I'n using nxlog to send logs from Windows Event Log to rsyslogd.
To identify my Windows hosts, i use local6 facility. So they are logged to a separate folder based on IP and facility: local6 messages are logged to /var/log/hosts/windows/SERVER_IP/remote.log, all other facilities (non-local6) are logged to /var/hosts/linux/SERVER_IP/remote.log
The thing is, i sometimes find new messages in /var/log/hosts/linux/WINSERVER_IP/remote.log, which are (mostly) a part of other windows Event Log messages. Looks like big messages from Event Log are split into fragments, the first one gets the local6 facility (via SyslogFacilityValue) and is logged to windows-log folder (correct behavior), the rest get another facility value (which is unknown for me) and are logged to linux-log folder (incorrect behavior).
My nxlog config (part of it):
Exec $SyslogFacilityValue = 22;
Exec $Hostname = hostname();
Exec $raw_event = replace($raw_event, "\r\n", " ");
Exec $raw_event = replace($raw_event, "\t", " ");
Path in => eventlog_transformer => out
Is there a way to strictly specify local6 facility to all outgoing syslog-type messages and their parts, if they get split?