Improve CEF parsing

Use a custom parser to better handle the various sources which have unique ways of sending non standard data
CSVD · Apr 17, 2020 · 965e933 · 965e933
1 parent 0c594d1
commit 965e933
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 8 deletions.
diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf b/package/etc/conf.d/filters/common_event_format/cef.conf
diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl b/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
@@ -0,0 +1,20 @@
+
+filter f_cef {
+    message('(<\d*>)1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)
+    );
+};
+filter f_iscef {
+    match("cef" value("fields.sc4s_syslog_format"))
+};
+rewrite set_cef_syslog {
+    set("$1" value(".PRI"));
+    set("$2" value(".CEFHEADER"));
+    set("$3" value("MSG"));
+    set("cef" value("fields.sc4s_syslog_format"));
+};
+parser p_cef {
+    syslog-parser(
+        template("${.PRI}${.CEFHEADER} CEF: ${MSG}")
+        flags(guess-timezone,assume-utf8,{{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
+    );
+};
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -48,8 +48,7 @@ log {
         channel {
         # Listen on the default port (typically 514) for CEF traffic
             source (s_DEFAULT);
-            filter(f_is_rfc3164);
-            filter(f_cef);
+            filter(f_iscef);
             flags(final);
         };
     };
@@ -71,7 +70,8 @@ log {
         parser (p_cef_ts_rt);
     } elif {
         parser (p_cef_ts_end);
-    } else {}; #Do nothing this is allows for both rt and end to be missing and still pass with the message ts
+    } else {
+    }; #Do nothing this is allows for both rt and end to be missing and still pass with the message ts
 
     #CEF TAs use the source as their bounds in props.conf
     parser(p_cef_source);
@@ -85,7 +85,7 @@ log {
     #We want to unset the fields we won't need, as this is copied into the
     #disk queue for network destinations. This can be very disk expensive
     #if we don't
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); };
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CEF_HEC" "no")) }}
     destination(d_hec);

diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
@@ -127,6 +127,10 @@ source s_{{ .port_id }} {
             filter(f_f5_bigip_irule);
             parser(p_f5_bigip_irule);
             rewrite(set_rfc3164);
+        } elif {
+            filter(f_cef);                        
+            rewrite(set_cef_syslog);            
+            parser(p_cef);
         } elif {
             #JSON over IP its not syslog but it can work
             filter { message('^{') and message('}$') };