Update sqs-files to support CEF parsing#260
Open
0BL1V10N-55 wants to merge 1 commit into
Open
Conversation
New Config Option IsCEFFormat bool (line 74) - Enables CEF parsing mode for Imperva/Incapsula WAF logs New Functions Added Function Lines Purpose processCEFEvent() 350-416 Main handler - reads file line-by-line, parses CEF, ships JSON events parseCEF() 420-457 Parses CEF header (7 pipe-separated fields) + extension key=value pairs splitCEFHeader() 460-509 Splits CEF line by ` unescapeCEFHeader() 512-516 Unescapes | and \\ in header fields parseCEFExtension() 519-600 Parses key=value pairs from CEF extension section isValidCEFKeyChar() 603-608 Validates CEF key characters (alphanumeric + underscore) unescapeCEFExtension() 611-617 Unescapes \=, \n, \r, \\ in extension values Modified Function processEvent() (line 315-319) - Added check: if IsCEFFormat is true, routes to processCEFEvent() instead of bundling raw data Behavior Non-CEF lines (headers like accountId:, |==|) trigger a warning and are shipped as raw text CEF lines are parsed into structured JSON with header fields (device_vendor, severity, etc.) and all extension key-value pairs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of the change
New Config Option for CEF message parsing
IsCEFFormat bool (line 74) - Enables CEF parsing mode for Imperva/Incapsula WAF logs New Functions Added
Function Lines Purpose
processCEFEvent() 350-416 Main handler - reads file line-by-line, parses CEF, ships JSON events
parseCEF() 420-457 Parses CEF header (7 pipe-separated fields) + extension key=value pairs
splitCEFHeader() 460-509 Splits CEF line by `
unescapeCEFHeader() 512-516 Unescapes | and \ in header fields
parseCEFExtension() 519-600 Parses key=value pairs from CEF extension section
isValidCEFKeyChar() 603-608 Validates CEF key characters (alphanumeric + underscore)
unescapeCEFExtension() 611-617 Unescapes =, \n, \r, \ in extension values Modified Function
processEvent() (line 315-319) - Added check: if IsCEFFormat is true, routes to processCEFEvent() instead of bundling raw data Behavior
Non-CEF lines (headers like accountId:, |==|) trigger a warning and are shipped as raw text CEF lines are parsed into structured JSON with header fields (device_vendor, severity, etc.) and all extension key-value pairs
Type of change
Related issues
https://refractionpoint.slack.com/archives/C08N44C603U/p1769014508093499?thread_ts=1769014414.452029&cid=C08N44C603U