Open klasen opened 2 years ago
Hello, this pull request should fix it, but I am not sure it still applies on master because there was another change merged since, for another bug in the CEF parser: rsyslog/liblognorm#331
Just noticed this issue and can confirm it's still present in v2.0.6. E.g.

```
echo 'CEF:0|Vendor|Product|Version|Signature ID|some name|Severity|aa=field1 bb=this is a value cc=field 3' | lognormalizer -e json -r cef.rulebase | jq
```

produced `a` instead of `aa` for the first field name:

```json
{
  "extra": "",
  "cef": {
    "DeviceVendor": "Vendor",
    "DeviceProduct": "Product",
    "DeviceVersion": "Version",
    "SignatureID": "Signature ID",
    "Name": "some name",
    "Severity": "Severity",
    "Extensions": {
      "a": "field1",
      "bb": "this is a value",
      "cc": "field 3"
    }
  }
}
```
Note this has been fixed in commit 6e6a50b "FIX CEF PARSER:" by Emile Duquennoy, and it has been merged into master. This issue should be closed.
If there is no space between the last header delimiter `|` and the first extension key name, lognorm swallows the first character of the key.

input (sample from ArcSight Common Event Format (CEF) - Version 26):

actual result: `rc`

expected result: `src`

log:
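For reference, here is an added example of how a CEF line can be parsed so that the edge case described in this issue (no space after the seventh `|`) and the repro in the v2.0.6 comment both come out right. This is illustrative code written for this page, not liblognorm's parser or its rulebase; the field names follow the `cef` object in the lognormalizer output above, and the sample lines, including the escaped-pipe one, are constructed. The extension block is located by splitting on the seventh unescaped `|` and then stripping optional leading whitespace, rather than skipping a fixed single character, so `Severity|aa=` and `Severity| aa=` yield the same first key.

```python
"""Parse a CEF (Common Event Format) line into header fields and extensions.

Added example, not liblognorm's code. The extension block is located by
splitting on the seventh unescaped '|' and stripping optional leading
whitespace, so the first key is read in full whether or not a space follows
the last header delimiter.
"""
import json
import re
from typing import Dict

# Header field names in the order they appear after "CEF:<version>".
HEADER_FIELDS = (
    "DeviceVendor", "DeviceProduct", "DeviceVersion",
    "SignatureID", "Name", "Severity",
)

# A '|' that is not preceded by a backslash (header fields may contain '\|').
_PIPE_RE = re.compile(r"(?<!\\)\|")
# An extension key: at the start of the block or after whitespace, made of
# characters other than whitespace, '=' and backslash, terminated by '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([^\s=\\]+)=")
# CEF escape sequences; any other escaped character stands for itself.
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text: str) -> str:
    """Resolve CEF escapes such as '\\|', '\\=', '\\\\', '\\n'."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def parse_extensions(block: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...' where values may themselves contain spaces.

    Each value runs from its '=' up to the next token that looks like a key
    (whitespace, then non-space characters, then '='), which is why
    'bb=this is a value' is kept whole and 'url=http://h/?b=c' is not split.
    """
    keys = list(_KEY_RE.finditer(block))
    result: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(block)
        result[m.group(1)] = _unescape(block[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into a dict shaped like lognormalizer's 'cef' object."""
    parts = _PIPE_RE.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: expected 'CEF:<version>' and seven '|'")
    record: Dict[str, object] = {"CEFVersion": parts[0][len("CEF:"):]}
    for name, raw in zip(HEADER_FIELDS, parts[1:7]):
        record[name] = _unescape(raw)
    # lstrip() tolerates both 'Severity|aa=' and 'Severity| aa='; skipping a
    # fixed single character here is what would eat the first 'a' of 'aa'.
    record["Extensions"] = parse_extensions(parts[7].lstrip())
    return record


if __name__ == "__main__":
    # Constructed sample with the same shape as the line in the issue.
    sample = ("CEF:0|Vendor|Product|Version|Signature ID|some name|Severity|"
              "aa=field1 bb=this is a value cc=field 3")
    print(json.dumps(parse_cef(sample), indent=2))
```

Running the module prints the parsed record for the constructed sample; `parse_cef` raises `ValueError` for lines that do not carry the `CEF:` prefix and seven unescaped delimiters, so malformed input is rejected rather than mis-keyed.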