Attempting to debug om_http over ssl -- getting 400 Bad Request

#1 MB_244413

While we have been using NXLog for years, we have always just had it forward logs to third party for evaluation. Now we are trying to forward some Windows Application Log events to a Slack channel.

We can target the correct Windows Server Application events based on an EventID and output them to a text file using NXLog. But when we are trying to use om_http to Slack we are getting an error: 400 Bad Request.

Previously we were getting errors around certs that they could not be evaluated, but we now have the certificates in a directory and a directive in our output for om_http and that error seems to have gone away.

We have tried a simple Exec $message = "Hello" at the end of our input stanza just to simplify (and eliminate any special characters) what we might be sending to Slack.

Slack is expecting a JSON format.

In our output om_http stanza, we specify: Exec to_json(); ContentType application/json

nxlog.log just continuously shows this:

    2020-08-27 21:06:42 ERROR HTTP response status is not OK: 400 Bad Request
    2020-08-27 21:06:51 INFO reconnecting in 0 seconds
    2020-08-27 21:06:51 ERROR http response timeout from server
    2020-08-27 21:06:51 INFO connecting to hooks.slack.com:443
    2020-08-27 21:06:52 ERROR HTTP response status is not OK: 400 Bad Request
    2020-08-27 21:07:01 INFO reconnecting in 0 seconds
    2020-08-27 21:07:01 ERROR http response timeout from server
    2020-08-27 21:07:01 INFO connecting to hooks.slack.com:443
    2020-08-27 21:07:02 ERROR HTTP response status is not OK: 400 Bad Request

I started to go down the path of Wireshark to do some packet captures. All the traffic is encrypted, and I was hoping to capture the keys using a Windows environment variable (SSLKEYLOGFILE) on the NXLog host but that was to no avail.

Can anyone tell me what I might be missing? I'm afraid I may have a fundamental misunderstanding, or am just not seeing the obvious.

#2 manuel.munoz (Deactivated) Nxlog ✓

Can you paste your full config?