Hi all,
I'm ingesting ExtraHop Reveal X (https://www.extrahop.com/products/security/) logs using the Fleet-managed Elastic Agent "CEF" integration with the SYSLOG input over UDP.
Most of the fields are being extracted correctly, except the fields "rt", "start" and "end".
Error Message:
"error in field 'end': value is not a valid timestamp"
"error in field 'rt': value is not a valid timestamp"
"error in field 'start': value is not a valid timestamp"
Sample Event:
<14>2021-11-19T20:28:16.012Z noname.no-name-company.org CEF:0|ExtraHop|Reveal(x)|7.8|1|VPN Client Data Exfiltration|6|cn1=25769823408 cn1Label=detectionID cn2=65 cn2Label=riskScore cs1=https://imaginary-company.cloud.extrahop.com/extrahop/#/detections/detail/25769823408 cs1Label=detectionURL cs2=sec,sec.action,sec.exfil cs2Label=category rt=2021-11-19T20:00:00.000Z end=2021-11-19T19:41:30.000Z start=2021-11-19T19:40:00.001Z src=10.54.10.60 dst=00:50:56:B9:7E:52 msg=[dl1c34430.imaginary-company.org](#/metrics/devices/7e2dff4fa4dc4e58889e0f0399974a66.fff4380a4a0a0000/overview?from\=1637350800&interval_type\=DT&until\=1637350890) received an unusual amount of data from internal resources.\n\nThe VPN client received:\n* 1.5GB from `10.210.3.216` over HTTP\n\n
As shown in the above sample event, the fields rt=2021-11-19T20:00:00.000Z, end=2021-11-19T19:41:30.000Z and start=2021-11-19T19:40:00.001Z are in the format yyyy-MM-dd'T'HH:mm:ss.SSSZ.
I tried to use the following time formats for these field names in the "Component Templates", but the issue still persists.
yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
yyyy-MM-dd'T'HH:mm:ss.SSS'X'
yyyy-MM-dd'T'HH:mm:ss.SSSZ
yyyy-MM-dd'T'HH:mm:ss.SSSX
Any help would be greatly appreciated.
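A small parser for events of the shape shown above, added here as an example and not code from the original post, from Elastic or from ExtraHop: it splits the CEF header on unescaped `|`, walks the extension key=value pairs while honouring the `\=` and `\n` escapes visible in the `msg` field, and converts `rt`, `start` and `end` from either epoch milliseconds or the ISO 8601 form seen in the event into timezone-aware UTC datetimes, which is the normalisation an ingest pipeline has to perform before those values are accepted as timestamps. The sample line is constructed from the post's event; the key names and functions are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the event in the post (hosts and values are the post's illustrative ones).
SAMPLE = (
    r"<14>2021-11-19T20:28:16.012Z noname.no-name-company.org CEF:0|ExtraHop|Reveal(x)|7.8|1|"
    r"VPN Client Data Exfiltration|6|cn1=25769823408 cn1Label=detectionID cn2=65 cn2Label=riskScore "
    r"rt=2021-11-19T20:00:00.000Z end=2021-11-19T19:41:30.000Z start=2021-11-19T19:40:00.001Z "
    r"src=10.54.10.60 dst=00:50:56:B9:7E:52 msg=[dl1c34430.imaginary-company.org](#/metrics/devices/"
    r"7e2dff4fa4dc4e58889e0f0399974a66.fff4380a4a0a0000/overview?from\=1637350800&interval_type\=DT) "
    r"received an unusual amount of data from internal resources.\n\nThe VPN client received:\n"
    r"* 1.5GB from `10.210.3.216` over HTTP"
)
HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
TIMESTAMP_KEYS = ("rt", "start", "end")
# A new key starts at a word followed by an unescaped '=' at a field boundary; 'from\=...' does not match.
KEY_RE = re.compile(r"(?:^| )(\w+)=")

def cef_unescape(value: str) -> str:
    """Undo CEF escapes: \\= \\\\ \\| become the literal character, \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extensions(ext: str) -> dict:
    """Split the extension part into key -> unescaped value; values may contain spaces."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        value_end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = cef_unescape(ext[m.end():value_end])
    return out

def parse_cef_timestamp(value: str) -> datetime:
    """Accept epoch milliseconds or ISO 8601 (with or without 'Z'); always return an aware UTC datetime."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # naive timestamps are taken as UTC (assumption, not a CEF rule)
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def parse_cef_line(line: str) -> dict:
    """Parse a syslog-wrapped CEF line into header fields, extensions and normalised timestamps."""
    cef = line[line.index("CEF:"):]
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # header fields are separated by unescaped '|'
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields plus extensions")
    event = {k: cef_unescape(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    event.update(parse_extensions(parts[7]))
    for key in TIMESTAMP_KEYS:
        if key in event:
            event[key] = parse_cef_timestamp(event[key])
    return event

if __name__ == "__main__":
    ev = parse_cef_line(SAMPLE)
    print(ev["rt"], ev["start"], ev["end"], repr(ev["msg"][:70]))
```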