Problem with NT AUTHORITY\СИСТЕМА in windows event log


While reading logs from Windows, I got a string with two encodings, WIN-1251 and UTF-8:

like 2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\҈Ғƌ�Центр обновления Windows начал скачивать обновление.

where the whole message is in UTF-8, apart from the AccountName part (usually NT AUTHORITY\SYSTEM in the English version of Windows 7); in the Russian version it is NT AUTHORITY\СИСТЕМА, and in the logs it looks like NT AUTHORITY\҈Ғƌ�

If I use 

Asked March 23, 2017 - 9:39am
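The mixed-encoding line described in this post, reproduced and repaired in Python as an added example (this is not code from the post or from nxlog). The sample event is constructed here to match the quoted format; the helper names are this example's own, and it assumes the only non-UTF-8 bytes on the line are the Windows-1251 account name.

```python
# Added example, not from the original post or from nxlog: a line that is UTF-8
# everywhere except the AccountName field (written in Windows-1251) decodes as
# mojibake under a UTF-8-only reader; this shows the failure and one repair.
import re

# Constructed sample event: UTF-8 header and message text, but the localized
# SYSTEM account name (СИСТЕМА) encoded in Windows-1251, as on a Russian host.
HEAD = "2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\\".encode("utf-8")
ACCOUNT_CP1251 = "СИСТЕМА".encode("cp1251")          # bytes d1 c8 d1 d2 c5 cc c0
TAIL = " Центр обновления Windows начал скачивать обновление.".encode("utf-8")
MIXED_LINE = HEAD + ACCOUNT_CP1251 + TAIL

# What the same event looks like once everything is proper UTF-8.
EXPECTED = ("2017-02-21 16:40:24 IT-73.domain.name INFO 44 NT AUTHORITY\\СИСТЕМА "
            "Центр обновления Windows начал скачивать обновление.")

# 'surrogateescape' smuggles undecodable bytes through as lone surrogates
# U+DC80..U+DCFF, so a run of them marks exactly the bytes UTF-8 rejected.
_ESCAPED_BYTES = re.compile(r"[\udc80-\udcff]+")


def decode_utf8_only(raw: bytes) -> str:
    """What a UTF-8-only reader shows: every Windows-1251 byte becomes U+FFFD."""
    return raw.decode("utf-8", errors="replace")


def decode_mixed(raw: bytes, fallback: str = "cp1251") -> str:
    """Decode as UTF-8, then re-decode the byte runs UTF-8 rejected with `fallback`.

    This works because Windows-1251 Cyrillic letters (0xC0-0xFF) all look like
    UTF-8 lead bytes, so two of them in a row never form a valid UTF-8 sequence.
    Caveat: CP1251 bytes in 0x80-0xBF (punctuation, some symbols) following a
    letter can accidentally form a valid UTF-8 pair and would not be repaired.
    """
    text = raw.decode("utf-8", errors="surrogateescape")

    def repair(match: re.Match) -> str:
        raw_run = match.group(0).encode("utf-8", errors="surrogateescape")
        return raw_run.decode(fallback, errors="replace")

    return _ESCAPED_BYTES.sub(repair, text)


def account_name(line: str) -> str:
    """Pull the AccountName token (the part after NT AUTHORITY\\) out of a decoded line."""
    m = re.search(r"NT AUTHORITY\\(\S+)", line)
    return m.group(1) if m else ""


if __name__ == "__main__":
    print("utf-8 only :", decode_utf8_only(MIXED_LINE))
    print("repaired   :", decode_mixed(MIXED_LINE))
    print("account    :", account_name(decode_mixed(MIXED_LINE)))
```

The repair is deliberately narrow: it only touches byte runs that UTF-8 could not decode, so lines that are already clean UTF-8 pass through untouched, and the fallback code page is a parameter because the same mojibake shows up with other single-byte Windows code pages.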

Problem with Windows Event


nxlog CE v2.9.1504, Windows Server 2008 Enterprise

Relevant part of the config file:

Asked March 21, 2017 - 5:39pm

Forwarding events from Windows eventlog collector's "Forwarded Events" to Sumo

Hi All,

Checking to see if anyone has run into this. I have a Windows event log collector, with a subscription set up to move specific security audit events to the "Forwarded Events" log. From there, I am looking to push those logs to Sumologic. Unfortunately, Sumo's collector does not handle this well due to the out-of-sequence EventRecordIDs of the various events coming from the multiple desktops/servers we're collecting from.


Asked March 20, 2017 - 4:35pm

regex to drop certain string from message

Hello All,


I am new to nxlog, or rather to the logic of regexes and all that.

I am looking to drop any message which has *.*.*.255 in the message field. I tried the below, however it does not seem to be working for me:


Exec if $Message =~ /^([01][0-9][0-9]|2[0-4][0-9]|25[0-5]) . ^([01][0-9][0-9]|2[0-4][0-9]|25[0-5]) . ^([01][0-9][0-9]|2[0-4][0-9]|25[0-5]) . 255/  drop();


Please suggest.

Asked March 20, 2017 - 2:46pm
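The filter this question is after (drop any message carrying an address whose last octet is 255), written and exercised against constructed messages as an added example; it is not code from the post or from nxlog. nxlog's =~ operator uses PCRE, so the pattern below can be pasted into the Exec directive unchanged; Python's re module is used here only as the test bed, and the sample messages are made up.

```python
# Added example, not from the original post or from nxlog: a working version of
# the "drop anything with *.*.*.255" filter, plus the posted pattern kept beside
# it to show why it never matched.
import re

# One octet, 0-255, without requiring three digits. The posted alternatives
# ([01][0-9][0-9]|2[0-4][0-9]|25[0-5]) only match three-digit octets, so an
# address such as 10.0.0.255 could never match even if the rest were right.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

# Dots are escaped (an unescaped '.' matches any character), and the lookarounds
# keep 10.0.0.2550 and 1.2.3.255.4 from passing as an address ending in .255.
BROADCAST_RE = re.compile(rf"(?<![\d.]){OCTET}\.{OCTET}\.{OCTET}\.255(?![\d.])")

# Equivalent nxlog directive (assumed to sit in the Exec of the relevant module):
# Exec if $Message =~ /(?<![\d.])(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.255(?![\d.])/ drop();

# The pattern exactly as posted. Every '^' after the first can only match at
# offset 0, which is impossible once characters have been consumed, and ' . '
# demands a literal space, any character, space between octets; it matches nothing.
POSTED_RE = re.compile(
    r"^([01][0-9][0-9]|2[0-4][0-9]|25[0-5]) . ^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])"
    r" . ^([01][0-9][0-9]|2[0-4][0-9]|25[0-5]) . 255"
)


def should_drop(message: str) -> bool:
    """True when the message contains an IPv4 address ending in .255."""
    return BROADCAST_RE.search(message) is not None


def filter_messages(messages):
    """Return the messages nxlog would keep, i.e. those the filter does not drop."""
    return [m for m in messages if not should_drop(m)]


# Constructed sample messages, not real log data.
SAMPLE_MESSAGES = [
    "Dropped broadcast from 192.168.1.10 to 192.168.1.255 on eth0",
    "Dropped broadcast from 10.0.0.1 to 10.0.0.255 on eth0",
    "Accepted connection from 10.0.0.25 port 443",
    "Counter value 10.0.0.2550 exceeded threshold",
    "Session 255 opened for user alice",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("DROP" if should_drop(msg) else "KEEP", "|", msg)
    print("posted pattern matched:", sum(1 for m in SAMPLE_MESSAGES if POSTED_RE.search(m)))
```

Note that `*.*.*.255` is not regex syntax; the `*` quantifier repeats the preceding token, so the intended wildcard has to be spelled out as an octet pattern. The first two sample messages are dropped and the remaining three kept; the posted pattern matches none of them.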