CEF:2 Parsers

I started collecting syslog from my SentinelOne XDR platform. I choose to send syslog to IDR in the CEF:2 format as it contains much more data within the syslog.

IDR is unable to parse CEF:2 for some reason. I opened a ticket with support and they stated that CEF:2 was not industry standard (whatever that means :frowning: ).

The CEF:2 format fields are delimited by a pipe (“|”).

I don’t want to create custom parsers for all the fields.

Is anyone else collecting SentinelOne logs in CEF:2 format successfully?

I also noticed that unnecessary data was being sent before the actual syslog header which could mess up parsing.

"2024-02-29 14:54:10,890 sentinel - "

Can this unnecessary data be removed in the event pipeline?
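As an added illustration (not code from the original post, from Rapid7 or from SentinelOne) of the two problems described above, the Python below strips a prefix of the shape `2024-02-29 14:54:10,890 sentinel - ` and then parses the pipe-delimited CEF header and the key=value extension that follows it, honouring the backslash escapes CEF allows for `|` in the header and `=` in the extension. The sample line is constructed: the prefix follows the form quoted in the post, while the syslog header, the `CEF:2` version tag, the vendor, product and extension values are assumptions for the example and not real SentinelOne output. The `PREFIX_RE` pattern is the shape a pipeline rule would need to match to drop that leading block.

```python
"""Parse a CEF line that arrives with a non-syslog prefix in front of it."""
import re
from dataclasses import dataclass

# Constructed sample: the "2024-02-29 14:54:10,890 sentinel - " prefix is the shape quoted
# in the post; the syslog header, "CEF:2" version tag, vendor, product and extension
# values are invented for this example and are not real SentinelOne output.
SAMPLE = (
    "2024-02-29 14:54:10,890 sentinel - <14>Feb 29 14:54:10 s1-host "
    "CEF:2|ExampleVendor|ExampleProduct|1.0|100|Process\\|Started|5|"
    "src=10.0.0.1 dst=10.0.0.2 msg=key\\=value with spaces act=allow"
)

# Leading "YYYY-MM-DD HH:MM:SS,mmm <token> - " block that precedes the real syslog header.
PREFIX_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \S+ - ")
# A key in the CEF extension: "key=" at the start of the extension or after whitespace.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# The seven pipe-delimited CEF header fields, in order; the extension follows the 7th pipe.
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")


@dataclass
class CefEvent:
    header: dict
    extension: dict


def strip_prefix(line: str) -> str:
    """Drop the leading timestamp/app prefix so the line starts at the syslog header."""
    return PREFIX_RE.sub("", line, count=1)


def split_header(payload: str):
    """Split the 7 header fields on unescaped '|'; return (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # "\|" or "\\" inside a header field
            cur.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, payload[i:]


def unescape(value: str) -> str:
    """Undo CEF extension escapes: \\= \\\\ \\n \\r (single left-to-right pass)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(text: str) -> dict:
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces and escaped '='."""
    ext = {}
    keys = list(EXT_KEY_RE.finditer(text))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(text)
        ext[m.group(1)] = unescape(text[start:end].strip())
    return ext


def parse_cef(line: str) -> CefEvent:
    """Strip the prefix, locate the CEF payload after the syslog header, and parse it."""
    syslog_part = strip_prefix(line)
    pos = syslog_part.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF payload in line")
    fields, ext_text = split_header(syslog_part[pos:])
    header = dict(zip(HEADER_NAMES, fields))
    header["version"] = header["version"][len("CEF:"):]   # "CEF:2" -> "2"
    return CefEvent(header, parse_extension(ext_text))


if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(event.header)
    print(event.extension)
```

Run as a script it prints the parsed header and extension of the constructed line; the escaped pipe in the event name and the escaped `=` in `msg` survive intact, which is the property a generic "split on every pipe" rule would break.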