I have created an iRule in my F5 BigIP LTM to send information to SA.
I also configured new header and message information using the "RSA enVision EventSource Integrator" software.
When using the RSA enVision EventSource software, I am able to parse all the syslogs that are coming from the F5.
But I noticed that after copying the new bigipmsg.xml file to SA, I am still unable to see the parsed data.
After investigating the issue, I noticed that the syslog is parsed as an rlinux device, and that is why I am unable to see the parsed data (there is no parser for it in the rlinuxmsg.xml file).
I am guessing that the rlinux parser comes first in the parsing, and because of that SA stops parsing and does not parse the syslog as BigIP.
Is there a way to make sure the bigip parser will be "first in line"? First try parsing it as bigip, and only if that fails, try the rlinux parser.
If not, is there any way to tell the SA rlinux parser never to parse a syslog that contains some special unique string?