PRI will go away if we can just filter the message using sc4s_vendor and sc4s_product values from UI, filter it and rewrite the sourcetype and other metadata as seen relevant; in template you can mention "t_message_only".
Note: If your issue is not a bug or a feature request, please raise a support ticket through our support portal (Splunk.com > Support > Support Portal). This will help us resolve your issue more efficiently and provide you with better assistance. For more information on how to work with the Splunk Support, please refer to this guide.
This is coming from a support case 3708744
What is the sc4s version?
2.49.8
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
capture.zip
What's the vendor name?
Salto
What's the product name?
Salto: Smart Access & Identity Management Solutions
If you're requesting support for a new vendor, do you have any preferences regarding the default index and sourcetype for their events?
We can define it ourselves
Do you have syslog documentation or a manual for that device?
The best I could have found, but far from informative: https://support.saltosystems.com/de/space/user-guide/operator/system/system-auditor/
Feature Request description:
strip down PRI=13 MESSAGE=[]
Do you want to have it for local usage or prepare a github PR?
Both options are good; the fastest path is preferred.