Issue parsing endpoint logs (CEF) when processed through rsyslog
We found that when collecting endpoint logs in CEF format through rsyslog, a space is getting added between "CEF:" and "0". This space breaks event parsing. We have only seen this with CEF formatted logs and it seems to be fixed on rsyslog 7 but we can't update to it currently.
May I suggest doing a simple change to transforms.conf to take into account if there's a space in there?
Just adding "\s?" to the REGEX option for the pan_endpoint entry in transforms.conf does the job, allowing events with or without the space to be parsed correctly:
```
[pan_endpoint]
DEST_KEY = MetaData:Sourcetype
# "\s?" tolerates the space rsyslog inserts after "CEF:"; the pipe is escaped so it matches literally
REGEX = ^[^|,]+ CEF:\s?0\|
FORMAT = sourcetype::pan:endpoint
```
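To see the effect of the proposed regex change outside Splunk, here is a small added example (not part of the issue or the add-on) that applies the original and patched REGEX patterns to two constructed syslog lines, one written directly and one with the extra space rsyslog inserts, and also normalizes the damaged header so downstream CEF field parsing sees a standard `CEF:0|` prefix. The sample lines, hostnames and CEF fields are made up for illustration.

```python
import re

# Constructed sample syslog lines (not taken from the issue). The second line
# reproduces the symptom described above: a space between "CEF:" and "0".
SAMPLES = {
    "direct": "Jan 10 12:00:00 esm-host CEF:0|Palo Alto Networks|Traps ESM|3.4|Agent|Agent Login|3|cs1=constructed",
    "rsyslog": "Jan 10 12:00:00 esm-host CEF: 0|Palo Alto Networks|Traps ESM|3.4|Agent|Agent Login|3|cs1=constructed",
}

# Assumed original pattern (pipe escaped so it matches literally) and the patched one.
ORIGINAL_REGEX = r"^[^|,]+ CEF:0\|"
PATCHED_REGEX = r"^[^|,]+ CEF:\s?0\|"

# Splunk drops a message into this regex only via a sourcetype-routing transform;
# this mimics that decision: match -> sourcetype pan:endpoint, otherwise untouched.
def route_sourcetype(line, regex=PATCHED_REGEX):
    return "pan:endpoint" if re.search(regex, line) else None


def compare_routing(samples=SAMPLES):
    """Return {name: (original_result, patched_result)} for each sample line."""
    return {
        name: (route_sourcetype(line, ORIGINAL_REGEX), route_sourcetype(line, PATCHED_REGEX))
        for name, line in samples.items()
    }


def normalize_cef_header(line):
    """Collapse 'CEF: 0|' back to 'CEF:0|' so a strict CEF parser sees the canonical prefix."""
    return re.sub(r"\bCEF:\s+0\|", "CEF:0|", line, count=1)


if __name__ == "__main__":
    for name, (orig, patched) in compare_routing().items():
        print(f"{name:8s} original={orig!s:14s} patched={patched}")
    print(normalize_cef_header(SAMPLES["rsyslog"]))
```

Running it shows the original pattern routing only the directly written line, while the patched pattern routes both; the normalizer is a belt-and-braces step for pipelines that still run a strict CEF parser after routing.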
That is extremely strange behavior from rsyslog, but since this change to transforms.conf doesn't affect non-rsyslog users, I see no reason why not. We'll test this for addition and if it checks out we'll include it in a release.
Thanks! -Brian
Great! We are currently using an override in local/transforms.conf, but having a permanent solution is always better.
This issue was really confusing, but Wireshark showed us that the events were going out correctly and, for a strange reason, were stored on disk via rsyslog with the added space.