Rahul Jha

Results 75 comments of Rahul Jha

As there is no response on the issue, we are closing the issue.

`tcpdump -s 0 host 1.2.3.4 and port 514 -i eth0 -w specificIP.pcap`, please change it as you see fit.

As there is no update on the issue, we are closing it.

@nandinivij can you please update this?

@mateuszpierzchala-splunk Can you please take a look?

We need the message before parsing as well, with PRI and all. Can you please capture it in tcpdump, sanitise it and share it here?

The SC4S fallback is for the sourcetypes which are not identified by the parsers, and that's why it adds PRI and message.

All the supported vendors are documented; if something is breaking, please feel free to share the sample sanitised log and we will try to fix it. The fallback details...