Many files sending logs to a Rsyslog server
Hi all,
I am currently using Nxlog CE v3.2.2329 in a Windows 10 21H2 virtual machine to send logs to an Rsyslog server using the syslog RFC 5424 format.
For this configuration, I use im_msvistalog for input and om_tcp with the Exec to_syslog_ietf(); command to send them to the rsyslog server.
<Input Source_Eventlogs>
Module im_msvistalog
</Input>
<Output Dest_LogServer>
Module om_tcp
Host 192.168.1.1
Port 514
Exec to_syslog_ietf();
</Output>
<Route send>
Path Source_Eventlogs => Dest_LogServer
</Route>
On the rsyslog server I receive the logs using a template that sends them to the right folder and then to the right log file:
$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFile
I met a first issue with security logs that were sent to a folder named after the IP address. I assumed the issue was due to failed name resolution, and after adding the Nxlog client name to the /etc/hosts file the first issue was solved.
I met a second issue with event logs that create many folders in the rsyslog folder because the logs are sent without a hostname.
For example, I receive logs in a folder named VMICTimeProvider, and when I look at the notice.log file I can see that there is no hostname:
cat VMICTimeProvider/notice.log
2023-07-22T09:18:39.022270+00:00. VMICTimeProvider (Local)
2023-07-23T09:40:51.040169+00:00. VMICTimeProvider (Local)
2023-07-24T08:03:51.264202+00:00. VMICTimeProvider (Local)
I tried to correct the reception on the rsyslog side with receive conditions like:
# the template has to be declared before the rule that references it
$template WindowsLogs,"/var/log/rsyslog/Windows/Windows/log"
if $fromhost-ip == '1.2.3.4' then {
    # legacy selector/action is accepted inside a RainerScript block
    *.* -?WindowsLogs
}
But I would have to write a line for every Windows collection in the file, and I think that if I want to forward the logs to another file server the log lines will still be missing the hostname and I will meet the same problem.
Thank you for your help.
Kind regards.
Adrien
Hello Adrien,
The module takes the field called EvtSystemComputer to fill $Hostname:
→ https://docs.nxlog.co/ce/current/index.html#im_msvistalog
If that's not present it will not be populated.
One way to work around it is a conditional → https://docs.nxlog.co/ce/current/index.html#lang_statement_if
combined with the defined operator → https://docs.nxlog.co/ce/current/index.html#lang_unary_operations
See the example there.
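The workaround described in the reply above, written out as a complete NXLog CE configuration. This is an added example, not code from either post or from NXLog's documentation: it keeps the original module, route and destination (192.168.1.1:514 are the values from the question), and adds one Exec statement on the input that tests $Hostname with the defined operator and, when the event carried no EvtSystemComputer, fills it from the collector's own hostname via the core hostname() function before to_syslog_ietf() builds the RFC 5424 header. The assumption is that the agent only collects the local machine's event log, so its own hostname is the right value.

```apacheconf
# NXLog CE agent on the Windows 10 VM (added example, not the original poster's config)

<Input Source_Eventlogs>
    Module  im_msvistalog
    # Events such as VMICTimeProvider arrive without EvtSystemComputer, so the module
    # leaves $Hostname undefined and the syslog HOSTNAME field is emitted empty.
    # Fall back to the collector's own hostname; this runs before the output's Exec,
    # so to_syslog_ietf() sees the filled-in value. Assumption: only local events are
    # collected, otherwise this would label remote machines' events with this host.
    Exec    if not defined($Hostname) $Hostname = hostname();
</Input>

<Output Dest_LogServer>
    Module  om_tcp
    Host    192.168.1.1
    Port    514
    # Build the RFC 5424 line only after $Hostname is guaranteed to be set.
    Exec    to_syslog_ietf();
</Output>

<Route send>
    Path    Source_Eventlogs => Dest_LogServer
</Route>
```

Two things worth checking after deploying this. First, confirm the ordering: the fallback has to execute before to_syslog_ietf(), so it belongs either on the input (as above) or on the output as a statement placed before the to_syslog_ietf() call; putting it after the conversion changes nothing in the emitted line. Second, the rsyslog side needs no per-host rule anymore: once every message carries a real HOSTNAME, the existing DynamicFile template files everything under the correct host directory, and forwarding to a second server preserves the hostname as well, which is the reason the original per-IP rsyslog workaround did not scale.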