diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl b/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
index f64258e..f6c07fb 100644
--- a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
+++ b/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
@@ -1,6 +1,6 @@
 
 filter f_cef {
-    message('(<\d*>)1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)
+    message('(<\d*>)?1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)
     );
 };
 filter f_iscef {