From 65d0930acb686634bd91239491ea78867c9c0118 Mon Sep 17 00:00:00 2001
From: mbonsack <mbonsack@splunk.com>
Date: Fri, 7 Aug 2020 17:25:59 -0700
Subject: [PATCH] CEF:  Imperva WAF timestamp parsing (#624)

* CEF:  Imperva WAF timestamp parsing fix
---
 .../log_paths/lp-common_event_format.conf.tmpl       | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index 65486fe..506aeba 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -16,12 +16,20 @@ parser p_cef_header {
 };
 
 parser p_cef_ts_rt {
-    date-parser-nofilter(format('%s.%f','%s')
+    date-parser-nofilter(format(
+                '%s.%f',
+                '%s',
+                '%b %d %H:%M:%S',
+                '%b %d %Y %H:%M:%S')
                 template("${.cef.rt}")
     );
 };
 parser p_cef_ts_end {
-    date-parser-nofilter(format('%s.%f','%s')
+    date-parser-nofilter(format(
+                '%s.%f',
+                '%s',
+                '%b %d %H:%M:%S',
+                '%b %d %Y %H:%M:%S')
                 template("${.cef.end}")
     );
 };