'
**Phase 2: Completed decoding.
decoder: 'tom_decoder'
srcuser: 'AIPTEST\some.user'
dstuser: 'AIPTEST\qssadmin'
**Phase 3: Completed filtering (rules).
Rule id: '10003'
Level: '0'
Description: 'Tom: Updated event'
TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin
**Phase 1: Completed pre-decoding.
full event: 'TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin'
hostname: 'LinMV'
program_name: '(null)'
log: 'TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin'
**Phase 2: Completed decoding.
decoder: 'tom_decoder'
url: 'Test'
dstuser: 'AIPTEST\qssadmin'
**Phase 3: Completed filtering (rules).
Rule id: '10004'
Level: '0'
Description: 'Tom: Added event'
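
An added example, not code from the thread or from OSSEC: a small Python pre-check that reports where a local_rules.xml fragment stops being well-formed and flags rule IDs below 100000 (OSSEC's documented range for user-defined rules) and level 0 rules, which never alert. The function name lint_rules is hypothetical, and the two fragments are copied from the posts above.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

USER_RULE_ID_MIN = 100000  # OSSEC's documented floor for user-defined rule IDs

# Fragments copied from the thread above (second one trimmed to its first rule).
ASKER_RULES = """<group name="QlikSense Roles">
<rule id="100001" level="7">
<srcip>192.168.2.10</srcip>
<description>Example of rule that will grab role changes</description>
<description>Role Change from IP 192.168.2.10</description>
</rule>
"""
ANSWER_RULES = """<group name="tom_group,">
<rule id="10002" level="0">
<decoded_as>tom_decoder</decoded_as>
<description>Tom: messages grouped</description>
</rule>
</group>
"""

def lint_rules(text):
    """Return a list of problems found in a local_rules.xml fragment."""
    # A rules file holds several top-level elements, so wrap it in a synthetic
    # root; a strict XML parser (stricter than OSSEC's own) can then read it.
    try:
        root = ET.fromstring("<lint_root>\n" + text + "\n</lint_root>")
    except ET.ParseError as err:
        line, col = err.position
        line -= 1  # undo the offset introduced by the wrapper line
        reason = expat.ErrorString(err.code)
        if line > len(text.splitlines()):
            return [f"{reason}: an element is still open at end of file"]
        return [f"{reason} at line {line}, column {col}"]
    problems = []
    for rule in root.iter("rule"):
        rid, level = rule.get("id", ""), rule.get("level", "")
        if not rid.isdigit():
            problems.append(f"rule id {rid!r} is not a number")
        elif int(rid) < USER_RULE_ID_MIN:
            problems.append(f"rule {rid}: id is below {USER_RULE_ID_MIN}")
        if not level.isdigit():
            problems.append(f"rule {rid}: level {level!r} is not a number")
        elif int(level) == 0:
            problems.append(f"rule {rid}: level 0 is ignored, no alert is raised")
    return problems

if __name__ == "__main__":
    for name, text in (("asker", ASKER_RULES), ("answer", ANSWER_RULES)):
        for problem in lint_rules(text) or ["no problems found"]:
            print(f"{name}: {problem}")
```

Because the check uses a strict XML parser, it can also reject characters such as a bare `&` inside a regex that OSSEC's own parser may accept.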