Are the logs you’re sending with syslog in CEF format? You will note that the 
CEF sensor uses the CEF parser, which means unless your logs are in CEF format, 
they will fail to parse and be dropped into the error index (worth checking the 
error index in Kibana via the Metron Error Dashboard). That will likely tell you 
why things aren’t parsing. 

The most likely scenario is that you are sending something non-CEF on the 
syslog feed, in which case you will need something like a Grok parser. I 
suggest reading through the Squid example in the documentation on how to do 
this. 

Simon

> On 4 Jan 2018, at 18:49, Gaurav Bapat <gauravb3...@gmail.com> wrote:
> 
> They are syslogs and my topic name is cef. I get one parsed log out of 1000+ 
> and I want to do analytics using Spark but I can't find a way out.

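The distinction Simon draws above, shown as an added example that is not from this thread and not Metron's own parser code: a minimal CEF parser and a minimal Grok-style pattern matcher in Python, run over one constructed CEF event and one constructed syslog line. The CEF parser returns None for the syslog line (the equivalent of the message landing in the error index), while a Grok pattern written in the same %{NAME:field} syntax the Squid example uses extracts fields from it. The pattern names (SYSLOGTIMESTAMP, HOSTNAME, PROG, POSINT, GREEDYDATA) and their regexes are a small assumed subset written for this example, not Metron's pattern files, and the sample lines are constructed.

```python
import re

# Constructed sample input (not from the original thread): one CEF event and one
# plain syslog line of the kind a CEF parser rejects.
CEF_LINE = ("CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
            "src=10.0.0.1 dst=2.1.2.2 spt=1232")
SYSLOG_LINE = ("Jan  4 18:49:12 myhost sshd[1234]: "
               "Failed password for root from 10.0.0.5 port 4122 ssh2")

CEF_HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity"]


def parse_cef(line):
    """Parse one CEF line into a dict; return None when the line is not CEF.

    CEF is 'CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|ext'
    where the extension is key=value pairs whose values may contain spaces.
    """
    if not line.startswith("CEF:"):
        return None
    # Header fields are pipe-delimited; a literal pipe inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None
    event = dict(zip(CEF_HEADER, (p.replace(r"\|", "|") for p in parts[:7])))
    # An extension value runs until the next ' key=' token or the end of the line.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7]):
        event[key] = value.strip()
    return event


# Assumed subset of Grok base patterns (hypothetical, not Metron's pattern files).
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "HOSTNAME": r"[\w.-]+",
    "PROG": r"[\w/.-]+",
    "POSINT": r"\d+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "GREEDYDATA": r".*",
}


def grok_compile(pattern):
    """Expand %{NAME:field} references into named regex groups; anchor the result."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        regex = GROK_PATTERNS[name]
        return f"(?P<{field}>{regex})" if field else f"(?:{regex})"
    return re.compile("^" + re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern) + "$")


# Pattern for the constructed syslog line (literal regex outside %{...} is kept as-is).
SYSLOG_PATTERN = grok_compile(
    r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{PROG:program}"
    r"\[%{POSINT:pid}\]: %{GREEDYDATA:message}"
)


def parse_grok(compiled, line):
    """Return the named fields for a matching line, or None when the pattern does not match."""
    m = compiled.match(line)
    return m.groupdict() if m else None


def route(parser, lines):
    """Mimic a parser topology: parsed events go to the index, rejects to the error index."""
    indexed, errors = [], []
    for line in lines:
        event = parser(line)
        if event is None:
            errors.append(line)
        else:
            indexed.append(event)
    return indexed, errors


if __name__ == "__main__":
    # A feed that is mostly syslog with an occasional CEF event, run through the CEF parser:
    # only the CEF event is indexed, everything else lands in the error list.
    feed = [SYSLOG_LINE] * 3 + [CEF_LINE]
    indexed, errors = route(parse_cef, feed)
    print(f"CEF parser: {len(indexed)} indexed, {len(errors)} in error index")
    # The same syslog lines through a Grok pattern written for them all parse.
    indexed, errors = route(lambda l: parse_grok(SYSLOG_PATTERN, l), [SYSLOG_LINE] * 3)
    print(f"Grok parser: {len(indexed)} indexed, {len(errors)} in error index")
    print(indexed[0])
```

Running the script shows the one-parsed-event-per-feed behaviour from the quoted message: with the CEF parser the syslog lines are all rejected, and switching the syslog feed to a Grok pattern that matches its layout is what gets the fields out. The real fix in Metron is a separate sensor topic with a Grok parser configured as in the Squid example; the regexes here only illustrate the mechanism.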