I am having an issue with forwarding event logs from a centralized server to rsyslog and indexing them in Splunk.
The logs are forwarded, but the Event ID (the most important part) is missing. I am also having an issue with control characters on , though this could be blamed on rsyslog; as I understand it, the issue with control characters could be solved in the nxlog config.

Anyone care to give me a nudge in the correct way here?


Asked September 19, 2018 - 4:35pm

Answers (2)

Probably an issue with rsyslog all the way, I guess.
It does work on a standalone Win10 machine forwarding to Visual Syslog.
Could there be a problem with the Windows Server settings as well?

To make the EventID appear you need to use a format that sends this such as snare syslog, ietf syslog or some other structured format like JSON or KVP.
Rsyslog is known to do that with control characters, there are some configuration options, e.g. $EscapeControlCharactersOnReceive , $Escape8BitCharactersOnReceive and $ControlCharacterEscapePrefix.
It's also possible to remove such characters via nxlog.conf before sending.
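To make the second answer concrete, here is an added example of an nxlog.conf (it is not the answerer's or the NXLog project's own configuration): it reads the Windows Event Log, collapses CR/LF and tabs inside the message body before sending, and uses to_syslog_ietf() so that EventID, Channel, SourceName and the other event fields are carried as IETF (RFC 5424) structured data instead of being dropped. The collector host name and port are placeholders, and the module and function names (im_msvistalog, xm_syslog, om_tcp, replace(), to_syslog_ietf()) are the standard NXLog ones.

```nxlog
# Added example: forward Windows Event Log to rsyslog in IETF syslog format
# so that EventID survives as structured data. Host and port are placeholders.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Windows event descriptions are multi-line and may contain tabs.
    # Flatten them here so rsyslog never receives embedded control
    # characters and does not need to escape them on receive.
    Exec        $Message = replace($Message, "\r\n", " "); \
                $Message = replace($Message, "\n", " ");   \
                $Message = replace($Message, "\r", " ");   \
                $Message = replace($Message, "\t", " ");
</Input>

<Output rsyslog>
    Module      om_tcp
    # Placeholder collector address; point this at the rsyslog host.
    Host        rsyslog.example.internal
    Port        514
    # to_syslog_bsd() would send only $Message and lose EventID.
    # to_syslog_ietf() emits the event fields ($EventID, $Channel,
    # $SourceName, ...) as an [NXLOG@14506 ...] structured-data element.
    Exec        to_syslog_ietf();
</Output>

<Route eventlog_to_rsyslog>
    Path        eventlog => rsyslog
</Route>
```

After restarting nxlog, the lines arriving at rsyslog should contain `EventID="..."` inside the structured-data block, which is what Splunk can extract as a field; if the value is still absent at the index, the format in use is not the IETF one. Because the control characters are removed at the source, the rsyslog escape directives mentioned above are no longer needed for this feed and can be left at their defaults.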

Comments (1)

  • ryssland

    I did the $EscapeControlCharactersOnReceive on the rsyslog but it ended up making a large whitespace between objects in the log, maybe one of the others will have another effect?
    I will double check the format, but I am 99.9% certain that it is syslog_ietf().

    Will try it again