I am unable to replace \r\n and \t when using to_json. When using to_syslog_bsd I can replace them, but not with JSON. Do I have an error in my config or is this a bug?

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
</Input>

<Input mark>
    Module im_mark
    MarkInterval 60
    Mark 226d61792074686520666f726365206265207769746820796f7522
</Input>

<Output out>
    Module om_udp
    Host logspot.server.org
    Port 514
    Exec $raw_event = replace($raw_event, "\r\n", " ");
    Exec $raw_event = replace($raw_event, "\t", " ");
    Exec to_json();
</Output>

<Route 1>
    Path eventlog, internal, mark => out
</Route>

Asked October 12, 2016 - 1:26am

Answer (1)

to_json() creates a JSON taking all the fields (except raw_event) and puts the resulting JSON into raw_event. I assume you would want to strip newlines from $Message:

Exec $Message = replace($Message, "\r\n", " ");

The other option would be to call to_json() first and then replace the literal '\r\n' (not "\r\n") in the JSON in raw_event.
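The following is an added example, not part of the original question or answer: a small Python model of the three orderings discussed above (replace on raw_event before to_json(), replace on $Message first, replace on the JSON text afterwards). It assumes `json.dumps` is a fair stand-in for xm_json's escaping; the sample event and all function names are constructed for illustration, and the second option is extended here to the tab replacement from the question.

```python
import json

# Constructed sample event (not from the original post): a Windows-style
# record whose Message holds CRLF, tabs, and a path containing "\t".
SAMPLE = {
    "EventID": 4688,
    "Message": "A new process has been created.\r\n\tNew Process Name:\tC:\\temp\\tool.exe",
}

def to_json(event):
    """Model of to_json(): serialize every field except raw_event and
    store the result in raw_event (json.dumps stands in for xm_json)."""
    fields = {k: v for k, v in event.items() if k != "raw_event"}
    event["raw_event"] = json.dumps(fields)
    return event

def as_in_question(event):
    """Replace in raw_event, then to_json(): the edits are overwritten."""
    event = dict(event, raw_event=event["Message"])
    event["raw_event"] = event["raw_event"].replace("\r\n", " ").replace("\t", " ")
    return to_json(event)["raw_event"]

def fix_fields_first(event):
    """Answer's first option: clean the Message field, then serialize."""
    event = dict(event)
    event["Message"] = event["Message"].replace("\r\n", " ").replace("\t", " ")
    return to_json(event)["raw_event"]

def fix_after_json(event):
    """Answer's second option, extended to tabs: replace the literal
    backslash escapes in the finished JSON text."""
    raw = to_json(dict(event))["raw_event"]
    return raw.replace("\\r\\n", " ").replace("\\t", " ")

def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for fn in (as_in_question, fix_fields_first, fix_after_json):
        out = fn(SAMPLE)
        print(f"{fn.__name__:18} valid={is_valid_json(out)} {out}")
```

In this model the post-serialization tab replacement also matches the escaped backslash in `C:\\temp`, leaving an invalid escape in the JSON, so cleaning the field before serialization is the safer ordering for event data that contains Windows paths.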