What log source protocol type includes Event Start Pattern and Event End Pattern fields?

The protocol type that includes the Event Start Pattern and Event End Pattern fields is related to the handling of multiline messages in logs. The TCP Multiline Syslog is specifically designed to accommodate logs that span multiple lines, which is common in various applications and services that generate output in a format that includes structured information.

In a multiline log entry, there could be a need to identify where an event begins and where it ends. The Event Start Pattern field is used to define the string or conditions that indicate the start of a new event, while the Event End Pattern field identifies the condition or string that signifies the conclusion of that event. This is particularly relevant when parsing logs that may have complex structures, like stack traces or logs from certain applications.

Thus, when working with TCP Multiline Syslog, the use of these patterns ensures that the QRadar SIEM can accurately capture and separate individual events from a log source that formats output over multiple lines, allowing for correct parsing, indexing, and alerting based on those events.