I need to add an additional line break to events at the heavy forwarder. I'm trying to use transforms.conf:
[add_linebreak]
REGEX = .
FORMAT = $0\r\n
DEST_KEY = _raw
but it's adding a literal [slash]r and [slash]n to the event. Is it possible to add linebreaks at the heavy forwarder?
I found that using SEDCMD in props.conf at the heavy forwarder was the best way to do this.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
SEDCMD-add_linebreak = s/<\/Event>/<\/Event>\n\n/g