I'm not very experienced with Sentinel, so I apologize if this is a basic question.
I have NetIQ Advanced Authentication set up to send CEF logs to Sentinel. When I do a search on events in the Sentinel web interface and filter on the "Universal Common Event Format", I can see the events from Adv. Auth. but none of the detail. So I'll see things like "User was successfully logged on" or "User was switched to a different method" or "Request Failed." But I don't see any of the other data that follows those messages. If I use the Raw Data monitor in the Java Sentinel Control Center, I can see a wealth of data in the _sBody and s_raw_message2 fields. This data appears to be pipe delimited following the basic event message. Why can I not see that data in the Sentinel web-based event search? What's the trick to get that data to appear?
Thanks.
Matt