1. i am ingesting firewall logs as syslog and trying to parse out the fields accordingly using the split command, i have a problem that the beginig of the logs is not piped and i have made the split in 2 occasions.
as you can see in the attached pic the FWD|UDP|p4| fields are nit parsed out.
I make the difference 152 vs 15 columns of data, are there certain columns you are missing in Syslog? Is the data you require in the Syslog but needs extracting / parsing which is I believe one of the things CEF does for you? BTW, I'm no expert on CEF or Syslog, but keen to understand your use case.