
Hello,

I am attempting to use NXLog on Windows to forward Windows event logs as syslog. I am finding that Windows event 4672 (and only this event, oddly enough) keeps getting broken into multiple lines and showing the character strings #011 and #015:

May 18 10:29:20 desktop-XXXX #011#011#011SeLoadDriverPrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeBackupPrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeRestorePrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeDebugPrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeAuditPrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeSystemEnvironmentPrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeImpersonatePrivilege#015
May 18 10:29:20 desktop-XXXX #011#011#011SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2021-05-18 10:29:20" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] {"EventTime":"2021-05-18 10:29:19","Hostname": <snip>

This event also shows up with the FQDN instead of the hostname that the other events are sent with. The logs are being formatted to JSON prior to sending.

I reviewed the documentation and I can't determine if there is a way to affect the parsing of this message.
Thanks for any input!

Asked May 18, 2021 - 8:52pm
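As an added example (not code from the original post, from NXLog, or from any reply), the following Python shows what the `#011` and `#015` strings in the question are: `#ooo` octal escapes for the tab (octal 011) and carriage-return (octal 015) characters that Windows embeds in the 4672 message body. A syslog receiver that escapes control characters on receipt (rsyslog's default behaviour, for instance) writes them out in this form, and the embedded line breaks in the privilege list are what make one event arrive as many syslog lines. The script decodes the escapes and re-joins the tab-indented continuation lines into one record so the privilege list can be read back as a list. The sample lines are constructed from the fragments quoted above; the head line for the event and the trailing unrelated event are assumptions added to show the grouping.

```python
import re

# Constructed sample (not the poster's actual capture): the privilege fragments
# quoted in the question, preceded by an assumed head line for the same event
# and followed by an unrelated event to show that it is left untouched.
SAMPLE_LINES = [
    "May 18 10:29:20 desktop-XXXX Special privileges assigned to new logon.#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeLoadDriverPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeBackupPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeRestorePrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeDebugPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeAuditPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeSystemEnvironmentPrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeImpersonatePrivilege#015",
    "May 18 10:29:20 desktop-XXXX #011#011#011SeDelegateSessionUserImpersonatePrivilege",
    "May 18 10:29:21 desktop-XXXX An account was successfully logged on.",
]

# "#" followed by exactly three octal digits: the escaped form of one control byte.
OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")

# Classic BSD syslog header: "Mmm dd hh:mm:ss host message".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def decode_octal_escapes(text):
    """Reverse the receiver's escaping: '#011' -> '\\t', '#015' -> '\\r', and so on."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_line(line):
    """Split one syslog line into timestamp, host and decoded message, or None."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"),
            "msg": decode_octal_escapes(m.group("msg"))}


def reassemble(lines):
    """Group syslog lines back into records.

    A fragment whose decoded message begins with a tab is treated as the
    continuation of the previous record from the same host: it is the remainder
    of a multi-line message body that was split on an embedded CR/LF.
    """
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prev = records[-1] if records else None
        if rec["msg"].startswith("\t") and prev is not None and prev["host"] == rec["host"]:
            prev["msg"] += "\n" + rec["msg"]
        else:
            records.append(rec)
    return records


def privileges(record):
    """Return the privilege names from a reassembled 4672 record (tab-indented lines)."""
    return [part.strip() for part in record["msg"].split("\n") if part.startswith("\t")]


if __name__ == "__main__":
    for rec in reassemble(SAMPLE_LINES):
        print(rec["ts"], rec["host"], repr(rec["msg"].splitlines()[0]))
        for name in privileges(rec):
            print("   ", name)
```

Decoding only undoes the receiver's escaping; the underlying cause is the CR/LF and tab characters that Windows puts into the 4672 message body. The cleaner fix is on the sending side, replacing or stripping those characters from the message field in the NXLog `Exec` block before the event is serialised to JSON (for example with NXLog's `replace()` string function); this is an assumption about the poster's setup, since the configuration is not shown in the question.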
