[ https://issues.apache.org/jira/browse/METRON-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15962886#comment-15962886 ]
Ali Nazemian commented on METRON-832:
-------------------------------------

In terms of the Metron common message format, it provides a "proto" attribute instead of "protocol".

> CEFParser does not handle un-compliant format found in the wild
> ---------------------------------------------------------------
>
>                 Key: METRON-832
>                 URL: https://issues.apache.org/jira/browse/METRON-832
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.3.1
>            Reporter: Simon Elliston Ball
>
> The CEF Parser does not currently match CEF files produced by certain Palo Alto network devices as found in the wild.
>
> Sample message:
>
> <14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 proto=tcp act=alert request=\"www.example.com/\" cs2Label=URL Cat cs2=gambling flexString2Label=Direction flexString2=client-to-server externalId=123456789 requestContext= cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
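The message quoted in the report deviates from the CEF spec in two places a strict `CEF:0|` prefix match will trip over: a syslog header (`<14>Apr 7 10:10:10 hostname`) precedes `CEF:`, and there is a space between `CEF:` and the version digit. The extension also has the usual CEF quirks: label values containing spaces (`cs2Label=URL Cat`), empty values (`suser= duser=`), and backslashes in `request=`. The following is an added example written for this page, not Metron's `CEFParser` and not code from the reporter. It is a tolerant parser that accepts the non-compliant form while still reporting whether the message was strictly compliant. The output field names (`cef_version`, `device_vendor`, `syslog_prefix`, `timestamp`, …) are this example's own choice, not Metron's schema; the `rt` value is assumed to be in UTC because the device prints `GMT`; the sample message is constructed from the one in the report.

```python
"""Tolerant CEF parser for the non-compliant PAN-OS form reported in METRON-832.
Added example; not Metron's CEFParser."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: the message from the report, syslog header and the
# non-standard space after "CEF:" included. The \" around the URL is kept as-is.
SAMPLE = (
    "<14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|"
    "rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 "
    "sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 "
    "cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 "
    "cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted "
    "deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 "
    "cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 "
    "sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 "
    "proto=tcp act=alert request=\\\"www.example.com/\\\" cs2Label=URL Cat cs2=gambling "
    "flexString2Label=Direction flexString2=client-to-server externalId=123456789 requestContext= "
    "cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name"
)

# Output names are this example's own, not Metron's field schema.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
STRICT_PREFIX = re.compile(r"^CEF:\d+\|")      # what the spec requires
LENIENT_PREFIX = re.compile(r"CEF:\s*")        # allow a syslog prefix and spaces after "CEF:"
# An extension key starts at the beginning of the extension or after whitespace and ends at an
# unescaped "=". Because "\" is not a key character, "\=" inside a value never starts a new key.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def is_strictly_compliant(msg: str) -> bool:
    """True only when the message begins with 'CEF:<version>|' as the spec demands."""
    return STRICT_PREFIX.match(msg) is not None


def split_header(s: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring the '\\|' and '\\\\' escapes.
    Returns (fields, extension_text)."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s) and s[i + 1] in "|\\":
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) != 7 or not fields[0].isdigit():
        raise ValueError("CEF header must be 7 pipe-delimited fields starting with a numeric version")
    return fields, s[i:]


def unescape_ext(value: str) -> str:
    """Apply the CEF extension escapes (\\\\ \\= \\n \\r); unknown ones such as \\" are kept verbatim."""
    return re.sub(r"\\(.)", lambda m: EXT_ESCAPES.get(m.group(1), m.group(0)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Key/value pairs; a value runs from its '=' to the next key, so spaces in values survive."""
    out: Dict[str, str] = {}
    matches = list(KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end].strip())
    return out


def rt_to_epoch_ms(rt: Optional[str]) -> Optional[int]:
    """PAN-OS writes rt as 'Apr 07 2017 00:10:10 GMT'; treat it as UTC (assumption) and return epoch ms."""
    if not rt:
        return None
    try:
        dt = datetime.strptime(rt, "%b %d %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return int(dt.timestamp() * 1000)


def parse_cef(msg: str) -> Dict[str, object]:
    """Parse a CEF line, tolerating a syslog prefix and whitespace after 'CEF:'."""
    m = LENIENT_PREFIX.search(msg)
    if m is None:
        raise ValueError("not a CEF message")
    fields, ext = split_header(msg[m.end():])
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    record["syslog_prefix"] = msg[:m.start()].strip()
    record["strict_compliant"] = is_strictly_compliant(msg)
    record["extension"] = parse_extension(ext)
    ts = rt_to_epoch_ms(record["extension"].get("rt"))
    if ts is not None:
        record["timestamp"] = ts
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE), indent=2))
```

The lenient prefix is the whole fix for the reported message; the rest of the block is there because a parser that only relaxes the prefix still mishandles `cs2Label=URL Cat` (a naive split on spaces gives `cs2Label=URL`) and the empty `suser=`/`duser=` values. Note that the `proto=tcp` key is carried through unchanged, which matches the comment above that the Metron message format uses `proto` rather than `protocol`.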