Feb 15 2023 03:54 AM - edited Feb 15 2023 03:55 AM
Hi,
I'm having a hard time ingesting Mikrotik logs sent from the server with the installed log forwarder agent into Sentinel. Mikrotik is using RFC3614 log format and while the log is sent to the server in one piece (pls see the screenshot 1 below), the Sentinel displays logs in pieces (pls see the screenshot 2).
Screenshot 1:
Screenshot 2:
In addition to that, fields inside logs are also incorrect and the syslog message is incomplete, so for instance 'ProcessName' is an IP address from the content of the 'SyslogMessage', and not the actual process that generated the log (in my case rsyslogd).
Screenshot 3:
Is there a way to get the log in one piece inside Sentinel? I've seen that parsing logs inside Sentinel is possible, but it doesn't help in my case as the syslog message in Sentinel is not complete. Any advice or help is more than appreciated.
Ty.
Feb 15 2023 05:59 AM
Feb 16 2023 07:24 AM
@GBusheythank you for the advice. I've just submitted a ticket and I am going to share a solution here if this issue gets resolved successfully.