CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

Hi all, I ran into a problem while getting logs from Forcepoint ("security events") from a Syslog daemon connector.

The problem is that the device is sending the epoch time in seconds in the rt field, and then the End Time is shown as the date End Time: 19 Jan 1970 09:19:46 IST
in all the logs.

I tried to use additional regex parsing but it doesn't work.

<159>Feb 13 10:34:37 10.113.0.33 CEF:0|Forcepoint|Security|

rt=1581582877

SmartConnector version is ArcSight 7.14.

Any suggestions?

  • I was able to resolve the problem with event.endTime=__createLocalTimeStampFromSecondsSinceEpoch. I figured out that the timestamp on endTime is really in epoch format even if it is shown as type TimeStamp. I'll be happy to share the parser if someone needs it. Thanks to everyone for the help. :)
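To make the symptom in the thread concrete: this is an added example (not code from the post or from ArcSight) that parses the CEF extension of a sample event and converts the rt value both ways. The CEF standard defines rt as milliseconds since the epoch, so a connector reading the 10-digit seconds value as milliseconds lands in January 1970, exactly as the question describes. The product/version/name fields after the CEF header and the src field are assumed; the rt value is the one from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample event: header and rt value from the post, remaining
# header fields and the src extension are assumed for illustration.
SAMPLE = ("<159>Feb 13 10:34:37 10.113.0.33 "
          "CEF:0|Forcepoint|Security|8.5|1000|Security event|3|"
          "rt=1581582877 src=10.0.0.5")

CEF_HEADER_FIELDS = 7  # Version|Vendor|Product|Version|SigID|Name|Severity


def parse_cef_extension(line: str) -> dict:
    """Return the key=value extension map that follows the seven CEF header fields."""
    body = line[line.index("CEF:"):]
    parts = body.split("|", CEF_HEADER_FIELDS)
    if len(parts) <= CEF_HEADER_FIELDS:
        return {}
    ext = parts[CEF_HEADER_FIELDS]
    # a value runs until the next " key=" token or the end of the line
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext))


def epoch_unit(value: str) -> str:
    """Heuristic: CEF rt should be milliseconds, but a value below 10**11
    would be a date in 1973 or earlier if read as ms, so treat it as seconds."""
    return "seconds" if int(value) < 10**11 else "milliseconds"


def epoch_to_utc(value: str, unit: str) -> datetime:
    n = int(value)
    if unit == "seconds":
        return datetime.fromtimestamp(n, tz=timezone.utc)
    if unit == "milliseconds":
        return datetime.fromtimestamp(n / 1000, tz=timezone.utc)
    raise ValueError(f"unknown unit {unit!r}")


def rt_from_event(line: str) -> tuple:
    """Return (time read as CEF-standard milliseconds, time read as seconds)."""
    rt = parse_cef_extension(line)["rt"]
    as_ms = epoch_to_utc(rt, "milliseconds")   # what the default mapping produced
    as_s = epoch_to_utc(rt, epoch_unit(rt))    # what the device actually meant
    return as_ms, as_s


if __name__ == "__main__":
    wrong, right = rt_from_event(SAMPLE)
    print("rt read as milliseconds:", wrong.isoformat())
    print("rt read as seconds:     ", right.isoformat())
```

The seconds reading (08:34:37 UTC) matches the syslog header time of 10:34:37 in UTC+2, which is the quick sanity check to run before changing the parser's endTime mapping.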