We have just upgraded to 10.6.5 and CEF parsing seems to have stopped working.
I used to send ESA alerts as syslog to our log decoder and the CEF messages would then get parsed.
The message was created with the following template.
<#include "macros.ftl"/>
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>
Does the alert fire a syslog message but not get parsed, or did the template not fire and no syslog message was sent?
Can you tcpdump during a test fire of the rule and check the ESA logs to see if for some reason the template options changed in FreeMarker and broke your template?
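
To go with the capture suggested above, here is an added example (not part of the thread and not RSA code) that checks a captured syslog payload for the structural problems a broken template would produce. The sample payloads are constructed, and the checks assume the generic CEF layout of seven pipe-delimited header fields followed by key=value extensions, not the log decoder's actual parser.

```python
import re

# Assumption: generic CEF layout, not the log decoder's own parsing rules.
PIPE = re.compile(r'(?<!\\)\|')                      # header separator: unescaped pipe
EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.-]+)=')  # extension key before '='
HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
TEMPLATE_KEYS = ("rt", "id", "source")  # keys the template in this thread always emits

def check_cef(payload):
    """Return (header, extensions, problems) for one captured syslog payload."""
    start = payload.find("CEF:")
    if start < 0:
        return {}, {}, ["no CEF: marker in payload"]
    problems = []
    # Leftover template syntax means FreeMarker did not render the template.
    if any(tok in payload for tok in ("${", "<#", "<@")):
        problems.append("unrendered FreeMarker markup in output")
    parts = PIPE.split(payload[start + 4:], maxsplit=7)
    if len(parts) < 8:
        problems.append("header truncated: %d of 7 pipes found" % (len(parts) - 1))
        return {}, {}, problems
    header = dict(zip(HEADER, parts[:7]))
    problems += ["empty header field: " + k for k, v in header.items() if not v.strip()]
    ext_raw, extensions = parts[7], {}
    keys = list(EXT_KEY.finditer(ext_raw))
    # Each value runs from its '=' to the start of the next key, so spaces survive.
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_raw)
        extensions[m.group(1)] = ext_raw[m.end():end].strip()
    problems += ["missing or empty extension key: " + k
                 for k in TEMPLATE_KEYS if not extensions.get(k)]
    return header, extensions, problems

# Constructed sample payloads (not taken from a real capture).
GOOD = ("<13>Jan 12 10:00:00 esa01 CEF:0|RSA|Security Analytics ESA|10.4|Module_1|"
        "Failed Logins|7|rt=Jan 12, 2016 10:00:00 AM id=abc-123 "
        "source=10.0.0.5:50005:1234 ip_src=192.0.2.10 user_dst=alice")
UNRENDERED = ("<13>Jan 12 10:00:00 esa01 CEF:0|RSA|Security Analytics ESA|10.4|"
              "${statement}|${moduleName}|${severity}|rt=${time?datetime} id= source=")
TRUNCATED = "<13>Jan 12 10:00:00 esa01 CEF:0|RSA|Security Analytics ESA|10.4|Module_1"

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("unrendered", UNRENDERED), ("truncated", TRUNCATED)):
        print(name, check_cef(msg)[2] or "OK")
```

If the payload seen in the capture passes these checks, the template rendered and the problem is more likely on the parsing side; if it fails, the ESA logs are the place to look for the rendering error.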