I believe I have a solution, and it's not pretty.
After setting the Destination log in the Subscription to TerminalServices-LocalSessionManager/Operational, all the data started coming in intact in the Event Viewer as expected. There was no %1, %2, %3 nonsense; all the variables were filled.
When nxlog read the event logs and logstash read nxlog's output, the "message" and "Message" fields were all intact as well. No data is missing and my parsers are working properly.
I don't understand it, but there is an issue with the Destination Log set to Forwarded Events. Somehow data is lost in the transfer.
ContentFormat was also set back to RenderedText.
Update: Setting it to RenderedText has solved the issue. The Forwarded Events log was also, by default, capped at 20 MB and had to be increased. Another issue is that the Subscription included Domain Computers, which included the Subscription server itself, which led to the Windows server recursively forwarding its own logs.
ContentFormat set back to RenderedText (default setting).
Upped Destination log size to 5 GB.
Excluded self from Subscription.
I would suggest trying the tcp input; forget about defining the codec in your input, it's generally a bad idea I have found:
input {
  # Plain TCP listener for nxlog's output; no codec, so each line arrives as raw text in "message"
  tcp {
    type => "eventlog"
    port => 3515
  }
}
filter {
  # Re-join events whose Message was split: a line starting with whitespace
  # belongs to the previous line
  multiline {
    pattern => "^\s"
    what => "previous"
  }
  # Parse the (re-joined) JSON document held in "message" into event fields
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    cluster => "MyElkCluster"
    host => "127.0.0.1"
  }
}
So in this config, it will accept the traffic on the tcp port defined, not setting a codec, then pass the input to a multiline filter, which will look for lines which start with whitespace, and if it finds any it will join them to the previous line. That new line created by multiline will then be passed to the json filter, which should be able to parse the entry.
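As an added illustration (not code from either answer above), the following Python script emulates the multiline-then-json stages of that config over a few constructed nxlog-style lines, and then runs the check the first answer's symptom calls for: flagging any forwarded event whose Message still carries unresolved %1/%2 insertion-string placeholders, which is what you see when the subscription's ContentFormat is not RenderedText. The sample events, channel names and field layout are constructed for the example.

```python
import json
import re

# Constructed sample: nxlog JSON events, one per line. The first event's
# Message was split across lines, so its continuation lines start with
# whitespace, exactly the case the multiline filter above handles.
SAMPLE_LINES = [
    '{"EventID": 21, "Channel": "TerminalServices-LocalSessionManager/Operational", '
    '"Message": "Remote Desktop Services: Session logon succeeded:',
    '  User: CORP\\\\alice',
    '  Session ID: 3"}',
    '{"EventID": 24, "Channel": "ForwardedEvents", '
    '"Message": "Remote Desktop Services: Session has been disconnected: User: %1 Session ID: %2"}',
    '{"EventID": 25, "Channel": "TerminalServices-LocalSessionManager/Operational", '
    '"Message": "Remote Desktop Services: Session reconnection succeeded: User: CORP\\\\bob Session ID: 5"}',
]

CONTINUATION = re.compile(r"^\s")      # logstash multiline pattern => "^\s"
UNRENDERED = re.compile(r"%\d+")       # %1, %2 ... left in by an unrendered event


def join_multiline(lines):
    """Emulate multiline { pattern => "^\\s" what => "previous" }:
    a line beginning with whitespace is appended to the preceding event."""
    events = []
    for line in lines:
        if events and CONTINUATION.match(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def parse_events(lines):
    """Emulate json { source => "message" } on each re-joined event.
    strict=False lets the raw newlines we re-inserted sit inside JSON strings."""
    return [json.loads(raw, strict=False) for raw in join_multiline(lines)]


def find_unrendered(lines):
    """Return (EventID, Channel) for every event whose Message still holds
    %N placeholders, i.e. the event was forwarded without rendered text."""
    return [(e["EventID"], e["Channel"])
            for e in parse_events(lines)
            if UNRENDERED.search(e.get("Message", ""))]


if __name__ == "__main__":
    for event_id, channel in find_unrendered(SAMPLE_LINES):
        print(f"unrendered message: EventID={event_id} Channel={channel}")
```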
Best Answer
There is an example in the manual: Example 6.9. Parsing URL request parameters in Apache access logs