Github user ctramnitz commented on the issue: https://github.com/apache/metron/pull/579

I think https://github.com/apache/metron/pull/579/commits/ccd99dda3c8a72408ae13eeaca078af1e345a36c#diff-e0385f97ebea64bab3a83bceef70bb4aR67

```
expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1");
```

should be

```
expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
```

The rest is the syslog header, not the PA domain.

I'd suggest stripping the syslog header off the test data and assuming it will also be stripped off on ingestion until we have a syslog-preparsing capability (i.e. https://issues.apache.org/jira/browse/METRON-1453). I'm already doing this using rsyslog:

```
module(load="imudp")
module(load="omkafka")

# Forward only the MSG part (no PRI/timestamp/hostname), without the trailing newline
template(name="msgonly" type="string" string="%msg:::drop-last-lf%")

ruleset(name="udp514") {
    if (<some-condition>) then {
        action(
            type="omkafka"
            broker=["<kafka_host>:6667"]
            confparam=["client.id=rsyslog",
                       "compression.codec=snappy",
                       "socket.keepalive.enable=true"]
            topic="paloalto"
            template="msgonly"
            errorfile="/var/log/rsyslog_kafka_failures.log"
        )
    }
}

input(type="imudp" port="514" ruleset="udp514")
```
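Added example (my own, not code from the PR or the Metron project): a Python sketch of the header stripping the comment proposes, run over a constructed line of the same shape as the test fixture, to show why the first CSV field (the parser's PaloAltoDomain) is "1" only once the RFC 3164 header is gone. The function names and the CSV body after "1," are assumptions.

```python
import re

# Constructed sample in the shape of the fixture quoted above: RFC 3164 header
# (<PRI>, timestamp, hostname) followed by a PAN-OS CSV body. Only the header
# and the leading "1" come from the comment; the remaining fields are made up.
SAMPLE = ("<11>Jan 5 05:38:59 PAN1.exampleCustomer.com "
          "1,2018/01/05 05:38:59,001606001116,THREAT,url,0\n")

# RFC 3164 header: <PRI>, "Mon [d]d hh:mm:ss" (day may be space-padded), hostname.
# Matching this and keeping the remainder is what rsyslog's %msg% property yields.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)


def strip_syslog_header(line):
    """Return (header, msg). header is None when no RFC 3164 header is present,
    in which case msg is the whole line. The trailing LF is dropped, like
    rsyslog's drop-last-lf option."""
    line = line.rstrip("\n")
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    header = m.groupdict()
    pri = int(header["pri"])
    header["facility"] = pri >> 3   # <11> -> facility 1 (user-level)
    header["severity"] = pri & 7    # <11> -> severity 3 (error)
    return header, line[m.end():]


def first_field(msg):
    """First comma-separated field of the PAN-OS body (what the parser labels
    PaloAltoDomain)."""
    return msg.split(",", 1)[0]


if __name__ == "__main__":
    header, msg = strip_syslog_header(SAMPLE)
    print("without stripping:", repr(first_field(SAMPLE)))
    print("with stripping:   ", repr(first_field(msg)), header)
```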
---