From 826322e627c85ca2429ee2975c0585f0c2b4ded5 Mon Sep 17 00:00:00 2001
From: Daryl Coburn
Date: Fri, 25 Oct 2024 11:42:58 -0600
Subject: [PATCH] removed event.created,message field removes; updated date match patterns
---
 config/processors/syslog_security_symantec.endpoint.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/processors/syslog_security_symantec.endpoint.conf b/config/processors/syslog_security_symantec.endpoint.conf
index 1a302e96..c3f5e0b6 100644
--- a/config/processors/syslog_security_symantec.endpoint.conf
+++ b/config/processors/syslog_security_symantec.endpoint.conf
@@ -410,7 +410,7 @@ filter {
 rename => {"[sepm][Source]" => "[log][logger]"}
 rename => {"[sepm][Disposition]" => "[error][type]"}
 rename => {"[sepm][Event Type]" => "[event][category]"}
- remove_field => ["[log][date_time]", "[event][created]", "[received][date_time]", "actual_msg"]
+ remove_field => ["[log][date_time]", "[received][date_time]", "actual_msg"]
 }
 if [rule][id] {
 mutate {
@@ -468,7 +468,7 @@ filter {
 if [event][start] {
 date {
- match => ["[event][start]" , "yyyy-MM-dd HH:mm:ss"]
+ match => ["[event][start]", "ISO8601", "yyyy-MM-dd HH:mm:ss", "MMM dd HH:mm:ss"]
 timezone => "GMT"
 locale => "en"
 target => "[event][start]"
@@ -482,7 +482,7 @@ filter {
 }
 if [event][end] {
 date {
- match => ["[event][end]" , "yyyy-MM-dd HH:mm:ss"]
+ match => ["[event][end]", "ISO8601", "yyyy-MM-dd HH:mm:ss", "MMM dd HH:mm:ss"]
 timezone => "GMT"
 locale => "en"
 target => "[event][end]"
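Review bot: The `remove_field` change keeps `[event][created]` on the event, but the commit subject also claims a `message` field removal was dropped, and nothing in this hunk touches `message` — `actual_msg` is still removed, so either the subject is stale or that change lives outside this patch. Since `[event][created]` now survives, confirm it is populated as a parsed timestamp rather than the raw SEPM string (not visible here): ECS defines `event.created` as a date field, and a string value in a date-mapped index will be rejected at index time. The enclosing block (presumably a `mutate`, given the `rename`/`remove_field` options) starts before the hunk.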
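Review bot: The new `MMM dd HH:mm:ss` pattern in the `[event][start]` match (and the identical one for `[event][end]` in the next hunk) will not match syslog-style timestamps that space-pad single-digit days (`Oct  5 11:42:58`), because the literal single space in the pattern does not absorb the second space; Logstash's own syslog examples pair it with `MMM  d HH:mm:ss`. Suggested line: `match => ["[event][start]", "ISO8601", "yyyy-MM-dd HH:mm:ss", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]`. That pattern also carries no year, so the date filter infers it from the current clock and events parsed across a year boundary can land in the wrong year — acceptable only if this source never emits year-less timestamps, which the hunk cannot show. As I read the date filter docs, `timezone => "GMT"` only applies to values without an embedded offset, so an `ISO8601` value carrying its own offset keeps it while the other two patterns are forced to GMT; worth a comment if that asymmetry is intended.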