Windows event log formatting issues
Hi, I have a bit of an unconventional setup where I collect Windows logs on one server, then send these logs to another NXLog server via om_tcp with the outputType GELF_TCP. From this second NXLog server, I then forward the logs to a Graylog server using om_udp and outputType GELF_UDP. But the problem is that Graylog seems to receive one message for each row in the Windows log full message. If I instead forward directly from NXLog to Graylog without the second NXLog server in between, they arrive in the correct format. But I really need the other setup to work. Is there something I need to consider when it comes to formatting when first forwarding the logs to a second NXLog server and then to the Graylog server from there?
Does the collector server perform some kind of log transformation on the Windows logs being received via im_tcp? Do you use the same directive GELF_TCP for sending the logs to the Graylog directly and to the collector server? If yes, please try using this only on the output module of the server that “talks to” Graylog directly.
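The two-hop chain the reply describes, written out as an added example (not configuration from either poster): GELF is used only on the final hop to Graylog, and the NXLog-to-NXLog hop carries each Windows event as one record. Hostnames, ports and module instance names are placeholders, and using NXLog's Binary InputType/OutputType for the intermediate hop is my assumption; the relay's im_tcp would otherwise treat every newline inside a GELF message as the end of an event.

```apache
# Node 1: Windows host running NXLog (collector).
# No GELF here; the record is serialised in NXLog's own Binary format
# so multi-line message bodies survive the hop intact.
<Input eventlog>
    Module      im_msvistalog
</Input>

<Output to_relay>
    Module      om_tcp
    # placeholder host/port of the second NXLog server
    Host        relay.example.internal
    Port        1514
    OutputType  Binary
</Output>

<Route collector_route>
    Path        eventlog => to_relay
</Route>

# Node 2: relay NXLog server that "talks to" Graylog.
# xm_gelf must be loaded for OutputType GELF_UDP to be available.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input from_collector>
    Module      im_tcp
    Host        0.0.0.0
    Port        1514
    # must match the collector's OutputType
    InputType   Binary
</Input>

<Output to_graylog>
    Module      om_udp
    # placeholder host/port of the Graylog GELF UDP input
    Host        graylog.example.internal
    Port        12201
    # GELF only on the hop that Graylog receives
    OutputType  GELF_UDP
</Output>

<Route relay_route>
    Path        from_collector => to_graylog
</Route>
```

A quick check after reloading both nodes is that one Windows event with a multi-line Message field shows up in Graylog as a single message whose full_message still contains the line breaks.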