Receiving Incomplete Windows Events
I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with MTU size. The default MTU across is 1500 (i.e. 1472 bytes actual length). But there are many events in Windows which are much larger than 1472. Those events having length greater than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM to parse the logs.
Can anyone please help me in diagnosing and resolving this?
What I know about MTU is that if the packets are greater than 1472 bytes, MTU fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.
#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
#============ NXLog Machine Log info =============
#=========== For Windows Event Log ===========
# For windows 2003 and earlier use the following:
# For windows 2005 and later use the following:
Path MSEvtIN => MSEvtOUT
Could you drop a full config here? I have some idea but want to be sure.