It looks like you're new here. If you want to get involved, click one of these buttons!
** Alert 1496918806.499: - pam,syslog,
2017 Jun 08 06:46:46 servername->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Jun 8 06:46:45 waftest su: pam_unix(su:session): session closed for user xxxxxx
They are successfully going into CloudWatch and I'm pulling them into AlienVault from there, but the plugin does not seem to parse them.
What format is the plugin expecting to parse?