Hello Rainer,
Could you please consider merging this PR? All CEF logs I've seen so far do not have a space before the first extension key. Also I could not find a spec stating that there MUST be a space between the last '|' from the header part and the first extension key name, though leading spaces are okay.
Sample log:
CEF:0|FORCEPOINT|Firewall|1.2.3|1234|FW_Related-Connection|0|in=0 out=52 app=TCP/12345 rt=Jan 30 2020 04:47:01 deviceFacility=Packet Filtering act=Allow deviceInboundInterface=0,0 proto=6 dpt=12345 spt=12 dst=1.2.3.4 src=4.3.2.1 dvchost=9.8.7.6 dvc=9.8.7.6 deviceExternalId=FW-ACME node 1 cs1Label=RuleID cs1=2100123.1 cs2Label=NatRuleId cs2=8123.3
This patch breaks a test, although I reckon this test case should be invalid.
Regards, Julien
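An added illustration, not part of the post above and not the project's own code: a minimal Python CEF parser that accepts the extension with or without a space after the last header '|', and keeps values that contain spaces. The function names and the header field labels are hypothetical; the sample is the post's record, shortened.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
# A key is a word at the start of the extension or after whitespace, followed
# by '='. An escaped '\=' inside a value never matches: '\' is not a word char.
_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")

def _split_header(text):
    """Split off the 7 '|'-terminated header fields; honour '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] in ("\\", "|"):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, text[i:]

def parse_extension(ext):
    """Parse 'k=v k2=v with spaces'; spaces before the first key are optional."""
    ext = ext.lstrip(" ")
    keys = list(_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].rstrip(" ")
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return out

def parse_cef(line):
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF prefix")
    fields, rest = _split_header(line[start + 4:])
    if len(fields) != 7:
        raise ValueError("incomplete CEF header")
    return dict(zip(HEADER, fields)), parse_extension(rest)

# Sample record from the post above, shortened.
SAMPLE = ("CEF:0|FORCEPOINT|Firewall|1.2.3|1234|FW_Related-Connection|0|"
          "in=0 out=52 rt=Jan 30 2020 04:47:01 deviceFacility=Packet Filtering "
          "deviceExternalId=FW-ACME node 1 cs1Label=RuleID cs1=2100123.1")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```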