Having issues parsing time in CEF

Hi all,

I'm ingesting ExtraHop Reveal X https://www.extrahop.com/products/security/ logs using Fleet Managed Elastic Agent Integration "CEF" using the SYSLOG input over UDP.

Most of the fields are being extracted correctly, except the fields "rt", "start" and "end".

Error Message:

"error in field 'end': value is not a valid timestamp"
"error in field 'rt': value is not a valid timestamp"
"error in field 'start': value is not a valid timestamp"

Sample Event:

<14>2021-11-19T20:28:16.012Z noname.no-name-company.org CEF:0|ExtraHop|Reveal(x)|7.8|1|VPN Client Data Exfiltration|6|cn1=25769823408 cn1Label=detectionID cn2=65 cn2Label=riskScore cs1=https://imaginary-company.cloud.extrahop.com/extrahop/#/detections/detail/25769823408 cs1Label=detectionURL cs2=sec,sec.action,sec.exfil cs2Label=category rt=2021-11-19T20:00:00.000Z end=2021-11-19T19:41:30.000Z start=2021-11-19T19:40:00.001Z src=10.54.10.60 dst=00:50:56:B9:7E:52 msg=[dl1c34430.imaginary-company.org](#/metrics/devices/7e2dff4fa4dc4e58889e0f0399974a66.fff4380a4a0a0000/overview?from\=1637350800&interval_type\=DT&until\=1637350890) received an unusual amount of data from internal resources.\n\nThe VPN client received:\n* 1.5GB from `10.210.3.216` over HTTP\n\n

As shown in the above sample event, the fields rt=2021-11-19T20:00:00.000Z end=2021-11-19T19:41:30.000Z start=2021-11-19T19:40:00.001Z are in the format yyyy-MM-dd'T'HH:mm:ss.SSSZ.

I tried to use the following time formats for these field names in the "Component Templates", but the issue persists.

yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
yyyy-MM-dd'T'HH:mm:ss.SSS'X'
yyyy-MM-dd'T'HH:mm:ss.SSSZ
yyyy-MM-dd'T'HH:mm:ss.SSSX

Any help would be greatly appreciated.
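As an added example (not code from the post, from Elastic or from ExtraHop), here is a small Python parser for this kind of syslog-wrapped CEF line: it splits the header on unescaped pipes, tokenises the extension while honouring the `\=` and `\n` escapes visible in the sample, and normalises rt/start/end, accepting epoch milliseconds and the `MMM dd yyyy HH:mm:ss` form the CEF specification defines alongside the ISO 8601 `...Z` form ExtraHop emits. The sample event is a constructed trim of the one quoted above; treating zone-less CEF times as UTC is an assumption. A field that fails every form is reported with the same wording as the errors in the post instead of aborting the whole event.

```python
"""Added example (not from the post, Elastic or ExtraHop): parse a CEF
syslog line and normalise the rt/start/end timestamps, accepting the
ISO 8601 form ExtraHop emits alongside the formats the CEF spec defines."""
import re
from datetime import datetime, timezone

# Constructed sample: the event quoted in the post with the msg trimmed; the
# literal backslash escapes (\=, \n) are kept exactly as they appear on the wire.
SAMPLE_EVENT = (
    "<14>2021-11-19T20:28:16.012Z noname.no-name-company.org "
    "CEF:0|ExtraHop|Reveal(x)|7.8|1|VPN Client Data Exfiltration|6|"
    "cn1=25769823408 cn1Label=detectionID cn2=65 cn2Label=riskScore "
    "rt=2021-11-19T20:00:00.000Z end=2021-11-19T19:41:30.000Z "
    "start=2021-11-19T19:40:00.001Z src=10.54.10.60 dst=00:50:56:B9:7E:52 "
    "msg=[dl1c34430.imaginary-company.org](#/overview?from\\=1637350800"
    "&until\\=1637350890) received an unusual amount of data.\\n\\n"
    "The VPN client received:\\n* 1.5GB from `10.210.3.216` over HTTP"
)

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
TIME_FIELDS = ("rt", "start", "end")   # TimeStamp-typed keys in the CEF dictionary

# Extension scanner: key, '=', then a value running until the next unescaped
# " key=" or end of string; "\\." consumes escape pairs so "\=" stays in the value.
EXT_RE = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.\-]+=|$)", re.S)
ESCAPES = {"n": "\n", "r": "\r"}


def unescape(value: str) -> str:
    """Resolve CEF extension escapes: \\= -> =, \\\\ -> \\, \\n / \\r -> control chars."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), value, flags=re.S)


def split_header(cef: str) -> tuple:
    """Split the seven CEF header fields on pipes not escaped with a backslash."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # "\|" or "\\" inside a header field
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, cef[i:]                       # remainder is the extension string


def parse_cef_time(value: str) -> datetime:
    """Return an aware UTC datetime for a CEF TimeStamp value.

    The CEF spec allows epoch milliseconds or 'MMM dd yyyy HH:mm:ss[.SSS]';
    ExtraHop sends ISO 8601 with a trailing 'Z', which is accepted as well.
    Zone-less spec forms are treated as UTC here (an assumption of this example).
    """
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    for fmt in ("%b %d %Y %H:%M:%S.%f", "%b %d %Y %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    # datetime.fromisoformat() only accepts a 'Z' suffix from Python 3.11 on
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)           # raises ValueError if unparseable
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_cef(line: str) -> dict:
    """Parse a syslog-wrapped CEF line into header, extension and normalised times."""
    cef = line[line.index("CEF:"):]
    header, ext = split_header(cef)
    header[0] = header[0].split(":", 1)[1]      # "CEF:0" -> "0"
    record = {"header": dict(zip(HEADER_KEYS, header)),
              "extension": {}, "times": {}, "errors": []}
    for key, raw in EXT_RE.findall(ext):
        record["extension"][key] = unescape(raw)
    for key in TIME_FIELDS:
        if key in record["extension"]:
            try:
                record["times"][key] = parse_cef_time(record["extension"][key])
            except ValueError:
                record["errors"].append(
                    f"error in field '{key}': value is not a valid timestamp")
    return record


if __name__ == "__main__":
    for section, content in parse_cef(SAMPLE_EVENT).items():
        print(section, content)
```

Because the three time fields come out as aware datetimes, the record can be checked for consistency before indexing (in the sample, start precedes end and both precede rt), which is a cheap way to spot a device whose clock or zone configuration is off.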
