I've been wrestling with getting something parsed for a while now and I just can't seem to wrap my head around the problem.
Here's the thing: we audit admins by using sudosh. As far as I know, this does not get parsed by enVision, so we used ESI to parse it. The log comes in on the same syslog stream, so I want to modify the original Solaris XML to also parse the sudosh messages.
I ran sendunknownmessages for the past 10 days and went about parsing. We updated ESI to the same scheme as our enVision, with the ESU -esi-install flag. Now the log file parses fine in ESI, has no data pattern warnings, and everything is how it should be. When I copy the XML file to the enVision (an ES), it simply refuses to parse the log. It still comes out as an unknown message and it doesn't show up in a query.
Could you guys please have a look and see what's wrong? I've added a scrubbed bit of log and the XML I created; the messages I added are at the bottom.