Incomplete parsing by CEF codec?

Taking input from some network elements that are forwarding CEF, and using the CEF codec, there's an issue where if one of the keys in the body has a two-character sub-name (e.g. ad.vd=), it doesn't get parsed properly and gets appended to the previous key?

Example using stdin with the cef codec and ruby debug output:

Input:

Nov 28 20:25:25 TestDevice CEF:0|Fortinet|FortiGate|5.x.x (GA)|13|forward traffic accept|5|ad.logver=50 dvchost=testdevice deviceExternalId=FG-5K00000000004 ad.logid=13 cat=traffic ad.subtype=forward deviceSeverity=notice ad.vd=TestVDOM src=172.16.1.1 spt=57609 deviceInboundInterface=TestVDOM-S dst=8.8.8.8 dpt=53 deviceOutboundInterface=TestVDOM-N externalID=472728212 proto=17 act=accept ad.policyid=6 ad.dstcountry=United States ad.srccountry=Reserved ad.trandisp=snat sourceTranslatedAddress=10.10.10.10 sourceTranslatedPort=57609 app=DNS ad.duration=60 out=59 in=905 ad.sentpkt=1 ad.rcvdpkt=1

ruby debug output:

{
            "destinationPort" => "53",
                 "sourcePort" => "57609",
         "destinationAddress" => "8.8.8.8",
                "ad.policyid" => "6",
               "deviceVendor" => "Fortinet",
                 "externalID" => "472728212",
                     "syslog" => "Nov 28 20:25:25 TestDevice",
                "ad.trandisp" => "snat",
           "deviceExternalId" => "FG-5K00000000004",
    "deviceOutboundInterface" => "TestVDOM-N",
                  "ad.logver" => "50",
             "deviceSeverity" => "notice ad.vd=TestVDOM",
     "deviceInboundInterface" => "TestVDOM-S",
          "transportProtocol" => "17",
                "ad.duration" => "60",
                   "@version" => "1",
              "ad.srccountry" => "Reserved",
                       "host" => "labhost1",
              "deviceProduct" => "FortiGate",
                 "ad.subtype" => "forward",
             "deviceHostName" => "testdevice",
        "applicationProtocol" => "DNS",
                   "bytesOut" => "59",
                    "bytesIn" => "905",
                   "severity" => "5",
              "sourceAddress" => "172.16.1.1",
               "deviceAction" => "accept",
       "sourceTranslatedPort" => "57609",
                 "ad.rcvdpkt" => "1",
              "deviceVersion" => "5.x.x (GA)",
         "deviceEventClassId" => "13",
        "deviceEventCategory" => "traffic",
    "sourceTranslatedAddress" => "10.10.10.10",
                   "ad.logid" => "13",
                 "@timestamp" => 2017-11-28T22:00:25.959Z,
              "ad.dstcountry" => "United States",
                 "cefVersion" => "0",
                       "name" => "forward traffic accept",
                 "ad.sentpkt" => "1"
}

See how ad.vd is appended to deviceSeverity?

Changing ad.vd to ad.vdom (or anything more than two characters in the sub position). Changing any other value to a key.nn structure also causes that key to get appended to the immediately previous value, so it's not something specific to this key or the stream coming in.

Is this a known bug with the cef codec? Any thoughts on how to work around it with additional filters?
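As an added example (not part of the original post, and not the Logstash cef codec's own code), here is a small stand-alone Ruby parser that shows how the extension part of a CEF line can be split so that a short dotted key like `ad.vd` becomes its own field instead of being glued onto the preceding value, while values containing spaces ("United States") stay intact. The `KEY_ALIASES` table is an assumed subset of the short-to-long key renames visible in the debug output above, the `SAMPLE` line is the one from the question, and `mis_parsed_keys` is a hypothetical helper one could drop into a `ruby` filter to tag events that the upstream codec has already split incorrectly. It goes slightly beyond the question by also honouring the CEF escapes `\|` in header fields and `\=` in extension values.

```ruby
# Added example for this thread: a stand-alone CEF parser in plain Ruby,
# not the Logstash cef codec's code. A new extension key is recognised only
# at "<whitespace><non-space chars>=", so "ad.vd=TestVDOM" is parsed as its
# own pair and "ad.dstcountry=United States" keeps its embedded space.

CEF_HEADER_FIELDS = %w[cefVersion deviceVendor deviceProduct deviceVersion
                       deviceEventClassId name severity].freeze

# Assumed subset of the short-to-long key renames seen in the debug output.
# Keys not listed here (ad.vd, deviceExternalId, ...) are kept verbatim.
KEY_ALIASES = {
  "src" => "sourceAddress",       "dst" => "destinationAddress",
  "spt" => "sourcePort",          "dpt" => "destinationPort",
  "act" => "deviceAction",        "cat" => "deviceEventCategory",
  "dvchost" => "deviceHostName",  "proto" => "transportProtocol",
  "app" => "applicationProtocol", "in" => "bytesIn", "out" => "bytesOut",
}.freeze

# Parses the extension part ("k1=v1 k2=v2 ...") into a Hash.
def parse_cef_extension(ext)
  pairs = {}
  # key:   one or more characters that are neither whitespace nor "="
  # value: consumed lazily until the lookahead sees "<whitespace><key>=" or
  #        the (possibly whitespace-padded) end of the string. Because the
  #        boundary requires leading whitespace, an escaped "\=" inside a
  #        value never starts a new key.
  ext.scan(/([^\s=]+)=(.*?)(?=\s+[^\s=]+=|\s*\z)/) do |key, value|
    # undo the CEF extension escapes "\=" and "\\"
    pairs[KEY_ALIASES.fetch(key, key)] = value.gsub(/\\([=\\])/, '\1')
  end
  pairs
end

# Parses a full (optionally syslog-prefixed) CEF line into a flat Hash.
def parse_cef(line)
  syslog, marker, cef = line.partition("CEF:")
  raise ArgumentError, "no CEF: marker in line" if marker.empty?
  # Seven pipe-delimited header fields, then the extension; "\|" is an
  # escaped pipe and must not split a header field.
  fields = cef.split(/(?<!\\)\|/, 8)
  raise ArgumentError, "fewer than 7 CEF header fields" if fields.size < 7
  event = {}
  event["syslog"] = syslog.strip unless syslog.strip.empty?
  CEF_HEADER_FIELDS.each_with_index do |name, i|
    event[name] = fields[i].gsub(/\\([|\\])/, '\1')  # undo "\|" and "\\"
  end
  event.merge(parse_cef_extension(fields[7].to_s))
end

# Hypothetical defender-side check for an already-decoded event: returns the
# keys whose value still contains an embedded "key=value" fragment, i.e. the
# symptom shown above ("notice ad.vd=TestVDOM"). It is a heuristic (a value
# such as a URL with a query string would also match), intended for tagging
# events in a ruby filter so the mis-parse is visible rather than silent.
def mis_parsed_keys(event)
  event.select { |_, v| v.is_a?(String) && v.match?(/\s[^\s=]+=\S/) }.keys
end

# Constructed sample input: the line from the question.
SAMPLE = "Nov 28 20:25:25 TestDevice CEF:0|Fortinet|FortiGate|5.x.x (GA)|13|forward traffic accept|5|ad.logver=50 dvchost=testdevice deviceExternalId=FG-5K00000000004 ad.logid=13 cat=traffic ad.subtype=forward deviceSeverity=notice ad.vd=TestVDOM src=172.16.1.1 spt=57609 deviceInboundInterface=TestVDOM-S dst=8.8.8.8 dpt=53 deviceOutboundInterface=TestVDOM-N externalID=472728212 proto=17 act=accept ad.policyid=6 ad.dstcountry=United States ad.srccountry=Reserved ad.trandisp=snat sourceTranslatedAddress=10.10.10.10 sourceTranslatedPort=57609 app=DNS ad.duration=60 out=59 in=905 ad.sentpkt=1 ad.rcvdpkt=1"

if __FILE__ == $PROGRAM_NAME
  parse_cef(SAMPLE).sort.each { |k, v| puts "#{k} => #{v.inspect}" }
end
```

Run as a script it prints the sample decoded with `deviceSeverity => "notice"` and `ad.vd => "TestVDOM"` as separate fields. The boundary rule (whitespace, then a key, then `=`) is the same ambiguity every CEF extension parser has to live with: a free-text value that itself contains `word=` after a space cannot be distinguished from a new key without knowing the vendor's key list, which is why `mis_parsed_keys` is only a heuristic.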
