Windows event logs are being picked up by Universal Forwarder v5 and sent to an Indexer v5.
I'm trying to forward these events to a third party for analysis. I've followed the instructions here and have events hitting my third party server on UDP 514.
Tcpdump shows the data contains newline characters. For example: ...\nLogName=Security\nSourceName=Security\n
It appears that the UF picks up the newlines from the Windows event log, and the built-in sourcetype creates multi-line events. But my third-party server does not handle multi-line events in syslog correctly.
Is there any way to have Splunk escape/replace the newlines in the event with some other character or pattern prior to sending them to the third party over syslog?
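One way to do the substitution the question asks about, shown as an added example rather than anything from the original post or an accepted answer: a `SEDCMD` in `props.conf` on the indexer (the UF does not run the parsing pipeline, so it cannot go there). The stanza name `WinEventLog:Security` and the replacement text `\n` are assumptions; use whatever sourcetype the events actually arrive with and whatever placeholder the receiving parser can tolerate.

```ini
# props.conf on the indexer (added example; stanza name is an assumption,
# match it to the sourcetype shown in tcpdump / the Splunk event).
[WinEventLog:Security]
# Replace every CR/LF run inside the event with a literal backslash-n token so
# the syslog datagram becomes a single line. A space (" ") works just as well
# if the receiver only needs single-line messages and does not need to recover
# the original field boundaries.
SEDCMD-flatten_newlines = s/[\r\n]+/\\n/g
```

Two caveats worth checking before relying on this: `SEDCMD` rewrites the event itself, so the copy written to the Splunk index is flattened too, not only the syslog copy; and the substitution only takes effect if the regex-replacement stage runs before the syslog output stage on that indexer, so confirm with another `tcpdump` capture on UDP 514 that the datagrams no longer contain raw newlines after restarting splunkd.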