Security Analytics Syslog CEF format is as shown below. The ending consists of a unix timestamp format that should contain 13 digits.
CEF:0|<OB_CEF_DEVICE_VENDOR>|<OB_CEF_DEVICE_PRODUCT>|<VERSION>|<OB_CEF_EVENT_ID_ALERT>|<OB_CEF_EVENT_NAME_ALERT>|<alert importance>|src=<ipv4_initiator> spt=<port_initiator> dst=<ipv4_responder> dpt=<port_responder> start=<UNIX timestamp> end=<UNIX timestamp> smac=<ethernet_initiator> dmac=<ethernet_responder> msg="Action: '<action name>' was triggered by Favorite: '<favorite name>'"
Security Analytics is sending 12 digits, causing the display time to be in the 1970s.
The timespec_to_string function does not format the milliseconds portion of the timestamp in a fixed width, so whenever that value has fewer than three digits the resulting timestamp comes out short. Statistically speaking, about ten percent of the formatted timestamps will be wrong or truncated.
This is fixed in Security Analytics version 7.2.x and greater.
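The following is an added example, not code from Security Analytics or this article, that reproduces the formatting defect described above and shows a check a receiving SIEM or parser can run on incoming CEF lines. The two timespec_to_string variants are assumed reconstructions of the behaviour the article describes (an unpadded versus a zero-padded millisecond field), and the sample CEF line and its vendor, product, address and MAC values are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Assumed reconstruction of the defect: seconds and milliseconds are concatenated
# without zero-padding the millisecond field, so ms < 100 yields fewer than 13 digits.
def buggy_timespec_to_string(sec, nsec):
    return f"{sec}{nsec // 1_000_000}"

# Corrected form: the millisecond field is always three digits wide.
def fixed_timespec_to_string(sec, nsec):
    return f"{sec}{nsec // 1_000_000:03d}"

def fraction_malformed(fmt, sec=1700000000):
    """Share of millisecond values 0..999 for which fmt() does not produce 13 digits."""
    bad = sum(1 for ms in range(1000) if len(fmt(sec, ms * 1_000_000)) != 13)
    return bad / 1000

# start=/end= extension fields of the CEF line described in the article.
CEF_TS_RE = re.compile(r"\b(start|end)=(\d+)")

def check_cef_timestamps(line):
    """Return (field, value, description) for every start=/end= value that is not 13 digits.

    The description shows how a log viewer that assumes milliseconds would render
    the short value, which is the 1970s display time the article mentions.
    """
    problems = []
    for field, value in CEF_TS_RE.findall(line):
        if len(value) != 13:
            rendered = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
            problems.append((field, value, f"{len(value)} digits; renders as {rendered.isoformat()}"))
    return problems

# Constructed sample line: the timestamps were produced with ms=42 and ms=43 by the
# unpadded formatter, so they carry 12 digits instead of 13.
SAMPLE_LINE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Example Alert|5|"
    "src=10.0.0.5 spt=51234 dst=10.0.0.9 dpt=443 "
    f"start={buggy_timespec_to_string(1700000000, 42_000_000)} "
    f"end={buggy_timespec_to_string(1700000000, 43_000_000)} "
    "smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb "
    "msg=\"Action: 'example action' was triggered by Favorite: 'example favorite'\""
)

if __name__ == "__main__":
    print("buggy :", buggy_timespec_to_string(1700000000, 42_000_000))
    print("fixed :", fixed_timespec_to_string(1700000000, 42_000_000))
    print("malformed share, buggy formatter:", fraction_malformed(buggy_timespec_to_string))
    for field, value, why in check_cef_timestamps(SAMPLE_LINE):
        print(f"{field}={value}: {why}")
```

fraction_malformed walks every millisecond value once and so reproduces the article's "about ten percent" figure directly: the values 0 through 99 are the ones that lose digits. check_cef_timestamps is the kind of guard a collector can apply before ingestion, flagging any start= or end= value that is not 13 digits rather than silently displaying a 1970s date.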
Imported Document ID: 000030910