Ruggerfly1
Jul 16, 2016

APM HSL to ArcSight or Splunk

For those using HSL - we're on V11.5.3. Configured HSL to send the apmacl Filter to ArcSight and Splunk. Format is bsd-syslog. Raw data looks like the APM logs on the F5, but is there a better Format for groupings/collections to use for those tools? Options I saw were SYSLOG, Legacy BIG-IP or just send Raw remote HSL from the Publisher. SYSLOG uses multi-line versus placing all Session info on a single line, so it can be a bit disjointed. The goal would be to report on User authentication: Lockouts, bad passwords, Allowed Access. I have a logging box in APM that writes the Session ID and User ID - thought was "Session.user.sessionId is" could now be a pattern taking the actual session into a method to grab everything associated, and then pick out what's needed.

 

thank you!
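The session-ID correlation described in the post above, as an added example that is not part of the original post and not F5, ArcSight or Splunk code. The syslog lines are constructed and simplified rather than verbatim APM output, and the `user is` suffix and the outcome phrases are assumptions to replace with the strings your own policy logs.

```python
import re
from collections import defaultdict

# Constructed, simplified sample lines; NOT verbatim APM output.
SAMPLE = """\
Jul 16 10:00:01 bigip1 apd[4021]: a1b2c3d4: New session from client IP 192.0.2.10
Jul 16 10:00:02 bigip1 apd[4021]: a1b2c3d4: Session.user.sessionId is a1b2c3d4 user is jdoe
Jul 16 10:00:02 bigip1 apd[4021]: 9f8e7d6c: Session.user.sessionId is 9f8e7d6c user is asmith
Jul 16 10:00:03 bigip1 apd[4021]: a1b2c3d4: AD auth failed: bad password
Jul 16 10:00:04 bigip1 apd[4021]: 9f8e7d6c: Access policy result: allowed
Jul 16 10:00:05 bigip1 apd[4021]: 5555aaaa: Session.user.sessionId is 5555aaaa user is bjones
Jul 16 10:00:06 bigip1 apd[4021]: 5555aaaa: AD auth failed: account locked out
"""

# The marker text comes from the post; the "user is <id>" suffix is assumed.
ANCHOR = re.compile(r"Session\.user\.sessionId is (?P<sid>\w+) user is (?P<user>\S+)")

# Assumed phrases, checked in priority order (a lockout outranks a bad password).
OUTCOMES = [
    ("lockout", "locked out"),
    ("bad_password", "bad password"),
    ("allowed", "result: allowed"),
]


def correlate(text):
    """Group multi-line syslog by session ID and summarise each session."""
    lines = text.splitlines()
    # Pass 1: the logging-box line ties each session ID to a user.
    users = {m["sid"]: m["user"] for m in map(ANCHOR.search, lines) if m}
    # Pass 2: collect every line that mentions a known session ID.
    sessions = defaultdict(list)
    for line in lines:
        for sid in users:
            if re.search(rf"\b{re.escape(sid)}\b", line):
                sessions[sid].append(line)
    report = {}
    for sid, sess_lines in sessions.items():
        blob = " ".join(sess_lines).lower()
        outcome = next((n for n, phrase in OUTCOMES if phrase in blob), "unknown")
        report[sid] = {"user": users[sid], "outcome": outcome, "events": len(sess_lines)}
    return report


if __name__ == "__main__":
    for sid, info in correlate(SAMPLE).items():
        print(sid, info)
```

Sessions whose lines match none of the phrases are reported as `unknown` rather than dropped, so gaps in the phrase list show up in the report.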

 
