Request trial
Request Trial

Formatting codes in multi line windows event ?

Tags: #Eventlog #windowsnxlog
#1 farridem

Hello,

  I am attempting to use Nxlog on windows to forward windows event logs as syslog. I am finding that the windows event 4672 (and only this event oddly enough) keeps getting broken into multiple lines and showing the character strings

#011 and #015

May 18 10:29:20 desktop-XXXX #011#011#011SeLoadDriverPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeBackupPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeRestorePrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeDebugPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeAuditPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeSystemEnvironmentPrivilege #015 May 18 10:29:20 desktop-XXXX #011#011#011SeImpersonatePrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeDelegateSessionUserImperso natePrivilege" EventReceivedTime="2021-05-18 10:29:20" SourceModuleName="eventlog" SourceMod uleType="im_msvistalog"] {"EventTime":"2021-05-18 10:29:19","Hostname": <snip>

This event also shows up with the FQDN instead of the hostname that the other events are sent with. The logs are being formatted to JSON prior to sending

I reviewed the documentation and I can't determine if there is a way to effect the parsing of this message. Thanks for any input !

Permalink
#2 farridem
#1 farridem
Hello, I am attempting to use Nxlog on windows to forward windows event logs as syslog. I am finding that the windows event 4672 (and only this event oddly enough) keeps getting broken into multiple lines and showing the character strings #011 and #015 May 18 10:29:20 desktop-XXXX #011#011#011SeLoadDriverPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeBackupPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeRestorePrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeDebugPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeAuditPrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeSystemEnvironmentPrivilege #015 May 18 10:29:20 desktop-XXXX #011#011#011SeImpersonatePrivilege#015 May 18 10:29:20 desktop-XXXX #011#011#011SeDelegateSessionUserImperso natePrivilege" EventReceivedTime="2021-05-18 10:29:20" SourceModuleName="eventlog" SourceMod uleType="im_msvistalog"] {"EventTime":"2021-05-18 10:29:19","Hostname": <snip> This event also shows up with the FQDN instead of the hostname that the other events are sent with. The logs are being formatted to JSON prior to sending I reviewed the documentation and I can't determine if there is a way to effect the parsing of this message. Thanks for any input !

May have had a positive impact by moving from IETF to BSD syslog, waiting to see
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS