We have just upgraded to 10.6.5 and CEF parsing seems to have stopped working.
I used to send ESA alerts as syslog to our log decoder and the CEF messages would then get parsed.
The message was created with the following template.
<#include "macros.ftl"/>
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>
Thanks Eric. I can see the log Message in the investigation GUI. It just isnt parsed. it comes up as device type CEF. I have a parser IP binding on the log decoder for the ESa IP with the order cef,rsasecurityanalytics,rhlinux.
I changed the template to the default Syslog Template for ESA and the result was the same. The device type of the message was CEF rather than the cef parser derived device type from the message.
This was all working before the 10.6.5 upgrade so I think 10.6.5 has broken something.
Does seem like a defect, i wonder if somehow the cef, in the device parser override is taking that literally and not letting CEF create the device.type and using that string literally.
Open a defect
Confirmed as a bug and reproduced by support. How did this get through testing?
We have just finished testing this as customers and it failed the Alpha testing. They had to release the software first, so that customers could grab and test it.
Unfortunately when it comes to Netwitness Upgrades I sometimes feel this is like Russian Roulette. I always have to think in the back of my mind "What will break this time?"
If it worked before the upgrade it should work after the upgrade.
Come on RSA you can do better testing than this!
What's the support case number? We're using 10.6.5 with CEF parser (have some customization), but testing result it's ok. So only the ESA CEF alert issue? Or issue with all the CEF logs?
Hello support case number is 01117016.
If your device is 1.2.3.4 and you have parser mapping linked to device 1.2.3.4 then CEF parsing wont work.
Hello David,
mapping CEF parser with an IP in 10.6.5 brakes the CEF parser, not just the device.type but all the variables from the template are affected.
The temporary solution is to REMOVE the link between all the CEF device type linked to the ips
Regards Emmanuele
does the alert fire a syslog message but not get parsed or did the template not fire and no syslog message was sent?
can you tcpdump during a test fire of the rule and check the esa logs to see if for some reason the template options changed in freemarker and broke your template.