
Did CEF parsing break in 10.6.5?

Question asked by David Waugh on Feb 8, 2018
Latest reply on Mar 21, 2018 by Emmanuele La Porta

We have just upgraded to 10.6.5 and CEF parsing seems to have stopped working.

I used to send ESA alerts as syslog to our log decoder and the CEF messages would then get parsed.

The message was created with the following template.


<#include "macros.ftl"/>
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>
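A parser for the kind of CEF line this template produces, added here as an example that is not part of the original thread and not RSA's decoder code: it splits the seven pipe-delimited header fields (honouring the `\|` escape), then the key=value extension pairs (honouring `\=`), and rejects a non-zero version or a severity outside 0-10. The sample line and all its values are constructed.

```python
import re

# Constructed sample, modelled on what the FreeMarker template above emits.
# Values are invented; the escaped pipe and "=" exercise the CEF escaping rules.
SAMPLE = ("CEF:0|RSA|Security Analytics ESA|10.4|Login Failure \\| Threshold|"
          "AuthModule|7|rt=Feb 8, 2018 10:15:03 AM id=42 source=10.0.0.5 "
          "user=alice host=web\\=01 msg=failed login")

HEADER = ["version", "vendor", "product", "device_version",
          "signature_id", "name", "severity"]

def split_header(line):
    """Return the seven pipe-delimited header fields and the remaining extension
    string.  A backslash escapes the next character, so "\\|" is a literal pipe."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, buf, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < len(HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != len(HEADER):
        raise ValueError("expected 7 header fields, got %d" % len(fields))
    return dict(zip(HEADER, fields)), line[i:]

# key=value pairs; a value runs until the next " key=" or end of line, and a
# literal "=" inside a value must be escaped as "\=".
_EXT = re.compile(r"([^\s=\\]+)=(.*?)(?=\s+[^\s=\\]+=|\s*$)")

def parse_extension(ext):
    return {k: v.replace("\\=", "=").replace("\\\\", "\\")
            for k, v in _EXT.findall(ext)}

def parse_cef(line):
    """Parse one CEF line into header and extension dicts, checking the fields a
    decoder would reject: version must be 0, severity an integer 0-10."""
    header, ext = split_header(line.rstrip("\r\n"))
    if header["version"] != "0":
        raise ValueError("unsupported CEF version %r" % header["version"])
    if not header["severity"].isdigit() or not 0 <= int(header["severity"]) <= 10:
        raise ValueError("severity must be an integer 0-10, got %r" % header["severity"])
    return header, parse_extension(ext)
```

Running `parse_cef` over a few lines captured at the log decoder is a quick way to see whether the messages themselves are well-formed CEF before looking at the decoder side.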
