Graylog2 / graylog-plugin-cef

[DEPRECATED] CEF (Common Event Format) input plugin for Graylog
https://www.graylog.org/
Apache License 2.0

PA Traps CEF Format Anomaly #26

Closed jasonkeller closed 6 years ago

jasonkeller commented 6 years ago

Here is another non-working format that appears to be silently dropped on the floor due to their inclusion of the year in the header...

Jan 17 2018 15:05:27 10.2.103.26 CEF:0|Palo Alto Networks|Traps Agent|4.1.1.28779|Prevention Event|Threat|9|rt=Jan 17 2018 15:05:27 dhost=ago048 duser=BLAH\chewbach cs2Label=Module cs2=Local Analysis deviceProcessName=stikynot.exe fileHash=a8e28bd4f51d6d2b7a9ddb4e8220ff5c220007660f6edc7dbf8c6d81071386a9 cs3Label=ContentVersion cs3=28-2008 dvc=10.8.47.113 cs5Label=EventTime cs5=Jan 17 2018 15:05:24 msg=New prevention event. Prevention Key: 3bd9a290-08a5-45c8-adb4-3676ff04ce79
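To show concretely why the line above never makes it into Graylog, here is an added example (not the plugin's code and not posted by the issue author) that parses the syslog header and the CEF payload in Python. The strict pattern accepts only the RFC 3164 timestamp shape "Mmm dd hh:mm:ss" and returns None for the Traps line, which is the silent drop; the lenient pattern additionally tolerates the four-digit year Traps 4.1.1 inserts after the day. The regexes, the parser functions and the assume_year default are my own assumptions; the sample line is the one quoted in the comment, and the no-year variant is constructed from it.

```python
import re
from datetime import datetime

# Sample line exactly as quoted in the issue (constructed test input).
TRAPS_LINE = (
    r"Jan 17 2018 15:05:27 10.2.103.26 CEF:0|Palo Alto Networks|Traps Agent|"
    r"4.1.1.28779|Prevention Event|Threat|9|rt=Jan 17 2018 15:05:27 dhost=ago048 "
    r"duser=BLAH\chewbach cs2Label=Module cs2=Local Analysis "
    r"deviceProcessName=stikynot.exe "
    r"fileHash=a8e28bd4f51d6d2b7a9ddb4e8220ff5c220007660f6edc7dbf8c6d81071386a9 "
    r"cs3Label=ContentVersion cs3=28-2008 dvc=10.8.47.113 cs5Label=EventTime "
    r"cs5=Jan 17 2018 15:05:24 msg=New prevention event. "
    r"Prevention Key: 3bd9a290-08a5-45c8-adb4-3676ff04ce79"
)
# Same event with an RFC 3164 conformant header (year removed); constructed.
NO_YEAR_LINE = TRAPS_LINE.replace("Jan 17 2018 15:05:27 10.2", "Jan 17 15:05:27 10.2", 1)

# Strict RFC 3164 header: "Mmm dd hh:mm:ss host msg", day is space- or zero-padded.
STRICT_3164 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)
# Lenient variant (assumption): also accepts an optional four-digit year after the day.
LENIENT_3164 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]?\d(?: \d{4})? \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)


def parse_timestamp(ts, assume_year=2018):
    """Parse a header timestamp with or without a year.

    RFC 3164 carries no year, so the receiver has to supply one; assume_year
    stands in for "the year the collector thinks it is".
    """
    ts = " ".join(ts.split())  # collapse "Jan  7" style padding
    try:
        return datetime.strptime(ts, "%b %d %Y %H:%M:%S")
    except ValueError:
        return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=assume_year)


def parse_cef(body):
    """Split a CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension
    message. Pipes in the seven header fields may be escaped as \\|, so split on
    unescaped pipes only and stop after seven splits so the extension keeps its own.
    """
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields = re.split(r"(?<!\\)\|", body[len("CEF:"):], maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header: %d fields" % len(fields))
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    # Extension values may contain spaces (cs2=Local Analysis, rt=Jan 17 ...);
    # a value ends just before the next " key=" token or at end of string.
    # (Escaped "\=" inside values is not unescaped here.)
    extension = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext))
    return {
        "cef_version": version,
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": severity,
        "extension": extension,
    }


def parse_syslog_cef(line, strict=True, assume_year=2018):
    """Return the parsed event, or None when the syslog header does not match.

    Returning None is the behaviour the issue describes: a header the input
    does not recognise means the whole message is discarded.
    """
    m = (STRICT_3164 if strict else LENIENT_3164).match(line)
    if m is None:
        return None
    event = parse_cef(m.group("body"))
    event["host"] = m.group("host")
    event["timestamp"] = parse_timestamp(m.group("ts"), assume_year)
    return event


if __name__ == "__main__":
    print("strict on Traps line :", parse_syslog_cef(TRAPS_LINE, strict=True))
    print("lenient on Traps line:", parse_syslog_cef(TRAPS_LINE, strict=False)["timestamp"])
    print("strict on fixed line :", parse_syslog_cef(NO_YEAR_LINE, strict=True)["timestamp"])
```

Note that the year also appears inside the CEF extension (rt=, cs5=); those are just extension strings and do not affect whether the message is accepted. Only the syslog header in front of "CEF:" decides that.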
jasonkeller commented 6 years ago

FYI I have an open case with Palo Alto support, and it appears they are looking into correcting this so they are no longer in violation of RFC 3164 for timestamp formatting.

It took two-plus weeks and pushing through two different engineers, after having provided crystal-clear documentation as to what was wrong and refuting erroneous assertions foisted back at us, but here we are.

The Engineering team has identified a gap in our formatting based on your notes. They are actively researching the correction to the formatting, and any other ramifications that it will cause for other portions of the software.

jasonkeller commented 6 years ago

Update from Palo Alto GTAC:

I was informed that in version 4.1.4, adjustments were made to standardize our CEF logs. No effect on the core code was found with these changes, and implementation has been completed. 4.1.4 should be in QA shortly.

jasonkeller commented 6 years ago

Version 4.1.4+ should now have all requisite fixes and has been released. This can be closed now.