Hello,
If needed, this is what our syslog config files look like and our GROK statement (used with Metron 0.4.2).
Server side syslog config files (messages sent to syslog are passed on to Kafka):

https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/configForServer-Encypted/rsyslog.conf

https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/configForServer-Encypted/00-GCRserverReciDionaea.conf

Client/honeypot side config file:
https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/configForHP-Encrypted/00-GCRdionaeaHP.conf

GROK Statement:
https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/README.md

-Ahmed
_______________________________________________________________
Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University - cugcr.com (https://cugcr.com/tiki/lce/index.php)
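Added example for readers following this thread: a minimal RFC 5424 parser in Python, written here as an illustration of what a Grok statement or the proposed parsing library has to do with a line like the ones Dionaea forwards over rsyslog. It is not code from the GCR repository, from Metron, or from anyone in this thread; the sample lines are constructed, and the field names in the returned dict are my own choice. It splits the PRI value into facility and severity, tolerates the `-` nil value in header fields, and handles the `\"`, `\\` and `\]` escapes inside STRUCTURED-DATA, which is where hand-written Grok patterns most often break.

```python
import re

# Constructed sample lines (not from the mailing list or the GCR repo).
SAMPLE_LINES = [
    '<165>1 2018-05-18T10:59:00.000Z honeypot01 dionaea 1234 ID47 '
    '[meta@32473 transport="tcp" remote="203.0.113.5"] connection accepted',
    '<34>1 2018-05-18T11:00:01Z honeypot01 sshd - - - Failed password for root',
    # escaped quote and bracket inside an SD-PARAM value
    '<13>1 - - - - - [x@1 note="a\\"b\\]c"]',
]

PRI_MAX = 191  # 23 facilities * 8 severities - 1 (RFC 5424 section 6.2.1)
SEVERITY_NAMES = ('emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug')

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by STRUCTURED-DATA and an optional MSG.  Length limits follow the RFC.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) '
    r'(?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) '
    r'(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)'   # one or more [SD-ELEMENT]s, or nil
    r'(?: (?P<msg>.*))?$',
    re.DOTALL,
)
# SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]" ; SD-PARAM = NAME "=" DQUOTE VALUE DQUOTE
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^\s=\]"]+)(?P<params>(?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _unescape(value):
    """Undo the three escapes RFC 5424 allows inside a PARAM-VALUE."""
    return re.sub(r'\\(["\\\]])', r'\1', value)


def _nil(value):
    """The single character '-' means 'field not present'."""
    return None if value == '-' else value


def parse_syslog_5424(line):
    """Parse one RFC 5424 message into a dict; raise ValueError if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message: %r' % line[:40])
    pri = int(m.group('pri'))
    if pri > PRI_MAX:
        raise ValueError('PRI out of range: %d' % pri)

    structured = {}
    if m.group('sd') != '-':
        for element in SD_ELEMENT_RE.finditer(m.group('sd')):
            params = {
                p.group('name'): _unescape(p.group('value'))
                for p in SD_PARAM_RE.finditer(element.group('params'))
            }
            structured[element.group('id')] = params

    return {
        'facility': pri // 8,
        'severity': pri % 8,
        'severity_name': SEVERITY_NAMES[pri % 8],
        'version': int(m.group('version')),
        'timestamp': _nil(m.group('timestamp')),
        'hostname': _nil(m.group('hostname')),
        'appname': _nil(m.group('appname')),
        'procid': _nil(m.group('procid')),
        'msgid': _nil(m.group('msgid')),
        'structured_data': structured,
        'message': m.group('msg'),
    }


if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(parse_syslog_5424(sample))
```

Anything that does not match the header regex (for example a legacy BSD-style line) is rejected with ValueError rather than partially parsed, which is the behaviour you want before events reach Kafka: a parser that silently accepts half a message makes the resulting Metron enrichments unreliable.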
________________________________
From: Casey Stella <[EMAIL PROTECTED]>
Sent: May 18, 2018 10:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Request for Comment on new Syslog 5424 Parsing library

Cool!  I'd welcome a syslog parser!

On Fri, May 18, 2018 at 10:02 AM Otto Fowler <[EMAIL PROTECTED]> wrote: