Occasional Contributor I

Delimiting in Syslog Export Filters

I did a quick (but not thorough) search before creating the topic. If this has already been discussed, I apologize.


Is there any way to change the actual formatting of the syslog events generated by the export filters? I've been experimenting with the various filter types, and the logs generated by the 'session' template don't appear to be well delimited.


In the example below you can see that the various attributes are comma-delimited. However, the multi-valued attributes (like roles and enforcement-profiles) use commas within the attribute to separate values. This makes the logs really frustrating to parse, and I'd like to change the delimiting if possible.


2017-10-11T17:43:12-04:00 2017-10-11 17:43:12,396 session_logs_example 2 1 0,Common.Service=MAC - Aruba,Common.Roles=nonsponsored_guest, [User Authenticated],Common.Enforcement-Profiles=[Allow Access Profile], update_nonsponsored_guest, update_from_endpoint,Common.Host-MAC-Address=b853ac61f40e,Common.NAS-IP-Address=,Common.Request-Timestamp=2017-10-11 17:42:59-04,Common.Login-Status=ACCEPT

Guru Elite

Re: Delimiting in Syslog Export Filters

No, but you can try using CEF or LEEF formatted messages to see if that works better for you.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Occasional Contributor I

Re: Delimiting in Syslog Export Filters

I opted to try the 'Insight' templates instead, which appear to be better delimited. If this doesn't work out for us, I'll explore the CEF/LEEF options.


Thanks for the assistance
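
Added example, not part of the original thread and not Aruba's own code: a Python parser for the 'session' template line quoted in the first post. It assumes every attribute key has the form "Namespace.Name=" (as in "Common.Roles="), so a comma counts as a field delimiter only when such a key follows it; the set of multi-valued keys is likewise an assumption taken from that one sample line.

```python
import re

# Assumption: attribute keys look like "Namespace.Name=" (e.g. "Common.Roles=")
# and no attribute value contains a comma immediately followed by such a key.
KEY_BOUNDARY = re.compile(r",(?=[A-Za-z][\w-]*\.[\w-]+=)")

# Assumption: these are the multi-valued attributes (the two seen in the sample).
MULTI_VALUED = {"Common.Roles", "Common.Enforcement-Profiles"}

# The log line quoted in the first post of this thread.
SAMPLE = (
    "2017-10-11T17:43:12-04:00 2017-10-11 17:43:12,396 session_logs_example 2 1 0,"
    "Common.Service=MAC - Aruba,"
    "Common.Roles=nonsponsored_guest, [User Authenticated],"
    "Common.Enforcement-Profiles=[Allow Access Profile], "
    "update_nonsponsored_guest, update_from_endpoint,"
    "Common.Host-MAC-Address=b853ac61f40e,"
    "Common.NAS-IP-Address=,"
    "Common.Request-Timestamp=2017-10-11 17:42:59-04,"
    "Common.Login-Status=ACCEPT"
)


def parse_session_log(line):
    """Split one 'session' template line into (header, attributes).

    The header keeps its own comma (the millisecond separator in
    "17:43:12,396") because that comma is not followed by a key.
    """
    header, *pairs = KEY_BOUNDARY.split(line.strip())
    attrs = {}
    for pair in pairs:
        # Split on the first "=" only, so "=" inside a value is preserved.
        key, _, value = pair.partition("=")
        if key in MULTI_VALUED:
            # Inner commas separate the values of a multi-valued attribute.
            attrs[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            attrs[key] = value
    return header, attrs


if __name__ == "__main__":
    header, attrs = parse_session_log(SAMPLE)
    print("header:", header)
    for key, value in attrs.items():
        print(f"{key} -> {value!r}")
```

A role or profile name that itself contains a comma would still be split into two values; the format gives no way to tell those cases apart.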
