Hi.
I started collecting syslog from my SentinelOne XDR platform. I choose to send syslog to IDR in the CEF:2 format as it contains much more data within the syslog.
IDR is unable to parse CEF:2 for some reason. I opened a ticket with support and they stated that CEF:2 was not industry standard (whatever that means 
).
The CEF:2 format fields are delimited byt a pipe (β|β).
I donβt want to create custom parsers for all the fields.
In anyone else collecting SentinelOne logs in CEF:2 format successfully?
I also noticed that unnecessary data was being sent before the actual syslog header which could mess up parsing.
"2024-02-29 14:54:10,890 sentinel - "
Can this unnecessary data be removed in the event pipeline?