Options to send syslog in RFC5424 format

What is a one sentence summary of your feature request?

Add tags to the NTP agent that allow RFC5424 to be matched.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Timestamps are currently only presented in local or UTC format. The ISO 8601 timestamp format should be available, e.g. 2026-03-29T22:31:30.000Z. The product refers to itself as Netwrix Threat Prevention; spaces are not allowed in this format, so it should be Netwrix-Threat-Prevention.

How do you currently solve the challenges you have by not having this feature?

Currently there is no workaround, as the SIEM being used is not ingesting events properly due to the missing format.

Hi Ian,

Thanks for this submission! What SIEM platform are they leveraging that only accepts RFC5424? I’ll review this with the team, but that information would help.

Hi Kevin,

MSFT Sentinel, with Kafka integration

Definitely need this for a customer we are working with!

Hi Kevin,

Is this something that can be implemented soon? We’re trying to determine if we need to explore other options for sending the data to syslog.

This is what they’re expecting:
<14>1 2026-03-29T22:31:30.000Z X.X.X.X Netwrix-Threat-Prevention - - - eventName="Event Name" eventCode="X.X.X" …

What they’re seeing wrapped in a BSD layer (which they don’t want):
Apr 1 04:50:32 172.29.38.157 1 2026-03-29 22:31:30.000 LVA1-NTPAPP02 Netwrix Threat Prevention - EVENT - eventName="LDAP Search" …
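
Added example, not code from Netwrix or from anyone in this thread: a small Python check that tells the two line shapes above apart, validates a line against the RFC 5424 header layout (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA, MSG), and re-emits the inner event from the BSD-wrapped line as a conforming RFC 5424 line. Everything not on the page is an assumption: the regex for the inner payload is modelled on the single wrapped sample, the rebuilt line uses facility user / severity info (PRI 14) because the wrapper carries no PRI, the inner timestamp is treated as UTC because it carries no zone, and the sample host/IP values are placeholders.

```python
"""Added example (not Netwrix code): check a syslog line against the RFC 5424
header layout, recognise the BSD-style wrapper described in the thread, and
re-emit the inner event as a proper RFC 5424 line.

Assumptions not stated on the page: the inner payload keeps the shape of the
one wrapped sample, facility/severity default to user.info (PRI 14) because
the wrapper has no PRI, and the inner timestamp is UTC because it has no zone.
"""
import re
from datetime import datetime, timezone

# RFC 5424 section 6: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# SP STRUCTURED-DATA [SP MSG]. Header fields are PRINTUSASCII (%d33-126), so no spaces.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>[!-~]{1,255}) "
    r"(?P<appname>[!-~]{1,48}) "
    r"(?P<procid>[!-~]{1,128}) "
    r"(?P<msgid>[!-~]{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# BSD-style wrapper: optional PRI, "Mmm dd HH:MM:SS", the relay host, then the original payload.
BSD_RE = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<relay>\S+) (?P<payload>.*)$"
)

# Assumed shape of the payload inside the wrapper, based on the one sample line in the thread:
# VERSION "YYYY-MM-DD HH:MM:SS.mmm" HOST APP-NAME-WITH-SPACES "-" MSGID "-" MSG
INNER_RE = re.compile(
    r"^(?P<version>\d+) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<host>\S+) (?P<appname>.+?) - (?P<msgid>\S+) - (?P<msg>.*)$"
)


def parse_rfc5424(line):
    """Return the fields of an RFC 5424 line as a dict, or None if it does not conform."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # PRI = 8 * facility(0..23) + severity(0..7), so 191 is the maximum
        return None
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields


def classify(line):
    """'rfc5424' if the line parses cleanly, 'bsd' if it carries a BSD wrapper, else 'unknown'."""
    if parse_rfc5424(line):
        return "rfc5424"
    if BSD_RE.match(line):
        return "bsd"
    return "unknown"


def format_rfc5424(facility, severity, ts, hostname, appname, procid=None, msgid=None, sd=None, msg=None):
    """Build one RFC 5424 line. Absent fields become NILVALUE '-'; whitespace in header fields becomes '-'."""
    def field(value, maxlen):
        if value is None:
            return "-"
        return re.sub(r"\s+", "-", str(value))[:maxlen]  # SP is not allowed in HOSTNAME/APP-NAME/PROCID/MSGID
    ts = ts.astimezone(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"  # ISO 8601, ms, UTC
    head = (f"<{facility * 8 + severity}>1 {stamp} {field(hostname, 255)} {field(appname, 48)} "
            f"{field(procid, 128)} {field(msgid, 32)} {sd or '-'}")
    return head if msg is None else f"{head} {msg}"


def unwrap_to_rfc5424(line, facility=1, severity=6):
    """Strip the BSD wrapper and re-emit the inner event as RFC 5424 (default PRI 14 = user.info, assumed)."""
    outer = BSD_RE.match(line)
    inner = INNER_RE.match(outer.group("payload")) if outer else None
    if not inner:
        return None
    # The inner timestamp has no zone; treating it as UTC is an assumption.
    ts = datetime.fromisoformat(f"{inner['date']}T{inner['time']}").replace(tzinfo=timezone.utc)
    return format_rfc5424(facility, severity, ts, inner["host"], inner["appname"],
                          None, inner["msgid"], None, inner["msg"])


# Constructed sample lines modelled on the two in the thread; the IPs are documentation placeholders.
EXPECTED = '<14>1 2026-03-29T22:31:30.000Z 192.0.2.10 Netwrix-Threat-Prevention - - - eventName="Event Name" eventCode="1.2.3"'
WRAPPED = 'Apr 1 04:50:32 192.0.2.20 1 2026-03-29 22:31:30.000 LVA1-NTPAPP02 Netwrix Threat Prevention - EVENT - eventName="LDAP Search"'

if __name__ == "__main__":
    print(classify(EXPECTED), parse_rfc5424(EXPECTED)["appname"])
    print(classify(WRAPPED))
    print(unwrap_to_rfc5424(WRAPPED))
```

Running this on the wrapped sample prints a line whose header has the ISO 8601 UTC timestamp and a hyphenated APP-NAME, which the strict parser then accepts; the original wrapped line is classified as `bsd` because the `<PRI>VERSION` prefix is missing and the timestamp and application name violate the header grammar. The parser is deliberately strict about PRI range and the no-space rule, which is exactly what a SIEM's RFC 5424 ingester tends to reject on.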

Hey Peter,

This is something we’re looking to tackle in our Q2 release cycle to have a SIEM output that supports RFC5424. Our Q2 is May through July. As we get through some of the planning, I will report back any estimates as to when we can ship something here.

I am also checking with the team if this is possible to be worked around with custom SIEM mapping files to help in the short-term.
