I did a quick (but not thorough) search before creating the topic. If this has already been discussed, I apologize.
Is there any way to change the actual formatting of the syslog events generated by the export filters? I've been experimenting with the various filter types, and the logs generated by the 'session' template don't appear to be well delimited.
In the example below you can see that the various attributes are comma-delimited. However the multi-valued attributes ( like roles and enforcement-profiles ) use commas within the attribute to seperate values. This makes the logs really frustrating to parse, and I'd like to change the delimiting if possible.
2017-10-11T17:43:12-04:00 cppm.vt.edu 2017-10-11 17:43:12,396 192.0.2.0 session_logs_example 2 1 0 Common.Username=johndoe@vt.edu,Common.Service=MAC - Aruba,Common.Roles=nonsponsored_guest, [User Authenticated],Common.Enforcement-Profiles=[Allow Access Profile], update_nonsponsored_guest, update_from_endpoint,Common.Host-MAC-Address=b853ac61f40e,Common.NAS-IP-Address=192.0.1.0,Common.Request-Timestamp=2017-10-11 17:42:59-04,Common.Login-Status=ACCEPT