If you have the option to set the default log format to syslog, then do this. I'm almost sure that it is harder to write a parser for multi-line logs than for single-line logs. Have you already tried setting one of the standard parsers?
Thank you for your reply. Unfortunately, the logs are already coming in as syslog. I have attempted to use both the Unix-Linux parser and the Generic ASP data source, and the logs still come in the same multi-line format. It appears that my only option is to change the format type so I can define how many lines each log is.
I have already attempted to build my own custom parser, and the Event Receiver cannot read past the first line. I currently have a ticket open with McAfee to help with a workaround, but they are moving at a snail's pace, so I figured I would ask the community and see if anyone else has experience with a similar scenario.
I have actually solved my issue.
When the logs were coming into the SIEM, I was looking at the packet via the "Packet" tab; however, when I switched over to the ELM Archive view of the log, it was one line.
I used the raw log in the ELM Archive view to create my parser and everything is parsing correctly!
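An added illustration of the thread's point, not code from the posts above and not McAfee ESM's own parser: a single-line regex parser only sees the header line of a record that arrives broken across several lines (the "cannot read past the first line" symptom), while the same parser works once continuation lines are folded back onto their header, which is the one-line form the ELM Archive view exposed. The sample records, the syslog layout (BSD-style header followed by indented key=value continuation lines) and the field names are constructed for this example.

```python
import re

# Constructed sample: two syslog records as they would appear in a
# packet view, each continued over indented key=value lines.
PACKET_VIEW = """<134>Mar  3 10:15:22 appsrv01 webapp: Login failed
  user=alice
  src=10.0.0.5
<134>Mar  3 10:15:30 appsrv01 webapp: Login ok
  user=bob
  src=10.0.0.7
"""

# BSD syslog header: <PRI>TIMESTAMP HOST APP: MSG (assumed layout for the sample)
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)

# key=value pairs inside the message body
KV_PAIR = re.compile(r"(\w+)=(\S+)")


def reassemble(text):
    """Fold continuation lines onto the preceding header line.

    A line that matches the syslog header starts a new record; any other
    non-empty line is appended (whitespace-collapsed) to the current one.
    Returns a list of single-line records.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_HEADER.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
        else:
            # Continuation with no preceding header: keep it rather than drop data.
            records.append(line.strip())
    return records


def parse(record):
    """Parse one single-line syslog record into a dict, or None if no header."""
    m = SYSLOG_HEADER.match(record)
    if not m:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    # PRI = facility * 8 + severity per RFC 3164
    fields["facility"], fields["severity"] = divmod(fields["pri"], 8)
    fields["kv"] = dict(KV_PAIR.findall(fields["msg"]))
    return fields


def parse_first_line_only(text):
    """Mimic a parser that stops at the first line of a multi-line record."""
    return parse(text.splitlines()[0])


def parse_all(text):
    """Reassemble, then parse every record; drops lines with no header."""
    return [p for p in (parse(r) for r in reassemble(text)) if p is not None]


if __name__ == "__main__":
    # Header-only parsing loses user and src entirely.
    print(parse_first_line_only(PACKET_VIEW)["kv"])   # {}
    for event in parse_all(PACKET_VIEW):
        print(event["ts"], event["host"], event["msg"], event["kv"])
```

Running it shows why the packet-tab view misled the custom parser: the header line alone carries no `user=` or `src=` pair, so every field defined past the first line is empty, whereas the reassembled records yield all of them.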