Hello everybody,

I'm sorry to bother you with another question concerning Windows Eventlog forwarding to graylog. Unfortunately I'm not able to figure this out on my own.

used versions:
nxlog 2.10.2102 (running on Windows Server 2016)
graylog 2.4.6 (running on Debian 9)

I have two nxlog setups. One using syslog and another one using GELF. Both do not work as I would expect.

1. Syslog

<Extension syslog>
  Module      xm_syslog
</Extension>

<Input eventlog>
  Module      im_msvistalog
  Exec        delete($Keywords);
  Exec        if ($EventType == "VERBOSE") drop();
</Input>

<Output out_graylog>
  Module      om_tcp
  Host        graylog
  Port        5140

  Exec        $raw_event = replace($raw_event, "\n", " ");
  Exec        $raw_event = replace($raw_event, "\r", " ");
  Exec        $raw_event = replace($raw_event, "\t", " ");
  Exec        to_syslog_ietf();
</Output>

<Route route_eventlog>
  Path        eventlog => out_graylog
</Route>

The problem is that there are eventlog entries containing line breaks. Unfortunately they are not removed by the replace commands. So in graylog one message is split into many messages with every linebreak. Using wireshark I can observe that the linebreaks consist of LF characters (Unix line endings).

2. Gelf

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
  Module      im_msvistalog
  Exec        delete($Keywords);
  Exec        if ($EventType == "VERBOSE") drop();
</Input>

<Output out_graylog>
	Module		om_tcp
	Host    	graylog
    Port    	12201
	OutputType	GELF
</Output>

<Route route_eventlog>
  Path        eventlog => out_graylog
</Route>

Unfortunately this setup does not work at all. No messages are showing up in Graylog (of course I've activated the correspnding input). Using wireshark I can observe that a lot of TCP packets are sent to graylog but none of them contain readable messages.

Can anybody help me with either setup?

Thanks and Regards, Carsten