Cannot get CommonSecurityLog Events to show in Sentinel "pattern not match"

SOLUTION:

The pattern that it is matching to is defined in the security_events.conf under:

/etc/opt/microsoft/omsagent/f1886a55-033b-4c04-9198-50e9ddf678bb/conf/omsagent.d

<source>
    type syslog
    port 25226
    bind 127.0.0.1
    protocol_type udp
    tag oms.security
    format /^(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
    message_length_limit 4096
</source>

<filter oms.security.**>
    type filter_syslog_security
</filter>

This regex string needs to match the message that you are seeing in the log.  In my case the pid grouping did not match and that was causing the error.  Once you get the string that I have bolded above to match your message then that will clear the error.

NOTE: The '/' bookend characters need to be in the config file for the omsagent or when you restart the service you will get an error that the template is not recognized.

Now I am onto the next error:
[warn]: Failed to find data type for record with ident: 'Cyber-Ark'

What this is identifying is that the grouping of that regex string that is labeled ident does not have a known data type.... not sure what that means yet, more to follow