philhagen
commented
8 months ago ok! @Pierre450 I am pretty sure I figured out what the problem was and my test against your capstone azure data is now consistent with the public and class versions. Please let me know if you see otherwise, but if it looks good, I will cherrypick this commit to the latest public branch
The Azure logstash parser in the public release is processing a lot less entries that the older version which are still using in the FOR509 class version. Something has changed, but it's not clear what it is.