Kevin, Have you thought of locally processing the logs using ausearch -i (which does the conversion you want) and then transmitting the locally interpreted logs to your SIEM? On Tue, 2016-10-04 at 10:13 -0400, Kevin Brown wrote: > Thanks for the responses so far >