Hi, I'm looking at trying to convert an XML file from one of our filers containing this XML file below (top line is different to rest of the xml) into a syslog output: ` 4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurityservercf380853-6606-11e6-9638-00a098a5e1db/2fe0edc3-723f-11e7-ab83-00a098a627d4192.168.0.24S-1-5-21-1997283580-3459341067-486214353-122727falseDomainfirstname.lastnameSecurityDirectory000000000004cc;00;00000061;2a5f8706(server);/share%%4416 %%4423 81Read Data; List Directory; Read Attributes; ` Currently I have the following config but I'm not getting anything sent to the syslog server running on the same box (for testing purposes at present): define ROOT C:\Program Files (x86)\nxlog Module xm_gelf Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log Module xm_multiline HeaderLine /^/ EndLine /^/ Module xm_xml Module xm_json Module im_file File "C:\\audit.xml" SavePos FALSE ReadFromLast FALSE InputType multiline # Discard everything that doesn't seem to be an xml event if $raw_event !~ /^/ drop(); # Parse the xml event parse_xml(); # Rewrite some fields #$EventTime = parsedate($timestamp); #delete($timestamp); #delete($EventReceivedTime); # Convert to JSON to_json(); Module om_udp Host 192.168.0.12 Port 2548 Path in => out Can anyone point me at where I'm going wrong? Thanks for your help.

The config with `xm_multiline` will read XML when the tags are on separate lines like this: ``` foo bar ``` In this case it looks like your events are in a single line. Also looking at the data I see that this is XML extracted from the windows eventlog. You might want to consider using the `im_msvistalog` module to read that directly. There is a `File` directive for `im_msvistalog` in the Enterprise Edition that lets you read `.evtx` files directly that netapp creates.