Checking to see if anyone has run into this. I have a Windows event log collector, with a subscription set up to move specific security audit events to the "Forwarded Events" log. From there, I am looking to push those logs to Sumologic. Unfortunately Sumo's collector does not handle this well due to the out-of-sequence EventRecordID of the various events coming from the multiple desktops/servers we're collecting from.
I'm trying to take advantage of Sumo's native Windows event log parser; however, the options for sending the event log data using NXLog send it in specific formats (syslog_snare, xml, json, etc.). Is there a configuration I can use which sends the messages in Windows event log format? You'll see from my config below that I've tried several formats, to no avail. Any suggestions would be greatly appreciated.
# Exec to_xml();
# Exec $raw_event = replace($raw_event, "\r\n"," ");
# Exec $raw_event = replace($raw_event, "\t", " ");
# Exec $raw_event();
# Path in => out
Path eventlog, internal => out
Thanks in advance,
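A complete NXLog configuration around the route quoted in the post, as an added example (not the poster's config and not NXLog project code): it reads only the ForwardedEvents channel, keeps the originating machine name and EventRecordID as separate fields, and ships one JSON line per event over TCP. The Host and Port are placeholders for the Sumo Logic collector endpoint, the $CollectorHost field name is my own, and whether Sumo's Windows parser accepts JSON input is an assumption to verify against its source documentation.

```conf
# Added example, not the original poster's config.
# Host/Port are placeholders for the Sumo Logic collector endpoint.

<Extension _json>
    Module      xm_json
</Extension>

<Input internal>
    # NXLog's own messages, so collector-side problems reach the destination too
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    # Only the channel the WEF subscription writes to, not the local Security log
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # $Hostname holds the originating machine (the event's Computer element) and
    # $EventRecordID is only unique per source machine, so record the collector
    # separately; downstream, (Hostname, Channel, EventRecordID) identifies an event
    # regardless of the order records arrive in. $CollectorHost is an assumed name.
    Exec        $CollectorHost = hostname();
    # Flatten multi-line Message text so each event is exactly one line on the wire
    Exec        if defined $Message $Message = replace($Message, "\r\n", " ");
    Exec        if defined $Message $Message = replace($Message, "\t", " ");
</Input>

<Output out>
    Module      om_tcp
    # Placeholder address and port of the Sumo Logic installed collector
    Host        203.0.113.10
    Port        1514
    # One JSON object per event; all im_msvistalog fields are included
    Exec        to_json();
</Output>

<Route r>
    Path        eventlog, internal => out
</Route>
```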