The solution is below, and I have this working in pfSense 2.1.
Go to Diagnostics -> Edit File, open file /etc/inc/filter.inc and change the following:
From: mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
To: mwexec_bg("/usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0 | /usr/bin/sed -l -e 'N;s/\n //;P;D;' | logger -t pf -p local0.info");
You have to reboot your pfSense to see the changes applied, and there are no more split lines!
My question now is: how to normalize it in Splunk?
NOTE: credit goes to: http://thwack.solarwinds.com/thread/54381
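The sed filter from the post can be checked offline before the firewall is touched. The script below is an added example, not part of the original post: it runs the same sed program over a constructed two-record sample and counts the continuation lines that remain. The function names (`sample_pflog`, `join_pflog`, `count_split`) and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample shaped like `tcpdump -v -e -ttt -i pflog0` output
# (not captured from a real firewall): each verbose record spans two
# lines, the second one indented.
sample_pflog() {
cat <<'EOF'
00:00:00.000000 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.51514 > 198.51.100.7.22: Flags [S], seq 1000, win 65535, length 0
00:00:01.250000 rule 5/0(match): block in on em0: (tos 0x0, ttl 128, id 4243, offset 0, flags [none], proto UDP (17), length 78)
    192.0.2.11.137 > 192.0.2.255.137: UDP, length 50
EOF
}

# Same sed program as in the post: N appends the next line, s removes the
# newline plus one leading space, P prints the first line of the pattern
# space, D deletes it and restarts. The BSD-only -l flag (line-buffered
# output) is left out so this also runs with GNU sed; keep it on pfSense.
join_pflog() {
    sed -e 'N;s/\n //;P;D;'
}

# Count lines that still begin with whitespace, i.e. continuation lines
# that were not merged into their record and would reach syslog on their own.
count_split() {
    grep -c '^[[:space:]]' || true
}

echo "split lines before: $(sample_pflog | count_split)"
echo "split lines after:  $(sample_pflog | join_pflog | count_split)"
sample_pflog | join_pflog
```

Each merged record keeps three of the four indent spaces between the header and the address pair, which any field extraction on the receiving side has to allow for.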