Multiple logs in Windows Event Log


#1 santiagonahuel.sarchetti@bbva.com

Hi, I have a problem trying to send the raw event of Windows Server 2016. I have this configuration in nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _leef>
    Module  xm_leef
</Extension>

<Extension xml>
    Module           xm_xml
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension rewrite>
    Module          xm_rewrite
    Keep            EventXML
</Extension>

<Input argentina>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                 <Select Path="Security">*[System[band(Keywords,13510798882111488)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor buffer1>
    Module                pm_buffer
    MaxSize               102400
    Type                  Mem
</Processor>

<Output qradar>
    Module  om_tcp
    Host    XXX.XXX.XXX.XXX:514
    Exec    $raw_event = $EventXML;
    Exec    delete_all();
</Output>

<Route r1>
    Path    argentina => buffer1 => qradar
</Route>

but in our SIEM I see this output (every line is a different log):

[Showing image (22).png]

I used "tcpdump" to see if every log is a different packet, but I saw that it's only one packet that has a special character separating the lines (I thought).

Could someone help me solve this? Maybe using "replace" or changing the encoding.


Thanks
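The symptom described in the post (one TCP segment on the wire, many events in the SIEM) is what a receiver that frames records on line feeds makes of pretty-printed EventXML: every CR/LF inside the XML ends one record and starts the next. The Output block below is an added example, not part of the original post or NXLog's own documentation; it keeps the poster's host placeholder and assumes the receiver splits on LF, so it collapses the line breaks and their indentation before the event is sent.

```apache
<Output qradar>
    Module  om_tcp
    Host    XXX.XXX.XXX.XXX:514
    # Before (as posted): the raw XML keeps its CR/LF and indentation, so a
    # newline-framed receiver shows each XML line as a separate event.
    #   Exec $raw_event = $EventXML;
    # After: copy the XML, then replace every line break (optional CR, LF,
    # following whitespace) with one space so the event travels as a single
    # newline-terminated record. The XML stays well-formed; only layout is lost.
    Exec    $raw_event = $EventXML; \
            $raw_event =~ s/\r?\n\s*/ /g;
</Output>
```

If the receiver is later switched to octet-counted framing, the substitution is no longer needed, but it is harmless to keep.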