diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index 92fb5f0..7396617 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -39,7 +39,7 @@ template t_everything {
 # ===============================================================================================
 template t_cef_hdr_msg {
- template("${3}");
+ template("$(strip $MESSAGE )");
 };
 # ===============================================================================================
diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf b/package/etc/conf.d/filters/common_event_format/cef.conf
new file mode 100644
index 0000000..0369c79
--- /dev/null
+++ b/package/etc/conf.d/filters/common_event_format/cef.conf
@@ -0,0 +1,3 @@
+filter f_cef {
+ program("CEF");
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl b/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
deleted file mode 100644
index f6c07fb..0000000
--- a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
+++ /dev/null
@@ -1,20 +0,0 @@
-
-filter f_cef {
- message('(<\d*>)?1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)
- );
-};
-filter f_iscef {
- match("cef" value("fields.sc4s_syslog_format"))
-};
-rewrite set_cef_syslog {
- set("$1" value(".PRI"));
- set("$2" value(".CEFHEADER"));
- set("$3" value("MSG"));
- set("cef" value("fields.sc4s_syslog_format"));
-};
-parser p_cef {
- syslog-parser(
- template("${.PRI}${.CEFHEADER} CEF: ${MSG}")
- flags(guess-timezone,assume-utf8,{{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
- );
-};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index 506aeba..ae446ee 100644
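Review bot: `$(strip $MESSAGE )` carries a stray space before the closing parenthesis inside the template string; `template("$(strip $MESSAGE)");` is the conventional form and spares a reader wondering whether that space is significant. With this change t_cef_hdr_msg no longer yields the third store-matches capture but the whole stripped MESSAGE, while the CEF csv-parser in lp-common_event_format.conf.tmpl in this same commit is given template(t_legacy_hdr_msg) rather than t_cef_hdr_msg — it is worth confirming t_cef_hdr_msg still has a consumer, or adding a one-line comment above the template naming the parser it serves.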
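Review bot: `program("CEF")` in the new f_cef filter is a regular-expression match that is not anchored, so any PROGRAM value merely containing the substring CEF would also be routed down the CEF path; `program("^CEF$");` pins it to the exact program name, or `program("CEF" type(string));` if plain string comparison is preferred. The file is also committed without a trailing newline (`\ No newline at end of file`) — add one. Unlike the removed regex filter, this relies on the syslog parser having already split PROGRAM from the message, so a payload where `CEF:0|` is not preceded by a parsable header is presumably no longer detected; if that is intended, a comment such as `# matches only when the syslog header parsed and PROGRAM is exactly "CEF"` in the filter would record the requirement.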
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -5,8 +5,9 @@ parser p_cef_header {
 csv-parser(
- columns("fields.sc4s_cef_version", "fields.cef_device_vendor", "fields.cef_device_product", "fields.cef_device_version", "fields.cef_device_event_class", "fields.cef_name", "fields.cef_severity", MESSAGE)
+ columns("fields.cef_version", "fields.cef_device_vendor", "fields.cef_device_product", "fields.cef_device_version", "fields.cef_device_event_class", "fields.cef_name", "fields.cef_severity", MESSAGE)
 delimiters(chars("|"))
+ template(t_legacy_hdr_msg)
 flags(strip-whitespace, escape-none, greedy)
 );
@@ -55,13 +56,14 @@ log {
 channel {
 # Listen on the default port (typically 514) for CEF traffic
 source (s_DEFAULT);
- filter(f_iscef);
+ filter(f_cef);
 flags(final);
 };
 };
 rewrite {
 r_set_splunk_dest_default(sourcetype("cef"))
+ set("CEF" value("fields.sc4s_syslog_format"));
 };
 parser (p_cef_header);
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index 8a9408c..af5c126 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
@@ -184,10 +184,6 @@ source s_{{ .port_id }} {
 filter(f_f5_bigip_irule);
 parser(p_f5_bigip_irule);
 rewrite(set_rfc3164);
- } elif {
- filter(f_cef);
- rewrite(set_cef_syslog);
- parser(p_cef);
 } elif {
 #JSON over IP its not syslog but it can work
 filter { message('^{') and message('}$') };
diff --git a/tests/test_imperva_waf.py b/tests/test_imperva_waf.py
index fa051f2..55527ad 100644
--- a/tests/test_imperva_waf.py
+++ b/tests/test_imperva_waf.py
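Review bot: renaming the first csv column from `fields.sc4s_cef_version` to `fields.cef_version` changes an indexed field name that existing searches, props/transforms and dashboards may reference, and nothing in the hunk keeps the old name or records the change; either emit `fields.sc4s_cef_version` alongside for a deprecation period or note the rename in the changelog and release notes. `template(t_legacy_hdr_msg)` references a template not defined anywhere in this commit, while the sibling templates.conf hunk rewrites t_cef_hdr_msg — confirm t_legacy_hdr_msg exists and that it, rather than t_cef_hdr_msg, is what the CEF parser should consume. The parser block p_cef_header opens before this hunk and its closing line is not visible here.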
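Review bot: `set("CEF" value("fields.sc4s_syslog_format"));` writes the marker in upper case, whereas the removed rewrite set_cef_syslog stored `"cef"` and the removed f_iscef filter matched on that lower-case value, so anything downstream still comparing fields.sc4s_syslog_format against "cef" will stop matching; keep `set("cef" value("fields.sc4s_syslog_format"));` or document the case change. The added line follows `r_set_splunk_dest_default(sourcetype("cef"))`, which has no `;` of its own, so whether the rewrite block still parses depends on that block's expansion ending in a terminator — worth a `syslog-ng -s` syntax check before merge. With the f_cef elif branch deleted from source_network.t in this commit, `filter(f_cef)` on s_DEFAULT appears to be the only remaining CEF detection; if CEF on custom-port listeners is intentionally dropped, say so in the comment above `source (s_DEFAULT);`. The enclosing log block starts before this hunk and continues past it.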
@@ -92,7 +92,7 @@ def test_imperva_waf_firewall(record_property, setup_wordlist, get_host_key, set
 epoch = epoch[:-7]
 mt = env.from_string(
- '{{ bsd }}{{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description')
+ '{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description')
 message = mt.render(bsd=bsd, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
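Review bot: inserting a space between `{{ bsd }}` and `{{ host }}` makes the fixture fit the new program("CEF")-based detection rather than asserting the behaviour change; the previous input, with no separator before the hostname, was presumably accepted by the removed regex filter, so the edit hides a narrowing of what is detected instead of covering it. Keep the old framing as a second case — either asserting it is still classified as CEF if that is intended, or asserting it falls through to the fallback sourcetype so the regression is pinned — and add a comment on the fixture line such as `# CEF detection now requires a parsable syslog header with a separated hostname`. The enclosing test_imperva_waf_firewall starts before this hunk and its assertions lie outside it.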