
NxLog to QRadar with TLS

Hello Everybody, 

We are currently using nxlog to send Windows logs to QRadar SIEM using TLS.

It works fine, but I receive extra lines in QRadar. I receive empty logs (containing Cg== in base64, which seems to be a carriage return or a line break).

The problem appears only when using module om_ssl, not with om_tcp or om_udp. We tried to remove the line break or carriage return using the nxlog configuration, but we still have the behaviour.

Has anybody seen the same problem? How could I correct this behaviour?

You'll find our current configuration below.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module    xm_syslog
</Extension>

<Input internal>
    Module    im_msvistalog
    ReadFromLast TRUE
</Input>
<Output ssl_out>
    Module    om_ssl
    CertFile    C:\CERTDIR\syslog-tls.cert
    CertKeyFile    C:\CERTDIR\syslog-tls.key
    AllowUntrusted TRUE
    Host    10.0.0.1
    Port    6514
    Exec    to_syslog_snare();
</Output>

<Route 1>
    Path    internal => ssl_out
</Route>

Thank you !
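As an added illustration (not part of the original post or of NXLog), the following Python snippet shows why QRadar displays "Cg==" and how a receiver-side check can separate bare newline records from real Snare-format events. The sample stream is constructed; the newline-delimited framing is an assumption about what the TLS receiver reads from the socket.

```python
import base64

# Constructed sample of what a TLS syslog receiver might read from the socket:
# one Snare-format Windows event line followed by a bare newline record.
# Both the event content and the framing are assumptions for this example.
SAMPLE_STREAM = (
    b"<13>Jan 10 12:00:00 HOST01 MSWinEventLog\t1\tSecurity\t42\t"
    b"Wed Jan 10 12:00:00 2024\t4624\tMicrosoft-Windows-Security-Auditing\t"
    b"N/A\tSuccess Audit\tHOST01\tLogon\t\tAn account was successfully logged on.\t1\n"
    b"\n"
)


def split_records(stream: bytes) -> list:
    """Split a newline-delimited stream into records, keeping the terminator
    on each record so that a record consisting only of a newline stays visible."""
    return stream.splitlines(keepends=True)


def qradar_payload(record: bytes) -> str:
    """Base64 the raw record the way QRadar shows a payload it cannot parse.
    A lone line feed (0x0A) encodes to "Cg==", a CRLF pair to "DQo=". """
    return base64.b64encode(record).decode("ascii")


def is_empty_record(record: bytes) -> bool:
    """True when the record carries nothing but CR/LF characters."""
    return record.strip(b"\r\n") == b""


def filter_records(stream: bytes):
    """Return (real events without their terminators, base64 of the empty
    records that would otherwise appear as blank events in the SIEM)."""
    kept, dropped = [], []
    for rec in split_records(stream):
        if is_empty_record(rec):
            dropped.append(qradar_payload(rec))
        else:
            kept.append(rec.rstrip(b"\r\n"))
    return kept, dropped


if __name__ == "__main__":
    events, blanks = filter_records(SAMPLE_STREAM)
    print(f"{len(events)} real event(s), {len(blanks)} empty record(s): {blanks}")
```

Running this on the constructed stream reports one real event and one empty record whose payload is exactly "Cg==", matching what the post describes seeing in QRadar.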