Pulse Secure logs not matching any samples

_joe
Communicator

I was wondering if anyone else has seen this.

I had the Pulse Sec admin send some logs to my syslog-ng server. I'm showing an example of the log below:

Mar 16 08:45:49 10.51.56.4 1 2020-03-16T13:45:49Z 192.168.2.1 PulseSecure: - - - 2020-03-16 13:45:49 - OmmitedName - [127.0.0.1] System()[] - ..Ommmted...

My logs are coming in with "PulseSecure: - - - 2020-03-16 13:45:49", which doesn't match any of the sample logs inside the TA. However, it appears to be expected, since the TA is looking for "TIME_PREFIX = PulseSecure:\s-\s-\s-\s". Something still is not correct, as evidenced by this extract not working properly:

EXTRACT-priority = ^\d+\s\<(?<priority>\d+)
EXTRACT-header = ^(?P<header>\d+)    

Obviously I could recreate these extractions, but I'm still trying to figure out what is happening incorrectly.

0 Karma
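
Added example (not part of the original post and not the TA's own code): a Python check that runs the TIME_PREFIX and the two EXTRACT patterns quoted above against the posted event, first as received and then with the leading syslog-style header removed. It assumes that the leading "Mar 16 08:45:49 10.51.56.4 " was prepended by the relay and that the timestamp format is the one visible in the sample; the function names are hypothetical.

```python
import re
from datetime import datetime

# The event exactly as posted above (redactions left as the poster wrote them).
EVENT = ("Mar 16 08:45:49 10.51.56.4 1 2020-03-16T13:45:49Z 192.168.2.1 "
         "PulseSecure: - - - 2020-03-16 13:45:49 - OmmitedName - [127.0.0.1] "
         "System()[] - ..Ommmted...")

# Patterns quoted in the post; Python's re needs (?P<name>...) for named groups.
TIME_PREFIX = re.compile(r"PulseSecure:\s-\s-\s-\s")
EXTRACTS = {
    "priority": re.compile(r"^\d+\s\<(?P<priority>\d+)"),
    "header": re.compile(r"^(?P<header>\d+)"),
}
# Assumption: the leading "Mmm dd HH:MM:SS host " was prepended by the relay.
RELAY_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s")


def run_extracts(event):
    """Return {field: captured value or None} for each EXTRACT pattern."""
    out = {}
    for field, rx in EXTRACTS.items():
        m = rx.search(event)
        out[field] = m.group(field) if m else None
    return out


def event_time(event):
    """Parse the timestamp after TIME_PREFIX (format assumed from the sample)."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    try:
        return datetime.strptime(event[m.end():m.end() + 19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def diagnose(event):
    """Compare extraction results before and after removing the relay header."""
    return {
        "time": event_time(event),
        "as_received": run_extracts(event),
        "relay_header_stripped": run_extracts(RELAY_HEADER.sub("", event, count=1)),
    }


if __name__ == "__main__":
    for key, value in diagnose(EVENT).items():
        print(key, value)
```

Both EXTRACT patterns are anchored at `^`, so neither matches while the event begins with "Mar 16". With the assumed relay header removed, `header` captures `1`, and `priority` still finds nothing because the sample carries no `<PRI>` value after the leading digit.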