Multiple logs in Windows Event Log
Hi, I have a problem trying to send the raw event from Windows Server 2016. I have this configuration in nxlog.conf:
Panic Soft
#NoFreeOnExit TRUE
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile   %LOGFILE%
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _leef>
    Module xm_leef
</Extension>

<Extension xml>
    Module xm_xml
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension rewrite>
    Module xm_rewrite
    Keep   EventXML
</Extension>

<Input argentina>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[band(Keywords,13510798882111488)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor buffer1>
    Module  pm_buffer
    MaxSize 102400
    Type    Mem
</Processor>

<Output qradar>
    Module om_tcp
    Host   XXX.XXX.XXX.XXX:514
    Exec   $raw_event = $EventXML;
    Exec   delete_all();
</Output>

<Route r1>
    Path argentina => buffer1 => qradar
</Route>
but in our SIEM I see this output (every line is a different log):
I used "tcpdump" to see if every log is a different packet, but I saw that it is only one packet that has a special character separating the lines (I thought).
Could someone help me solve this? Maybe using "replace" or changing the encoding.
Thanks
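An added example, not part of the original post: it assumes the separator seen in the capture is the CR/LF line breaks that Windows places inside the event XML, which a line-based TCP receiver then treats as record boundaries. The Output block below strips them with NXLog's replace() before the XML is assigned to $raw_event, so each event arrives as one line; the rest of the original configuration is unchanged.

```conf
<Output qradar>
    Module om_tcp
    Host   XXX.XXX.XXX.XXX:514
    # Original line, kept here for comparison; the multi-line XML it
    # forwards is split into one event per line by a line-based receiver:
    #   Exec $raw_event = $EventXML;
    # Collapse carriage returns and newlines so the whole XML document is
    # transmitted as a single record (assumed cause: embedded CR/LF).
    Exec   $raw_event = replace(replace($EventXML, "\r", ""), "\n", "");
    Exec   delete_all();
</Output>
```

A quick check after the change is to capture the traffic again and confirm that each packet's payload contains no 0x0D/0x0A bytes before the trailing record terminator.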