Using format-cef-extension in a syslog-ng configuration can result in an 'Invalid CEF key' error.
This error is confirmed to appear when format-cef-extension is combined with the following scopes:
1. Scope "rfc3164" and "all_macros":
[2021-11-16T09:34:49.910916] Invalid CEF key; key='C_AMPM'
[2021-11-16T09:34:49.912094] Outgoing message; message='2021-11-16T09:34:49+01:00 localhost \x0a'
2. Scope "nv-pairs" and "all-nv-pairs":
[2021-11-17T08:34:40.592512] Incoming log entry; line='2021-11-17T08:34:40 localhost prg00000[1234]: seq: 0000000000, thread: 0000, runid: 1637134480, stamp: 2021-11-17T08:34:40 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPAD'
[2021-11-17T08:34:40.594834] Initial message parsing follows;
[2021-11-17T08:34:40.597028] Setting value; name='PROGRAM', value='prg00000', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.599138] Setting value; name='PID', value='1234', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.600498] Setting value; name='LEGACY_MSGHDR', value='prg00000[1234]: ', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.600851] Setting value; name='HOST', value='localhost', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.601243] Setting value; name='MESSAGE', value='seq: 0000000000, thread: 0000, runid: 1637134480, stamp: 2021-11-17T08:34:40 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDP'
[2021-11-17T08:34:40.601277] >>>>>> Source side message processing begin; instance='tcp,127.0.0.1', location='/opt/syslog-ng/etc/syslog-ng.conf:46:3', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.601358] Setting value; name='HOST_FROM', value='localhost', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.601405] Setting value; name='SOURCE', value='s_bsd', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.601514] Initializing destination file writer; template='/var/log/cef', filename='/var/log/cef'
[2021-11-17T08:34:40.601697] affile_open_file; path='/var/log/cef', fd='16'
[2021-11-17T08:34:40.601747] Source side message processing finish; instance='tcp,127.0.0.1', location='/opt/syslog-ng/etc/syslog-ng.conf:46:3', msg='0x7f2aa4015d90'
[2021-11-17T08:34:40.601765] EOF occurred while reading; fd='13'
[2021-11-17T08:34:40.601875] Syslog connection closed; fd='13', client='AF_INET(127.0.0.1:32812)', local='AF_INET(0.0.0.0:514)'
[2021-11-17T08:34:40.601927] Closing log transport fd; fd='13'
[2021-11-17T08:34:40.601965] stats-aggregator-cps; name: %s_%s_%s='s_bsd#0', sum='1', divisor='1', cps='1', delta_time_since_start='0'
[2021-11-17T08:34:40.601978] stats-aggregator-cps; name: %s_%s_%s='s_bsd#0', sum='1', divisor='1', cps='1', delta_time_since_start='0'
[2021-11-17T08:34:40.601987] stats-aggregator-cps; name: %s_%s_%s='s_bsd#0', sum='1', divisor='1', cps='1', delta_time_since_start='0'
[2021-11-17T08:34:40.602060] Invalid CEF key; key='HOST_FROM'
[2021-11-17T08:34:40.602635] Outgoing message; message='2021-11-17T08:34:40+01:00 localhost \x0a'
3. Scopes "dot-nv-pairs", "rfc5424" and "sdata" (if there is SDATA, e.g. [test name="value"]):
[2021-11-17T08:44:59.527050] Incoming log entry; line='1 2021-11-17T08:44:59+01:00 localhost prg00000 1234 - [test name="value"] seq: 0000000000, thread: 0000, runid: 1637135099, stamp: 2021-11-17T08:44:59 PADDPADDPADDPAD'
[2021-11-17T08:44:59.529996] Initial message parsing follows;
[2021-11-17T08:44:59.532476] Setting value; name='HOST', value='localhost', msg='0x7fd008015280'
[2021-11-17T08:44:59.534477] Setting value; name='PROGRAM', value='prg00000', msg='0x7fd008015280'
[2021-11-17T08:44:59.536124] Setting value; name='PID', value='1234', msg='0x7fd008015280'
[2021-11-17T08:44:59.536338] Setting value; name='.SDATA.test.name', value='value', msg='0x7fd008015280'
[2021-11-17T08:44:59.536440] Setting value; name='MESSAGE', value='seq: 0000000000, thread: 0000, runid: 1637135099, stamp: 2021-11-17T08:44:59 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDP'
[2021-11-17T08:44:59.536604] >>>>>> Source side message processing begin; instance='tcp,127.0.0.1', location='/opt/syslog-ng/etc/syslog-ng.conf:46:3', msg='0x7fd008015280'
[2021-11-17T08:44:59.536622] Setting value; name='HOST_FROM', value='localhost', msg='0x7fd008015280'
[2021-11-17T08:44:59.536641] Setting value; name='SOURCE', value='s_bsd', msg='0x7fd008015280'
[2021-11-17T08:44:59.536660] Source side message processing finish; instance='tcp,127.0.0.1', location='/opt/syslog-ng/etc/syslog-ng.conf:46:3', msg='0x7fd008015280'
[2021-11-17T08:44:59.537132] EOF occurred while reading; fd='13'
[2021-11-17T08:44:59.537355] Syslog connection closed; fd='13', client='AF_INET(127.0.0.1:48682)', local='AF_INET(0.0.0.0:601)'
[2021-11-17T08:44:59.537402] Closing log transport fd; fd='13'
[2021-11-17T08:44:59.537436] stats-aggregator-cps; name: %s_%s_%s='s_bsd#0', sum='3', divisor='100', cps='0', delta_time_since_start='100'
[2021-11-17T08:44:59.537449] stats-aggregator-cps; name: %s_%s_%s='s_bsd#0', sum='3', divisor='100', cps='0', delta_time_since_start='100'
[2021-11-17T08:44:59.537460] stats-aggregator-cps; name: %s_%s_%s='s_bsd#0', sum='3', divisor='100', cps='0', delta_time_since_start='100'
[2021-11-17T08:44:59.537520] Invalid CEF key; key='.SDATA.test.name'
[2021-11-17T08:44:59.537539] Outgoing message; message='2021-11-17T08:44:59+01:00 localhost \x0a'
This defect has been confirmed and change request #SYSLOGDEV-6167 has been raised for tracking of the issue.
There is no ETA yet for when the fix will be implemented in a future release.
Please review the list of Resolved Issues and Enhancement Requests published within the product release notes to determine if this specific Change Request is included in an upcoming release. Release notes are available at support.oneidentity.com under the technical documentation section of our website. We do not guarantee that all Change Requests will be implemented in future releases. For more information on our Product Enhancements and Defects policy, please consult the One Identity Global Support Guide https://support.oneidentity.com/essentials/support-guide
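In each debug log above, the 'Invalid CEF key' error is followed by an outgoing message that carries only the timestamp and host. The following Python script is an added example, not One Identity or syslog-ng code: it scans debug output for that pattern so that empty CEF records are noticed before they reach a collector. The function names, the alphanumeric-only key rule and the two-field header are assumptions based on the output shown on this page.

```python
import re

# Assumption: CEF extension keys must be ASCII alphanumeric only. This matches
# the keys rejected on this page, which contain an underscore or dots.
VALID_CEF_KEY = re.compile(r"[A-Za-z0-9]+")
INVALID_RE = re.compile(r"Invalid CEF key; key='([^']*)'")
OUTGOING_RE = re.compile(r"Outgoing message; message='(.*)'\s*$")


def is_valid_cef_key(name):
    """True if the name-value pair name would be usable as a CEF extension key."""
    return VALID_CEF_KEY.fullmatch(name) is not None


def find_lost_cef_messages(lines):
    """Pair each 'Invalid CEF key' error with the next outgoing message and
    report whether that message left with an empty payload."""
    findings, pending = [], None
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = OUTGOING_RE.search(line)
        if m and pending is not None:
            # Debug output shows the trailing newline as the literal text \x0a.
            sent = m.group(1).replace("\\x0a", "").strip()
            # Assumption: the header is "<timestamp> <host>"; anything beyond
            # those two fields would be the CEF extension payload.
            findings.append({"key": pending, "sent": sent,
                             "empty_payload": len(sent.split()) <= 2})
            pending = None
    return findings


# Error and outgoing lines copied from the three cases on this page.
SAMPLE = [
    "[2021-11-16T09:34:49.910916] Invalid CEF key; key='C_AMPM'",
    r"[2021-11-16T09:34:49.912094] Outgoing message; message='2021-11-16T09:34:49+01:00 localhost \x0a'",
    "[2021-11-17T08:34:40.602060] Invalid CEF key; key='HOST_FROM'",
    r"[2021-11-17T08:34:40.602635] Outgoing message; message='2021-11-17T08:34:40+01:00 localhost \x0a'",
    "[2021-11-17T08:44:59.537520] Invalid CEF key; key='.SDATA.test.name'",
    r"[2021-11-17T08:44:59.537539] Outgoing message; message='2021-11-17T08:44:59+01:00 localhost \x0a'",
]

if __name__ == "__main__":
    for f in find_lost_cef_messages(SAMPLE):
        print(f"key={f['key']!r} empty_payload={f['empty_payload']} sent={f['sent']!r}")
```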