Can't get Windows Event logs to send to Syslog server with new lines intact


#1 tdavis

I have to retain the new lines in a syslog.  I'm using NXLog to send logs from my laptop to a test syslog server.  I'm currently using the following:

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    Exec        to_syslog_ietf();
</Input>

<Processor rewrite>
    Module      pm_null
    Exec        $Message = $EventID + "|" + $EventType + "|" + $Hostname + "|" + $SourceName + "|" + $AccountName + "|" + $AccountType + "|" + $Domain + "|" + $UserID + "|" + $raw_event;
</Processor>

<Output out>
    Module      om_udp
    Host        192.168.100.33
    Port        514
    #Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        in => rewrite => out
</Route>

The way I can get the logs to send with the \r\n intact is to remove the Exec to_syslog_snare(), but then I lose all the other details about the log such as event ID etc. So I thought OK, I'll construct my own by using Exec $Message = all the data fields I want... this doesn't work... so then I started playing with to_syslog_ietf() and to_syslog_bsd() and they both strip out new lines.

What am I doing wrong?

#2 b0ti Nxlog ✓

Linebreaks in syslog cause problems with TCP transport and are removed. We are planning to make this configurable.
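Given that behaviour, one way a defender can keep the line structure of a Windows event message across syslog is to escape the CR/LF characters in $Message before calling to_syslog_ietf(), so the formatter has no raw line breaks left to strip, and to reverse the escaping on the collector. The config below is an added example, not the configuration of the original poster or of the NXLog project. It also builds the pipe-delimited message inside the input module rather than in a later processor: NXLog output modules send $raw_event, and to_syslog_ietf() renders $raw_event from $Message and the header fields, so $Message has to be set before to_syslog_ietf() runs, and the event text is taken from $Message rather than from $raw_event. Assumed from the question: the field names in the concatenation and the collector address 192.168.100.33, UDP port 514. replace(), string escapes such as "\\n", and the <Exec> block are NXLog core language features.

```nxlog
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    <Exec>
        # Added example config, not the poster's. Drop CR and turn each LF into
        # the two characters backslash + "n" so the syslog formatter has no raw
        # line break to remove; the collector can undo this with the inverse
        # replacement to get the original multi-line text back.
        if defined $Message
            $Message = replace(replace($Message, "\r", ""), "\n", "\\n");

        # Build the custom message from the same fields the question uses,
        # with the (escaped) event text as the last field. This must happen
        # before to_syslog_ietf(), because that call is what produces the
        # $raw_event that om_udp actually sends.
        $Message = $EventID + "|" + $EventType + "|" + $Hostname + "|" + $SourceName + "|" + $AccountName + "|" + $AccountType + "|" + $Domain + "|" + $UserID + "|" + $Message;

        # Render the RFC 5424 line into $raw_event.
        to_syslog_ietf();
    </Exec>
</Input>

<Output out>
    Module      om_udp
    Host        192.168.100.33
    Port        514
</Output>

<Route 1>
    Path        in => out
</Route>
```

Two things to check on the receiving side: the collector must apply the inverse replacement (the two-character sequence backslash + "n" back to a newline) before any rule that expects the original multi-line text, and since Windows event messages can be long and the escaping adds bytes, confirm that whole messages arrive over UDP rather than being truncated by datagram limits on the path.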