sophos / Sophos-Central-SIEM-Integration

Simple integration script for 3rd party systems such as SIEMs. Offers command line, file or syslog output in CEF, JSON or key-value pair formats.
121 stars · 70 forks

Remove the facility number from logs while using syslog #89

Open wildborn opened 1 year ago

wildborn commented 1 year ago

We are having issues parsing events being sent via TCP because the script adds the facility number <30> to every event when the syslog parameter is used in the script, even after changing to different log formats. How do we remove this facility number from the logs, as the SIEM can't parse such log events, which are modifying the JSON format? Checked this via the tcpdump command on the server. Sharing the sample below.

.aZ...dX<30>{"endpoint_id": "XXXXXXXXXXXXXX", "source_info": {"ip": "XXXXXXXXXXX"}, "customer_id": "XXXXXXXXXXX", "severity": "low", "endpoint_type": "computer", "type": "Event::Endpoint::UpdateSuccess", "group": "UPDATING", "id": "XXXXXXXXXXX", "name": "Update succeeded", "datastream": "event", "rt": "2023-09-12T11:49:53.664Z", "duid": "XXXXXXXXXXXX", "end": "2023-09-12T11:49:53.654Z", "suser": "XXXX\\XXXX", "dhost": "XXXX"}
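As an added illustration on the receiving side (this is not code from the issue or from the Sophos script, and the function names `decode_pri`, `split_pri`, `strip_pri`, `parse_event` and the sample line `SAMPLE_LINE` are my own): the `<30>` in the capture is the standard syslog PRI field, `<facility * 8 + severity>`, so 30 decodes to facility 3 (daemon) and severity 6 (info). The bytes before it (`.aZ...dX`) are TCP header bytes that tcpdump prints, not part of the message. A SIEM pre-processor can strip the PRI, keep the facility and severity as fields, and then hand pure JSON to the event parser:

```python
import json
import re
from typing import Optional, Tuple

# Standard syslog facility (0-23) and severity (0-7) names (RFC 3164 / RFC 5424).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<N>" with N = facility * 8 + severity, so N is at most 23 * 8 + 7 = 191.
# The non-greedy prefix skips any non-JSON bytes (such as the TCP header bytes that
# tcpdump prints) sitting in front of the PRI; it stops at the first "{", so a bare
# JSON line without a PRI is left untouched.
PRI_RE = re.compile(rb"^[^{]*?<(\d{1,3})>")

# Constructed sample line, modelled on the wire capture in the issue above
# (placeholder values; hypothetical, not real event data).
SAMPLE_LINE = (
    b'.aZ...dX<30>{"endpoint_id": "ENDPOINT-PLACEHOLDER", "severity": "low", '
    b'"type": "Event::Endpoint::UpdateSuccess", "name": "Update succeeded", '
    b'"rt": "2023-09-12T11:49:53.664Z"}\n'
)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Map a numeric PRI to (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside the valid syslog range 0-191")
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def split_pri(raw: bytes) -> Tuple[Optional[int], bytes]:
    """Return (pri or None, payload) with the PRI prefix and any leading junk removed."""
    payload = raw.rstrip(b"\r\n\x00")  # TCP syslog senders usually terminate with "\n"
    m = PRI_RE.match(payload)
    if m is None:
        return None, payload
    pri = int(m.group(1))
    if pri > 191:  # not a valid PRI, so treat the whole line as payload
        return None, payload
    return pri, payload[m.end():]


def strip_pri(raw: bytes) -> bytes:
    """Payload only, for forwarding to a parser that expects pure JSON."""
    return split_pri(raw)[1]


def parse_event(raw: bytes) -> dict:
    """Parse the JSON event and keep the PRI information as two extra fields."""
    pri, payload = split_pri(raw)
    event = json.loads(payload.decode("utf-8"))
    if pri is not None:
        event["syslog_facility"], event["syslog_severity"] = decode_pri(pri)
    return event


if __name__ == "__main__":
    print(parse_event(SAMPLE_LINE))
```

Keeping the decoded facility and severity as fields, rather than discarding them, preserves the only routing information the syslog header carried, and a line that arrives without a PRI (for example from a file or stdout collector) still parses unchanged.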