[filtermod] Update CEF Parser (#636)

* Update CEF Parser

* Update CEF parser to use standard 3164 parsing
* [filtermod] [breaking] Change indexed field `sc4s_cef_version` to `cef_version` to align with other CEF indexed fields
* [filtermod] [breaking] Change value of `sc4s_syslog_format` from `cef` to `CEF` (it is an acronym)
* Fix minor but in Imperva WAF test

* Update templates.conf

Co-authored-by: rfaircloth-splunk <rfaircloth@splunk.com>

package/etc/conf.d/conflib/_common/templates.conf

@@ -39,7 +39,7 @@ template t_everything {
 # ===============================================================================================
 
 template t_cef_hdr_msg {
-        template("${3}");
+        template("$(strip $MESSAGE )");
         };
 
 # ===============================================================================================

package/etc/conf.d/filters/common_event_format/cef.conf

@@ -0,0 +1,3 @@
+filter f_cef {
+    program("CEF");
+};

package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl

@@ -5,8 +5,9 @@
 
 parser p_cef_header {
     csv-parser(
-        columns("fields.sc4s_cef_version", "fields.cef_device_vendor", "fields.cef_device_product", "fields.cef_device_version", "fields.cef_device_event_class", "fields.cef_name", "fields.cef_severity", MESSAGE)
+        columns("fields.cef_version", "fields.cef_device_vendor", "fields.cef_device_product", "fields.cef_device_version", "fields.cef_device_event_class", "fields.cef_name", "fields.cef_severity", MESSAGE)
         delimiters(chars("|"))
+        template(t_legacy_hdr_msg)
         flags(strip-whitespace, escape-none, greedy)
     );
 
@@ -55,13 +56,14 @@ log {
         channel {
         # Listen on the default port (typically 514) for CEF traffic
             source (s_DEFAULT);
-            filter(f_iscef);
+            filter(f_cef);
             flags(final);
         };
     };
 
     rewrite {
         r_set_splunk_dest_default(sourcetype("cef"))
+        set("CEF" value("fields.sc4s_syslog_format"));
     };
 
     parser (p_cef_header);

package/etc/go_templates/source_network.t

@@ -184,10 +184,6 @@ source s_{{ .port_id }} {
             filter(f_f5_bigip_irule);
             parser(p_f5_bigip_irule);
             rewrite(set_rfc3164);
-        } elif {
-            filter(f_cef);                        
-            rewrite(set_cef_syslog);            
-            parser(p_cef);
         } elif {
             #JSON over IP its not syslog but it can work
             filter { message('^{') and message('}$') };

tests/test_imperva_waf.py

@@ -92,7 +92,7 @@ def test_imperva_waf_firewall(record_property, setup_wordlist, get_host_key, set
     epoch = epoch[:-7]
 
     mt = env.from_string(
-        '{{ bsd }}{{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description')
+        '{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description')
     message = mt.render(bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])