Forwarding events from Windows eventlog collector's "Forwarded Events" to Sumo

#1 alund

Hi All,

Checking to see if anyone has run into this.  I have a Windows event log collector, with a subscription set up to move specific security audit events to the "Forwarded Events" log.  From there, I am looking to push those logs to Sumologic.  Unfortunately Sumo's collector does not handle this well due to the out-of-sequence EventRecordID of the various events coming from the multiple desktops/servers we're collecting from.

Question:

I'm trying to take advantage of Sumo's native Windows event log parser; however, the options for sending the event log data using NXlog send it in specific formats (syslog_snare, XML, JSON, etc.).  Is there a configuration I can use which sends the messages in Windows event log format?  You'll see from my config below that I've tried several formats, to no avail.  Any suggestions would be greatly appreciated.

<Extension syslog>
    # Required for to_syslog_snare(); the posted config did not declare it
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Read only the events the WEF subscription has already placed in ForwardedEvents
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Input internal>
    # NXlog's own log messages; the route below references this input,
    # but the posted config never defined it
    Module      im_internal
</Input>

<Output out>
    Module      om_tcp
    Host        10.x.x.x
    Port        514
    # Alternatives tried; to_xml() additionally needs <Extension xml> with Module xm_xml
#    Exec       to_xml();
    Exec        to_syslog_snare();
#    Exec       $raw_event = replace($raw_event, "\r\n", " ");
#    Exec       $raw_event = replace($raw_event, "\t", " ");
#    Exec       $raw_event();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>

Thanks in advance,

-A
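The poster's underlying problem is that EventRecordID is a per-host, per-channel counter, so once a WEF collector funnels many machines into ForwardedEvents the IDs arrive interleaved and repeat across hosts, and any consumer that keys on the record ID alone will drop or misorder events. The script below is an added example (not from the original post, and not NXlog's or Sumo Logic's code) showing how a receiver should treat such a stream: key each event on (Hostname, Channel, RecordNumber) for de-duplication, order by EventTime, and flag gaps in each host's record sequence, which indicate dropped or purged events. It assumes NXlog's to_json() output with its default im_msvistalog field names (EventTime, Hostname, Channel, EventID, RecordNumber, where RecordNumber carries the Windows EventRecordID); the sample lines, hostnames and values are constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample input: five NXlog to_json() lines as they would arrive
# from a WEF collector's ForwardedEvents channel.  Field names are assumed to
# match NXlog's im_msvistalog defaults; hosts, times and values are made up.
# Line 4 is a duplicate delivery of line 1 (WEF re-sends after a hiccup), and
# SRV01 is missing record 56 between its records 55 and 57.
SAMPLE_LINES = [
    '{"EventTime":"2023-03-01 10:00:05","Hostname":"WKS01","Channel":"Security",'
    '"EventID":4624,"RecordNumber":1001,"Message":"An account was successfully logged on."}',
    '{"EventTime":"2023-03-01 10:00:01","Hostname":"SRV01","Channel":"Security",'
    '"EventID":4625,"RecordNumber":55,"Message":"An account failed to log on."}',
    '{"EventTime":"2023-03-01 10:00:03","Hostname":"WKS02","Channel":"Security",'
    '"EventID":4624,"RecordNumber":1001,"Message":"An account was successfully logged on."}',
    '{"EventTime":"2023-03-01 10:00:05","Hostname":"WKS01","Channel":"Security",'
    '"EventID":4624,"RecordNumber":1001,"Message":"An account was successfully logged on."}',
    '{"EventTime":"2023-03-01 10:00:09","Hostname":"SRV01","Channel":"Security",'
    '"EventID":4672,"RecordNumber":57,"Message":"Special privileges assigned to new logon."}',
]


def parse_line(line):
    """Parse one NXlog to_json() line; EventTime uses 'YYYY-MM-DD HH:MM:SS'."""
    ev = json.loads(line)
    ev["EventTime"] = datetime.strptime(ev["EventTime"], "%Y-%m-%d %H:%M:%S")
    return ev


def event_key(ev):
    """The EventRecordID (RecordNumber) is only unique within one host's channel,
    so the identity of a forwarded event is the (host, channel, record) triple."""
    return (ev["Hostname"], ev["Channel"], ev["RecordNumber"])


def dedupe_and_order(lines):
    """Drop duplicate deliveries and return events in EventTime order.

    Ordering by RecordNumber alone would interleave unrelated hosts' counters;
    EventTime is the only field that is comparable across sources."""
    seen = set()
    events = []
    for line in lines:
        ev = parse_line(line)
        key = event_key(ev)
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    events.sort(key=lambda e: (e["EventTime"], e["Hostname"], e["RecordNumber"]))
    return events


def find_gaps(events):
    """Per (host, channel), list RecordNumbers missing from the observed range.

    A gap means an event was dropped in transit or removed from the source log,
    which is worth alerting on for security audit channels."""
    by_source = {}
    for ev in events:
        by_source.setdefault((ev["Hostname"], ev["Channel"]), set()).add(ev["RecordNumber"])
    gaps = {}
    for source, numbers in by_source.items():
        missing = [n for n in range(min(numbers), max(numbers)) if n not in numbers]
        if missing:
            gaps[source] = missing
    return gaps


if __name__ == "__main__":
    ordered = dedupe_and_order(SAMPLE_LINES)
    for ev in ordered:
        print(ev["EventTime"], ev["Hostname"], ev["Channel"], ev["RecordNumber"], ev["EventID"])
    print("gaps:", find_gaps(ordered))
```

Whatever transport you end up using toward Sumo Logic, the same rule applies on the receiving side: anything that de-duplicates or orders forwarded Windows events must carry the originating Hostname and Channel alongside the record ID, never the record ID by itself.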

#2 b0ti Nxlog ✓

> Is there a configuration i can use which send the messages as windows eventlog format? 

The Windows event log format is a special binary format. I doubt that this is what Sumologic expects.