
CEF parser doesn't handle extension field ending in an empty string

Open yrro opened this issue 1 month ago • 0 comments

If a CEF message field has zero-length and is the last field in the message, the CEF parser fails to parse the message:

$ cat cef.rulebase
rule=:%cef:cef%

$ cat cef-msg 
CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| field1=foo field2=bar field3=

$ < cef-msg lognormalizer -r cef.rulebase
{ "originalmsg": "CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| field1=foo field2=bar field3=", "unparsed-data": "CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| field1=foo field2=bar field3=" }

If I add a trailing space character to cef-msg (so that the = character is not the final character in cef-msg), the message parses OK:

$ < cef-msg lognormalizer -r cef.rulebase 
{ "cef": { "DeviceVendor": "My Vendor", "DeviceProduct": "My Product", "DeviceVersion": "My Version", "SignatureID": "blah", "Name": "My Activity", "Severity": "1", "Extensions": { "field1": "foo", "field2": "bar", "field3": " " } } }

yrro, Nov 25 '25 14:11
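As an added illustration (not liblognorm's code), here is a small Python CEF parser that splits the seven header fields and the key=value extensions, and treats a trailing `key=` as an empty-string value rather than a parse failure; the sample message is the one from this report, and the function names are my own.

```python
import json
import re

# A new extension key starts after whitespace and is followed by '='.
# Values may contain spaces, so this is the only way to tell keys apart.
_KEY_RE = re.compile(r"(?:^|\s+)([A-Za-z0-9_.\-]+)=")
_HEADER_NAMES = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity"]


def parse_extensions(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 k3=' into a dict; a trailing 'k3=' maps to ''."""
    ext = ext.strip()  # leading/trailing whitespace belongs to no value
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for i, m in enumerate(keys):
        start = m.end()  # value runs up to the next key (or end of string)
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        # CEF escapes '=' and '\' inside extension values
        result[m.group(1)] = re.sub(r"\\([=\\])", r"\1", ext[start:end])
    return result


def parse_cef(msg: str) -> dict:
    """Parse 'CEF:Version|Vendor|Product|Version|SigID|Name|Severity|ext'."""
    if not msg.startswith("CEF:"):
        raise ValueError("not a CEF message")
    # Split on '|' not preceded by a backslash: 7 header fields + extensions
    parts = re.split(r"(?<!\\)\|", msg[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 '|'-delimited fields")
    out = {"Version": parts[0]}
    for name, value in zip(_HEADER_NAMES, parts[1:7]):
        out[name] = re.sub(r"\\([|\\])", r"\1", value)  # unescape '\|' '\\'
    out["Extensions"] = parse_extensions(parts[7])
    return out


# Constructed sample: the message from this report, with a trailing 'field3='
SAMPLE = ("CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| "
          "field1=foo field2=bar field3=")

if __name__ == "__main__":
    print(json.dumps({"cef": parse_cef(SAMPLE)}))
```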