Unable to parse Timestamp on CEF LOGS

Mmatos · November 9, 2021, 3:27pm

Hi,
I am having problems parsing a set of logs from sophos central Intercept X Antivirus. I am using the sophos tool to download the logs and store them in a File. "Service and Support"

Of the multiple formats, the CEF is the one that is working better in Elastic. I am using Filebeat to read the file and send the logs to elastic, to parse them I am using the Decode_cef Processor.

the problem that I have is that on the CEF logs there are two fields "end" & "rt". the "end" field is the timestamp of the event but when I get the following error "error.message
error in field 'end': value is not a valid timestamp, error in field 'rt': value is not a valid timestamp"

Is there a way to parse the end field as the timestamp without the use of logstatsh. I also tried the Timestamp processor with no luck.

Here is a sample of the logs.

Thanks

CEF:0|sophos|sophos central|1.0|Event::Endpoint::UpdateFailure|Download of WindowsCloudNextGen failed from server http:∕∕dci.sophosupd.com.|1|source_info_ip=192.168.1.10 customer_id=3wertr17-rtrde-4rt35-art7-fcwre46515 endpoint_id=456d78df-56787-3e337-basd-23e53464549347 endpoint_type=computer id=4e36d78df-5343687-3e33347-basd-23543643433435347 group=UPDATING datastream=event end=2021-11-09T03:14:03.523Z duid=asdfaer4652366579y rt=2021-11-09T03:14:03.536Z dhost=frt-Gwe4231-1 suser=MMEer\erp4r64
CEF:0|sophos|sophos central|1.0|Event::Endpoint::UpdateFailure|Failed to install sed64: general error.|1|source_info_ip=192.168.1.1 customer_id=3wertr17-rtrde-4rt35-art7-fcw3446515 endpoint_id=4346d78df-53487-3e347-basd-23e53334394347 endpoint_type=computer id=45336d78df4663487-3e347-basd-23e534453439347 group=UPDATING datastream=event end=2021-11-09T03:24:54.588Z duid=asdfaer4652366579y rt=2021-11-09T03:24:54.606Z dhost=lty17829 suser=MMEer\erp4r64
CEF:0|sophos|sophos central|1.0|Event::Endpoint::UpdateFailure|Download of WindowsCloudNextGen failed from server http:∕∕dci.sophosupd.com.|1|source_info_ip=192.168.1.18 customer_id=334ertr17-r34de-4rt345-art7-fc34wre3415 endpoint_id=456d34df-53437-3e3437-basd-2343434349347 endpoint_type=computer id=4346d78df-5347-3e3447-basd-23345634534447 group=UPDATING datastream=event end=2021-11-09T03:27:25.269Z duid=asdfaer4652366579y rt=2021-11-09T03:27:25.297Z dhost=f34rt-Gwe4231-1 suser=MMEer\erp4r64

aaron-nimocks · November 9, 2021, 3:46pm

Maybe just the set processor. Just run this after the cef processor.

    {
      "set": {
        "field": "@timestamp",
        "value": "{{{end}}}"
      }
    }

You might need to set your format for your @timestamp field in your mappings also.

system · December 7, 2021, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat CEF Module Beats filebeat	9	2152	December 3, 2019
Filebeat CEF module can't parse event as syslog rfc3164 Beats filebeat	3	1732	April 30, 2020
Filebeat collect log and output to es but occur time parse error Beats filebeat	7	785	November 20, 2020
Fleet CEF Processor Beats beats-module	7	571	March 11, 2022
Logstash CEF codec and ECS cannot parse 'rt' field throws an error Logstash	3	1293	August 25, 2022

Unable to parse Timestamp on CEF LOGS

Related Topics