From cdb3ee29955819e5faad78fbf509bd435e6b149a Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Mon, 17 Aug 2020 11:57:34 -0400
Subject: [PATCH] [filtermod] Correct location of cef template (#640)
---
 package/etc/conf.d/conflib/_common/templates.conf | 8 --------
 .../etc/conf.d/log_paths/lp-common_event_format.conf.tmpl | 8 ++++++++
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index 7396617..4c08c89 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -34,14 +34,6 @@ template t_everything {
 template("${ISODATE} ${HOST} ${LEGACY_MSGHDR}${MESSAGE}");
 };
 
-# ===============================================================================================
-# CEF Header with message; useful for common event format (CEF)
-# ===============================================================================================
-
-template t_cef_hdr_msg {
- template("$(strip $MESSAGE )");
- };
-
 # ===============================================================================================
 # Message Header with Message; for Palo Alto
 # ===============================================================================================
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index ae446ee..64c1f29 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -44,6 +44,14 @@ parser p_cef_class {
 );
 };
 
+# ===============================================================================================
+# CEF Header with message; useful for common event format (CEF)
+# ===============================================================================================
+
+template t_cef_hdr_msg {
+ template("$(strip $MESSAGE )");
+ };
+
 log {
 junction {
 {{- if or (or (getenv (print "SC4S_LISTEN_CEF_TCP_PORT")) (getenv (print "SC4S_LISTEN_CEF_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CEF_TLS_PORT")) }}
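Review bot: The relocated `t_cef_hdr_msg` definition (the eight added lines ahead of `log {`) now exists only when this log-path file is rendered and included, and nothing in the hunk records that constraint. If any other log path or destination still refers to the name, syslog-ng may treat the unresolved name as an inline template string rather than fail to load (my recollection of its behaviour, to be confirmed), which would silently replace CEF event bodies with literal text and degrade downstream detection; a search of the tree for remaining references is worth doing before merge. The banner comment was copied unchanged and still reads "CEF Header with message", while the body emits only `$(strip $MESSAGE )`; if the intent is as the commit subject suggests, I would reword it to `# Stripped MESSAGE only; defined here because only the CEF log path uses it`. The `log { junction {` block that follows continues outside the hunk.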