In SecOps 1.3, users who do not use Incident Management in Security Analytics can use UCF to configure a Syslog endpoint that receives Reporting Engine alerts.
For the Reporting Engine to send alerts to UCF, you must configure the syslog output in Security Analytics (Administration -> Services -> Reporting Engine -> Config -> Output Action).
There is a parameter called "Syslog Message Delimiter". You must set it to LF for UCF to parse the alerts properly. Setting it to CR causes UCF to discard the request without processing it.
In SecOps 1.1, delimiters such as CR can be used. Therefore, if you upgrade to SecOps 1.3, you must change the delimiter setting in the Syslog configuration.
The cause of this issue is currently being investigated by the Engineering team so that it may be resolved in a future release. If you are experiencing this issue, contact RSA Support and quote this article number for further assistance.
In the Security Analytics UI:
Go to Administration -> Services -> Reporting Engine -> Config -> Output Action.
In the Syslog Configuration, modify the existing settings.
Select LF in the Syslog Message Delimiter drop-down menu.
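To confirm the delimiter actually in use after the change, the following added example (not RSA code) classifies the delimiter in captured syslog payload bytes and shows what a receiver that frames on LF would extract from them. The LF-framing receiver is an assumed model rather than UCF's actual parser, and the alert lines are constructed sample data.

```python
# Added example: verify that a captured syslog payload is LF-delimited.
# The sample alerts are constructed; they are not real Reporting Engine output.

def classify_delimiter(stream: bytes) -> str:
    """Return 'LF', 'CR', 'CRLF', 'MIXED' or 'NONE' for the capture."""
    crlf = stream.count(b"\r\n")
    lf = stream.count(b"\n") - crlf   # bare LF only
    cr = stream.count(b"\r") - crlf   # bare CR only
    kinds = [name for name, n in (("LF", lf), ("CR", cr), ("CRLF", crlf)) if n]
    if not kinds:
        return "NONE"
    return kinds[0] if len(kinds) == 1 else "MIXED"

def frame_on_lf(stream: bytes):
    """Split the way a receiver that frames on LF would (assumed model).

    Returns (complete_messages, leftover); leftover is data that never
    received a terminator and so is never handed on as a message.
    """
    *complete, leftover = stream.split(b"\n")
    return complete, leftover

def check_capture(stream: bytes) -> dict:
    """Summarise a capture; 'ok' means every message is LF-terminated."""
    complete, leftover = frame_on_lf(stream)
    delimiter = classify_delimiter(stream)
    return {
        "delimiter": delimiter,
        "complete_messages": len(complete),
        "unterminated_bytes": len(leftover),
        "ok": delimiter == "LF" and not leftover,
    }

# Constructed sample alerts (hypothetical content).
ALERTS = [
    b"<134>Jan 01 00:00:01 sa-host ReportingEngine: alert=example-rule-1",
    b"<134>Jan 01 00:00:02 sa-host ReportingEngine: alert=example-rule-2",
    b"<134>Jan 01 00:00:03 sa-host ReportingEngine: alert=example-rule-3",
]
LF_STREAM = b"".join(a + b"\n" for a in ALERTS)  # delimiter set to LF
CR_STREAM = b"".join(a + b"\r" for a in ALERTS)  # delimiter left at CR

if __name__ == "__main__":
    for label, stream in (("LF", LF_STREAM), ("CR", CR_STREAM)):
        print(label, check_capture(stream))
```

With the CR capture, the LF-framing model yields no complete message and leaves the whole payload unterminated, which matches the symptom of alerts never being processed.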