Unable to replace Windows new line characters and tabs when using to_json
I am unable to replace \r\n and \t when using to_json. When using to_syslog_bsd I can replace them, but not with JSON. Do I have an error in my config or is this a bug?
    # Please set the ROOT to the folder your nxlog was installed into,
    # otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Input internal>
        Module im_internal
    </Input>

    <Input eventlog>
        Module im_msvistalog
        # For windows 2003 and earlier use the following:
        # Module im_mseventlog
    </Input>

    <Input mark>
        Module im_mark
        MarkInterval 60
        Mark 226d61792074686520666f726365206265207769746820796f7522
    </Input>

    <Output out>
        Module om_udp
        Host logspot.server.org
        Port 514
        Exec $raw_event = replace($raw_event, "\r\n", " ");
        Exec $raw_event = replace($raw_event, "\t", " ");
        Exec to_json();
    </Output>

    <Route 1>
        Path eventlog, internal, mark => out
    </Route>
to_json() creates a JSON taking all the fields (except raw_event) and puts the resulting JSON into raw_event. I assume you would want to strip newlines from $Message:
Exec $Message = replace($Message, "\r\n", " ");
The other option would be to call to_json() first and then replace the literal '\r\n' (not "\r\n") in the JSON in raw_event.
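The three orderings discussed in this thread, as an added Python model (not nxlog code and not part of the original posts): the question's order leaves the escapes in place, cleaning the field first works, and replacing after serialization works for the plain case but can also hit the escaped backslashes of a Windows path. The `to_json` function only mimics the behaviour described in the answer, and the events are constructed samples.

```python
import json

# Constructed sample events; field names ($Message, raw_event) follow the thread.
EVENT = {"raw_event": "An account was logged on.\r\n\tSubject: S-1-5-18",
         "EventID": 4624,
         "Message": "An account was logged on.\r\n\tSubject: S-1-5-18"}
PATH_EVENT = {"raw_event": "", "Message": "Deleted C:\\temp\\a.log\r\n"}

def to_json(event):
    """Model of to_json() as the answer describes it: serialize every field
    except raw_event, then overwrite raw_event with the result."""
    fields = {k: v for k, v in event.items() if k != "raw_event"}
    return {**event, "raw_event": json.dumps(fields)}

def strip_ws(text):
    # Replaces real CR LF and TAB characters, like "\r\n" and "\t" in the config.
    return text.replace("\r\n", " ").replace("\t", " ")

def asker_order(event):
    # Question's order: the cleaned raw_event is overwritten by to_json().
    cleaned = {**event, "raw_event": strip_ws(event["raw_event"])}
    return to_json(cleaned)["raw_event"]

def field_first(event):
    # First option in the answer: clean $Message, then serialize.
    cleaned = {**event, "Message": strip_ws(event["Message"])}
    return to_json(cleaned)["raw_event"]

def after_json(event):
    # Second option: after serialization the control characters exist only as
    # two-character escapes (backslash + letter), so match those literally.
    out = to_json(event)["raw_event"]
    return out.replace("\\r\\n", " ").replace("\\t", " ")

def is_valid_json(text):
    try:
        json.loads(text)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    for fn in (asker_order, field_first, after_json):
        for ev in (EVENT, PATH_EVENT):
            out = fn(ev)
            print(f"{fn.__name__:12} valid={is_valid_json(out)} {out}")
```

In the model, `C:\temp` serializes as `C:\\temp`, so the literal backslash-t replace splits the escaped backslash and the receiver gets a record it cannot parse.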