Raw log filtering with Panther Log Forwarder when using parse: json for RFC 5424 syslog logs in Panther
Last updated: May 7, 2026
QUESTION
When using the Panther Log Forwarder to ingest RFC 5424 syslog logs with parse: json enabled, should raw log filters in the console be based on the JSON parsed version of the log or the original RFC 5424 version?
ANSWER
When parse: json is enabled in the Panther Log Forwarder configuration, raw event filters must match against the JSON representation of the log, not the original RFC 5424 syslog text format.
Here's how the parsing works:
Without parse: json: The syslog event is sent as-is in raw text format to Panther
With parse: json: The log forwarder converts the RFC 5424 message into structured JSON before sending it to Panther
Raw event filters examine logs in their raw format as received by Panther, before they are further parsed by a log schema. When parse: json is used, this means the raw format is the structured JSON produced by the forwarder, not the original syslog text, so a filter pattern written against the RFC 5424 wire format will not match.
This same behavior applies when using type: file configuration with format: syslog.
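The following is an added illustration, not code from Panther or its documentation. It emulates what parse: json does to one constructed RFC 5424 line and then evaluates the same filter pattern against both representations; the JSON field names and the assumption that a raw event filter is a regular expression over the raw event text are illustrative assumptions, so check the Log Forwarder documentation for the forwarder's actual output and filter syntax.

```python
import json
import re

# Constructed RFC 5424 sample line (not taken from the page). Layout per the RFC:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SAMPLE_SYSLOG = (
    "<34>1 2026-05-07T10:15:00Z host1 sshd 1234 - - "
    "Failed password for invalid user admin from 203.0.113.5 port 22 ssh2"
)

RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def syslog_to_json(line: str) -> str:
    """Emulate `parse: json`: turn the RFC 5424 text into a compact JSON document.
    Field names here are an assumption for illustration; the real forwarder output
    may use different keys."""
    m = RFC5424_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 line")
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["version"] = int(fields["version"])
    fields["facility"], fields["severity"] = pri >> 3, pri & 7  # PRI = facility*8 + severity
    return json.dumps(fields, separators=(",", ":"))


def raw_filter_matches(raw_event: str, pattern: str) -> bool:
    """Assumed model of a raw event filter: a regex evaluated over the raw event text."""
    return re.search(pattern, raw_event) is not None


def check_filter(pattern: str, parse_json: bool) -> bool:
    """Evaluate one filter pattern against what Panther would receive for SAMPLE_SYSLOG,
    either the JSON form (parse: json on) or the untouched syslog text (parse: json off)."""
    raw_event = syslog_to_json(SAMPLE_SYSLOG) if parse_json else SAMPLE_SYSLOG
    return raw_filter_matches(raw_event, pattern)


if __name__ == "__main__":
    for pattern in (r"^<34>1 ", r'"appname":"sshd"'):
        print(pattern, "text:", check_filter(pattern, False), "json:", check_filter(pattern, True))
```

A pattern anchored on the syslog PRI header matches only the text form, while a pattern on a JSON key/value pair matches only the parsed form, which is why the filter has to be written for whichever representation the forwarder is configured to send.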
For more information about the Panther Log Forwarder syslog input configuration, see Panther's Log Forwarder documentation.