I'm using rsyslog to send snort alerts from my NSTPRO box to splunk. Multiple events are showing up in splunk as a single entry. Note the timestamps are different. Any ideas why or how to fix? Thanks.
May 24 14:11:12 10.40.36.208 May 24 07:04:56 probe-eth0 snort[16339]: [1:1917:6] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 10.40.36.227:2488 -> 239.255.255.250:1900
May 24 14:11:15 10.40.36.208 May 24 07:04:59 probe-eth0 snort[16339]: [1:1917:6] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 10.40.36.227:2488 -> 239.255.255.250:1900
May 24 14:11:18 10.40.36.208 May 24 07:05:02 probe-eth0 snort[16339]: [1:1917:6] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 10.40.36.227:2488 -> 239.255.255.250:1900
host=xxxxxxx sourcetype=snort source=udp:6456 dest_ip=239.255.255.250 dest_port=1900 eventtype=snort-alert src_port=2488 src_ip=10.40.36.227
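One way to keep each syslog line as its own Splunk event is to pin the sourcetype's line breaking and timestamp extraction explicitly instead of relying on Splunk's automatic line merging. The following `props.conf` stanza is an added example, not configuration from the poster, from Splunk's defaults, or from the NSTPRO box; it assumes the events are indexed with the `sourcetype=snort` shown above and that the stanza is placed in a `props.conf` on the indexer or heavy forwarder that parses the UDP input (for example `$SPLUNK_HOME/etc/system/local/props.conf`, an assumed location). The settings themselves (`SHOULD_LINEMERGE`, `LINE_BREAKER`, `TIME_PREFIX`, `TIME_FORMAT`, `MAX_TIMESTAMP_LOOKAHEAD`) are standard `props.conf` keys; the regex values are written for the rsyslog line layout visible in the question.

```ini
# Added example: props.conf stanza for the "snort" sourcetype seen in the question.
# Assumption: this file lives on the Splunk instance that parses the udp:6456 input.

[snort]
# Merging-prone behaviour (what a sourcetype without explicit settings inherits):
#   SHOULD_LINEMERGE = true
#   BREAK_ONLY_BEFORE_DATE = true
# With line merging on, Splunk decides event boundaries by timestamp recognition,
# and a line that carries two timestamps (the rsyslog header plus the original
# snort timestamp) can be folded into the previous event.

# Hardened: every newline is an event boundary, no merging heuristics at all.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Use the leading rsyslog header timestamp ("May 24 14:11:12") as _time and
# stop looking after 15 characters so the second, inner timestamp is ignored.
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

# Alternative (leave commented out unless the sensor's own clock is preferred):
# skip "May 24 14:11:12 10.40.36.208 " and read the snort timestamp that follows.
# TIME_PREFIX = ^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+
```

After changing `props.conf` the parsing tier has to be restarted (or the sourcetype reloaded), and only newly indexed events are affected; the already merged events stay as they are. Whichever timestamp is chosen for `_time`, the two on each line differ by about seven hours here, so the sensor and the rsyslog relay are either in different time zones or one clock is wrong; that is worth fixing at the source, because alert correlation in the SIEM depends on the time being trustworthy.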