Sorry to necro post, but dominiquevocat's comment seemed the simplest way to go, and I think it was almost there.
On the forwarder receiving the syslog from our eDirectory servers, I created a new eDir app and added a props.conf with the following.
Defined in the eDir app's props.conf (SEDCMDs to remove the preceding "eDirectory : INFO " and "IDM : INFO "):
[eDirXDAS]
SEDCMD-StripEDirInfo = s/eDirectory : INFO {/{/g
SEDCMD-StripIDMInfo = s/IDM : INFO {/{/g
KV_MODE = json
INDEXED_EXTRACTIONS = json
pulldown_type=1
and then set the sourcetype for that syslog listener to eDirXDAS.
Additional SED commands can be added for any other strings that are being prepended to the supplied JSON.
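To see what those two SEDCMD rules do to an event before Splunk's JSON extraction runs, here is an added Python emulation; it is not Splunk's own code and not from the post, the sample syslog payloads are constructed, and the `{` in each pattern is escaped because Python's `re` would otherwise try to read it as a quantifier.

```python
import json
import re

# Constructed sample payloads (not from the original post): what a syslog
# listener sees after the syslog header, before any SEDCMD is applied.
SAMPLE_LINES = [
    'eDirectory : INFO {"Source":"eDirectory#DS","Action":{"Event":{"Id":"0.0.2.2"}}}',
    'IDM : INFO {"Source":"IDM","Action":{"Event":{"Id":"0.0.2.5"}}}',
    '{"Source":"other","Action":{"Event":{"Id":"0.0.0.0"}}}',  # already clean
]

# The two SEDCMD rules from the props.conf above, as (pattern, replacement).
# s/eDirectory : INFO {/{/g and s/IDM : INFO {/{/g strip the prefix and keep
# the opening brace of the JSON object.
SEDCMDS = [
    (r"eDirectory : INFO \{", "{"),
    (r"IDM : INFO \{", "{"),
]


def apply_sedcmds(line, rules=SEDCMDS):
    """Apply each rule in order with the 'g' (replace all) semantics of SEDCMD."""
    for pattern, repl in rules:
        line = re.sub(pattern, repl, line)
    return line


def extract_json(line):
    """Emulate KV_MODE=json: the event must be valid JSON from the first byte,
    otherwise no fields are extracted (returned here as None)."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def process(lines):
    """Show, per event, whether JSON extraction works before and after the SEDCMDs."""
    results = []
    for raw in lines:
        cleaned = apply_sedcmds(raw)
        results.append({
            "raw": raw,
            "cleaned": cleaned,
            "parsed_before": extract_json(raw),
            "parsed_after": extract_json(cleaned),
        })
    return results


if __name__ == "__main__":
    for r in process(SAMPLE_LINES):
        print(r["parsed_before"] is not None, "->", r["parsed_after"] is not None, r["cleaned"])
```

An event whose prefix is not covered by a rule still fails extraction, which is the quick check to run on a sample of real events before adding more SEDCMD lines.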