Formatting codes in multi-line Windows event?
Hello,
I am attempting to use NXLog on Windows to forward Windows event logs as syslog. I am finding that Windows event 4672 (and only this event, oddly enough) keeps getting broken into multiple lines and showing the character strings #011 and #015:
May 18 10:29:20 desktop-XXXX #011#011#011SeLoadDriverPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeBackupPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeRestorePrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeDebugPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeAuditPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeSystemEnvironmentPrivilege #015 May 18 10:29:20 desktop-XXXX #011#011#011SeImpersonatePrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2021-05-18 10:29:20" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] {"EventTime":"2021-05-18 10:29:19","Hostname": <snip>
This event also shows up with the FQDN instead of the hostname that the other events are sent with. The logs are being formatted to JSON prior to sending.
I reviewed the documentation and I can't determine if there is a way to affect the parsing of this message. Thanks for any input!
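The `#011` and `#015` strings are the octal escapes that a syslog receiver such as rsyslog writes for the TAB and CR control characters it found in the message: the privilege list in a 4672 event is tab-indented with CRLF line endings, and the receiver split the message on the LF, giving every fragment its own syslog header. The following is an added example (editor's code, not from the post or from NXLog) that decodes those escapes, rejoins the fragments into one event body, collapses the control characters so the event is a single line again, and pulls out the assigned privileges, which is the part of a 4672 event a detection rule normally keys on. The sample lines are constructed after the fragment quoted above; the header regex assumes the classic BSD syslog `Mon DD HH:MM:SS host ` prefix seen there.

```python
"""Decode rsyslog-style #NNN escapes and rejoin a split Windows 4672 event.
Added example; not code from the post or from NXLog."""
import re

# Constructed sample modelled on the fragment in the post: each continuation
# line carries its own syslog header because the receiver split the original
# message on the embedded newlines.
SAMPLE_LINES = [
    "May 18 10:29:20 desktop-XXXX #011#011#011SeLoadDriverPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeBackupPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeDebugPrivilege#015",
]

# Classic BSD syslog prefix: "Mon DD HH:MM:SS hostname " (assumed format).
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# "#ooo" octal escape written by the receiver for a control character.
ESCAPE_RE = re.compile(r"#([0-7]{3})")


def decode_escapes(text: str) -> str:
    """Turn '#011'-style octal escapes back into the control characters
    (e.g. '#011' -> TAB, '#015' -> CR)."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), text)


def strip_header(line: str) -> str:
    """Remove the per-line syslog header the receiver added to each fragment."""
    return HEADER_RE.sub("", line, count=1)


def rejoin(lines) -> str:
    """Rebuild the original multi-line event body: drop the repeated header,
    decode the escapes, and put back the LF the receiver consumed when it
    split the message (the CR is still present, so lines end in CRLF)."""
    return "\n".join(decode_escapes(strip_header(line)) for line in lines)


def flatten(body: str) -> str:
    """Collapse runs of TAB, CR and LF into a single space so the event can
    travel as one syslog line; the same normalisation done at the source
    (before serialising to JSON) avoids the split entirely."""
    return re.sub(r"[\t\r\n]+", " ", body).strip()


def privileges(body: str) -> list:
    """Extract the Se*Privilege names assigned in the event, the field a
    4672 detection rule typically inspects."""
    return re.findall(r"\bSe\w+Privilege\b", body)


if __name__ == "__main__":
    body = rejoin(SAMPLE_LINES)
    print(repr(body))
    print(flatten(body))
    print(privileges(body))
```

Doing this on the receiver is a workaround; the cleaner fix is to normalise the field at the source before it is serialised, for example with an `Exec` directive in the NXLog input module that substitutes whitespace runs in `$Message` for a single space (assuming NXLog's usual `=~ s/.../.../g` substitution syntax), so that no raw TAB, CR or LF reaches the syslog framing.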