Description
When enabling Preserve Original Event, the integration will not actually save the original event received by Filebeat. This is because the syslog processor changes the event while the message is being processed: only the message part of the log is saved, and the syslog headers are removed.

The solution is to add a `copy_fields` processor immediately before the syslog processor in the agent processor chain, copying `message` to `event.original` if Preserve Original Event was requested:

```yaml
processors:
  - add_locale: ~
{{#if preserve_original_event}}
  - copy_fields:
      fields:
        - from: message
          to: event.original
{{/if}}
  - syslog:
      field: message
      format: auto
      timezone: {{tz_offset}}
```

This affects the panw integration, but it would also affect any other integration that uses the syslog processor. The tcp and udp integrations also use the syslog processor as an option, but Preserve Original Event is not a feature of those integrations yet. That would have to be added as a new feature.
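To make the ordering problem concrete, here is an added example (not code from the issue or from the Elastic integrations repository) that simulates the processor chain in Python. The `syslog_processor` and `copy_fields` functions are deliberately minimal stand-ins for the Beats processors (RFC 3164 header only, a handful of ECS fields); the sample log line is constructed for the example. The "before" chain assumes the copy to `event.original` is taken only after the syslog processor has already rewritten `message`, which is the situation the issue describes; the "after" chain copies first, as in the proposed YAML.

```python
import re

# Constructed sample: an RFC 3164 syslog line as a firewall might send it.
SAMPLE_LINE = (
    "<134>Oct 11 22:14:15 fw01 panwlog[123]: "
    "1,2023/10/11 22:14:15,001801,TRAFFIC,end,10.0.0.5,8.8.8.8,allow"
)

# Minimal stand-in for the Beats syslog processor (RFC 3164 header only).
# The real processor handles RFC 5424, timezone handling, and far more.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def syslog_processor(event, field="message"):
    """Parse the syslog header found in `field` and, like the Beats processor
    the issue describes, leave only the message body in that field."""
    m = _RFC3164.match(event.get(field, ""))
    if not m:
        return event  # not a syslog line: pass the event through unchanged
    pri = int(m.group("pri"))
    event["log.syslog.priority"] = pri
    event["log.syslog.facility.code"] = pri >> 3
    event["log.syslog.severity.code"] = pri & 7
    event["host.hostname"] = m.group("host")
    event["process.name"] = m.group("proc")
    if m.group("pid"):
        event["process.pid"] = int(m.group("pid"))
    event[field] = m.group("msg")  # header stripped; only the body survives
    return event


def copy_fields(event, fields):
    """Stand-in for the Beats copy_fields processor: copy each `from` field
    to its `to` field when the source exists."""
    for spec in fields:
        if spec["from"] in event:
            event[spec["to"]] = event[spec["from"]]
    return event


def run_chain(raw_line, processors):
    """Feed a raw line through an ordered list of processors."""
    event = {"message": raw_line}
    for proc in processors:
        event = proc(event)
    return event


PRESERVE = [{"from": "message", "to": "event.original"}]


def broken_chain(raw_line):
    """Ordering the issue reports: the copy happens after the syslog
    processor has already replaced `message` with the body only."""
    return run_chain(raw_line, [
        lambda e: syslog_processor(e, "message"),
        lambda e: copy_fields(e, PRESERVE),
    ])


def fixed_chain(raw_line):
    """Proposed ordering: copy_fields runs immediately before syslog, so
    event.original holds the line exactly as Filebeat received it."""
    return run_chain(raw_line, [
        lambda e: copy_fields(e, PRESERVE),
        lambda e: syslog_processor(e, "message"),
    ])


if __name__ == "__main__":
    before = broken_chain(SAMPLE_LINE)
    after = fixed_chain(SAMPLE_LINE)
    print("broken event.original:", before["event.original"])
    print("fixed  event.original:", after["event.original"])
    print("parsed message:", after["message"])
```

Running the module shows that the broken ordering stores only the CSV body (headers, priority and hostname lost), while the fixed ordering stores the full `<134>...` line and still yields the same parsed `message` and syslog fields, so the fix costs nothing beyond the duplicated field.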