We upgraded our Pulse Secure to 8.3R4 and noticed the syslogs are no longer parsed in our ArcSight SIEM. We're running the latest connector parser from ArcSight, which looks like it supports up to 8.2. The other interesting thing is the syslog is identifying the product as HPE ProCurve and not Pulse Secure. Why was the logging changed? Is there a way to change back to the old logging format?
In the release notes for 8.3R4 there is change which could affect the parsing.
PRS-353185 Summary: Syslog export is improperly formatted for RFC5424 compliance.
And checking the RFCs it seems the message format change a lot.
Another change I notice, was the reduction of fields in the WELF format and the
inexistence of W3C format. Both these changes can be overcome by creating a custom filter.