Problem (?) displaying CEF-formatted alerts via TCP in Logger
We recently added some payload data to the event alerts from our product. The alerts are larger than UDP can handle so these are being sent by TCP. The alerts show up in Logger but I cannot figure out how to get the Logger to parse correctly. The RAW data shows that all the alert is making it into Logger with all the expected fields and I have added our specific fields as "Custom" fields but nothing will display in those columns when the alert comes in. This is what the raw packet looks like in Logger:
This is what it looks like in context with our UDP alerts:
In the above capture, the Interface Reset and Heartbeat deviceActions are diagnostic and sent via UDP. No data would be in the columns that are empty. The Blocked Actions should show all of the columns at the top (and shows in the RAW file).
I have tried this on both a local copy of Logger and an AWS Marketplace instance and have exactly the same result. Any ideas what I can do to fix this?
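A small checker for the two things worth confirming independently of Logger when a CEF record arrives over TCP but its fields stay empty: that the raw record itself parses (header, extension key=value pairs, and custom csN/csNLabel pairs resolved to their labels), and that each record in the TCP stream ends with the newline that syslog-over-TCP non-transparent framing (RFC 6587) expects. This is an added example, not code from the original post or from the Logger product; the sample CEF line and the byte stream are constructed, the vendor/product/field names in them are placeholders, and the code does not model how Logger itself maps custom fields.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample record (placeholder vendor, product and field values; not from the thread).
# The extension carries a custom string field cs1 whose display name is given by cs1Label.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Blocked Action|7|"
    "src=10.0.0.5 dst=10.0.0.9 deviceAction=Blocked "
    "cs1=payload\\=abc cs1Label=PayloadHash msg=Action blocked on host"
)

_HEADER_FIELDS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                  "deviceEventClassId", "name", "severity"]


def _split_header(body: str) -> List[str]:
    """Split the seven pipe-delimited header fields, honouring the CEF escapes '\\|' and '\\\\'.
    Returns the seven fields followed by the untouched extension string."""
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped pipe or backslash
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return parts + [body[i:]]


def _unescape_ext(value: str) -> str:
    """Undo the extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value' where values may contain spaces.
    A new pair starts only where a space is followed by a key and an unescaped '='."""
    fields: Dict[str, str] = {}
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", ext.strip()):
        if "=" not in pair:
            continue
        key, _, raw = pair.partition("=")
        fields[key] = _unescape_ext(raw)
    return fields


def resolve_custom_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Map custom fields onto their label names: cs1 + cs1Label=PayloadHash -> {'PayloadHash': ...}."""
    custom: Dict[str, str] = {}
    for key, label in fields.items():
        if key.endswith("Label") and key[:-len("Label")] in fields:
            custom[label] = fields[key[:-len("Label")]]
    return custom


def parse_cef(line: str) -> dict:
    """Parse one CEF record into header, extension and resolved custom fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_header(line[len("CEF:"):])
    ext = parse_extension(parts[7])
    return {"header": dict(zip(_HEADER_FIELDS, parts[:7])),
            "extension": ext,
            "custom": resolve_custom_fields(ext)}


def split_tcp_records(stream: bytes) -> Tuple[List[str], str]:
    """Split a syslog-over-TCP byte stream on LF (RFC 6587 non-transparent framing).
    Returns the complete records and any unterminated trailing fragment; a non-empty
    fragment means the sender did not end its last message with a newline."""
    chunks = stream.split(b"\n")
    leftover = chunks.pop()          # b"" when the stream ended with a newline
    records = [c.decode("utf-8", "replace") for c in chunks if c]
    return records, leftover.decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed stream: one properly terminated record and one missing its trailing LF.
    stream = (SAMPLE_CEF + "\n").encode() + SAMPLE_CEF.encode()
    records, fragment = split_tcp_records(stream)
    print(f"{len(records)} complete record(s); unterminated fragment: {bool(fragment)}")
    for rec in records:
        parsed = parse_cef(rec)
        print(parsed["header"]["name"], parsed["custom"])
```

The `custom` map is the quickest way to see whether a label/value pair (for example `cs1Label` and `cs1`) is actually present and paired in the raw record; if it is, the record itself is well formed and the problem lies in how the receiver is configured rather than in the sender's formatting.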